mirror of
https://github.com/ether/etherpad-lite.git
synced 2025-01-19 14:13:34 +01:00
import: Use the correct author ID when using sessions
There are two different ways an author ID becomes associated with a user: either bound to a token or bound to a session ID. (The token and session ID come from the `token` and `sessionID` cookies, or, in the case of socket.io messages, from the `token` and `sessionID` message properties.) When `settings.requireSession` is true or the user is accessing a group pad, the session ID should be used. Otherwise the token should be used. Before this change, the `/p/:pad/import` handler was always using the token, even when `settings.requireSession` was true. This caused the following error because a different author ID was bound to the token versus the session ID: > Unable to import file into ${pad}. Author ${authorID} exists but he > never contributed to this pad This bug was reported in issue #4006. PR #4012 worked around the problem by binding the same author ID to the token as well as the session ID. This change does the following: * Modifies the import handler to use the session ID to obtain the author ID (when appropriate). * Expands the documentation for the SecurityManager checkAccess function. * Removes the workaround from PR #4012. * Cleans up the `bin/createUserSession.js` test script.
This commit is contained in:
parent
db0bcb524e
commit
6c2a361935
5 changed files with 92 additions and 160 deletions
|
@ -2,77 +2,46 @@
|
||||||
* A tool for generating a test user session which can be used for debugging configs
|
* A tool for generating a test user session which can be used for debugging configs
|
||||||
* that require sessions.
|
* that require sessions.
|
||||||
*/
|
*/
|
||||||
|
const m = (f) => __dirname + '/../' + f;
|
||||||
|
|
||||||
const request = require('../src/node_modules/request');
|
|
||||||
const settings = require(__dirname+'/../tests/container/loadSettings').loadSettings();
|
|
||||||
const supertest = require(__dirname+'/../src/node_modules/supertest');
|
|
||||||
const api = supertest('http://'+settings.ip+":"+settings.port);
|
|
||||||
const path = require('path');
|
|
||||||
const fs = require('fs');
|
const fs = require('fs');
|
||||||
|
const path = require('path');
|
||||||
|
const querystring = require('querystring');
|
||||||
|
const request = require(m('src/node_modules/request'));
|
||||||
|
const settings = require(m('src/node/utils/Settings'));
|
||||||
|
const supertest = require(m('src/node_modules/supertest'));
|
||||||
|
|
||||||
// get the API Key
|
(async () => {
|
||||||
var filePath = path.join(__dirname, '../APIKEY.txt');
|
const api = supertest('http://'+settings.ip+':'+settings.port);
|
||||||
var apikey = fs.readFileSync(filePath, {encoding: 'utf-8'});
|
|
||||||
|
|
||||||
// Set apiVersion to base value, we change this later.
|
const filePath = path.join(__dirname, '../APIKEY.txt');
|
||||||
var apiVersion = 1;
|
const apikey = fs.readFileSync(filePath, {encoding: 'utf-8'});
|
||||||
|
|
||||||
// Update the apiVersion
|
let res;
|
||||||
api.get('/api/')
|
|
||||||
.expect(function(res){
|
|
||||||
apiVersion = res.body.currentVersion;
|
|
||||||
if (!res.body.currentVersion) throw new Error("No version set in API");
|
|
||||||
return;
|
|
||||||
})
|
|
||||||
.end(function(err, res){
|
|
||||||
// Now we know the latest API version, let's create a group
|
|
||||||
var uri = '/api/'+apiVersion+'/createGroup?apikey='+apikey;
|
|
||||||
api.post(uri)
|
|
||||||
.expect(function(res){
|
|
||||||
if (res.body.code === 1){
|
|
||||||
console.error("Error creating group", res.body);
|
|
||||||
}else{
|
|
||||||
var groupID = res.body.data.groupID;
|
|
||||||
console.log("groupID", groupID);
|
|
||||||
|
|
||||||
// creating a group pad
|
res = await api.get('/api/');
|
||||||
api.post('/api/'+apiVersion+'/createGroupPad?apikey='+apikey+'&groupID='+groupID)
|
const apiVersion = res.body.currentVersion;
|
||||||
.expect(function(res){
|
