From 47bc8ba96684354ff808056bdf97ebd55be7bdd5 Mon Sep 17 00:00:00 2001
From: kevin <kevin@yuno.malio.fr>
Date: Thu, 12 Mar 2026 08:37:53 +0100
Subject: [PATCH] fix : securite middle  et execfile

---
 components/BackupList.vue        | 10 +++++++---
 components/BackupRun.vue         |  9 +++++++--
 components/MessageDiscord.vue    |  6 +++++-
 components/Speedtest.vue         |  8 ++++++--
 components/StatusSite.vue        |  6 +++++-
 nuxt.config.ts                   |  2 ++
 pages/backup.vue                 | 30 +++++++++++++-----------------
 pages/index.vue                  |  6 +++++-
 server/api/backup-script.post.ts |  9 +++++----
 server/api/disk.get.ts           |  9 +++++----
 server/config/backup-script.json | 20 ++++++++++++++++----
 server/config/disk-commands.json | 13 ++++++++++---
 server/middleware/auth.ts        | 30 ++++++++++++++++++++++++++++++
 13 files changed, 116 insertions(+), 42 deletions(-)
 create mode 100644 server/middleware/auth.ts

diff --git a/components/BackupList.vue b/components/BackupList.vue
index 9dcad3b..1aa8a38 100644
--- a/components/BackupList.vue
+++ b/components/BackupList.vue
@@ -55,6 +55,7 @@
 import {Icon as IconifyIcon} from "@iconify/vue"
 import CircleSkeleton from "~/components/skeleton/CircleSkeleton.vue"
 import TextSkeleton from "~/components/skeleton/TextSkeleton.vue"
+import { downloadApiFile, useApiAuthHeader } from "~/composables/useApiAuth"
 
 const props = defineProps<{
   folder: string | null
@@ -62,15 +63,16 @@ const props = defineProps<{
 
 const backups = ref<string[]>([])
 const loading = ref(false)
+const apiAuthHeader = useApiAuthHeader()
 const title = computed(() => {
   if (!props.folder) return "Fichiers"
   return `Backup — ${props.folder.toUpperCase()}`
 })
 
-const downloadBackup = (file: string) => {
+const downloadBackup = async (file: string) => {
   if (!props.folder) return
   const url = `/api/download?folder=${encodeURIComponent(props.folder)}&file=${encodeURIComponent(file)}`
-  window.location.href = url
+  await downloadApiFile(url, file)
 }
 
 watch(() => props.folder, async (folder) => {
@@ -82,7 +84,9 @@ watch(() => props.folder, async (folder) => {
 
   loading.value = true
   try {
-    const data = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`)
+    const data = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`, {
+      headers: apiAuthHeader
+    })
     backups.value = data
   } catch (error) {
     console.error("Erreur récupération backups:", error)
diff --git a/components/BackupRun.vue b/components/BackupRun.vue
index cae972c..36b9db2 100644
--- a/components/BackupRun.vue
+++ b/components/BackupRun.vue
@@ -79,6 +79,7 @@
 <script setup lang="ts">
 import { computed, onMounted, ref } from "vue"
 import { Icon as IconifyIcon } from "@iconify/vue"
+import { useApiAuthHeader } from "~/composables/useApiAuth"
 
 type BackupScript = {
   key: string
@@ -118,6 +119,7 @@ const scripts = ref<BackupScript[]>([])
 const output = ref<string>("")
 const message = ref<string>("")
 const isError = ref(false)
+const apiAuthHeader = useApiAuthHeader()
 
 const statusClass = computed(() => (isError.value ? "status-error" : "status-success"))
 
@@ -134,7 +136,9 @@ const loadScripts = async () => {
     downloadFolders: []
   })
   try {
-    const data = await $fetch<BackupScriptListResponse>("/api/backup-script")
+    const data = await $fetch<BackupScriptListResponse>("/api/backup-script", {
+      headers: apiAuthHeader
+    })
     scripts.value = data.scripts
   } catch (error) {
     scripts.value = []
@@ -162,7 +166,8 @@ const runScript = async (key: string) => {
   try {
     const data = await $fetch<BackupScriptRunResponse>("/api/backup-script", {
       method: "POST",
-      body: { key }
+      body: { key },
+      headers: apiAuthHeader
     })
     message.value = `${data.label} execute avec succes`
     output.value = data.output || "Aucune sortie retournee."
diff --git a/components/MessageDiscord.vue b/components/MessageDiscord.vue
index 6c82c53..6b61904 100644
--- a/components/MessageDiscord.vue
+++ b/components/MessageDiscord.vue
@@ -1,6 +1,10 @@
 <script setup>
 import {Icon as IconifyIcon} from "@iconify/vue"
-const { data: messages } = await useFetch('/api/discord/messages')
+import { useApiAuthHeader } from "~/composables/useApiAuth"
+
+const { data: messages } = await useFetch('/api/discord/messages', {
+  headers: useApiAuthHeader()
+})
 </script>
 
