Don't require tickets for clients which already have a trusted certificate
authorGunnar Beutner <gunnar@beutner.name>
Wed, 11 Feb 2015 08:56:22 +0000 (09:56 +0100)
committerGunnar Beutner <gunnar@beutner.name>
Wed, 18 Feb 2015 07:13:44 +0000 (08:13 +0100)
fixes #8465

lib/remote/apiclient.cpp

index dd0a4dfe8adedf0954297184fc7787bb1a3b76b2..2304df3fba66c94b2646577eb15221ceba80f716 100644 (file)
@@ -220,22 +220,24 @@ Value RequestCertificateHandler(const MessageOrigin& origin, const Dictionary::P
        if (!params)
                return Empty;
 
-       ApiListener::Ptr listener = ApiListener::GetInstance();
-       String salt = listener->GetTicketSalt();
-
        Dictionary::Ptr result = new Dictionary();
 
-       if (salt.IsEmpty()) {
-               result->Set("error", "Ticket salt is not configured.");
-               return result;
-       }
+       if (!origin.FromClient->IsAuthenticated()) {
+               ApiListener::Ptr listener = ApiListener::GetInstance();
+               String salt = listener->GetTicketSalt();
+
+               if (salt.IsEmpty()) {
+                       result->Set("error", "Ticket salt is not configured.");
+                       return result;
+               }
 
-       String ticket = params->Get("ticket");
-       String realTicket = PBKDF2_SHA1(origin.FromClient->GetIdentity(), salt, 50000);
+               String ticket = params->Get("ticket");
+               String realTicket = PBKDF2_SHA1(origin.FromClient->GetIdentity(), salt, 50000);
 
-       if (ticket != realTicket) {
-               result->Set("error", "Invalid ticket.");
-               return result;
+               if (ticket != realTicket) {
+                       result->Set("error", "Invalid ticket.");
+                       return result;
+               }
        }
 
        boost::shared_ptr<X509> cert = origin.FromClient->GetStream()->GetPeerCertificate();
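Review bot: The new `if (!origin.FromClient->IsAuthenticated())` guard lets a single boolean skip the entire ticket check, but nothing in the hunk documents what that boolean guarantees or ties the certificate handled afterwards to the authenticated identity. I would add a comment above the guard such as `/* Peers whose certificate already validated against our CA may renew without a ticket; everyone else must present a valid ticket. */`, assuming that is what IsAuthenticated() means here. The rest of RequestCertificateHandler, starting at the GetPeerCertificate() call, lies outside the hunk, so it should be confirmed there that the request is honoured only for the subject matching `origin.FromClient->GetIdentity()` and not for an arbitrary name supplied by an already-trusted peer. Separately, the retained `ticket != realTicket` check compares a secret-derived value with an ordinary string comparison; a constant-time comparison would be the safer choice for that line.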