MALIO-DEV/Supervisor
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix/correctif-sec #12

Merged
kevin merged 3 commits from fix/correctif-sec into develop 2026-03-13 08:48:27 +00:00
Conversation 1 Commits 3 Files Changed 18 +303 -61
18 changed files with 303 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
components/BackupList.vue
View File

@@ -22,6 +22,13 @@
</div>
</div>
<div v-else-if="errorMessage" class="empty-state error-state">
<IconifyIcon icon="mdi:alert-circle-outline" class="text-3xl text-m-error/70" />
<p class="mt-2 font-mono text-xs text-m-error/80">
{{ errorMessage }}
</p>
</div>
<div v-else-if="backups.length === 0" class="empty-state">
<IconifyIcon icon="mdi:file-hidden" class="text-3xl text-m-muted/40" />
<p class="mt-2 font-mono text-xs text-m-muted/50">
@@ -55,6 +62,7 @@
import {Icon as IconifyIcon} from "@iconify/vue"
import CircleSkeleton from "~/components/skeleton/CircleSkeleton.vue"
import TextSkeleton from "~/components/skeleton/TextSkeleton.vue"
import { apiFetch, downloadApiFile } from "~/composables/useApiAuth"
const props = defineProps<{
folder: string | null
@@ -62,31 +70,42 @@ const props = defineProps<{
const backups = ref<string[]>([])
const loading = ref(false)
const errorMessage = ref("")
const title = computed(() => {
if (!props.folder) return "Fichiers"
return `Backup — ${props.folder.toUpperCase()}`
})
const downloadBackup = (file: string) => {
const downloadBackup = async (file: string) => {
if (!props.folder) return
const url = `/api/download?folder=${encodeURIComponent(props.folder)}&file=${encodeURIComponent(file)}`
window.location.href = url
errorMessage.value = ""
try {
await downloadApiFile(url, file)
} catch (error) {
console.error("Erreur telechargement backup:", error)
errorMessage.value = "Erreur lors de l'opération"
}
}
watch(() => props.folder, async (folder) => {
if (!folder) {
loading.value = false
backups.value = []
errorMessage.value = ""
return
}
loading.value = true
errorMessage.value = ""
try {
const data = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`)
const data = await apiFetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`)
backups.value = data
} catch (error) {
console.error("Erreur récupération backups:", error)
backups.value = []
errorMessage.value = "Erreur lors de l'opération"
} finally {
loading.value = false
}
@@ -120,6 +139,12 @@ watch(() => props.folder, async (folder) => {
padding: 2.5rem 1rem;
}
.error-state {
border-radius: 8px;
border: 1px solid rgb(var(--m-error) / 0.12);
background: rgb(var(--m-error) / 0.06);
}
.file-list {
display: flex;
flex-direction: column;

9
components/BackupRun.vue
View File

@@ -79,6 +79,7 @@
<script setup lang="ts">
import { computed, onMounted, ref } from "vue"
import { Icon as IconifyIcon } from "@iconify/vue"
import { apiFetch } from "~/composables/useApiAuth"
type BackupScript = {
key: string
@@ -134,12 +135,12 @@ const loadScripts = async () => {
downloadFolders: []
})
try {
const data = await $fetch<BackupScriptListResponse>("/api/backup-script")
const data = await apiFetch<BackupScriptListResponse>("/api/backup-script")
scripts.value = data.scripts
} catch (error) {
scripts.value = []
isError.value = true
message.value = `Erreur chargement scripts: ${error instanceof Error ? error.message : String(error)}`
message.value = "Erreur lors de l'opération"
emit("result", {
key: null,
label: "",
@@ -160,7 +161,7 @@ const runScript = async (key: string) => {
isError.value = false
try {
const data = await $fetch<BackupScriptRunResponse>("/api/backup-script", {
const data = await apiFetch<BackupScriptRunResponse>("/api/backup-script", {
method: "POST",
body: { key }
})
@@ -175,7 +176,7 @@ const runScript = async (key: string) => {
})
} catch (error: any) {
isError.value = true
message.value = error?.data?.statusMessage || "Erreur execution script"
message.value = error?.data?.statusMessage || "Erreur lors de l'opération"
output.value = ""
emit("result", {
key,

