Fixed server exception when using agent installation invite codes, #4233

Ylian Saint-Hilaire 2022-07-06 23:39:36 -07:00
parent 947d9094cb
commit 695e3068de
1 changed files with 9 additions and 1 deletions


@ -1036,6 +1036,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
const domain = checkUserIpAddress(req, res); const domain = checkUserIpAddress(req, res);
if (domain == null) { return; } if (domain == null) { return; }
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
if (req.body == null) { res.sendStatus(404); return; } // Post body is empty or can't be parsed
// Check if this is a banned ip address // Check if this is a banned ip address
if (obj.checkAllowLogin(req) == false) { if (obj.checkAllowLogin(req) == false) {
@ -1343,6 +1344,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { parent.debug('web', 'handleCreateAccountRequest: failed checks.'); res.sendStatus(404); return; } if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { parent.debug('web', 'handleCreateAccountRequest: failed checks.'); res.sendStatus(404); return; }
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token
if (req.body == null) { res.sendStatus(404); return; } // Post body is empty or can't be parsed
// Check if we are in maintenance mode // Check if we are in maintenance mode
if (parent.config.settings.maintenancemode != null) { if (parent.config.settings.maintenancemode != null) {
@ -1498,6 +1500,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if (domain == null) { return; } if (domain == null) { return; }
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token
if (req.body == null) { res.sendStatus(404); return; } // Post body is empty or can't be parsed
// Check everything is ok // Check everything is ok
const allowAccountReset = ((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.allowaccountreset !== false)); const allowAccountReset = ((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.allowaccountreset !== false));
@ -1614,6 +1617,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if ((allowAccountReset === false) || (domain.auth == 'sspi') || (domain.auth == 'ldap') || (obj.args.lanonly == true) || (obj.parent.certificates.CommonName == null) || (obj.parent.certificates.CommonName.indexOf('.') == -1)) { parent.debug('web', 'handleResetAccountRequest: check failed'); res.sendStatus(404); return; } if ((allowAccountReset === false) || (domain.auth == 'sspi') || (domain.auth == 'ldap') || (obj.args.lanonly == true) || (obj.parent.certificates.CommonName == null) || (obj.parent.certificates.CommonName.indexOf('.') == -1)) { parent.debug('web', 'handleResetAccountRequest: check failed'); res.sendStatus(404); return; }
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token
if (req.body == null) { res.sendStatus(404); return; } // Post body is empty or can't be parsed
// Always lowercase the email address // Always lowercase the email address
if (req.body.email) { req.body.email = req.body.email.toLowerCase(); } if (req.body.email) { req.body.email = req.body.email.toLowerCase(); }
@ -1744,6 +1748,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if ((domain.mailserver == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap') || (typeof req.session.cuserid != 'string') || (obj.users[req.session.cuserid] == null) || (!obj.common.validateEmail(req.body.email, 1, 256))) { parent.debug('web', 'handleCheckAccountEmailRequest: failed checks.'); res.sendStatus(404); return; } if ((domain.mailserver == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap') || (typeof req.session.cuserid != 'string') || (obj.users[req.session.cuserid] == null) || (!obj.common.validateEmail(req.body.email, 1, 256))) { parent.debug('web', 'handleCheckAccountEmailRequest: failed checks.'); res.sendStatus(404); return; }
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token
if (req.body == null) { res.sendStatus(404); return; } // Post body is empty or can't be parsed
// Always lowercase the email address // Always lowercase the email address
if (req.body.email) { req.body.email = req.body.email.toLowerCase(); } if (req.body.email) { req.body.email = req.body.email.toLowerCase(); }
@ -1930,7 +1935,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
const domain = getDomain(req); const domain = getDomain(req);
if (domain == null) { parent.debug('web', 'handleInviteRequest: failed checks.'); res.sendStatus(404); return; } if (domain == null) { parent.debug('web', 'handleInviteRequest: failed checks.'); res.sendStatus(404); return; }
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
if ((req.body.inviteCode == null) || (req.body.inviteCode == '')) { render(req, res, getRenderPage('invite', req, domain), getRenderArgs({ messageid: 0 }, req, domain)); return; } // No invitation code if ((req.body == null) || (req.body.inviteCode == null) || (req.body.inviteCode == '')) { render(req, res, getRenderPage('invite', req, domain), getRenderArgs({ messageid: 0 }, req, domain)); return; } // No invitation code
// Each for a device group that has this invite code. // Each for a device group that has this invite code.
for (var i in obj.meshes) { for (var i in obj.meshes) {
@ -2184,6 +2189,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { parent.debug('web', 'handleDeleteAccountRequest: failed checks.'); res.sendStatus(404); return; } if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { parent.debug('web', 'handleDeleteAccountRequest: failed checks.'); res.sendStatus(404); return; }
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token
if (req.body == null) { res.sendStatus(404); return; } // Post body is empty or can't be parsed
var user = null; var user = null;
if (req.body.authcookie) { if (req.body.authcookie) {
@ -2367,6 +2373,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { parent.debug('web', 'handlePasswordChangeRequest: failed checks (1).'); res.sendStatus(404); return; } if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { parent.debug('web', 'handlePasswordChangeRequest: failed checks (1).'); res.sendStatus(404); return; }
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token
if (req.body == null) { res.sendStatus(404); return; } // Post body is empty or can't be parsed
// Check if the user is logged and we have all required parameters // Check if the user is logged and we have all required parameters
if (!req.session || !req.session.userid || !req.body.apassword0 || !req.body.apassword1 || (req.body.apassword1 != req.body.apassword2) || (req.session.userid.split('/')[1] != domain.id)) { if (!req.session || !req.session.userid || !req.body.apassword0 || !req.body.apassword1 || (req.body.apassword1 != req.body.apassword2) || (req.session.userid.split('/')[1] != domain.id)) {
@ -3087,6 +3094,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
const domain = checkUserIpAddress(req, res); const domain = checkUserIpAddress(req, res);
if (domain == null) { return; } if (domain == null) { return; }
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.end("Not Found"); return; } // Check 3FA URL key if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.end("Not Found"); return; } // Check 3FA URL key
if (req.body == null) { req.body = {}; }
parent.debug('web', 'handleRootPostRequest, action: ' + req.body.action); parent.debug('web', 'handleRootPostRequest, action: ' + req.body.action);
// If a HTTP header is required, check new UserRequiredHttpHeader // If a HTTP header is required, check new UserRequiredHttpHeader
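Review bot: In the `@ -1744,6 +1748,7 @@` hunk the new `if (req.body == null) { res.sendStatus(404); return; }` guard cannot catch the case it is meant for, because the condition two lines above it already dereferences `req.body.email` in `obj.common.validateEmail(req.body.email, 1, 256)` and would throw a TypeError before the guard runs. Move that line up so it executes before the `domain.mailserver` condition at the top of the hunk, keeping the same 404 response. The other hunks place the guard ahead of the first `req.body` access and look correct; the `handleRootPostRequest` hunk instead substitutes `req.body = {}`, which keeps the debug log working but deserves a comment such as `// Tolerate an empty body here: this handler also serves GET-style actions and must not 404` (or whatever the actual reason is) so the deliberate difference from the other handlers is not mistaken for an oversight. The enclosing functions start and end outside these hunks.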