Protect sensitive settings with 2FA reveal flow

Author: 0xJacky

api/settings/protected.go

@@ -0,0 +1,43 @@
+package settings
+
+import (
+	"net/http"
+
+	"github.com/0xJacky/Nginx-UI/settings"
+	"github.com/gin-gonic/gin"
+	cSettings "github.com/uozi-tech/cosy/settings"
+)
+
+var protectedSettingRevealAllowlist = map[string]func() string{
+	"app.jwt_secret": func() string {
+		return cSettings.AppSettings.JwtSecret
+	},
+	"node.secret": func() string {
+		return settings.NodeSettings.Secret
+	},
+	"openai.token": func() string {
+		return settings.OpenAISettings.Token
+	},
+}
+
+func GetProtectedSetting(c *gin.Context) {
+	if _, ok := c.Get("Secret"); ok {
+		c.AbortWithStatusJSON(http.StatusForbidden, gin.H{
+			"message": "Node secret authentication is not allowed for protected settings",
+		})
+		return
+	}
+
+	path := c.Query("path")
+	getter, ok := protectedSettingRevealAllowlist[path]
+	if !ok {
+		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
+			"message": "Protected setting path is invalid",
+		})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"value": getter(),
+	})
+}

api/settings/router.go

@@ -8,6 +8,7 @@ import (
 func InitRouter(r *gin.RouterGroup) {
 	r.GET("settings/server/name", GetServerName)
 	r.GET("settings", GetSettings)
+	r.GET("settings/protected", middleware.RequireSecureSession(), GetProtectedSetting)
 	r.POST("settings", middleware.RequireSecureSession(), SaveSettings)
 
 	r.GET("settings/auth/banned_ips", GetBanLoginIP)

api/settings/settings.go

@@ -1,6 +1,7 @@
 package settings
 
 import (
+	"encoding/json"
 	"fmt"
 	"net/http"
 
@@ -15,6 +16,77 @@ import (
 	cSettings "github.com/uozi-tech/cosy/settings"
 )
 
+const redactedSensitiveValue = "__NGINX_UI_REDACTED__"
+
+type saveSettingsPayload struct {
+	App       cSettings.App      `json:"app"`
+	Server    cSettings.Server   `json:"server"`
+	Auth      settings.Auth      `json:"auth"`
+	Cert      settings.Cert      `json:"cert"`
+	Http      settings.HTTP      `json:"http"`
+	Node      settings.Node      `json:"node"`
+	Openai    settings.OpenAI    `json:"openai"`
+	Logrotate settings.Logrotate `json:"logrotate"`
+	Nginx     settings.Nginx     `json:"nginx"`
+	Oidc      settings.OIDC      `json:"oidc"`
+}
+
+func cloneSettingsSection(section any) gin.H {
+	raw, err := json.Marshal(section)
+	if err != nil {
+		return gin.H{}
+	}
+
+	var cloned gin.H
+	if err := json.Unmarshal(raw, &cloned); err != nil {
+		return gin.H{}
+	}
+
+	return cloned
+}
+
+func buildSettingsResponse() gin.H {
+	app := cloneSettingsSection(cSettings.AppSettings)
+	app["jwt_secret"] = redactedSensitiveValue
+
+	node := cloneSettingsSection(settings.NodeSettings)
+	node["secret"] = redactedSensitiveValue
+
+	openai := cloneSettingsSection(settings.OpenAISettings)
+	openai["token"] = redactedSensitiveValue
+
+	return gin.H{
+		"app":       app,
+		"server":    cSettings.ServerSettings,
+		"database":  settings.DatabaseSettings,
+		"auth":      settings.AuthSettings,
+		"casdoor":   settings.CasdoorSettings,
+		"oidc":      settings.OIDCSettings,
+		"cert":      settings.CertSettings,
+		"http":      settings.HTTPSettings,
+		"logrotate": settings.LogrotateSettings,
+		"nginx":     settings.NginxSettings,
+		"node":      node,
+		"openai":    openai,
+		"terminal":  settings.TerminalSettings,
+		"webauthn":  settings.WebAuthnSettings,
+	}
+}
+
+func restoreRedactedSensitiveSettings(payload *saveSettingsPayload) {
+	if payload.App.JwtSecret == redactedSensitiveValue {
+		payload.App.JwtSecret = cSettings.AppSettings.JwtSecret
+	}
+
+	if payload.Node.Secret == redactedSensitiveValue {
+		payload.Node.Secret = settings.NodeSettings.Secret
+	}
+
+	if payload.Openai.Token == redactedSensitiveValue {
+		payload.Openai.Token = settings.OpenAISettings.Token
+	}
+}
+
 func GetServerName(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{
 		"name": settings.NodeSettings.Name,
@@ -46,42 +118,18 @@ func GetSettings(c *gin.Context) {
 			fmt.Sprintf("start-stop-daemon --start --quiet --pidfile %s --exec %s", pidPath, daemon)
 	}
 
