fix: CSRF vulnerability

backend/WebUI/api_webui.go

@@ -463,9 +463,11 @@ func Login(c *gin.Context) {
 	userId := userData["userId"].(string)
 	tenantId := userData["tenantId"].(string)
 
-	logger.ProcLog.Warnln("Login success", login.Username)
-	logger.ProcLog.Warnln("userid", userId)
-	logger.ProcLog.Warnln("tenantid", tenantId)
+	logger.ProcLog.Warnln("Login success {",
+		"username:", login.Username,
+		", userid:", userId,
+		", tenantid:", tenantId,
+		"}")
 
 	token := JWT(login.Username, userId, tenantId)
 	logger.ProcLog.Warnln("token", token)
@@ -504,7 +506,9 @@ func ParseJWT(tokenStr string) (jwt.MapClaims, error) {
 // Check of admin user. This should be done with proper JWT token.
 func CheckAuth(c *gin.Context) bool {
 	tokenStr := c.GetHeader("Token")
-	if tokenStr == "admin" {
+	claims, err := ParseJWT(tokenStr)
+
+	if err == nil && claims["email"] == "admin" {
 		return true
 	} else {
 		return false
@@ -514,7 +518,7 @@ func CheckAuth(c *gin.Context) bool {
 // Tenant ID
 func GetTenantId(c *gin.Context) (string, error) {
 	tokenStr := c.GetHeader("Token")
-	if tokenStr == "admin" {
+	if !CheckAuth(c) {
 		return "", nil
 	}
 	claims, err := ParseJWT(tokenStr)
@@ -530,7 +534,7 @@ func GetTenants(c *gin.Context) {
 	setCorsHeader(c)
 
 	if !CheckAuth(c) {
-		c.JSON(http.StatusNotFound, bson.M{})
+		c.JSON(http.StatusNotFound, gin.H{"cause": "Illegal Token"})
 		return
 	}
 
@@ -932,12 +936,7 @@ func GetSubscribers(c *gin.Context) {
 	logger.ProcLog.Infoln("Get All Subscribers List")
 
 	tokenStr := c.GetHeader("Token")
-
-	var claims jwt.MapClaims = nil
-	var err error = nil
-	if tokenStr != "admin" {
-		claims, err = ParseJWT(tokenStr)
-	}
+	claims, err := ParseJWT(tokenStr)
 	if err != nil {
 		logger.ProcLog.Errorln(err.Error())
 		c.JSON(http.StatusBadRequest, gin.H{
@@ -975,7 +974,7 @@ func GetSubscribers(c *gin.Context) {
 			return
 		}
 
-		if tokenStr == "admin" || tenantId == claims["tenantId"].(string) {
+		if claims["email"] == "admin" || tenantId == claims["tenantId"].(string) {
 			tmp := SubsListIE{
 				PlmnID: servingPlmnId.(string),
 				UeId:   ueId.(string),
@@ -1156,13 +1155,8 @@ func PostSubscriberByID(c *gin.Context) {
 	setCorsHeader(c)
 	logger.ProcLog.Infoln("Post One Subscriber Data")
 
-	var claims jwt.MapClaims = nil
-	var err error = nil
 	tokenStr := c.GetHeader("Token")
-
-	if tokenStr != "admin" {
-		claims, err = ParseJWT(tokenStr)
-	}
+	claims, err := ParseJWT(tokenStr)
 	if err != nil {
 		logger.ProcLog.Errorln(err.Error())
 		c.JSON(http.StatusBadRequest, gin.H{
@@ -1571,7 +1565,6 @@ func GetRegisteredUEContext(c *gin.Context) {
 	webuiSelf.UpdateNfProfiles()
 
 	supi, supiExists := c.Params.Get("supi")
-
 	// TODO: support fetching data from multiple AMFs
 	if amfUris := webuiSelf.GetOamUris(models.NfType_AMF); amfUris != nil {
 		var requestUri string

backend/webui_service/webui_init.go

@@ -6,6 +6,8 @@ import (
 
 	"github.com/gin-contrib/cors"
 	"github.com/sirupsen/logrus"
+	"go.mongodb.org/mongo-driver/bson"
+	"golang.org/x/crypto/bcrypt"
 
 	"github.com/free5gc/util/mongoapi"
 	"github.com/free5gc/webconsole/backend/WebUI"
@@ -77,6 +79,29 @@ func (a *WebuiApp) Start(tlsKeyLogPath string) {
 		return
 	}
 
+	// Create admin account
+	filter := bson.M{"email": "admin"}
+	hash, err := bcrypt.GenerateFromPassword([]byte("free5gc"), 12)
+	if err != nil {
+		logger.InitLog.Errorf("GenerateFromPassword err: %+v", err)
+	}
+
+	data := bson.M{
+		"userId":            "1",
+		"tenantId":          "1",
+		"email":             "admin",
+		"encryptedPassword": string(hash),
+	}
+
+	existed, err := mongoapi.RestfulAPIPutOne("userData", filter, data)
+	if err != nil {
+		logger.InitLog.Errorf("RestfulAPIPutOne err: %+v", err)
+	}
+
+	if existed {
+		logger.InitLog.Infof("Admin existed.")
+	}
+
 	logger.InitLog.Infoln("Server started")
 
 	router := WebUI.NewRouter()

frontend/src/components/SideBar/Nav.js

@@ -9,7 +9,7 @@ class Nav extends Component {
     let {location} = this.props;
     let user = LocalStorageHelper.getUserInfo();
     let childView = "";
-    if (user.accessToken === "admin") {
+    if (user.username === "admin") {
       childView = (
           <li className={this.isPathActive('/tenants') ? 'active' : null}>
           <Link to="/tenants">

frontend/src/pages/Auth/Login.js

@@ -16,7 +16,7 @@ class Login extends Component {
     password: "",
   };
 
-  conponentWillMount() {
+  componentWillMount() {
     this.setState({
       submitDisabled: false,
       errorMsg: "",

frontend/src/util/AuthHelper.js

@@ -14,24 +14,20 @@ export default class AuthHelper {
    * @return {Promise<(boolean|string)>} true for success, string for error message
    */
   static async login(username, password) {
-    if (username === config.USERNAME && password === config.PASSWORD) {
-      let user = new User(username, "System Administrator", "admin");
+    let response = await ApiHelper.login({username: username, password: password});
+
+    if (response !== undefined && response.status === 200) {
+      var user = null
+      if (username == "admin") {
+        user = new User(username, "System Administrator", response.data.access_token);
+      } else {
+        user = new User(username, "User", response.data.access_token);
+      }
       LocalStorageHelper.setUserInfo(user);
       store.dispatch(authActions.setUser(user));
       return true;
     } else {
-      let response = await ApiHelper.login({username: username, password: password});
-      if (response === undefined) {
-        return false;
-      }
-      if (response.status === 200) {
-        let user = new User(username, "User", response.data.access_token);
-        LocalStorageHelper.setUserInfo(user);
-        store.dispatch(authActions.setUser(user));
-        return true;
-      } else {
-        return false;
-      }
+      return false;
     }
   }