Make sure the browser does not show the access-key in the logs (#61)

2025-02-21 14:04:18 +01:00 · 2019-02-24 22:16:41 +09:00 · 2019-02-24 22:16:41 +09:00 · eaebb2b1d8
commit eaebb2b1d8
parent 99317650f1
7 changed files with 43 additions and 4 deletions
--- a/app.js
+++ b/app.js
@ -1,6 +1,8 @@
 const path = require("path");
 const express = require("express");
 const bodyParser = require("body-parser");
+const cookieParser = require("cookie-parser");
+const common = require("./common");
 const app = express();

 //Declare all Routes here
@ -22,6 +24,7 @@ const switchRoutes = require("./routes/switch");
 const baseHref = '/rtl/';
 const apiRoot = baseHref + 'api/';

+app.use(cookieParser(common.cookieParserSecret));
 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: false }));
 app.use(baseHref, express.static(path.join(__dirname, "angular")));
--- a/common.js
+++ b/common.js
@ -1,3 +1,5 @@
+var crypto = require('crypto');
+
 var common = {};

 common.port = 3000;
@ -14,6 +16,7 @@ common.rtl_sso = 0;
 common.rtl_cookie_path = '';
 common.logout_redirect_link = '/login';
 common.cookie = '';
+common.cookieParserSecret = crypto.randomBytes(64).toString('hex');

 common.convertToBTC = (num) => {
 	return (num / 100000000).toFixed(6);
--- a/connect.js
+++ b/connect.js
@ -1,4 +1,5 @@
 var fs = require('fs');
+var crypto = require('crypto');
 var clArgs = require('optimist').argv;
 var ini = require('ini');
 var common = require('./common');
@ -205,7 +206,7 @@ const readCookie = (cookieFile) => {
    try {
      var dirname = path.dirname(cookieFile);
      createDirectory(dirname);
-      fs.writeFileSync(cookieFile, String.random(50));
+      fs.writeFileSync(cookieFile, crypto.randomBytes(64).toString('hex'));
      common.cookie = fs.readFileSync(cookieFile, 'utf-8');
    }
    catch(err) {
--- a/controllers/authenticate.js
+++ b/controllers/authenticate.js
@ -6,10 +6,30 @@ var upperCase = require('upper-case');
 var atob = require('atob');
 var logger = require('./logger');

-exports.authenticateUser = (req, res, next) => {
-  password = atob(req.body.password);
+exports.authenticateUserWithCookie = (req, res, next) => {
  if(+common.rtl_sso) {
-    if (common.cookie === password) {
+    res.cookie('access-key', req.query['access-key'], { signed: true, httpOnly: true, sameSite: true, secure: true });
+    res.set(
+      {
+        'Cache-Control': 'private, no-cache'
+      }
+    );
+    res.redirect(301, '/rtl/');
+  }
+  else
+  {
+    res.status(404).json({
+      message: "Login Failure!",
+      error: "SSO not available"
+    });
+  }
+};
+
+exports.authenticateUser = (req, res, next) => {
+  if(+common.rtl_sso) {
+    const access_key = req.cookies['access-key'];
+    res.clearCookie("access-key");
+    if (common.cookie === access_key) {
      const token = jwt.sign(
        { user: 'Custom_User', lndConfigPath: common.lnd_config_path, macaroonPath: common.macaroon_path },
        'default_secret_key'
@ -22,6 +42,7 @@ exports.authenticateUser = (req, res, next) => {
      });
    }
  } else {
+    password = atob(req.body.password);
    if(upperCase(common.node_auth_type) === 'CUSTOM') {
      if (common.rtl_pass === password) {
        var rpcUser = 'Custom_User';
--- a/package-lock.json
+++ b/package-lock.json
@ -2724,6 +2724,15 @@
      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.3.1.tgz",
      "integrity": "sha1-5+Ch+e9DtMi6klxcWpboBtFoc7s="
    },
+    "cookie-parser": {
+      "version": "1.4.4",
+      "resolved": "https://registry.npmjs.org/cookie-parser/-/cookie-parser-1.4.4.tgz",
+      "integrity": "sha512-lo13tqF3JEtFO7FyA49CqbhaFkskRJ0u/UAiINgrIXeRCY41c88/zxtrECl8AKH3B0hj9q10+h3Kt8I7KlW4tw==",
+      "requires": {
+        "cookie": "0.3.1",
+        "cookie-signature": "1.0.6"
+      }
+    },
    "cookie-signature": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
--- a/package.json
+++ b/package.json
@ -34,6 +34,7 @@
    "angular-user-idle": "^2.0.0",
    "angularx-qrcode": "^1.5.3",
    "atob": "^2.1.2",
+    "cookie-parser": "^1.4.4",
    "core-js": "^2.5.4",
    "express": "^4.16.4",
    "hammerjs": "^2.0.8",
--- a/routes/authenticate.js
+++ b/routes/authenticate.js
@ -2,6 +2,7 @@ const AuthenticateController = require("../controllers/authenticate");
 const express = require("express");
 const router = express.Router();

+router.get("/cookie", AuthenticateController.authenticateUserWithCookie);
 router.post("/", AuthenticateController.authenticateUser);

 module.exports = router;