From 5ab4d70e10d516288cddc4c47b3929abafb5deff Mon Sep 17 00:00:00 2001
From: stephannn <38951729+stephannn@users.noreply.github.com>
Date: Mon, 24 Nov 2025 20:39:13 +0100
Subject: [PATCH] Allow specific group to create Login tokens (#7424)

---
 meshcentral-config-schema.json | 2 +-
 meshuser.js | 2 +-
 webserver.js | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index 41426495..cf7c4eef 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -1784,7 +1784,7 @@
 "array"
 ],
 "default": true,
- "description": "Allows users to create alternative username/passwords for their account. Set to false to disallow all users, or set to a userid array to only allow some users."
+ "description": "Allows users to create alternative username/passwords for their account. Set to false to disallow all users, or set to a userid array or to a groupid array to only allow some users."
 },
 "twoFactorTimeout": {
 "type": "integer",
diff --git a/meshuser.js b/meshuser.js
index 3d72b736..33657e78 100644
--- a/meshuser.js
+++ b/meshuser.js
@@ -5063,7 +5063,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
 if (req.session.loginToken != null) { err = "Access denied"; } // Do not allow this command when logged in using a login token
 else if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.logintokens === false)) { err = "Not supported"; } // Login tokens are not supported on this server
- else if ((typeof domain.passwordrequirements == 'object') && Array.isArray(domain.passwordrequirements.logintokens) && (domain.passwordrequirements.logintokens.indexOf(user._id) < 0)) { err = "Not supported"; } // Login tokens are not supported by this user
+ else if ((typeof domain.passwordrequirements == 'object') && Array.isArray(domain.passwordrequirements.logintokens) && ((domain.passwordrequirements.logintokens.indexOf(user._id) < 0) && (user.links && Object.keys(user.links).some(key => domain.passwordrequirements.logintokens.indexOf(key) < 0)))) { err = "Not supported"; } // Login tokens are not supported by this user
 else if (common.validateString(command.name, 1, 100) == false) { err = "Invalid name"; } // Check name
 else if ((typeof command.expire != 'number') || (command.expire < 0)) { err = "Invalid expire value"; } // Check expire
diff --git a/webserver.js b/webserver.js
index 4a4e58bf..bea23f9e 100644
--- a/webserver.js
+++ b/webserver.js
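Review bot: The added `+` line in meshuser.js lets a user who is not in the `logintokens` allow list create login tokens whenever `user.links` is undefined or empty, because `user.links && ...` then evaluates falsy, the whole `&&` chain is false, and no error is set; it also denies a user who has one allowed link and one unlisted link, since `some(key => indexOf(key) < 0)` asks for a link that is not allowed rather than for one that is. This is the server-side enforcement point, and it now disagrees with the UI feature flag in webserver.js, which uses `some(key => indexOf(key) >= 0)`. Deny only when the user id is absent and no link key matches: `else if ((typeof domain.passwordrequirements == 'object') && Array.isArray(domain.passwordrequirements.logintokens) && (domain.passwordrequirements.logintokens.indexOf(user._id) < 0) && !(user.links && Object.keys(user.links).some(key => domain.passwordrequirements.logintokens.indexOf(key) >= 0))) { err = "Not supported"; }`. The surrounding command handler starts and ends outside the hunk, and two of the seven lines the hunk header counts are not visible here.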
@@ -3369,7 +3369,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
 if (((obj.args.noagentupdate == 1) || (obj.args.noagentupdate == true))) { features2 += 0x00000010; } // No agent update
 if (parent.amtProvisioningServer != null) { features2 += 0x00000020; } // Intel AMT LAN provisioning server
 if (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.push2factor != false)) && (obj.parent.firebase != null)) { features2 += 0x00000040; } // Indicates device push notification 2FA is enabled
- if ((typeof domain.passwordrequirements != 'object') || ((domain.passwordrequirements.logintokens !== false) && ((Array.isArray(domain.passwordrequirements.logintokens) == false) || (domain.passwordrequirements.logintokens.indexOf(user._id) >= 0)))) { features2 += 0x00000080; } // Indicates login tokens are allowed
+ if ((typeof domain.passwordrequirements != 'object') || ((domain.passwordrequirements.logintokens !== false) && ((Array.isArray(domain.passwordrequirements.logintokens) == false) || ((domain.passwordrequirements.logintokens.indexOf(user._id) >= 0) || (user.links && Object.keys(user.links).some(key => domain.passwordrequirements.logintokens.indexOf(key) >= 0)) )))) { features2 += 0x00000080; } // Indicates login tokens are allowed
 if (req.session.loginToken != null) { features2 += 0x00000100; } // LoginToken mode, no account changes.
 if (domain.ssh == true) { features2 += 0x00000200; } // SSH is enabled
 if (domain.localsessionrecording === false) { features2 += 0x00000400; } // Disable local recording feature
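Review bot: The allow-list test on the `+` line is now a five-deep nest of parentheses on a single line, and the same "user id or any link key is listed" predicate is written out by hand a second time in meshuser.js, so the two sites can drift apart on how a `logintokens` entry is matched. A small named helper, for example `function canUserCreateLoginTokens(domain, user)` that returns the boolean and is called from both this feature-flag line and the meshuser.js check, would keep the UI gate and the server-side enforcement in lockstep and make the `0x00000080` line readable at a glance. The enclosing CreateWebServer body continues outside the hunk.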