22
components/MessageDiscord.vue
View File

@@ -1,6 +1,11 @@
<script setup>
import {Icon as IconifyIcon} from "@iconify/vue"
const { data: messages } = await useFetch('/api/discord/messages')
import { apiFetch } from "~/composables/useApiAuth"
const { data: messages, error } = await useFetch('/api/discord/messages', {
$fetch: apiFetch,
server: false
})
</script>
<template>
@@ -13,7 +18,14 @@ const { data: messages } = await useFetch('/api/discord/messages')
<span class="font-mono text-[10px] text-m-muted tracking-widest uppercase">Messages</span>
</div>
<div v-if="!messages || messages.length === 0" class="empty-state">
<div v-if="error" class="empty-state error-state">
<IconifyIcon icon="mdi:alert-circle-outline" class="text-3xl text-m-error/70" />
<p class="mt-2 font-mono text-xs text-m-error/80">
Erreur lors de l'opération
</p>
</div>
<div v-else-if="!messages || messages.length === 0" class="empty-state">
<IconifyIcon icon="mdi:chat-outline" class="text-3xl text-m-muted/40" />
<p class="mt-2 font-mono text-xs text-m-muted/50">
Aucun message
@@ -74,6 +86,12 @@ const { data: messages } = await useFetch('/api/discord/messages')
padding: 2rem 1rem;
}
.error-state {
border-radius: 8px;
border: 1px solid rgb(var(--m-error) / 0.12);
background: rgb(var(--m-error) / 0.06);
}
.message-list {
display: flex;
flex-direction: column;

36
components/Speedtest.vue
View File

@@ -36,17 +36,23 @@
</div>
</div>
</div>
<p v-if="errorMessage" class="error-text" role="status" aria-live="polite">
{{ errorMessage }}
</p>
</div>
</template>
<script setup lang="ts">
import {computed, ref} from "vue"
import {Icon as IconifyIcon} from "@iconify/vue"
import { apiRequest } from "~/composables/useApiAuth"
const ping = ref<number | null>(null)
const download = ref<number | null>(null)
const upload = ref<number | null>(null)
const isTesting = ref(false)
const errorMessage = ref("")
const metrics = computed(() => [
{ label: "Download", icon: "mdi:arrow-down-bold", value: download.value, unit: "Mbps" },
@@ -56,7 +62,10 @@ const metrics = computed(() => [
async function testDownload() {
const start = performance.now()
const res = await fetch('/api/download')
const res = await apiRequest('/api/download')
if (!res.ok) {
throw new Error(`HTTP ${res.status}`)
}
const blob = await res.blob()
const end = performance.now()
const size = blob.size
@@ -68,7 +77,10 @@ async function testUpload() {
const size = 5 * 1024 * 1024
const data = new Uint8Array(size)
const start = performance.now()
await fetch('/api/upload', { method: 'POST', body: data })
const response = await apiRequest('/api/upload', { method: 'POST', body: data })
if (!response.ok) {
throw new Error(`HTTP ${response.status}`)
}
matthieu commented 2026-03-13 08:17:33 +00:00
Review
Copy Link