 <template>
diff --git a/components/Speedtest.vue b/components/Speedtest.vue
index 582e20e..09872e5 100644
--- a/components/Speedtest.vue
+++ b/components/Speedtest.vue
@@ -42,11 +42,13 @@
 <script setup lang="ts">
 import {computed, ref} from "vue"
 import {Icon as IconifyIcon} from "@iconify/vue"
+import { useApiAuthHeader, withApiAuth } from "~/composables/useApiAuth"
 
 const ping = ref<number | null>(null)
 const download = ref<number | null>(null)
 const upload = ref<number | null>(null)
 const isTesting = ref(false)
+const apiAuthHeader = useApiAuthHeader()
 
 const metrics = computed(() => [
   { label: "Download", icon: "mdi:arrow-down-bold", value: download.value, unit: "Mbps" },
@@ -56,7 +58,9 @@ const metrics = computed(() => [
 
 async function testDownload() {
   const start = performance.now()
-  const res = await fetch('/api/download')
+  const res = await fetch('/api/download', {
+    headers: apiAuthHeader
+  })
   const blob = await res.blob()
   const end = performance.now()
   const size = blob.size
@@ -68,7 +72,7 @@ async function testUpload() {
   const size = 5 * 1024 * 1024
   const data = new Uint8Array(size)
   const start = performance.now()
-  await fetch('/api/upload', { method: 'POST', body: data })
+  await fetch('/api/upload', withApiAuth({ method: 'POST', body: data }))
   const end = performance.now()
   const seconds = (end - start) / 1000
   upload.value = Math.round((size * 8) / seconds / 1000000)
diff --git a/components/StatusSite.vue b/components/StatusSite.vue
index 507a585..8300daa 100644
--- a/components/StatusSite.vue
+++ b/components/StatusSite.vue
@@ -43,6 +43,7 @@
 import CircleSkeleton from "~/components/skeleton/CircleSkeleton.vue"
 import TextSkeleton from "~/components/skeleton/TextSkeleton.vue"
 import {onBeforeUnmount, onMounted, ref} from "vue"
+import { useApiAuthHeader } from "~/composables/useApiAuth"
 
 interface StatusRow {
   label: string
@@ -71,6 +72,7 @@ const props = withDefaults(
 const rows = ref<StatusRow[]>([])
 const loading = ref(true)
 const initialized = ref(false)
+const apiAuthHeader = useApiAuthHeader()
 let timer: ReturnType<typeof setInterval> | null = null
 
 const statusLabel = (status: number) => {
@@ -84,7 +86,9 @@ const checkStatus = async () => {
     loading.value = true
   }
   try {
-    const data = await $fetch<StatusResponse>(props.endpoint)
+    const data = await $fetch<StatusResponse>(props.endpoint, {
+      headers: apiAuthHeader
+    })
     rows.value = data.results
   } catch (error) {
     rows.value = [
diff --git a/nuxt.config.ts b/nuxt.config.ts
index ffc3361..0145bef 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -35,7 +35,9 @@ export default defineNuxtConfig({
     }
   },
   runtimeConfig: {
+    apiSecretKey: process.env.API_SECRET_KEY,
     public: {
+      apiSecretKey: process.env.API_SECRET_KEY || "",
       appVersion: getRepoVersion()
     }
   },
diff --git a/pages/backup.vue b/pages/backup.vue
index 1124c75..4c33a8a 100644
--- a/pages/backup.vue
+++ b/pages/backup.vue
@@ -96,6 +96,7 @@
 <script setup lang="ts">
 import { ref } from "vue"
 import BackupRun from "~/components/BackupRun.vue"
+import { downloadApiFile, useApiAuthHeader } from "~/composables/useApiAuth"
 
 definePageMeta({ layout: false })
 
@@ -117,35 +118,30 @@ const emptyScriptResult = (): ScriptResult => ({
 
 const selectedBackup = ref<string | null>(null)
 const scriptResult = ref<ScriptResult>(emptyScriptResult())
+const apiAuthHeader = useApiAuthHeader()
 
 const fetchLatestBackup = async (folder: string) => {
-  const files = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`)
+  const files = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`, {
+    headers: apiAuthHeader
+  })
   return files[0] || null
 }
 
