Added loginkey support to meshctrl.js, #3115

2021-09-10 13:04:10 -07:00 · 2021-09-10 13:04:10 -07:00 · 15d8f4b027
parent f918ae537c
commit 15d8f4b027
3 changed files with 13 additions and 8 deletions
--- a/meshcentral.js
+++ b/meshcentral.js
@ -2767,6 +2767,7 @@ function CreateMeshCentralServer(config, args) {
                    if ((docs.length > 0) && (docs[0].key != null) && (obj.args.logintokengen == null) && (docs[0].key.length >= 160)) {
                        // Key is present, use it.
                        obj.loginCookieEncryptionKey = Buffer.from(docs[0].key, 'hex');
+                        console.log('obj.loginCookieEncryptionKey', obj.loginCookieEncryptionKey);
                        func(obj.encodeCookie({ u: userid, a: 3 }, obj.loginCookieEncryptionKey));
                    } else {
                        // Key is not present, generate one.
--- a/meshctrl.js
+++ b/meshctrl.js
@ -968,7 +968,7 @@ function displayConfigHelp() {
 }

 function performConfigOperations(args) {
-    var domainValues = ['title', 'title2', 'titlepicture', 'trustedcert', 'welcomepicture', 'welcometext', 'userquota', 'meshquota', 'newaccounts', 'usernameisemail', 'newaccountemaildomains', 'newaccountspass', 'newaccountsrights', 'geolocation', 'lockagentdownload', 'userconsentflags', 'Usersessionidletimeout', 'auth', 'ldapoptions', 'ldapusername', 'ldapuserbinarykey', 'ldapuseremail', 'footer', 'certurl', 'loginKey', 'userallowedip', 'agentallowedip', 'agentnoproxy', 'agentconfig', 'orphanagentuser', 'httpheaders', 'yubikey', 'passwordrequirements', 'limits', 'amtacmactivation', 'redirects', 'sessionrecording', 'hide', 'loginkey'];
+    var domainValues = ['title', 'title2', 'titlepicture', 'trustedcert', 'welcomepicture', 'welcometext', 'userquota', 'meshquota', 'newaccounts', 'usernameisemail', 'newaccountemaildomains', 'newaccountspass', 'newaccountsrights', 'geolocation', 'lockagentdownload', 'userconsentflags', 'Usersessionidletimeout', 'auth', 'ldapoptions', 'ldapusername', 'ldapuserbinarykey', 'ldapuseremail', 'footer', 'certurl', 'loginKey', 'userallowedip', 'agentallowedip', 'agentnoproxy', 'agentconfig', 'orphanagentuser', 'httpheaders', 'yubikey', 'passwordrequirements', 'limits', 'amtacmactivation', 'redirects', 'sessionrecording', 'hide'];
    var domainObjectValues = [ 'ldapoptions', 'httpheaders', 'yubikey', 'passwordrequirements', 'limits', 'amtacmactivation', 'redirects', 'sessionrecording' ];
    var domainArrayValues = [ 'newaccountemaildomains', 'newaccountsrights', 'loginkey', 'agentconfig' ];
    var configChange = false;
@ -1111,19 +1111,19 @@ function serverConnect() {
    }

    // Cookie authentication
-    var ckey = null;
+    var ckey = null, loginCookie = null;
    if (args.loginkey != null) {
        // User key passed in a argument hex
-        if (args.loginkey.length != 160) { console.log("Invalid login key."); process.exit(); return; }
+        if (args.loginkey.length != 160) { loginCookie = args.loginkey; }
        ckey = Buffer.from(args.loginkey, 'hex');
-        if (ckey != 80) { console.log("Invalid login key."); process.exit(); return; }
+        if (ckey != 80) { ckey = null; loginCookie = args.loginkey; }
    } else if (args.loginkeyfile != null) {
        // Load key from hex file
        var fs = require('fs');
        try {
            var keydata = fs.readFileSync(args.loginkeyfile, 'utf8').split(' ').join('').split('\r').join('').split('\n').join('');
            ckey = Buffer.from(keydata, 'hex');
-            if (ckey.length != 80) { console.log("Invalid login key file."); process.exit(); return; }
+            if (ckey.length != 80) { ckey = null; loginCookie = args.loginkey; }
        } catch (ex) { console.log(ex.message); process.exit(); return; }
    }

@ -1135,10 +1135,11 @@ function serverConnect() {
        url += '?auth=' + encodeCookie({ userid: 'user/' + domainid + '/' + username, domainid: domainid }, ckey);
    } else {
        if (args.logindomain != null) { console.log("--logindomain can only be used along with --loginkey."); process.exit(); return; }
+        if (loginCookie != null) { url += '?auth=' + loginCookie; }
    }

    const ws = new WebSocket(url, options);
-    //console.log('Connecting to ' + url);
+    console.log('Connecting to ' + url);

    ws.on('open', function open() {
        //console.log('Connected.');
--- a/webserver.js
+++ b/webserver.js
@ -6473,9 +6473,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                    parent.debug('web', 'ERR: Invalid cookie IP address, got \"' + cookie.ip + '\", expected \"' + cleanRemoteAddr(req.clientIp) + '\".');
                    cookie = null;
                }
-                if ((cookie != null) && (obj.users[cookie.userid]) && (cookie.domainid == domain.id)) {
-                    // Valid cookie, we are authenticated
+                if ((cookie != null) && (cookie.userid != null) && (obj.users[cookie.userid]) && (cookie.domainid == domain.id) && (cookie.userid.split('/')[1] == domain.id)) {
+                    // Valid cookie, we are authenticated. Cookie of format { userid: 'user//name', domain: '' }
                    func(ws, req, domain, obj.users[cookie.userid], cookie);
+                } else if ((cookie != null) && (cookie.a === 3) && (typeof cookie.u == 'string') && (obj.users[cookie.u]) && (cookie.u.split('/')[1] == domain.id)) {
+                    // Valid cookie, we are authenticated. Cookie of format { u: 'user//name', a: 3 }
+                    func(ws, req, domain, obj.users[cookie.u], cookie);
                } else {
                    // This is a bad cookie, keep going anyway, maybe we have a active session that will save us.
                    if ((cookie != null) && (cookie.domainid != domain.id)) { parent.debug('web', 'ERR: Invalid domain, got \"' + cookie.domainid + '\", expected \"' + domain.id + '\".'); }