Improved http session handling, new account page

This commit is contained in:
Ylian Saint-Hilaire 2018-08-22 16:18:01 -07:00
parent 82801f4069
commit e3ed9bd3c2
6 changed files with 49 additions and 32 deletions

View File

@ -79,7 +79,7 @@ function CreateMeshCentralServer(config, args) {
try { require('./pass').hash('test', function () { }); } catch (e) { console.log('Old version of node, must upgrade.'); return; } // TODO: Not sure if this test works or not.
// Check for invalid arguments
var validArguments = ['_', 'notls', 'user', 'port', 'aliasport', 'mpsport', 'mpsaliasport', 'redirport', 'cert', 'mpscert', 'deletedomain', 'deletedefaultdomain', 'showall', 'showusers', 'shownodes', 'showmeshes', 'showevents', 'showpower', 'clearpower', 'showiplocations', 'help', 'exactports', 'install', 'uninstall', 'start', 'stop', 'restart', 'debug', 'filespath', 'datapath', 'noagentupdate', 'launch', 'noserverbackup', 'mongodb', 'mongodbcol', 'wanonly', 'lanonly', 'nousers', 'mpsdebug', 'mpspass', 'ciralocalfqdn', 'dbexport', 'dbimport', 'selfupdate', 'tlsoffload', 'userallowedip', 'fastcert', 'swarmport', 'swarmdebug', 'logintoken', 'logintokenkey', 'logintokengen', 'logintokengen', 'mailtokengen', 'admin', 'unadmin'];
var validArguments = ['_', 'notls', 'user', 'port', 'aliasport', 'mpsport', 'mpsaliasport', 'redirport', 'cert', 'mpscert', 'deletedomain', 'deletedefaultdomain', 'showall', 'showusers', 'shownodes', 'showmeshes', 'showevents', 'showpower', 'clearpower', 'showiplocations', 'help', 'exactports', 'install', 'uninstall', 'start', 'stop', 'restart', 'debug', 'filespath', 'datapath', 'noagentupdate', 'launch', 'noserverbackup', 'mongodb', 'mongodbcol', 'wanonly', 'lanonly', 'nousers', 'mpsdebug', 'mpspass', 'ciralocalfqdn', 'dbexport', 'dbimport', 'selfupdate', 'tlsoffload', 'userallowedip', 'fastcert', 'swarmport', 'swarmdebug', 'logintoken', 'logintokenkey', 'logintokengen', 'logintokengen', 'mailtokengen', 'admin', 'unadmin', 'sessionkey', 'sessiontime'];
for (var arg in obj.args) { obj.args[arg.toLocaleLowerCase()] = obj.args[arg]; if (validArguments.indexOf(arg.toLocaleLowerCase()) == -1) { console.log('Invalid argument "' + arg + '", use --help.'); return; } }
if (obj.args.mongodb == true) { console.log('Must specify: --mongodb [connectionstring] \r\nSee https://docs.mongodb.com/manual/reference/connection-string/ for MongoDB connection string.'); return; }
for (var i in obj.config.settings) { obj.args[i] = obj.config.settings[i]; } // Place all settings into arguments, arguments have already been placed into settings so arguments take precedence.
@ -419,13 +419,12 @@ function CreateMeshCentralServer(config, args) {
// If the server is set to "nousers", allow only loopback unless IP filter is set
if ((obj.args.nousers == true) && (obj.args.userallowedip == null)) { obj.args.userallowedip = "::1,127.0.0.1"; }
if (obj.args.secret) {
// This secret is used to encrypt HTTP session information, if specified, user it.
obj.webserver = require('./webserver.js').CreateWebServer(obj, obj.db, obj.args, obj.args.secret, obj.certificates);
} else {
// If the secret is not specified, generate a random number.
obj.webserver = require('./webserver.js').CreateWebServer(obj, obj.db, obj.args, buf.toString('hex').toUpperCase(), obj.certificates);
}
// Set the session length to 60 minutes if not set and set a random key if needed
if ((obj.args.sessiontime == null) || (typeof obj.args.sessiontime != 'number') || (obj.args.sessiontime < 1)) { obj.args.sessiontime = 60; }
if (!obj.args.sessionkey) { obj.args.sessionkey = buf.toString('hex').toUpperCase(); }
// Start eh web server and if needed, the redirection web server.
obj.webserver = require('./webserver.js').CreateWebServer(obj, obj.db, obj.args, obj.certificates);
if (obj.redirserver != null) { obj.redirserver.hookMainWebServer(obj.certificates); }
// Setup the Intel AMT event handler

