initial attempt to fix security issue

- likely adds new bug where users will be kicked to relogin after the
  server restarts
- TODO: figure out a way to safely check the user login when session
  data is unknown (e.g. after a restart) (hint: ticket?)
zefie
2022-02-16 18:30:19 -05:00
parent c295f81ccc
commit 2a526c0702
5 changed files with 20 additions and 7 deletions


@@ -411,6 +411,18 @@ async function processURL(socket, request_headers) {
console.log(" * Lockdown rejected request for " + shortURL + " on socket ID", socket.id);
return;
}
if (ssid_sessions[socket.ssid].isRegistered() && !ssid_sessions[socket.ssid].getSessionData('password_valid')) {
if (!ssid_sessions[socket.ssid].isAuthorized(shortURL,'login')) {
// user is not fully logged in, and URL not authorized
headers = "300 Unauthorized\n";
headers += "Location: client:relogin\n";
data = "";
sendToClient(socket, headers, data);
console.log(" * Incomplete login rejected request for " + shortURL + " on socket ID", socket.id);
return;
}
}
if (ssid_sessions[socket.ssid].get("wtv-my-disk-sucks-sucks-sucks")) {
if (!ssid_sessions[socket.ssid].baddisk) {