From b926196d0a06f7629637c53ba33d6ac09b7f7b9c Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Mon, 14 Jun 2021 14:36:00 -0700
Subject: [PATCH] Fix for #2773.
---
 package.json | 14 +-------------
 webserver.js | 52 ++++++++++++++++++++++++++--------------------------
 2 files changed, 27 insertions(+), 39 deletions(-)
diff --git a/package.json b/package.json
index 226d7fdd..2e8276da 100644
--- a/package.json
+++ b/package.json
@@ -36,8 +36,6 @@
 "sample-config-advanced.json"
 ],
 "dependencies": {
- "archiver": "^4.0.2",
- "archiver-zip-encrypted": "^1.0.10",
 "body-parser": "^1.19.0",
 "cbor": "~5.2.0",
 "compression": "^1.7.4",
@@ -45,24 +43,14 @@
 "express": "^4.17.0",
 "express-handlebars": "^3.1.0",
 "express-ws": "^4.0.0",
- "image-size": "^1.0.0",
 "ipcheck": "^0.1.0",
- "loadavg-windows": "^1.1.1",
 "minimist": "^1.2.0",
- "mongodb": "^3.6.9",
 "multiparty": "^4.2.1",
 "nedb": "^1.8.0",
 "node-forge": "^0.10.0",
- "node-rdpjs-2": "^0.3.5",
- "node-windows": "^1.0.0-beta.5",
- "otplib": "^10.2.3",
- "saslprep": "^1.0.3",
- "ssh2": "^1.1.0",
- "web-push": "^3.4.4",
 "ws": "^5.2.0",
 "xmldom": "^0.5.0",
- "yauzl": "^2.10.0",
- "yubikeyotp": "^0.2.0"
+ "yauzl": "^2.10.0"
 },
 "repository": {
 "type": "git",
diff --git a/webserver.js b/webserver.js
index 8357437b..e4c54e55 100644
--- a/webserver.js
+++ b/webserver.js
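Review bot: The two package.json hunks drop thirteen runtime packages from `dependencies` (archiver, mongodb, otplib, ssh2, web-push, yubikeyotp and others) while the subject line "Fix for #2773." gives no reason, and nothing else in this diff shows how those modules are resolved afterwards. If webserver.js or other modules still `require()` any of them, a fresh `npm install` will no longer provision them, so loading either fails or falls back to some on-demand install at runtime that bypasses the lockfile and any audit gate. Either state the intent in the commit message or move them to `optionalDependencies` with the same pinned ranges so the versions stay reviewable.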
@@ -408,7 +408,32 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 // Authenticate the user
 obj.authenticate = function (name, pass, domain, fn) {
 if ((typeof (name) != 'string') || (typeof (pass) != 'string') || (typeof (domain) != 'object')) { fn(new Error('invalid fields')); return; }
- if (domain.auth == 'ldap') {
+ if (name.startsWith('~t:')) {
+ // Login token, try to fetch the token from the database
+ obj.db.Get('logintoken-' + name, function (err, docs) {
+ if (err != null) { fn(err); return; }
+ if ((docs == null) || (docs.length != 1)) { fn(new Error('login token not found')); return; }
+ const loginToken = docs[0];
+ if ((loginToken.expire != 0) && (loginToken.expire < Date.now())) { fn(new Error('login token expired')); return; }
+
+ // Default strong password hashing (pbkdf2 SHA384)
+ require('./pass').hash(pass, loginToken.salt, function (err, hash, tag) {
+ if (err) return fn(err);
+ if (hash == loginToken.hash) {
+ // Login username and password are valid.
+ var user = obj.users[loginToken.userid];
+ if (!user) { fn(new Error('cannot find user')); return; }
+ if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
+
+ // Succesful login token authentication
+ var loginOptions = { tokenName: loginToken.name, tokenUser: loginToken.tokenUser };
+ if (loginToken.expire != 0) { loginOptions.expire = loginToken.expire; }
+ return fn(null, user._id, null, loginOptions);
+ }
+ fn(new Error('invalid password'));
+ }, 0);
+ });
+ } else if (domain.auth == 'ldap') {
 if (domain.ldapoptions.url == 'test') {
 // Fake LDAP login
 var xxuser = domain.ldapoptions[name.toLowerCase()];
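Review bot: The relocated `~t:` branch now runs ahead of every domain-specific auth path, yet nothing in it ties the token to the `domain` being authenticated against: the token is fetched by the caller-supplied name alone and the user comes from `obj.users[loginToken.userid]`, so a token minted for a user in one domain would be accepted on another domain's login unless the caller compares the returned id with the domain, which is not visible here. User ids embed the domain (the regular-login path looks up `'user/' + domain.id + '/' + ...`), so a guard right after the `cannot find user` check closes this: `if (!user._id.startsWith('user/' + domain.id + '/')) { fn(new Error('login token not valid for this domain')); return; }`. Separately, `hash == loginToken.hash` is a plain comparison; if both values are strings or Buffers of the same encoding, comparing their byte forms with `require('crypto').timingSafeEqual` is the conventional choice, though after a pbkdf2 derivation the timing leak is marginal. `obj.authenticate` begins in this hunk but its `if`/`else if` chain continues past it.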
@@ -633,31 +658,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 }
 });
 }
- } else if (name.startsWith('~t:')) {
- // Login token, try to fetch the token from the database
- obj.db.Get('logintoken-' + name, function (err, docs) {
- if (err != null) { fn(err); return; }
- if ((docs == null) || (docs.length != 1)) { fn(new Error('login token not found')); return; }
- const loginToken = docs[0];
- if ((loginToken.expire != 0) && (loginToken.expire < Date.now())) { fn(new Error('login token expired')); return; }
-
- // Default strong password hashing (pbkdf2 SHA384)
- require('./pass').hash(pass, loginToken.salt, function (err, hash, tag) {
- if (err) return fn(err);
- if (hash == loginToken.hash) {
- // Login username and password are valid.
- var user = obj.users[loginToken.userid];
- if (!user) { fn(new Error('cannot find user')); return; }
- if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
-
- // Succesful login token authentication
- var loginOptions = { tokenName: loginToken.name, tokenUser: loginToken.tokenUser };
- if (loginToken.expire != 0) { loginOptions.expire = loginToken.expire; }
- return fn(null, user._id, null, loginOptions);
- }
- fn(new Error('invalid password'));
- }, 0);
- });
 } else {
 // Regular login
 var user = obj.users['user/' + domain.id + '/' + name.toLowerCase()];