Fixed invitation link encryption key.

2019-06-07 17:11:56 -07:00 · 2019-06-07 17:11:56 -07:00 · 74930c10df
parent 85ed10abd8
commit 74930c10df
4 changed files with 13 additions and 3 deletions
--- a/meshcentral.js
+++ b/meshcentral.js
@ -59,6 +59,7 @@ function CreateMeshCentralServer(config, args) {
    obj.currentVer = null;
    obj.serverKey = Buffer.from(obj.crypto.randomBytes(48), 'binary');
    obj.loginCookieEncryptionKey = null;
+    obj.invitationLinkEncryptionKey = null;
    obj.serverSelfWriteAllowed = true;
    obj.serverStatsCounter = Math.floor(Math.random() * 1000);
    obj.taskLimiter = obj.common.createTaskLimiterQueue(50, 20, 60); // (maxTasks, maxTaskTime, cleaningInterval) This is a task limiter queue to smooth out server work.
@ -836,6 +837,15 @@ function CreateMeshCentralServer(config, args) {
                    });
                }

+                // Load the invitation link encryption key from the database
+                obj.db.Get('InvitationLinkEncryptionKey', function (err, docs) {
+                    if ((docs.length > 0) && (docs[0].key != null) && (docs[0].key.length >= 160)) {
+                        obj.invitationLinkEncryptionKey = Buffer.from(docs[0].key, 'hex');
+                    } else {
+                        obj.invitationLinkEncryptionKey = obj.generateCookieKey(); obj.db.Set({ _id: 'InvitationLinkEncryptionKey', key: obj.invitationLinkEncryptionKey.toString('hex'), time: Date.now() });
+                    }
+                });
+
                // Start collecting server stats every 5 minutes
                setInterval(function () {
                    obj.serverStatsCounter++;
--- a/meshuser.js
+++ b/meshuser.js
@ -2509,7 +2509,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                if (common.validateInt(command.flags, 0, 256) == false) break; // Check the flags
                var mesh = parent.meshes[command.meshid];
                if (mesh == null) break;
-                const inviteCookie = parent.parent.encodeCookie({ a: 4, mid: command.meshid, f: command.flags, expire: command.expire * 60 }, parent.parent.loginCookieEncryptionKey);
+                const inviteCookie = parent.parent.encodeCookie({ a: 4, mid: command.meshid, f: command.flags, expire: command.expire * 60 }, parent.parent.invitationLinkEncryptionKey);
                if (inviteCookie == null) break;
                ws.send(JSON.stringify({ action: 'createInviteLink', meshid: command.meshid, expire: command.expire, cookie: inviteCookie }));
                break;
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "meshcentral",
-  "version": "0.3.6-h",
+  "version": "0.3.6-i",
  "keywords": [
    "Remote Management",
    "Intel AMT",
--- a/webserver.js
+++ b/webserver.js
@ -1070,7 +1070,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
        if ((domain == null) || ((req.query.m == null) && (req.query.c == null))) { res.sendStatus(404); return; }
        if (req.query.c != null) {
            // A cookie is specified in the query string, use that
-            var cookie = obj.parent.decodeCookie(req.query.c, obj.parent.loginCookieEncryptionKey);
+            var cookie = obj.parent.decodeCookie(req.query.c, obj.parent.invitationLinkEncryptionKey);
            if (cookie == null) { res.sendStatus(404); return; }
            var mesh = obj.meshes[cookie.mid];
            if (mesh == null) { res.sendStatus(404); return; }