From 3bedd22517b81e43d54a1ad8f65061abe5dfd74c Mon Sep 17 00:00:00 2001 From: zefie Date: Sat, 22 Oct 2022 17:49:54 -0400 Subject: [PATCH 1/5] implement reserved_names option --- zefie_wtvp_minisrv/includes/WTVRegister.js | 25 ++++++++++++++++------ zefie_wtvp_minisrv/includes/config.json | 8 ++++++- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/zefie_wtvp_minisrv/includes/WTVRegister.js b/zefie_wtvp_minisrv/includes/WTVRegister.js index c798e19d..8900931b 100644 --- a/zefie_wtvp_minisrv/includes/WTVRegister.js +++ b/zefie_wtvp_minisrv/includes/WTVRegister.js @@ -29,10 +29,22 @@ class WTVRegister { checkUsernameAvailable(username, directory = null) { - // returns the user's ssid, and user_id and userid in an array if true, false if not - var search_dir = this.session_store_dir + this.path.sep + "accounts"; - var return_val = false; var self = this; + var return_val = false; + // returns the user's ssid, and user_id and userid in an array if true, false if not + + // check against reserved name list + if (this.minisrv_config.config.user_accounts.reserved_names) { + Object.keys(this.minisrv_config.config.user_accounts.reserved_names).forEach((k) => { + if (self.minisrv_config.config.user_accounts.reserved_names[k].toLowerCase() == username.toLowerCase()) return_val = true; + console.log(self.minisrv_config.config.user_accounts.reserved_names[k].toLowerCase(), username.toLowerCase(), return_val) + }) + } + + if (return_val) return !return_val; + + // check against user accounts + var search_dir = this.session_store_dir + this.path.sep + "accounts"; if (directory) search_dir = directory; this.fs.readdirSync(search_dir).forEach(file => { if (self.fs.lstatSync(search_dir + self.path.sep + file).isDirectory() && !return_val) { 
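Review bot: The reserved-name loop in checkUsernameAvailable calls `.toLowerCase()` on every `reserved_names` entry and on `username` with no type check, so a non-string entry in config.json (or a non-string `username`, if a caller ever passes one) throws outside any try/catch visible in this hunk. Coercing and returning early keeps the check total: `const wanted = String(username).toLowerCase();` then `if (Object.values(reserved).some((n) => String(n).toLowerCase() === wanted)) return false;`, with `reserved` standing for `this.minisrv_config.config.user_accounts.reserved_names`. That also replaces `if (return_val) return !return_val;`, which is hard to read as "reserved means not available". The retained comment about returning the ssid and user_id appears stale next to a boolean result; the rest of the function lies outside the hunk.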
@@ -42,9 +54,10 @@ class WTVRegister { try { var temp_session_data_file = self.fs.readFileSync(search_dir + self.path.sep + file, 'Utf8'); var temp_session_data = JSON.parse(temp_session_data_file); - console.log(temp_session_data.subscriber_username.toLowerCase()); - if (temp_session_data.subscriber_username.toLowerCase() == username.toLowerCase()) { - return_val = true; + if (temp_session_data.subscriber_username) { + if (temp_session_data.subscriber_username.toLowerCase() == username.toLowerCase()) { + return_val = true; + } } } catch (e) { console.error(" # Error parsing Session Data JSON", search_dir + self.path.sep + file, e); diff --git a/zefie_wtvp_minisrv/includes/config.json b/zefie_wtvp_minisrv/includes/config.json index 0f27d281..84bf8f33 100644 --- a/zefie_wtvp_minisrv/includes/config.json +++ b/zefie_wtvp_minisrv/includes/config.json @@ -41,7 +41,13 @@ "user_accounts": { "max_users_per_account": 6, "min_username_length": 5, - "max_username_length": 18 + "max_username_length": 18, + "reserved_names": [ + "AccountDisabled", + "Demo", + "Flash", + "null" + ] }, "passwords": { "enabled": true, From b79ace4b761e90d5dc26617810b48701f19cd485 Mon Sep 17 00:00:00 2001 From: zefie Date: Sat, 22 Oct 2022 18:15:15 -0400 Subject: [PATCH 2/5] fix issue where users could bypass username sanity checks with direct urls --- .../wtv-register/ValidateReviewAccountInfo.js | 62 ++++++++++++------- .../wtv-setup/validate-add-user-done.js | 7 +++ zefie_wtvp_minisrv/includes/WTVRegister.js | 1 - 3 files changed, 45 insertions(+), 25 deletions(-) diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js b/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js index bbb94b33..3eb76532 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js 
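Review bot: The account scan touched by this hunk fails open: when a session file cannot be read or parsed, the `catch` only logs and the loop moves on, so the username stored in that file is treated as available for a new registration. The new `if (temp_session_data.subscriber_username)` guard is fine for files that have no username, but the behaviour for damaged files deserves at least a comment at the `catch`, e.g. `// NOTE: an unreadable session file is skipped, so its username is NOT protected by this check`. Whether the code after the hunk compensates for this is not visible here.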
@@ -1,5 +1,6 @@ var minisrv_service_file = true; + if (!request_headers.query.registering || !request_headers.query.subscriber_name || !request_headers.query.subscriber_username || 
@@ -8,40 +9,52 @@ if (!request_headers.query.registering || !session_data.session_store || !session_data || !socket.ssid - ) { +) { var errpage = wtvshared.doErrorPage(400); headers = errpage[0]; data = errpage[1]; } else { - session_data.setSessionData("subscriber_name", request_headers.query.subscriber_name); - session_data.setSessionData("subscriber_username", request_headers.query.subscriber_username); - session_data.setSessionData("subscriber_contact", request_headers.query.subscriber_contact); - session_data.setSessionData("subscriber_contact_method", request_headers.query.subscriber_contact_method); - session_data.setSessionData("subscriber_userid", 0); - session_data.setSessionData("registered", true); - var mailstore_exists = session_data.mailstore.mailstoreExists(); - var mailbox_exists = false; - if (!mailstore_exists) mailstore_exists = session_data.mailstore.createMailstore(); - if (mailstore_exists) { - if (!session_data.mailstore.mailboxExists(0)) { - // mailbox does not yet exist, create it - mailbox_exists = session_data.mailstore.createMailbox(0); - } - if (mailbox_exists) { - // Just created Inbox for the first time, so create the welcome message - session_data.mailstore.createWelcomeMessage(); - } - } - if (!session_data.saveSessionData(true, true)) { - var errpage = wtvshared.doErrorPage(400); + var errpage = null; + const WTVRegister = require(classPath + "/WTVRegister.js") + var wtvr = new WTVRegister(minisrv_config, SessionStore); + if (!request_headers.query.subscriber_username) errpage = wtvshared.doErrorPage(400, "Please enter a username."); + else if (request_headers.query.subscriber_username.length < minisrv_config.config.user_accounts.min_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with " + minisrv_config.config.user_accounts.min_username_length + " or more characters."); + else if (request_headers.query.subscriber_username.length > minisrv_config.config.user_accounts.max_username_length) errpage = 
wtvshared.doErrorPage(400, "Please choose a username with " + minisrv_config.config.user_accounts.max_username_length + " or less characters."); + else if (!wtvr.checkUsernameSanity(request_headers.query.subscriber_username)) errpage = wtvshared.doErrorPage(400, "The username you have chosen contains invalid characters. Please choose a username with only letters, numbers, _ or -. Also, please be sure your username begins with a letter."); + else if (!wtvr.checkUsernameAvailable(request_headers.query.subscriber_username)) errpage = wtvshared.doErrorPage(400, "The username you have selected is already in use. Please select another username."); + if (errpage) { headers = errpage[0]; data = errpage[1]; } else { + session_data.setSessionData("subscriber_name", request_headers.query.subscriber_name); + session_data.setSessionData("subscriber_username", request_headers.query.subscriber_username); + session_data.setSessionData("subscriber_contact", request_headers.query.subscriber_contact); + session_data.setSessionData("subscriber_contact_method", request_headers.query.subscriber_contact_method); + session_data.setSessionData("subscriber_userid", 0); + session_data.setSessionData("registered", true); + var mailstore_exists = session_data.mailstore.mailstoreExists(); + var mailbox_exists = false; + if (!mailstore_exists) mailstore_exists = session_data.mailstore.createMailstore(); + if (mailstore_exists) { + if (!session_data.mailstore.mailboxExists(0)) { + // mailbox does not yet exist, create it + mailbox_exists = session_data.mailstore.createMailbox(0); + } + if (mailbox_exists) { + // Just created Inbox for the first time, so create the welcome message + session_data.mailstore.createWelcomeMessage(); + } + } + if (!session_data.saveSessionData(true, true)) { + var errpage = wtvshared.doErrorPage(400); + headers = errpage[0]; + data = errpage[1]; + } else { - headers = `200 OK + headers = `200 OK Content-Type: text/html`; - data = ` + data = ` Finished signing up 
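Review bot: The five-branch username chain added here is repeated almost verbatim in validate-add-user-done.js later in this patch (there against `user_name`), so the two endpoints can drift apart again, which is the kind of gap this commit closes. Moving the length, sanity and availability checks into one WTVRegister method that returns the error text (or null) would leave each script with a single call. Independently, `.length` and checkUsernameSanity are applied without a type check; if the query parser can yield an array for a repeated parameter, a value where `typeof request_headers.query.subscriber_username !== "string"` should be rejected first. Only the username is validated, while `subscriber_name`, `subscriber_contact` and `subscriber_contact_method` are stored as received; whether they are escaped when rendered is not visible in this hunk. The first branch, `if (!request_headers.query.subscriber_username)`, cannot fire because the enclosing condition already rejects an empty value.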
@@ -110,5 +123,6 @@ connect to the Internet by choosing </body> </html> `; + } } } \ No newline at end of file diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-setup/validate-add-user-done.js b/zefie_wtvp_minisrv/ServiceVault/wtv-setup/validate-add-user-done.js index 62bf5571..3d497352 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-setup/validate-add-user-done.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-setup/validate-add-user-done.js 
@@ -17,8 +17,15 @@ if (!errpage) { if (!errpage) { if (session_data.getNumberOfUserAccounts() > minisrv_config.config.user_accounts.max_users_per_account) errpage = wtvshared.doErrorPage(400, "You are not authorized to add more than " + minisrv_config.config.user_accounts.max_users_per_account + ` account${minisrv_config.config.user_accounts.max_users_per_account > 1 ? 's' : ''}.`); + + if (!request_headers.query.user_name) errpage = wtvshared.doErrorPage(400, "Please enter a username."); + else if (request_headers.query.user_name.length < minisrv_config.config.user_accounts.min_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.min_username_length + "</b> or more characters."); + else if (request_headers.query.user_name.length > minisrv_config.config.user_accounts.max_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.max_username_length + "</b> or less characters."); + else if (!wtvr.checkUsernameSanity(request_headers.query.user_name)) errpage = wtvshared.doErrorPage(400, "The username you have chosen contains invalid characters. Please choose a username with only <b>letters</b>, <b>numbers</b>, <b>_</b> or <b>-</b>. Also, please be sure your username begins with a letter."); + else if (!wtvr.checkUsernameAvailable(request_headers.query.user_name)) errpage = wtvshared.doErrorPage(400, "The username you have selected is already in use. Please select another username."); } + if (errpage) { headers = errpage[0]; data = errpage[1]; diff --git a/zefie_wtvp_minisrv/includes/WTVRegister.js b/zefie_wtvp_minisrv/includes/WTVRegister.js index 8900931b..6ad617e4 100644 --- a/zefie_wtvp_minisrv/includes/WTVRegister.js +++ b/zefie_wtvp_minisrv/includes/WTVRegister.js 
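Review bot: The new username chain runs even when the account-limit check directly above has already set `errpage`, so the limit message can be replaced by a username message and checkUsernameAvailable may still scan the account store for a request that is already rejected. Guarding the chain with `if (!errpage) { ... }`, or starting it with `else if` after the limit check, keeps the first failure and skips the filesystem work. `wtvr` is used here but created outside the hunk, and the enclosing `if (!errpage)` block also begins before it.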
@@ -37,7 +37,6 @@ class WTVRegister { if (this.minisrv_config.config.user_accounts.reserved_names) { Object.keys(this.minisrv_config.config.user_accounts.reserved_names).forEach((k) => { if (self.minisrv_config.config.user_accounts.reserved_names[k].toLowerCase() == username.toLowerCase()) return_val = true; - console.log(self.minisrv_config.config.user_accounts.reserved_names[k].toLowerCase(), username.toLowerCase(), return_val) }) } From 6c34f488d2bdc43748906931d04d406ad6b9855f Mon Sep 17 00:00:00 2001 From: zefie <zefie@zefie.net> Date: Sat, 22 Oct 2022 18:25:44 -0400 Subject: [PATCH 3/5] potentially fix reg loop --- .../ServiceVault/wtv-register/FinishRegistration.js | 1 + 1 file changed, 1 insertion(+) diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-register/FinishRegistration.js b/zefie_wtvp_minisrv/ServiceVault/wtv-register/FinishRegistration.js index 34d684cd..b1360686 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-register/FinishRegistration.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-register/FinishRegistration.js @@ -1,4 +1,5 @@ var minisrv_service_file = true; +session_data.data_store.wtvsec_login.PrepareTicket(); headers = `300 Moved Connection: Close From fcccab0c03eb1d4b8b7a6325bf34efc22b644f4f Mon Sep 17 00:00:00 2001 From: zefie <zefie@zefie.net> Date: Tue, 25 Oct 2022 04:55:52 -0400 Subject: [PATCH 4/5] Update README.md --- README.md | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 9ffb9e45..a0cf4a77 100644 --- a/README.md +++ b/README.md 
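Review bot: In FinishRegistration.js, `session_data.data_store.wtvsec_login.PrepareTicket()` is called with no check that `session_data`, `data_store` or `wtvsec_login` exist, so a request that reaches this script by direct URL without a login session would throw before the redirect headers are built, unless the caller guards service scripts (not visible here). A guard such as `if (session_data?.data_store?.wtvsec_login) session_data.data_store.wtvsec_login.PrepareTicket();`, with a 400 error page otherwise, would match the precondition checks in ValidateReviewAccountInfo.js. The line also needs a short comment naming the registration loop it is meant to break, since the commit message describes the fix only as potential.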
@@ -3,6 +3,8 @@ The ***wtv minisrv***, or "***zefie_wtvp_minisrv***" project is a node.js project that provides a mini WebTV Server, aiming for full WTVP (WebTV Protocol) support. This open source server is in beta status. Use at your own risk. +## Note: `dev` branch offers more features and bug fixes. Until the release of v1.0 (and the removal of this message), it is suggested you download from the dev branch + [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0) ### Current status: @@ -18,12 +20,20 @@ This open source server is in beta status. Use at your own risk. - Custom Tellyscripts *(not yet customizable though)* - Flat file client session store and registration system - wtv-lzpf compression support by eMac (99.9%) +- wtv-favorites support +- wtv-news support (WIP) +- wtv-mail (within same server only) +- "PC Services" (node express with minisrv custom script processing) +- "ViewerGen" Generate "WebTV Viewer" (Windows WebTV Sim) with unique SSIDs ### Current issues: - Mis-configuring wtv-disk:/sync DiskMaps may cause units to delete contents of partitions (need more info) ### Feature Todo: - TellyScript generation and/or manipulation without external dependancies +- Finish wtv-news, complete with upstream integration support (cross-minisrv usenet) +- Finish wtv-guide +- Add wtv-author (Pagebuilder) - ~~wtv-setup and bgm support~~ ***Done [v0.9.23](https://github.com/zefie/zefie_wtvp_minisrv/releases/tag/v0.9.23)*** - ~~wtv-cookie full support~~ ***Done [v0.9.13](https://github.com/zefie/zefie_wtvp_minisrv/releases/tag/v0.9.13)*** - ~~Flashrom flashing for bf0app old classic~~ ***Done [v0.9.9](https://github.com/zefie/zefie_wtvp_minisrv/releases/tag/v0.9.9)*** 
@@ -32,14 +42,15 @@ This open source server is in beta status. Use at your own risk. - ~~Implement HTTP proxy (needs to be able to defluff most of the web, think retro WAP converter)~~ ***Done [v0.7.1](https://github.com/zefie/zefie_wtvp_minisrv/releases/tag/v0.7.1)*** ### How To Use: -- Install [node.js](https://nodejs.org/en/download/). Be sure to say `Yes` when asked about `Chocolatey`. +- Install [node.js](https://nodejs.org/en/download/). If on Windows, be sure to say `Yes` when asked about `Chocolatey`. +- Install git (if on Windows, install from [Git for Windows](https://gitforwindows.org/) - Download a snapshot (either of master, or of any commit/branch/relase/tag etc) - Extract zip somewhere and enter that directory with a command prompt - Enter `zefie_wtvp_minisrv` subdirectory - Verify you are in the same directory as `app.js`, then run `npm install` - Check any configuration. Create your override `user_config.json`. Especally `service_ip`. See [user_config_README.md](user_config_README.md) and [user_config.example.json](zefie_wtvp_minisrv/user_config.example.json) for more information. - **Note:** The intended use is for all custom config to be in `user_config.json` and any custom service files to go in `UserServiceVault`. If you do not care about potential issues with future `git pull`, and will manually add new upstream `config.json` entries, you could use the standard `ServiceVault` and `config.json` -- Run `npm start` (note: if you are using node version 17 or newer, and are getting errors, try `npm start17`) +- Run `npm start` (**note**: if you are using node version 17 or newer, and are getting errors, try `npm start17`) - If you have trouble running it on Windows, try a Linux machine, Windows may need a full development enviroment or extra steps. 
- Test with a WebTV Viewer or connect with a real box - To connect with a real box, you will need to open ports in your firewall and have a way to connect your WebTV (and preferably reroute 10.0.0.1 to the server) @@ -49,4 +60,11 @@ This open source server is in beta status. Use at your own risk. - [Report Bugs](https://github.com/zefie/zefie_wtvp_minisrv/issues) - [Add a Feature and send a Pull Request](https://github.com/zefie/zefie_wtvp_minisrv/pulls) - Write and submit better documentation than I created (see Pull Request above) -- [Support financially on Patreon](https://www.patreon.com/zefie) +- **Content Creators**: Shout out this project, and my YouTube Channel (https://www.youtube.com/zefievideo) +- Financially Support: + - **Companies**: Reach out to biz@zefie.net to sponsor this project + - [Subscribe on Patreon](https://www.patreon.com/zefie) + - One-Time Support: + - [CashApp $altimit](https://cash.app/$altimit) + - Chime: $zefie + - [Credit Card or PayPal (powered by StreamElements)](https://zef.pw/ttv_tip) From 87854d9918980f00efc999a6fd7111427eaa5e69 Mon Sep 17 00:00:00 2001 From: zefie <zefie@zefie.net> Date: Tue, 25 Oct 2022 04:58:52 -0400 Subject: [PATCH 5/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a0cf4a77..8f28516e 100644 --- a/README.md +++ b/README.md @@ -67,4 +67,4 @@ This open source server is in beta status. Use at your own risk. - One-Time Support: - [CashApp $altimit](https://cash.app/$altimit) - Chime: $zefie - - [Credit Card or PayPal (powered by StreamElements)](https://zef.pw/ttv_tip) + - [Credit Card or PayPal (powered by StreamElements)](https://zef.pw/ttv-tip)