From be416a5655b186b7081d74cbe5cbef4a5c312322 Mon Sep 17 00:00:00 2001
From: Alan Graham
Date: Tue, 25 Jun 2024 14:01:53 +0000
Subject: [PATCH] fix crash if can't authenticate
---
 api/v1/vpn/vpn.go | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/api/v1/vpn/vpn.go b/api/v1/vpn/vpn.go
index d050f6e..d46deb5 100644
--- a/api/v1/vpn/vpn.go
+++ b/api/v1/vpn/vpn.go
@@ -128,7 +128,38 @@ func readVPN(c *gin.Context) {
 }
 vpn := v.(*model.VPN)
- if account.Status == "Suspended" {
+ authorized := false
+
+ apikey := c.Request.Header.Get("X-API-KEY")
+
+ if apikey != "" && strings.HasPrefix(apikey, "device-api-") {
+
+ device, err := core.ReadDevice(vpn.DeviceID)
+ if err != nil {
+ log.WithFields(log.Fields{
+ "err": err,
+ }).Error("failed to read client config")
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+
+ if device.ApiKey == apikey {
+ authorized = true
+ }
+
+ if !authorized {
+ c.JSON(http.StatusUnauthorized, gin.H{"error": "Unauthorized"})
+ return
+ }
+
+ }
+
+ if !authorized && account == nil {
+ c.JSON(http.StatusForbidden, gin.H{"error": "Unauthorized"})
+ return
+ }
+
+ if account != nil && account.Status == "Suspended" {
 log.Errorf("readVPN: account %s is suspended", account.Email)
 c.JSON(http.StatusForbidden, gin.H{"error": "Account is suspended"})
 return
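Review bot: In the `device-api-` branch, a failed `core.ReadDevice` sends `err.Error()` back to a caller that has not been authenticated yet, so backend error text is exposed before any credential is checked. Keep the detail in the log and return a fixed body instead, e.g. `c.JSON(http.StatusInternalServerError, gin.H{"error": "internal error"})`; the log message "failed to read client config" should also name the device read. The key check `device.ApiKey == apikey` is an ordinary string comparison on a secret; `subtle.ConstantTimeCompare([]byte(device.ApiKey), []byte(apikey)) == 1` from `crypto/subtle` removes the timing signal. When the device key matches and `account` is nil, the suspended-account check is skipped, so it is worth confirming that a device belonging to a suspended account is meant to keep read access. readVPN's body continues outside the hunk, so any later use of `account` needs the same nil guard.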