-	c.JSON(http.StatusOK, gin.H{
-		"app":       cSettings.AppSettings,
-		"server":    cSettings.ServerSettings,
-		"database":  settings.DatabaseSettings,
-		"auth":      settings.AuthSettings,
-		"casdoor":   settings.CasdoorSettings,
-		"oidc":      settings.OIDCSettings,
-		"cert":      settings.CertSettings,
-		"http":      settings.HTTPSettings,
-		"logrotate": settings.LogrotateSettings,
-		"nginx":     settings.NginxSettings,
-		"node":      settings.NodeSettings,
-		"openai":    settings.OpenAISettings,
-		"terminal":  settings.TerminalSettings,
-		"webauthn":  settings.WebAuthnSettings,
-	})
+	c.JSON(http.StatusOK, buildSettingsResponse())
 }
 
 func SaveSettings(c *gin.Context) {
-	var json struct {
-		App       cSettings.App      `json:"app"`
-		Server    cSettings.Server   `json:"server"`
-		Auth      settings.Auth      `json:"auth"`
-		Cert      settings.Cert      `json:"cert"`
-		Http      settings.HTTP      `json:"http"`
-		Node      settings.Node      `json:"node"`
-		Openai    settings.OpenAI    `json:"openai"`
-		Logrotate settings.Logrotate `json:"logrotate"`
-		Nginx     settings.Nginx     `json:"nginx"`
-		Oidc      settings.OIDC      `json:"oidc"`
-	}
+	var json saveSettingsPayload
 
 	if !cosy.BindAndValid(c, &json) {
 		return
 	}
 
+	restoreRedactedSensitiveSettings(&json)
+
 	if settings.LogrotateSettings.Enabled != json.Logrotate.Enabled ||
 		settings.LogrotateSettings.Interval != json.Logrotate.Interval {
 		go cron.RestartLogrotate()

api/settings/settings_test.go

@@ -2,13 +2,19 @@ package settings
 
 import (
 	"bytes"
+	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 
+	"github.com/0xJacky/Nginx-UI/internal/cache"
+	"github.com/0xJacky/Nginx-UI/internal/middleware"
+	internaluser "github.com/0xJacky/Nginx-UI/internal/user"
+	"github.com/0xJacky/Nginx-UI/model"
 	appsettings "github.com/0xJacky/Nginx-UI/settings"
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
+	cSettings "github.com/uozi-tech/cosy/settings"
 )
 
 func TestSaveSettingsRejectsNegativeLogrotateInterval(t *testing.T) {
@@ -26,6 +32,163 @@ func TestSaveSettingsRejectsNegativeLogrotateInterval(t *testing.T) {
 
 	SaveSettings(c)
 