Idem ici inclure en auto withApiAuth dans un fetch global

Idem ici inclure en auto withApiAuth dans un fetch global
const end = performance.now()
const seconds = (end - start) / 1000
upload.value = Math.round((size * 8) / seconds / 1000000)
@@ -76,7 +88,10 @@ async function testUpload() {
async function testPing() {
const start = performance.now()
await fetch('/api/ping')
const response = await fetch('/api/ping')
if (!response.ok) {
throw new Error(`HTTP ${response.status}`)
}
const end = performance.now()
ping.value = Math.round(end - start)
}
@@ -86,11 +101,15 @@ async function runTests() {
download.value = null
upload.value = null
ping.value = null
errorMessage.value = ""
try {
await testDownload()
await testUpload()
await testPing()
} catch (error) {
console.error("Erreur speedtest:", error)
errorMessage.value = "Erreur lors de l'opération"
} finally {
isTesting.value = false
}
@@ -189,4 +208,15 @@ async function runTests() {
letter-spacing: 0.1em;
color: rgb(var(--m-muted));
}
.error-text {
margin-top: 0.75rem;
border-radius: 8px;
border: 1px solid rgb(var(--m-error) / 0.12);
background: rgb(var(--m-error) / 0.06);
padding: 0.75rem 0.875rem;
font-family: var(--font-mono);
font-size: 0.75rem;
color: rgb(var(--m-error));
}
</style>

3
components/StatusSite.vue
View File

@@ -43,6 +43,7 @@
import CircleSkeleton from "~/components/skeleton/CircleSkeleton.vue"
import TextSkeleton from "~/components/skeleton/TextSkeleton.vue"
import {onBeforeUnmount, onMounted, ref} from "vue"
import { apiFetch } from "~/composables/useApiAuth"
interface StatusRow {
label: string
@@ -84,7 +85,7 @@ const checkStatus = async () => {
loading.value = true
}
try {
const data = await $fetch<StatusResponse>(props.endpoint)
const data = await apiFetch<StatusResponse>(props.endpoint)
rows.value = data.results
} catch (error) {
rows.value = [

75
composables/useApiAuth.ts Normal file
View File

@@ -0,0 +1,75 @@
function toHeadersObject(headers?: HeadersInit): Record<string, string> {
if (!headers) {
return {}
}
if (headers instanceof Headers) {
return Object.fromEntries(headers.entries())
}
if (Array.isArray(headers)) {
return Object.fromEntries(headers)
}
return { ...headers }
}
function getDownloadFileName(contentDisposition: string | null, fallback: string) {
if (!contentDisposition) {
return fallback
}
const utf8Match = contentDisposition.match(/filename\*=UTF-8''([^;]+)/i)
if (utf8Match?.[1]) {
return decodeURIComponent(utf8Match[1])
}
const asciiMatch = contentDisposition.match(/filename="([^"]+)"/i)
if (asciiMatch?.[1]) {
return asciiMatch[1]
}
return fallback
}
export function withApiAuth(init: RequestInit = {}) {
// Les appels frontend reutilisent les cookies httpOnly poses cote serveur.
return {
...init,
headers: {
...toHeadersObject(init.headers)
}
}
}
export const apiFetch = $fetch.create({})
export function apiRequest(input: RequestInfo | URL, init: RequestInit = {}) {
return fetch(input, withApiAuth(init))
}
export async function downloadApiFile(url: string, fileNameFallback: string) {
// Les telechargements passent aussi par fetch pour pouvoir recuperer
// le contenu et le nom de fichier renvoye par l'API.
const response = await apiRequest(url)
if (!response.ok) {
throw new Error(`HTTP ${response.status}`)
}
const blob = await response.blob()
const objectUrl = URL.createObjectURL(blob)
const fileName = getDownloadFileName(
response.headers.get("content-disposition"),
fileNameFallback
)
const link = document.createElement("a")
link.href = objectUrl
link.download = fileName
link.style.display = "none"
document.body.appendChild(link)
link.click()
link.remove()
URL.revokeObjectURL(objectUrl)
}

3
nuxt.config.ts
View File

@@ -26,7 +26,7 @@ export default defineNuxtConfig({
head: {
link: [
{ rel: "preconnect", href: "https://fonts.googleapis.com" },
{ rel: "preconnect", href: "https://fonts.gstatic.com", crossorigin: "" },
{ rel: "preconnect", href: "https://fonts.gstatic.com ", crossorigin: "" },
{
rel: "stylesheet",
href: "https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500;600;700&family=Outfit:wght@300;400;500;600;700;800;900&display=swap"
@@ -35,6 +35,7 @@ export default defineNuxtConfig({
}
},
runtimeConfig: {
apiSecretKey: process.env.API_SECRET_KEY,
public: {
appVersion: getRepoVersion()
matthieu commented 2026-03-13 08:18:30 +00:00
Outdated
Review
Copy Link

runtimeConfig: {
apiSecretKey: process.env.API_SECRET_KEY,
public: {
apiSecretKey: process.env.API_SECRET_KEY || "",