if (!apiVersion) throw new Error('No version set in API');
|
||||||
if (res.body.code === 1){
|
const uri = (cmd, args) => `/api/${apiVersion}/${cmd}?${querystring.stringify(args)}`;
|
||||||
console.error("Error creating author", res.body);
|
|
||||||
}else{
|
|
||||||
console.log("Test Pad ID ====> ", res.body.data.padID)
|
|
||||||
}
|
|
||||||
}).end(function(){})
|
|
||||||
|
|
||||||
// create an author
|
res = await api.post(uri('createGroup', {apikey}));
|
||||||
api.post('/api/'+apiVersion+'/createAuthor?apikey='+apikey)
|
if (res.body.code === 1) throw new Error(`Error creating group: ${res.body}`);
|
||||||
.expect(function(res){
|
const groupID = res.body.data.groupID;
|
||||||
if (res.body.code === 1){
|
console.log('groupID', groupID);
|
||||||
console.error("Error creating author", res.body);
|
|
||||||
}else{
|
|
||||||
console.log("authorID", res.body.data.authorID)
|
|
||||||
var authorID = res.body.data.authorID;
|
|
||||||
// create a session for this authorID
|
|
||||||
var validUntil = Math.floor(new Date() / 1000) + 60000;
|
|
||||||
console.log("validUntil", validUntil)
|
|
||||||
api.post('/api/'+apiVersion+'/createSession?apikey='+apikey + '&groupID='+groupID+'&authorID='+authorID+'&validUntil='+validUntil)
|
|
||||||
.expect(function(res){
|
|
||||||
if (res.body.code === 1){
|
|
||||||
console.error("Error creating author", res.body);
|
|
||||||
}else{
|
|
||||||
console.log("Session made: ====> create a cookie named sessionID and set it's value to ", res.body.data.sessionID);
|
|
||||||
}
|
|
||||||
})
|
|
||||||
.end(function(){}) // I shouldn't have nested but here we are.. it's not too ugly :P
|
|
||||||
|
|
||||||
}
|
res = await api.post(uri('createGroupPad', {apikey, groupID}));
|
||||||
})
|
if (res.body.code === 1) throw new Error(`Error creating group pad: ${res.body}`);
|
||||||
.end(function(){})
|
console.log('Test Pad ID ====> ', res.body.data.padID);
|
||||||
|
|
||||||
}
|
res = await api.post(uri('createAuthor', {apikey}));
|
||||||
return;
|
if (res.body.code === 1) throw new Error(`Error creating author: ${res.body}`);
|
||||||
})
|
const authorID = res.body.data.authorID;
|
||||||
.end(function(){})
|
console.log('authorID', authorID);
|
||||||
});
|
|
||||||
// end
|
const validUntil = Math.floor(new Date() / 1000) + 60000;
|
||||||
|
console.log('validUntil', validUntil);
|
||||||
|
res = await api.post(uri('createSession', {apikey, groupID, authorID, validUntil}));
|
||||||
|
if (res.body.code === 1) throw new Error(`Error creating session: ${res.body}`);
|
||||||
|
console.log('Session made: ====> create a cookie named sessionID and set the value to',
|
||||||
|
res.body.data.sessionID);
|
||||||
|
})();
|
||||||
|
|
|
@ -77,17 +77,6 @@ exports.createAuthorIfNotExistsFor = async function(authorMapper, name)
|
||||||
return author;
|
return author;
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
|
||||||
* Sets the token <> AuthorID relationship.
|
|
||||||
* Discussion at https://github.com/ether/etherpad-lite/issues/4006
|
|
||||||
* @param {String} token The token (generated by a client)
|
|
||||||
* @param {String} authorID The authorID (returned by the Security Manager)
|
|
||||||
*/
|
|
||||||
exports.setToken2Author = async function(token, authorID)
|
|
||||||
{
|
|
||||||
await db.set("token2author:"+token, authorID);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the AuthorID for a mapper. We can map using a mapperkey,
|
* Returns the AuthorID for a mapper. We can map using a mapperkey,
|
||||||
* so far this is token2author and mapper2author
|
* so far this is token2author and mapper2author
|
||||||
|
|
|
@ -31,15 +31,25 @@ const WRONG_PASSWORD = Object.freeze({accessStatus: 'wrongPassword'});
|
||||||
const NEED_PASSWORD = Object.freeze({accessStatus: 'needPassword'});
|
const NEED_PASSWORD = Object.freeze({accessStatus: 'needPassword'});
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This function controlls the access to a pad, it checks if the user can access a pad.
