From 9521b8e12260c19eaf3a0f173c1e47ad48620dd0 Mon Sep 17 00:00:00 2001 From: M1CK431 Date: Sat, 12 Aug 2023 22:15:50 +0200 Subject: [PATCH] API: ensure user is active in checkLogin helper --- server/server.js | 66 +++++++++---------- .../socket-handlers/api-key-socket-handler.js | 10 +-- .../cloudflared-socket-handler.js | 10 +-- .../database-socket-handler.js | 4 +- .../socket-handlers/docker-socket-handler.js | 6 +- .../socket-handlers/general-socket-handler.js | 2 +- .../maintenance-socket-handler.js | 22 +++---- .../socket-handlers/proxy-socket-handler.js | 4 +- .../status-page-socket-handler.js | 12 ++-- server/util-server.js | 6 +- 10 files changed, 72 insertions(+), 70 deletions(-) diff --git a/server/server.js b/server/server.js index 080d080d2..05d1f5b86 100644 --- a/server/server.js +++ b/server/server.js @@ -494,7 +494,7 @@ let needSetup = false; return; } - checkLogin(socket); + await checkLogin(socket); await doubleCheckPassword(socket.userID, currentPassword); let user = await R.findOne("user", " id = ? AND active = 1 ", [ @@ -544,7 +544,7 @@ let needSetup = false; return; } - checkLogin(socket); + await checkLogin(socket); await doubleCheckPassword(socket.userID, currentPassword); await R.exec("UPDATE `user` SET twofa_status = 1 WHERE id = ? ", [ @@ -577,7 +577,7 @@ let needSetup = false; return; } - checkLogin(socket); + await checkLogin(socket); await doubleCheckPassword(socket.userID, currentPassword); await TwoFA.disable2FA(socket.userID); @@ -601,7 +601,7 @@ let needSetup = false; socket.on("verifyToken", async (token, currentPassword, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await doubleCheckPassword(socket.userID, currentPassword); let user = await R.findOne("user", " id = ? AND active = 1 ", [ 
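Review bot: The handlers in this hunk (and the twoFAStatus hunk that follows) run `let user = await R.findOne("user", " id = ? AND active = 1 ", [ socket.userID ])` directly after `await checkLogin(socket)`, which in this patch performs the same lookup internally, so each of these events now hits the user table twice. A cheap way to avoid that without changing the contract for other callers is to have checkLogin return the loaded bean, `const user = await checkLogin(socket);`, and drop the second query here. The handler bodies start and end outside the hunk, so this is inferred from the visible lines only.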
@@ -634,7 +634,7 @@ let needSetup = false; socket.on("twoFAStatus", async (callback) => { try { - checkLogin(socket); + await checkLogin(socket); let user = await R.findOne("user", " id = ? AND active = 1 ", [ socket.userID, @@ -696,7 +696,7 @@ let needSetup = false; socket.on("getUsers", async callback => { try { - checkLogin(socket); + await checkLogin(socket); const users = await sendUserList(socket); @@ -714,7 +714,7 @@ let needSetup = false; socket.on("getUser", async (userID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); const user = await getUser(userID); @@ -732,7 +732,7 @@ let needSetup = false; socket.on("saveUser", async (user, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await saveUser(socket, user); await sendUserList(socket); @@ -752,7 +752,7 @@ let needSetup = false; // Add a new monitor socket.on("add", async (monitor, callback) => { try { - checkLogin(socket); + await checkLogin(socket); let bean = R.dispense("monitor"); let notificationIDList = monitor.notificationIDList; @@ -809,7 +809,7 @@ let needSetup = false; socket.on("editMonitor", async (monitor, callback) => { try { let removeGroupChildren = false; - checkLogin(socket); + await checkLogin(socket); let bean = await R.findOne("monitor", " id = ? ", [ monitor.id ]); @@ -952,7 +952,7 @@ let needSetup = false; socket.on("getMonitorList", async (callback) => { try { - checkLogin(socket); + await checkLogin(socket); await server.sendMonitorList(socket); callback({ ok: true, @@ -968,7 +968,7 @@ let needSetup = false; socket.on("getMonitor", async (monitorID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.info("monitor", `Get Monitor: ${monitorID} User ID: ${socket.userID}`); 
@@ -992,7 +992,7 @@ let needSetup = false; socket.on("getMonitorBeats", async (monitorID, period, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.info("monitor", `Get Monitor Beats: ${monitorID} User ID: ${socket.userID}`); @@ -1028,7 +1028,7 @@ let needSetup = false; // Start or Resume the monitor socket.on("resumeMonitor", async (monitorID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await startMonitor(socket.userID, monitorID); await server.sendUpdateMonitorIntoList(socket, monitorID); @@ -1048,7 +1048,7 @@ let needSetup = false; socket.on("pauseMonitor", async (monitorID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await pauseMonitor(socket.userID, monitorID); await server.sendUpdateMonitorIntoList(socket, monitorID); @@ -1068,7 +1068,7 @@ let needSetup = false; socket.on("deleteMonitor", async (monitorID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.info("manage", `Delete Monitor: ${monitorID} User ID: ${socket.userID}`); @@ -1105,7 +1105,7 @@ let needSetup = false; socket.on("getTags", async (callback) => { try { - checkLogin(socket); + await checkLogin(socket); const list = await R.findAll("tag"); @@ -1124,7 +1124,7 @@ let needSetup = false; socket.on("addTag", async (tag, callback) => { try { - checkLogin(socket); + await checkLogin(socket); let bean = R.dispense("tag"); bean.name = tag.name; @@ -1146,7 +1146,7 @@ let needSetup = false; socket.on("editTag", async (tag, callback) => { try { - checkLogin(socket); + await checkLogin(socket); let bean = await R.findOne("tag", " id = ? ", [ tag.id ]); if (bean == null) { @@ -1178,7 +1178,7 @@ let needSetup = false; socket.on("deleteTag", async (tagID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await R.exec("DELETE FROM tag WHERE id = ? ", [ tagID ]); 
@@ -1198,7 +1198,7 @@ let needSetup = false; socket.on("addMonitorTag", async (tagID, monitorID, value, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await R.exec("INSERT INTO monitor_tag (tag_id, monitor_id, value) VALUES (?, ?, ?)", [ tagID, @@ -1222,7 +1222,7 @@ let needSetup = false; socket.on("editMonitorTag", async (tagID, monitorID, value, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await R.exec("UPDATE monitor_tag SET value = ? WHERE tag_id = ? AND monitor_id = ?", [ value, @@ -1246,7 +1246,7 @@ let needSetup = false; socket.on("deleteMonitorTag", async (tagID, monitorID, value, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await R.exec("DELETE FROM monitor_tag WHERE tag_id = ? AND monitor_id = ? AND value = ?", [ tagID, @@ -1336,7 +1336,7 @@ let needSetup = false; socket.on("changePassword", async (userID, password, callback) => { try { - checkLogin(socket); + await checkLogin(socket); if (!password.newPassword) { throw new Error("Invalid new password"); @@ -1368,7 +1368,7 @@ let needSetup = false; socket.on("getSettings", async (callback) => { try { - checkLogin(socket); + await checkLogin(socket); const data = await getSettings("general"); if (!data.serverTimezone) { @@ -1390,7 +1390,7 @@ let needSetup = false; socket.on("setSettings", async (data, currentPassword, callback) => { try { - checkLogin(socket); + await checkLogin(socket); // If currently is disabled auth, don't need to check // Disabled Auth + Want to Disable Auth => No Check @@ -1454,7 +1454,7 @@ let needSetup = false; // Add or Edit socket.on("addNotification", async (notification, notificationID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); let notificationBean = await Notification.save(notification, notificationID, socket.userID); await sendNotificationList(socket); 
@@ -1476,7 +1476,7 @@ let needSetup = false; socket.on("deleteNotification", async (notificationID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await Notification.delete(notificationID, socket.userID); await sendNotificationList(socket); @@ -1497,7 +1497,7 @@ let needSetup = false; socket.on("testNotification", async (notification, callback) => { try { - checkLogin(socket); + await checkLogin(socket); let msg = await Notification.send(notification, notification.name + " Testing"); @@ -1518,7 +1518,7 @@ let needSetup = false; socket.on("checkApprise", async (callback) => { try { - checkLogin(socket); + await checkLogin(socket); callback(Notification.checkApprise()); } catch (e) { callback(false); @@ -1527,7 +1527,7 @@ let needSetup = false; socket.on("clearEvents", async (monitorID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.info("manage", `Clear Events Monitor: ${monitorID} User ID: ${socket.userID}`); @@ -1551,7 +1551,7 @@ let needSetup = false; socket.on("clearHeartbeats", async (monitorID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.info("manage", `Clear Heartbeats Monitor: ${monitorID} User ID: ${socket.userID}`); @@ -1575,7 +1575,7 @@ let needSetup = false; socket.on("clearStatistics", async (callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.info("manage", `Clear Statistics User ID: ${socket.userID}`); diff --git a/server/socket-handlers/api-key-socket-handler.js b/server/socket-handlers/api-key-socket-handler.js index 7c57d358f..efe9984a0 100644 --- a/server/socket-handlers/api-key-socket-handler.js +++ b/server/socket-handlers/api-key-socket-handler.js @@ -17,7 +17,7 @@ module.exports.apiKeySocketHandler = (socket) => { // Add a new api key socket.on("addAPIKey", async (key, callback) => { try { - checkLogin(socket); + await checkLogin(socket); let clearKey = nanoid(40); let hashedKey = passwordHash.generate(clearKey); 
@@ -54,7 +54,7 @@ module.exports.apiKeySocketHandler = (socket) => { socket.on("getAPIKeyList", async (callback) => { try { - checkLogin(socket); + await checkLogin(socket); await sendAPIKeyList(socket); callback({ ok: true, @@ -70,7 +70,7 @@ module.exports.apiKeySocketHandler = (socket) => { socket.on("deleteAPIKey", async (keyID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.debug("apikeys", `Deleted API Key: ${keyID} User ID: ${socket.userID}`); @@ -96,7 +96,7 @@ module.exports.apiKeySocketHandler = (socket) => { socket.on("disableAPIKey", async (keyID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.debug("apikeys", `Disabled Key: ${keyID} User ID: ${socket.userID}`); @@ -124,7 +124,7 @@ module.exports.apiKeySocketHandler = (socket) => { socket.on("enableAPIKey", async (keyID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.debug("apikeys", `Enabled Key: ${keyID} User ID: ${socket.userID}`); diff --git a/server/socket-handlers/cloudflared-socket-handler.js b/server/socket-handlers/cloudflared-socket-handler.js index 809191fe8..9508aeb6f 100644 --- a/server/socket-handlers/cloudflared-socket-handler.js +++ b/server/socket-handlers/cloudflared-socket-handler.js @@ -36,7 +36,7 @@ module.exports.cloudflaredSocketHandler = (socket) => { socket.on(prefix + "join", async () => { try { - checkLogin(socket); + await checkLogin(socket); socket.join("cloudflared"); io.to(socket.userID).emit(prefix + "installed", cloudflared.checkInstalled()); io.to(socket.userID).emit(prefix + "running", cloudflared.running); 
@@ -46,14 +46,14 @@ module.exports.cloudflaredSocketHandler = (socket) => { socket.on(prefix + "leave", async () => { try { - checkLogin(socket); + await checkLogin(socket); socket.leave("cloudflared"); } catch (error) { } }); socket.on(prefix + "start", async (token) => { try { - checkLogin(socket); + await checkLogin(socket); if (token && typeof token === "string") { await setSetting("cloudflaredTunnelToken", token); cloudflared.token = token; @@ -66,7 +66,7 @@ module.exports.cloudflaredSocketHandler = (socket) => { socket.on(prefix + "stop", async (currentPassword, callback) => { try { - checkLogin(socket); + await checkLogin(socket); const disabledAuth = await setting("disableAuth"); if (!disabledAuth) { await doubleCheckPassword(socket, currentPassword); @@ -82,7 +82,7 @@ module.exports.cloudflaredSocketHandler = (socket) => { socket.on(prefix + "removeToken", async () => { try { - checkLogin(socket); + await checkLogin(socket); await setSetting("cloudflaredTunnelToken", ""); } catch (error) { } }); diff --git a/server/socket-handlers/database-socket-handler.js b/server/socket-handlers/database-socket-handler.js index ee2394bf6..b440fd5b6 100644 --- a/server/socket-handlers/database-socket-handler.js +++ b/server/socket-handlers/database-socket-handler.js @@ -11,7 +11,7 @@ module.exports.databaseSocketHandler = (socket) => { // Post or edit incident socket.on("getDatabaseSize", async (callback) => { try { - checkLogin(socket); + await checkLogin(socket); callback({ ok: true, size: Database.getSize(), @@ -26,7 +26,7 @@ module.exports.databaseSocketHandler = (socket) => { socket.on("shrinkDatabase", async (callback) => { try { - checkLogin(socket); + await checkLogin(socket); await Database.shrink(); callback({ ok: true, diff --git a/server/socket-handlers/docker-socket-handler.js b/server/socket-handlers/docker-socket-handler.js index 95a60bcd3..c483b253c 100644 --- a/server/socket-handlers/docker-socket-handler.js 
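Review bot: The `catch (error) { }` blocks in the "leave", "start" and "removeToken" handlers still discard the error, so a rejected `await checkLogin(socket)` — which after this patch can also be a database failure rather than a missing session — leaves no trace at all; at minimum record it, e.g. `log.debug("cloudflared", error.message)` if this module's logger is in scope, otherwise whatever logger the file already uses. Separately, the "stop" handler calls `await doubleCheckPassword(socket, currentPassword)` while the server.js hunks call `doubleCheckPassword(socket.userID, currentPassword)`; the two call sites pass different first arguments, so one of them cannot match the helper's signature and should be checked against util-server.js. The enclosing handler function starts and ends outside the hunk.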
+++ b/server/socket-handlers/docker-socket-handler.js @@ -11,7 +11,7 @@ const { log } = require("../../src/util"); module.exports.dockerSocketHandler = (socket) => { socket.on("addDockerHost", async (dockerHost, dockerHostID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); let dockerHostBean = await DockerHost.save(dockerHost, dockerHostID, socket.userID); await sendDockerHostList(socket); @@ -33,7 +33,7 @@ module.exports.dockerSocketHandler = (socket) => { socket.on("deleteDockerHost", async (dockerHostID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await DockerHost.delete(dockerHostID, socket.userID); await sendDockerHostList(socket); @@ -54,7 +54,7 @@ module.exports.dockerSocketHandler = (socket) => { socket.on("testDockerHost", async (dockerHost, callback) => { try { - checkLogin(socket); + await checkLogin(socket); let amount = await DockerHost.testDockerHost(dockerHost); let msg; diff --git a/server/socket-handlers/general-socket-handler.js b/server/socket-handlers/general-socket-handler.js index 50dcd946e..0b8ad99d9 100644 --- a/server/socket-handlers/general-socket-handler.js +++ b/server/socket-handlers/general-socket-handler.js @@ -38,7 +38,7 @@ function getGameList() { module.exports.generalSocketHandler = (socket, server) => { socket.on("initServerTimezone", async (timezone) => { try { - checkLogin(socket); + await checkLogin(socket); log.debug("generalSocketHandler", "Timezone: " + timezone); await Settings.set("initServerTimezone", true); await server.setTimezone(timezone); diff --git a/server/socket-handlers/maintenance-socket-handler.js b/server/socket-handlers/maintenance-socket-handler.js index 086811964..a38943c23 100644 --- a/server/socket-handlers/maintenance-socket-handler.js +++ b/server/socket-handlers/maintenance-socket-handler.js 
@@ -15,7 +15,7 @@ module.exports.maintenanceSocketHandler = (socket) => { // Add a new maintenance socket.on("addMaintenance", async (maintenance, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.debug("maintenance", maintenance); @@ -46,7 +46,7 @@ module.exports.maintenanceSocketHandler = (socket) => { // Edit a maintenance socket.on("editMaintenance", async (maintenance, callback) => { try { - checkLogin(socket); + await checkLogin(socket); let bean = server.getMaintenance(maintenance.id); @@ -74,7 +74,7 @@ module.exports.maintenanceSocketHandler = (socket) => { // Add a new monitor_maintenance socket.on("addMonitorMaintenance", async (maintenanceID, monitors, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await R.exec("DELETE FROM monitor_maintenance WHERE maintenance_id = ?", [ maintenanceID @@ -109,7 +109,7 @@ module.exports.maintenanceSocketHandler = (socket) => { // Add a new monitor_maintenance socket.on("addMaintenanceStatusPage", async (maintenanceID, statusPages, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await R.exec("DELETE FROM maintenance_status_page WHERE maintenance_id = ?", [ maintenanceID @@ -143,7 +143,7 @@ module.exports.maintenanceSocketHandler = (socket) => { socket.on("getMaintenance", async (maintenanceID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.debug("maintenance", `Get Maintenance: ${maintenanceID} User ID: ${socket.userID}`); @@ -164,7 +164,7 @@ module.exports.maintenanceSocketHandler = (socket) => { socket.on("getMaintenanceList", async (callback) => { try { - checkLogin(socket); + await checkLogin(socket); await server.sendMaintenanceList(socket); callback({ ok: true, 
@@ -180,7 +180,7 @@ module.exports.maintenanceSocketHandler = (socket) => { socket.on("getMonitorMaintenance", async (maintenanceID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.debug("maintenance", `Get Monitors for Maintenance: ${maintenanceID} User ID: ${socket.userID}`); @@ -204,7 +204,7 @@ module.exports.maintenanceSocketHandler = (socket) => { socket.on("getMaintenanceStatusPage", async (maintenanceID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.debug("maintenance", `Get Status Pages for Maintenance: ${maintenanceID} User ID: ${socket.userID}`); @@ -228,7 +228,7 @@ module.exports.maintenanceSocketHandler = (socket) => { socket.on("deleteMaintenance", async (maintenanceID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.debug("maintenance", `Delete Maintenance: ${maintenanceID} User ID: ${socket.userID}`); @@ -259,7 +259,7 @@ module.exports.maintenanceSocketHandler = (socket) => { socket.on("pauseMaintenance", async (maintenanceID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.debug("maintenance", `Pause Maintenance: ${maintenanceID} User ID: ${socket.userID}`); @@ -293,7 +293,7 @@ module.exports.maintenanceSocketHandler = (socket) => { socket.on("resumeMaintenance", async (maintenanceID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); log.debug("maintenance", `Resume Maintenance: ${maintenanceID} User ID: ${socket.userID}`); diff --git a/server/socket-handlers/proxy-socket-handler.js b/server/socket-handlers/proxy-socket-handler.js index 9e80371d7..800977a7f 100644 --- a/server/socket-handlers/proxy-socket-handler.js +++ b/server/socket-handlers/proxy-socket-handler.js 
@@ -12,7 +12,7 @@ const server = UptimeKumaServer.getInstance(); module.exports.proxySocketHandler = (socket) => { socket.on("addProxy", async (proxy, proxyID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); const proxyBean = await Proxy.save(proxy, proxyID, socket.userID); await sendProxyList(socket); @@ -39,7 +39,7 @@ module.exports.proxySocketHandler = (socket) => { socket.on("deleteProxy", async (proxyID, callback) => { try { - checkLogin(socket); + await checkLogin(socket); await Proxy.delete(proxyID, socket.userID); await sendProxyList(socket); diff --git a/server/socket-handlers/status-page-socket-handler.js b/server/socket-handlers/status-page-socket-handler.js index 0804da15d..c8bf4b698 100644 --- a/server/socket-handlers/status-page-socket-handler.js +++ b/server/socket-handlers/status-page-socket-handler.js @@ -18,7 +18,7 @@ module.exports.statusPageSocketHandler = (socket) => { // Post or edit incident socket.on("postIncident", async (slug, incident, callback) => { try { - checkLogin(socket); + await checkLogin(socket); let statusPageID = await StatusPage.slugToID(slug); @@ -71,7 +71,7 @@ module.exports.statusPageSocketHandler = (socket) => { socket.on("unpinIncident", async (slug, callback) => { try { - checkLogin(socket); + await checkLogin(socket); let statusPageID = await StatusPage.slugToID(slug); @@ -92,7 +92,7 @@ module.exports.statusPageSocketHandler = (socket) => { socket.on("getStatusPage", async (slug, callback) => { try { - checkLogin(socket); + await checkLogin(socket); let statusPage = await R.findOne("status_page", " slug = ? ", [ slug @@ -118,7 +118,7 @@ module.exports.statusPageSocketHandler = (socket) => { // imgDataUrl Only Accept PNG! socket.on("saveStatusPage", async (slug, config, imgDataUrl, publicGroupList, callback) => { try { - checkLogin(socket); + await checkLogin(socket); // Save Config let statusPage = await R.findOne("status_page", " slug = ? ", [ 
@@ -256,7 +256,7 @@ module.exports.statusPageSocketHandler = (socket) => {
 // Add a new status page
 socket.on("addStatusPage", async (title, slug, callback) => {
 try {
- checkLogin(socket);
+ await checkLogin(socket);
 title = title?.trim();
 slug = slug?.trim();
@@ -304,7 +304,7 @@ module.exports.statusPageSocketHandler = (socket) => {
 const server = UptimeKumaServer.getInstance();
 try {
- checkLogin(socket);
+ await checkLogin(socket);
 let statusPageID = await StatusPage.slugToID(slug);
diff --git a/server/util-server.js b/server/util-server.js
index 6c4111df6..954da4444 100644
--- a/server/util-server.js
+++ b/server/util-server.js
@@ -757,8 +757,10 @@ exports.allowAllOrigin = (res) => {
 * @returns {void}
 * @throws The user is not logged in
 */
-exports.checkLogin = (socket) => {
- if (!socket.userID) {
+exports.checkLogin = async (socket) => {
+ const user = await R.findOne("user", " id = ? AND active = 1 ", [ socket.userID ]);
+
+ if (!user) {
 throw new Error("You are not logged in.");
 }
 };
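Review bot: The rewritten checkLogin drops the synchronous `if (!socket.userID)` guard, so a socket with no session now goes to the database with `undefined` as the bound id on every event before being rejected; keep the cheap guard ahead of the query, `if (!socket.userID) { throw new Error("You are not logged in."); }`, and only then run `R.findOne`. The JSDoc kept as context still says `@returns {void}` and `@throws The user is not logged in`; with the async body this should read `@returns {Promise<void>}` and mention that a deactivated user is rejected too. Because the helper is now async, any call site that omits `await` turns the check into a no-op for that handler (the rejection surfaces only as an unhandled promise), so a comment on the helper such as `// Must be awaited: a missing await disables the check` is worth adding — every site touched in this patch is awaited, but future handlers will not be reviewed against this diff. This presumes `R` is already imported in util-server.js, which the hunk does not show.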