From 90b9ba15ec6f35b3486ce40da282103e478074ad Mon Sep 17 00:00:00 2001
From: Bernd Storath <32197462+kaaax0815@users.noreply.github.com>
Date: Wed, 9 Jul 2025 15:42:29 +0200
Subject: [PATCH] feat: make api more secure (#2015)

make api more secure
---
 .../database/repositories/client/service.ts   | 30 +++++++++++++++++++
 src/server/utils/WireGuard.ts                 |  2 +-
 src/shared/utils/permissions.ts               |  2 +-
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/src/server/database/repositories/client/service.ts b/src/server/database/repositories/client/service.ts
index 3e41869a..3616aa09 100644
--- a/src/server/database/repositories/client/service.ts
+++ b/src/server/database/repositories/client/service.ts
@@ -18,6 +18,17 @@ function createPreparedStatement(db: DBType) {
         },
       })
       .prepare(),
+    findAllPublic: db.query.client
+      .findMany({
+        with: {
+          oneTimeLink: true,
+        },
+        columns: {
+          privateKey: false,
+          preSharedKey: false,
+        },
+      })
+      .prepare(),
     findById: db.query.client
       .findFirst({ where: eq(client.id, sql.placeholder('id')) })
       .prepare(),
@@ -25,6 +36,10 @@ function createPreparedStatement(db: DBType) {
       .findMany({
         where: eq(client.userId, sql.placeholder('userId')),
         with: { oneTimeLink: true },
+        columns: {
+          privateKey: false,
+          preSharedKey: false,
+        },
       })
       .prepare(),
     toggle: db
@@ -57,6 +72,9 @@ export class ClientService {
     }));
   }
 
+  /**
+   * Never return values directly from this function. Use {@link getAllPublic} instead.
+   */
   async getAll() {
     const result = await this.#statements.findAll.execute();
     return result.map((row) => ({
@@ -66,6 +84,18 @@ export class ClientService {
     }));
   }
 
+  /**
+   * Returns all clients without sensitive data
+   */
+  async getAllPublic() {
+    const result = await this.#statements.findAllPublic.execute();
+    return result.map((row) => ({
+      ...row,
+      createdAt: new Date(row.createdAt),
+      updatedAt: new Date(row.updatedAt),
+    }));
+  }
+
   get(id: ID) {
     return this.#statements.findById.execute({ id });
   }
diff --git a/src/server/utils/WireGuard.ts b/src/server/utils/WireGuard.ts
index 0cf44006..22132371 100644
--- a/src/server/utils/WireGuard.ts
+++ b/src/server/utils/WireGuard.ts
@@ -95,7 +95,7 @@ class WireGuard {
 
   async getAllClients() {
     const wgInterface = await Database.interfaces.get();
-    const dbClients = await Database.clients.getAll();
+    const dbClients = await Database.clients.getAllPublic();
     const clients = dbClients.map((client) => ({
       ...client,
       latestHandshakeAt: null as Date | null,
diff --git a/src/shared/utils/permissions.ts b/src/shared/utils/permissions.ts
index 912b5ac1..a559aaaf 100644
--- a/src/shared/utils/permissions.ts
+++ b/src/shared/utils/permissions.ts
@@ -59,7 +59,7 @@ type RolesWithPermissions = {
 
 export type Permissions = {
   clients: {
-    dataType: ClientType;
+    dataType: Pick<ClientType, 'id' | 'userId'>;
     action: 'view' | 'create' | 'update' | 'delete' | 'custom';
   };
   admin: {