|
* Determines whether the user can access a pad.
|
||||||
* @param padID the pad the user wants to access
|
*
|
||||||
* @param sessionCookie the session the user has (set via api)
|
* @param padID identifies the pad the user wants to access.
|
||||||
* @param token a random token representing the author, of the form
|
* @param sessionCookie identifies the sessions the user created via the HTTP API, if any.
|
||||||
* t.randomstring_of_lenght_20. The random string is generated by
|
* Note: The term "session" used here is unrelated to express-session.
|
||||||
* the client.
|
* @param token is a random token of the form t.randomstring_of_length_20 generated by the client
|
||||||
* Used for every pad in the web UI. Not used for the HTTP API.
|
* when using the web UI (not the HTTP API). This token is only used if settings.requireSession
|
||||||
* @param password the password the user has given to access this pad, can be null
|
* is false and the user is accessing a public pad. If there is not an author already associated
|
||||||
* @return {accessStatus: grant|deny|wrongPassword|needPassword, authorID: a.xxxxxx})
|
* with this token then a new author object is created (including generating an author ID) and
|
||||||
|
* associated with this token.
|
||||||
|
* @param password is the password the user has given to access this pad. It can be null.
|
||||||
|
* @return {accessStatus: grant|deny|wrongPassword|needPassword, authorID: a.xxxxxx}. The caller
|
||||||
|
* must use the author ID returned in this object when making any changes associated with the
|
||||||
|
* author.
|
||||||
|
*
|
||||||
|
* WARNING: Tokens and session IDs MUST be kept secret, otherwise users will be able to impersonate
|
||||||
|
* each other (which might allow them to gain privileges).
|
||||||
|
*
|
||||||
|
* TODO: Add a hook so that plugins can make access decisions.
|
||||||
*/
|
*/
|
||||||
exports.checkAccess = async function(padID, sessionCookie, token, password)
|
exports.checkAccess = async function(padID, sessionCookie, token, password)
|
||||||
{
|
{
|
||||||
|
|
|
@ -36,6 +36,7 @@ var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks.js");
|
||||||
var channels = require("channels");
|
var channels = require("channels");
|
||||||
var stats = require('../stats');
|
var stats = require('../stats');
|
||||||
var remoteAddress = require("../utils/RemoteAddress").remoteAddress;
|
var remoteAddress = require("../utils/RemoteAddress").remoteAddress;
|
||||||
|
const assert = require('assert').strict;
|
||||||
const nodeify = require("nodeify");
|
const nodeify = require("nodeify");
|
||||||
const { RateLimiterMemory } = require('rate-limiter-flexible');
|
const { RateLimiterMemory } = require('rate-limiter-flexible');
|
||||||
|
|
||||||
|
@ -260,20 +261,11 @@ exports.handleMessage = async function(client, message)
|
||||||
|
|
||||||
let dropMessage = await handleMessageHook();
|
let dropMessage = await handleMessageHook();
|
||||||
if (!dropMessage) {
|
if (!dropMessage) {
|
||||||
|
|
||||||
// check permissions
|
|
||||||
|
|
||||||
if (message.type == "CLIENT_READY") {
|
if (message.type == "CLIENT_READY") {
|
||||||
// client tried to auth for the first time (first msg from the client)
|
// client tried to auth for the first time (first msg from the client)
|
||||||
createSessionInfo(client, message);
|
createSessionInfo(client, message);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Note: message.sessionID is an entirely different kind of
|
|
||||||
// session from the sessions we use here! Beware!
|
|
||||||
// FIXME: Call our "sessions" "connections".