PK il y est deux fois

runtimeConfig: { apiSecretKey: process.env.API_SECRET_KEY, public: { apiSecretKey: process.env.API_SECRET_KEY || "", PK il y est deux fois
}

27
pages/backup.vue
View File

@@ -96,6 +96,7 @@
<script setup lang="ts">
import { ref } from "vue"
import BackupRun from "~/components/BackupRun.vue"
import { apiFetch, downloadApiFile } from "~/composables/useApiAuth"
definePageMeta({ layout: false })
@@ -119,33 +120,25 @@ const selectedBackup = ref<string | null>(null)
const scriptResult = ref<ScriptResult>(emptyScriptResult())
const fetchLatestBackup = async (folder: string) => {
const files = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`)
const files = await apiFetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`)
return files[0] || null
}
matthieu commented 2026-03-13 08:18:55 +00:00
Outdated
Review
Copy Link

ici fetch global et les autres endroit

ici fetch global et les autres endroit
const triggerDownload = (folder: string, file: string) => {
const link = document.createElement("a")
link.href = `/api/download?folder=${encodeURIComponent(folder)}&file=${encodeURIComponent(file)}`
link.style.display = "none"
document.body.appendChild(link)
link.click()
link.remove()
const triggerDownload = async (folder: string, file: string) => {
const url = `/api/download?folder=${encodeURIComponent(folder)}&file=${encodeURIComponent(file)}`
await downloadApiFile(url, file)
}
const triggerBatchDownload = (folders: string[]) => {
const link = document.createElement("a")
link.href = `/api/download-latest?folders=${encodeURIComponent(folders.join(","))}`
link.style.display = "none"
document.body.appendChild(link)
link.click()
link.remove()
const triggerBatchDownload = async (folders: string[]) => {
const url = `/api/download-latest?folders=${encodeURIComponent(folders.join(","))}`
await downloadApiFile(url, "backup-latest.tar.gz")
}
const downloadLatestBackup = async (folder: string) => {
const latestFile = await fetchLatestBackup(folder)
if (latestFile) {
triggerDownload(folder, latestFile)
await triggerDownload(folder, latestFile)
}
}
@@ -157,7 +150,7 @@ const handleScriptResult = async (payload: ScriptResult) => {
}
if (payload.downloadFolders.length > 1) {
triggerBatchDownload(payload.downloadFolders)
await triggerBatchDownload(payload.downloadFolders)
return
}

6
pages/index.vue
View File

@@ -49,6 +49,7 @@
<script setup lang="ts">
definePageMeta({layout: false})
import {computed, onMounted, ref} from "vue"
import { apiFetch } from "~/composables/useApiAuth"
type DiskSourceResult = {
key: string
@@ -151,16 +152,15 @@ const runScript = async () => {
rawResults.value = []
try {
const output = await $fetch<DiskApiResponse>("/api/disk")
const output = await apiFetch<DiskApiResponse>("/api/disk")
rawResults.value = output.results
} catch (error) {
const message = `Erreur: ${error instanceof Error ? error.message : String(error)}`
rawResults.value = [
{
key: "error",
label: "Source indisponible",
ok: false,
output: message
output: "Erreur lors de l'opération"
}
]
} finally {

