API - CRUD for peers, interfaces and users (#340)

Public REST API implementation to handle peers, interfaces and users. It also includes some simple provisioning endpoints. The Swagger API documentation is available under /api/v1/doc.html
2025-09-15 07:11:15 +00:00 · 2025-01-11 18:44:55 +01:00
parent ad267ed0a8
commit d596f578f6
53 changed files with 11028 additions and 274 deletions
--- a/internal/domain/user.go
+++ b/internal/domain/user.go
@@ -1,6 +1,7 @@
 package domain

 import (
+	"crypto/subtle"
 	"errors"
 	"time"

@@ -42,6 +43,10 @@ type User struct {
 	Locked         *time.Time    `gorm:"index;column:locked"` // if this field is set, the user is locked and can no longer login (WireGuard peers still can connect)
 	LockedReason   string        // the reason why the user has been locked

+	// API token for REST API access
+	ApiToken        string `form:"api_token" binding:"omitempty"`
+	ApiTokenCreated *time.Time
+
 	LinkedPeerCount int `gorm:"-"`
 }

@@ -56,6 +61,14 @@ func (u *User) IsLocked() bool {
 	return u.Locked != nil
 }

+func (u *User) IsApiEnabled() bool {
+	if u.ApiToken != "" {
+		return true
+	}
+
+	return false
+}
+
 func (u *User) CanChangePassword() error {
 	if u.Source == UserSourceDatabase {
 		return nil
@@ -115,6 +128,18 @@ func (u *User) CheckPassword(password string) error {
 	return nil
 }

+func (u *User) CheckApiToken(token string) error {
+	if !u.IsApiEnabled() {
+		return errors.New("api access disabled")
+	}
+
+	if res := subtle.ConstantTimeCompare([]byte(u.ApiToken), []byte(token)); res != 1 {
+		return errors.New("wrong token")
+	}
+
+	return nil
+}
+
 func (u *User) HashPassword() error {
 	if u.Password == "" {
 		return nil // nothing to hash