-	assert.Equal(t, http.StatusBadRequest, w.Code)
-	assert.Contains(t, w.Body.String(), appsettings.InvalidLogrotateIntervalMessage)
+	assert.Equal(t, http.StatusNotAcceptable, w.Code)
+	assert.Contains(t, w.Body.String(), "\"interval\":\"min\"")
+}
+
+func TestGetSettingsRedactsSensitiveFields(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	originalJWTSecret := cSettings.AppSettings.JwtSecret
+	originalPageSize := cSettings.AppSettings.PageSize
+	originalNodeSecret := appsettings.NodeSettings.Secret
+	originalNodeName := appsettings.NodeSettings.Name
+	originalOpenAIToken := appsettings.OpenAISettings.Token
+	originalReloadCmd := appsettings.NginxSettings.ReloadCmd
+	originalRestartCmd := appsettings.NginxSettings.RestartCmd
+	defer func() {
+		cSettings.AppSettings.JwtSecret = originalJWTSecret
+		cSettings.AppSettings.PageSize = originalPageSize
+		appsettings.NodeSettings.Secret = originalNodeSecret
+		appsettings.NodeSettings.Name = originalNodeName
+		appsettings.OpenAISettings.Token = originalOpenAIToken
+		appsettings.NginxSettings.ReloadCmd = originalReloadCmd
+		appsettings.NginxSettings.RestartCmd = originalRestartCmd
+	}()
+
+	cSettings.AppSettings.JwtSecret = "jwt-secret"
+	cSettings.AppSettings.PageSize = 50
+	appsettings.NodeSettings.Secret = "node-secret"
+	appsettings.NodeSettings.Name = "local-node"
+	appsettings.OpenAISettings.Token = "openai-secret"
+	appsettings.NginxSettings.ReloadCmd = "nginx -s reload"
+	appsettings.NginxSettings.RestartCmd = "nginx -s restart"
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest(http.MethodGet, "/api/settings", nil)
+
+	GetSettings(c)
+
+	assert.Equal(t, http.StatusOK, w.Code)
+
+	var body map[string]map[string]any
+	err := json.Unmarshal(w.Body.Bytes(), &body)
+	assert.NoError(t, err)
+	assert.Equal(t, redactedSensitiveValue, body["app"]["jwt_secret"])
+	assert.Equal(t, float64(50), body["app"]["page_size"])
+	assert.Equal(t, redactedSensitiveValue, body["node"]["secret"])
+	assert.Equal(t, "local-node", body["node"]["name"])
+	assert.Equal(t, redactedSensitiveValue, body["openai"]["token"])
+}
+
+func TestRestoreRedactedSensitiveSettings(t *testing.T) {
+	originalJWTSecret := cSettings.AppSettings.JwtSecret
+	originalNodeSecret := appsettings.NodeSettings.Secret
+	originalOpenAIToken := appsettings.OpenAISettings.Token
+	defer func() {
+		cSettings.AppSettings.JwtSecret = originalJWTSecret
+		appsettings.NodeSettings.Secret = originalNodeSecret
+		appsettings.OpenAISettings.Token = originalOpenAIToken
+	}()
+
+	cSettings.AppSettings.JwtSecret = "jwt-secret"
+	appsettings.NodeSettings.Secret = "node-secret"
+	appsettings.OpenAISettings.Token = "openai-secret"
+
+	payload := saveSettingsPayload{}
+	payload.App.JwtSecret = redactedSensitiveValue
+	payload.Node.Secret = redactedSensitiveValue
+	payload.Openai.Token = redactedSensitiveValue
+
+	restoreRedactedSensitiveSettings(&payload)
+
+	assert.Equal(t, "jwt-secret", payload.App.JwtSecret)
+	assert.Equal(t, "node-secret", payload.Node.Secret)
+	assert.Equal(t, "openai-secret", payload.Openai.Token)
+}
+
+func TestGetProtectedSetting(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	cache.InitInMemoryCache()