View File

@ -1,6 +1,6 @@
{
"name": "meshcentral",
"version": "0.1.9-k",
"version": "0.1.9-m",
"keywords": [
"Remote Management",
"Intel AMT",
@ -30,6 +30,7 @@
"body-parser": "^1.18.2",
"compression": "^1.7.1",
"connect-redis": "^3.3.3",
"cookie-session": "^2.0.0-beta.3",
"express": "^4.16.2",
"express-handlebars": "^3.0.0",
"express-session": "^1.15.6",
@ -43,7 +44,7 @@
"xmldom": "^0.1.27",
"yauzl": "^2.9.1"
},
"devDependencies": { },
"devDependencies": {},
"repository": {
"type": "git",
"url": "https://github.com/Ylianst/MeshCentral.git"

View File

@ -5,6 +5,8 @@
"_MongoDbCol": "meshcentral",
"_WANonly": true,
"_LANonly": true,
"_SessionTime": 30,
"_SessionKey": "MyReallySecretPassword",
"_Port": 443,
"_RedirPort": 80,
"_AllowLoginToken": true,

View File

@ -72,27 +72,27 @@
</div>
<table>
<tr>
<td align=right width=100>Username:</td>
<td id="nuUser" align=right width=100>Username:</td>
<td><input id=ausername type=text name=username onchange=validateCreate(1) maxlength=64 onkeydown=haltReturn(event) onkeyup=validateCreate(1,event) /></td>
</tr>
<tr>
<td align=right width=100>Email:</td>
<td id="nuEmail" align=right width=100>Email:</td>
<td><input id=aemail type=text name=email onchange=validateCreate(2) maxlength=256 onkeydown=haltReturn(event) onkeyup=validateCreate(2,event) /></td>
</tr>
<tr>
<td align=right>Password:</td>
<td id="nuPass1" align=right>Password:</td>
<td><input id=apassword1 type=password name=password1 autocomplete=off maxlength=256 onkeydown=haltReturn(event) onchange=validateCreate(3) onkeyup=validateCreate(3,event) /></td>
</tr>
<tr>
<td align=right>Password:</td>
<td id="nuPass2" align=right>Password:</td>
<td><input id=apassword2 type=password name=password2 autocomplete=off maxlength=256 onkeydown=haltReturn(event) onchange=validateCreate(4) onkeyup=validateCreate(4,event) /></td>
</tr>
<tr>
<td align=right>Password Hint:</td>
<td id="nuHint" align=right>Password Hint:</td>
<td><input id=apasswordhint type=text name=apasswordhint autocomplete=off maxlength=256 onkeydown=haltReturn(event) onchange=validateCreate(5) onkeyup=validateCreate(5,event) /></td>
</tr>
<tr id=newAccountPass title="Enter the account creation token">
<td align=right>Creation Token:</td>
<td id="nuToken" align=right>Creation Token:</td>
<td><input id=anewaccountpass type=password name=anewaccountpass autocomplete=off maxlength=256 onkeydown=haltReturn(event) onchange=validateCreate(6) onkeyup=validateCreate(6,event) /></td>
</tr>
<tr>
@ -224,8 +224,20 @@
function validateCreate(box,e) {
setDialogMode(0);
var ok = ((Q('ausername').value.length > 0) && (Q('ausername').value.indexOf(' ') == -1) && (validateEmail(Q('aemail').value) == true) && (Q('apassword1').value.length > 0) && (Q('apassword2').value == Q('apassword1').value));
if ((newAccountPass == 1) && (Q('anewaccountpass').value.length == 0)) { ok = false; }
var userok = (Q('ausername').value.length > 0) && (Q('ausername').value.indexOf(' ') == -1);
var emailok = (validateEmail(Q('aemail').value) == true);
var pass1ok = (Q('apassword1').value.length > 0);
var pass2ok = (Q('apassword2').value.length > 0) && (Q('apassword2').value == Q('apassword1').value);
var newAccOk = (newAccountPass == 0) || (Q('anewaccountpass').value.length > 0);
var ok = (userok && emailok && pass1ok && pass2ok && newAccOk);
// Color the fields
QS('nuUser').color = userok?'black':'#7b241c';
QS('nuEmail').color = emailok?'black':'#7b241c';
QS('nuPass1').color = pass1ok?'black':'#7b241c';
QS('nuPass2').color = pass2ok?'black':'#7b241c';
QS('nuToken').color = newAccOk?'black':'#7b241c';
QE('createButton', ok);
if (Q('apassword1').value == '') {
QH('passWarning', '');