13
server/api/backup-script.post.ts
View File

@@ -1,4 +1,4 @@
import { exec } from "node:child_process"
import { execFile } from "node:child_process"
import scripts from "../config/backup-script.json"
type BackupScript = {
@@ -6,11 +6,12 @@ type BackupScript = {
label: string
downloadFolders?: string[]
command: string
args?: string[]
}
function runCommand(command: string): Promise<string> {
function runCommand(command: string, args: string[] = []): Promise<string> {
return new Promise((resolve, reject) => {
exec(command, { timeout: 10 * 60 * 1000 }, (error, stdout, stderr) => {
execFile(command, args, { timeout: 10 * 60 * 1000 }, (error, stdout, stderr) => {
if (error) {
reject(stderr || error.message)
return
@@ -40,7 +41,7 @@ export default defineEventHandler(async (event) => {
}
try {
const output = await runCommand(script.command)
const output = await runCommand(script.command, script.args || [])
return {
ok: true,
key: script.key,
@@ -49,9 +50,11 @@ export default defineEventHandler(async (event) => {
output: output.trim()
}
} catch (error) {
console.error("Erreur execution script:", error)
throw createError({
statusCode: 500,
statusMessage: `Erreur execution script: ${String(error)}`
statusMessage: "Erreur lors de l'opération"
})
}
})

4
server/api/backups.get.ts
View File

@@ -31,9 +31,11 @@ function isMissingPathError(error: unknown): boolean {
}
function toServerError(error: unknown) {
console.error("Erreur backups:", error)
return createError({
statusCode: 500,
statusMessage: `Erreur SSH backups: ${String(error)}`
statusMessage: "Erreur lors de l'opération"
})
}

32
server/api/discord/messages.get.ts
View File

@@ -1,15 +1,31 @@
export default defineEventHandler(async () => {
const token = process.env.DISCORD_BOT_TOKEN
const channel = process.env.DISCORD_CHANNEL_ID
const token = process.env.DISCORD_BOT_TOKEN
const channel = process.env.DISCORD_CHANNEL_ID
if (!token || !channel) {
throw createError({
statusCode: 503,
statusMessage: "Service indisponible"
})
}
try {
const messages = await $fetch(
`https://discord.com/api/v10/channels/${channel}/messages?limit=20`,
{
headers: {
Authorization: `Bot ${token}`
}
`https://discord.com/api/v10/channels/${channel}/messages?limit=20`,
{
headers: {
Authorization: `Bot ${token}`
}
}
)
return messages
})
} catch (error) {
console.error("Erreur Discord messages:", error)
throw createError({
statusCode: 500,
statusMessage: "Erreur lors de l'opération"
})
}
})

12
server/api/disk.get.ts
View File

@@ -1,10 +1,11 @@
import { exec } from "child_process"
import { execFile } from "child_process"
import diskSources from "../config/disk-commands.json"
type DiskSource = {
key: string
label: string
command: string
args?: string[]
}
function getCommand(source: DiskSource) {
@@ -15,9 +16,9 @@ function getCommand(source: DiskSource) {
return process.env[envKey] || (legacyEnvKey ? process.env[legacyEnvKey] : undefined) || source.command
}
function runCommand(command: string): Promise<string> {
function runCommand(command: string, args: string[] = []): Promise<string> {
return new Promise((resolve, reject) => {
exec(command, (error, stdout, stderr) => {
execFile(command, args, (error, stdout, stderr) => {
if (error) {
reject(stderr || error.message)
return
@@ -31,7 +32,7 @@ export default defineEventHandler(async () => {
const results = await Promise.all(
(diskSources as DiskSource[]).map(async (source) => {
try {
const output = await runCommand(getCommand(source))
const output = await runCommand(source.command, source.args || [])
return {
key: source.key,
label: source.label,
@@ -39,11 +40,12 @@ export default defineEventHandler(async () => {
output
}
} catch (error) {
console.error(`Erreur disk source ${source.key}:`, error)
return {
key: source.key,
label: source.label,
ok: false,
output: `Erreur: ${String(error)}`
output: "Erreur lors de l'opération"
}
}
})

2
server/api/download.get.ts
View File

@@ -7,7 +7,7 @@ const REMOTE_ROOT = process.env.BACKUPS_REMOTE_ROOT || "/home/malio-b/backups"
const FOLDER_MAP = folderMap as Record<string, string>
const isSafeFolder = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
const isSafeFile = (value: string) => /^[^/\\]+$/.test(value)
const isSafeFile = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
const shellQuote = (value: string) => `'${value.replace(/'/g, `'\\''`)}'`
function runSsh(command: string): Promise<string> {