+	defer cache.Shutdown()
+
+	originalJWTSecret := cSettings.AppSettings.JwtSecret
+	defer func() {
+		cSettings.AppSettings.JwtSecret = originalJWTSecret
+	}()
+	cSettings.AppSettings.JwtSecret = "jwt-secret"
+
+	t.Run("rejects missing secure session", func(t *testing.T) {
+		r := gin.New()
+		r.GET("/api/settings/protected", func(c *gin.Context) {
+			c.Set("user", &model.User{
+				Model:     model.Model{ID: 1},
+				OTPSecret: []byte("otp-enabled"),
+			})
+		}, middleware.RequireSecureSession(), GetProtectedSetting)
+
+		req := httptest.NewRequest(http.MethodGet, "/api/settings/protected?path=app.jwt_secret", nil)
+		w := httptest.NewRecorder()
+		r.ServeHTTP(w, req)
+
+		assert.Equal(t, http.StatusUnauthorized, w.Code)
+	})
+
+	t.Run("rejects node secret authentication", func(t *testing.T) {
+		r := gin.New()
+		r.GET("/api/settings/protected", func(c *gin.Context) {
+			c.Set("user", &model.User{
+				Model: model.Model{ID: 1},
+			})
+			c.Set("Secret", "node-secret")
+		}, middleware.RequireSecureSession(), GetProtectedSetting)
+
+		req := httptest.NewRequest(http.MethodGet, "/api/settings/protected?path=app.jwt_secret", nil)
+		w := httptest.NewRecorder()
+		r.ServeHTTP(w, req)
+
+		assert.Equal(t, http.StatusForbidden, w.Code)
+	})
+
+	t.Run("rejects invalid path", func(t *testing.T) {
+		r := gin.New()
+		r.GET("/api/settings/protected", func(c *gin.Context) {
+			user := &model.User{
+				Model:     model.Model{ID: 2},
+				OTPSecret: []byte("otp-enabled"),
+			}
+			c.Set("user", user)
+		}, middleware.RequireSecureSession(), GetProtectedSetting)
+
+		req := httptest.NewRequest(http.MethodGet, "/api/settings/protected?path=node.name", nil)
+		req.Header.Set("X-Secure-Session-ID", internaluser.SetSecureSessionID(2))
+		w := httptest.NewRecorder()
+		r.ServeHTTP(w, req)
+
+		assert.Equal(t, http.StatusBadRequest, w.Code)
+	})
+
+	t.Run("returns protected value", func(t *testing.T) {
+		r := gin.New()
+		r.GET("/api/settings/protected", func(c *gin.Context) {
+			user := &model.User{
+				Model:     model.Model{ID: 3},
+				OTPSecret: []byte("otp-enabled"),
+			}
+			c.Set("user", user)
+		}, middleware.RequireSecureSession(), GetProtectedSetting)
+
+		req := httptest.NewRequest(http.MethodGet, "/api/settings/protected?path=app.jwt_secret", nil)
+		req.Header.Set("X-Secure-Session-ID", internaluser.SetSecureSessionID(3))
+		w := httptest.NewRecorder()
+		r.ServeHTTP(w, req)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+
+		var body map[string]string
+		err := json.Unmarshal(w.Body.Bytes(), &body)
+		assert.NoError(t, err)
+		assert.Equal(t, "jwt-secret", body["value"])
+	})
 }

app/src/api/settings.ts

@@ -1,5 +1,7 @@
 import { http } from '@uozi-admin/request'
 
+export const PROTECTED_VALUE_PLACEHOLDER = '__NGINX_UI_REDACTED__'
+
 export interface AppSettings {
   page_size: number
   jwt_secret: string
@@ -141,6 +143,11 @@ const settings = {
   get(): Promise<Settings> {
     return http.get('/settings')
   },
+  get_protected_value(path: string): Promise<{ value: string }> {
+    return http.get('/settings/protected', {
+      params: { path },
+    })
+  },
   save(data: Settings) {
     return http.post('/settings', data)
   },