security: Require explicit token for agent downloads

- Remove server_id auto-resolution from validateAndGetToken()
- Links in edit.twig now use token instead of server_id
- Add agent_token retrieval in ServerController::edit()
mirivlad 2026-04-17 09:55:45 +08:00
parent 6ec03325be
commit c8d0bc4a40
3 changed files with 15 additions and 14 deletions


@ -15,17 +15,6 @@ class AgentController extends Model
{
$queryParams = $request->getQueryParams();
$token = $queryParams['token'] ?? null;
$server_id = $queryParams['server_id'] ?? null;
if (!empty($server_id) && empty($token)) {
$stmt = $this->pdo->prepare("SELECT encrypted_token FROM agent_tokens WHERE server_id = :server_id LIMIT 1");
$stmt->execute([':server_id' => $server_id]);
$result = $stmt->fetch();
if ($result && !empty($result['encrypted_token'])) {
$token = EncryptionHelper::decrypt($result['encrypted_token']);
}
}
if (empty($token)) {
$response->getBody()->write('Token is required');
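Review bot: `$token = $queryParams['token'] ?? null;` accepts whatever shape the query string carries, so `?token[]=x` yields an array that passes the `empty()` check at the bottom of the hunk and reaches whatever comparison follows. Replace the guard with `if (!is_string($token) || $token === '') {` so only a non-empty string continues; this also stops `empty()` rejecting a token that is literally `"0"`. Now that the token is the only credential on this endpoint and it arrives in a GET query string, it will show up in access logs and browser history, which deserves a one-line comment above the lookup if that is an accepted trade-off. The code after the error write, presumably the lookup and comparison against the stored token, is outside the hunk and validateAndGetToken() starts before and ends after it, so I cannot confirm a constant-time compare (`hash_equals`) is used there.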


@ -127,6 +127,11 @@ class ServerController extends Model
$stmt->execute();
$groups = $stmt->fetchAll();
$stmt = $this->pdo->prepare("SELECT encrypted_token FROM agent_tokens WHERE server_id = :server_id");
$stmt->execute([':server_id' => $id]);
$tokenRow = $stmt->fetch();
$decryptedToken = $tokenRow ? \App\Utils\EncryptionHelper::decrypt($tokenRow['encrypted_token']) : null;
if (!$server) {
return $response->withHeader('Location', '/servers')->withStatus(302);
}
@ -134,7 +139,8 @@ class ServerController extends Model
$templateData = [
'title' => 'Редактировать сервер',
'server' => $server,
'groups' => $groups
'groups' => $groups,
'agent_token' => $decryptedToken
];
return $this->twig->render($response, 'servers/edit.twig', $templateData);
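Review bot: The new token lookup at the top of the first hunk runs before the `if (!$server)` redirect and calls `EncryptionHelper::decrypt()` whenever a row exists, even when `encrypted_token` is empty; the sibling lookup in AgentController guards on `!empty($result['encrypted_token'])`, so an empty or corrupt row that would be skipped there is decrypted here, and a decrypt failure would take down the edit page instead of just hiding the install links. I would move the query below the guard, add the same non-empty check, and cap it with `LIMIT 1` for parity; importing `App\Utils\EncryptionHelper` with a `use` at the top of the file instead of the inline fully-qualified name would match how AgentController references it. edit() starts before this section and its closing brace is outside the hunk.
```php
if (!$server) {
    return $response->withHeader('Location', '/servers')->withStatus(302);
}
// Decrypted agent token for the install links; null when no usable row exists.
$stmt = $this->pdo->prepare("SELECT encrypted_token FROM agent_tokens WHERE server_id = :server_id LIMIT 1");
$stmt->execute([':server_id' => $id]);
$tokenRow = $stmt->fetch();
$decryptedToken = ($tokenRow && !empty($tokenRow['encrypted_token']))
    ? \App\Utils\EncryptionHelper::decrypt($tokenRow['encrypted_token'])
    : null;
// … unchanged: $templateData and render …
```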


@ -53,14 +53,15 @@
<div class="mt-4">
<h5>Управление агентом мониторинга:</h5>
{% if agent_token %}
<div class="row">
<div class="col-md-4 mb-2">
<a href="/agent/install.sh?server_id={{ server.id }}" class="btn btn-outline-primary w-100">
<a href="/agent/install.sh?token={{ agent_token }}" class="btn btn-outline-primary w-100">
<i class="fab fa-linux"></i> Агент для Linux
</a>
</div>
<div class="col-md-4 mb-2">
<a href="/agent/install.bat?server_id={{ server.id }}" class="btn btn-outline-info w-100">
<a href="/agent/install.bat?token={{ agent_token }}" class="btn btn-outline-info w-100">
<i class="fab fa-windows"></i> Агент для Windows
</a>
</div>
@ -71,6 +72,11 @@
</div>
</div>
<p class="mt-2">Если вы потеряли доступ к агенту или хотите создать новый токен безопасности, используйте кнопку "Сбросить токен".</p>
{% else %}
<div class="alert alert-warning">
Токен агента не создан. <a href="/servers/{{ server.id }}/regenerate-token">Создать токен</a>
</div>
{% endif %}
</div>
</div>
</div>
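Review bot: `{{ agent_token }}` in the two new hrefs is escaped for HTML, not for a URL query component, so a token containing `+`, `&`, `=` or `/` (typical for base64 material) would be altered or truncated when the link is followed and the download would fail its token check; use `href="/agent/install.sh?token={{ agent_token|url_encode }}"` and the same for install.bat. Placing the secret in a GET URL also leaves it in proxy and server access logs, browser history and any Referer header sent from the downloaded page, which is tolerable for a one-shot install link only if that exposure is understood. The new fallback at the bottom of the section links to `/servers/{{ server.id }}/regenerate-token` with a plain anchor; if that route is served on GET it is a state-changing action reachable by a crafted link, so a POST form carrying the app's CSRF token would be safer — the route's method is not visible from here.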