View File

@ -36,7 +36,7 @@ if (!String.prototype.startsWith) { String.prototype.startsWith = function (sear
if (!String.prototype.endsWith) { String.prototype.endsWith = function (searchString, position) { var subjectString = this.toString(); if (typeof position !== 'number' || !isFinite(position) || Math.floor(position) !== position || position > subjectString.length) { position = subjectString.length; } position -= searchString.length; var lastIndex = subjectString.lastIndexOf(searchString, position); return lastIndex !== -1 && lastIndex === position; }; }
// Construct a HTTP web server object
module.exports.CreateWebServer = function (parent, db, args, secret, certificates) {
module.exports.CreateWebServer = function (parent, db, args, certificates) {
var obj = {};
// Modules
@ -46,7 +46,7 @@ module.exports.CreateWebServer = function (parent, db, args, secret, certificate
obj.path = require('path');
obj.constants = require('constants');
obj.bodyParser = require('body-parser');
obj.session = require('express-session');
obj.session = require('cookie-session');
obj.exphbs = require('express-handlebars');
obj.crypto = require('crypto');
obj.common = require('./common.js');
@ -154,9 +154,11 @@ module.exports.CreateWebServer = function (parent, db, args, secret, certificate
obj.app.set('view engine', 'handlebars');
obj.app.use(obj.bodyParser.urlencoded({ extended: false }));
obj.app.use(obj.session({
resave: false, // don't save session if unmodified
saveUninitialized: false, // don't create session until something stored
secret: secret // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
name: 'xid', // Recommanded security practice to not use the default cookie name
httpOnly: true,
keys: [ obj.args.sessionkey ], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
secure: (obj.args.notls != true), // Use this cookie only over TLS
maxAge: (obj.args.sessiontime * 60 * 1000) // 24 hours
}));
// Session-persisted message middleware
@ -290,9 +292,8 @@ module.exports.CreateWebServer = function (parent, db, args, secret, certificate
var user = obj.users[req.session.userid]
obj.parent.DispatchEvent(['*'], obj, { etype: 'user', username: user.name, action: 'logout', msg: 'Account logout', domain: domain.id })
}
req.session.destroy(function () {
req.session = null;
res.redirect(domain.url);
});
}
function handleLoginRequest(req, res) {
@ -306,8 +307,9 @@ module.exports.CreateWebServer = function (parent, db, args, secret, certificate
user.login = Date.now();
obj.db.SetUser(user);
// Regenerate session when signing in to prevent fixation
req.session.regenerate(function () {
//req.session.regenerate(function () {
// Store the user's primary key in the session store to be retrieved, or in this case the entire user object
// req.session.success = 'Authenticated as ' + user.name + 'click to <a href="/logout">logout</a>. You may now access <a href="/restricted">/restricted</a>.';
delete req.session.loginmode;
@ -334,7 +336,7 @@ module.exports.CreateWebServer = function (parent, db, args, secret, certificate
} else {
res.redirect(domain.url);
}
});
//});
obj.parent.DispatchEvent(['*'], obj, { etype: 'user', username: user.name, action: 'login', msg: 'Account login', domain: domain.id })
} else {
@ -569,7 +571,8 @@ module.exports.CreateWebServer = function (parent, db, args, secret, certificate
// Remove the user
obj.db.Remove(user._id);
delete obj.users[user._id];
req.session.destroy(function () { res.redirect(domain.url); });
req.session = null;
res.redirect(domain.url);
obj.parent.DispatchEvent(['*', 'server-users'], obj, { etype: 'user', username: user.name, action: 'accountremove', msg: 'Account removed', domain: domain.id })
} else {
res.redirect(domain.url);
@ -679,7 +682,7 @@ module.exports.CreateWebServer = function (parent, db, args, secret, certificate
// If a user is logged in, serve the default app, otherwise server the login app.
if (req.session && req.session.userid) {
if (req.session.domainid != domain.id) { req.session.destroy(function () { res.redirect(domain.url); }); return; } // Check is the session is for the correct domain
if (req.session.domainid != domain.id) { req.session = null; res.redirect(domain.url); return; } // Check is the session is for the correct domain
var viewmode = 1;
if (req.session.viewmode) {
viewmode = req.session.viewmode;
@ -751,7 +754,7 @@ module.exports.CreateWebServer = function (parent, db, args, secret, certificate
if (domain == null) return;
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0' });
if (req.session && req.session.userid) {
if (req.session.domainid != domain.id) { req.session.destroy(function () { res.redirect(domain.url); }); return; } // Check is the session is for the correct domain
if (req.session.domainid != domain.id) { req.session = null; res.redirect(domain.url); return; } // Check is the session is for the correct domain
var user = obj.users[req.session.userid];
res.render(obj.path.join(__dirname, isMobileBrowser(req) ? 'views/terms-mobile' : 'views/terms'), { title: domain.title, title2: domain.title2, logoutControl: 'Welcome ' + user.name + '. <a href=' + domain.url + 'logout?' + Math.random() + ' style=color:white>Logout</a>' });
} else {