-const triggerDownload = (folder: string, file: string) => {
-  const link = document.createElement("a")
-  link.href = `/api/download?folder=${encodeURIComponent(folder)}&file=${encodeURIComponent(file)}`
-  link.style.display = "none"
-  document.body.appendChild(link)
-  link.click()
-  link.remove()
+const triggerDownload = async (folder: string, file: string) => {
+  const url = `/api/download?folder=${encodeURIComponent(folder)}&file=${encodeURIComponent(file)}`
+  await downloadApiFile(url, file)
 }
 
-const triggerBatchDownload = (folders: string[]) => {
-  const link = document.createElement("a")
-  link.href = `/api/download-latest?folders=${encodeURIComponent(folders.join(","))}`
-  link.style.display = "none"
-  document.body.appendChild(link)
-  link.click()
-  link.remove()
+const triggerBatchDownload = async (folders: string[]) => {
+  const url = `/api/download-latest?folders=${encodeURIComponent(folders.join(","))}`
+  await downloadApiFile(url, "backup-latest.tar.gz")
 }
 
 const downloadLatestBackup = async (folder: string) => {
   const latestFile = await fetchLatestBackup(folder)
 
   if (latestFile) {
-    triggerDownload(folder, latestFile)
+    await triggerDownload(folder, latestFile)
   }
 }
 
@@ -157,7 +153,7 @@ const handleScriptResult = async (payload: ScriptResult) => {
   }
 
   if (payload.downloadFolders.length > 1) {
-    triggerBatchDownload(payload.downloadFolders)
+    await triggerBatchDownload(payload.downloadFolders)
     return
   }
 
diff --git a/pages/index.vue b/pages/index.vue
index 7d3d125..1f6a1ff 100644
--- a/pages/index.vue
+++ b/pages/index.vue
@@ -49,6 +49,7 @@
 <script setup lang="ts">
 definePageMeta({layout: false})
 import {computed, onMounted, ref} from "vue"
+import { useApiAuthHeader } from "~/composables/useApiAuth"
 
 type DiskSourceResult = {
   key: string
@@ -77,6 +78,7 @@ type DiagramItem = {
 const selectedBackup = ref<string | null>(null)
 const rawResults = ref<DiskSourceResult[]>([])
 const loading = ref(false)
+const apiAuthHeader = useApiAuthHeader()
 const chartRadius = 52
 const chartCircumference = 2 * Math.PI * chartRadius
 
@@ -151,7 +153,9 @@ const runScript = async () => {
   rawResults.value = []
 
   try {
-    const output = await $fetch<DiskApiResponse>("/api/disk")
+    const output = await $fetch<DiskApiResponse>("/api/disk", {
+      headers: apiAuthHeader
+    })
     rawResults.value = output.results
   } catch (error) {
     const message = `Erreur: ${error instanceof Error ? error.message : String(error)}`
diff --git a/server/api/backup-script.post.ts b/server/api/backup-script.post.ts
index 487d786..a9eb7b1 100644
--- a/server/api/backup-script.post.ts
+++ b/server/api/backup-script.post.ts
@@ -1,4 +1,4 @@
-import { exec } from "node:child_process"
+import { execFile } from "node:child_process"
 import scripts from "../config/backup-script.json"
 
 type BackupScript = {
@@ -6,11 +6,12 @@ type BackupScript = {
   label: string
   downloadFolders?: string[]
   command: string
+  args?: string[]
 }
 
-function runCommand(command: string): Promise<string> {
+function runCommand(command: string, args: string[] = []): Promise<string> {
   return new Promise((resolve, reject) => {
-    exec(command, { timeout: 10 * 60 * 1000 }, (error, stdout, stderr) => {
+    execFile(command, args, { timeout: 10 * 60 * 1000 }, (error, stdout, stderr) => {
       if (error) {
         reject(stderr || error.message)
         return
@@ -40,7 +41,7 @@ export default defineEventHandler(async (event) => {
   }
 
   try {
-    const output = await runCommand(script.command)
+    const output = await runCommand(script.command, script.args || [])
     return {
       ok: true,
       key: script.key,
diff --git a/server/api/disk.get.ts b/server/api/disk.get.ts
index da537a9..0c59016 100644
--- a/server/api/disk.get.ts
+++ b/server/api/disk.get.ts
@@ -1,10 +1,11 @@
-import { exec } from "child_process"
+import { execFile } from "child_process"
 import diskSources from "../config/disk-commands.json"
 
 type DiskSource = {
   key: string
   label: string
   command: string
+  args?: string[]
 }
 
 function getCommand(source: DiskSource) {
@@ -15,9 +16,9 @@ function getCommand(source: DiskSource) {
   return process.env[envKey] || (legacyEnvKey ? process.env[legacyEnvKey] : undefined) || source.command
 }
 