20
server/config/backup-script.json
View File

@@ -4,19 +4,31 @@
"label": "Backup BDD recette",
"icon": "mdi:database-export",
"downloadFolders": ["ferme", "inventory", "sirh", "user"],
"command": "ssh ferme 'cd /home/malio/Malio-ops/RecetteScripts && bash backup-bdd-recette.sh && exit'"
"command": "ssh",
"args": [
"ferme",
"cd /home/malio/Malio-ops/RecetteScripts && bash backup-bdd-recette.sh"
]
},
{
"key": "check-statut-recette",
"label": "Check statut recette",
"icon": "mdi:server-network",
"command": "ssh ferme 'cd /home/malio/Malio-ops/RecetteScripts && bash check-statut-recette.sh && exit'"
"command": "ssh",
"args": [
"ferme",
"cd /home/malio/Malio-ops/RecetteScripts && bash check-statut-recette.sh"
]
},
{
"key": "backup-vaultwarden",
"label": "Backup vaultwarden",
"icon": "mdi:data",
"downloadFolders": ["bitwarden"],
"command": "ssh bitwarden 'cd /home/matt/vaultwarden/Malio-ops/BackupVaultWarden && bash backup-vaultwarden.sh && exit'"
"command": "ssh",
"args": [
"bitwarden",
"cd /home/matt/vaultwarden/Malio-ops/BackupVaultWarden && bash backup-vaultwarden.sh"
]
}
]
]

13
server/config/disk-commands.json
View File

@@ -2,11 +2,18 @@
{
"key": "remote",
"label": "Serveur distant",
"command": "ssh malio-b 'cd /home/malio-b/Malio-ops/CheckStorage && bash check-storage.sh && exit'"
"command": "ssh",
"args": [
"malio-b",
"cd /home/malio-b/Malio-ops/CheckStorage && bash check-storage.sh"
]
},
{
"key": "local",
"label": "Machine locale",
"command": "bash /home/kevin/check_storage.sh"
"command": "bash",
"args": [
"/home/kevin/check_storage.sh"
]
}
]
]

25
server/middleware/auth-cookie.ts Normal file
View File

@@ -0,0 +1,25 @@
export default defineEventHandler((event) => {
const path = event.path || event.node.req.url || ""
if (path.startsWith("/api/")) {
return
}
const runtimeConfig = useRuntimeConfig(event)
const expectedToken = runtimeConfig.apiSecretKey
if (!expectedToken) {
return
}
if (getCookie(event, "api_auth_token") === expectedToken) {
return
}
setCookie(event, "api_auth_token", expectedToken, {
httpOnly: true,
sameSite: "lax",
secure: process.env.NODE_ENV === "production",
path: "/"
})
})

31
server/middleware/auth.ts Normal file
View File

@@ -0,0 +1,31 @@
export default defineEventHandler((event) => {
const path = event.path || event.node.req.url || ""
// Le middleware ne s'applique qu'aux routes API, sauf l'endpoint de ping
// qui reste public pour les tests de connectivite.
if (!path.startsWith("/api/") || path === "/api/ping") {
return
}
const runtimeConfig = useRuntimeConfig(event)
const authorization = getHeader(event, "authorization")
const cookieToken = getCookie(event, "api_auth_token")
const expectedToken = runtimeConfig.apiSecretKey
// Si aucun secret n'est configure cote serveur, on refuse la requete.
if (!expectedToken) {
throw createError({
statusCode: 401,
statusMessage: "Unauthorized"
})
}
// Le secret peut venir soit d'un header serveur explicite,
// soit du cookie httpOnly pose pour l'application web.
if (authorization !== `Bearer ${expectedToken}` && cookieToken !== expectedToken) {
throw createError({
statusCode: 401,
statusMessage: "Unauthorized"
})
}
})