Fix token delete security bug

api.go

@@ -194,6 +194,30 @@ func (a *Api) CreateToken(tokenData TokenData, params url.Values) (string, error
 	return token, nil
 }
 
+func (a *Api) DeleteToken(tokenData TokenData, params url.Values) error {
+	token := params.Get("token")
+	if token == "" {
+		return errors.New("Invalid token parameter")
+	}
+
+	delTokenData, exists := a.db.GetTokenData(token)
+	if !exists {
+		return errors.New("Token doesn't exist")
+	}
+
+	if tokenData.Owner != delTokenData.Owner {
+		user, _ := a.db.GetUser(tokenData.Owner)
+		if !user.IsAdmin {
+			return errors.New("Unauthorized")
+		}
+	}
+
+	a.db.DeleteTokenData(token)
+
+	return nil
+
+}
+
 func (a *Api) handleTunnels(w http.ResponseWriter, r *http.Request) {
 
 	token, err := extractToken("access_token", r)

ui_handler.go

@@ -319,7 +319,7 @@ func (h *WebUiHandler) handleWebUiRequest(w http.ResponseWriter, r *http.Request
 	case "/confirm-delete-token":
 		h.confirmDeleteToken(w, r)
 	case "/delete-token":
-		h.deleteToken(w, r)
+		h.deleteToken(w, r, tokenData)
 	//case "/ssh-keys":
 	//	h.handleSshKeys(w, r, user, tokenData)
 	//case "/delete-ssh-key":
@@ -670,20 +670,17 @@ func (h *WebUiHandler) confirmDeleteToken(w http.ResponseWriter, r *http.Request
 	tmpl.Execute(w, data)
 }
 
-func (h *WebUiHandler) deleteToken(w http.ResponseWriter, r *http.Request) {
-	r.ParseForm()
+func (h *WebUiHandler) deleteToken(w http.ResponseWriter, r *http.Request, tokenData TokenData) {
 
-	if len(r.Form["token"]) != 1 {
-		w.WriteHeader(400)
-		w.Write([]byte("Invalid token parameter"))
+	r.ParseForm()
+	err := h.api.DeleteToken(tokenData, r.Form)
+	if err != nil {
+		w.WriteHeader(500)
+		h.alertDialog(w, r, err.Error(), "/#/tokens")
 		return
 	}
-	token := r.Form["token"][0]
-
-	h.db.DeleteTokenData(token)
 
 	http.Redirect(w, r, "/#/tokens", 303)
-
 }
 
 func (h *WebUiHandler) alertDialog(w http.ResponseWriter, r *http.Request, message, redirectUrl string) error {