initial attempt to fix security issue

- likely adds new bug where users will be kicked to relogin after the
  server restarts
- TODO: figure out a way to safely check the user login when session
  data is unknown (eg restart) (hint: ticket?)

zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js

@@ -45,11 +45,10 @@ else {
 		var home_url = "wtv-home:/splash?";
 	}
 	var limitedLogin = ssid_sessions[socket.ssid].lockdown;
-	var limitedLoginRegistered = (limitedLogin || (ssid_sessions[socket.ssid].isRegistered() && ssid_sessions[socket.ssid].getSessionData('password_valid')));
+	var limitedLoginRegistered = (limitedLogin || (ssid_sessions[socket.ssid].isRegistered() && !ssid_sessions[socket.ssid].getSessionData('password_valid')));
 	var offline_user_list = null;
 	if (ssid_sessions[socket.ssid].isRegistered() && ssid_sessions[socket.ssid].user_id == 0) {
 		var accounts = ssid_sessions[socket.ssid].listPrimaryAccountUsers();
-		console.log(accounts);
 		var num_accounts = ssid_sessions[socket.ssid].getNumberOfUserAccounts();
 		var offline_user_list_str = "<user-list>\n";
 		var i = 0;
@@ -143,9 +142,8 @@ wtv-inactive-timeout: 1440
 			if (request_headers.query.guest_login) headers += "&guest_login=true";
 
 			headers += "\nwtv-boot-url: wtv-head-waiter:/relogin?relogin=true";
-			if (request_headers.query.guest_login) headers += "&guest_login=true";
+			if (request_headers.query.guest_login) headers += "&guest_login=true";			
-
+			headers += "\nwtv-home-url: " + home_url;
-			headers += "\nwtv-home-url: wtv-home:/home?";
 		}
 
 		if (ssid_sessions[socket.ssid].get('wtv-need-upgrade') != 'true' && !request_headers.query.reconnect && !limitedLogin)

zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/password.js

@@ -18,7 +18,7 @@ data = `<html><HEAD><title>Password</title>
 <img src="images/PasswordBanner.gif" width=50 height=191> <tr> <td absheight=8> 
 </table>
 </sidebar>
-<body background="images/NameStrip.gif"
+<body background="/ROMCache/NameStrip.gif"
 novtilebg
 nohtilebg
 bgcolor=191919 

zefie_wtvp_minisrv/WTVClientSessionData.js

@@ -43,6 +43,9 @@ class WTVClientSessionData {
             "wtv-head-waiter:/ValidateLogin",
             "wtv-head-waiter:/login-stage-two",
             "wtv-head-waiter:/relogin",
+			"wtv-head-waiter:/ROMCache/Spacer.gif",
+			"wtv-head-waiter:/ROMCache/NameStrip.gif",
+			"wtv-head-waiter:/images/NameBanner.gif",
             "wtv-head-waiter:/bad-disk",
             "wtv-head-waiter:/images/PasswordBanner.gif",
             "wtv-log:/log",
@@ -682,7 +685,7 @@ class WTVClientSessionData {
 
     isAuthorized(url, whitelist = 'lockdown', ignore_lockdown = false) {
         // not in lockdown so just return true
-        if (!this.lockdown && !ignore_lockdown) return true;
+        if (whitelist == 'lockdown' && !this.lockdown && !ignore_lockdown) return true;
 
         // in lockdown, check whitelisted urls
         var self = this;

zefie_wtvp_minisrv/app.js

@@ -411,6 +411,18 @@ async function processURL(socket, request_headers) {
             console.log(" * Lockdown rejected request for " + shortURL + " on socket ID", socket.id);
             return;
         }
+		
+		 if (ssid_sessions[socket.ssid].isRegistered() && !ssid_sessions[socket.ssid].getSessionData('password_valid')) {
+			 if (!ssid_sessions[socket.ssid].isAuthorized(shortURL,'login')) {
+				// user is not fully logged in, and URL not authorized
+				headers = "300 Unauthorized\n";
+				headers += "Location: client:relogin\n";
+				data = "";
+				sendToClient(socket, headers, data);
+				console.log(" * Incomplete login rejected request for " + shortURL + " on socket ID", socket.id);
+				return;
+			 }
+		 }
 
         if (ssid_sessions[socket.ssid].get("wtv-my-disk-sucks-sucks-sucks")) {
             if (!ssid_sessions[socket.ssid].baddisk) {