|
|
||||||
// FIXME: Use a hook instead
|
|
||||||
// FIXME: Allow to override readwrite access with readonly
|
|
||||||
|
|
||||||
// the session may have been dropped during earlier processing
|
// the session may have been dropped during earlier processing
|
||||||
if (!sessioninfos[client.id]) {
|
if (!sessioninfos[client.id]) {
|
||||||
messageLogger.warn("Dropping message from a connection that has gone away.")
|
messageLogger.warn("Dropping message from a connection that has gone away.")
|
||||||
|
@ -901,12 +893,6 @@ async function handleClientReady(client, message)
|
||||||
// Get ro/rw id:s
|
// Get ro/rw id:s
|
||||||
let padIds = await readOnlyManager.getIds(message.padId);
|
let padIds = await readOnlyManager.getIds(message.padId);
|
||||||
|
|
||||||
// check permissions
|
|
||||||
|
|
||||||
// Note: message.sessionID is an entierly different kind of
|
|
||||||
// session from the sessions we use here! Beware!
|
|
||||||
// FIXME: Call our "sessions" "connections".
|
|
||||||
// FIXME: Use a hook instead
|
|
||||||
// FIXME: Allow to override readwrite access with readonly
|
// FIXME: Allow to override readwrite access with readonly
|
||||||
let statusObject = await securityManager.checkAccess(padIds.padId, message.sessionID, message.token, message.password);
|
let statusObject = await securityManager.checkAccess(padIds.padId, message.sessionID, message.token, message.password);
|
||||||
let accessStatus = statusObject.accessStatus;
|
let accessStatus = statusObject.accessStatus;
|
||||||
|
@ -920,19 +906,11 @@ async function handleClientReady(client, message)
|
||||||
let author = statusObject.authorID;
|
let author = statusObject.authorID;
|
||||||
|
|
||||||
// get all authordata of this new user
|
// get all authordata of this new user
|
||||||
|
assert(author);
|
||||||
let value = await authorManager.getAuthor(author);
|
let value = await authorManager.getAuthor(author);
|
||||||
let authorColorId = value.colorId;
|
let authorColorId = value.colorId;
|
||||||
let authorName = value.name;
|
let authorName = value.name;
|
||||||
|
|
||||||
/*
|
|
||||||
* Here we know authorID, token and session. We should ?always? store it..
|
|
||||||
* TODO: I fear that this might allow a user to pass a token for an authorID
|
|
||||||
* meaning that they could in theory "imitate" another author?
|
|
||||||
* Perhaps the fix to this is check to see if it exists first and if it
|
|
||||||
* does then abort.. Details: https://github.com/ether/etherpad-lite/issues/4006
|
|
||||||
*/
|
|
||||||
await authorManager.setToken2Author(message.token, statusObject.authorID)
|
|
||||||
|
|
||||||
// load the pad-object from the database
|
// load the pad-object from the database
|
||||||
let pad = await padManager.getPad(padIds.padId);
|
let pad = await padManager.getPad(padIds.padId);
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
const assert = require('assert').strict;
|
||||||
var hasPadAccess = require("../../padaccess");
|
var hasPadAccess = require("../../padaccess");
|
||||||
var settings = require('../../utils/Settings');
|
var settings = require('../../utils/Settings');
|
||||||
var exportHandler = require('../../handler/ExportHandler');
|
var exportHandler = require('../../handler/ExportHandler');
|
||||||
|
@ -5,6 +6,7 @@ var importHandler = require('../../handler/ImportHandler');
|
||||||
var padManager = require("../../db/PadManager");
|
var padManager = require("../../db/PadManager");
|
||||||
var authorManager = require("../../db/AuthorManager");
|
var authorManager = require("../../db/AuthorManager");
|
||||||
const rateLimit = require("express-rate-limit");
|
const rateLimit = require("express-rate-limit");
|
||||||
|
const securityManager = require("../../db/SecurityManager");
|
||||||
|
|
||||||
settings.importExportRateLimiting.onLimitReached = function(req, res, options) {
|
settings.importExportRateLimiting.onLimitReached = function(req, res, options) {
|
||||||
// when the rate limiter triggers, write a warning in the logs