-function runCommand(command: string): Promise<string> {
+function runCommand(command: string, args: string[] = []): Promise<string> {
   return new Promise((resolve, reject) => {
-    exec(command, (error, stdout, stderr) => {
+    execFile(command, args, (error, stdout, stderr) => {
       if (error) {
         reject(stderr || error.message)
         return
@@ -31,7 +32,7 @@ export default defineEventHandler(async () => {
   const results = await Promise.all(
     (diskSources as DiskSource[]).map(async (source) => {
       try {
-        const output = await runCommand(getCommand(source))
+        const output = await runCommand(source.command, source.args || [])
         return {
           key: source.key,
           label: source.label,
diff --git a/server/config/backup-script.json b/server/config/backup-script.json
index 00b6829..6d6a054 100644
--- a/server/config/backup-script.json
+++ b/server/config/backup-script.json
@@ -4,19 +4,31 @@
     "label": "Backup BDD recette",
     "icon": "mdi:database-export",
     "downloadFolders": ["ferme", "inventory", "sirh", "user"],
-    "command": "ssh ferme 'cd /home/malio/Malio-ops/RecetteScripts && bash backup-bdd-recette.sh && exit'"
+    "command": "ssh",
+    "args": [
+      "ferme",
+      "cd /home/malio/Malio-ops/RecetteScripts && bash backup-bdd-recette.sh"
+    ]
   },
   {
     "key": "check-statut-recette",
     "label": "Check statut recette",
     "icon": "mdi:server-network",
-    "command": "ssh ferme 'cd /home/malio/Malio-ops/RecetteScripts && bash check-statut-recette.sh && exit'"
+    "command": "ssh",
+    "args": [
+      "ferme",
+      "cd /home/malio/Malio-ops/RecetteScripts && bash check-statut-recette.sh"
+    ]
   },
   {
     "key": "backup-vaultwarden",
     "label": "Backup vaultwarden",
     "icon": "mdi:data",
     "downloadFolders": ["bitwarden"],
-    "command": "ssh bitwarden 'cd /home/matt/vaultwarden/Malio-ops/BackupVaultWarden && bash backup-vaultwarden.sh && exit'"
+    "command": "ssh",
+    "args": [
+      "bitwarden",
+      "cd /home/matt/vaultwarden/Malio-ops/BackupVaultWarden && bash backup-vaultwarden.sh"
+    ]
   }
-]
+]
\ No newline at end of file
diff --git a/server/config/disk-commands.json b/server/config/disk-commands.json
index 17e5c31..3c2e664 100644
--- a/server/config/disk-commands.json
+++ b/server/config/disk-commands.json
@@ -2,11 +2,18 @@
   {
     "key": "remote",
     "label": "Serveur distant",
-    "command": "ssh malio-b 'cd /home/malio-b/Malio-ops/CheckStorage && bash check-storage.sh && exit'"
+    "command": "ssh",
+    "args": [
+      "malio-b",
+      "cd /home/malio-b/Malio-ops/CheckStorage && bash check-storage.sh"
+    ]
   },
   {
     "key": "local",
     "label": "Machine locale",
-    "command": "bash /home/kevin/check_storage.sh"
+    "command": "bash",
+    "args": [
+      "/home/kevin/check_storage.sh"
+    ]
   }
-]
+]
\ No newline at end of file
diff --git a/server/middleware/auth.ts b/server/middleware/auth.ts
new file mode 100644
index 0000000..707f959
--- /dev/null
+++ b/server/middleware/auth.ts
@@ -0,0 +1,30 @@
+export default defineEventHandler((event) => {
+  const path = event.path || event.node.req.url || ""
+
+  // Le middleware ne s'applique qu'aux routes API, sauf l'endpoint de ping
+  // qui reste public pour les tests de connectivite.
+  if (!path.startsWith("/api/") || path === "/api/ping") {
+    return
+  }
+
+  const runtimeConfig = useRuntimeConfig(event)
+  const authorization = getHeader(event, "authorization")
+  const expectedToken = runtimeConfig.apiSecretKey
+
+  // Si aucun secret n'est configure cote serveur, on refuse la requete.
+  if (!expectedToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized"
+    })
+  }
+
+  // Le header doit correspondre exactement au format attendu :
+  // Authorization: Bearer <token>
+  if (authorization !== `Bearer ${expectedToken}`) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized"
+    })
+  }
+})