|
// when the rate limiter triggers, write a warning in the logs
|
||||||
|
@ -51,13 +53,16 @@ exports.expressCreateServer = function (hook_name, args, cb) {
|
||||||
// handle import requests
|
// handle import requests
|
||||||
args.app.use('/p/:pad/import', limiter);
|
args.app.use('/p/:pad/import', limiter);
|
||||||
args.app.post('/p/:pad/import', async function(req, res, next) {
|
args.app.post('/p/:pad/import', async function(req, res, next) {
|
||||||
if (await hasPadAccess(req, res)) {
|
if (!(await padManager.doesPadExists(req.params.pad))) {
|
||||||
let exists = await padManager.doesPadExists(req.params.pad);
|
|
||||||
if (!exists) {
|
|
||||||
console.warn(`Someone tried to import into a pad that doesn't exist (${req.params.pad})`);
|
console.warn(`Someone tried to import into a pad that doesn't exist (${req.params.pad})`);
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const {accessStatus, authorID} = await securityManager.checkAccess(
|
||||||
|
req.params.pad, req.cookies.sessionID, req.cookies.token, req.cookies.password);
|
||||||
|
if (accessStatus !== 'grant') return res.status(403).send('Forbidden');
|
||||||
|
assert(authorID);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Starting from Etherpad 1.8.3 onwards, importing into a pad is allowed
|
* Starting from Etherpad 1.8.3 onwards, importing into a pad is allowed
|
||||||
* only if a user has his browser opened and connected to the pad (i.e. a
|
* only if a user has his browser opened and connected to the pad (i.e. a
|
||||||
|
@ -71,37 +76,18 @@ exports.expressCreateServer = function (hook_name, args, cb) {
|
||||||
*
|
*
|
||||||
* See: https://github.com/ether/etherpad-lite/pull/3833#discussion_r407490205
|
* See: https://github.com/ether/etherpad-lite/pull/3833#discussion_r407490205
|
||||||
*/
|
*/
|
||||||
if (!req.cookies && !settings.allowAnyoneToImport) {
|
if (!settings.allowAnyoneToImport) {
|
||||||
console.warn(`Unable to import file into "${req.params.pad}". No cookies included in request`);
|
const authorsPads = await authorManager.listPadsOfAuthor(authorID);
|
||||||
|
if (!authorsPads) {
|
||||||
|
console.warn(`Unable to import file into "${req.params.pad}". Author "${authorID}" exists but he never contributed to any pad`);
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
|
if (authorsPads.padIDs.indexOf(req.params.pad) === -1) {
|
||||||
if (!req.cookies.token && !settings.allowAnyoneToImport) {
|
console.warn(`Unable to import file into "${req.params.pad}". Author "${authorID}" exists but he never contributed to this pad`);
|
||||||
console.warn(`Unable to import file into "${req.params.pad}". No token in the cookies`);
|
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
|
|
||||||
let author = await authorManager.getAuthor4Token(req.cookies.token);
|
|
||||||
// author is of the form: "a.g2droBYw1prY7HW9"
|
|
||||||
if (!author && !settings.allowAnyoneToImport) {
|
|
||||||
console.warn(`Unable to import file into "${req.params.pad}". No Author found for token ${req.cookies.token}`);
|
|
||||||
|
|
||||||
return next();
|
|
||||||
}
|
|
||||||
|
|
||||||
let authorsPads = await authorManager.listPadsOfAuthor(author);
|
|
||||||
if (!authorsPads && !settings.allowAnyoneToImport) {
|
|
||||||
console.warn(`Unable to import file into "${req.params.pad}". Author "${author}" exists but he never contributed to any pad`);
|
|
||||||
return next();
|
|
||||||
}
|
|
||||||
|
|
||||||
let authorsPadIDs = authorsPads.padIDs;
|
|
||||||
if ( (authorsPadIDs.indexOf(req.params.pad) === -1) && !settings.allowAnyoneToImport) {
|
|
||||||
console.warn(`Unable to import file into "${req.params.pad}". Author "${author}" exists but he never contributed to this pad`);
|
|
||||||
return next();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
importHandler.doImport(req, res, req.params.pad);
|
importHandler.doImport(req, res, req.params.pad);
|
||||||
}
|
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue