Ylianst/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2024-11-10 14:01:27 +03:00
Code Issues Packages Projects Releases Wiki Activity
191285c4d2
MeshCentral/webserver.js

8253 lines
558 KiB
JavaScript
Raw Normal View History

Initial main commit
2017-08-28 19:27:45 +03:00
/**
Fixed multi-tenancy DNS support
2018-01-04 23:15:21 +03:00
* @description MeshCentral web server
Initial main commit
2017-08-28 19:27:45 +03:00
* @author Ylian Saint-Hilaire
Updated headers.
2022-01-24 10:21:24 +03:00
* @copyright Intel Corporation 2018-2022
Fixed multi-tenancy DNS support
2018-01-04 23:15:21 +03:00
* @license Apache-2.0
Initial main commit
2017-08-28 19:27:45 +03:00
* @version v0.0.1
*/
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
/*jslint node: true */
/*jshint node: true */
/*jshint strict:false */
/*jshint -W097 */
/*jshint esversion: 6 */
Centralization of user access control.
2019-12-27 09:53:01 +03:00
'use strict';
Initial main commit
2017-08-28 19:27:45 +03:00
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
// SerialTunnel object is used to embed TLS within another connection.
Initial main commit
2017-08-28 19:27:45 +03:00
function SerialTunnel(options) {
var obj = new require('stream').Duplex(options);
obj.forwardwrite = null;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
obj.updateBuffer = function (chunk) { this.push(chunk); };
obj._write = function (chunk, encoding, callback) { if (obj.forwardwrite != null) { obj.forwardwrite(chunk); } else { console.err("Failed to fwd _write."); } if (callback) callback(); }; // Pass data written to forward
obj._read = function (size) { }; // Push nothing, anything to read should be pushed from updateBuffer()
Initial main commit
2017-08-28 19:27:45 +03:00
return obj;
}
// ExpressJS login sample
// https://github.com/expressjs/express/blob/master/examples/auth/index.js
// Polyfill startsWith/endsWith for older NodeJS
if (!String.prototype.startsWith) { String.prototype.startsWith = function (searchString, position) { position = position || 0; return this.substr(position, searchString.length) === searchString; }; }
if (!String.prototype.endsWith) { String.prototype.endsWith = function (searchString, position) { var subjectString = this.toString(); if (typeof position !== 'number' || !isFinite(position) || Math.floor(position) !== position || position > subjectString.length) { position = subjectString.length; } position -= searchString.length; var lastIndex = subjectString.lastIndexOf(searchString, position); return lastIndex !== -1 && lastIndex === position; }; }
Improved some websocket error handling.
2019-01-03 05:34:50 +03:00
// Construct a HTTP server object
Early work on IP KVM integration.
2021-12-03 07:20:37 +03:00
module.exports.CreateWebServer = function (parent, db, args, certificates, doneFunc) {
Made MQTT optional.
2019-10-04 22:18:56 +03:00
var obj = {}, i = 0;
Initial main commit
2017-08-28 19:27:45 +03:00
Faster RSA signatures.
2018-01-10 07:13:41 +03:00
// Modules
Initial main commit
2017-08-28 19:27:45 +03:00
obj.fs = require('fs');
obj.net = require('net');
obj.tls = require('tls');
obj.path = require('path');
obj.bodyParser = require('body-parser');
Improved http session handling, new account page
2018-08-23 02:18:01 +03:00
obj.session = require('cookie-session');
Initial main commit
2017-08-28 19:27:45 +03:00
obj.exphbs = require('express-handlebars');
obj.crypto = require('crypto');
obj.common = require('./common.js');
obj.express = require('express');
obj.meshAgentHandler = require('./meshagent.js');
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
obj.meshRelayHandler = require('./meshrelay.js');
Added support for device stream downloads.
2020-08-27 04:42:41 +03:00
obj.meshDeviceFileHandler = require('./meshdevicefile.js');
Start work in desktop multiplexor.
2020-04-24 09:19:28 +03:00
obj.meshDesktopMultiplexHandler = require('./meshdesktopmultiplex.js');
First server with working hard-coded server-side IDER support.
2019-04-24 21:38:28 +03:00
obj.meshIderHandler = require('./amt/amt-ider.js');
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
obj.meshUserHandler = require('./meshuser.js');
Initial main commit
2017-08-28 19:27:45 +03:00
obj.interceptor = require('./interceptor');
Added view previous logins.
2021-02-26 11:58:38 +03:00
obj.uaparser = require('./ua-parser');
Fix for Node 11.10 deprecation of require('constants').
2019-02-27 02:49:44 +03:00
const constants = (obj.crypto.constants ? obj.crypto.constants : require('constants')); // require('constants') is deprecated in Node 11.10, use require('crypto').constants instead.
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
More FIDO2 improvements, improved NPM install.
2019-03-23 23:28:17 +03:00
// Setup WebAuthn / FIDO2
Centralization of user access control.
2019-12-27 09:53:01 +03:00
obj.webauthn = require('./webauthn.js').CreateWebAuthnModule();
Started work on adding FIDO2 support.
2019-03-23 08:33:53 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Variables
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
obj.args = args;
Initial main commit
2017-08-28 19:27:45 +03:00
obj.parent = parent;
obj.filespath = parent.filespath;
obj.db = db;
obj.app = obj.express();
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
if (obj.args.agentport) { obj.agentapp = obj.express(); }
Added compression option.
2020-06-20 01:56:48 +03:00
if (args.compression !== false) { obj.app.use(require('compression')()); }
obj.app.disable('x-powered-by');
Initial main commit
2017-08-28 19:27:45 +03:00
obj.tlsServer = null;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
obj.tcpServer = null;
Initial main commit
2017-08-28 19:27:45 +03:00
obj.certificates = certificates;
Centralization of user access control.
2019-12-27 09:53:01 +03:00
obj.users = {}; // UserID --> User
obj.meshes = {}; // MeshID --> Mesh (also called device group)
More user groups improvements.
2020-01-02 11:30:14 +03:00
obj.userGroups = {}; // UGrpID --> User Group
Centralization of user access control.
2019-12-27 09:53:01 +03:00
obj.userAllowedIp = args.userallowedip; // List of allowed IP addresses for users
obj.agentAllowedIp = args.agentallowedip; // List of allowed IP addresses for agents
obj.agentBlockedIp = args.agentblockedip; // List of blocked IP addresses for agents
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
obj.tlsSniCredentials = null;
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
obj.dnsDomains = {};
Added relay session count.
2019-02-19 04:14:00 +03:00
obj.relaySessionCount = 0;
obj.relaySessionErrorCount = 0;
Improved IP blocking, improved relay tunnel error in meshcore.js
2020-01-10 22:19:23 +03:00
obj.blockedUsers = 0;
obj.blockedAgents = 0;
Translation fixed, some french strings added.
2019-10-22 01:59:20 +03:00
obj.renderPages = null;
Added language selection.
2019-10-22 21:59:19 +03:00
obj.renderLanguages = [];
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
obj.destroyedSessions = {};
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
Added RDP ClickOnce support.
2017-10-24 00:09:58 +03:00
// Mesh Rights
Tools not allowed to connect when account twas notools site rights, #2726
2021-06-04 22:46:41 +03:00
const MESHRIGHT_EDITMESH = 0x00000001;
const MESHRIGHT_MANAGEUSERS = 0x00000002;
const MESHRIGHT_MANAGECOMPUTERS = 0x00000004;
const MESHRIGHT_REMOTECONTROL = 0x00000008;
const MESHRIGHT_AGENTCONSOLE = 0x00000010;
const MESHRIGHT_SERVERFILES = 0x00000020;
const MESHRIGHT_WAKEDEVICE = 0x00000040;
const MESHRIGHT_SETNOTES = 0x00000080;
const MESHRIGHT_REMOTEVIEWONLY = 0x00000100;
const MESHRIGHT_NOTERMINAL = 0x00000200;
const MESHRIGHT_NOFILES = 0x00000400;
const MESHRIGHT_NOAMT = 0x00000800;
const MESHRIGHT_DESKLIMITEDINPUT = 0x00001000;
const MESHRIGHT_LIMITEVENTS = 0x00002000;
const MESHRIGHT_CHATNOTIFY = 0x00004000;
const MESHRIGHT_UNINSTALL = 0x00008000;
const MESHRIGHT_NODESKTOP = 0x00010000;
const MESHRIGHT_REMOTECOMMAND = 0x00020000;
const MESHRIGHT_RESETOFF = 0x00040000;
const MESHRIGHT_GUESTSHARING = 0x00080000;
const MESHRIGHT_ADMIN = 0xFFFFFFFF;
Fixed missing site right.
2021-10-09 06:52:22 +03:00
// Site rights
Tools not allowed to connect when account twas notools site rights, #2726
2021-06-04 22:46:41 +03:00
const SITERIGHT_SERVERBACKUP = 0x00000001;
const SITERIGHT_MANAGEUSERS = 0x00000002;
const SITERIGHT_SERVERRESTORE = 0x00000004;
const SITERIGHT_FILEACCESS = 0x00000008;
const SITERIGHT_SERVERUPDATE = 0x00000010;
const SITERIGHT_LOCKED = 0x00000020;
const SITERIGHT_NONEWGROUPS = 0x00000040;
const SITERIGHT_NOMESHCMD = 0x00000080;
const SITERIGHT_USERGROUPS = 0x00000100;
const SITERIGHT_RECORDINGS = 0x00000200;
const SITERIGHT_LOCKSETTINGS = 0x00000400;
const SITERIGHT_ALLEVENTS = 0x00000800;
Fixed missing site right.
2021-10-09 06:52:22 +03:00
const SITERIGHT_NONEWDEVICES = 0x00001000;
Tools not allowed to connect when account twas notools site rights, #2726
2021-06-04 22:46:41 +03:00
const SITERIGHT_ADMIN = 0xFFFFFFFF;
Added RDP ClickOnce support.
2017-10-24 00:09:58 +03:00
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
// Setup SSPI authentication if needed
if ((obj.parent.platform == 'win32') && (obj.args.nousers != true) && (obj.parent.config != null) && (obj.parent.config.domains != null)) {
Removed SSPI auth retrieveGroups to reduce cookie size.
2021-09-03 03:52:37 +03:00
for (i in obj.parent.config.domains) { if (obj.parent.config.domains[i].auth == 'sspi') { var nodeSSPI = require('node-sspi'); obj.parent.config.domains[i].sspi = new nodeSSPI({ retrieveGroups: false, offerBasic: false }); } }
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
}
Initial main commit
2017-08-28 19:27:45 +03:00
// Perform hash on web certificate and agent certificate
Fixed agent update hash issue, connection hash issue, 2FA issue.
2021-02-15 09:22:53 +03:00
obj.webCertificateHash = parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.web.cert);
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
obj.webCertificateHashs = { '': obj.webCertificateHash };
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-03 05:03:34 +03:00
obj.webCertificateHashBase64 = Buffer.from(obj.webCertificateHash, 'binary').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
Fixed agent update hash issue, connection hash issue, 2FA issue.
2021-02-15 09:22:53 +03:00
obj.webCertificateFullHash = parent.certificateOperations.getCertHashBinary(obj.certificates.web.cert);
Fixed many TLS-SNI problems, updated agents
2018-12-01 03:42:58 +03:00
obj.webCertificateFullHashs = { '': obj.webCertificateFullHash };
Added certificate expiration warning.
2021-04-24 00:17:13 +03:00
obj.webCertificateExpire = { '': Date.parse(parent.certificateOperations.forge.pki.certificateFromPem(parent.certificates.web.cert).validity.notAfter) };
Fixed many TLS-SNI problems, updated agents
2018-12-01 03:42:58 +03:00
obj.agentCertificateHashHex = parent.certificateOperations.getPublicKeyHash(obj.certificates.agent.cert);
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-03 05:03:34 +03:00
obj.agentCertificateHashBase64 = Buffer.from(obj.agentCertificateHashHex, 'hex').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
Fixed certificate generation.
2017-10-19 02:28:05 +03:00
obj.agentCertificateAsn1 = parent.certificateOperations.forge.asn1.toDer(parent.certificateOperations.forge.pki.certificateToAsn1(parent.certificateOperations.forge.pki.certificateFromPem(parent.certificates.agent.cert))).getBytes();
Fixed agent update hash issue, connection hash issue, 2FA issue.
2021-02-15 09:22:53 +03:00
obj.defaultWebCertificateHash = parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.webdefault.cert);
obj.defaultWebCertificateFullHash = parent.certificateOperations.getCertHashBinary(obj.certificates.webdefault.cert);
Added web cert loading, useful for TLS offload.
2018-11-01 02:03:09 +03:00
// Compute the hash of all of the web certificates for each domain
for (var i in obj.parent.config.domains) {
if (obj.parent.config.domains[i].certhash != null) {
// If the web certificate hash is provided, use it.
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-03 05:03:34 +03:00
obj.webCertificateHashs[i] = obj.webCertificateFullHashs[i] = Buffer.from(obj.parent.config.domains[i].certhash, 'hex').toString('binary');
if (obj.parent.config.domains[i].certkeyhash != null) { obj.webCertificateHashs[i] = Buffer.from(obj.parent.config.domains[i].certkeyhash, 'hex').toString('binary'); }
Added certificate expiration warning.
2021-04-24 00:17:13 +03:00
delete obj.webCertificateExpire[i]; // Expire time is not provided
Added web cert loading, useful for TLS offload.
2018-11-01 02:03:09 +03:00
} else if ((obj.parent.config.domains[i].dns != null) && (obj.parent.config.domains[i].certs != null)) {
// If the domain has a different DNS name, use a different certificate hash.
Fixed many TLS-SNI problems, updated agents
2018-12-01 03:42:58 +03:00
// Hash the full certificate
obj.webCertificateFullHashs[i] = parent.certificateOperations.getCertHashBinary(obj.parent.config.domains[i].certs.cert);
Added certificate expiration warning.
2021-04-24 00:17:13 +03:00
obj.webCertificateExpire[i] = Date.parse(parent.certificateOperations.forge.pki.certificateFromPem(obj.parent.config.domains[i].certs.cert).validity.notAfter);
Added web cert loading, useful for TLS offload.
2018-11-01 02:03:09 +03:00
try {
Fixed many TLS-SNI problems, updated agents
2018-12-01 03:42:58 +03:00
// Decode a RSA certificate and hash the public key.
obj.webCertificateHashs[i] = parent.certificateOperations.getPublicKeyHashBinary(obj.parent.config.domains[i].certs.cert);
Added web cert loading, useful for TLS offload.
2018-11-01 02:03:09 +03:00
} catch (ex) {
Fixed many TLS-SNI problems, updated agents
2018-12-01 03:42:58 +03:00
// This may be a ECDSA certificate, hash the entire cert.
obj.webCertificateHashs[i] = obj.webCertificateFullHashs[i];
Added web cert loading, useful for TLS offload.
2018-11-01 02:03:09 +03:00
}
Server fixes
2019-03-14 22:28:58 +03:00
} else if ((obj.parent.config.domains[i].dns != null) && (obj.certificates.dns[i] != null)) {
// If this domain has a DNS and a matching DNS cert, use it. This case works for wildcard certs.
obj.webCertificateFullHashs[i] = parent.certificateOperations.getCertHashBinary(obj.certificates.dns[i].cert);
obj.webCertificateHashs[i] = parent.certificateOperations.getPublicKeyHashBinary(obj.certificates.dns[i].cert);
Added certificate expiration warning.
2021-04-24 00:17:13 +03:00
obj.webCertificateExpire[i] = Date.parse(parent.certificateOperations.forge.pki.certificateFromPem(obj.certificates.dns[i].cert).validity.notAfter);
Fixed exception when setting up domains without seperate dns name.
2019-04-05 00:47:52 +03:00
} else if (i != '') {
// For any other domain, use the default cert.
obj.webCertificateFullHashs[i] = obj.webCertificateFullHashs[''];
obj.webCertificateHashs[i] = obj.webCertificateHashs[''];
Added certificate expiration warning.
2021-04-24 00:17:13 +03:00
obj.webCertificateExpire[i] = obj.webCertificateExpire[''];
Added web cert loading, useful for TLS offload.
2018-11-01 02:03:09 +03:00
}
}
// If we are running the legacy swarm server, compute the hash for that certificate
Completed MeshCentralv1 migration code.
2017-11-08 04:05:22 +03:00
if (parent.certificates.swarmserver != null) {
obj.swarmCertificateAsn1 = parent.certificateOperations.forge.asn1.toDer(parent.certificateOperations.forge.pki.certificateToAsn1(parent.certificateOperations.forge.pki.certificateFromPem(parent.certificates.swarmserver.cert))).getBytes();
obj.swarmCertificateHash384 = parent.certificateOperations.forge.pki.getPublicKeyFingerprint(parent.certificateOperations.forge.pki.certificateFromPem(obj.certificates.swarmserver.cert).publicKey, { md: parent.certificateOperations.forge.md.sha384.create(), encoding: 'binary' });
obj.swarmCertificateHash256 = parent.certificateOperations.forge.pki.getPublicKeyFingerprint(parent.certificateOperations.forge.pki.certificateFromPem(obj.certificates.swarmserver.cert).publicKey, { md: parent.certificateOperations.forge.md.sha256.create(), encoding: 'binary' });
}
Initial main commit
2017-08-28 19:27:45 +03:00
Added web cert loading, useful for TLS offload.
2018-11-01 02:03:09 +03:00
// Main lists
Improved support for reverse-proxy certificate loading.
2019-10-30 02:17:29 +03:00
obj.wsagents = {}; // NodeId --> Agent
obj.wsagentsWithBadWebCerts = {}; // NodeId --> Agent
Added agent trouble detection on the server.
2019-01-23 06:34:55 +03:00
obj.wsagentsDisconnections = {};
obj.wsagentsDisconnectionsTimer = null;
Many bug fixes: Login screen, hw keys, relay domain and more.
2019-05-22 00:19:32 +03:00
obj.duplicateAgentsLog = {};
Improved support for reverse-proxy certificate loading.
2019-10-30 02:17:29 +03:00
obj.wssessions = {}; // UserId --> Array Of Sessions
obj.wssessions2 = {}; // "UserId + SessionRnd" --> Session (Note that the SessionId is the UserId + / + SessionRnd)
obj.wsPeerSessions = {}; // ServerId --> Array Of "UserId + SessionRnd"
obj.wsPeerSessions2 = {}; // "UserId + SessionRnd" --> ServerId
obj.wsPeerSessions3 = {}; // ServerId --> UserId --> [ SessionId ]
obj.sessionsCount = {}; // Merged session counters, used when doing server peering. UserId --> SessionCount
obj.wsrelays = {}; // Id -> Relay
More work on desktop multiplexor.
2020-04-28 02:25:54 +03:00
obj.desktoprelays = {}; // Id -> Desktop Multiplexor Relay
Improved support for reverse-proxy certificate loading.
2019-10-30 02:17:29 +03:00
obj.wsPeerRelays = {}; // Id -> { ServerId, Time }
var tlsSessionStore = {}; // Store TLS session information for quick resume.
var tlsSessionStoreCount = 0; // Number of cached TLS session information in store.
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Setup randoms
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 09:22:19 +03:00
obj.crypto.randomBytes(48, function (err, buf) { obj.httpAuthRandom = buf; });
Initial main commit
2017-08-28 19:27:45 +03:00
obj.crypto.randomBytes(16, function (err, buf) { obj.httpAuthRealm = buf.toString('hex'); });
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 09:22:19 +03:00
obj.crypto.randomBytes(48, function (err, buf) { obj.relayRandom = buf; });
Initial main commit
2017-08-28 19:27:45 +03:00
First MeshCentral with multi-language emails.
2020-04-05 05:29:20 +03:00
// Get non-english web pages and emails
Translation fixed, some french strings added.
2019-10-22 01:59:20 +03:00
getRenderList();
First MeshCentral with multi-language emails.
2020-04-05 05:29:20 +03:00
getEmailLanguageList();
Translation fixed, some french strings added.
2019-10-22 01:59:20 +03:00
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
// Setup DNS domain TLS SNI credentials
{
var dnscount = 0;
obj.tlsSniCredentials = {};
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
for (i in obj.certificates.dns) { if (obj.parent.config.domains[i].dns != null) { obj.dnsDomains[obj.parent.config.domains[i].dns.toLowerCase()] = obj.parent.config.domains[i]; obj.tlsSniCredentials[obj.parent.config.domains[i].dns] = obj.tls.createSecureContext(obj.certificates.dns[i]).context; dnscount++; } }
Added built-in Let's Encrypt support using GreenLock.
2018-01-15 08:01:06 +03:00
if (dnscount > 0) { obj.tlsSniCredentials[''] = obj.tls.createSecureContext({ cert: obj.certificates.web.cert, key: obj.certificates.web.key, ca: obj.certificates.web.ca }).context; } else { obj.tlsSniCredentials = null; }
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
}
ClickOnce Fix
2018-12-12 04:52:37 +03:00
function TlsSniCallback(name, cb) {
var c = obj.tlsSniCredentials[name];
if (c != null) {
cb(null, c);
} else {
cb(null, obj.tlsSniCredentials['']);
}
}
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
Centralization of user access control.
2019-12-27 09:53:01 +03:00
function EscapeHtml(x) { if (typeof x == 'string') return x.replace(/&/g, '&amp;').replace(/>/g, '&gt;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&apos;'); if (typeof x == 'boolean') return x; if (typeof x == 'number') return x; }
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
//function EscapeHtmlBreaks(x) { if (typeof x == "string") return x.replace(/&/g, '&amp;').replace(/>/g, '&gt;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&apos;').replace(/\r/g, '<br />').replace(/\n/g, '').replace(/\t/g, '&nbsp;&nbsp;'); if (typeof x == "boolean") return x; if (typeof x == "number") return x; }
Initial main commit
2017-08-28 19:27:45 +03:00
// Fetch all users from the database, keep this in memory
obj.db.GetAllType('user', function (err, docs) {
More work done on per-device permissions.
2020-03-27 05:33:13 +03:00
obj.common.unEscapeAllLinksFieldName(docs);
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
var domainUserCount = {}, i = 0;
for (i in parent.config.domains) { domainUserCount[i] = 0; }
for (i in docs) { var u = obj.users[docs[i]._id] = docs[i]; domainUserCount[u.domain]++; }
for (i in parent.config.domains) {
Version 0.7.33
2020-12-30 02:13:09 +03:00
if ((parent.config.domains[i].share == null) && (domainUserCount[i] == 0)) {
Integrated MeshMessenger for user-to-user.
2018-12-02 10:41:57 +03:00
// If newaccounts is set to no new accounts, but no accounts exists, temporarly allow account creation.
MeshCentral now defaults to not accepting new accounts on login screen.
2019-04-23 23:42:54 +03:00
//if ((parent.config.domains[i].newaccounts === 0) || (parent.config.domains[i].newaccounts === false)) { parent.config.domains[i].newaccounts = 2; }
Initial main commit
2017-08-28 19:27:45 +03:00
console.log('Server ' + ((i == '') ? '' : (i + ' ')) + 'has no users, next new account will be site administrator.');
}
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
More user groups improvements.
2020-01-02 11:30:14 +03:00
// Fetch all device groups (meshes) from the database, keep this in memory
Added database links cleanup code.
2020-03-31 03:47:04 +03:00
// As we load things in memory, we will also be doing some cleaning up.
// We will not save any clean up in the database right now, instead it will be saved next time there is a change.
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.db.GetAllType('mesh', function (err, docs) {
obj.common.unEscapeAllLinksFieldName(docs);
Made MQTT optional.
2019-10-04 22:18:56 +03:00
for (var i in docs) { obj.meshes[docs[i]._id] = docs[i]; } // Get all meshes, including deleted ones.
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
More user groups improvements.
2020-01-02 11:30:14 +03:00
// Fetch all user groups from the database, keep this in memory
obj.db.GetAllType('ugrp', function (err, docs) {
obj.common.unEscapeAllLinksFieldName(docs);
Added database links cleanup code.
2020-03-31 03:47:04 +03:00
// Perform user group link cleanup
for (var i in docs) {
const ugrp = docs[i];
if (ugrp.links != null) {
for (var j in ugrp.links) {
if (j.startsWith('user/') && (obj.users[j] == null)) { delete ugrp.links[j]; } // User group has a link to a user that does not exist
else if (j.startsWith('mesh/') && ((obj.meshes[j] == null) || (obj.meshes[j].deleted != null))) { delete ugrp.links[j]; } // User has a link to a device group that does not exist
}
}
obj.userGroups[docs[i]._id] = docs[i]; // Get all user groups
}
// Perform device group link cleanup
for (var i in obj.meshes) {
const mesh = obj.meshes[i];
if (mesh.links != null) {
for (var j in mesh.links) {
if (j.startsWith('ugrp/') && (obj.userGroups[j] == null)) { delete mesh.links[j]; } // Device group has a link to a user group that does not exist
else if (j.startsWith('user/') && (obj.users[j] == null)) { delete mesh.links[j]; } // Device group has a link to a user that does not exist
}
}
SSO Fixes.
2020-05-27 10:52:31 +03:00
}
Added database links cleanup code.
2020-03-31 03:47:04 +03:00
// Perform user link cleanup
for (var i in obj.users) {
const user = obj.users[i];
if (user.links != null) {
for (var j in user.links) {
if (j.startsWith('ugrp/') && (obj.userGroups[j] == null)) { delete user.links[j]; } // User has a link to a user group that does not exist
else if (j.startsWith('mesh/') && ((obj.meshes[j] == null) || (obj.meshes[j].deleted != null))) { delete user.links[j]; } // User has a link to a device group that does not exist
//else if (j.startsWith('node/') && (obj.nodes[j] == null)) { delete user.links[j]; } // TODO
}
//if (Object.keys(user.links).length == 0) { delete user.links; }
}
}
// We loaded the users, device groups and user group state, start the server
More user groups improvements.
2020-01-02 11:30:14 +03:00
serverStart();
});
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
});
});
Initial main commit
2017-08-28 19:27:45 +03:00
Added database links cleanup code.
2020-03-31 03:47:04 +03:00
// Clean up a device, used before saving it in the database
obj.cleanDevice = function (device) {
// Check device links, if a link points to an unknown user, remove it.
if (device.links != null) {
for (var j in device.links) {
Started work on adding user groups in individual device permissions.
2020-04-13 08:51:57 +03:00
if ((obj.users[j] == null) && (obj.userGroups[j] == null)) {
Added database links cleanup code.
2020-03-31 03:47:04 +03:00
delete device.links[j];
if (Object.keys(device.links).length == 0) { delete device.links; }
}
}
}
return device;
}
Added server instrumentation
2019-05-02 01:02:03 +03:00
// Return statistics about this web server
obj.getStats = function () {
return {
users: Object.keys(obj.users).length,
meshes: Object.keys(obj.meshes).length,
dnsDomains: Object.keys(obj.dnsDomains).length,
relaySessionCount: obj.relaySessionCount,
relaySessionErrorCount: obj.relaySessionErrorCount,
wsagents: Object.keys(obj.wsagents).length,
wsagentsDisconnections: Object.keys(obj.wsagentsDisconnections).length,
wsagentsDisconnectionsTimer: Object.keys(obj.wsagentsDisconnectionsTimer).length,
wssessions: Object.keys(obj.wssessions).length,
wssessions2: Object.keys(obj.wssessions2).length,
wsPeerSessions: Object.keys(obj.wsPeerSessions).length,
wsPeerSessions2: Object.keys(obj.wsPeerSessions2).length,
wsPeerSessions3: Object.keys(obj.wsPeerSessions3).length,
sessionsCount: Object.keys(obj.sessionsCount).length,
wsrelays: Object.keys(obj.wsrelays).length,
wsPeerRelays: Object.keys(obj.wsPeerRelays).length,
Improved IP blocking, improved relay tunnel error in meshcore.js
2020-01-10 22:19:23 +03:00
tlsSessionStore: Object.keys(tlsSessionStore).length,
blockedUsers: obj.blockedUsers,
blockedAgents: obj.blockedAgents
Added server instrumentation
2019-05-02 01:02:03 +03:00
};
}
// Agent counters
obj.agentStats = {
createMeshAgentCount: 0,
MeshCentral Router update, fixed backup links in non-default domain.
2019-05-25 01:11:00 +03:00
agentClose: 0,
agentBinaryUpdate: 0,
Added AgentIssues command to server console.
2021-02-04 02:36:25 +03:00
agentMeshCoreBinaryUpdate: 0,
Added server instrumentation
2019-05-02 01:02:03 +03:00
coreIsStableCount: 0,
verifiedAgentConnectionCount: 0,
clearingCoreCount: 0,
updatingCoreCount: 0,
recoveryCoreIsStableCount: 0,
meshDoesNotExistCount: 0,
invalidPkcsSignatureCount: 0,
invalidRsaSignatureCount: 0,
invalidJsonCount: 0,
unknownAgentActionCount: 0,
agentBadWebCertHashCount: 0,
agentBadSignature1Count: 0,
agentBadSignature2Count: 0,
agentMaxSessionHoldCount: 0,
invalidDomainMeshCount: 0,
invalidMeshTypeCount: 0,
invalidDomainMesh2Count: 0,
invalidMeshType2Count: 0,
Added support fo domain MaxDevices limit
2019-06-06 01:24:07 +03:00
duplicateAgentCount: 0,
Allow meshcore agent update with agent in bad state.
2021-02-07 11:38:20 +03:00
maxDomainDevicesReached: 0,
agentInTrouble: 0,
agentInBigTrouble: 0
Added server instrumentation
2019-05-02 01:02:03 +03:00
}
obj.getAgentStats = function () { return obj.agentStats; }
Started work on traffic accounting.
2021-05-05 12:24:23 +03:00
// Traffic counters
obj.trafficStats = {
httpRequestCount: 0,
Added HTTP traffic accounting.
2021-05-05 21:37:26 +03:00
httpWebSocketCount: 0,
httpIn: 0,
httpOut: 0,
Started work on traffic accounting.
2021-05-05 12:24:23 +03:00
relayCount: {},
relayIn: {},
relayOut: {},
localRelayCount: {},
localRelayIn: {},
Added agent control channel data accounting.
2021-05-05 12:30:23 +03:00
localRelayOut: {},
AgentCtrlIn: 0,
Added CIRA+LMS traffic counters
2021-05-05 20:59:47 +03:00
AgentCtrlOut: 0,
LMSIn: 0,
LMSOut: 0,
CIRAIn: 0,
CIRAOut: 0
Started work on traffic accounting.
2021-05-05 12:24:23 +03:00
}
Added traffic delta functions.
2021-05-06 00:15:26 +03:00
obj.trafficStats.time = Date.now();
Started work on traffic accounting.
2021-05-05 12:24:23 +03:00
obj.getTrafficStats = function () { return obj.trafficStats; }
Added traffic delta functions.
2021-05-06 00:15:26 +03:00
obj.getTrafficDelta = function (oldTraffic) { // Return the difference between the old and new data along with the delta time.
const data = obj.common.Clone(obj.trafficStats);
data.time = Date.now();
const delta = calcDelta(oldTraffic ? oldTraffic : {}, data);
if (oldTraffic && oldTraffic.time) { delta.delta = (data.time - oldTraffic.time); }
delta.time = data.time;
return { current: data, delta: delta }
}
function calcDelta(oldData, newData) { // Recursive function that computes the difference of all numbers
const r = {};
for (var i in newData) {
if (typeof newData[i] == 'object') { r[i] = calcDelta(oldData[i] ? oldData[i] : {}, newData[i]); }
if (typeof newData[i] == 'number') { if (typeof oldData[i] == 'number') { r[i] = (newData[i] - oldData[i]); } else { r[i] = newData[i]; } }
}
return r;
}
Started work on traffic accounting.
2021-05-05 12:24:23 +03:00
Added AgentIssues command to server console.
2021-02-04 02:36:25 +03:00
// Keep a record of the last agent issues.
obj.getAgentIssues = function () { return obj.agentIssues; }
Fix for #2774
2021-06-15 18:12:45 +03:00
obj.setAgentIssue = function (agent, issue) { obj.agentIssues.push([new Date().toLocaleString(), agent.remoteaddrport, issue]); while (obj.setAgentIssue.length > 50) { obj.agentIssues.shift(); } }
Added AgentIssues command to server console.
2021-02-04 02:36:25 +03:00
obj.agentIssues = [];
Initial main commit
2017-08-28 19:27:45 +03:00
// Authenticate the user
obj.authenticate = function (name, pass, domain, fn) {
Completed 2 step login support.
2019-01-16 05:21:03 +03:00
if ((typeof (name) != 'string') || (typeof (pass) != 'string') || (typeof (domain) != 'object')) { fn(new Error('invalid fields')); return; }
Fix for #2773.
2021-06-15 00:36:00 +03:00
if (name.startsWith('~t:')) {
// Login token, try to fetch the token from the database
obj.db.Get('logintoken-' + name, function (err, docs) {
if (err != null) { fn(err); return; }
if ((docs == null) || (docs.length != 1)) { fn(new Error('login token not found')); return; }
const loginToken = docs[0];
if ((loginToken.expire != 0) && (loginToken.expire < Date.now())) { fn(new Error('login token expired')); return; }
// Default strong password hashing (pbkdf2 SHA384)
require('./pass').hash(pass, loginToken.salt, function (err, hash, tag) {
if (err) return fn(err);
if (hash == loginToken.hash) {
// Login username and password are valid.
var user = obj.users[loginToken.userid];
if (!user) { fn(new Error('cannot find user')); return; }
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
// Succesful login token authentication
var loginOptions = { tokenName: loginToken.name, tokenUser: loginToken.tokenUser };
if (loginToken.expire != 0) { loginOptions.expire = loginToken.expire; }
return fn(null, user._id, null, loginOptions);
}
fn(new Error('invalid password'));
}, 0);
});
} else if (domain.auth == 'ldap') {
LDAP fixes.
2019-04-12 00:52:23 +03:00
if (domain.ldapoptions.url == 'test') {
// Fake LDAP login
var xxuser = domain.ldapoptions[name.toLowerCase()];
if (xxuser == null) {
fn(new Error('invalid password'));
return;
Added LDAP support.
2019-04-11 23:41:51 +03:00
} else {
Improved LDAP support and user groups.
2019-04-16 01:05:09 +03:00
var username = xxuser['displayName'];
if (domain.ldapusername) { username = xxuser[domain.ldapusername]; }
LDAP fixes.
2019-04-12 00:52:23 +03:00
var shortname = null;
Improved LDAP support and user groups.
2019-04-16 01:05:09 +03:00
if (domain.ldapuserbinarykey) {
// Use a binary key as the userid
if (xxuser[domain.ldapuserbinarykey]) { shortname = Buffer.from(xxuser[domain.ldapuserbinarykey], 'binary').toString('hex'); }
} else if (domain.ldapuserkey) {
// Use a string key as the userid
if (xxuser[domain.ldapuserkey]) { shortname = xxuser[domain.ldapuserkey]; }
} else {
// Use the default key as the userid
if (xxuser.objectSid) { shortname = Buffer.from(xxuser.objectSid, 'binary').toString('hex').toLowerCase(); }
else if (xxuser.objectGUID) { shortname = Buffer.from(xxuser.objectGUID, 'binary').toString('hex').toLowerCase(); }
else if (xxuser.name) { shortname = xxuser.name; }
else if (xxuser.cn) { shortname = xxuser.cn; }
}
if (shortname == null) { fn(new Error('no user identifier')); return; }
LDAP fix for #3119
2021-09-11 22:55:51 +03:00
if (username == null) { username = shortname; }
LDAP fixes.
2019-04-12 00:52:23 +03:00
var userid = 'user/' + domain.id + '/' + shortname;
var user = obj.users[userid];
add mail address import capability from LDAP
2020-05-15 10:38:50 +03:00
var email = null;
if (domain.ldapuseremail) {
email = xxuser[domain.ldapuseremail];
} else if (xxuser.mail) { // use default
email = xxuser.mail;
}
if ('[object Array]' == Object.prototype.toString.call(email)) {
// mail may be multivalued in ldap in which case, answer is an array. Use the 1st value.
SSO Fixes.
2020-05-27 10:52:31 +03:00
email = email[0];
add mail address import capability from LDAP
2020-05-15 10:38:50 +03:00
}
if (email) { email = email.toLowerCase(); } // it seems some code otherwhere also lowercase the emailaddress. be compatible.
Improved LDAP support and user groups.
2019-04-16 01:05:09 +03:00
LDAP fixes.
2019-04-12 00:52:23 +03:00
if (user == null) {
Improved LDAP support and user groups.
2019-04-16 01:05:09 +03:00
// Create a new user
Added user last access support, #3319
2021-12-05 00:08:17 +03:00
var user = { type: 'user', _id: userid, name: username, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), access: Math.floor(Date.now() / 1000), domain: domain.id };
User management improvements.
2020-05-28 04:26:54 +03:00
if (email) { user['email'] = email; user['emailVerified'] = true; }
Fixed user interface issues and added newAccountsRights in domain config.
2019-05-13 05:14:24 +03:00
if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; }
Added newaccountsrights support for SSO accounts.
2020-05-25 22:52:13 +03:00
if (obj.common.validateStrArray(domain.newaccountrealms)) { user.groups = domain.newaccountrealms; }
LDAP fixes.
2019-04-12 00:52:23 +03:00
var usercount = 0;
for (var i in obj.users) { if (obj.users[i].domain == domain.id) { usercount++; } }
More fixes, updated MeshCommander (Intel AMT tab)
2019-06-27 08:13:56 +03:00
if (usercount == 0) { user.siteadmin = 4294967295; /*if (domain.newaccounts === 2) { delete domain.newaccounts; }*/ } // If this is the first user, give the account site admin.
User management improvements.
2020-05-28 04:26:54 +03:00
// Auto-join any user groups
if (typeof domain.newaccountsusergroups == 'object') {
for (var i in domain.newaccountsusergroups) {
var ugrpid = domain.newaccountsusergroups[i];
if (ugrpid.indexOf('/') < 0) { ugrpid = 'ugrp/' + domain.id + '/' + ugrpid; }
var ugroup = obj.userGroups[ugrpid];
if (ugroup != null) {
// Add group to the user
if (user.links == null) { user.links = {}; }
user.links[ugroup._id] = { rights: 1 };
// Add user to the group
ugroup.links[user._id] = { userid: user._id, name: user.name, rights: 1 };
db.Set(ugroup);
// Notify user group change
LDAP fix for #3119
2021-09-11 22:55:51 +03:00
var event = { etype: 'ugrp', ugrpid: ugroup._id, name: ugroup.name, desc: ugroup.desc, action: 'usergroupchange', links: ugroup.links, msgid: 71, msgArgs: [user.name, ugroup.name], msg: 'Added user ' + user.name + ' to user group ' + ugroup.name, addUserDomain: domain.id };
User management improvements.
2020-05-28 04:26:54 +03:00
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user group. Another event will come.
parent.DispatchEvent(['*', ugroup._id, user._id], obj, event);
}
}
}
LDAP fixes.
2019-04-12 00:52:23 +03:00
obj.users[user._id] = user;
obj.db.SetUser(user);
LDAP fix for #3119
2021-09-11 22:55:51 +03:00
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountcreate', msgid: 128, msgArgs: [user.name], msg: 'Account created, name is ' + user.name, domain: domain.id };
Improved MongoDB change stream.
2019-05-30 00:36:14 +03:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to create the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users'], obj, event);
LDAP fixes.
2019-04-12 00:52:23 +03:00
return fn(null, user._id);
} else {
// This is an existing user
Improved LDAP support and user groups.
2019-04-16 01:05:09 +03:00
// If the display username has changes, update it.
if (user.name != username) {
user.name = username;
Added MongoDB change stream support.
2019-05-29 03:25:23 +03:00
obj.db.SetUser(user);
LDAP fix for #3119
2021-09-11 22:55:51 +03:00
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msgid: 127, msgArgs: [user.name], msg: 'Changed account display name to ' + user.name, domain: domain.id };
Added MongoDB change stream support.
2019-05-29 03:25:23 +03:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
Improved LDAP support and user groups.
2019-04-16 01:05:09 +03:00
}
add mail address import capability from LDAP
2020-05-15 10:38:50 +03:00
// Check if user email has changed
var emailreason = null;
SSO Fixes.
2020-05-27 10:52:31 +03:00
if (user.email && !email) { // email unset in ldap => unset
add mail address import capability from LDAP
2020-05-15 10:38:50 +03:00
delete user.email;
delete user.emailVerified;
emailreason = 'Unset email (no more email in LDAP)'
} else if (user.email != email) { // update email
user['email'] = email;
user['emailVerified'] = true;
emailreason = 'Set account email to ' + email + '. Sync with LDAP.';
}
if (emailreason) {
obj.db.SetUser(user);
var event = { etype: 'user', userid: userid, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: emailreason, domain: domain.id };
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
}
Improved LDAP support and user groups.
2019-04-16 01:05:09 +03:00
// If user is locker out, block here.
LDAP fixes.
2019-04-12 00:52:23 +03:00
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
return fn(null, user._id);
}
Added LDAP support.
2019-04-11 23:41:51 +03:00
}
LDAP fixes.
2019-04-12 00:52:23 +03:00
} else {
// LDAP login
var LdapAuth = require('ldapauth-fork');
var ldap = new LdapAuth(domain.ldapoptions);
Handle ldap on 'error'
2022-01-16 23:15:14 +03:00
ldap.on('error', function (err) { console.log('ldap error: ', err); });
LDAP fixes.
2019-04-12 00:52:23 +03:00
ldap.authenticate(name, pass, function (err, xxuser) {
try { ldap.close(); } catch (ex) { console.log(ex); } // Close the LDAP object
if (err) { fn(new Error('invalid password')); return; }
var shortname = null;
add mail address import capability from LDAP
2020-05-15 10:38:50 +03:00
var email = null;
if (domain.ldapuseremail) {
email = xxuser[domain.ldapuseremail];
} else if (xxuser.mail) {
email = xxuser.mail;
}
if ('[object Array]' == Object.prototype.toString.call(email)) {
// mail may be multivalued in ldap in which case, answer would be an array. Use the 1st one.
SSO Fixes.
2020-05-27 10:52:31 +03:00
email = email[0];
add mail address import capability from LDAP
2020-05-15 10:38:50 +03:00
}
if (email) { email = email.toLowerCase(); } // it seems some code otherwhere also lowercase the emailaddress. be compatible.
Improved LDAP support and user groups.
2019-04-16 01:05:09 +03:00
var username = xxuser['displayName'];
if (domain.ldapusername) { username = xxuser[domain.ldapusername]; }
if (domain.ldapuserbinarykey) {
// Use a binary key as the userid
if (xxuser[domain.ldapuserbinarykey]) { shortname = Buffer.from(xxuser[domain.ldapuserbinarykey], 'binary').toString('hex').toLowerCase(); }
} else if (domain.ldapuserkey) {
// Use a string key as the userid
if (xxuser[domain.ldapuserkey]) { shortname = xxuser[domain.ldapuserkey]; }
} else {
// Use the default key as the userid
if (xxuser.objectSid) { shortname = Buffer.from(xxuser.objectSid, 'binary').toString('hex').toLowerCase(); }
else if (xxuser.objectGUID) { shortname = Buffer.from(xxuser.objectGUID, 'binary').toString('hex').toLowerCase(); }
else if (xxuser.name) { shortname = xxuser.name; }
else if (xxuser.cn) { shortname = xxuser.cn; }
}
if (shortname == null) { fn(new Error('no user identifier')); return; }
LDAP fix for #3119
2021-09-11 22:55:51 +03:00
if (username == null) { username = shortname; }
LDAP fixes.
2019-04-12 00:52:23 +03:00
var userid = 'user/' + domain.id + '/' + shortname;
var user = obj.users[userid];
Improved LDAP support and user groups.
2019-04-16 01:05:09 +03:00
LDAP fixes.
2019-04-12 00:52:23 +03:00
if (user == null) {
// This user does not exist, create a new account.
Added user last access support, #3319
2021-12-05 00:08:17 +03:00
var user = { type: 'user', _id: userid, name: username, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), access: Math.floor(Date.now() / 1000), domain: domain.id };
LDAP fix for #3119
2021-09-11 22:55:51 +03:00
if (email) { user['email'] = email; user['emailVerified'] = true; }
Fixed user interface issues and added newAccountsRights in domain config.
2019-05-13 05:14:24 +03:00
if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; }
Added newaccountsrights support for SSO accounts.
2020-05-25 22:52:13 +03:00
if (obj.common.validateStrArray(domain.newaccountrealms)) { user.groups = domain.newaccountrealms; }
LDAP fixes.
2019-04-12 00:52:23 +03:00
var usercount = 0;
for (var i in obj.users) { if (obj.users[i].domain == domain.id) { usercount++; } }
More fixes, updated MeshCommander (Intel AMT tab)
2019-06-27 08:13:56 +03:00
if (usercount == 0) { user.siteadmin = 4294967295; /*if (domain.newaccounts === 2) { delete domain.newaccounts; }*/ } // If this is the first user, give the account site admin.
User management improvements.
2020-05-28 04:26:54 +03:00
// Auto-join any user groups
if (typeof domain.newaccountsusergroups == 'object') {
for (var i in domain.newaccountsusergroups) {
var ugrpid = domain.newaccountsusergroups[i];
if (ugrpid.indexOf('/') < 0) { ugrpid = 'ugrp/' + domain.id + '/' + ugrpid; }
var ugroup = obj.userGroups[ugrpid];
if (ugroup != null) {
// Add group to the user
if (user.links == null) { user.links = {}; }
user.links[ugroup._id] = { rights: 1 };
// Add user to the group
ugroup.links[user._id] = { userid: user._id, name: user.name, rights: 1 };
db.Set(ugroup);
// Notify user group change
LDAP fix for #3119
2021-09-11 22:55:51 +03:00
var event = { etype: 'ugrp', ugrpid: ugroup._id, name: ugroup.name, desc: ugroup.desc, action: 'usergroupchange', links: ugroup.links, msgid: 71, msgArgs: [user.name, ugroup.name], msg: 'Added user ' + user.name + ' to user group ' + ugroup.name, addUserDomain: domain.id };
User management improvements.
2020-05-28 04:26:54 +03:00
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user group. Another event will come.
parent.DispatchEvent(['*', ugroup._id, user._id], obj, event);
}
}
}
LDAP fixes.
2019-04-12 00:52:23 +03:00
obj.users[user._id] = user;
obj.db.SetUser(user);
LDAP fix for #3119
2021-09-11 22:55:51 +03:00
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountcreate', msgid: 128, msgArgs: [user.name], msg: 'Account created, name is ' + user.name, domain: domain.id };
Improved MongoDB change stream.
2019-05-30 00:36:14 +03:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to create the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users'], obj, event);
LDAP fixes.
2019-04-12 00:52:23 +03:00
return fn(null, user._id);
} else {
// This is an existing user
Improved LDAP support and user groups.
2019-04-16 01:05:09 +03:00
// If the display username has changes, update it.
if (user.name != username) {
user.name = username;
Added MongoDB change stream support.
2019-05-29 03:25:23 +03:00
obj.db.SetUser(user);
LDAP fix for #3119
2021-09-11 22:55:51 +03:00
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msgid: 127, msgArgs: [user.name], msg: 'Changed account display name to ' + user.name, domain: domain.id };
Added MongoDB change stream support.
2019-05-29 03:25:23 +03:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
Improved LDAP support and user groups.
2019-04-16 01:05:09 +03:00
}
add mail address import capability from LDAP
2020-05-15 10:38:50 +03:00
// Check if user email has changed
var emailreason = null;
SSO Fixes.
2020-05-27 10:52:31 +03:00
if (user.email && !email) { // email unset in ldap => unset
add mail address import capability from LDAP
2020-05-15 10:38:50 +03:00
delete user.email;
delete user.emailVerified;
emailreason = 'Unset email (no more email in LDAP)'
} else if (user.email != email) { // update email
user['email'] = email;
user['emailVerified'] = true;
emailreason = 'Set account email to ' + email + '. Sync with LDAP.';
}
if (emailreason) {
obj.db.SetUser(user);
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: emailreason, domain: domain.id };
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
}
Improved LDAP support and user groups.
2019-04-16 01:05:09 +03:00
// If user is locker out, block here.
LDAP fixes.
2019-04-12 00:52:23 +03:00
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
return fn(null, user._id);
}
});
}
Initial main commit
2017-08-28 19:27:45 +03:00
} else {
Added LDAP support.
2019-04-11 23:41:51 +03:00
// Regular login
var user = obj.users['user/' + domain.id + '/' + name.toLowerCase()];
// Query the db for the given username
if (!user) { fn(new Error('cannot find user')); return; }
// Apply the same algorithm to the POSTed password, applying the hash against the pass / salt, if there is a match we found the user
if (user.salt == null) {
fn(new Error('invalid password'));
Add support for IIS account migration.
2017-11-03 04:44:27 +03:00
} else {
Added LDAP support.
2019-04-11 23:41:51 +03:00
if (user.passtype != null) {
// IIS default clear or weak password hashing (SHA-1)
require('./pass').iishash(user.passtype, pass, user.salt, function (err, hash) {
if (err) return fn(err);
if (hash == user.hash) {
// Update the password to the stronger format.
Added batch account addition.
2019-05-15 00:39:26 +03:00
require('./pass').hash(pass, function (err, salt, hash, tag) { if (err) throw err; user.salt = salt; user.hash = hash; delete user.passtype; obj.db.SetUser(user); }, 0);
Added LDAP support.
2019-04-11 23:41:51 +03:00
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
return fn(null, user._id);
}
fn(new Error('invalid password'), null, user.passhint);
});
} else {
// Default strong password hashing (pbkdf2 SHA384)
Added batch account addition.
2019-05-15 00:39:26 +03:00
require('./pass').hash(pass, user.salt, function (err, hash, tag) {
Added LDAP support.
2019-04-11 23:41:51 +03:00
if (err) return fn(err);
if (hash == user.hash) {
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
return fn(null, user._id);
}
fn(new Error('invalid password'), null, user.passhint);
Added batch account addition.
2019-05-15 00:39:26 +03:00
}, 0);
Added LDAP support.
2019-04-11 23:41:51 +03:00
}
Add support for IIS account migration.
2017-11-03 04:44:27 +03:00
}
Initial main commit
2017-08-28 19:27:45 +03:00
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
};
Add support for IIS account migration.
2017-11-03 04:44:27 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
/*
obj.restrict = function (req, res, next) {
console.log('restrict', req.url);
var domain = getDomain(req);
if (req.session.userid) {
next();
} else {
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 111; // Access denied.
Initial main commit
2017-08-28 19:27:45 +03:00
res.redirect(domain.url + 'login');
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
};
Initial main commit
2017-08-28 19:27:45 +03:00
*/
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-31 00:43:42 +03:00
// Check if the source IP address is in the IP list, return false if not.
Added ipBlockedUserRedirect, #3189
2021-10-14 05:12:49 +03:00
function checkIpAddressEx(req, res, ipList, closeIfThis, redirectUrl) {
Added user IP filtering.
2017-09-27 22:43:20 +03:00
try {
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (req.connection) {
// HTTP(S) request
Added ipBlockedUserRedirect, #3189
2021-10-14 05:12:49 +03:00
if (req.clientIp) { for (var i = 0; i < ipList.length; i++) { if (require('ipcheck').match(req.clientIp, ipList[i])) { if (closeIfThis === true) { if (typeof redirectUrl == 'string') { res.redirect(redirectUrl); } else { res.sendStatus(401); } } return true; } } }
if (closeIfThis === false) { if (typeof redirectUrl == 'string') { res.redirect(redirectUrl); } else { res.sendStatus(401); } }
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
} else {
// WebSocket request
if (res.clientIp) { for (var i = 0; i < ipList.length; i++) { if (require('ipcheck').match(res.clientIp, ipList[i])) { if (closeIfThis === true) { try { req.close(); } catch (e) { } } return true; } } }
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-31 00:43:42 +03:00
if (closeIfThis === false) { try { req.close(); } catch (e) { } }
Made MQTT optional.
2019-10-04 22:18:56 +03:00
}
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-31 00:43:42 +03:00
} catch (e) { console.log(e); } // Should never happen
Added user IP filtering.
2017-09-27 22:43:20 +03:00
return false;
}
Improved web interface for getting started.
2017-10-03 00:12:29 +03:00
// Check if the source IP address is allowed, return domain if allowed
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
// If there is a fail and null is returned, the request or connection is closed already.
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
function checkUserIpAddress(req, res) {
Added ipBlockedUserRedirect, #3189
2021-10-14 05:12:49 +03:00
if ((parent.config.settings.userblockedip != null) && (checkIpAddressEx(req, res, parent.config.settings.userblockedip, true, parent.config.settings.ipblockeduserredirect) == true)) { obj.blockedUsers++; return null; }
if ((parent.config.settings.userallowedip != null) && (checkIpAddressEx(req, res, parent.config.settings.userallowedip, false, parent.config.settings.ipblockeduserredirect) == false)) { obj.blockedUsers++; return null; }
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = (req.url ? getDomain(req) : getDomain(res));
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { parent.debug('web', 'handleRootRequest: invalid domain.'); try { res.sendStatus(404); } catch (ex) { } return; }
Added ipBlockedUserRedirect, #3189
2021-10-14 05:12:49 +03:00
if ((domain.userblockedip != null) && (checkIpAddressEx(req, res, domain.userblockedip, true, domain.ipblockeduserredirect) == true)) { obj.blockedUsers++; return null; }
if ((domain.userallowedip != null) && (checkIpAddressEx(req, res, domain.userallowedip, false, domain.ipblockeduserredirect) == false)) { obj.blockedUsers++; return null; }
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-31 00:43:42 +03:00
return domain;
}
// Check if the source IP address is allowed, return domain if allowed
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
// If there is a fail and null is returned, the request or connection is closed already.
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-31 00:43:42 +03:00
function checkAgentIpAddress(req, res) {
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if ((parent.config.settings.agentblockedip != null) && (checkIpAddressEx(req, res, parent.config.settings.agentblockedip, null) == true)) { obj.blockedAgents++; return null; }
if ((parent.config.settings.agentallowedip != null) && (checkIpAddressEx(req, res, parent.config.settings.agentallowedip, null) == false)) { obj.blockedAgents++; return null; }
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-31 00:43:42 +03:00
const domain = (req.url ? getDomain(req) : getDomain(res));
Improved IP blocking, improved relay tunnel error in meshcore.js
2020-01-10 22:19:23 +03:00
if ((domain.agentblockedip != null) && (checkIpAddressEx(req, res, domain.agentblockedip, null) == true)) { obj.blockedAgents++; return null; }
if ((domain.agentallowedip != null) && (checkIpAddressEx(req, res, domain.agentallowedip, null) == false)) { obj.blockedAgents++; return null; }
Improved web interface for getting started.
2017-10-03 00:12:29 +03:00
return domain;
}
Initial main commit
2017-08-28 19:27:45 +03:00
// Return the current domain of the request
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
// Request or connection says open regardless of the response
Initial main commit
2017-08-28 19:27:45 +03:00
function getDomain(req) {
Faster RSA signatures.
2018-01-10 07:13:41 +03:00
if (req.xdomain != null) { return req.xdomain; } // Domain already set for this request, return it.
Fixed getDomain() when domain uses DNS.
2020-02-18 23:02:42 +03:00
if (req.headers.host != null) { var d = obj.dnsDomains[req.headers.host.split(':')[0].toLowerCase()]; if (d != null) return d; } // If this is a DNS name domain, return it here.
Initial main commit
2017-08-28 19:27:45 +03:00
var x = req.url.split('/');
if (x.length < 2) return parent.config.domains[''];
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
var y = parent.config.domains[x[1].toLowerCase()];
Added support for CIDR address checking in UserAllowedIP setting.
2019-01-05 02:29:27 +03:00
if ((y != null) && (y.dns == null)) { return parent.config.domains[x[1].toLowerCase()]; }
Initial main commit
2017-08-28 19:27:45 +03:00
return parent.config.domains[''];
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
function handleLogoutRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
if (domain.auth == 'sspi') { parent.debug('web', 'handleLogoutRequest: failed checks.'); res.sendStatus(404); return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Improved user handling with domain auth, email validation.
2019-01-16 23:04:48 +03:00
Added Webkit download bug workaround.
2020-10-02 23:17:53 +03:00
res.set({ 'Cache-Control': 'no-store' });
Initial main commit
2017-08-28 19:27:45 +03:00
// Destroy the user's session to log them out will be re-created next request
Added auth strategy logout url.
2021-10-17 09:55:34 +03:00
var userid = req.session.userid;
Initial main commit
2017-08-28 19:27:45 +03:00
if (req.session.userid) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
var user = obj.users[req.session.userid];
Started work on internalization of event log.
2020-09-09 04:59:58 +03:00
if (user != null) { obj.parent.DispatchEvent(['*'], obj, { etype: 'user', userid: user._id, username: user.name, action: 'logout', msgid: 2, msg: 'Account logout', domain: domain.id }); }
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
if (req.session.x) { clearDestroyedSessions(); obj.destroyedSessions[req.session.userid + '/' + req.session.x] = Date.now(); } // Destroy this session
Initial main commit
2017-08-28 19:27:45 +03:00
}
Improved http session handling, new account page
2018-08-23 02:18:01 +03:00
req.session = null;
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleLogoutRequest: success.');
Added auth strategy logout url.
2021-10-17 09:55:34 +03:00
// If this user was logged in using an authentication strategy and there is a logout URL, use it.
if ((userid != null) && (domain.authstrategies != null)) {
const u = userid.split('/')[2];
if (u.startsWith('~twitter:') && (domain.authstrategies.twitter != null) && (typeof domain.authstrategies.twitter.logouturl == 'string')) { res.redirect(domain.authstrategies.twitter.logouturl); return; }
if (u.startsWith('~google:') && (domain.authstrategies.google != null) && (typeof domain.authstrategies.google.logouturl == 'string')) { res.redirect(domain.authstrategies.google.logouturl); return; }
if (u.startsWith('~github:') && (domain.authstrategies.github != null) && (typeof domain.authstrategies.github.logouturl == 'string')) { res.redirect(domain.authstrategies.github.logouturl); return; }
if (u.startsWith('~reddit:') && (domain.authstrategies.reddit != null) && (typeof domain.authstrategies.reddit.logouturl == 'string')) { res.redirect(domain.authstrategies.reddit.logouturl); return; }
if (u.startsWith('~azure:') && (domain.authstrategies.azure != null) && (typeof domain.authstrategies.azure.logouturl == 'string')) { res.redirect(domain.authstrategies.azure.logouturl); return; }
implemented passport-openidconnect used passport-openidconnect to get login 90% working, i get as far as the oidc host sending me back to mesh central with a good auth but i dont get logged in, still testing
2022-04-06 19:40:42 +03:00
if (u.startsWith('~oidc:') && (domain.authstrategies.oidc != null) && (typeof domain.authstrategies.oidc.logouturl == 'string')) { res.redirect(domain.authstrategies.oidc.logouturl); return; }
Added auth strategy logout url.
2021-10-17 09:55:34 +03:00
if (u.startsWith('~jumpcloud:') && (domain.authstrategies.jumpcloud != null) && (typeof domain.authstrategies.jumpcloud.logouturl == 'string')) { res.redirect(domain.authstrategies.jumpcloud.logouturl); return; }
if (u.startsWith('~saml:') && (domain.authstrategies.saml != null) && (typeof domain.authstrategies.saml.logouturl == 'string')) { res.redirect(domain.authstrategies.saml.logouturl); return; }
Auth strategy logout fix.
2021-10-17 10:11:20 +03:00
if (u.startsWith('~intel:') && (domain.authstrategies.intel != null) && (typeof domain.authstrategies.intel.logouturl == 'string')) { res.redirect(domain.authstrategies.intel.logouturl); return; }
Added auth strategy logout url.
2021-10-17 09:55:34 +03:00
}
// This is the default logout redirect to the login page
if (req.query.key != null) { res.redirect(domain.url + '?key=' + req.query.key); } else { res.redirect(domain.url); }
Initial main commit
2017-08-28 19:27:45 +03:00
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
// Return an object with 2FA type if 2-step auth can be skipped
function checkUserOneTimePasswordSkip(domain, user, req, loginOptions) {
if (parent.config.settings.no2factorauth == true) return null;
// If this login occured using a login token, no 2FA needed.
if ((loginOptions != null) && (typeof loginOptions.tokenName === 'string')) { return { twoFactorType: 'tokenlogin' }; }
// Check if we can skip 2nd factor auth because of the source IP address
if ((req != null) && (req.clientIp != null) && (domain.passwordrequirements != null) && (domain.passwordrequirements.skip2factor != null)) {
for (var i in domain.passwordrequirements.skip2factor) { if (require('ipcheck').match(req.clientIp, domain.passwordrequirements.skip2factor[i]) === true) { return { twoFactorType: 'ipaddr' }; } }
}
// Check if a 2nd factor cookie is present
if (typeof req.headers.cookie == 'string') {
const cookies = req.headers.cookie.split('; ');
for (var i in cookies) {
if (cookies[i].startsWith('twofactor=')) {
var twoFactorCookie = obj.parent.decodeCookie(decodeURIComponent(cookies[i].substring(10)), obj.parent.loginCookieEncryptionKey, (30 * 24 * 60)); // If the cookies does not have an expire feild, assume 30 day timeout.
if ((twoFactorCookie != null) && ((obj.args.cookieipcheck === false) || (twoFactorCookie.ip == null) || (twoFactorCookie.ip === req.clientIp)) && (twoFactorCookie.userid == user._id)) { return { twoFactorType: 'cookie' }; }
}
}
}
return null;
}
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
// Return true if this user has 2-step auth active
More work on login tokens.
2021-04-16 22:42:54 +03:00
function checkUserOneTimePasswordRequired(domain, user, req, loginOptions) {
// If this login occured using a login token, no 2FA needed.
if ((loginOptions != null) && (typeof loginOptions.tokenName === 'string')) { return false; }
Implemented optional 2nd factor skip for some IP addresses
2019-11-29 07:57:34 +03:00
// Check if we can skip 2nd factor auth because of the source IP address
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if ((req != null) && (req.clientIp != null) && (domain.passwordrequirements != null) && (domain.passwordrequirements.skip2factor != null)) {
for (var i in domain.passwordrequirements.skip2factor) { if (require('ipcheck').match(req.clientIp, domain.passwordrequirements.skip2factor[i]) === true) return false; }
Implemented optional 2nd factor skip for some IP addresses
2019-11-29 07:57:34 +03:00
}
Added remember for 30 days 2nd factor option.
2019-11-29 09:29:22 +03:00
// Check if a 2nd factor cookie is present
if (typeof req.headers.cookie == 'string') {
const cookies = req.headers.cookie.split('; ');
for (var i in cookies) {
if (cookies[i].startsWith('twofactor=')) {
Fixed My Users SMS button.
2020-04-30 03:36:04 +03:00
var twoFactorCookie = obj.parent.decodeCookie(decodeURIComponent(cookies[i].substring(10)), obj.parent.loginCookieEncryptionKey, (30 * 24 * 60)); // If the cookies does not have an expire feild, assume 30 day timeout.
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if ((twoFactorCookie != null) && ((obj.args.cookieipcheck === false) || (twoFactorCookie.ip == null) || (twoFactorCookie.ip === req.clientIp)) && (twoFactorCookie.userid == user._id)) { return false; }
Added remember for 30 days 2nd factor option.
2019-11-29 09:29:22 +03:00
}
}
}
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
// See if SMS 2FA is available
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
Implemented optional 2nd factor skip for some IP addresses
2019-11-29 07:57:34 +03:00
// Check if a 2nd factor is present
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
return ((parent.config.settings.no2factorauth !== true) && (sms2fa || (user.otpsecret != null) || ((user.email != null) && (user.emailVerified == true) && (domain.mailserver != null) && (user.otpekey != null)) || ((user.otphkeys != null) && (user.otphkeys.length > 0))));
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
}
// Check the 2-step auth token
Improved U2F authentication, added multiple U2F key support.
2019-02-11 03:04:36 +03:00
function checkUserOneTimePassword(req, domain, user, token, hwtoken, func) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'checkUserOneTimePassword()');
Improved charts, added no2factorauth switch
2019-03-27 00:11:51 +03:00
const twoStepLoginSupported = ((domain.auth != 'sspi') && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.nousers !== true) && (parent.config.settings.no2factorauth !== true));
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
if (twoStepLoginSupported == false) { parent.debug('web', 'checkUserOneTimePassword: not supported.'); func(true); return; };
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
// Check if we can use OTP tokens with email
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
var otpemail = (domain.mailserver != null);
Completed email 2FA.
2020-03-15 01:03:50 +03:00
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.email2factor == false)) { otpemail = false; }
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
var otpsms = (parent.smsserver != null);
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.sms2factor == false)) { otpsms = false; }
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
// Check 2FA login cookie
Fixed 2FA server crash.
2020-09-17 20:42:09 +03:00
if ((token != null) && (token.startsWith('cookie='))) {
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
var twoFactorCookie = obj.parent.decodeCookie(decodeURIComponent(token.substring(7)), obj.parent.loginCookieEncryptionKey, (30 * 24 * 60)); // If the cookies does not have an expire feild, assume 30 day timeout.
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
if ((twoFactorCookie != null) && ((obj.args.cookieipcheck === false) || (twoFactorCookie.ip == null) || (twoFactorCookie.ip === req.clientIp)) && (twoFactorCookie.userid == user._id)) { func(true, { twoFactorType: 'cookie' }); return; }
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
}
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
// Check email key
if ((otpemail) && (user.otpekey != null) && (user.otpekey.d != null) && (user.otpekey.k === token)) {
var deltaTime = (Date.now() - user.otpekey.d);
if ((deltaTime > 0) && (deltaTime < 300000)) { // Allow 5 minutes to use the email token (10000 * 60 * 5).
user.otpekey = {};
obj.db.SetUser(user);
parent.debug('web', 'checkUserOneTimePassword: success (email).');
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
func(true, { twoFactorType: 'email' });
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
return;
}
}
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
// Check sms key
if ((otpsms) && (user.phone != null) && (user.otpsms != null) && (user.otpsms.d != null) && (user.otpsms.k === token)) {
var deltaTime = (Date.now() - user.otpsms.d);
if ((deltaTime > 0) && (deltaTime < 300000)) { // Allow 5 minutes to use the SMS token (10000 * 60 * 5).
delete user.otpsms;
obj.db.SetUser(user);
parent.debug('web', 'checkUserOneTimePassword: success (SMS).');
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
func(true, { twoFactorType: 'sms' });
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
return;
}
}
First version that can do FIDO2/WebAuthn authentication.
2019-03-23 22:14:53 +03:00
// Check hardware key
Improved U2F authentication, added multiple U2F key support.
2019-02-11 03:04:36 +03:00
if (user.otphkeys && (user.otphkeys.length > 0) && (typeof (hwtoken) == 'string') && (hwtoken.length > 0)) {
First version that can do FIDO2/WebAuthn authentication.
2019-03-23 22:14:53 +03:00
var authResponse = null;
try { authResponse = JSON.parse(hwtoken); } catch (ex) { }
Complete replacement of the WebAuthn 2 factor support.
2019-05-17 00:55:07 +03:00
if ((authResponse != null) && (authResponse.clientDataJSON)) {
// Get all WebAuthn keys
var webAuthnKeys = [];
for (var i = 0; i < user.otphkeys.length; i++) { if (user.otphkeys[i].type == 3) { webAuthnKeys.push(user.otphkeys[i]); } }
if (webAuthnKeys.length > 0) {
// Decode authentication response
var clientAssertionResponse = { response: {} };
clientAssertionResponse.id = authResponse.id;
clientAssertionResponse.rawId = Buffer.from(authResponse.id, 'base64');
clientAssertionResponse.response.authenticatorData = Buffer.from(authResponse.authenticatorData, 'base64');
clientAssertionResponse.response.clientDataJSON = Buffer.from(authResponse.clientDataJSON, 'base64');
clientAssertionResponse.response.signature = Buffer.from(authResponse.signature, 'base64');
clientAssertionResponse.response.userHandle = Buffer.from(authResponse.userHandle, 'base64');
// Look for the key with clientAssertionResponse.id
var webAuthnKey = null;
for (var i = 0; i < webAuthnKeys.length; i++) { if (webAuthnKeys[i].keyId == clientAssertionResponse.id) { webAuthnKey = webAuthnKeys[i]; } }
// If we found a valid key to use, let's validate the response
if (webAuthnKey != null) {
// Figure out the origin
var httpport = ((args.aliasport != null) ? args.aliasport : args.port);
Removed 1h cache, back to etag.
2019-12-21 01:50:06 +03:00
var origin = 'https://' + (domain.dns ? domain.dns : parent.certificates.CommonName);
Complete replacement of the WebAuthn 2 factor support.
2019-05-17 00:55:07 +03:00
if (httpport != 443) { origin += ':' + httpport; }
var assertionExpectations = {
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
challenge: req.session.u2f,
Complete replacement of the WebAuthn 2 factor support.
2019-05-17 00:55:07 +03:00
origin: origin,
Removed 1h cache, back to etag.
2019-12-21 01:50:06 +03:00
factor: 'either',
fmt: 'fido-u2f',
Complete replacement of the WebAuthn 2 factor support.
2019-05-17 00:55:07 +03:00
publicKey: webAuthnKey.publicKey,
prevCounter: webAuthnKey.counter,
Improved translation web application.
2019-12-07 03:49:40 +03:00
userHandle: Buffer.from(user._id, 'binary').toString('base64')
Complete replacement of the WebAuthn 2 factor support.
2019-05-17 00:55:07 +03:00
};
var webauthnResponse = null;
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
try { webauthnResponse = obj.webauthn.verifyAuthenticatorAssertionResponse(clientAssertionResponse.response, assertionExpectations); } catch (ex) { parent.debug('web', 'checkUserOneTimePassword: exception ' + ex); console.log(ex); }
Complete replacement of the WebAuthn 2 factor support.
2019-05-17 00:55:07 +03:00
if ((webauthnResponse != null) && (webauthnResponse.verified === true)) {
// Update the hardware key counter and accept the 2nd factor
webAuthnKey.counter = webauthnResponse.counter;
obj.db.SetUser(user);
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
parent.debug('web', 'checkUserOneTimePassword: success (hardware).');
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
func(true, { twoFactorType: 'fido' });
Complete replacement of the WebAuthn 2 factor support.
2019-05-17 00:55:07 +03:00
} else {
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
parent.debug('web', 'checkUserOneTimePassword: fail (hardware).');
Complete replacement of the WebAuthn 2 factor support.
2019-05-17 00:55:07 +03:00
func(false);
More FIDO2 fixes.
2019-03-26 00:43:58 +03:00
}
First version that can do FIDO2/WebAuthn authentication.
2019-03-23 22:14:53 +03:00
return;
}
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
}
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
}
}
// Check Google Authenticator
const otplib = require('otplib')
Improved U2F authentication, added multiple U2F key support.
2019-02-11 03:04:36 +03:00
otplib.authenticator.options = { window: 2 }; // Set +/- 1 minute window
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
if (user.otpsecret && (typeof (token) == 'string') && (token.length == 6) && (otplib.authenticator.check(token, user.otpsecret) == true)) {
parent.debug('web', 'checkUserOneTimePassword: success (authenticator).');
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
func(true, { twoFactorType: 'otp' });
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
return;
};
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
// Check written down keys
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
if ((user.otpkeys != null) && (user.otpkeys.keys != null) && (typeof (token) == 'string') && (token.length == 8)) {
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
var tokenNumber = parseInt(token);
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
for (var i = 0; i < user.otpkeys.keys.length; i++) {
if ((tokenNumber === user.otpkeys.keys[i].p) && (user.otpkeys.keys[i].u === true)) {
parent.debug('web', 'checkUserOneTimePassword: success (one-time).');
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
user.otpkeys.keys[i].u = false; func(true, { twoFactorType: 'backup' }); return;
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
}
}
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
}
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
// Check OTP hardware key (Yubikey OTP)
Added missing dependencies
2019-02-09 01:46:07 +03:00
if ((domain.yubikey != null) && (domain.yubikey.id != null) && (domain.yubikey.secret != null) && (user.otphkeys != null) && (user.otphkeys.length > 0) && (typeof (token) == 'string') && (token.length == 44)) {
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
var keyId = token.substring(0, 12);
Session and account improvements.
2019-02-11 07:13:03 +03:00
// Find a matching OTP key
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
var match = false;
for (var i = 0; i < user.otphkeys.length; i++) { if ((user.otphkeys[i].type === 2) && (user.otphkeys[i].keyid === keyId)) { match = true; } }
// If we have a match, check the OTP
if (match === true) {
var yubikeyotp = require('yubikeyotp');
var request = { otp: token, id: domain.yubikey.id, key: domain.yubikey.secret, timestamp: true }
if (domain.yubikey.proxy) { request.requestParams = { proxy: domain.yubikey.proxy }; }
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
yubikeyotp.verifyOTP(request, function (err, results) {
if ((results != null) && (results.status == 'OK')) {
parent.debug('web', 'checkUserOneTimePassword: success (Yubikey).');
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
func(true, { twoFactorType: 'hwotp' });
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
} else {
parent.debug('web', 'checkUserOneTimePassword: fail (Yubikey).');
func(false);
}
});
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
return;
}
}
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'checkUserOneTimePassword: fail (2).');
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
func(false);
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
}
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
// Return a U2F hardware key challenge
Improved U2F authentication, added multiple U2F key support.
2019-02-11 03:04:36 +03:00
function getHardwareKeyChallenge(req, domain, user, func) {
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.u2f;
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
if (user.otphkeys && (user.otphkeys.length > 0)) {
Started work on adding FIDO2 support.
2019-03-23 08:33:53 +03:00
// Get all WebAuthn keys
Complete replacement of the WebAuthn 2 factor support.
2019-05-17 00:55:07 +03:00
var webAuthnKeys = [];
for (var i = 0; i < user.otphkeys.length; i++) { if (user.otphkeys[i].type == 3) { webAuthnKeys.push(user.otphkeys[i]); } }
if (webAuthnKeys.length > 0) {
// Generate a Webauthn challenge, this is really easy, no need to call any modules to do this.
var authnOptions = { type: 'webAuthn', keyIds: [], timeout: 60000, challenge: obj.crypto.randomBytes(64).toString('base64') };
for (var i = 0; i < webAuthnKeys.length; i++) { authnOptions.keyIds.push(webAuthnKeys[i].keyId); }
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.u2f = authnOptions.challenge;
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'getHardwareKeyChallenge: success');
Complete replacement of the WebAuthn 2 factor support.
2019-05-17 00:55:07 +03:00
func(JSON.stringify(authnOptions));
Many bug fixes: Login screen, hw keys, relay domain and more.
2019-05-22 00:19:32 +03:00
return;
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
}
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
}
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'getHardwareKeyChallenge: fail');
Many bug fixes: Login screen, hw keys, relay domain and more.
2019-05-22 00:19:32 +03:00
func('');
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
}
Version 0.7.33
2020-12-30 02:13:09 +03:00
// Redirect a root request to a different page
function handleRootRedirect(req, res, direct) {
const domain = checkUserIpAddress(req, res);
if (domain == null) { return; }
res.redirect(domain.rootredirect + getQueryPortion(req));
}
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
function handleLoginRequest(req, res, direct) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Completed 2 step login support.
2019-01-16 05:21:03 +03:00
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
// Check if this is a banned ip address
if (obj.checkAllowLogin(req) == false) {
// Wait and redirect the user
setTimeout(function () {
req.session.messageid = 114; // IP address blocked, try again later.
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
}, 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095));
return;
}
Completed 2 step login support.
2019-01-16 05:21:03 +03:00
// Normally, use the body username/password. If this is a token, use the username/password in the session.
var xusername = req.body.username, xpassword = req.body.password;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if ((xusername == null) && (xpassword == null) && (req.body.token != null)) { xusername = req.session.tuser; xpassword = req.session.tpass; }
Completed 2 step login support.
2019-01-16 05:21:03 +03:00
// Authenticate the user
More work on login tokens.
2021-04-16 22:42:54 +03:00
obj.authenticate(xusername, xpassword, domain, function (err, userid, passhint, loginOptions) {
Initial main commit
2017-08-28 19:27:45 +03:00
if (userid) {
var user = obj.users[userid];
Added loginToken support and improved way to embed page into other sites.
2017-12-14 01:52:57 +03:00
Added server maintenance mode.
2020-11-21 03:43:58 +03:00
// Check if we are in maintenance mode
if ((parent.config.settings.maintenancemode != null) && (user.siteadmin != 4294967295)) {
req.session.messageid = 115; // Server under maintenance
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 1;
Added server maintenance mode.
2020-11-21 03:43:58 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
}
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.email != null) && (user.emailVerified == true) && (user.otpekey != null));
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
More work on mobile 2FA.
2021-04-14 09:23:09 +03:00
var push2fa = ((parent.firebase != null) && (user.otpdev != null));
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
// Check if two factor can be skipped
const twoFactorSkip = checkUserOneTimePasswordSkip(domain, user, req, loginOptions);
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
// Check if this user has 2-step login active
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
if ((twoFactorSkip == null) && (req.session.loginmode != 6) && checkUserOneTimePasswordRequired(domain, user, req, loginOptions)) {
Added 2FA timeout on login screen, default is 5 minutes.
2021-07-25 01:14:21 +03:00
if ((req.body.hwtoken == '**timeout**')) {
delete req.session; // Clear the session
res.redirect(domain.url + getQueryPortion(req));
return;
}
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
if ((req.body.hwtoken == '**email**') && email2fa) {
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
user.otpekey = { k: obj.common.zeroPad(getRandomEightDigitInteger(), 8), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA email to: ' + user.email);
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
domain.mailserver.sendAccountLoginMail(domain, user.email, user.otpekey.k, obj.getLanguageCodes(req), req.query.key);
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
req.session.messageid = 2; // "Email sent" message
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 4;
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
}
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
if ((req.body.hwtoken == '**sms**') && sms2fa) {
// Cause a token to be sent to the user's phone number
user.otpsms = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA SMS to: ' + user.phone);
parent.smsserver.sendToken(domain, user.phone, user.otpsms.k, obj.getLanguageCodes(req));
// Ask for a login token & confirm sms was sent
req.session.messageid = 4; // "SMS sent" message
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 4;
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
}
More work on device 2FA.
2021-04-15 00:06:31 +03:00
// Handle device push notification 2FA request
// We create a browser cookie, send it back and when the browser connects it's web socket, it will trigger the push notification.
if ((req.body.hwtoken == '**push**') && push2fa && ((domain.passwordrequirements == null) || (domain.passwordrequirements.push2factor != false))) {
More work on device 2FA.
2021-04-14 23:28:51 +03:00
const logincodeb64 = Buffer.from(obj.common.zeroPad(getRandomSixDigitInteger(), 6)).toString('base64');
const sessioncode = obj.crypto.randomBytes(24).toString('base64');
// Create a browser cookie so the browser can connect using websocket and wait for device accept/reject.
const browserCookie = parent.encodeCookie({ a: 'waitAuth', c: logincodeb64, u: user._id, n: user.otpdev, s: sessioncode, d: domain.id });
// Get the HTTPS port
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port if specified
// Get the agent connection server name
var serverName = obj.getWebServerName(domain);
if (typeof obj.args.agentaliasdns == 'string') { serverName = obj.args.agentaliasdns; }
// Build the connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly.
var xdomain = (domain.dns == null) ? domain.id : '';
if (xdomain != '') xdomain += '/';
var url = 'wss://' + serverName + ':' + httpsPort + '/' + xdomain + '2fahold.ashx?c=' + browserCookie;
// Request that the login page wait for device auth
req.session.messageid = 5; // "Sending notification..." message
req.session.passhint = url;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 8;
More work on device 2FA.
2021-04-14 23:28:51 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
More work on mobile 2FA.
2021-04-14 09:23:09 +03:00
return;
}
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
checkUserOneTimePassword(req, domain, user, req.body.token, req.body.hwtoken, function (result, authData) {
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
if (result == false) {
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
var randomWaitTime = 0;
Made MQTT optional.
2019-10-04 22:18:56 +03:00
Added 2FA rate limiting, #3393
2022-01-04 00:12:10 +03:00
// Check if 2FA is allowed for this IP address
if (obj.checkAllow2Fa(req) == false) {
// Wait and redirect the user
setTimeout(function () {
req.session.messageid = 114; // IP address blocked, try again later.
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
}, 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095));
return;
}
Added one time passwords for user 2-factor login.
2019-02-06 06:07:12 +03:00
// 2-step auth is required, but the token is not present or not valid.
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
if ((req.body.token != null) || (req.body.hwtoken != null)) {
randomWaitTime = 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095); // This is a fail, wait a random time. 2 to 6 seconds.
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 108; // Invalid token, try again.
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed 2FA for ' + xusername + ' from ' + cleanRemoteAddr(req.clientIp) + ' port ' + req.port); }
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleLoginRequest: invalid 2FA token');
Added view previous logins.
2021-02-26 11:58:38 +03:00
const ua = getUserAgentInfo(req);
obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, { action: 'authfail', username: user.name, userid: user._id, domain: domain.id, msg: 'User login attempt with incorrect 2nd factor from ' + req.clientIp, msgid: 108, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] });
Added 2FA rate limiting, #3393
2022-01-04 00:12:10 +03:00
obj.setbad2Fa(req);
Improved server tracing.
2019-08-23 21:51:48 +03:00
} else {
parent.debug('web', 'handleLoginRequest: 2FA token required');
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
}
// Wait and redirect the user
setTimeout(function () {
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 4;
if ((user.email != null) && (user.emailVerified == true) && (domain.mailserver != null) && (user.otpekey != null)) { req.session.temail = 1; }
if ((user.phone != null) && (parent.smsserver != null)) { req.session.tsms = 1; }
if ((user.otpdev != null) && (parent.firebase != null)) { req.session.tpush = 1; }
req.session.tuserid = userid;
req.session.tuser = xusername;
req.session.tpass = xpassword;
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
}, randomWaitTime);
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
} else {
Added remember for 30 days 2nd factor option.
2019-11-29 09:29:22 +03:00
// Check if we need to remember this device
Improved 2FA trusted cookie.
2020-04-30 01:45:31 +03:00
if ((req.body.remembertoken === 'on') && ((domain.twofactorcookiedurationdays == null) || (domain.twofactorcookiedurationdays > 0))) {
var maxCookieAge = domain.twofactorcookiedurationdays;
if (typeof maxCookieAge != 'number') { maxCookieAge = 30; }
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
const twoFactorCookie = obj.parent.encodeCookie({ userid: user._id, expire: maxCookieAge * 24 * 60 /*, ip: req.clientIp*/ }, obj.parent.loginCookieEncryptionKey);
Fixed session IP check still being performed when CookieIpCheck is false.
2022-02-24 23:22:01 +03:00
res.cookie('twofactor', twoFactorCookie, { maxAge: (maxCookieAge * 24 * 60 * 60 * 1000), httpOnly: true, sameSite: ((parent.config.settings.cookieipcheck === false) ? 'none' : 'strict'), secure: true });
Added remember for 30 days 2nd factor option.
2019-11-29 09:29:22 +03:00
}
Added email validation login page.
2020-04-21 11:50:27 +03:00
// Check if email address needs to be confirmed
Added option to turn off reset account on login screen.
2022-02-04 18:29:18 +03:00
const emailcheck = ((domain.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true) && (domain.auth != 'sspi') && (domain.auth != 'ldap'))
Added email validation login page.
2020-04-21 11:50:27 +03:00
if (emailcheck && (user.emailVerified !== true)) {
parent.debug('web', 'Redirecting using ' + user.name + ' to email check login page');
req.session.messageid = 3; // "Email verification required" message
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 7;
Added email validation login page.
2020-04-21 11:50:27 +03:00
req.session.passhint = user.email;
req.session.cuserid = userid;
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
}
Added remember for 30 days 2nd factor option.
2019-11-29 09:29:22 +03:00
// Login successful
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + xusername + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); }
Added remember for 30 days 2nd factor option.
2019-11-29 09:29:22 +03:00
parent.debug('web', 'handleLoginRequest: successful 2FA login');
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
if (authData != null) { if (loginOptions == null) { loginOptions = {}; } loginOptions.twoFactorType = authData.twoFactorType; }
More work on login tokens.
2021-04-16 22:42:54 +03:00
completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct, loginOptions);
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
}
});
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
return;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
}
Added loginToken support and improved way to embed page into other sites.
2017-12-14 01:52:57 +03:00
Added email validation login page.
2020-04-21 11:50:27 +03:00
// Check if email address needs to be confirmed
Added option to turn off reset account on login screen.
2022-02-04 18:29:18 +03:00
const emailcheck = ((domain.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true) && (domain.auth != 'sspi') && (domain.auth != 'ldap'))
Added email validation login page.
2020-04-21 11:50:27 +03:00
if (emailcheck && (user.emailVerified !== true)) {
parent.debug('web', 'Redirecting using ' + user.name + ' to email check login page');
req.session.messageid = 3; // "Email verification required" message
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 7;
Added email validation login page.
2020-04-21 11:50:27 +03:00
req.session.passhint = user.email;
req.session.cuserid = userid;
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
}
Added remember for 30 days 2nd factor option.
2019-11-29 09:29:22 +03:00
// Login successful
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + xusername + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); }
Added remember for 30 days 2nd factor option.
2019-11-29 09:29:22 +03:00
parent.debug('web', 'handleLoginRequest: successful login');
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
if (twoFactorSkip != null) { if (loginOptions == null) { loginOptions = {}; } loginOptions.twoFactorType = twoFactorSkip.twoFactorType; }
More work on login tokens.
2021-04-16 22:42:54 +03:00
completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct, loginOptions);
Initial main commit
2017-08-28 19:27:45 +03:00
} else {
Added basic auth.log support.
2020-02-17 21:24:32 +03:00
// Login failed, log the error
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed password for ' + xusername + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); }
Added basic auth.log support.
2020-02-17 21:24:32 +03:00
// Wait a random delay
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
setTimeout(function () {
// If the account is locked, display that.
More Let's Encrypt changes.
2019-11-19 01:17:27 +03:00
if (typeof xusername == 'string') {
var xuserid = 'user/' + domain.id + '/' + xusername.toLowerCase();
if (err == 'locked') {
parent.debug('web', 'handleLoginRequest: login failed, locked account');
req.session.messageid = 110; // Account locked.
Added view previous logins.
2021-02-26 11:58:38 +03:00
const ua = getUserAgentInfo(req);
obj.parent.DispatchEvent(['*', 'server-users', xuserid], obj, { action: 'authfail', userid: xuserid, username: xusername, domain: domain.id, msg: 'User login attempt on locked account from ' + req.clientIp, msgid: 109, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] });
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
obj.setbadLogin(req);
More Let's Encrypt changes.
2019-11-19 01:17:27 +03:00
} else {
parent.debug('web', 'handleLoginRequest: login failed, bad username and password');
req.session.messageid = 112; // Login failed, check username and password.
Added view previous logins.
2021-02-26 11:58:38 +03:00
const ua = getUserAgentInfo(req);
obj.parent.DispatchEvent(['*', 'server-users', xuserid], obj, { action: 'authfail', userid: xuserid, username: xusername, domain: domain.id, msg: 'Invalid user login attempt from ' + req.clientIp, msgid: 110, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] });
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
obj.setbadLogin(req);
More Let's Encrypt changes.
2019-11-19 01:17:27 +03:00
}
Improved server tracing.
2019-08-23 21:51:48 +03:00
}
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
// Clean up login mode and display password hint if present.
delete req.session.loginmode;
if ((passhint != null) && (passhint.length > 0)) {
req.session.passhint = passhint;
} else {
delete req.session.passhint;
}
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
}, 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095)); // Wait for 2 to ~6 seconds.
Initial main commit
2017-08-28 19:27:45 +03:00
}
});
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
More work on login tokens.
2021-04-16 22:42:54 +03:00
function completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct, loginOptions) {
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
// Check if we need to change the password
if ((typeof user.passchange == 'number') && ((user.passchange == -1) || ((typeof domain.passwordrequirements == 'object') && (typeof domain.passwordrequirements.reset == 'number') && (user.passchange + (domain.passwordrequirements.reset * 86400) < Math.floor(Date.now() / 1000))))) {
// Request a password change
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleLoginRequest: login ok, password change requested');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 6;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 113; // Password change requested.
Fixed FIDO2 HW keys with LDAP.
2020-07-28 20:29:03 +03:00
req.session.resettokenuserid = userid;
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
req.session.resettokenusername = xusername;
req.session.resettokenpassword = xpassword;
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
return;
}
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
// Save login time
Added failed login logging and reporting.
2019-11-18 03:20:53 +03:00
user.pastlogin = user.login;
Added user last access support, #3319
2021-12-05 00:08:17 +03:00
user.login = user.access = Math.floor(Date.now() / 1000);
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
obj.db.SetUser(user);
User permission fixes, user list export feature.
2019-05-04 22:55:46 +03:00
// Notify account login
MySQL previous logins fix.
2021-03-11 01:24:55 +03:00
const targets = ['*', 'server-users', user._id];
User permission fixes, user list export feature.
2019-05-04 22:55:46 +03:00
if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } }
Added view previous logins.
2021-02-26 11:58:38 +03:00
const ua = getUserAgentInfo(req);
const loginEvent = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'login', msgid: 107, msgArgs: [req.clientIp, ua.browserStr, ua.osStr], msg: 'Account login', domain: domain.id, ip: req.clientIp, userAgent: req.headers['user-agent'] };
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
if (loginOptions != null) {
if ((loginOptions.tokenName != null) && (loginOptions.tokenUser != null)) { loginEvent.tokenName = loginOptions.tokenName; loginEvent.tokenUser = loginOptions.tokenUser; } // If a login token was used, add it to the event.
if (loginOptions.twoFactorType != null) { loginEvent.twoFactorType = loginOptions.twoFactorType; }
}
Added view previous logins.
2021-02-26 11:58:38 +03:00
obj.parent.DispatchEvent(targets, obj, loginEvent);
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
// Regenerate session when signing in to prevent fixation
//req.session.regenerate(function () {
// Store the user's primary key in the session store to be retrieved, or in this case the entire user object
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.u2f;
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
delete req.session.loginmode;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.tuserid;
delete req.session.tuser;
delete req.session.tpass;
delete req.session.temail;
delete req.session.tsms;
delete req.session.tpush;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
delete req.session.messageid;
Session and account improvements.
2019-02-11 07:13:03 +03:00
delete req.session.passhint;
Added email validation login page.
2020-04-21 11:50:27 +03:00
delete req.session.cuserid;
Completed login token support.
2021-04-17 04:55:03 +03:00
delete req.session.expire;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.currentNode;
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
req.session.userid = userid;
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
req.session.ip = req.clientIp;
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
setSessionRandom(req);
More work on login tokens.
2021-04-16 22:42:54 +03:00
// If a login token was used, add this information and expire time to the session.
if ((loginOptions != null) && (loginOptions.tokenName != null) && (loginOptions.tokenUser != null)) {
req.session.loginToken = loginOptions.tokenUser;
if (loginOptions.expire != null) { req.session.expire = loginOptions.expire; }
}
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
if (req.body.viewmode) { req.session.viewmode = req.body.viewmode; }
if (req.body.host) {
// TODO: This is a terrible search!!! FIX THIS.
/*
obj.db.GetAllType('node', function (err, docs) {
for (var i = 0; i < docs.length; i++) {
if (docs[i].name == req.body.host) {
req.session.currentNode = docs[i]._id;
break;
}
}
console.log("CurrentNode: " + req.session.currentNode);
// This redirect happens after finding node is completed
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
});
*/
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleLoginRequest: login ok (1)');
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); } // Temporary
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
} else {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleLoginRequest: login ok (2)');
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added support for both U2F and OTP hardware login keys.
2019-02-08 20:24:00 +03:00
}
//});
}
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
function handleCreateAccountRequest(req, res, direct) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { parent.debug('web', 'handleCreateAccountRequest: failed checks.'); res.sendStatus(404); return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Completed login token support.
2021-04-17 04:55:03 +03:00
if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token
Improved user handling with domain auth, email validation.
2019-01-16 23:04:48 +03:00
Added server maintenance mode.
2020-11-21 03:43:58 +03:00
// Check if we are in maintenance mode
if (parent.config.settings.maintenancemode != null) {
req.session.messageid = 115; // Server under maintenance
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 1;
Added server maintenance mode.
2020-11-21 03:43:58 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
}
Account emails are not always lowercase.
2019-07-15 20:24:31 +03:00
// Always lowercase the email address
if (req.body.email) { req.body.email = req.body.email.toLowerCase(); }
Improved keyboard support, new email as username mode.
2019-07-09 01:59:44 +03:00
// If the email is the username, set this here.
if (domain.usernameisemail) { req.body.username = req.body.email; }
More work on OAuth support.
2020-05-14 08:30:59 +03:00
// Accounts that start with ~ are not allowed
if ((typeof req.body.username != 'string') || (req.body.username.length < 1) || (req.body.username[0] == '~')) {
parent.debug('web', 'handleCreateAccountRequest: unable to create account (0)');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 2;
More work on OAuth support.
2020-05-14 08:30:59 +03:00
req.session.messageid = 100; // Unable to create account.
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
}
Fixed first user creation when NewAccount is true
2019-09-27 20:15:45 +03:00
// Count the number of users in this domain
var domainUserCount = 0;
for (var i in obj.users) { if (obj.users[i].domain == domain.id) { domainUserCount++; } }
MeshCentral now defaults to not accepting new accounts on login screen.
2019-04-23 23:42:54 +03:00
// Check if we are allowed to create new users using the login screen
Fixed first user creation when NewAccount is true
2019-09-27 20:15:45 +03:00
if ((domain.newaccounts !== 1) && (domain.newaccounts !== true) && (domainUserCount > 0)) {
parent.debug('web', 'handleCreateAccountRequest: domainUserCount > 1.');
res.sendStatus(401);
return;
MeshCentral now defaults to not accepting new accounts on login screen.
2019-04-23 23:42:54 +03:00
}
Session and account improvements.
2019-02-11 07:13:03 +03:00
Added newAccountEmailDomains, more server fixes.
2019-02-26 03:07:27 +03:00
// Check if this request is for an allows email domain
if ((domain.newaccountemaildomains != null) && Array.isArray(domain.newaccountemaildomains)) {
var i = -1;
if (typeof req.body.email == 'string') { i = req.body.email.indexOf('@'); }
if (i == -1) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleCreateAccountRequest: unable to create account (1)');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 2;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 100; // Unable to create account.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added newAccountEmailDomains, more server fixes.
2019-02-26 03:07:27 +03:00
return;
}
var emailok = false, emaildomain = req.body.email.substring(i + 1).toLowerCase();
for (var i in domain.newaccountemaildomains) { if (emaildomain == domain.newaccountemaildomains[i].toLowerCase()) { emailok = true; } }
if (emailok == false) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleCreateAccountRequest: unable to create account (2)');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 2;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 100; // Unable to create account.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added newAccountEmailDomains, more server fixes.
2019-02-26 03:07:27 +03:00
return;
}
}
Session and account improvements.
2019-02-11 07:13:03 +03:00
// Check if we exceed the maximum number of user accounts
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
obj.db.isMaxType(domain.limits.maxuseraccounts, 'user', domain.id, function (maxExceed) {
Session and account improvements.
2019-02-11 07:13:03 +03:00
if (maxExceed) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleCreateAccountRequest: account limit reached');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 2;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 101; // Account limit reached.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Session and account improvements.
2019-02-11 07:13:03 +03:00
} else {
if (!obj.common.validateUsername(req.body.username, 1, 64) || !obj.common.validateEmail(req.body.email, 1, 256) || !obj.common.validateString(req.body.password1, 1, 256) || !obj.common.validateString(req.body.password2, 1, 256) || (req.body.password1 != req.body.password2) || req.body.username == '~' || !obj.common.checkPasswordRequirements(req.body.password1, domain.passwordrequirements)) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleCreateAccountRequest: unable to create account (3)');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 2;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 100; // Unable to create account.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
} else {
Session and account improvements.
2019-02-11 07:13:03 +03:00
// Check if this email was already verified
obj.db.GetUserWithVerifiedEmail(domain.id, req.body.email, function (err, docs) {
Fixes for MeshCore and MariaDB.
2020-11-03 13:58:29 +03:00
if ((docs != null) && (docs.length > 0)) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleCreateAccountRequest: Existing account with this email address');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 2;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 102; // Existing account with this email address.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Session and account improvements.
2019-02-11 07:13:03 +03:00
} else {
// Check if there is domain.newAccountToken, check if supplied token is valid
if ((domain.newaccountspass != null) && (domain.newaccountspass != '') && (req.body.anewaccountpass != domain.newaccountspass)) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleCreateAccountRequest: Invalid account creation token');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 2;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 103; // Invalid account creation token.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Session and account improvements.
2019-02-11 07:13:03 +03:00
return;
}
// Check if user exists
if (obj.users['user/' + domain.id + '/' + req.body.username.toLowerCase()]) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleCreateAccountRequest: Username already exists');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 2;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 104; // Username already exists.
Session and account improvements.
2019-02-11 07:13:03 +03:00
} else {
Added user last access support, #3319
2021-12-05 00:08:17 +03:00
var user = { type: 'user', _id: 'user/' + domain.id + '/' + req.body.username.toLowerCase(), name: req.body.username, email: req.body.email, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), access: Math.floor(Date.now() / 1000), domain: domain.id };
Fixed user interface issues and added newAccountsRights in domain config.
2019-05-13 05:14:24 +03:00
if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; }
Added newaccountsrights support for SSO accounts.
2020-05-25 22:52:13 +03:00
if (obj.common.validateStrArray(domain.newaccountrealms)) { user.groups = domain.newaccountrealms; }
Updated clickonce, password hint is configurable.
2019-03-01 03:17:22 +03:00
if ((domain.passwordrequirements != null) && (domain.passwordrequirements.hint === true) && (req.body.apasswordhint)) { var hint = req.body.apasswordhint; if (hint.length > 250) { hint = hint.substring(0, 250); } user.passhint = hint; }
More fixes, updated MeshCommander (Intel AMT tab)
2019-06-27 08:13:56 +03:00
if (domainUserCount == 0) { user.siteadmin = 4294967295; /*if (domain.newaccounts === 2) { delete domain.newaccounts; }*/ } // If this is the first user, give the account site admin.
User management improvements.
2020-05-28 04:26:54 +03:00
// Auto-join any user groups
if (typeof domain.newaccountsusergroups == 'object') {
for (var i in domain.newaccountsusergroups) {
var ugrpid = domain.newaccountsusergroups[i];
if (ugrpid.indexOf('/') < 0) { ugrpid = 'ugrp/' + domain.id + '/' + ugrpid; }
var ugroup = obj.userGroups[ugrpid];
if (ugroup != null) {
// Add group to the user
if (user.links == null) { user.links = {}; }
user.links[ugroup._id] = { rights: 1 };
// Add user to the group
ugroup.links[user._id] = { userid: user._id, name: user.name, rights: 1 };
db.Set(ugroup);
// Notify user group change
var event = { etype: 'ugrp', ugrpid: ugroup._id, name: ugroup.name, desc: ugroup.desc, action: 'usergroupchange', links: ugroup.links, msg: 'Added user ' + user.name + ' to user group ' + ugroup.name, addUserDomain: domain.id };
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user group. Another event will come.
parent.DispatchEvent(['*', ugroup._id, user._id], obj, event);
}
}
}
Session and account improvements.
2019-02-11 07:13:03 +03:00
obj.users[user._id] = user;
req.session.userid = user._id;
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
req.session.ip = req.clientIp; // Bind this session to the IP address of the request
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
setSessionRandom(req);
Session and account improvements.
2019-02-11 07:13:03 +03:00
// Create a user, generate a salt and hash the password
Added batch account addition.
2019-05-15 00:39:26 +03:00
require('./pass').hash(req.body.password1, function (err, salt, hash, tag) {
Session and account improvements.
2019-02-11 07:13:03 +03:00
if (err) throw err;
user.salt = salt;
user.hash = hash;
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
delete user.passtype;
Session and account improvements.
2019-02-11 07:13:03 +03:00
obj.db.SetUser(user);
// Send the verification email
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
if ((domain.mailserver != null) && (domain.auth != 'sspi') && (domain.auth != 'ldap') && (obj.common.validateEmail(user.email, 1, 256) == true)) { domain.mailserver.sendAccountCheckMail(domain, user.name, user._id, user.email, obj.getLanguageCodes(req), req.query.key); }
Added batch account addition.
2019-05-15 00:39:26 +03:00
}, 0);
Much improved event logs
2019-07-30 02:35:48 +03:00
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountcreate', msg: 'Account created, email is ' + req.body.email, domain: domain.id };
Improved MongoDB change stream.
2019-05-30 00:36:14 +03:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to create the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users'], obj, event);
Session and account improvements.
2019-02-11 07:13:03 +03:00
}
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Session and account improvements.
2019-02-11 07:13:03 +03:00
}
});
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
}
Session and account improvements.
2019-02-11 07:13:03 +03:00
}
});
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
}
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
// Called to process an account password reset
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
function handleResetPasswordRequest(req, res, direct) {
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Completed login token support.
2021-04-17 04:55:03 +03:00
if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
// Check everything is ok
Added option to turn off reset account on login screen.
2022-02-04 18:29:18 +03:00
const allowAccountReset = ((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.allowaccountreset !== false));
if ((allowAccountReset === false) || (domain == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap') || (typeof req.body.rpassword1 != 'string') || (typeof req.body.rpassword2 != 'string') || (req.body.rpassword1 != req.body.rpassword2) || (typeof req.body.rpasswordhint != 'string') || (req.session == null) || (typeof req.session.resettokenusername != 'string') || (typeof req.session.resettokenpassword != 'string')) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleResetPasswordRequest: checks failed');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.u2f;
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
delete req.session.loginmode;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.tuserid;
delete req.session.tuser;
delete req.session.tpass;
Fixed FIDO2 HW keys with LDAP.
2020-07-28 20:29:03 +03:00
delete req.session.resettokenuserid;
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
delete req.session.resettokenusername;
delete req.session.resettokenpassword;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.temail;
delete req.session.tsms;
delete req.session.tpush;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
delete req.session.messageid;
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
delete req.session.passhint;
Added email validation login page.
2020-04-21 11:50:27 +03:00
delete req.session.cuserid;
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
return;
}
// Authenticate the user
More work on login tokens.
2021-04-16 22:42:54 +03:00
obj.authenticate(req.session.resettokenusername, req.session.resettokenpassword, domain, function (err, userid, passhint, loginOptions) {
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
if (userid) {
// Login
var user = obj.users[userid];
// If we have password requirements, check this here.
if (!obj.common.checkPasswordRequirements(req.body.rpassword1, domain.passwordrequirements)) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleResetPasswordRequest: password rejected, use a different one (1)');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 6;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 105; // Password rejected, use a different one.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
return;
}
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
// Check if the password is the same as a previous one
obj.checkOldUserPasswords(domain, user, req.body.rpassword1, function (result) {
Added support for banning common passwords.
2020-08-16 23:44:54 +03:00
if (result != 0) {
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
// This is the same password as an older one, request a password change again
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleResetPasswordRequest: password rejected, use a different one (2)');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 6;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 105; // Password rejected, use a different one.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
} else {
// Update the password, use a different salt.
Added batch account addition.
2019-05-15 00:39:26 +03:00
require('./pass').hash(req.body.rpassword1, function (err, salt, hash, tag) {
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
const nowSeconds = Math.floor(Date.now() / 1000);
if (err) { parent.debug('web', 'handleResetPasswordRequest: hash error.'); throw err; }
if (domain.passwordrequirements != null) {
// Save password hint if this feature is enabled
if ((domain.passwordrequirements.hint === true) && (req.body.apasswordhint)) { var hint = req.body.apasswordhint; if (hint.length > 250) hint = hint.substring(0, 250); user.passhint = hint; } else { delete user.passhint; }
// Save previous password if this feature is enabled
if ((typeof domain.passwordrequirements.oldpasswordban == 'number') && (domain.passwordrequirements.oldpasswordban > 0)) {
if (user.oldpasswords == null) { user.oldpasswords = []; }
user.oldpasswords.push({ salt: user.salt, hash: user.hash, start: user.passchange, end: nowSeconds });
const extraOldPasswords = user.oldpasswords.length - domain.passwordrequirements.oldpasswordban;
if (extraOldPasswords > 0) { user.oldpasswords.splice(0, extraOldPasswords); }
}
}
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
user.salt = salt;
user.hash = hash;
Added user last access support, #3319
2021-12-05 00:08:17 +03:00
user.passchange = user.access = nowSeconds;
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
delete user.passtype;
obj.db.SetUser(user);
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
// Event the account change
Much improved event logs
2019-07-30 02:35:48 +03:00
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: 'User password reset', domain: domain.id };
Added MongoDB change stream support.
2019-05-29 03:25:23 +03:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
Added remember for 30 days 2nd factor option.
2019-11-29 09:29:22 +03:00
// Login successful
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleResetPasswordRequest: success');
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
req.session.userid = userid;
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
req.session.ip = req.clientIp; // Bind this session to the IP address of the request
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
setSessionRandom(req);
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
completeLoginRequest(req, res, domain, obj.users[userid], userid, req.session.tuser, req.session.tpass, direct, loginOptions);
Added batch account addition.
2019-05-15 00:39:26 +03:00
}, 0);
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
}
Added batch account addition.
2019-05-15 00:39:26 +03:00
}, 0);
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
} else {
// Failed, error out.
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleResetPasswordRequest: failed authenticate()');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.u2f;
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
delete req.session.loginmode;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.tuserid;
delete req.session.tuser;
delete req.session.tpass;
Fixed FIDO2 HW keys with LDAP.
2020-07-28 20:29:03 +03:00
delete req.session.resettokenuserid;
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
delete req.session.resettokenusername;
delete req.session.resettokenpassword;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.temail;
delete req.session.tsms;
delete req.session.tpush;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
delete req.session.messageid;
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
delete req.session.passhint;
Added email validation login page.
2020-04-21 11:50:27 +03:00
delete req.session.cuserid;
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
return;
}
});
}
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
// Called to process an account reset request
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
function handleResetAccountRequest(req, res, direct) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added option to turn off reset account on login screen.
2022-02-04 18:29:18 +03:00
const allowAccountReset = ((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.allowaccountreset !== false));
if ((allowAccountReset === false) || (domain.auth == 'sspi') || (domain.auth == 'ldap') || (obj.args.lanonly == true) || (obj.parent.certificates.CommonName == null) || (obj.parent.certificates.CommonName.indexOf('.') == -1)) { parent.debug('web', 'handleResetAccountRequest: check failed'); res.sendStatus(404); return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Completed login token support.
2021-04-17 04:55:03 +03:00
if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token
Improved user handling with domain auth, email validation.
2019-01-16 23:04:48 +03:00
Account emails are not always lowercase.
2019-07-15 20:24:31 +03:00
// Always lowercase the email address
if (req.body.email) { req.body.email = req.body.email.toLowerCase(); }
Fixed e-mail password recovery.
2019-02-12 01:59:04 +03:00
// Get the email from the body or session.
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
var email = req.body.email;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if ((email == null) || (email == '')) { email = req.session.temail; }
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
Server fixes, added locale arg in web app.
2019-06-11 21:33:44 +03:00
// Check the email string format
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
if (!email || checkEmail(email) == false) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleResetAccountRequest: Invalid email');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 3;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 106; // Invalid email.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
} else {
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
obj.db.GetUserWithVerifiedEmail(domain.id, email, function (err, docs) {
Password reset improvements.
2020-12-10 09:14:51 +03:00
// Remove all accounts that start with ~ since they are special accounts.
var cleanDocs = [];
if ((err == null) && (docs.length > 0)) {
for (var i in docs) {
const user = docs[i];
const locked = ((user.siteadmin != null) && (user.siteadmin != 0xFFFFFFFF) && ((user.siteadmin & 1024) != 0)); // No password recovery for locked accounts
const specialAccount = (user._id.split('/')[2].startsWith('~')); // No password recovery for special accounts
if ((specialAccount == false) && (locked == false)) { cleanDocs.push(user); }
}
}
docs = cleanDocs;
// Check if we have any account that match this email address
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
if ((err != null) || (docs.length == 0)) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleResetAccountRequest: Account not found');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 3;
More code clean up and input validation.
2020-07-07 01:04:22 +03:00
req.session.messageid = 1; // If valid, reset mail sent. Instead of "Account not found" (107), we send this hold on message so users can't know if this account exists or not.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
} else {
Server fixes, added locale arg in web app.
2019-06-11 21:33:44 +03:00
// If many accounts have the same validated e-mail, we are going to use the first one for display, but sent a reset email for all accounts.
var responseSent = false;
for (var i in docs) {
var user = docs[i];
Implemented optional 2nd factor skip for some IP addresses
2019-11-29 07:57:34 +03:00
if (checkUserOneTimePasswordRequired(domain, user, req) == true) {
Server fixes, added locale arg in web app.
2019-06-11 21:33:44 +03:00
// Second factor setup, request it now.
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
checkUserOneTimePassword(req, domain, user, req.body.token, req.body.hwtoken, function (result, authData) {
Server fixes, added locale arg in web app.
2019-06-11 21:33:44 +03:00
if (result == false) {
if (i == 0) {
Added 2FA rate limiting, #3393
2022-01-04 00:12:10 +03:00
// Check if 2FA is allowed for this IP address
if (obj.checkAllow2Fa(req) == false) {
// Wait and redirect the user
setTimeout(function () {
req.session.messageid = 114; // IP address blocked, try again later.
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
}, 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095));
return;
}
Server fixes, added locale arg in web app.
2019-06-11 21:33:44 +03:00
// 2-step auth is required, but the token is not present or not valid.
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleResetAccountRequest: Invalid 2FA token, try again');
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
if ((req.body.token != null) || (req.body.hwtoken != null)) {
Password reset improvements.
2020-12-10 09:14:51 +03:00
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
if ((req.body.hwtoken == '**sms**') && sms2fa) {
// Cause a token to be sent to the user's phone number
user.otpsms = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA SMS for password recovery to: ' + user.phone);
parent.smsserver.sendToken(domain, user.phone, user.otpsms.k, obj.getLanguageCodes(req));
req.session.messageid = 4; // SMS sent.
} else {
req.session.messageid = 108; // Invalid token, try again.
Added view previous logins.
2021-02-26 11:58:38 +03:00
const ua = getUserAgentInfo(req);
obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, { action: 'authfail', username: user.name, userid: user._id, domain: domain.id, msg: 'User login attempt with incorrect 2nd factor from ' + req.clientIp, msgid: 108, msgArgs: [req.clientIp, ua.browserStr, ua.osStr] });
Added 2FA rate limiting, #3393
2022-01-04 00:12:10 +03:00
obj.setbad2Fa(req);
Password reset improvements.
2020-12-10 09:14:51 +03:00
}
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
}
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 5;
req.session.temail = email;
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Server fixes, added locale arg in web app.
2019-06-11 21:33:44 +03:00
}
} else {
// Send email to perform recovery.
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.temail;
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
if (domain.mailserver != null) {
domain.mailserver.sendAccountResetMail(domain, user.name, user._id, user.email, obj.getLanguageCodes(req), req.query.key);
Server fixes, added locale arg in web app.
2019-06-11 21:33:44 +03:00
if (i == 0) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleResetAccountRequest: Hold on, reset mail sent.');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 1;
More code clean up and input validation.
2020-07-07 01:04:22 +03:00
req.session.messageid = 1; // If valid, reset mail sent.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Server fixes, added locale arg in web app.
2019-06-11 21:33:44 +03:00
}
} else {
if (i == 0) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleResetAccountRequest: Unable to sent email.');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 3;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 109; // Unable to sent email.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Server fixes, added locale arg in web app.
2019-06-11 21:33:44 +03:00
}
}
}
});
} else {
// No second factor, send email to perform recovery.
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
if (domain.mailserver != null) {
domain.mailserver.sendAccountResetMail(domain, user.name, user._id, user.email, obj.getLanguageCodes(req), req.query.key);
Server fixes, added locale arg in web app.
2019-06-11 21:33:44 +03:00
if (i == 0) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleResetAccountRequest: Hold on, reset mail sent.');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 1;
More code clean up and input validation.
2020-07-07 01:04:22 +03:00
req.session.messageid = 1; // If valid, reset mail sent.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Server fixes, added locale arg in web app.
2019-06-11 21:33:44 +03:00
}
} else {
if (i == 0) {
Improved server tracing.
2019-08-23 21:51:48 +03:00
parent.debug('web', 'handleResetAccountRequest: Unable to sent email.');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 3;
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
req.session.messageid = 109; // Unable to sent email.
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
}
}
}
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
}
}
});
}
}
Added email validation login page.
2020-04-21 11:50:27 +03:00
// Handle account email change and email verification request
function handleCheckAccountEmailRequest(req, res, direct) {
const domain = checkUserIpAddress(req, res);
if (domain == null) { return; }
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
if ((domain.mailserver == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap') || (typeof req.session.cuserid != 'string') || (obj.users[req.session.cuserid] == null) || (!obj.common.validateEmail(req.body.email, 1, 256))) { parent.debug('web', 'handleCheckAccountEmailRequest: failed checks.'); res.sendStatus(404); return; }
Added email validation login page.
2020-04-21 11:50:27 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Completed login token support.
2021-04-17 04:55:03 +03:00
if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token
Added email validation login page.
2020-04-21 11:50:27 +03:00
// Always lowercase the email address
if (req.body.email) { req.body.email = req.body.email.toLowerCase(); }
// Get the email from the body or session.
var email = req.body.email;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if ((email == null) || (email == '')) { email = req.session.temail; }
Added email validation login page.
2020-04-21 11:50:27 +03:00
// Check if this request is for an allows email domain
if ((domain.newaccountemaildomains != null) && Array.isArray(domain.newaccountemaildomains)) {
var i = -1;
if (typeof req.body.email == 'string') { i = req.body.email.indexOf('@'); }
if (i == -1) {
parent.debug('web', 'handleCreateAccountRequest: unable to create account (1)');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 7;
Added email validation login page.
2020-04-21 11:50:27 +03:00
req.session.messageid = 106; // Invalid email.
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
}
var emailok = false, emaildomain = req.body.email.substring(i + 1).toLowerCase();
for (var i in domain.newaccountemaildomains) { if (emaildomain == domain.newaccountemaildomains[i].toLowerCase()) { emailok = true; } }
if (emailok == false) {
parent.debug('web', 'handleCreateAccountRequest: unable to create account (2)');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 7;
Added email validation login page.
2020-04-21 11:50:27 +03:00
req.session.messageid = 106; // Invalid email.
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
}
}
// Check the email string format
if (!email || checkEmail(email) == false) {
parent.debug('web', 'handleCheckAccountEmailRequest: Invalid email');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 7;
Added email validation login page.
2020-04-21 11:50:27 +03:00
req.session.messageid = 106; // Invalid email.
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
} else {
// Check is email already exists
obj.db.GetUserWithVerifiedEmail(domain.id, email, function (err, docs) {
Fix for: Collapse all when using view Group-Tags #3765
2022-03-16 00:31:28 +03:00
if ((err != null) || ((docs.length > 0) && (docs.find(function (u) { return (u._id === req.session.cuserid); }) < 0))) {
Added email validation login page.
2020-04-21 11:50:27 +03:00
// Email already exitst
req.session.messageid = 102; // Existing account with this email address.
} else {
// Update the user and notify of user email address change
var user = obj.users[req.session.cuserid];
if (user.email != email) {
user.email = email;
db.SetUser(user);
var targets = ['*', 'server-users', user._id];
if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } }
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: 'Account changed: ' + user.name, domain: domain.id };
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
parent.DispatchEvent(targets, obj, event);
}
// Send the verification email
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
domain.mailserver.sendAccountCheckMail(domain, user.name, user._id, user.email, obj.getLanguageCodes(req), req.query.key);
Added email validation login page.
2020-04-21 11:50:27 +03:00
// Send the response
req.session.messageid = 2; // Email sent.
}
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 7;
Added email validation login page.
2020-04-21 11:50:27 +03:00
delete req.session.cuserid;
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
});
}
}
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
// Called to process a web based email verification request
function handleCheckMailRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
if ((domain.auth == 'sspi') || (domain.auth == 'ldap') || (domain.mailserver == null)) { parent.debug('web', 'handleCheckMailRequest: failed checks.'); res.sendStatus(404); return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Improved user handling with domain auth, email validation.
2019-01-16 23:04:48 +03:00
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
if (req.query.c != null) {
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
var cookie = obj.parent.decodeCookie(req.query.c, domain.mailserver.mailCookieEncryptionKey, 30);
Password reset improvements.
2020-12-10 09:14:51 +03:00
if ((cookie != null) && (cookie.u != null) && (cookie.u.startsWith('user/')) && (cookie.e != null)) {
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
var idsplit = cookie.u.split('/');
Password reset improvements.
2020-12-10 09:14:51 +03:00
if ((idsplit.length != 3) || (idsplit[1] != domain.id)) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleCheckMailRequest: Invalid domain.');
Added message.handlebar support for sitestyle 2.
2020-09-15 00:28:55 +03:00
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 1, msgid: 1, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27') }, req, domain));
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
} else {
Password reset improvements.
2020-12-10 09:14:51 +03:00
obj.db.Get(cookie.u, function (err, docs) {
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
if (docs.length == 0) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleCheckMailRequest: Invalid username.');
Added message.handlebar support for sitestyle 2.
2020-09-15 00:28:55 +03:00
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 1, msgid: 2, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27'), arg1: encodeURIComponent(idsplit[1]).replace(/'/g, '%27') }, req, domain));
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
} else {
var user = docs[0];
if (user.email != cookie.e) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleCheckMailRequest: Invalid e-mail.');
Added message.handlebar support for sitestyle 2.
2020-09-15 00:28:55 +03:00
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 1, msgid: 3, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27'), arg1: encodeURIComponent(user.email).replace(/'/g, '%27'), arg2: encodeURIComponent(user.name).replace(/'/g, '%27') }, req, domain));
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
} else {
if (cookie.a == 1) {
// Account email verification
if (user.emailVerified == true) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleCheckMailRequest: email already verified.');
Added message.handlebar support for sitestyle 2.
2020-09-15 00:28:55 +03:00
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 1, msgid: 4, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27'), arg1: encodeURIComponent(user.email).replace(/'/g, '%27'), arg2: encodeURIComponent(user.name).replace(/'/g, '%27') }, req, domain));
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
} else {
obj.db.GetUserWithVerifiedEmail(domain.id, user.email, function (err, docs) {
Fixed email verification issue
2022-03-16 06:58:44 +03:00
if ((docs.length > 0) && (docs.find(function (u) { return (u._id === user._id); }) < 0)) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleCheckMailRequest: email already in use.');
Added message.handlebar support for sitestyle 2.
2020-09-15 00:28:55 +03:00
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 1, msgid: 5, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27'), arg1: encodeURIComponent(user.email).replace(/'/g, '%27') }, req, domain));
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
} else {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleCheckMailRequest: email verification success.');
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
// Set the verified flag
obj.users[user._id].emailVerified = true;
user.emailVerified = true;
obj.db.SetUser(user);
// Event the change
Much improved event logs
2019-07-30 02:35:48 +03:00
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: 'Verified email of user ' + EscapeHtml(user.name) + ' (' + EscapeHtml(user.email) + ')', domain: domain.id };
Added MongoDB change stream support.
2019-05-29 03:25:23 +03:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
// Send the confirmation page
Added message.handlebar support for sitestyle 2.
2020-09-15 00:28:55 +03:00
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 1, msgid: 6, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27'), arg1: encodeURIComponent(user.email).replace(/'/g, '%27'), arg2: encodeURIComponent(user.name).replace(/'/g, '%27') }, req, domain));
Added loginToken support and improved way to embed page into other sites.
2017-12-14 01:52:57 +03:00
// Send a notification
Fixed notifications that had html codes.
2020-07-15 23:25:18 +03:00
obj.parent.DispatchEvent([user._id], obj, { action: 'notify', title: 'Email verified', value: user.email, nolog: 1, id: Math.random() });
Authlog improvements.
2020-04-21 03:19:25 +03:00
// Send to authlog
if (obj.parent.authlog) { obj.parent.authLog('https', 'Verified email address ' + user.email + ' for user ' + user.name); }
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
}
});
}
} else if (cookie.a == 2) {
// Account reset
if (user.emailVerified != true) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleCheckMailRequest: email not verified.');
Added message.handlebar support for sitestyle 2.
2020-09-15 00:28:55 +03:00
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 1, msgid: 7, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27'), arg1: EscapeHtml(user.email), arg2: EscapeHtml(user.name) }, req, domain));
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
} else {
Password reset improvements.
2020-12-10 09:14:51 +03:00
if (req.query.confirm == 1) {
// Set a temporary password
obj.crypto.randomBytes(16, function (err, buf) {
var newpass = buf.toString('base64').split('=').join('').split('/').join('').split('+').join('');
require('./pass').hash(newpass, function (err, salt, hash, tag) {
if (err) throw err;
// Change the password
var userinfo = obj.users[user._id];
userinfo.salt = salt;
userinfo.hash = hash;
delete userinfo.passtype;
Added user last access support, #3319
2021-12-05 00:08:17 +03:00
userinfo.passchange = userinfo.access = Math.floor(Date.now() / 1000);
Password reset improvements.
2020-12-10 09:14:51 +03:00
delete userinfo.passhint;
obj.db.SetUser(userinfo);
// Event the change
var event = { etype: 'user', userid: user._id, username: userinfo.name, account: obj.CloneSafeUser(userinfo), action: 'accountchange', msg: 'Password reset for user ' + EscapeHtml(user.name), domain: domain.id };
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
// Send the new password
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 1, msgid: 8, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27'), arg1: EscapeHtml(user.name), arg2: EscapeHtml(newpass) }, req, domain));
parent.debug('web', 'handleCheckMailRequest: send temporary password.');
// Send to authlog
if (obj.parent.authlog) { obj.parent.authLog('https', 'Performed account reset for user ' + user.name); }
}, 0);
});
} else {
// Display a link for the user to confirm password reset
// We must do this because GMail will also load this URL a few seconds after the user does and we don't want to cause two password resets.
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 1, msgid: 14, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27') }, req, domain));
}
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
}
} else {
Added message.handlebar support for sitestyle 2.
2020-09-15 00:28:55 +03:00
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 1, msgid: 9, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27') }, req, domain));
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
}
}
}
});
}
Initial main commit
2017-08-28 19:27:45 +03:00
} else {
Added message.handlebar support for sitestyle 2.
2020-09-15 00:28:55 +03:00
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 1, msgid: 10, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27') }, req, domain));
Initial main commit
2017-08-28 19:27:45 +03:00
}
}
}
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
Started work on agent install using invitation code.
2020-03-17 01:23:59 +03:00
// Called to process an agent invite GET/POST request
function handleInviteRequest(req, res) {
const domain = getDomain(req);
if (domain == null) { parent.debug('web', 'handleInviteRequest: failed checks.'); res.sendStatus(404); return; }
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Full minification support in all languages.
2020-05-03 09:49:59 +03:00
if ((req.body.inviteCode == null) || (req.body.inviteCode == '')) { render(req, res, getRenderPage('invite', req, domain), getRenderArgs({ messageid: 0 }, req, domain)); return; } // No invitation code
Started work on agent install using invitation code.
2020-03-17 01:23:59 +03:00
More work on agent invite by codes.
2020-03-17 04:03:14 +03:00
// Each for a device group that has this invite code.
for (var i in obj.meshes) {
Fix for #2673
2021-05-23 09:51:56 +03:00
if ((obj.meshes[i].domain == domain.id) && (obj.meshes[i].deleted == null) && (obj.meshes[i].invite != null) && (obj.meshes[i].invite.codes.indexOf(req.body.inviteCode) >= 0)) {
More work on agent invite by codes.
2020-03-17 04:03:14 +03:00
// Send invitation link, valid for 1 minute.
Improved agent invitations, #3694
2022-02-24 03:14:32 +03:00
res.redirect(domain.url + 'agentinvite?c=' + parent.encodeCookie({ a: 4, mid: i, f: obj.meshes[i].invite.flags, ag: obj.meshes[i].invite.ag, expire: 1 }, parent.invitationLinkEncryptionKey) + (req.query.key ? ('&key=' + req.query.key) : '') + (req.query.hide ? ('&hide=' + req.query.hide) : ''));
More work on agent invite by codes.
2020-03-17 04:03:14 +03:00
return;
}
}
Started work on agent install using invitation code.
2020-03-17 01:23:59 +03:00
Full minification support in all languages.
2020-05-03 09:49:59 +03:00
render(req, res, getRenderPage('invite', req, domain), getRenderArgs({ messageid: 100 }, req, domain)); // Bad invitation code
Started work on agent install using invitation code.
2020-03-17 01:23:59 +03:00
}
Started work on web-based SSH support.
2021-04-29 09:22:54 +03:00
// Called to render the MSTSC (RDP) or SSH web page
function handleMSTSCRequest(req, res, page) {
Internationalized RDP login page and added 3FA support.
2020-06-12 23:56:29 +03:00
const domain = getDomain(req);
if (domain == null) { parent.debug('web', 'handleMSTSCRequest: failed checks.'); res.sendStatus(404); return; }
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Improved MSTSC.js login access options.
2020-06-14 03:43:12 +03:00
Added server maintenance mode.
2020-11-21 03:43:58 +03:00
// Check if we are in maintenance mode
Fix for #2686
2021-05-25 21:17:23 +03:00
if ((parent.config.settings.maintenancemode != null) && (req.query.loginscreen !== '1')) {
Added server maintenance mode.
2020-11-21 03:43:58 +03:00
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 3, msgid: 13, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27') }, req, domain));
return;
}
Added new allowSavingDeviceCredentials option, #3751
2022-03-16 03:00:43 +03:00
// Set features we want to send to this page
var features = 0;
if (domain.allowsavingdevicecredentials === false) { features |= 1; }
Improved MSTSC.js login access options.
2020-06-14 03:43:12 +03:00
if (req.query.ws != null) {
// This is a query with a websocket relay cookie, check that the cookie is valid and use it.
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
var rcookie = parent.decodeCookie(req.query.ws, parent.loginCookieEncryptionKey, 60); // Cookie with 1 hour timeout
Code fixes & clean up.
2020-07-06 22:46:38 +03:00
if ((rcookie != null) && (rcookie.domainid == domain.id) && (rcookie.nodeid != null) && (rcookie.tcpport != null)) {
MeshCentral can now remember RDP credentials.
2021-06-30 03:13:18 +03:00
// Fetch the node from the database
obj.db.Get(rcookie.nodeid, function (err, nodes) {
if ((err != null) || (nodes.length != 1)) { res.sendStatus(404); return; }
const node = nodes[0];
// Check if we have RDP credentials for this device
Added new allowSavingDeviceCredentials option, #3751
2022-03-16 03:00:43 +03:00
var serverCredentials = false;
if (domain.allowsavingdevicecredentials !== false) {
if (page == 'ssh') {
serverCredentials = ((typeof node.rdp == 'object') && (typeof node.rdp.d == 'string') && (typeof node.rdp.u == 'string') && (typeof node.rdp.p == 'string'))
} else {
serverCredentials = ((typeof node.ssh == 'object') && (typeof node.ssh.u == 'string'))
}
}
MeshCentral can now remember RDP credentials.
2021-06-30 03:13:18 +03:00
// Render the page
Added new allowSavingDeviceCredentials option, #3751
2022-03-16 03:00:43 +03:00
render(req, res, getRenderPage(page, req, domain), getRenderArgs({ cookie: req.query.ws, name: encodeURIComponent(req.query.name).replace(/'/g, '%27'), serverCredentials: serverCredentials, features: features }, req, domain));
MeshCentral can now remember RDP credentials.
2021-06-30 03:13:18 +03:00
});
return;
Code fixes & clean up.
2020-07-06 22:46:38 +03:00
}
Improved MSTSC.js login access options.
2020-06-14 03:43:12 +03:00
}
// Get the logged in user if present
var user = null;
// If there is a login token, use that
if (req.query.login != null) {
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
var ucookie = parent.decodeCookie(req.query.login, parent.loginCookieEncryptionKey, 60); // Cookie with 1 hour timeout
Improved MSTSC.js login access options.
2020-06-14 03:43:12 +03:00
if ((ucookie != null) && (ucookie.a === 3) && (typeof ucookie.u == 'string')) { user = obj.users[ucookie.u]; }
}
// If no token, see if we have an active session
if ((user == null) && (req.session.userid != null)) { user = obj.users[req.session.userid]; }
// If still no user, see if we have a default user
if ((user == null) && (obj.args.user)) { user = obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]; }
// No user login, exit now
SSO Fixes.
2020-06-15 09:23:05 +03:00
if (user == null) { res.sendStatus(401); return; }
Improved MSTSC.js login access options.
2020-06-14 03:43:12 +03:00
// Check the nodeid
if (req.query.node != null) {
var nodeidsplit = req.query.node.split('/');
if (nodeidsplit.length == 1) {
req.query.node = 'node/' + domain.id + '/' + nodeidsplit[0]; // Format the nodeid correctly
} else if (nodeidsplit.length == 3) {
if ((nodeidsplit[0] != 'node') || (nodeidsplit[1] != domain.id)) { req.query.node = null; } // Check the nodeid format
} else {
req.query.node = null; // Bad nodeid
}
}
// If there is no nodeid, exit now
Added new allowSavingDeviceCredentials option, #3751
2022-03-16 03:00:43 +03:00
if (req.query.node == null) { render(req, res, getRenderPage(page, req, domain), getRenderArgs({ cookie: '', name: '', features: features }, req, domain)); return; }
Improved MSTSC.js login access options.
2020-06-14 03:43:12 +03:00
// Fetch the node from the database
obj.db.Get(req.query.node, function (err, nodes) {
if ((err != null) || (nodes.length != 1)) { res.sendStatus(404); return; }
const node = nodes[0];
// Check access rights, must have remote control rights
if ((obj.GetNodeRights(user, node.meshid, node._id) & MESHRIGHT_REMOTECONTROL) == 0) { res.sendStatus(401); return; }
// Figure out the target port
Added new allowSavingDeviceCredentials option, #3751
2022-03-16 03:00:43 +03:00
var port = 0, serverCredentials = false;
Started work on web-based SSH support.
2021-04-29 09:22:54 +03:00
if (page == 'ssh') {
// SSH port
port = 22;
Added SSH support in terminal tab for local devices.
2021-05-09 04:09:49 +03:00
if (typeof node.sshport == 'number') { port = node.sshport; }
Added new allowSavingDeviceCredentials option, #3751
2022-03-16 03:00:43 +03:00
// Check if we have SSH credentials for this device
if (domain.allowsavingdevicecredentials !== false) { serverCredentials = ((typeof node.ssh == 'object') && (typeof node.ssh.u == 'string')); }
Started work on web-based SSH support.
2021-04-29 09:22:54 +03:00
} else {
// RDP port
Added SSH support in terminal tab for local devices.
2021-05-09 04:09:49 +03:00
port = 3389;
Started work on web-based SSH support.
2021-04-29 09:22:54 +03:00
if (typeof node.rdpport == 'number') { port = node.rdpport; }
Added new allowSavingDeviceCredentials option, #3751
2022-03-16 03:00:43 +03:00
// Check if we have RDP credentials for this device
if (domain.allowsavingdevicecredentials !== false) { serverCredentials = ((typeof node.rdp == 'object') && (typeof node.rdp.d == 'string') && (typeof node.rdp.u == 'string') && (typeof node.rdp.p == 'string')); }
Started work on web-based SSH support.
2021-04-29 09:22:54 +03:00
}
Improved MSTSC.js login access options.
2020-06-14 03:43:12 +03:00
if (req.query.port != null) { var qport = 0; try { qport = parseInt(req.query.port); } catch (ex) { } if ((typeof qport == 'number') && (qport > 0) && (qport < 65536)) { port = qport; } }
// Generate a cookie and respond
var cookie = parent.encodeCookie({ userid: user._id, domainid: user.domain, nodeid: node._id, tcpport: port }, parent.loginCookieEncryptionKey);
Added new allowSavingDeviceCredentials option, #3751
2022-03-16 03:00:43 +03:00
render(req, res, getRenderPage(page, req, domain), getRenderArgs({ cookie: cookie, name: encodeURIComponent(node.name).replace(/'/g, '%27'), serverCredentials: serverCredentials, features: features }, req, domain));
Improved MSTSC.js login access options.
2020-06-14 03:43:12 +03:00
});
Internationalized RDP login page and added 3FA support.
2020-06-12 23:56:29 +03:00
}
Started work on web-based SSH support.
2021-04-29 09:22:54 +03:00
Added Firebase Cloud Messaging Relay.
2021-02-03 10:31:44 +03:00
// Called to handle push-only requests
function handleFirebasePushOnlyRelayRequest(req, res) {
parent.debug('email', 'handleFirebasePushOnlyRelayRequest');
if ((req.body == null) || (req.body.msg == null) || (obj.parent.firebase == null)) { res.sendStatus(404); return; }
if (obj.parent.config.firebase.pushrelayserver == null) { res.sendStatus(404); return; }
Added Firebase two-way push notification relay.
2021-02-04 08:48:54 +03:00
if ((typeof obj.parent.config.firebase.pushrelayserver == 'string') && (req.query.key != obj.parent.config.firebase.pushrelayserver)) { res.sendStatus(404); return; }
Added Firebase Cloud Messaging Relay.
2021-02-03 10:31:44 +03:00
var data = null;
try { data = JSON.parse(req.body.msg) } catch (ex) { res.sendStatus(404); return; }
if (typeof data != 'object') { res.sendStatus(404); return; }
if (typeof data.pmt != 'string') { res.sendStatus(404); return; }
if (typeof data.payload != 'object') { res.sendStatus(404); return; }
if (typeof data.payload.notification != 'object') { res.sendStatus(404); return; }
if (typeof data.payload.notification.title != 'string') { res.sendStatus(404); return; }
if (typeof data.payload.notification.body != 'string') { res.sendStatus(404); return; }
if (typeof data.options != 'object') { res.sendStatus(404); return; }
if ((data.options.priority != 'Normal') && (data.options.priority != 'High')) { res.sendStatus(404); return; }
if ((typeof data.options.timeToLive != 'number') || (data.options.timeToLive < 1)) { res.sendStatus(404); return; }
parent.debug('email', 'handleFirebasePushOnlyRelayRequest - ok');
obj.parent.firebase.sendToDevice({ pmt: data.pmt }, data.payload, data.options, function (id, err, errdesc) {
if (err == null) { res.sendStatus(200); } else { res.sendStatus(500); }
});
}
Added Firebase two-way push notification relay.
2021-02-04 08:48:54 +03:00
// Called to handle two-way push notification relay request
function handleFirebaseRelayRequest(ws, req) {
parent.debug('email', 'handleFirebaseRelayRequest');
if (obj.parent.firebase == null) { try { ws.close(); } catch (e) { } return; }
if (obj.parent.firebase.setupRelay == null) { try { ws.close(); } catch (e) { } return; }
if (obj.parent.config.firebase.relayserver == null) { try { ws.close(); } catch (e) { } return; }
if ((typeof obj.parent.config.firebase.relayserver == 'string') && (req.query.key != obj.parent.config.firebase.relayserver)) { res.sendStatus(404); try { ws.close(); } catch (e) { } return; }
obj.parent.firebase.setupRelay(ws);
}
Added public agent install invitation link support.
2019-06-03 23:15:38 +03:00
// Called to process an agent invite request
function handleAgentInviteRequest(req, res) {
Fixed agent invite link when UserAllowedIP is used.
2019-10-12 01:39:15 +03:00
const domain = getDomain(req);
Added 3FA using LoginKey in domain section of config.json, add &key= to URL.
2019-11-22 05:57:57 +03:00
if ((domain == null) || ((req.query.m == null) && (req.query.c == null))) { parent.debug('web', 'handleAgentInviteRequest: failed checks.'); res.sendStatus(404); return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Added 3FA using LoginKey in domain section of config.json, add &key= to URL.
2019-11-22 05:57:57 +03:00
Added public agent install invitation link support.
2019-06-03 23:15:38 +03:00
if (req.query.c != null) {
// A cookie is specified in the query string, use that
Fixed invitation link encryption key.
2019-06-08 03:11:56 +03:00
var cookie = obj.parent.decodeCookie(req.query.c, obj.parent.invitationLinkEncryptionKey);
Added public agent install invitation link support.
2019-06-03 23:15:38 +03:00
if (cookie == null) { res.sendStatus(404); return; }
var mesh = obj.meshes[cookie.mid];
if (mesh == null) { res.sendStatus(404); return; }
var installflags = cookie.f;
if (typeof installflags != 'number') { installflags = 0; }
Improved agent invitations, #3694
2022-02-24 03:14:32 +03:00
var showagents = cookie.ag;
if (typeof showagents != 'number') { showagents = 0; }
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleAgentInviteRequest using cookie.');
Added Android to agent install invitation page.
2021-01-30 01:08:05 +03:00
// Build the mobile agent URL, this is used to connect mobile devices
var agentServerName = obj.getWebServerName(domain);
if (typeof obj.args.agentaliasdns == 'string') { agentServerName = obj.args.agentaliasdns; }
var xdomain = (domain.dns == null) ? domain.id : '';
var agentHttpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
if (obj.args.agentport != null) { agentHttpsPort = obj.args.agentport; } // If an agent only port is enabled, use that.
if (obj.args.agentaliasport != null) { agentHttpsPort = obj.args.agentaliasport; } // If an agent alias port is specified, use that.
var magenturl = 'mc://' + agentServerName + ((agentHttpsPort != 443) ? (':' + agentHttpsPort) : '') + ((xdomain != '') ? ('/' + xdomain) : '') + ',' + obj.agentCertificateHashBase64 + ',' + mesh._id.split('/')[2];
Added MeshID obfuscation in agent invite page.
2020-06-18 23:56:04 +03:00
var meshcookie = parent.encodeCookie({ m: mesh._id.split('/')[2] }, parent.invitationLinkEncryptionKey);
Improved agent invitations, #3694
2022-02-24 03:14:32 +03:00
render(req, res, getRenderPage('agentinvite', req, domain), getRenderArgs({ meshid: meshcookie, serverport: ((args.aliasport != null) ? args.aliasport : args.port), serverhttps: 1, servernoproxy: ((domain.agentnoproxy === true) ? '1' : '0'), meshname: encodeURIComponent(mesh.name).replace(/'/g, '%27'), installflags: installflags, showagents: showagents, magenturl: magenturl }, req, domain));
Added public agent install invitation link support.
2019-06-03 23:15:38 +03:00
} else if (req.query.m != null) {
// The MeshId is specified in the query string, use that
var mesh = obj.meshes['mesh/' + domain.id + '/' + req.query.m.toLowerCase()];
if (mesh == null) { res.sendStatus(404); return; }
var installflags = 0;
if (req.query.f) { installflags = parseInt(req.query.f); }
if (typeof installflags != 'number') { installflags = 0; }
Improved agent invitations, #3694
2022-02-24 03:14:32 +03:00
var showagents = 0;
if (req.query.f) { showagents = parseInt(req.query.ag); }
if (typeof showagents != 'number') { showagents = 0; }
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleAgentInviteRequest using meshid.');
Added Android to agent install invitation page.
2021-01-30 01:08:05 +03:00
// Build the mobile agent URL, this is used to connect mobile devices
var agentServerName = obj.getWebServerName(domain);
if (typeof obj.args.agentaliasdns == 'string') { agentServerName = obj.args.agentaliasdns; }
var xdomain = (domain.dns == null) ? domain.id : '';
var agentHttpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
if (obj.args.agentport != null) { agentHttpsPort = obj.args.agentport; } // If an agent only port is enabled, use that.
if (obj.args.agentaliasport != null) { agentHttpsPort = obj.args.agentaliasport; } // If an agent alias port is specified, use that.
var magenturl = 'mc://' + agentServerName + ((agentHttpsPort != 443) ? (':' + agentHttpsPort) : '') + ((xdomain != '') ? ('/' + xdomain) : '') + ',' + obj.agentCertificateHashBase64 + ',' + mesh._id.split('/')[2];
Added MeshID obfuscation in agent invite page.
2020-06-18 23:56:04 +03:00
var meshcookie = parent.encodeCookie({ m: mesh._id.split('/')[2] }, parent.invitationLinkEncryptionKey);
Improved agent invitations, #3694
2022-02-24 03:14:32 +03:00
render(req, res, getRenderPage('agentinvite', req, domain), getRenderArgs({ meshid: meshcookie, serverport: ((args.aliasport != null) ? args.aliasport : args.port), serverhttps: 1, servernoproxy: ((domain.agentnoproxy === true) ? '1' : '0'), meshname: encodeURIComponent(mesh.name).replace(/'/g, '%27'), installflags: installflags, showagents: showagents, magenturl: magenturl }, req, domain));
Added public agent install invitation link support.
2019-06-03 23:15:38 +03:00
}
}
Started work on account pictures.
2021-03-19 14:12:45 +03:00
// Called to process an agent invite request
function handleUserImageRequest(req, res) {
const domain = getDomain(req);
if (domain == null) { parent.debug('web', 'handleUserImageRequest: failed checks.'); res.sendStatus(404); return; }
if ((req.session == null) || (req.session.userid == null)) { parent.debug('web', 'handleUserImageRequest: failed checks 2.'); res.sendStatus(404); return; }
Completed first version of account picture support.
2021-03-20 00:49:40 +03:00
var imageUserId = req.session.userid;
if ((req.query.id != null)) {
var user = obj.users[req.session.userid];
if ((user == null) || (user.siteadmin == null) && ((user.siteadmin & 2) == 0)) { res.sendStatus(404); return; }
imageUserId = 'user/' + domain.id + '/' + req.query.id;
}
obj.db.Get('im' + imageUserId, function (err, docs) {
Started work on account pictures.
2021-03-19 14:12:45 +03:00
if ((err != null) || (docs == null) || (docs.length != 1) || (typeof docs[0].image != 'string')) { res.sendStatus(404); return; }
var imagebase64 = docs[0].image;
if (imagebase64.startsWith('data:image/png;base64,')) {
res.set('Content-Type', 'image/png');
Completed first version of account picture support.
2021-03-20 00:49:40 +03:00
res.set({ 'Cache-Control': 'no-store' });
Started work on account pictures.
2021-03-19 14:12:45 +03:00
res.send(Buffer.from(imagebase64.substring(22), 'base64'));
} else if (imagebase64.startsWith('data:image/jpeg;base64,')) {
res.set('Content-Type', 'image/jpeg');
Completed first version of account picture support.
2021-03-20 00:49:40 +03:00
res.set({ 'Cache-Control': 'no-store' });
Started work on account pictures.
2021-03-19 14:12:45 +03:00
res.send(Buffer.from(imagebase64.substring(23), 'base64'));
} else {
res.sendStatus(404);
}
});
}
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
function handleDeleteAccountRequest(req, res, direct) {
parent.debug('web', 'handleDeleteAccountRequest()');
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { parent.debug('web', 'handleDeleteAccountRequest: failed checks.'); res.sendStatus(404); return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Completed login token support.
2021-04-17 04:55:03 +03:00
if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token
Improved user handling with domain auth, email validation.
2019-01-16 23:04:48 +03:00
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
var user = null;
if (req.body.authcookie) {
// If a authentication cookie is provided, decode it here
var loginCookie = obj.parent.decodeCookie(req.body.authcookie, obj.parent.loginCookieEncryptionKey, 60); // 60 minute timeout
if ((loginCookie != null) && (domain.id == loginCookie.domainid)) { user = obj.users[loginCookie.userid]; }
} else {
// Check if the user is logged and we have all required parameters
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (!req.session || !req.session.userid || !req.body.apassword1 || (req.body.apassword1 != req.body.apassword2) || (req.session.userid.split('/')[1] != domain.id)) {
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
parent.debug('web', 'handleDeleteAccountRequest: required parameters not present.');
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
} else {
user = obj.users[req.session.userid];
}
}
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
if (!user) { parent.debug('web', 'handleDeleteAccountRequest: user not found.'); res.sendStatus(404); return; }
Added Account Settings Lock Feature.
2020-08-06 06:15:34 +03:00
if ((user.siteadmin != 0xFFFFFFFF) && ((user.siteadmin & 1024) != 0)) { parent.debug('web', 'handleDeleteAccountRequest: account settings locked.'); res.sendStatus(404); return; }
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Check if the password is correct
More work on login tokens.
2021-04-16 22:42:54 +03:00
obj.authenticate(user._id.split('/')[2], req.body.apassword1, domain, function (err, userid, passhint, loginOptions) {
More work on user device permissions.
2020-03-27 10:21:44 +03:00
var deluser = obj.users[userid];
Server fixes.
2020-06-22 00:27:10 +03:00
if ((userid != null) && (deluser != null)) {
More work on user device permissions.
2020-03-27 10:21:44 +03:00
// Remove all links to this user
if (deluser.links != null) {
for (var i in deluser.links) {
if (i.startsWith('mesh/')) {
// Get the device group
User management improvements.
2020-05-28 04:26:54 +03:00
var mesh = obj.meshes[i];
More work on user device permissions.
2020-03-27 10:21:44 +03:00
if (mesh) {
// Remove user from the mesh
if (mesh.links[deluser._id] != null) { delete mesh.links[deluser._id]; parent.db.Set(mesh); }
// Notify mesh change
User management improvements.
2020-05-28 04:26:54 +03:00
var change = 'Removed user ' + deluser.name + ' from group ' + mesh.name;
More work on user device permissions.
2020-03-27 10:21:44 +03:00
var event = { etype: 'mesh', userid: user._id, username: user.name, meshid: mesh._id, name: mesh.name, mtype: mesh.mtype, desc: mesh.desc, action: 'meshchange', links: mesh.links, msg: change, domain: domain.id, invite: mesh.invite };
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the mesh. Another event will come.
User management improvements.
2020-05-28 04:26:54 +03:00
parent.DispatchEvent(['*', mesh._id, deluser._id, user._id], obj, event);
More work on user device permissions.
2020-03-27 10:21:44 +03:00
}
} else if (i.startsWith('node/')) {
// Get the node and the rights for this node
User management improvements.
2020-05-28 04:26:54 +03:00
obj.GetNodeWithRights(domain, deluser, i, function (node, rights, visible) {
More work on user device permissions.
2020-03-27 10:21:44 +03:00
if ((node == null) || (node.links == null) || (node.links[deluser._id] == null)) return;
// Remove the link and save the node to the database
delete node.links[deluser._id];
if (Object.keys(node.links).length == 0) { delete node.links; }
Added database links cleanup code.
2020-03-31 03:47:04 +03:00
db.Set(obj.cleanDevice(node));
More work on user device permissions.
2020-03-27 10:21:44 +03:00
// Event the node change
User management improvements.
2020-05-28 04:26:54 +03:00
var event = { etype: 'node', userid: user._id, username: user.name, action: 'changenode', nodeid: node._id, domain: domain.id, msg: ('Removed user device rights for ' + node.name), node: obj.CloneSafeNode(node) }
More work on user device permissions.
2020-03-27 10:21:44 +03:00
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the mesh. Another event will come.
User management improvements.
2020-05-28 04:26:54 +03:00
parent.DispatchEvent(['*', node.meshid, node._id], obj, event);
More work on user device permissions.
2020-03-27 10:21:44 +03:00
});
User management improvements.
2020-05-28 04:26:54 +03:00
} else if (i.startsWith('ugrp/')) {
// Get the device group
var ugroup = obj.userGroups[i];
if (ugroup) {
// Remove user from the user group
if (ugroup.links[deluser._id] != null) { delete ugroup.links[deluser._id]; parent.db.Set(ugroup); }
// Notify user group change
var change = 'Removed user ' + deluser.name + ' from user group ' + ugroup.name;
var event = { etype: 'ugrp', userid: user._id, username: user.name, ugrpid: ugroup._id, name: ugroup.name, desc: ugroup.desc, action: 'usergroupchange', links: ugroup.links, msg: 'Removed user ' + deluser.name + ' from user group ' + ugroup.name, addUserDomain: domain.id };
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user group. Another event will come.
parent.DispatchEvent(['*', ugroup._id, user._id, deluser._id], obj, event);
}
Access permission and CIRA improvements.
2018-03-27 03:13:32 +03:00
}
}
}
Added personal notes.
2021-03-25 23:28:33 +03:00
obj.db.Remove('ws' + deluser._id); // Remove user web state
obj.db.Remove('nt' + deluser._id); // Remove notes for this user
obj.db.Remove('ntp' + deluser._id); // Remove personal notes for this user
obj.db.Remove('im' + deluser._id); // Remove image for this user
Fixed account delete issues
2018-05-17 23:37:50 +03:00
Completed login token support.
2021-04-17 04:55:03 +03:00
// Delete any login tokens
parent.db.GetAllTypeNodeFiltered(['logintoken-' + deluser._id], domain.id, 'logintoken', null, function (err, docs) {
if ((err == null) && (docs != null)) { for (var i = 0; i < docs.length; i++) { parent.db.Remove(docs[i]._id, function () { }); } }
});
// Delete all files on the server for this account
try {
var deluserpath = obj.getServerRootFilePath(deluser);
if (deluserpath != null) { obj.deleteFolderRec(deluserpath); }
} catch (e) { }
Access permission and CIRA improvements.
2018-03-27 03:13:32 +03:00
// Remove the user
More work on user device permissions.
2020-03-27 10:21:44 +03:00
obj.db.Remove(deluser._id);
delete obj.users[deluser._id];
Improved http session handling, new account page
2018-08-23 02:18:01 +03:00
req.session = null;
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
More work on user device permissions.
2020-03-27 10:21:44 +03:00
obj.parent.DispatchEvent(['*', 'server-users'], obj, { etype: 'user', userid: deluser._id, username: deluser.name, action: 'accountremove', msg: 'Account removed', domain: domain.id });
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleDeleteAccountRequest: removed user.');
Initial main commit
2017-08-28 19:27:45 +03:00
} else {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleDeleteAccountRequest: auth failed.');
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Initial main commit
2017-08-28 19:27:45 +03:00
}
});
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
// Check a user's password
Made MQTT optional.
2019-10-04 22:18:56 +03:00
obj.checkUserPassword = function (domain, user, password, func) {
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
// Check the old password
if (user.passtype != null) {
// IIS default clear or weak password hashing (SHA-1)
require('./pass').iishash(user.passtype, password, user.salt, function (err, hash) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
if (err) { parent.debug('web', 'checkUserPassword: SHA-1 fail.'); return func(false); }
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
if (hash == user.hash) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { parent.debug('web', 'checkUserPassword: SHA-1 locked.'); return func(false); } // Account is locked
Made MQTT optional.
2019-10-04 22:18:56 +03:00
parent.debug('web', 'checkUserPassword: SHA-1 ok.');
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
return func(true); // Allow password change
}
func(false);
});
} else {
// Default strong password hashing (pbkdf2 SHA384)
Added batch account addition.
2019-05-15 00:39:26 +03:00
require('./pass').hash(password, user.salt, function (err, hash, tag) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
if (err) { parent.debug('web', 'checkUserPassword: pbkdf2 SHA384 fail.'); return func(false); }
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
if (hash == user.hash) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { parent.debug('web', 'checkUserPassword: pbkdf2 SHA384 locked.'); return func(false); } // Account is locked
Made MQTT optional.
2019-10-04 22:18:56 +03:00
parent.debug('web', 'checkUserPassword: pbkdf2 SHA384 ok.');
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
return func(true); // Allow password change
}
func(false);
Added batch account addition.
2019-05-15 00:39:26 +03:00
}, 0);
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
}
}
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
// Check a user's old passwords
Added support for banning common passwords.
2020-08-16 23:44:54 +03:00
// Callback: 0=OK, 1=OldPass, 2=CommonPass
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
obj.checkOldUserPasswords = function (domain, user, password, func) {
// Check how many old passwords we need to check
Fixed server exception on password change.
2020-08-21 01:33:12 +03:00
if ((domain.passwordrequirements != null) && (typeof domain.passwordrequirements.oldpasswordban == 'number') && (domain.passwordrequirements.oldpasswordban > 0)) {
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
if (user.oldpasswords != null) {
const extraOldPasswords = user.oldpasswords.length - domain.passwordrequirements.oldpasswordban;
if (extraOldPasswords > 0) { user.oldpasswords.splice(0, extraOldPasswords); }
}
} else {
delete user.oldpasswords;
}
// If there is no old passwords, exit now.
var oldPassCount = 1;
if (user.oldpasswords != null) { oldPassCount += user.oldpasswords.length; }
Added support for banning common passwords.
2020-08-16 23:44:54 +03:00
var oldPassCheckState = { response: 0, count: oldPassCount, user: user, func: func };
// Test against common passwords if this feature is enabled
// Example of common passwords: 123456789, password123
if ((domain.passwordrequirements != null) && (domain.passwordrequirements.bancommonpasswords == true)) {
oldPassCheckState.count++;
require('wildleek')(password).then(function (wild) {
if (wild == true) { oldPassCheckState.response = 2; }
if (--oldPassCheckState.count == 0) { oldPassCheckState.func(oldPassCheckState.response); }
});
}
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
// Try current password
require('./pass').hash(password, user.salt, function oldPassCheck(err, hash, tag) {
Added support for banning common passwords.
2020-08-16 23:44:54 +03:00
if ((err == null) && (hash == tag.user.hash)) { tag.response = 1; }
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
if (--tag.count == 0) { tag.func(tag.response); }
}, oldPassCheckState);
// Try each old password
if (user.oldpasswords != null) {
for (var i in user.oldpasswords) {
const oldpassword = user.oldpasswords[i];
// Default strong password hashing (pbkdf2 SHA384)
require('./pass').hash(password, oldpassword.salt, function oldPassCheck(err, hash, tag) {
Added support for banning common passwords.
2020-08-16 23:44:54 +03:00
if ((err == null) && (hash == tag.oldPassword.hash)) { tag.state.response = 1; }
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
if (--tag.state.count == 0) { tag.state.func(tag.state.response); }
}, { oldPassword: oldpassword, state: oldPassCheckState });
}
}
}
Initial main commit
2017-08-28 19:27:45 +03:00
// Handle password changes
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
function handlePasswordChangeRequest(req, res, direct) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { parent.debug('web', 'handlePasswordChangeRequest: failed checks (1).'); res.sendStatus(404); return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Completed login token support.
2021-04-17 04:55:03 +03:00
if (req.session.loginToken != null) { res.sendStatus(404); return; } // Do not allow this command when logged in using a login token
Improved user handling with domain auth, email validation.
2019-01-16 23:04:48 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Check if the user is logged and we have all required parameters
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (!req.session || !req.session.userid || !req.body.apassword0 || !req.body.apassword1 || (req.body.apassword1 != req.body.apassword2) || (req.session.userid.split('/')[1] != domain.id)) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handlePasswordChangeRequest: failed checks (2).');
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
// Get the current user
var user = obj.users[req.session.userid];
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
if (!user) {
parent.debug('web', 'handlePasswordChangeRequest: user not found.');
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
}
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
Added Account Settings Lock Feature.
2020-08-06 06:15:34 +03:00
// Check account settings locked
if ((user.siteadmin != 0xFFFFFFFF) && ((user.siteadmin & 1024) != 0)) {
parent.debug('web', 'handlePasswordChangeRequest: account settings locked.');
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added Account Settings Lock Feature.
2020-08-06 06:15:34 +03:00
return;
}
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
// Check old password
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
obj.checkUserPassword(domain, user, req.body.apassword1, function (result) {
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
if (result == true) {
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
// Check if the new password is allowed, only do this if this feature is enabled.
parent.checkOldUserPasswords(domain, user, command.newpass, function (result) {
Added support for banning common passwords.
2020-08-16 23:44:54 +03:00
if (result == 1) {
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
parent.debug('web', 'handlePasswordChangeRequest: old password reuse attempt.');
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added support for banning common passwords.
2020-08-16 23:44:54 +03:00
} else if (result == 2) {
parent.debug('web', 'handlePasswordChangeRequest: commonly used password use attempt.');
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
} else {
// Update the password
require('./pass').hash(req.body.apassword1, function (err, salt, hash, tag) {
const nowSeconds = Math.floor(Date.now() / 1000);
if (err) { parent.debug('web', 'handlePasswordChangeRequest: hash error.'); throw err; }
if (domain.passwordrequirements != null) {
// Save password hint if this feature is enabled
if ((domain.passwordrequirements.hint === true) && (req.body.apasswordhint)) { var hint = req.body.apasswordhint; if (hint.length > 250) hint = hint.substring(0, 250); user.passhint = hint; } else { delete user.passhint; }
// Save previous password if this feature is enabled
if ((typeof domain.passwordrequirements.oldpasswordban == 'number') && (domain.passwordrequirements.oldpasswordban > 0)) {
if (user.oldpasswords == null) { user.oldpasswords = []; }
user.oldpasswords.push({ salt: user.salt, hash: user.hash, start: user.passchange, end: nowSeconds });
const extraOldPasswords = user.oldpasswords.length - domain.passwordrequirements.oldpasswordban;
if (extraOldPasswords > 0) { user.oldpasswords.splice(0, extraOldPasswords); }
}
}
user.salt = salt;
user.hash = hash;
Added user last access support, #3319
2021-12-05 00:08:17 +03:00
user.passchange = user.access = nowSeconds;
Added support for oldPasswordBan to not allow old password re-use.
2020-08-16 21:10:02 +03:00
delete user.passtype;
obj.db.SetUser(user);
req.session.viewmode = 2;
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
obj.parent.DispatchEvent(['*', 'server-users'], obj, { etype: 'user', userid: user._id, username: user.name, action: 'passchange', msg: 'Account password changed: ' + user.name, domain: domain.id });
}, 0);
}
});
Updated Windows agent, security improvements.
2019-02-13 06:23:40 +03:00
}
Initial main commit
2017-08-28 19:27:45 +03:00
});
}
More OAuth work.
2020-05-14 11:41:03 +03:00
// Called when a strategy login occured
// This is called after a succesful Oauth to Twitter, Google, GitHub...
function handleStrategyLogin(req, res) {
const domain = checkUserIpAddress(req, res);
if (domain == null) { return; }
parent.debug('web', 'handleStrategyLogin: ' + JSON.stringify(req.user));
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
if ((req.user != null) && (req.user.sid != null)) {
const userid = 'user/' + domain.id + '/' + req.user.sid;
More OAuth work.
2020-05-14 11:41:03 +03:00
var user = obj.users[userid];
if (user == null) {
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
var newAccountAllowed = false;
Added newaccountsrights support for SSO accounts.
2020-05-25 22:52:13 +03:00
var newAccountRealms = null;
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
if (domain.newaccounts === true) { newAccountAllowed = true; }
Added newaccountsrights support for SSO accounts.
2020-05-25 22:52:13 +03:00
if (obj.common.validateStrArray(domain.newaccountrealms)) { newAccountRealms = domain.newaccountrealms; }
if ((domain.authstrategies != null) && (domain.authstrategies[req.user.strategy] != null)) {
if (domain.authstrategies[req.user.strategy].newaccounts === true) { newAccountAllowed = true; }
if (obj.common.validateStrArray(domain.authstrategies[req.user.strategy].newaccountrealms)) { newAccountRealms = domain.authstrategies[req.user.strategy].newaccountrealms; }
}
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
if (newAccountAllowed === true) {
First working OAuth support for Twitter, Google, GitHub, Reddit.
2020-05-15 03:06:55 +03:00
// Create the user
parent.debug('web', 'handleStrategyLogin: creating new user: ' + userid);
Added user last access support, #3319
2021-12-05 00:08:17 +03:00
user = { type: 'user', _id: userid, name: req.user.name, email: req.user.email, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), access: Math.floor(Date.now() / 1000), domain: domain.id };
First working OAuth support for Twitter, Google, GitHub, Reddit.
2020-05-15 03:06:55 +03:00
if (req.user.email != null) { user.email = req.user.email; user.emailVerified = true; }
Added newaccountsrights support for SSO accounts.
2020-05-25 22:52:13 +03:00
if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; } // New accounts automatically assigned server rights.
Added newAccountsRights to SSO strategies
2020-05-29 04:04:30 +03:00
if (domain.authstrategies[req.user.strategy].newaccountsrights) { user.siteadmin = obj.common.meshServerRightsArrayToNumber(domain.authstrategies[req.user.strategy].newaccountsrights); } // If there are specific SSO server rights, use these instead.
Added newaccountsrights support for SSO accounts.
2020-05-25 22:52:13 +03:00
if (newAccountRealms) { user.groups = newAccountRealms; } // New accounts automatically part of some groups (Realms).
First working OAuth support for Twitter, Google, GitHub, Reddit.
2020-05-15 03:06:55 +03:00
obj.users[userid] = user;
User management improvements.
2020-05-28 04:26:54 +03:00
// Auto-join any user groups
var newaccountsusergroups = null;
if (typeof domain.newaccountsusergroups == 'object') { newaccountsusergroups = domain.newaccountsusergroups; }
if (typeof domain.authstrategies[req.user.strategy].newaccountsusergroups == 'object') { newaccountsusergroups = domain.authstrategies[req.user.strategy].newaccountsusergroups; }
if (newaccountsusergroups) {
for (var i in newaccountsusergroups) {
var ugrpid = newaccountsusergroups[i];
if (ugrpid.indexOf('/') < 0) { ugrpid = 'ugrp/' + domain.id + '/' + ugrpid; }
var ugroup = obj.userGroups[ugrpid];
if (ugroup != null) {
// Add group to the user
if (user.links == null) { user.links = {}; }
user.links[ugroup._id] = { rights: 1 };
// Add user to the group
ugroup.links[user._id] = { userid: user._id, name: user.name, rights: 1 };
db.Set(ugroup);
// Notify user group change
var event = { etype: 'ugrp', ugrpid: ugroup._id, name: ugroup.name, desc: ugroup.desc, action: 'usergroupchange', links: ugroup.links, msg: 'Added user ' + user.name + ' to user group ' + ugroup.name, addUserDomain: domain.id };
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user group. Another event will come.
parent.DispatchEvent(['*', ugroup._id, user._id], obj, event);
}
}
}
// Save the user
First working OAuth support for Twitter, Google, GitHub, Reddit.
2020-05-15 03:06:55 +03:00
obj.db.SetUser(user);
// Event user creation
var targets = ['*', 'server-users'];
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountcreate', msg: 'Account created, username is ' + user.name, domain: domain.id };
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to create the user. Another event will come.
parent.DispatchEvent(targets, obj, event);
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
req.session.userid = userid;
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
setSessionRandom(req);
Now putting SSO user login events in event log.
2022-03-16 01:03:58 +03:00
// Notify account login using SSO
var targets = ['*', 'server-users', user._id];
if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } }
const ua = getUserAgentInfo(req);
const loginEvent = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'login', msgid: 107, msgArgs: [req.clientIp, ua.browserStr, ua.osStr], msg: 'Account login', domain: domain.id, ip: req.clientIp, userAgent: req.headers['user-agent'], twoFactorType: 'sso' };
obj.parent.DispatchEvent(targets, obj, loginEvent);
First working OAuth support for Twitter, Google, GitHub, Reddit.
2020-05-15 03:06:55 +03:00
} else {
// New users not allowed
parent.debug('web', 'handleStrategyLogin: Can\'t create new accounts');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session.loginmode = 1;
First working OAuth support for Twitter, Google, GitHub, Reddit.
2020-05-15 03:06:55 +03:00
req.session.messageid = 100; // Unable to create account.
res.redirect(domain.url + getQueryPortion(req));
return;
}
More OAuth work.
2020-05-14 11:41:03 +03:00
} else {
// Login success
var userChange = false;
if ((req.user.name != null) && (req.user.name != user.name)) { user.name = req.user.name; userChange = true; }
if ((req.user.email != null) && (req.user.email != user.email)) { user.email = req.user.email; user.emailVerified = true; userChange = true; }
if (userChange) {
obj.db.SetUser(user);
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
Now putting SSO user login events in event log.
2022-03-16 01:03:58 +03:00
// Event user change
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
var targets = ['*', 'server-users'];
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: 'Account changed', domain: domain.id };
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to create the user. Another event will come.
parent.DispatchEvent(targets, obj, event);
More OAuth work.
2020-05-14 11:41:03 +03:00
}
parent.debug('web', 'handleStrategyLogin: succesful login: ' + userid);
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
req.session.userid = userid;
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
setSessionRandom(req);
Now putting SSO user login events in event log.
2022-03-16 01:03:58 +03:00
// Notify account login using SSO
var targets = ['*', 'server-users', user._id];
if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } }
const ua = getUserAgentInfo(req);
const loginEvent = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'login', msgid: 107, msgArgs: [req.clientIp, ua.browserStr, ua.osStr], msg: 'Account login', domain: domain.id, ip: req.clientIp, userAgent: req.headers['user-agent'], twoFactorType: 'sso' };
obj.parent.DispatchEvent(targets, obj, loginEvent);
More OAuth work.
2020-05-14 11:41:03 +03:00
}
}
//res.redirect(domain.url); // This does not handle cookie correctly.
res.set('Content-Type', 'text/html');
res.end('<html><head><meta http-equiv="refresh" content=0;url="' + domain.url + '"></head><body></body></html>');
}
Initial main commit
2017-08-28 19:27:45 +03:00
// Indicates that any request to "/" should render "default" or "login" depending on login state
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
function handleRootRequest(req, res, direct) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Improved server tracing.
2019-08-23 21:51:48 +03:00
if (!obj.args) { parent.debug('web', 'handleRootRequest: no obj.args.'); res.sendStatus(500); return; }
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
Completed login token support.
2021-04-17 04:55:03 +03:00
// If the session is expired, clear it.
if ((req.session != null) && (typeof req.session.expire == 'number') && ((req.session.expire - Date.now()) <= 0)) { for (var i in req.session) { delete req.session[i]; } }
Added server maintenance mode.
2020-11-21 03:43:58 +03:00
// Check if we are in maintenance mode
Fix for #2686
2021-05-25 21:17:23 +03:00
if ((parent.config.settings.maintenancemode != null) && (req.query.loginscreen !== '1')) {
Added server maintenance mode.
2020-11-21 03:43:58 +03:00
parent.debug('web', 'handleLoginRequest: Server under maintenance.');
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 3, msgid: 13, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27') }, req, domain));
return;
}
Added unknownUserRootRedirect option, #3172
2021-10-08 23:24:04 +03:00
// If set and there is no user logged in, redirect the root page. Make sure not to redirect if /login is used
if ((typeof domain.unknownuserrootredirect == 'string') && ((req.session == null) || (req.session.userid == null))) {
var q = require('url').parse(req.url, true);
if (!q.pathname.endsWith('/login')) { res.redirect(domain.unknownuserrootredirect + getQueryPortion(req)); return; }
}
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
if ((domain.sspi != null) && ((req.query.login == null) || (obj.parent.loginCookieEncryptionKey == null))) {
// Login using SSPI
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
domain.sspi.authenticate(req, res, function (err) {
if ((err != null) || (req.connection.user == null)) {
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed SSPI-auth for ' + req.connection.user + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); }
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequest: SSPI auth required.');
res.end('Authentication Required...');
} else {
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted SSPI-auth for ' + req.connection.user + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); }
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequest: SSPI auth ok.');
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
handleRootRequestEx(req, res, domain, direct);
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
}
});
Many fixes.
2018-12-20 23:12:24 +03:00
} else if (req.query.user && req.query.pass) {
Added basic auth.log support.
2020-02-17 21:24:32 +03:00
// User credentials are being passed in the URL. WARNING: Putting credentials in a URL is bad security... but people are requesting this option.
More work on login tokens.
2021-04-16 22:42:54 +03:00
obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid, passhint, loginOptions) {
Removed SSPI auth retrieveGroups to reduce cookie size.
2021-09-03 03:52:37 +03:00
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + userid + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); }
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequest: user/pass in URL auth ok.');
Added LDAP support.
2019-04-11 23:41:51 +03:00
req.session.userid = userid;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.currentNode;
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
req.session.ip = req.clientIp; // Bind this session to the IP address of the request
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
setSessionRandom(req);
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
handleRootRequestEx(req, res, domain, direct);
Added LDAP support.
2019-04-11 23:41:51 +03:00
});
Additional login token checking.
2021-04-17 09:15:57 +03:00
} else if ((req.session != null) && (typeof req.session.loginToken == 'string')) {
// Check if the loginToken is still valid
obj.db.Get('logintoken-' + req.session.loginToken, function (err, docs) {
if ((err != null) || (docs == null) || (docs.length != 1) || (docs[0].tokenUser != req.session.loginToken)) { for (var i in req.session) { delete req.session[i]; } }
handleRootRequestEx(req, res, domain, direct); // Login using a different system
});
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
} else {
// Login using a different system
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
handleRootRequestEx(req, res, domain, direct);
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
}
}
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
function handleRootRequestEx(req, res, domain, direct) {
Added option to remove clipboard get/set support.
2021-07-15 23:58:30 +03:00
var nologout = false, user = null;
Added Webkit download bug workaround.
2020-10-02 23:17:53 +03:00
res.set({ 'Cache-Control': 'no-store' });
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Check if we have an incomplete domain name in the path
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
if ((domain.id != '') && (domain.dns == null) && (req.url.split('/').length == 2)) {
parent.debug('web', 'handleRootRequestEx: incomplete domain name in the path.');
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
res.redirect(domain.url + getQueryPortion(req)); // BAD***
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
return;
}
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
if (obj.args.nousers == true) {
// If in single user mode, setup things here.
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.loginmode;
Initial main commit
2017-08-28 19:27:45 +03:00
req.session.userid = 'user/' + domain.id + '/~';
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.currentNode;
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
req.session.ip = req.clientIp; // Bind this session to the IP address of the request
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
setSessionRandom(req);
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
if (obj.users[req.session.userid] == null) {
Initial main commit
2017-08-28 19:27:45 +03:00
// Create the dummy user ~ with impossible password
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequestEx: created dummy user in nouser mode.');
More fixes, updated MeshCommander (Intel AMT tab)
2019-06-27 08:13:56 +03:00
obj.users[req.session.userid] = { type: 'user', _id: req.session.userid, name: '~', email: '~', domain: domain.id, siteadmin: 4294967295 };
Initial main commit
2017-08-28 19:27:45 +03:00
obj.db.SetUser(obj.users[req.session.userid]);
}
Fixed desktop tools
2018-09-12 00:28:47 +03:00
} else if (obj.args.user && obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]) {
Initial main commit
2017-08-28 19:27:45 +03:00
// If a default user is active, setup the session here.
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequestEx: auth using default user.');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.loginmode;
Initial main commit
2017-08-28 19:27:45 +03:00
req.session.userid = 'user/' + domain.id + '/' + obj.args.user.toLowerCase();
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.currentNode;
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
req.session.ip = req.clientIp; // Bind this session to the IP address of the request
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
setSessionRandom(req);
Added loginToken support and improved way to embed page into other sites.
2017-12-14 01:52:57 +03:00
} else if (req.query.login && (obj.parent.loginCookieEncryptionKey != null)) {
var loginCookie = obj.parent.decodeCookie(req.query.login, obj.parent.loginCookieEncryptionKey, 60); // 60 minute timeout
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
//if ((loginCookie != null) && (obj.args.cookieipcheck !== false) && (loginCookie.ip != null) && (loginCookie.ip != req.clientIp)) { loginCookie = null; } // If the cookie if binded to an IP address, check here.
Added loginToken support and improved way to embed page into other sites.
2017-12-14 01:52:57 +03:00
if ((loginCookie != null) && (loginCookie.a == 3) && (loginCookie.u != null) && (loginCookie.u.split('/')[1] == domain.id)) {
// If a login cookie was provided, setup the session here.
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequestEx: cookie auth ok.');
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.loginmode;
Added loginToken support and improved way to embed page into other sites.
2017-12-14 01:52:57 +03:00
req.session.userid = loginCookie.u;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.currentNode;
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
req.session.ip = req.clientIp; // Bind this session to the IP address of the request
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
setSessionRandom(req);
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
} else {
parent.debug('web', 'handleRootRequestEx: cookie auth failed.');
Added loginToken support and improved way to embed page into other sites.
2017-12-14 01:52:57 +03:00
}
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
} else if (domain.sspi != null) {
// SSPI login (Windows only)
//console.log(req.connection.user, req.connection.userSid);
if ((req.connection.user == null) || (req.connection.userSid == null)) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequestEx: SSPI no user auth.');
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
res.sendStatus(404); return;
} else {
nologout = true;
Added recovery core support.
2019-01-22 01:05:50 +03:00
req.session.userid = 'user/' + domain.id + '/' + req.connection.user.toLowerCase();
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
req.session.usersid = req.connection.userSid;
req.session.usersGroups = req.connection.userGroups;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
delete req.session.currentNode;
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
req.session.ip = req.clientIp; // Bind this session to the IP address of the request
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
setSessionRandom(req);
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
// Check if this user exists, create it if not.
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
user = obj.users[req.session.userid];
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
if ((user == null) || (user.sid != req.session.usersid)) {
// Create the domain user
Added user last access support, #3319
2021-12-05 00:08:17 +03:00
var usercount = 0, user2 = { type: 'user', _id: req.session.userid, name: req.connection.user, domain: domain.id, sid: req.session.usersid, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), access: Math.floor(Date.now() / 1000) };
Fixed user interface issues and added newAccountsRights in domain config.
2019-05-13 05:14:24 +03:00
if (domain.newaccountsrights) { user2.siteadmin = domain.newaccountsrights; }
Added newaccountsrights support for SSO accounts.
2020-05-25 22:52:13 +03:00
if (obj.common.validateStrArray(domain.newaccountrealms)) { user2.groups = domain.newaccountrealms; }
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
for (var i in obj.users) { if (obj.users[i].domain == domain.id) { usercount++; } }
More fixes, updated MeshCommander (Intel AMT tab)
2019-06-27 08:13:56 +03:00
if (usercount == 0) { user2.siteadmin = 4294967295; } // If this is the first user, give the account site admin.
User management improvements.
2020-05-28 04:26:54 +03:00
// Auto-join any user groups
if (typeof domain.newaccountsusergroups == 'object') {
for (var i in domain.newaccountsusergroups) {
var ugrpid = domain.newaccountsusergroups[i];
if (ugrpid.indexOf('/') < 0) { ugrpid = 'ugrp/' + domain.id + '/' + ugrpid; }
var ugroup = obj.userGroups[ugrpid];
if (ugroup != null) {
// Add group to the user
if (user2.links == null) { user2.links = {}; }
user2.links[ugroup._id] = { rights: 1 };
// Add user to the group
ugroup.links[user2._id] = { userid: user2._id, name: user2.name, rights: 1 };
db.Set(ugroup);
// Notify user group change
var event = { etype: 'ugrp', ugrpid: ugroup._id, name: ugroup.name, desc: ugroup.desc, action: 'usergroupchange', links: ugroup.links, msg: 'Added user ' + user2.name + ' to user group ' + ugroup.name, addUserDomain: domain.id };
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user group. Another event will come.
parent.DispatchEvent(['*', ugroup._id, user2._id], obj, event);
}
}
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
obj.users[req.session.userid] = user2;
obj.db.SetUser(user2);
Much improved event logs
2019-07-30 02:35:48 +03:00
var event = { etype: 'user', userid: req.session.userid, username: req.connection.user, account: obj.CloneSafeUser(user2), action: 'accountcreate', msg: 'Domain account created, user ' + req.connection.user, domain: domain.id };
Improved MongoDB change stream.
2019-05-30 00:36:14 +03:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to create the user. Another event will come.
obj.parent.DispatchEvent(['*', 'server-users'], obj, event);
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequestEx: SSPI new domain user.');
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
}
}
Initial main commit
2017-08-28 19:27:45 +03:00
}
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
Added password requirements checking.
2018-12-21 01:14:37 +03:00
// Figure out the minimal password requirement
var passRequirements = null;
if (domain.passwordrequirements != null) {
Fixed create account dialog, improved meshctrl.js
2019-12-12 22:44:03 +03:00
if (domain.passrequirementstr == null) {
var passRequirements = {};
if (typeof domain.passwordrequirements.min == 'number') { passRequirements.min = domain.passwordrequirements.min; }
if (typeof domain.passwordrequirements.max == 'number') { passRequirements.max = domain.passwordrequirements.max; }
if (typeof domain.passwordrequirements.upper == 'number') { passRequirements.upper = domain.passwordrequirements.upper; }
if (typeof domain.passwordrequirements.lower == 'number') { passRequirements.lower = domain.passwordrequirements.lower; }
if (typeof domain.passwordrequirements.numeric == 'number') { passRequirements.numeric = domain.passwordrequirements.numeric; }
if (typeof domain.passwordrequirements.nonalpha == 'number') { passRequirements.nonalpha = domain.passwordrequirements.nonalpha; }
domain.passwordrequirementsstr = encodeURIComponent(JSON.stringify(passRequirements));
}
Added password requirements checking.
2018-12-21 01:14:37 +03:00
passRequirements = domain.passwordrequirementsstr;
}
Fixed user session counts
2018-11-07 06:41:21 +03:00
// If a user exists and is logged in, serve the default app, otherwise server the login app.
if (req.session && req.session.userid && obj.users[req.session.userid]) {
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
const user = obj.users[req.session.userid];
First version with FireFox push messaging support.
2021-02-10 04:36:30 +03:00
Fix for #2686
2021-05-25 21:17:23 +03:00
// Check if we are in maintenance mode
if ((parent.config.settings.maintenancemode != null) && (user.siteadmin != 4294967295)) {
req.session.messageid = 115; // Server under maintenance
req.session.loginmode = 1;
res.redirect(domain.url);
return;
}
First version with FireFox push messaging support.
2021-02-10 04:36:30 +03:00
// If the request has a "meshmessengerid", redirect to MeshMessenger
// This situation happens when you get a push notification for a chat session, but are not logged in.
if (req.query.meshmessengerid != null) {
res.redirect(domain.url + 'messenger?id=' + req.query.meshmessengerid + ((req.query.key != null) ? ('&key=' + req.query.key) : ''));
return;
}
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
const xdbGetFunc = function dbGetFunc(err, states) {
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (dbGetFunc.req.session.userid.split('/')[1] != domain.id) { // Check if the session is for the correct domain
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
parent.debug('web', 'handleRootRequestEx: incorrect domain.');
dbGetFunc.req.session = null;
dbGetFunc.res.redirect(domain.url + getQueryPortion(dbGetFunc.req)); // BAD***
return;
}
Session and account improvements.
2019-02-11 07:13:03 +03:00
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
// Check if this is a locked account
if ((dbGetFunc.user.siteadmin != null) && ((dbGetFunc.user.siteadmin & 32) != 0) && (dbGetFunc.user.siteadmin != 0xFFFFFFFF)) {
// Locked account
parent.debug('web', 'handleRootRequestEx: locked account.');
delete dbGetFunc.req.session.userid;
delete dbGetFunc.req.session.currentNode;
delete dbGetFunc.req.session.passhint;
delete dbGetFunc.req.session.cuserid;
dbGetFunc.req.session.messageid = 110; // Account locked.
dbGetFunc.res.redirect(domain.url + getQueryPortion(dbGetFunc.req)); // BAD***
return;
}
Session and account improvements.
2019-02-11 07:13:03 +03:00
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
var viewmode = 1;
if (dbGetFunc.req.session.viewmode) {
viewmode = dbGetFunc.req.session.viewmode;
delete dbGetFunc.req.session.viewmode;
} else if (dbGetFunc.req.query.viewmode) {
viewmode = dbGetFunc.req.query.viewmode;
}
var currentNode = '';
if (dbGetFunc.req.session.currentNode) {
currentNode = dbGetFunc.req.session.currentNode;
delete dbGetFunc.req.session.currentNode;
} else if (dbGetFunc.req.query.node) {
currentNode = 'node/' + domain.id + '/' + dbGetFunc.req.query.node;
}
var logoutcontrols = {};
if (obj.args.nousers != true) { logoutcontrols.name = user.name; }
Added option to remove clipboard get/set support.
2021-07-15 23:58:30 +03:00
// Give the web page a list of supported server features for this domain and user
const allFeatures = obj.getDomainUserFeatures(domain, dbGetFunc.user, dbGetFunc.req);
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
// Create a authentication cookie
const authCookie = obj.parent.encodeCookie({ userid: dbGetFunc.user._id, domainid: domain.id, ip: req.clientIp }, obj.parent.loginCookieEncryptionKey);
const authRelayCookie = obj.parent.encodeCookie({ ruserid: dbGetFunc.user._id, domainid: domain.id }, obj.parent.loginCookieEncryptionKey);
Added web app minifiy support
2018-08-24 02:55:06 +03:00
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
// Send the main web application
var extras = (dbGetFunc.req.query.key != null) ? ('&key=' + dbGetFunc.req.query.key) : '';
if ((!obj.args.user) && (obj.args.nousers != true) && (nologout == false)) { logoutcontrols.logoutUrl = (domain.url + 'logout?' + Math.random() + extras); } // If a default user is in use or no user mode, don't display the logout button
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
// Clean up the U2F challenge if needed
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (dbGetFunc.req.session.u2f) { delete dbGetFunc.req.session.u2f; };
Web app speed improvement with geolocation is off.
2019-12-03 01:00:28 +03:00
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
// Intel AMT Scanning options
var amtscanoptions = '';
if (typeof domain.amtscanoptions == 'string') { amtscanoptions = encodeURIComponent(domain.amtscanoptions); }
else if (obj.common.validateStrArray(domain.amtscanoptions)) { domain.amtscanoptions = domain.amtscanoptions.join(','); amtscanoptions = encodeURIComponent(domain.amtscanoptions); }
// Fetch the web state
parent.debug('web', 'handleRootRequestEx: success.');
Added AmtScanOptions.
2020-06-19 20:37:55 +03:00
Server exceptions fixes.
2021-01-25 03:09:15 +03:00
var webstate = '';
if ((err == null) && (states != null) && (Array.isArray(states)) && (states.length == 1) && (states[0].state != null)) { webstate = obj.filterUserWebState(states[0].state); }
Added User Web State control on config.json.
2020-02-28 05:05:18 +03:00
if ((webstate == '') && (typeof domain.defaultuserwebstate == 'object')) { webstate = JSON.stringify(domain.defaultuserwebstate); } // User has no web state, use defaults.
Server exceptions fixes.
2021-01-25 03:09:15 +03:00
if (typeof domain.forceduserwebstate == 'object') { // Forces initial user web state if present, use it.
Added User Web State control on config.json.
2020-02-28 05:05:18 +03:00
var webstate2 = {};
try { if (webstate != '') { webstate2 = JSON.parse(webstate); } } catch (ex) { }
for (var i in domain.forceduserwebstate) { webstate2[i] = domain.forceduserwebstate[i]; }
webstate = JSON.stringify(webstate2);
}
Added support for custom ui buttons and dialogs.
2020-06-02 03:26:27 +03:00
// Custom user interface
var customui = '';
if (domain.customui != null) { customui = encodeURIComponent(JSON.stringify(domain.customui)); }
Added per-domain configuration of the MyServer action tab.
2020-09-28 23:28:08 +03:00
// Server features
Allow complete removal of My Server tab for a specific domain.
2020-10-06 02:47:30 +03:00
var serverFeatures = 127;
if (domain.myserver === false) { serverFeatures = 0; } // 64 = Show "My Server" tab
else if (typeof domain.myserver == 'object') {
Added user group consent policy and fixed user access rights.
2020-09-30 21:05:53 +03:00
if (domain.myserver.backup !== true) { serverFeatures -= 1; } // Disallow simple server backups
if (domain.myserver.restore !== true) { serverFeatures -= 2; } // Disallow simple server restore
if (domain.myserver.upgrade !== true) { serverFeatures -= 4; } // Disallow server upgrade
if (domain.myserver.errorlog !== true) { serverFeatures -= 8; } // Disallow show server crash log
if (domain.myserver.console !== true) { serverFeatures -= 16; } // Disallow server console
if (domain.myserver.trace !== true) { serverFeatures -= 32; } // Disallow server tracing
}
if (obj.db.databaseType != 1) { // If not using NeDB, we can't backup using the simple system.
if ((serverFeatures & 1) != 0) { serverFeatures -= 1; } // Disallow server backups
if ((serverFeatures & 2) != 0) { serverFeatures -= 2; } // Disallow simple server restore
Added per-domain configuration of the MyServer action tab.
2020-09-28 23:28:08 +03:00
}
Cookie session is now auto-refreshed.
2020-06-12 22:00:58 +03:00
// Refresh the session
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
render(dbGetFunc.req, dbGetFunc.res, getRenderPage('default', dbGetFunc.req, domain), getRenderArgs({
Added per-domain configuration of the MyServer action tab.
2020-09-28 23:28:08 +03:00
authCookie: authCookie,
authRelayCookie: authRelayCookie,
viewmode: viewmode,
currentNode: currentNode,
logoutControls: encodeURIComponent(JSON.stringify(logoutcontrols)).replace(/'/g, '%27'),
domain: domain.id,
debuglevel: parent.debugLevel,
serverDnsName: obj.getWebServerName(domain),
serverRedirPort: args.redirport,
serverPublicPort: httpsPort,
serverfeatures: serverFeatures,
Added option to remove clipboard get/set support.
2021-07-15 23:58:30 +03:00
features: allFeatures.features,
features2: allFeatures.features2,
Fixed default session renew timer.
2021-01-06 10:38:52 +03:00
sessiontime: (args.sessiontime) ? args.sessiontime : 60,
Added per-domain configuration of the MyServer action tab.
2020-09-28 23:28:08 +03:00
mpspass: args.mpspass,
passRequirements: passRequirements,
customui: customui,
webcerthash: Buffer.from(obj.webCertificateFullHashs[domain.id], 'binary').toString('base64').replace(/\+/g, '@').replace(/\//g, '$'),
footer: (domain.footer == null) ? '' : domain.footer,
webstate: encodeURIComponent(webstate).replace(/'/g, '%27'),
amtscanoptions: amtscanoptions,
pluginHandler: (parent.pluginHandler == null) ? 'null' : parent.pluginHandler.prepExports()
Fixed device notification email language translation, #3513
2022-01-23 11:34:47 +03:00
}, dbGetFunc.req, domain), user);
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
}
xdbGetFunc.req = req;
xdbGetFunc.res = res;
xdbGetFunc.user = user;
obj.db.Get('ws' + user._id, xdbGetFunc);
Initial main commit
2017-08-28 19:27:45 +03:00
} else {
// Send back the login application
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
// If this is a 2 factor auth request, look for a hardware key challenge.
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
// Normal login 2 factor request
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (req.session && (req.session.loginmode == 4) && (req.session.tuserid)) {
var user = obj.users[req.session.tuserid];
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
if (user != null) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequestEx: sending 2FA challenge.');
More FIDO2 fixes.
2019-03-26 00:43:58 +03:00
getHardwareKeyChallenge(req, domain, user, function (hwchallenge) { handleRootRequestLogin(req, res, domain, hwchallenge, passRequirements); });
Improved U2F authentication, added multiple U2F key support.
2019-02-11 03:04:36 +03:00
return;
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
}
}
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
// Password recovery 2 factor request
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (req.session && (req.session.loginmode == 5) && (req.session.temail)) {
obj.db.GetUserWithVerifiedEmail(domain.id, req.session.temail, function (err, docs) {
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
if ((err != null) || (docs.length == 0)) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequestEx: password recover 2FA fail.');
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
req.session = null;
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
res.redirect(domain.url + getQueryPortion(req)); // BAD***
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
} else {
var user = obj.users[docs[0]._id];
if (user != null) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequestEx: password recover 2FA challenge.');
More FIDO2 fixes.
2019-03-26 00:43:58 +03:00
getHardwareKeyChallenge(req, domain, user, function (hwchallenge) { handleRootRequestLogin(req, res, domain, hwchallenge, passRequirements); });
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
} else {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequestEx: password recover 2FA no user.');
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
req.session = null;
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
res.redirect(domain.url + getQueryPortion(req)); // BAD***
Added user account, user session and agent session per-domain limits.
2019-02-12 01:41:15 +03:00
}
}
});
return;
}
Improved U2F authentication, added multiple U2F key support.
2019-02-11 03:04:36 +03:00
handleRootRequestLogin(req, res, domain, '', passRequirements);
}
}
Completed support for hardware key 2-factor auth.
2019-02-08 09:30:33 +03:00
Added option to remove clipboard get/set support.
2021-07-15 23:58:30 +03:00
// Return a list of server supported features for a given domain and user
obj.getDomainUserFeatures = function(domain, user, req) {
var features = 0;
var features2 = 0;
if (obj.args.wanonly == true) { features += 0x00000001; } // WAN-only mode
if (obj.args.lanonly == true) { features += 0x00000002; } // LAN-only mode
if (obj.args.nousers == true) { features += 0x00000004; } // Single user mode
if (domain.userQuota == -1) { features += 0x00000008; } // No server files mode
if (obj.args.mpstlsoffload) { features += 0x00000010; } // No mutual-auth CIRA
if ((parent.config.settings.allowframing != null) || (domain.allowframing != null)) { features += 0x00000020; } // Allow site within iframe
if ((domain.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true)) { features += 0x00000040; } // Email invites
if (obj.args.webrtc == true) { features += 0x00000080; } // Enable WebRTC (Default false for now)
// 0x00000100 --> This feature flag is free for future use.
if (obj.args.allowhighqualitydesktop !== false) { features += 0x00000200; } // Enable AllowHighQualityDesktop (Default true)
if ((obj.args.lanonly == true) || (obj.args.mpsport == 0)) { features += 0x00000400; } // No CIRA
Fixed server update feature when given rights but are not administrator.
2022-03-25 21:13:47 +03:00
if ((obj.parent.serverSelfWriteAllowed == true) && (user != null) && ((user.siteadmin & 0x00000010) != 0)) { features += 0x00000800; } // Server can self-write (Allows self-update)
Added option to remove clipboard get/set support.
2021-07-15 23:58:30 +03:00
if ((parent.config.settings.no2factorauth !== true) && (domain.auth != 'sspi') && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.nousers !== true) && (user._id.split('/')[2][0] != '~')) { features += 0x00001000; } // 2FA login supported
if (domain.agentnoproxy === true) { features += 0x00002000; } // Indicates that agents should be installed without using a HTTP proxy
if ((parent.config.settings.no2factorauth !== true) && domain.yubikey && domain.yubikey.id && domain.yubikey.secret && (user._id.split('/')[2][0] != '~')) { features += 0x00004000; } // Indicates Yubikey support
if (domain.geolocation == true) { features += 0x00008000; } // Enable geo-location features
if ((domain.passwordrequirements != null) && (domain.passwordrequirements.hint === true)) { features += 0x00010000; } // Enable password hints
if (parent.config.settings.no2factorauth !== true) { features += 0x00020000; } // Enable WebAuthn/FIDO2 support
if ((obj.args.nousers != true) && (domain.passwordrequirements != null) && (domain.passwordrequirements.force2factor === true) && (user._id.split('/')[2][0] != '~')) {
// Check if we can skip 2nd factor auth because of the source IP address
var skip2factor = false;
if ((req != null) && (req.clientIp != null) && (domain.passwordrequirements != null) && (domain.passwordrequirements.skip2factor != null)) {
for (var i in domain.passwordrequirements.skip2factor) {
if (require('ipcheck').match(req.clientIp, domain.passwordrequirements.skip2factor[i]) === true) { skip2factor = true; }
}
}
if (skip2factor == false) { features += 0x00040000; } // Force 2-factor auth
}
if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { features += 0x00080000; } // LDAP or SSPI in use, warn that users must login first before adding a user to a group.
if (domain.amtacmactivation) { features += 0x00100000; } // Intel AMT ACM activation/upgrade is possible
if (domain.usernameisemail) { features += 0x00200000; } // Username is email address
if (parent.mqttbroker != null) { features += 0x00400000; } // This server supports MQTT channels
if (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null)) { features += 0x00800000; } // using email for 2FA is allowed
if (domain.agentinvitecodes == true) { features += 0x01000000; } // Support for agent invite codes
if (parent.smsserver != null) { features += 0x02000000; } // SMS messaging is supported
if ((parent.smsserver != null) && ((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false))) { features += 0x04000000; } // SMS 2FA is allowed
if (domain.sessionrecording != null) { features += 0x08000000; } // Server recordings enabled
if (domain.urlswitching === false) { features += 0x10000000; } // Disables the URL switching feature
if (domain.novnc === false) { features += 0x20000000; } // Disables noVNC
if (domain.mstsc !== true) { features += 0x40000000; } // Disables MSTSC.js
if (obj.isTrustedCert(domain) == false) { features += 0x80000000; } // Indicate we are not using a trusted certificate
if (obj.parent.amtManager != null) { features2 += 0x00000001; } // Indicates that the Intel AMT manager is active
if (obj.parent.firebase != null) { features2 += 0x00000002; } // Indicates the server supports Firebase push messaging
if ((obj.parent.firebase != null) && (obj.parent.firebase.pushOnly != true)) { features2 += 0x00000004; } // Indicates the server supports Firebase two-way push messaging
if (obj.parent.webpush != null) { features2 += 0x00000008; } // Indicates web push is enabled
if (((obj.args.noagentupdate == 1) || (obj.args.noagentupdate == true))) { features2 += 0x00000010; } // No agent update
if (parent.amtProvisioningServer != null) { features2 += 0x00000020; } // Intel AMT LAN provisioning server
if (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.push2factor != false)) && (obj.parent.firebase != null)) { features2 += 0x00000040; } // Indicates device push notification 2FA is enabled
You can now limit which users can create login tokens. #3787
2022-03-25 01:05:20 +03:00
if ((typeof domain.passwordrequirements != 'object') || ((domain.passwordrequirements.logintokens !== false) && ((Array.isArray(domain.passwordrequirements.logintokens) == false) || (domain.passwordrequirements.logintokens.indexOf(user._id) >= 0)))) { features2 += 0x00000080; } // Indicates login tokens are allowed
Added option to remove clipboard get/set support.
2021-07-15 23:58:30 +03:00
if (req.session.loginToken != null) { features2 += 0x00000100; } // LoginToken mode, no account changes.
if (domain.ssh == true) { features2 += 0x00000200; } // SSH is enabled
if (domain.localsessionrecording === false) { features2 += 0x00000400; } // Disable local recording feature
if (domain.clipboardget == false) { features2 += 0x00000800; } // Disable clipboard get
if (domain.clipboardset == false) { features2 += 0x00001000; } // Disable clipboard set
Completed remote desktop server view only option.
2021-07-18 09:03:44 +03:00
if ((typeof domain.desktop == 'object') && (domain.desktop.viewonly == true)) { features2 += 0x00002000; } // Indicates remote desktop is viewonly
Lots of work on email notification of device connect/disconnect.
2021-10-10 22:43:20 +03:00
if (domain.mailserver != null) { features2 += 0x00004000; } // Indicates email server is active
Added DeviceSearchBarServerAndClientName option, #3260
2021-11-08 22:04:32 +03:00
if (domain.devicesearchbarserverandclientname) { features2 += 0x00008000; } // Search bar will find both server name and client name
Added support for IP-KVM device groups.
2021-12-03 05:34:18 +03:00
if (domain.ipkvm) { features2 += 0x00010000; } // Indicates support for IP KVM device groups
Added option to remove OTP 2FA.
2021-12-12 03:08:26 +03:00
if ((domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)) { features2 += 0x00020000; } // Indicates support for OTP 2FA is disabled
Added backupcode2factor and single2factorWarning options, #3608
2022-02-08 05:06:22 +03:00
if ((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.backupcode2factor === false)) { features2 += 0x00040000; } // Indicates 2FA backup codes are disabled
if ((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.single2factorwarning === false)) { features2 += 0x00080000; } // Indicates no warning if a single 2FA is in use
Added server setting to force day/night mode, #3618
2022-02-08 21:13:52 +03:00
if (domain.nightmode === 1) { features2 += 0x00100000; } // Always night mode
if (domain.nightmode === 2) { features2 += 0x00200000; } // Always day mode
Added new allowSavingDeviceCredentials option, #3751
2022-03-16 03:00:43 +03:00
if (domain.allowsavingdevicecredentials == false) { features2 += 0x00400000; } // Do not allow device credentials to be saved on the server
Added option to remove clipboard get/set support.
2021-07-15 23:58:30 +03:00
return { features: features, features2: features2 };
}
Improved U2F authentication, added multiple U2F key support.
2019-02-11 03:04:36 +03:00
function handleRootRequestLogin(req, res, domain, hardwareKeyChallenge, passRequirements) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleRootRequestLogin()');
Improved U2F authentication, added multiple U2F key support.
2019-02-11 03:04:36 +03:00
var features = 0;
Fixed allowFraming option
2019-10-23 03:51:37 +03:00
if ((parent.config != null) && (parent.config.settings != null) && ((parent.config.settings.allowframing == true) || (typeof parent.config.settings.allowframing == 'string'))) { features += 32; } // Allow site within iframe
Improved keyboard support, new email as username mode.
2019-07-09 01:59:44 +03:00
if (domain.usernameisemail) { features += 0x00200000; } // Username is email address
Improved U2F authentication, added multiple U2F key support.
2019-02-11 03:04:36 +03:00
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
var loginmode = 0;
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
if (req.session) { loginmode = req.session.loginmode; delete req.session.loginmode; } // Clear this state, if the user hits refresh, we want to go back to the login page.
Improved U2F authentication, added multiple U2F key support.
2019-02-11 03:04:36 +03:00
Session and account improvements.
2019-02-11 07:13:03 +03:00
// Format an error message if needed
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
var passhint = null, msgid = 0;
Session and account improvements.
2019-02-11 07:13:03 +03:00
if (req.session != null) {
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
msgid = req.session.messageid;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if ((msgid == 5) || (loginmode == 7) || ((domain.passwordrequirements != null) && (domain.passwordrequirements.hint === true))) { passhint = EscapeHtml(req.session.passhint); }
Fixed internalization of server messages on the login screen.
2019-11-18 01:33:29 +03:00
delete req.session.messageid;
Session and account improvements.
2019-02-11 07:13:03 +03:00
delete req.session.passhint;
}
Added option to turn off reset account on login screen.
2022-02-04 18:29:18 +03:00
const allowAccountReset = ((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.allowaccountreset !== false));
const emailcheck = (allowAccountReset && (domain.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true) && (domain.auth != 'sspi') && (domain.auth != 'ldap'))
Removed email verification when authenticating using SSPI.
2019-02-21 05:09:57 +03:00
MeshCentral now defaults to not accepting new accounts on login screen.
2019-04-23 23:42:54 +03:00
// Check if we are allowed to create new users using the login screen
var newAccountsAllowed = true;
if ((domain.newaccounts !== 1) && (domain.newaccounts !== true)) { for (var i in obj.users) { if (obj.users[i].domain == domain.id) { newAccountsAllowed = false; break; } } }
Added server maintenance mode.
2020-11-21 03:43:58 +03:00
if (parent.config.settings.maintenancemode != null) { newAccountsAllowed = false; }
MeshCentral now defaults to not accepting new accounts on login screen.
2019-04-23 23:42:54 +03:00
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
// Encrypt the hardware key challenge state if needed
var hwstate = null;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (hardwareKeyChallenge) { hwstate = obj.parent.encodeCookie({ u: req.session.tuser, p: req.session.tpass, c: req.session.u2f }, obj.parent.loginCookieEncryptionKey) }
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
Password reset improvements.
2020-12-10 09:14:51 +03:00
// Check if we can use OTP tokens with email. We can't use email for 2FA password recovery (loginmode 5).
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
var otpemail = (loginmode != 5) && (domain.mailserver != null) && (req.session != null) && ((req.session.temail === 1) || (typeof req.session.temail == 'string'));
Completed email 2FA.
2020-03-15 01:03:50 +03:00
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.email2factor == false)) { otpemail = false; }
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
var otpsms = (parent.smsserver != null) && (req.session != null) && (req.session.tsms === 1);
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.sms2factor == false)) { otpsms = false; }
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
var otppush = (parent.firebase != null) && (req.session != null) && (req.session.tpush === 1);
More work on device 2FA.
2021-04-15 00:06:31 +03:00
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.push2factor == false)) { otppush = false; }
Added autofido2fa option in PasswordRequirements, #2952
2021-07-28 20:35:33 +03:00
const autofido = ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.autofido2fa == true)); // See if FIDO should be automatically prompted if user account has it.
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
Improved 2FA trusted cookie.
2020-04-30 01:45:31 +03:00
// See if we support two-factor trusted cookies
var twoFactorCookieDays = 30;
if (typeof domain.twofactorcookiedurationdays == 'number') { twoFactorCookieDays = domain.twofactorcookiedurationdays; }
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
// See what authentication strategies we have
var authStrategies = [];
if (typeof domain.authstrategies == 'object') {
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
if (typeof domain.authstrategies.twitter == 'object') { authStrategies.push('twitter'); }
if (typeof domain.authstrategies.google == 'object') { authStrategies.push('google'); }
if (typeof domain.authstrategies.github == 'object') { authStrategies.push('github'); }
if (typeof domain.authstrategies.reddit == 'object') { authStrategies.push('reddit'); }
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (typeof domain.authstrategies.azure == 'object') { authStrategies.push('azure'); }
implemented passport-openidconnect used passport-openidconnect to get login 90% working, i get as far as the oidc host sending me back to mesh central with a good auth but i dont get logged in, still testing
2022-04-06 19:40:42 +03:00
if (typeof domain.authstrategies.oidc == 'object') { authStrategies.push('oidc'); }
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
if (typeof domain.authstrategies.intel == 'object') { authStrategies.push('intel'); }
if (typeof domain.authstrategies.jumpcloud == 'object') { authStrategies.push('jumpcloud'); }
if (typeof domain.authstrategies.saml == 'object') { authStrategies.push('saml'); }
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
}
Added support for custom ui buttons and dialogs.
2020-06-02 03:26:27 +03:00
// Custom user interface
var customui = '';
if (domain.customui != null) { customui = encodeURIComponent(JSON.stringify(domain.customui)); }
Added 2FA timeout on login screen, default is 5 minutes.
2021-07-25 01:14:21 +03:00
// Get two-factor screen timeout
var twoFactorTimeout = 300000; // Default is 5 minutes, 0 for no timeout.
if ((typeof domain.passwordrequirements == 'object') && (typeof domain.passwordrequirements.twofactortimeout == 'number')) {
twoFactorTimeout = domain.passwordrequirements.twofactortimeout * 1000;
}
Improved meshcentral-web customization support.
2019-08-25 21:08:32 +03:00
// Render the login page
Fixed default session renew timer.
2021-01-06 10:38:52 +03:00
render(req, res,
getRenderPage((domain.sitestyle == 2) ? 'login2' : 'login', req, domain),
getRenderArgs({
loginmode: loginmode,
Fixed root cert link when using multi-domains, #2883.
2021-07-10 23:22:46 +03:00
rootCertLink: getRootCertLink(domain),
Fixed default session renew timer.
2021-01-06 10:38:52 +03:00
newAccount: newAccountsAllowed,
newAccountPass: (((domain.newaccountspass == null) || (domain.newaccountspass == '')) ? 0 : 1),
serverDnsName: obj.getWebServerName(domain),
serverPublicPort: httpsPort,
passlogin: (typeof domain.showpasswordlogin == 'boolean') ? domain.showpasswordlogin : true,
emailcheck: emailcheck,
features: features,
sessiontime: (args.sessiontime) ? args.sessiontime : 60,
passRequirements: passRequirements,
customui: customui,
footer: (domain.loginfooter == null) ? '' : domain.loginfooter,
hkey: encodeURIComponent(hardwareKeyChallenge).replace(/'/g, '%27'),
messageid: msgid,
passhint: passhint,
welcometext: domain.welcometext ? encodeURIComponent(domain.welcometext).split('\'').join('\\\'') : null,
Updated MeshCentral Router.
2021-05-10 22:19:53 +03:00
welcomePictureFullScreen: ((typeof domain.welcomepicturefullscreen == 'boolean') ? domain.welcomepicturefullscreen : false),
Fixed default session renew timer.
2021-01-06 10:38:52 +03:00
hwstate: hwstate,
otpemail: otpemail,
otpsms: otpsms,
More work on mobile 2FA.
2021-04-14 09:23:09 +03:00
otppush: otppush,
Added autofido2fa option in PasswordRequirements, #2952
2021-07-28 20:35:33 +03:00
autofido: autofido,
Fixed default session renew timer.
2021-01-06 10:38:52 +03:00
twoFactorCookieDays: twoFactorCookieDays,
authStrategies: authStrategies.join(','),
Added 2FA timeout on login screen, default is 5 minutes.
2021-07-25 01:14:21 +03:00
loginpicture: (typeof domain.loginpicture == 'string'),
tokenTimeout: twoFactorTimeout // Two-factor authentication screen timeout in milliseconds
Fixed default session renew timer.
2021-01-06 10:38:52 +03:00
}, req, domain, (domain.sitestyle == 2) ? 'login2' : 'login'));
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
}
// Handle a post request on the root
function handleRootPostRequest(req, res) {
Added 3FA using LoginKey in domain section of config.json, add &key= to URL.
2019-11-22 05:57:57 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added toggle footer bar option in webapp.
2019-12-22 03:07:25 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.end("Not Found"); return; } // Check 3FA URL key
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
parent.debug('web', 'handleRootPostRequest, action: ' + req.body.action);
Fixed EXDEV error on rename.
2020-02-01 01:44:11 +03:00
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
switch (req.body.action) {
case 'login': { handleLoginRequest(req, res, true); break; }
case 'tokenlogin': {
if (req.body.hwstate) {
var cookie = obj.parent.decodeCookie(req.body.hwstate, obj.parent.loginCookieEncryptionKey, 10);
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (cookie != null) { req.session.tuser = cookie.u; req.session.tpass = cookie.p; req.session.u2f = cookie.c; }
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
}
handleLoginRequest(req, res, true); break;
}
More work on device 2FA.
2021-04-14 23:28:51 +03:00
case 'pushlogin': {
if (req.body.hwstate) {
var cookie = obj.parent.decodeCookie(req.body.hwstate, obj.parent.loginCookieEncryptionKey, 1);
if ((cookie != null) && (typeof cookie.u == 'string') && (cookie.d == domain.id) && (cookie.a == 'pushAuth')) {
More work on device 2FA.
2021-04-15 00:06:31 +03:00
// Push authentication is a success, login the user
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
req.session = { userid: cookie.u };
More work on device 2FA.
2021-04-15 00:06:31 +03:00
// Check if we need to remember this device
if ((req.body.remembertoken === 'on') && ((domain.twofactorcookiedurationdays == null) || (domain.twofactorcookiedurationdays > 0))) {
var maxCookieAge = domain.twofactorcookiedurationdays;
if (typeof maxCookieAge != 'number') { maxCookieAge = 30; }
const twoFactorCookie = obj.parent.encodeCookie({ userid: cookie.u, expire: maxCookieAge * 24 * 60 /*, ip: req.clientIp*/ }, obj.parent.loginCookieEncryptionKey);
Fixed session IP check still being performed when CookieIpCheck is false.
2022-02-24 23:22:01 +03:00
res.cookie('twofactor', twoFactorCookie, { maxAge: (maxCookieAge * 24 * 60 * 60 * 1000), httpOnly: true, sameSite: ((parent.config.settings.cookieipcheck === false) ? 'none' : 'strict'), secure: true });
More work on device 2FA.
2021-04-15 00:06:31 +03:00
}
More work on device 2FA.
2021-04-14 23:28:51 +03:00
handleRootRequestEx(req, res, domain);
return;
}
}
handleLoginRequest(req, res, true); break;
}
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
case 'changepassword': { handlePasswordChangeRequest(req, res, true); break; }
case 'deleteaccount': { handleDeleteAccountRequest(req, res, true); break; }
case 'createaccount': { handleCreateAccountRequest(req, res, true); break; }
case 'resetpassword': { handleResetPasswordRequest(req, res, true); break; }
case 'resetaccount': { handleResetAccountRequest(req, res, true); break; }
Added email validation login page.
2020-04-21 11:50:27 +03:00
case 'checkemail': { handleCheckAccountEmailRequest(req, res, true); break; }
Added support for browsers that don't support cookies.
2019-08-26 22:20:24 +03:00
default: { handleLoginRequest(req, res, true); break; }
}
Initial main commit
2017-08-28 19:27:45 +03:00
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Many server improvements & stability fixes.
2019-02-15 01:44:38 +03:00
// Return true if it looks like we are using a real TLS certificate.
Fixed EXDEV error on rename.
2020-02-01 01:44:11 +03:00
obj.isTrustedCert = function (domain) {
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
if ((domain != null) && (typeof domain.trustedcert == 'boolean')) return domain.trustedcert; // If the status of the cert specified, use that.
if (typeof obj.args.trustedcert == 'boolean') return obj.args.trustedcert; // If the status of the cert specified, use that.
Many server improvements & stability fixes.
2019-02-15 01:44:38 +03:00
if (obj.args.tlsoffload != null) return true; // We are using TLS offload, a real cert is likely used.
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
if (obj.parent.config.letsencrypt != null) return (obj.parent.config.letsencrypt.production === true); // We are using Let's Encrypt, real cert in use if production is set to true.
Many server improvements & stability fixes.
2019-02-15 01:44:38 +03:00
if (obj.certificates.WebIssuer.indexOf('MeshCentralRoot-') == 0) return false; // Our cert is issued by self-signed cert.
Server improvements, first Intel AMT CCM activation.
2019-03-05 10:48:45 +03:00
if (obj.certificates.CommonName.indexOf('.') == -1) return false; // Our cert is named with a fake name
Many server improvements & stability fixes.
2019-02-15 01:44:38 +03:00
return true; // This is a guess
}
Initial main commit
2017-08-28 19:27:45 +03:00
// Get the link to the root certificate if needed
Fixed root cert link when using multi-domains, #2883.
2021-07-10 23:22:46 +03:00
function getRootCertLink(domain) {
Partinally ran code thru JsHint
2018-08-30 03:40:30 +03:00
// Check if the HTTPS certificate is issued from MeshCentralRoot, if so, add download link to root certificate.
Fixed root cert link when using multi-domains, #2883.
2021-07-10 23:22:46 +03:00
if (obj.isTrustedCert(domain) == false) {
// Get the domain suffix
var xdomain = (domain.dns == null) ? domain.id : '';
if (xdomain != '') xdomain += '/';
return '<a href=/' + xdomain + 'MeshServerRootCert.cer title="Download the root certificate for this server">Root Certificate</a>';
}
Initial main commit
2017-08-28 19:27:45 +03:00
return '';
}
Added xterm terminal and fixed device link.
2020-01-24 02:15:56 +03:00
// Serve the xterm page
function handleXTermRequest(req, res) {
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added xterm terminal and fixed device link.
2020-01-24 02:15:56 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
parent.debug('web', 'handleXTermRequest: sending xterm');
Added Webkit download bug workaround.
2020-10-02 23:17:53 +03:00
res.set({ 'Cache-Control': 'no-store' });
Added xterm terminal and fixed device link.
2020-01-24 02:15:56 +03:00
if (req.session && req.session.userid) {
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (req.session.userid.split('/')[1] != domain.id) { res.redirect(domain.url + getQueryPortion(req)); return; } // Check if the session is for the correct domain
Added xterm terminal and fixed device link.
2020-01-24 02:15:56 +03:00
var user = obj.users[req.session.userid];
if ((user == null) || (req.query.nodeid == null)) { res.redirect(domain.url + getQueryPortion(req)); return; } // Check if the user exists
// Check permissions
obj.GetNodeWithRights(domain, user, req.query.nodeid, function (node, rights, visible) {
if ((node == null) || ((rights & 8) == 0) || ((rights != 0xFFFFFFFF) && ((rights & 512) != 0))) { res.redirect(domain.url + getQueryPortion(req)); return; }
var logoutcontrols = { name: user.name };
var extras = (req.query.key != null) ? ('&key=' + req.query.key) : '';
if ((domain.ldap == null) && (domain.sspi == null) && (obj.args.user == null) && (obj.args.nousers != true)) { logoutcontrols.logoutUrl = (domain.url + 'logout?' + Math.random() + extras); } // If a default user is in use or no user mode, don't display the logout button
// Create a authentication cookie
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
const authCookie = obj.parent.encodeCookie({ userid: user._id, domainid: domain.id, ip: req.clientIp }, obj.parent.loginCookieEncryptionKey);
Added xterm terminal and fixed device link.
2020-01-24 02:15:56 +03:00
const authRelayCookie = obj.parent.encodeCookie({ ruserid: user._id, domainid: domain.id }, obj.parent.loginCookieEncryptionKey);
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
Fixed accounts names with single quote.
2020-05-10 01:56:40 +03:00
render(req, res, getRenderPage('xterm', req, domain), getRenderArgs({ serverDnsName: obj.getWebServerName(domain), serverRedirPort: args.redirport, serverPublicPort: httpsPort, authCookie: authCookie, authRelayCookie: authRelayCookie, logoutControls: encodeURIComponent(JSON.stringify(logoutcontrols)).replace(/'/g, '%27'), name: EscapeHtml(node.name) }, req, domain));
Added xterm terminal and fixed device link.
2020-01-24 02:15:56 +03:00
});
} else {
res.redirect(domain.url + getQueryPortion(req));
return;
}
}
Many fixes.
2018-12-20 23:12:24 +03:00
// Render the terms of service.
Initial main commit
2017-08-28 19:27:45 +03:00
function handleTermsRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Added a way to specify terms of service in terms.txt.
2018-11-29 03:33:07 +03:00
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
// See if term.txt was loaded from the database
if ((parent.configurationFiles != null) && (parent.configurationFiles['terms.txt'] != null)) {
// Send the terms from the database
Added Webkit download bug workaround.
2020-10-02 23:17:53 +03:00
res.set({ 'Cache-Control': 'no-store' });
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
if (req.session && req.session.userid) {
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (req.session.userid.split('/')[1] != domain.id) { req.session = null; res.redirect(domain.url + getQueryPortion(req)); return; } // Check if the session is for the correct domain
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
var user = obj.users[req.session.userid];
Improved internalization, french translation.
2019-12-02 02:21:33 +03:00
var logoutcontrols = { name: user.name };
Added 3FA using LoginKey in domain section of config.json, add &key= to URL.
2019-11-22 05:57:57 +03:00
var extras = (req.query.key != null) ? ('&key=' + req.query.key) : '';
Improved internalization, french translation.
2019-12-02 02:21:33 +03:00
if ((domain.ldap == null) && (domain.sspi == null) && (obj.args.user == null) && (obj.args.nousers != true)) { logoutcontrols.logoutUrl = (domain.url + 'logout?' + Math.random() + extras); } // If a default user is in use or no user mode, don't display the logout button
Fixed accounts names with single quote.
2020-05-10 01:56:40 +03:00
render(req, res, getRenderPage('terms', req, domain), getRenderArgs({ terms: encodeURIComponent(parent.configurationFiles['terms.txt'].toString()).split('\'').join('\\\''), logoutControls: encodeURIComponent(JSON.stringify(logoutcontrols)).replace(/'/g, '%27') }, req, domain));
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
} else {
Full minification support in all languages.
2020-05-03 09:49:59 +03:00
render(req, res, getRenderPage('terms', req, domain), getRenderArgs({ terms: encodeURIComponent(parent.configurationFiles['terms.txt'].toString()).split('\'').join('\\\''), logoutControls: encodeURIComponent('{}') }, req, domain));
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
}
} else {
// See if there is a terms.txt file in meshcentral-data
var p = obj.path.join(obj.parent.datapath, 'terms.txt');
if (obj.fs.existsSync(p)) {
obj.fs.readFile(p, 'utf8', function (err, data) {
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
if (err != null) { parent.debug('web', 'handleTermsRequest: no terms.txt'); res.sendStatus(404); return; }
Added a way to specify terms of service in terms.txt.
2018-11-29 03:33:07 +03:00
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
// Send the terms from terms.txt
Added Webkit download bug workaround.
2020-10-02 23:17:53 +03:00
res.set({ 'Cache-Control': 'no-store' });
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
if (req.session && req.session.userid) {
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (req.session.userid.split('/')[1] != domain.id) { req.session = null; res.redirect(domain.url + getQueryPortion(req)); return; } // Check if the session is for the correct domain
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
var user = obj.users[req.session.userid];
Improved internalization, french translation.
2019-12-02 02:21:33 +03:00
var logoutcontrols = { name: user.name };
Added 3FA using LoginKey in domain section of config.json, add &key= to URL.
2019-11-22 05:57:57 +03:00
var extras = (req.query.key != null) ? ('&key=' + req.query.key) : '';
Improved internalization, french translation.
2019-12-02 02:21:33 +03:00
if ((domain.ldap == null) && (domain.sspi == null) && (obj.args.user == null) && (obj.args.nousers != true)) { logoutcontrols.logoutUrl = (domain.url + 'logout?' + Math.random() + extras); } // If a default user is in use or no user mode, don't display the logout button
Fixed accounts names with single quote.
2020-05-10 01:56:40 +03:00
render(req, res, getRenderPage('terms', req, domain), getRenderArgs({ terms: encodeURIComponent(data).split('\'').join('\\\''), logoutControls: encodeURIComponent(JSON.stringify(logoutcontrols)).replace(/'/g, '%27') }, req, domain));
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
} else {
Full minification support in all languages.
2020-05-03 09:49:59 +03:00
render(req, res, getRenderPage('terms', req, domain), getRenderArgs({ terms: encodeURIComponent(data).split('\'').join('\\\''), logoutControls: encodeURIComponent('{}') }, req, domain));
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
}
});
} else {
// Send the default terms
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
parent.debug('web', 'handleTermsRequest: sending default terms');
Added Webkit download bug workaround.
2020-10-02 23:17:53 +03:00
res.set({ 'Cache-Control': 'no-store' });
Added a way to specify terms of service in terms.txt.
2018-11-29 03:33:07 +03:00
if (req.session && req.session.userid) {
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (req.session.userid.split('/')[1] != domain.id) { req.session = null; res.redirect(domain.url + getQueryPortion(req)); return; } // Check if the session is for the correct domain
Added a way to specify terms of service in terms.txt.
2018-11-29 03:33:07 +03:00
var user = obj.users[req.session.userid];
Improved internalization, french translation.
2019-12-02 02:21:33 +03:00
var logoutcontrols = { name: user.name };
Added 3FA using LoginKey in domain section of config.json, add &key= to URL.
2019-11-22 05:57:57 +03:00
var extras = (req.query.key != null) ? ('&key=' + req.query.key) : '';
Improved internalization, french translation.
2019-12-02 02:21:33 +03:00
if ((domain.ldap == null) && (domain.sspi == null) && (obj.args.user == null) && (obj.args.nousers != true)) { logoutcontrols.logoutUrl = (domain.url + 'logout?' + Math.random() + extras); } // If a default user is in use or no user mode, don't display the logout button
Fixed accounts names with single quote.
2020-05-10 01:56:40 +03:00
render(req, res, getRenderPage('terms', req, domain), getRenderArgs({ logoutControls: encodeURIComponent(JSON.stringify(logoutcontrols)).replace(/'/g, '%27') }, req, domain));
Added a way to specify terms of service in terms.txt.
2018-11-29 03:33:07 +03:00
} else {
Full minification support in all languages.
2020-05-03 09:49:59 +03:00
render(req, res, getRenderPage('terms', req, domain), getRenderArgs({ logoutControls: encodeURIComponent('{}') }, req, domain));
Added a way to specify terms of service in terms.txt.
2018-11-29 03:33:07 +03:00
}
}
Initial main commit
2017-08-28 19:27:45 +03:00
}
}
Many fixes.
2018-12-20 23:12:24 +03:00
// Render the messenger application.
function handleMessengerRequest(req, res) {
Fixed chat not working when UserAllowedIP is set.
2019-10-10 21:43:21 +03:00
const domain = getDomain(req);
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
if (domain == null) { parent.debug('web', 'handleMessengerRequest: no domain'); res.sendStatus(404); return; }
parent.debug('web', 'handleMessengerRequest()');
Terminal is not bash, fixed chat feature.
2019-05-30 19:40:59 +03:00
Added server maintenance mode.
2020-11-21 03:43:58 +03:00
// Check if we are in maintenance mode
if (parent.config.settings.maintenancemode != null) {
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 3, msgid: 13, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27') }, req, domain));
return;
}
First version with FireFox push messaging support.
2021-02-10 04:36:30 +03:00
// Check if this session is for a user
if (req.query.id == null) { res.sendStatus(404); return; }
var idSplit = decodeURIComponent(req.query.id).split('/');
if ((idSplit.length != 7) || (idSplit[0] != 'meshmessenger')) { res.sendStatus(404); return; }
if ((idSplit[1] == 'user') && (idSplit[4] == 'user')) {
// This is a user to user conversation, both users must be logged in.
var user1 = idSplit[1] + '/' + idSplit[2] + '/' + idSplit[3]
var user2 = idSplit[4] + '/' + idSplit[5] + '/' + idSplit[6]
if (!req.session || !req.session.userid) {
// Redirect to login page
if (req.query.key != null) { res.redirect(domain.url + '?key=' + req.query.key + '&meshmessengerid=' + req.query.id); } else { res.redirect(domain.url + '?meshmessengerid=' + req.query.id); }
return;
}
if ((req.session.userid != user1) && (req.session.userid != user2)) { res.sendStatus(404); return; }
}
Added MeshMessenger title bar customization.
2021-01-25 11:04:43 +03:00
// Get WebRTC configuration
Many fixes.
2018-12-20 23:12:24 +03:00
var webRtcConfig = null;
Code fixes & clean up.
2020-07-06 22:46:38 +03:00
if (obj.parent.config.settings && obj.parent.config.settings.webrtconfig && (typeof obj.parent.config.settings.webrtconfig == 'object')) { webRtcConfig = encodeURIComponent(JSON.stringify(obj.parent.config.settings.webrtconfig)).replace(/'/g, '%27'); }
MeshMessenger improvements on mobile devices.
2021-01-05 13:05:34 +03:00
else if (args.webrtconfig && (typeof args.webrtconfig == 'object')) { webRtcConfig = encodeURIComponent(JSON.stringify(args.webrtconfig)).replace(/'/g, '%27'); }
Added MeshMessenger title bar customization.
2021-01-25 11:04:43 +03:00
// Setup other options
var options = { webrtconfig: webRtcConfig };
if (typeof domain.meshmessengertitle == 'string') { options.meshMessengerTitle = domain.meshmessengertitle; } else { options.meshMessengerTitle = '!'; }
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
// Get the userid and name
if ((domain.meshmessengertitle != null) && (req.query.id != null) && (req.query.id.startsWith('meshmessenger/node'))) {
if (idSplit.length == 7) {
const user = obj.users[idSplit[4] + '/' + idSplit[5] + '/' + idSplit[6]];
if (user != null) {
Minor messenger username fix.
2021-01-28 02:35:58 +03:00
if (domain.meshmessengertitle.indexOf('{0}') >= 0) { options.username = encodeURIComponent(user.realname ? user.realname : user.name).replace(/'/g, '%27'); }
Added Alpine Linux values.
2021-01-28 10:37:44 +03:00
if (domain.meshmessengertitle.indexOf('{1}') >= 0) { options.userid = encodeURIComponent(user.name).replace(/'/g, '%27'); }
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
}
}
}
Added MeshMessenger title bar customization.
2021-01-25 11:04:43 +03:00
// Render the page
Added Webkit download bug workaround.
2020-10-02 23:17:53 +03:00
res.set({ 'Cache-Control': 'no-store' });
Added MeshMessenger title bar customization.
2021-01-25 11:04:43 +03:00
render(req, res, getRenderPage('messenger', req, domain), getRenderArgs(options, req, domain));
}
// Handle messenger image request
function handleMessengerImageRequest(req, res) {
const domain = getDomain(req);
if (domain == null) { parent.debug('web', 'handleMessengerImageRequest: no domain'); res.sendStatus(404); return; }
parent.debug('web', 'handleMessengerImageRequest()');
// Check if we are in maintenance mode
if (parent.config.settings.maintenancemode != null) { res.sendStatus(404); return; }
//res.set({ 'Cache-Control': 'max-age=86400' }); // 1 day
if (domain.meshmessengerpicture) {
// Use the configured messenger logo picture
Handle all configured paths as potentially absolute
2021-07-29 17:38:44 +03:00
try { res.sendFile(obj.common.joinPath(obj.parent.datapath, domain.meshmessengerpicture)); return; } catch (ex) { }
Added MeshMessenger title bar customization.
2021-01-25 11:04:43 +03:00
}
var imagefile = 'images/messenger.png';
if (domain.webpublicpath != null) {
obj.fs.exists(obj.path.join(domain.webpublicpath, imagefile), function (exists) {
if (exists) {
// Use the domain logo picture
try { res.sendFile(obj.path.join(domain.webpublicpath, imagefile)); } catch (ex) { res.sendStatus(404); }
} else {
// Use the default logo picture
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, imagefile)); } catch (ex) { res.sendStatus(404); }
}
});
} else if (parent.webPublicOverridePath) {
obj.fs.exists(obj.path.join(obj.parent.webPublicOverridePath, imagefile), function (exists) {
if (exists) {
// Use the override logo picture
try { res.sendFile(obj.path.join(obj.parent.webPublicOverridePath, imagefile)); } catch (ex) { res.sendStatus(404); }
} else {
// Use the default logo picture
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, imagefile)); } catch (ex) { res.sendStatus(404); }
}
});
} else {
// Use the default logo picture
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, imagefile)); } catch (ex) { res.sendStatus(404); }
}
Many fixes.
2018-12-20 23:12:24 +03:00
}
Initial main commit
2017-08-28 19:27:45 +03:00
// Returns the server root certificate encoded in base64
function getRootCertBase64() {
var rootcert = obj.certificates.root.cert;
Centralization of user access control.
2019-12-27 09:53:01 +03:00
var i = rootcert.indexOf('-----BEGIN CERTIFICATE-----\r\n');
Initial main commit
2017-08-28 19:27:45 +03:00
if (i >= 0) { rootcert = rootcert.substring(i + 29); }
Centralization of user access control.
2019-12-27 09:53:01 +03:00
i = rootcert.indexOf('-----END CERTIFICATE-----');
Initial main commit
2017-08-28 19:27:45 +03:00
if (i >= 0) { rootcert = rootcert.substring(i, 0); }
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-03 05:03:34 +03:00
return Buffer.from(rootcert, 'base64').toString('base64');
Initial main commit
2017-08-28 19:27:45 +03:00
}
// Returns the mesh server root certificate
function handleRootCertRequest(req, res) {
Added 3FA using LoginKey in domain section of config.json, add &key= to URL.
2019-11-22 05:57:57 +03:00
const domain = getDomain(req);
if (domain == null) { parent.debug('web', 'handleRootCertRequest: no domain'); res.sendStatus(404); return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Improved server tracing, added 1h static file max-age.
2019-08-24 01:45:36 +03:00
if ((obj.userAllowedIp != null) && (checkIpAddressEx(req, res, obj.userAllowedIp, false) === false)) { parent.debug('web', 'handleRootCertRequest: invalid ip'); return; } // Check server-wide IP filter only.
parent.debug('web', 'handleRootCertRequest()');
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
setContentDispositionHeader(res, 'application/octet-stream', certificates.RootName + '.cer', null, 'rootcert.cer');
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-03 05:03:34 +03:00
res.send(Buffer.from(getRootCertBase64(), 'base64'));
Initial main commit
2017-08-28 19:27:45 +03:00
}
// Handle user public file downloads
function handleDownloadUserFiles(req, res) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Added 3FA using LoginKey in domain section of config.json, add &key= to URL.
2019-11-22 05:57:57 +03:00
Minor security fixes.
2019-01-05 04:59:13 +03:00
if (obj.common.validateString(req.path, 1, 4096) == false) { res.sendStatus(404); return; }
Improved web interface for getting started.
2017-10-03 00:12:29 +03:00
var domainname = 'domain', spliturl = decodeURIComponent(req.path).split('/'), filename = '';
Initial main commit
2017-08-28 19:27:45 +03:00
if ((spliturl.length < 3) || (obj.common.IsFilenameValid(spliturl[2]) == false) || (domain.userQuota == -1)) { res.sendStatus(404); return; }
if (domain.id != '') { domainname = 'domain-' + domain.id; }
Centralization of user access control.
2019-12-27 09:53:01 +03:00
var path = obj.path.join(obj.filespath, domainname + '/user-' + spliturl[2] + '/Public');
Initial main commit
2017-08-28 19:27:45 +03:00
for (var i = 3; i < spliturl.length; i++) { if (obj.common.IsFilenameValid(spliturl[i]) == true) { path += '/' + spliturl[i]; filename = spliturl[i]; } else { res.sendStatus(404); return; } }
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
var stat = null;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
try { stat = obj.fs.statSync(path); } catch (e) { }
Initial main commit
2017-08-28 19:27:45 +03:00
if ((stat != null) && ((stat.mode & 0x004000) == 0)) {
if (req.query.download == 1) {
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
setContentDispositionHeader(res, 'application/octet-stream', filename, null, 'file.bin');
Initial main commit
2017-08-28 19:27:45 +03:00
try { res.sendFile(obj.path.resolve(__dirname, path)); } catch (e) { res.sendStatus(404); }
} else {
Fixed root cert link when using multi-domains, #2883.
2021-07-10 23:22:46 +03:00
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'download2' : 'download', req, domain), getRenderArgs({ rootCertLink: getRootCertLink(domain), messageid: 1, fileurl: req.path + '?download=1', filename: filename, filesize: stat.size }, req, domain));
Initial main commit
2017-08-28 19:27:45 +03:00
}
} else {
Fixed root cert link when using multi-domains, #2883.
2021-07-10 23:22:46 +03:00
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'download2' : 'download', req, domain), getRenderArgs({ rootCertLink: getRootCertLink(domain), messageid: 2 }, req, domain));
Initial main commit
2017-08-28 19:27:45 +03:00
}
}
Added support for device stream downloads.
2020-08-27 04:42:41 +03:00
// Handle device file request
function handleDeviceFile(req, res) {
const domain = checkUserIpAddress(req, res);
if (domain == null) { return; }
Completed improved device guest sharing.
2021-04-09 23:27:21 +03:00
if ((req.query.c == null) || (req.query.f == null)) { res.sendStatus(404); return; }
Added support for device stream downloads.
2020-08-27 04:42:41 +03:00
// Check the inbound desktop sharing cookie
var c = obj.parent.decodeCookie(req.query.c, obj.parent.loginCookieEncryptionKey, 60); // 60 minute timeout
if ((c == null) || (c.domainid !== domain.id)) { res.sendStatus(404); return; }
// Check userid
const user = obj.users[c.userid];
if ((c == user)) { res.sendStatus(404); return; }
Completed improved device guest sharing.
2021-04-09 23:27:21 +03:00
// If this cookie has restricted usages, check that it's allowed to perform downloads
if (Array.isArray(c.usages) && (c.usages.indexOf(10) < 0)) { res.sendStatus(404); return; } // Check protocol #10
if (c.nid != null) { req.query.n = c.nid.split('/')[2]; } // This cookie is restricted to a specific nodeid.
if (req.query.n == null) { res.sendStatus(404); return; }
Added support for device stream downloads.
2020-08-27 04:42:41 +03:00
// Check if this user has permission to manage this computer
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
obj.GetNodeWithRights(domain, user, 'node/' + domain.id + '/' + req.query.n, function (node, rights, visible) {
if ((node == null) || ((rights & MESHRIGHT_REMOTECONTROL) == 0) || (visible == false)) { res.sendStatus(404); return; } // We don't have remote control rights to this device
Added support for device stream downloads.
2020-08-27 04:42:41 +03:00
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
// All good, start the file transfer
req.query.id = getRandomLowerCase(12);
obj.meshDeviceFileHandler.CreateMeshDeviceFile(obj, null, res, req, domain, user, node.meshid, node._id);
});
Added support for device stream downloads.
2020-08-27 04:42:41 +03:00
}
Added multi-agent upload feature.
2020-11-08 12:13:23 +03:00
// Handle download of a server file by an agent
function handleAgentDownloadFile(req, res) {
const domain = checkUserIpAddress(req, res);
if (domain == null) { return; }
if (req.query.c == null) { res.sendStatus(404); return; }
// Check the inbound desktop sharing cookie
var c = obj.parent.decodeCookie(req.query.c, obj.parent.loginCookieEncryptionKey, 5); // 5 minute timeout
if ((c == null) || (c.a != 'tmpdl') || (c.d != domain.id) || (c.nid == null) || (c.f == null) || (obj.common.IsFilenameValid(c.f) == false)) { res.sendStatus(404); return; }
// Send the file back
try { res.sendFile(obj.path.join(obj.filespath, 'tmp', c.f)); return; } catch (ex) { res.sendStatus(404); }
}
Added customization of the web site title logo.
2018-12-22 01:39:26 +03:00
// Handle logo request
function handleLogoRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added customization of the web site title logo.
2018-12-22 01:39:26 +03:00
Removed 1h cache, back to etag.
2019-12-21 01:50:06 +03:00
//res.set({ 'Cache-Control': 'max-age=86400' }); // 1 day
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain.titlepicture) {
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
if ((parent.configurationFiles != null) && (parent.configurationFiles[domain.titlepicture] != null)) {
// Use the logo in the database
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
res.set({ 'Content-Type': domain.titlepicture.toLowerCase().endsWith('.png')?'image/png':'image/jpeg' });
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
res.send(parent.configurationFiles[domain.titlepicture]);
Rebranding fixes
2019-09-15 22:47:59 +03:00
return;
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
} else {
// Use the logo on file
Handle all configured paths as potentially absolute
2021-07-29 17:38:44 +03:00
try { res.sendFile(obj.common.joinPath(obj.parent.datapath, domain.titlepicture)); return; } catch (ex) { }
Added customization of the web site title logo.
2018-12-22 01:39:26 +03:00
}
Rebranding fixes
2019-09-15 22:47:59 +03:00
}
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if ((domain.webpublicpath != null) && (obj.fs.existsSync(obj.path.join(domain.webpublicpath, 'images/logoback.png')))) {
Added support for per-domain web folder.
2020-03-25 23:21:14 +03:00
// Use the domain logo picture
try { res.sendFile(obj.path.join(domain.webpublicpath, 'images/logoback.png')); } catch (ex) { res.sendStatus(404); }
} else if (parent.webPublicOverridePath && obj.fs.existsSync(obj.path.join(obj.parent.webPublicOverridePath, 'images/logoback.png'))) {
Rebranding fixes
2019-09-15 22:47:59 +03:00
// Use the override logo picture
try { res.sendFile(obj.path.join(obj.parent.webPublicOverridePath, 'images/logoback.png')); } catch (ex) { res.sendStatus(404); }
Added customization of the web site title logo.
2018-12-22 01:39:26 +03:00
} else {
Rebranding fixes
2019-09-15 22:47:59 +03:00
// Use the default logo picture
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, 'images/logoback.png')); } catch (ex) { res.sendStatus(404); }
Added customization of the web site title logo.
2018-12-22 01:39:26 +03:00
}
}
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
// Handle login logo request
function handleLoginLogoRequest(req, res) {
const domain = checkUserIpAddress(req, res);
if (domain == null) { return; }
//res.set({ 'Cache-Control': 'max-age=86400' }); // 1 day
if (domain.loginpicture) {
if ((parent.configurationFiles != null) && (parent.configurationFiles[domain.loginpicture] != null)) {
// Use the logo in the database
res.set({ 'Content-Type': domain.loginpicture.toLowerCase().endsWith('.png') ? 'image/png' : 'image/jpeg' });
res.send(parent.configurationFiles[domain.loginpicture]);
return;
} else {
// Use the logo on file
Handle all configured paths as potentially absolute
2021-07-29 17:38:44 +03:00
try { res.sendFile(obj.common.joinPath(obj.parent.datapath, domain.loginpicture)); return; } catch (ex) { res.sendStatus(404); }
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
}
Version 0.7.33
2020-12-30 02:13:09 +03:00
} else {
res.sendStatus(404);
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
}
}
Improved translator web application.
2019-12-06 02:33:22 +03:00
// Handle translation request
function handleTranslationsRequest(req, res) {
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Improved translator web application.
2019-12-06 02:33:22 +03:00
//if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
if ((obj.userAllowedIp != null) && (checkIpAddressEx(req, res, obj.userAllowedIp, false) === false)) { return; } // Check server-wide IP filter only.
var user = null;
if (obj.args.user != null) {
// A default user is active
user = obj.users['user/' + domain.id + '/' + obj.args.user];
if (!user) { parent.debug('web', 'handleTranslationsRequest: user not found.'); res.sendStatus(401); return; }
} else {
// Check if the user is logged and we have all required parameters
if (!req.session || !req.session.userid) { parent.debug('web', 'handleTranslationsRequest: failed checks (2).'); res.sendStatus(401); return; }
// Get the current user
user = obj.users[req.session.userid];
if (!user) { parent.debug('web', 'handleTranslationsRequest: user not found.'); res.sendStatus(401); return; }
if (user.siteadmin != 0xFFFFFFFF) { parent.debug('web', 'handleTranslationsRequest: user not site administrator.'); res.sendStatus(401); return; }
}
var data = '';
req.setEncoding('utf8');
req.on('data', function (chunk) { data += chunk; });
req.on('end', function () {
try { data = JSON.parse(data); } catch (ex) { data = null; }
if (data == null) { res.sendStatus(404); return; }
if (data.action == 'getTranslations') {
if (obj.fs.existsSync(obj.path.join(obj.parent.datapath, 'translate.json'))) {
// Return the translation file (JSON)
try { res.sendFile(obj.path.join(obj.parent.datapath, 'translate.json')); } catch (ex) { res.sendStatus(404); }
} else if (obj.fs.existsSync(obj.path.join(__dirname, 'translate', 'translate.json'))) {
// Return the default translation file (JSON)
try { res.sendFile(obj.path.join(__dirname, 'translate', 'translate.json')); } catch (ex) { res.sendStatus(404); }
} else { res.sendStatus(404); }
} else if (data.action == 'setTranslations') {
Translation tools improvements.
2020-01-08 02:10:12 +03:00
obj.fs.writeFile(obj.path.join(obj.parent.datapath, 'translate.json'), obj.common.translationsToJson({ strings: data.strings }), function (err) { if (err == null) { res.send(JSON.stringify({ response: 'ok' })); } else { res.send(JSON.stringify({ response: err })); } });
Improved translation web application.
2019-12-07 03:49:40 +03:00
} else if (data.action == 'translateServer') {
if (obj.pendingTranslation === true) { res.send(JSON.stringify({ response: 'Server is already performing a translation.' })); return; }
const nodeVersion = Number(process.version.match(/^v(\d+\.\d+)/)[1]);
if (nodeVersion < 8) { res.send(JSON.stringify({ response: 'Server requires NodeJS 8.x or better.' })); return; }
var translateFile = obj.path.join(obj.parent.datapath, 'translate.json');
if (obj.fs.existsSync(translateFile) == false) { translateFile = obj.path.join(__dirname, 'translate', 'translate.json'); }
if (obj.fs.existsSync(translateFile) == false) { res.send(JSON.stringify({ response: 'Unable to find translate.js file on the server.' })); return; }
res.send(JSON.stringify({ response: 'ok' }));
console.log('Started server translation...');
obj.pendingTranslation = true;
require('child_process').exec('node translate.js translateall \"' + translateFile + '\"', { maxBuffer: 512000, timeout: 120000, cwd: obj.path.join(__dirname, 'translate') }, function (error, stdout, stderr) {
delete obj.pendingTranslation;
//console.log('error', error);
//console.log('stdout', stdout);
//console.log('stderr', stderr);
//console.log('Server restart...'); // Perform a server restart
//process.exit(0);
console.log('Server translation completed.');
});
Improved translator web application.
2019-12-06 02:33:22 +03:00
} else {
// Unknown request
res.sendStatus(404);
}
});
}
Added welcome page customization options.
2019-02-14 00:22:52 +03:00
// Handle welcome image request
function handleWelcomeImageRequest(req, res) {
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added welcome page customization options.
2019-02-14 00:22:52 +03:00
Removed 1h cache, back to etag.
2019-12-21 01:50:06 +03:00
//res.set({ 'Cache-Control': 'max-age=86400' }); // 1 day
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain.welcomepicture) {
Added welcome page customization options.
2019-02-14 00:22:52 +03:00
if ((parent.configurationFiles != null) && (parent.configurationFiles[domain.welcomepicture] != null)) {
// Use the welcome image in the database
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
res.set({ 'Content-Type': domain.welcomepicture.toLowerCase().endsWith('.png')?'image/png':'image/jpeg' });
Added welcome page customization options.
2019-02-14 00:22:52 +03:00
res.send(parent.configurationFiles[domain.welcomepicture]);
Rebranding fixes
2019-09-15 22:47:59 +03:00
return;
Added welcome page customization options.
2019-02-14 00:22:52 +03:00
}
Fixed welcome image not working in config.json
2019-09-26 20:16:22 +03:00
// Use the configured logo picture
Handle all configured paths as potentially absolute
2021-07-29 17:38:44 +03:00
try { res.sendFile(obj.common.joinPath(obj.parent.datapath, domain.welcomepicture)); return; } catch (ex) { }
Rebranding fixes
2019-09-15 22:47:59 +03:00
}
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
var imagefile = 'images/mainwelcome.jpg';
if (domain.sitestyle == 2) { imagefile = 'images/login/back.png'; }
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain.webpublicpath != null) {
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
obj.fs.exists(obj.path.join(domain.webpublicpath, imagefile), function (exists) {
Added support for per-domain web folder.
2020-03-25 23:21:14 +03:00
if (exists) {
// Use the domain logo picture
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
try { res.sendFile(obj.path.join(domain.webpublicpath, imagefile)); } catch (ex) { res.sendStatus(404); }
Added support for per-domain web folder.
2020-03-25 23:21:14 +03:00
} else {
// Use the default logo picture
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, imagefile)); } catch (ex) { res.sendStatus(404); }
Added support for per-domain web folder.
2020-03-25 23:21:14 +03:00
}
});
} else if (parent.webPublicOverridePath) {
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
obj.fs.exists(obj.path.join(obj.parent.webPublicOverridePath, imagefile), function (exists) {
Fixed web app interface and server version.
2019-12-21 01:02:49 +03:00
if (exists) {
// Use the override logo picture
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
try { res.sendFile(obj.path.join(obj.parent.webPublicOverridePath, imagefile)); } catch (ex) { res.sendStatus(404); }
Fixed web app interface and server version.
2019-12-21 01:02:49 +03:00
} else {
// Use the default logo picture
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, imagefile)); } catch (ex) { res.sendStatus(404); }
Fixed web app interface and server version.
2019-12-21 01:02:49 +03:00
}
});
Added welcome page customization options.
2019-02-14 00:22:52 +03:00
} else {
Rebranding fixes
2019-09-15 22:47:59 +03:00
// Use the default logo picture
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, imagefile)); } catch (ex) { res.sendStatus(404); }
Added welcome page customization options.
2019-02-14 00:22:52 +03:00
}
}
Session recording viewer can now stream.
2021-11-08 05:07:45 +03:00
// Download a session recording
Added recodings manager and recording improvements.
2020-05-05 23:00:51 +03:00
function handleGetRecordings(req, res) {
const domain = checkUserIpAddress(req, res);
Server fixes.
2020-06-22 00:27:10 +03:00
if (domain == null) return;
Added recodings manager and recording improvements.
2020-05-05 23:00:51 +03:00
// Check the query
Session recording viewer can now stream.
2021-11-08 05:07:45 +03:00
if ((domain.sessionrecording == null) || (req.query.file == null) || (obj.common.IsFilenameValid(req.query.file) !== true) || (req.query.file.endsWith('.mcrec') == false)) { res.sendStatus(401); return; }
Added recodings manager and recording improvements.
2020-05-05 23:00:51 +03:00
// Get the recording path
var recordingsPath = null;
if (domain.sessionrecording.filepath) { recordingsPath = domain.sessionrecording.filepath; } else { recordingsPath = parent.recordpath; }
if (recordingsPath == null) { res.sendStatus(401); return; }
// Get the user and check user rights
var authUserid = null;
if ((req.session != null) && (typeof req.session.userid == 'string')) { authUserid = req.session.userid; }
if (authUserid == null) { res.sendStatus(401); return; }
const user = obj.users[authUserid];
if (user == null) { res.sendStatus(401); return; }
if ((user.siteadmin & 512) == 0) { res.sendStatus(401); return; } // Check if we have right to get recordings
// Send the recorded file
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
setContentDispositionHeader(res, 'application/octet-stream', req.query.file, null, 'recording.mcrec');
Added recodings manager and recording improvements.
2020-05-05 23:00:51 +03:00
try { res.sendFile(obj.path.join(recordingsPath, req.query.file)); } catch (ex) { res.sendStatus(404); }
}
Session recording viewer can now stream.
2021-11-08 05:07:45 +03:00
// Stream a session recording
function handleGetRecordingsWebSocket(ws, req) {
var domain = checkAgentIpAddress(ws, req);
if (domain == null) { parent.debug('web', 'Got recordings file transfer connection with bad domain or blocked IP address ' + req.clientIp + ', dropping.'); try { ws.close(); } catch (ex) { } return; }
// Check the query
if ((domain.sessionrecording == null) || (req.query.file == null) || (obj.common.IsFilenameValid(req.query.file) !== true) || (req.query.file.endsWith('.mcrec') == false)) { try { ws.close(); } catch (ex) { } return; }
// Get the recording path
var recordingsPath = null;
if (domain.sessionrecording.filepath) { recordingsPath = domain.sessionrecording.filepath; } else { recordingsPath = parent.recordpath; }
if (recordingsPath == null) { try { ws.close(); } catch (ex) { } return; }
// Get the user and check user rights
var authUserid = null;
if ((req.session != null) && (typeof req.session.userid == 'string')) { authUserid = req.session.userid; }
if (authUserid == null) { try { ws.close(); } catch (ex) { } return; }
const user = obj.users[authUserid];
if (user == null) { try { ws.close(); } catch (ex) { } return; }
if ((user.siteadmin & 512) == 0) { try { ws.close(); } catch (ex) { } return; } // Check if we have right to get recordings
const filefullpath = obj.path.join(recordingsPath, req.query.file);
obj.fs.stat(filefullpath, function(err, stats) {
if (err) {
try { ws.close(); } catch (ex) { } // File does not exist
} else {
Fix for recording playback server crash, #3337
2021-12-14 00:20:04 +03:00
obj.fs.open(filefullpath, 'r', function (err, fd) {
Session recording viewer can now stream.
2021-11-08 05:07:45 +03:00
if (err == null) {
// When data is received from the web socket
ws.on('message', function (msg) {
if (typeof msg != 'string') return;
var command;
try { command = JSON.parse(msg); } catch (e) { return; }
if ((command == null) || (typeof command.action != 'string')) return;
switch (command.action) {
case 'get': {
const buffer = Buffer.alloc(8 + command.size);
//buffer.writeUInt32BE((command.ptr >> 32), 0);
buffer.writeUInt32BE((command.ptr & 0xFFFFFFFF), 4);
obj.fs.read(fd, buffer, 8, command.size, command.ptr, function (err, bytesRead, buffer) { if (bytesRead > (buffer.length - 8)) { buffer = buffer.slice(0, bytesRead + 8); } ws.send(buffer); });
break;
}
}
});
// If error, do nothing
ws.on('error', function (err) { try { ws.close(); } catch (ex) { } obj.fs.close(fd, function (err) { }); });
// If the web socket is closed
ws.on('close', function (req) { try { ws.close(); } catch (ex) { } obj.fs.close(fd, function (err) { }); });
ws.send(JSON.stringify({ "action": "info", "name": req.query.file, "size": stats.size }));
} else {
try { ws.close(); } catch (ex) { }
}
});
}
});
}
Initial work on desktop sharing.
2020-08-07 02:05:48 +03:00
// Serve the player page
Internalization improvements.
2020-02-05 03:22:00 +03:00
function handlePlayerRequest(req, res) {
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Internalization improvements.
2020-02-05 03:22:00 +03:00
parent.debug('web', 'handlePlayerRequest: sending player');
Added Webkit download bug workaround.
2020-10-02 23:17:53 +03:00
res.set({ 'Cache-Control': 'no-store' });
Full minification support in all languages.
2020-05-03 09:49:59 +03:00
render(req, res, getRenderPage('player', req, domain), getRenderArgs({}, req, domain));
Internalization improvements.
2020-02-05 03:22:00 +03:00
}
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
// Serve the guest sharing page
function handleSharingRequest(req, res) {
const domain = getDomain(req, res);
if (domain == null) { return; }
if (req.query.c == null) { res.sendStatus(404); return; }
if (domain.guestdevicesharing === false) { res.sendStatus(404); return; } // This feature is not allowed.
Fixed guest sharing link valid for only 60 minutes.
2021-09-02 23:45:57 +03:00
// Check the inbound guest sharing cookie
var c = obj.parent.decodeCookie(req.query.c, obj.parent.invitationLinkEncryptionKey, 9999999999); // Decode cookies with unlimited time.
Much shorter guest sharing URLs.
2021-09-12 08:58:44 +03:00
if (c == null) { res.sendStatus(404); return; }
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
Much shorter guest sharing URLs.
2021-09-12 08:58:44 +03:00
if (c.a === 5) {
// This is the older style sharing cookie with everything encoded within it.
// This cookie style gives a very large URL, so it's not used anymore.
if ((typeof c.p !== 'number') || (c.p < 1) || (c.p > 7) || (typeof c.uid != 'string') || (typeof c.nid != 'string') || (typeof c.gn != 'string') || (typeof c.cf != 'number') || (typeof c.pid != 'string')) { res.sendStatus(404); return; }
handleSharingRequestEx(req, res, domain, c);
return;
}
if (c.a === 6) {
// This is the new style sharing cookie, just encodes the pointer to the sharing information in the database.
// Gives a much more compact URL.
if (typeof c.pid != 'string') { res.sendStatus(404); return; }
Guest sharing fixes.
2021-09-12 21:17:54 +03:00
// Check the expired time, expire message.
if ((c.e != null) && (c.e <= Date.now())) { render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 2, msgid: 12, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27') }, req, domain)); return; }
Much shorter guest sharing URLs.
2021-09-12 08:58:44 +03:00
obj.db.Get('deviceshare-' + c.pid, function (err, docs) {
if ((err != null) || (docs == null) || (docs.length != 1)) { res.sendStatus(404); return; }
const doc = docs[0];
Completed work on recurring guest device sharing.
2022-01-17 05:10:56 +03:00
// If this is a recurrent share, check if we are at the currect time to make use of it
if (typeof doc.recurring == 'number') {
const now = Date.now();
if (now >= doc.startTime) { // We don't want to move the validity window before the start time
const deltaTime = (now - doc.startTime);
if (doc.recurring === 1) {
// This moves the start time to the next valid daily window
const oneDay = (24 * 60 * 60 * 1000);
var addition = Math.floor(deltaTime / oneDay);
if ((deltaTime - (addition * oneDay)) > (doc.duration * 60000)) { addition++; } // If we are passed the current windows, move to the next one. This will show link as not being valid yet.
doc.startTime += (addition * oneDay);
} else if (doc.recurring === 2) {
// This moves the start time to the next valid weekly window
const oneWeek = (7 * 24 * 60 * 60 * 1000);
var addition = Math.floor(deltaTime / oneWeek);
if ((deltaTime - (addition * oneWeek)) > (doc.duration * 60000)) { addition++; } // If we are passed the current windows, move to the next one. This will show link as not being valid yet.
doc.startTime += (addition * oneWeek);
}
}
}
Much shorter guest sharing URLs.
2021-09-12 08:58:44 +03:00
// Generate an old style cookie from the information in the database
Fixed event dispatching bug.
2021-11-11 04:56:12 +03:00
var cookie = { a: 5, p: doc.p, gn: doc.guestName, nid: doc.nodeid, cf: doc.consent, pid: doc.publicid, k: doc.extrakey };
if (doc.userid) { cookie.uid = doc.userid; }
More work on device self-sharing.
2021-11-11 00:21:30 +03:00
if ((cookie.userid == null) && (cookie.pid.startsWith('AS:node/'))) { cookie.nouser = 1; }
Completed work on recurring guest device sharing.
2022-01-17 05:10:56 +03:00
if (doc.startTime != null) {
if (doc.expireTime != null) { cookie.start = doc.startTime; cookie.expire = doc.expireTime; }
else if (doc.duration != null) { cookie.start = doc.startTime; cookie.expire = doc.startTime + (doc.duration * 60000); }
}
Much shorter guest sharing URLs.
2021-09-12 08:58:44 +03:00
if (doc.viewOnly === true) { cookie.vo = 1; }
handleSharingRequestEx(req, res, domain, cookie);
});
return;
}
res.sendStatus(404); return;
}
// Serve the guest sharing page
function handleSharingRequestEx(req, res, domain, c) {
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
// Check the expired time, expire message.
Guest device shares can now be unlimited time.
2021-08-31 23:40:03 +03:00
if ((c.expire != null) && (c.expire <= Date.now())) { render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 2, msgid: 12, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27') }, req, domain)); return; }
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
// Check the public id
obj.db.GetAllTypeNodeFiltered([c.nid], domain.id, 'deviceshare', null, function (err, docs) {
// Check if any desktop sharing links are present, expire message.
if ((err != null) || (docs.length == 0)) { render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 2, msgid: 12, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27') }, req, domain)); return; }
// Search for the device share public identifier, expire message.
var found = false;
Fixed event dispatching bug.
2021-11-11 04:56:12 +03:00
for (var i = 0; i < docs.length; i++) { if ((docs[i].publicid == c.pid) && ((docs[i].extrakey == null) || (docs[i].extrakey === c.k))) { found = true; } }
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
if (found == false) { render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 2, msgid: 12, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27') }, req, domain)); return; }
// Get information about this node
obj.db.Get(c.nid, function (err, nodes) {
if ((err != null) || (nodes == null) || (nodes.length != 1)) { res.sendStatus(404); return; }
var node = nodes[0];
// Check the start time, not yet valid message.
Guest device shares can now be unlimited time.
2021-08-31 23:40:03 +03:00
if ((c.start != null) && (c.expire != null) && ((c.start > Date.now()) || (c.start > c.expire))) { render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 2, msgid: 11, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27') }, req, domain)); return; }
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
// Looks good, let's create the outbound session cookies.
// Consent flags are 1 = Notify, 8 = Prompt, 64 = Privacy Bar.
More work on device self-sharing.
2021-11-11 00:21:30 +03:00
const authCookieData = { userid: c.uid, domainid: domain.id, nid: c.nid, ip: req.clientIp, p: c.p, gn: c.gn, cf: c.cf, r: 8, expire: c.expire, pid: c.pid, vo: c.vo };
if ((authCookieData.userid == null) && (authCookieData.pid.startsWith('AS:node/'))) { authCookieData.nouser = 1; }
Fixed event dispatching bug.
2021-11-11 04:56:12 +03:00
if (c.k != null) { authCookieData.k = c.k; }
More work on device self-sharing.
2021-11-11 00:21:30 +03:00
const authCookie = obj.parent.encodeCookie(authCookieData, obj.parent.loginCookieEncryptionKey);
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
Fixed guest sharing desktop quality.
2021-09-03 00:10:35 +03:00
// Server features
var features2 = 0;
if (obj.args.allowhighqualitydesktop !== false) { features2 += 1; } // Enable AllowHighQualityDesktop (Default true)
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
// Lets respond by sending out the desktop viewer.
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
Fix for #2588 + Unused files cleanup.
2021-05-05 20:40:10 +03:00
parent.debug('web', 'handleSharingRequest: Sending guest sharing page for \"' + c.uid + '\", guest \"' + c.gn + '\".');
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
res.set({ 'Cache-Control': 'no-store' });
Fixed guest sharing desktop quality.
2021-09-03 00:10:35 +03:00
render(req, res, getRenderPage('sharing', req, domain), getRenderArgs({ authCookie: authCookie, authRelayCookie: '', domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27'), nodeid: c.nid, serverDnsName: obj.getWebServerName(domain), serverRedirPort: args.redirport, serverPublicPort: httpsPort, expire: c.expire, viewOnly: (c.vo == 1) ? 1 : 0, nodeName: encodeURIComponent(node.name).replace(/'/g, '%27'), features: c.p, features2: features2 }, req, domain));
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
});
});
}
Added server redirection and unlimited invite URL's.
2019-06-07 20:20:54 +03:00
// Handle domain redirection
Made MQTT optional.
2019-10-04 22:18:56 +03:00
obj.handleDomainRedirect = function (req, res) {
Added server redirection and unlimited invite URL's.
2019-06-07 20:20:54 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
if (domain.redirects == null) { res.sendStatus(404); return; }
Centralization of user access control.
2019-12-27 09:53:01 +03:00
var urlArgs = '', urlName = null, splitUrl = req.originalUrl.split('?');
Added server redirection and unlimited invite URL's.
2019-06-07 20:20:54 +03:00
if (splitUrl.length > 1) { urlArgs = '?' + splitUrl[1]; }
if ((splitUrl.length > 0) && (splitUrl[0].length > 1)) { urlName = splitUrl[0].substring(1).toLowerCase(); }
Server fixes when agent comes in with unknown agentid.
2019-06-18 01:37:13 +03:00
if ((urlName == null) || (domain.redirects[urlName] == null) || (urlName[0] == '_')) { res.sendStatus(404); return; }
Server fixes and webapp trace support.
2019-06-18 03:17:23 +03:00
if (domain.redirects[urlName] == '~showversion') {
// Show the current version
res.end('MeshCentral v' + obj.parent.currentVer);
} else {
// Perform redirection
res.redirect(domain.redirects[urlName] + urlArgs + getQueryPortion(req));
}
Added server redirection and unlimited invite URL's.
2019-06-07 20:20:54 +03:00
}
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
// Take a "user/domain/userid/path/file" format and return the actual server disk file path if access is allowed
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
obj.getServerFilePath = function (user, domain, path) {
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
var splitpath = path.split('/'), serverpath = obj.path.join(obj.filespath, 'domain'), filename = '';
if ((splitpath.length < 3) || (splitpath[0] != 'user' && splitpath[0] != 'mesh') || (splitpath[1] != domain.id)) return null; // Basic validation
var objid = splitpath[0] + '/' + splitpath[1] + '/' + splitpath[2];
if (splitpath[0] == 'user' && (objid != user._id)) return null; // User validation, only self allowed
More access control improvements, RPi icon.
2019-12-28 02:18:43 +03:00
if (splitpath[0] == 'mesh') { if ((obj.GetMeshRights(user, objid) & 32) == 0) { return null; } } // Check mesh server file rights
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
if (splitpath[1] != '') { serverpath += '-' + splitpath[1]; } // Add the domain if needed
serverpath += ('/' + splitpath[0] + '-' + splitpath[2]);
for (var i = 3; i < splitpath.length; i++) { if (obj.common.IsFilenameValid(splitpath[i]) == true) { serverpath += '/' + splitpath[i]; filename = splitpath[i]; } else { return null; } } // Check that each folder is correct
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
return { fullpath: obj.path.resolve(obj.filespath, serverpath), path: serverpath, name: filename, quota: obj.getQuota(objid, domain) };
};
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
// Return the maximum number of bytes allowed in the user account "My Files".
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
obj.getQuota = function (objid, domain) {
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
if (objid == null) return 0;
if (objid.startsWith('user/')) {
var user = obj.users[objid];
if (user == null) return 0;
Server bug fixing and new MeshAgent
2018-09-01 01:23:42 +03:00
if (user.siteadmin == 0xFFFFFFFF) return null; // Administrators have no user limit
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
if ((user.quota != null) && (typeof user.quota == 'number')) { return user.quota; }
Server bug fixing and new MeshAgent
2018-09-01 01:23:42 +03:00
if ((domain != null) && (domain.userquota != null) && (typeof domain.userquota == 'number')) { return domain.userquota; }
return null; // By default, the user will have no limit
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
} else if (objid.startsWith('mesh/')) {
var mesh = obj.meshes[objid];
if (mesh == null) return 0;
if ((mesh.quota != null) && (typeof mesh.quota == 'number')) { return mesh.quota; }
Server bug fixing and new MeshAgent
2018-09-01 01:23:42 +03:00
if ((domain != null) && (domain.meshquota != null) && (typeof domain.meshquota == 'number')) { return domain.meshquota; }
return null; // By default, the mesh will have no limit
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
}
return 0;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
};
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Download a file from the server
function handleDownloadFile(req, res) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
if ((req.query.link == null) || (req.session == null) || (req.session.userid == null) || (domain == null) || (domain.userQuota == -1)) { res.sendStatus(404); return; }
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const user = obj.users[req.session.userid];
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
if (user == null) { res.sendStatus(404); return; }
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const file = obj.getServerFilePath(user, domain, req.query.link);
Initial main commit
2017-08-28 19:27:45 +03:00
if (file == null) { res.sendStatus(404); return; }
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
setContentDispositionHeader(res, 'application/octet-stream', file.name, null, 'file.bin');
More code clean up and input validation.
2020-07-07 01:04:22 +03:00
obj.fs.exists(file.fullpath, function (exists) { if (exists == true) { res.sendFile(file.fullpath); } else { res.sendStatus(404); } });
Initial main commit
2017-08-28 19:27:45 +03:00
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Upload a MeshCore.js file to the server
function handleUploadMeshCoreFile(req, res) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added authCookie to all multiparty forms
2019-10-01 00:50:28 +03:00
if (domain.id !== '') { res.sendStatus(401); return; }
var authUserid = null;
if ((req.session != null) && (typeof req.session.userid == 'string')) { authUserid = req.session.userid; }
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const multiparty = require('multiparty');
const form = new multiparty.Form();
Initial main commit
2017-08-28 19:27:45 +03:00
form.parse(req, function (err, fields, files) {
Added authCookie to all multiparty forms
2019-10-01 00:50:28 +03:00
// If an authentication cookie is embedded in the form, use that.
if ((fields != null) && (fields.auth != null) && (fields.auth.length == 1) && (typeof fields.auth[0] == 'string')) {
var loginCookie = obj.parent.decodeCookie(fields.auth[0], obj.parent.loginCookieEncryptionKey, 60); // 60 minute timeout
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if ((loginCookie != null) && (obj.args.cookieipcheck !== false) && (loginCookie.ip != null) && (loginCookie.ip != req.clientIp)) { loginCookie = null; } // Check cookie IP binding.
Added authCookie to all multiparty forms
2019-10-01 00:50:28 +03:00
if ((loginCookie != null) && (domain.id == loginCookie.domainid)) { authUserid = loginCookie.userid; } // Use cookie authentication
}
if (authUserid == null) { res.sendStatus(401); return; }
Fixed permissions on uploading custom mesh core.
2021-02-05 00:44:40 +03:00
if ((fields == null) || (fields.attrib == null) || (fields.attrib.length != 1)) { res.sendStatus(404); return; }
Added authCookie to all multiparty forms
2019-10-01 00:50:28 +03:00
// Get the user
const user = obj.users[authUserid];
Fixed permissions on uploading custom mesh core.
2021-02-05 00:44:40 +03:00
if (user == null) { res.sendStatus(401); return; } // Check this user exists
// Get the node and check node rights
const nodeid = fields.attrib[0];
obj.GetNodeWithRights(domain, user, nodeid, function (node, rights, visible) {
if ((node == null) || (rights != 0xFFFFFFFF) || (visible == false)) { res.sendStatus(404); return; } // We don't have remote control rights to this device
for (var i in files.files) {
var file = files.files[i];
obj.fs.readFile(file.path, 'utf8', function (err, data) {
if (err != null) return;
data = obj.common.IntToStr(0) + data; // Add the 4 bytes encoding type & flags (Set to 0 for raw)
obj.sendMeshAgentCore(user, domain, fields.attrib[0], 'custom', data); // Upload the core
try { obj.fs.unlinkSync(file.path); } catch (e) { }
});
}
res.send('');
});
Initial main commit
2017-08-28 19:27:45 +03:00
});
}
Started work on Intel AMT Click Once Recovery.
2021-03-23 04:45:07 +03:00
// Upload a MeshCore.js file to the server
More work on Intel AMT One Click Recovery.
2021-03-23 09:36:05 +03:00
function handleOneClickRecoveryFile(req, res) {
Started work on Intel AMT Click Once Recovery.
2021-03-23 04:45:07 +03:00
const domain = checkUserIpAddress(req, res);
if (domain == null) { return; }
if (domain.id !== '') { res.sendStatus(401); return; }
var authUserid = null;
if ((req.session != null) && (typeof req.session.userid == 'string')) { authUserid = req.session.userid; }
const multiparty = require('multiparty');
const form = new multiparty.Form();
form.parse(req, function (err, fields, files) {
// If an authentication cookie is embedded in the form, use that.
if ((fields != null) && (fields.auth != null) && (fields.auth.length == 1) && (typeof fields.auth[0] == 'string')) {
var loginCookie = obj.parent.decodeCookie(fields.auth[0], obj.parent.loginCookieEncryptionKey, 60); // 60 minute timeout
if ((loginCookie != null) && (obj.args.cookieipcheck !== false) && (loginCookie.ip != null) && (loginCookie.ip != req.clientIp)) { loginCookie = null; } // Check cookie IP binding.
if ((loginCookie != null) && (domain.id == loginCookie.domainid)) { authUserid = loginCookie.userid; } // Use cookie authentication
}
if (authUserid == null) { res.sendStatus(401); return; }
if ((fields == null) || (fields.attrib == null) || (fields.attrib.length != 1)) { res.sendStatus(404); return; }
// Get the user
const user = obj.users[authUserid];
if (user == null) { res.sendStatus(401); return; } // Check this user exists
// Get the node and check node rights
const nodeid = fields.attrib[0];
obj.GetNodeWithRights(domain, user, nodeid, function (node, rights, visible) {
if ((node == null) || (rights != 0xFFFFFFFF) || (visible == false)) { res.sendStatus(404); return; } // We don't have remote control rights to this device
for (var i in files.files) {
var file = files.files[i];
More work on Intel AMT Click Once Recovery.
2021-03-23 05:00:50 +03:00
More work on Intel AMT One Click Recovery.
2021-03-23 09:36:05 +03:00
// Event Intel AMT One Click Recovery, this will cause Intel AMT wake operations on this and other servers.
parent.DispatchEvent('*', obj, { action: 'oneclickrecovery', userid: user._id, username: user.name, nodeids: [node._id], domain: domain.id, nolog: 1, file: file.path });
More work on Intel AMT Click Once Recovery.
2021-03-23 05:00:50 +03:00
Version 0.7.95
2021-03-24 00:48:57 +03:00
//try { obj.fs.unlinkSync(file.path); } catch (e) { } // TODO: Remove this file after 30 minutes.
Started work on Intel AMT Click Once Recovery.
2021-03-23 04:45:07 +03:00
}
res.send('');
});
});
}
Initial main commit
2017-08-28 19:27:45 +03:00
// Upload a file to the server
function handleUploadFile(req, res) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added authCookie in server file upload
2019-10-01 00:08:51 +03:00
if (domain.userQuota == -1) { res.sendStatus(401); return; }
var authUserid = null;
if ((req.session != null) && (typeof req.session.userid == 'string')) { authUserid = req.session.userid; }
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const multiparty = require('multiparty');
const form = new multiparty.Form();
Initial main commit
2017-08-28 19:27:45 +03:00
form.parse(req, function (err, fields, files) {
Added authCookie in server file upload
2019-10-01 00:08:51 +03:00
// If an authentication cookie is embedded in the form, use that.
if ((fields != null) && (fields.auth != null) && (fields.auth.length == 1) && (typeof fields.auth[0] == 'string')) {
var loginCookie = obj.parent.decodeCookie(fields.auth[0], obj.parent.loginCookieEncryptionKey, 60); // 60 minute timeout
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if ((loginCookie != null) && (obj.args.cookieipcheck !== false) && (loginCookie.ip != null) && (loginCookie.ip != req.clientIp)) { loginCookie = null; } // Check cookie IP binding.
Added authCookie in server file upload
2019-10-01 00:08:51 +03:00
if ((loginCookie != null) && (domain.id == loginCookie.domainid)) { authUserid = loginCookie.userid; } // Use cookie authentication
}
if (authUserid == null) { res.sendStatus(401); return; }
// Get the user
const user = obj.users[authUserid];
if ((user == null) || (user.siteadmin & 8) == 0) { res.sendStatus(401); return; } // Check if we have file rights
if ((fields == null) || (fields.link == null) || (fields.link.length != 1)) { /*console.log('UploadFile, Invalid Fields:', fields, files);*/ console.log('err4'); res.sendStatus(404); return; }
Server fix.
2020-06-22 00:31:00 +03:00
var xfile = null;
try { xfile = obj.getServerFilePath(user, domain, decodeURIComponent(fields.link[0])); } catch (ex) { }
Initial main commit
2017-08-28 19:27:45 +03:00
if (xfile == null) { res.sendStatus(404); return; }
// Get total bytes in the path
var totalsize = readTotalFileSize(xfile.fullpath);
Server bug fixing and new MeshAgent
2018-09-01 01:23:42 +03:00
if ((xfile.quota == null) || (totalsize < xfile.quota)) { // Check if the quota is not already broken
Improved login screen, Mesh server directory handling
2019-02-20 02:38:27 +03:00
if (fields.name != null) {
DB record expire in config + Mesh folder optimizations
2019-02-19 09:20:25 +03:00
Improved login screen, Mesh server directory handling
2019-02-20 02:38:27 +03:00
// See if we need to create the folder
var domainx = 'domain';
if (domain.id.length > 0) { domainx = 'domain-' + usersplit[1]; }
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
try { obj.fs.mkdirSync(obj.parent.filespath); } catch (ex) { }
try { obj.fs.mkdirSync(obj.parent.path.join(obj.parent.filespath, domainx)); } catch (ex) { }
try { obj.fs.mkdirSync(xfile.fullpath); } catch (ex) { }
DB record expire in config + Mesh folder optimizations
2019-02-19 09:20:25 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Upload method where all the file data is within the fields.
var names = fields.name[0].split('*'), sizes = fields.size[0].split('*'), types = fields.type[0].split('*'), datas = fields.data[0].split('*');
if ((names.length == sizes.length) && (types.length == datas.length) && (names.length == types.length)) {
for (var i = 0; i < names.length; i++) {
if (obj.common.IsFilenameValid(names[i]) == false) { res.sendStatus(404); return; }
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-03 05:03:34 +03:00
var filedata = Buffer.from(datas[i].split(',')[1], 'base64');
Server bug fixing and new MeshAgent
2018-09-01 01:23:42 +03:00
if ((xfile.quota == null) || ((totalsize + filedata.length) < xfile.quota)) { // Check if quota would not be broken if we add this file
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
// Create the user folder if needed
(function (fullpath, filename, filedata) {
obj.fs.mkdir(xfile.fullpath, function () {
// Write the file
obj.fs.writeFile(obj.path.join(xfile.fullpath, filename), filedata, function () {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
obj.parent.DispatchEvent([user._id], obj, 'updatefiles'); // Fire an event causing this user to update this files
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
});
});
})(xfile.fullpath, names[i], filedata);
Added disk quota exceed notification.
2020-07-16 00:11:27 +03:00
} else {
// Send a notification
obj.parent.DispatchEvent([user._id], obj, { action: 'notify', title: "Disk quota exceed", value: names[i], nolog: 1, id: Math.random() });
Initial main commit
2017-08-28 19:27:45 +03:00
}
}
}
} else {
// More typical upload method, the file data is in a multipart mime post.
for (var i in files.files) {
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
var file = files.files[i], fpath = obj.path.join(xfile.fullpath, file.originalFilename);
Server bug fixing and new MeshAgent
2018-09-01 01:23:42 +03:00
if (obj.common.IsFilenameValid(file.originalFilename) && ((xfile.quota == null) || ((totalsize + file.size) < xfile.quota))) { // Check if quota would not be broken if we add this file
Improved login screen, Mesh server directory handling
2019-02-20 02:38:27 +03:00
// See if we need to create the folder
var domainx = 'domain';
Fixed 404 page, file uploads, sub-domain support.
2019-08-23 02:39:50 +03:00
if (domain.id.length > 0) { domainx = 'domain-' + domain.id; }
Improved login screen, Mesh server directory handling
2019-02-20 02:38:27 +03:00
try { obj.fs.mkdirSync(obj.parent.filespath); } catch (e) { }
try { obj.fs.mkdirSync(obj.parent.path.join(obj.parent.filespath, domainx)); } catch (e) { }
try { obj.fs.mkdirSync(xfile.fullpath); } catch (e) { }
Fixed EXDEV error on rename.
2020-02-01 01:44:11 +03:00
// Rename the file
obj.fs.rename(file.path, fpath, function (err) {
First signs of life with MariaDB.
2020-02-02 23:37:27 +03:00
if (err && (err.code === 'EXDEV')) {
Fixed EXDEV error on rename.
2020-02-01 01:44:11 +03:00
// On some Linux, the rename will fail with a "EXDEV" error, do a copy+unlink instead.
obj.common.copyFile(file.path, fpath, function (err) {
obj.fs.unlink(file.path, function (err) {
obj.parent.DispatchEvent([user._id], obj, 'updatefiles'); // Fire an event causing this user to update this files
});
});
} else {
obj.parent.DispatchEvent([user._id], obj, 'updatefiles'); // Fire an event causing this user to update this files
}
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
});
Initial main commit
2017-08-28 19:27:45 +03:00
} else {
Added disk quota exceed notification.
2020-07-16 00:11:27 +03:00
// Send a notification
obj.parent.DispatchEvent([user._id], obj, { action: 'notify', title: "Disk quota exceed", value: file.originalFilename, nolog: 1, id: Math.random() });
Fixed unlink() required callback in NodeJS v10.
2019-01-07 07:32:12 +03:00
try { obj.fs.unlink(file.path, function (err) { }); } catch (e) { }
Initial main commit
2017-08-28 19:27:45 +03:00
}
}
}
Added disk quota exceed notification.
2020-07-16 00:11:27 +03:00
} else {
// Send a notification
obj.parent.DispatchEvent([user._id], obj, { action: 'notify', value: "Disk quota exceed", nolog: 1, id: Math.random() });
Initial main commit
2017-08-28 19:27:45 +03:00
}
res.send('');
});
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Added multi-agent upload feature.
2020-11-08 12:13:23 +03:00
// Upload a file to the server and then batch upload to many agents
function handleUploadFileBatch(req, res) {
const domain = checkUserIpAddress(req, res);
if (domain == null) { return; }
var authUserid = null;
if ((req.session != null) && (typeof req.session.userid == 'string')) { authUserid = req.session.userid; }
const multiparty = require('multiparty');
const form = new multiparty.Form();
form.parse(req, function (err, fields, files) {
// If an authentication cookie is embedded in the form, use that.
if ((fields != null) && (fields.auth != null) && (fields.auth.length == 1) && (typeof fields.auth[0] == 'string')) {
var loginCookie = obj.parent.decodeCookie(fields.auth[0], obj.parent.loginCookieEncryptionKey, 60); // 60 minute timeout
if ((loginCookie != null) && (obj.args.cookieipcheck !== false) && (loginCookie.ip != null) && (loginCookie.ip != req.clientIp)) { loginCookie = null; } // Check cookie IP binding.
if ((loginCookie != null) && (domain.id == loginCookie.domainid)) { authUserid = loginCookie.userid; } // Use cookie authentication
}
if (authUserid == null) { res.sendStatus(401); return; }
// Get the user
const user = obj.users[authUserid];
Fixed multi-device batch upload.
2020-12-22 10:55:26 +03:00
if (user == null) { parent.debug('web', 'Batch upload error, invalid user.'); res.sendStatus(401); return; } // Check if user exists
Added multi-agent upload feature.
2020-11-08 12:13:23 +03:00
// Get fields
if ((fields == null) || (fields.nodeIds == null) || (fields.nodeIds.length != 1)) { res.sendStatus(404); return; }
Partial fix for #2772.
2021-06-15 00:19:02 +03:00
var cmd = { nodeids: fields.nodeIds[0].split(','), files: [], user: user, domain: domain, overwrite: false, createFolder: false };
Added multi-agent upload feature.
2020-11-08 12:13:23 +03:00
if ((fields.winpath != null) && (fields.winpath.length == 1)) { cmd.windowsPath = fields.winpath[0]; }
if ((fields.linuxpath != null) && (fields.linuxpath.length == 1)) { cmd.linuxPath = fields.linuxpath[0]; }
if ((fields.overwriteFiles != null) && (fields.overwriteFiles.length == 1) && (fields.overwriteFiles[0] == 'on')) { cmd.overwrite = true; }
Added batch upload folder creation.
2020-11-10 02:28:46 +03:00
if ((fields.createFolder != null) && (fields.createFolder.length == 1) && (fields.createFolder[0] == 'on')) { cmd.createFolder = true; }
Added multi-agent upload feature.
2020-11-08 12:13:23 +03:00
Fixed multi-device batch upload.
2020-12-22 10:55:26 +03:00
// Check if we have at least one target path
Added support for agent with improved key input.
2020-11-18 06:30:26 +03:00
if ((cmd.windowsPath == null) && (cmd.linuxPath == null)) {
parent.debug('web', 'Batch upload error, invalid fields: ' + JSON.stringify(fields));
res.send('');
return;
}
Added multi-agent upload feature.
2020-11-08 12:13:23 +03:00
// Get server temporary path
var serverpath = obj.path.join(obj.filespath, 'tmp')
try { obj.fs.mkdirSync(obj.parent.filespath); } catch (ex) { }
try { obj.fs.mkdirSync(serverpath); } catch (ex) { }
// More typical upload method, the file data is in a multipart mime post.
for (var i in files.files) {
var file = files.files[i], ftarget = getRandomPassword() + '-' + file.originalFilename, fpath = obj.path.join(serverpath, ftarget);
cmd.files.push({ name: file.originalFilename, target: ftarget });
// Rename the file
obj.fs.rename(file.path, fpath, function (err) {
if (err && (err.code === 'EXDEV')) {
// On some Linux, the rename will fail with a "EXDEV" error, do a copy+unlink instead.
Improved device batch upload.
2020-11-10 03:51:48 +03:00
obj.common.copyFile(file.path, fpath, function (err) { obj.fs.unlink(file.path, function (err) { }); });
}
});
}
// Instruct one of more agents to download a URL to a given local drive location.
Fixed support for ignoreagenthashcheck
2020-11-10 23:51:34 +03:00
var tlsCertHash = null;
Fixed meshcore update faliure case.
2021-01-29 00:41:19 +03:00
if ((parent.args.ignoreagenthashcheck == null) || (parent.args.ignoreagenthashcheck === false)) { // TODO: If ignoreagenthashcheck is an array of IP addresses, not sure how to handle this.
Updated Linux agents.
2020-11-12 03:50:51 +03:00
tlsCertHash = obj.webCertificateFullHashs[cmd.domain.id];
Fixed support for ignoreagenthashcheck
2020-11-10 23:51:34 +03:00
if (tlsCertHash != null) { tlsCertHash = Buffer.from(tlsCertHash, 'binary').toString('hex'); }
}
Improved device batch upload.
2020-11-10 03:51:48 +03:00
for (var i in cmd.nodeids) {
obj.GetNodeWithRights(cmd.domain, cmd.user, cmd.nodeids[i], function (node, rights, visible) {
if ((node == null) || ((rights & 8) == 0) || (visible == false)) return; // We don't have remote control rights to this device
Improved batch upload command information.
2021-06-15 23:10:07 +03:00
var agentPath = (((node.agent.id > 0) && (node.agent.id < 5)) || (node.agent.id == 34)) ? cmd.windowsPath : cmd.linuxPath;
Added support for agent with improved key input.
2020-11-18 06:30:26 +03:00
if (agentPath == null) return;
Improved device batch upload.
2020-11-10 03:51:48 +03:00
Improved batch upload command information.
2021-06-15 23:10:07 +03:00
// Compute user consent
var consent = 0;
var mesh = obj.meshes[node.meshid];
if (typeof domain.userconsentflags == 'number') { consent |= domain.userconsentflags; } // Add server required consent flags
if ((mesh != null) && (typeof mesh.consent == 'number')) { consent |= mesh.consent; } // Add device group user consent
if (typeof node.consent == 'number') { consent |= node.consent; } // Add node user consent
if (typeof user.consent == 'number') { consent |= user.consent; } // Add user consent
// Check if we need to add consent flags because of a user group link
if ((mesh != null) && (user.links != null) && (user.links[mesh._id] == null) && (user.links[node._id] == null)) {
// This user does not have a direct link to the device group or device. Find all user groups the would cause the link.
for (var i in user.links) {
Fixed for server exception when uploading a file to many devices with user group account. #3259
2021-11-19 07:05:39 +03:00
var ugrp = obj.userGroups[i];
Improved batch upload command information.
2021-06-15 23:10:07 +03:00
if ((ugrp != null) && (ugrp.consent != null) && (ugrp.links != null) && ((ugrp.links[mesh._id] != null) || (ugrp.links[node._id] != null))) {
consent |= ugrp.consent; // Add user group consent flags
}
}
}
Improved device batch upload.
2020-11-10 03:51:48 +03:00
// Event that this operation is being performed.
var targets = obj.CreateNodeDispatchTargets(node.meshid, node._id, ['server-users', cmd.user._id]);
var msgid = 103; // "Batch upload of {0} file(s) to folder {1}"
var event = { etype: 'node', userid: cmd.user._id, username: cmd.user.name, nodeid: node._id, action: 'batchupload', msg: 'Performing batch upload of ' + cmd.files.length + ' file(s) to ' + agentPath, msgid: msgid, msgArgs: [cmd.files.length, agentPath], domain: cmd.domain.id };
parent.DispatchEvent(targets, obj, event);
// Send the agent commands to perform the batch upload operation
for (var f in cmd.files) {
Added support for agent with improved key input.
2020-11-18 06:30:26 +03:00
if (cmd.files[f].name != null) {
Improved batch upload command information.
2021-06-15 23:10:07 +03:00
const acmd = { action: 'wget', userid: user._id, username: user.name, realname: user.realname, remoteaddr: req.clientIp, consent: consent, rights: rights, overwrite: cmd.overwrite, createFolder: cmd.createFolder, urlpath: '/agentdownload.ashx?c=' + obj.parent.encodeCookie({ a: 'tmpdl', d: cmd.domain.id, nid: node._id, f: cmd.files[f].target }, obj.parent.loginCookieEncryptionKey), path: obj.path.join(agentPath, cmd.files[f].name), folder: agentPath, servertlshash: tlsCertHash };
Added support for agent with improved key input.
2020-11-18 06:30:26 +03:00
var agent = obj.wsagents[node._id];
if (agent != null) { try { agent.send(JSON.stringify(acmd)); } catch (ex) { } }
// TODO: Add support for peer servers.
French translation update and debugging improvements.
2020-11-18 00:44:17 +03:00
}
Added multi-agent upload feature.
2020-11-08 12:13:23 +03:00
}
});
}
res.send('');
});
}
Initial main commit
2017-08-28 19:27:45 +03:00
// Subscribe to all events we are allowed to receive
obj.subscribe = function (userid, target) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const user = obj.users[userid];
Added 2FA lock feature.
2022-02-01 20:11:11 +03:00
const subscriptions = [userid, 'server-allusers'];
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
if (user.siteadmin != null) {
Added extra server permission to see all server events.
2020-08-18 22:46:20 +03:00
// Allow full site administrators of users with all events rights to see all events.
if ((user.siteadmin == 0xFFFFFFFF) || ((user.siteadmin & 2048) != 0)) { subscriptions.push('*'); }
else if ((user.siteadmin & 2) != 0) {
First version with user groups enforcement.
2019-04-17 03:32:18 +03:00
if ((user.groups == null) || (user.groups.length == 0)) {
// Subscribe to all user changes
subscriptions.push('server-users');
} else {
// Subscribe to user changes for some groups
for (var i in user.groups) { subscriptions.push('server-users:' + i); }
}
}
Initial main commit
2017-08-28 19:27:45 +03:00
}
Fixed usernames that include a dot (.)
2018-07-14 05:18:43 +03:00
if (user.links != null) { for (var i in user.links) { subscriptions.push(i); } }
Initial main commit
2017-08-28 19:27:45 +03:00
obj.parent.RemoveAllEventDispatch(target);
obj.parent.AddEventDispatch(subscriptions, target);
return subscriptions;
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
};
Initial main commit
2017-08-28 19:27:45 +03:00
// Handle a web socket relay request
Fixed ClickOnce support & improved websocket authentication
2018-10-16 03:21:37 +03:00
function handleRelayWebSocket(ws, req, domain, user, cookie) {
if (!(req.query.host)) { console.log('ERR: No host target specified'); try { ws.close(); } catch (e) { } return; } // Disconnect websocket
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('web', 'Websocket relay connected from ' + user.name + ' for ' + req.query.host + '.');
Made MQTT optional.
2019-10-04 22:18:56 +03:00
Allows MeshCommander to relay thru MeshCentral.
2018-10-14 02:04:04 +03:00
try { ws._socket.setKeepAlive(true, 240000); } catch (ex) { } // Set TCP keep alive
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Fetch information about the target
obj.db.Get(req.query.host, function (err, docs) {
Fixed ClickOnce support & improved websocket authentication
2018-10-16 03:21:37 +03:00
if (docs.length == 0) { console.log('ERR: Node not found'); try { ws.close(); } catch (e) { } return; } // Disconnect websocket
Improved web interface for getting started.
2017-10-03 00:12:29 +03:00
var node = docs[0];
Fixed ClickOnce support & improved websocket authentication
2018-10-16 03:21:37 +03:00
if (!node.intelamt) { console.log('ERR: Not AMT node'); try { ws.close(); } catch (e) { } return; } // Disconnect websocket
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Check if this user has permission to manage this computer
Improved MeshCentral Router with individual device permission support.
2020-04-02 02:41:35 +03:00
if ((obj.GetNodeRights(user, node.meshid, node._id) & MESHRIGHT_REMOTECONTROL) == 0) { console.log('ERR: Access denied (3)'); try { ws.close(); } catch (e) { } return; }
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Check what connectivity is available for this node
Added a lot of the load-balancing support
2017-09-13 21:25:57 +03:00
var state = parent.GetConnectivityState(req.query.host);
Initial main commit
2017-08-28 19:27:45 +03:00
var conn = 0;
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
if (!state || state.connectivity == 0) { parent.debug('web', 'ERR: No routing possible (1)'); try { ws.close(); } catch (e) { } return; } else { conn = state.connectivity; }
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
// Check what server needs to handle this connection
Yubikey fix & Server peering fixes.
2019-08-15 21:47:40 +03:00
if ((obj.parent.multiServer != null) && ((cookie == null) || (cookie.ps != 1))) { // If a cookie is provided and is from a peer server, don't allow the connection to jump again to a different server
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
var server = obj.parent.GetRoutingServerId(req.query.host, 2); // Check for Intel CIRA connection
if (server != null) {
if (server.serverid != obj.parent.serverId) {
// Do local Intel CIRA routing using a different server
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('web', 'Route Intel AMT CIRA connection to peer server: ' + server.serverid);
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
obj.parent.multiServer.createPeerRelay(ws, req, server.serverid, user);
return;
}
} else {
server = obj.parent.GetRoutingServerId(req.query.host, 4); // Check for local Intel AMT connection
if ((server != null) && (server.serverid != obj.parent.serverId)) {
// Do local Intel AMT routing using a different server
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('web', 'Route Intel AMT direct connection to peer server: ' + server.serverid);
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
obj.parent.multiServer.createPeerRelay(ws, req, server.serverid, user);
return;
}
}
Initial main commit
2017-08-28 19:27:45 +03:00
}
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
Node 6.x cbor fix.
2019-08-08 00:25:23 +03:00
// Setup session recording if needed
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
if (domain.sessionrecording == true || ((typeof domain.sessionrecording == 'object') && ((domain.sessionrecording.protocols == null) || (domain.sessionrecording.protocols.indexOf((req.query.p == 2) ? 101 : 100) >= 0)))) { // TODO 100
MeshCore.js can now handle long connection name pipes.
2020-10-01 02:59:34 +03:00
// Check again if we need to do recording
var record = true;
Started work on per-user session recording. #3064
2021-08-26 22:42:09 +03:00
// Check user or device group recording
Fix for #3066
2021-08-27 08:04:17 +03:00
if ((typeof domain.sessionrecording == 'object') && ((domain.sessionrecording.onlyselectedusers === true) || (domain.sessionrecording.onlyselecteddevicegroups === true))) {
Started work on per-user session recording. #3064
2021-08-26 22:42:09 +03:00
record = false;
// Check device group recording
if (domain.sessionrecording.onlyselecteddevicegroups === true) {
var mesh = obj.meshes[node.meshid];
if ((mesh.flags != null) && ((mesh.flags & 4) != 0)) { record = true; } // Record the session
}
// Check user recording
if (domain.sessionrecording.onlyselectedusers === true) {
if ((user.flags != null) && ((user.flags & 2) != 0)) { record = true; } // Record the session
}
Node 6.x cbor fix.
2019-08-08 00:25:23 +03:00
}
MeshCore.js can now handle long connection name pipes.
2020-10-01 02:59:34 +03:00
if (record == true) {
var now = new Date(Date.now());
Fixed recording file name and recording icon. #3207
2021-10-20 20:33:21 +03:00
var recFilename = 'relaysession' + ((domain.id == '') ? '' : '-') + domain.id + '-' + now.getUTCFullYear() + '-' + obj.common.zeroPad(now.getUTCMonth() + 1, 2) + '-' + obj.common.zeroPad(now.getUTCDate(), 2) + '-' + obj.common.zeroPad(now.getUTCHours(), 2) + '-' + obj.common.zeroPad(now.getUTCMinutes(), 2) + '-' + obj.common.zeroPad(now.getUTCSeconds(), 2) + '-' + getRandomPassword() + '.mcrec'
MeshCore.js can now handle long connection name pipes.
2020-10-01 02:59:34 +03:00
var recFullFilename = null;
if (domain.sessionrecording.filepath) {
try { obj.fs.mkdirSync(domain.sessionrecording.filepath); } catch (e) { }
recFullFilename = obj.path.join(domain.sessionrecording.filepath, recFilename);
} else {
try { obj.fs.mkdirSync(parent.recordpath); } catch (e) { }
recFullFilename = obj.path.join(parent.recordpath, recFilename);
}
var fd = obj.fs.openSync(recFullFilename, 'w');
if (fd != null) {
// Write the recording file header
var firstBlock = JSON.stringify({ magic: 'MeshCentralRelaySession', ver: 1, userid: user._id, username: user.name, ipaddr: req.clientIp, nodeid: node._id, intelamt: true, protocol: (req.query.p == 2) ? 101 : 100, time: new Date().toLocaleString() })
recordingEntry(fd, 1, 0, firstBlock, function () { });
ws.logfile = { fd: fd, lock: false };
if (req.query.p == 2) { ws.send(Buffer.from(String.fromCharCode(0xF0), 'binary')); } // Intel AMT Redirection: Indicate the session is being recorded
}
Node 6.x cbor fix.
2019-08-08 00:25:23 +03:00
}
}
Initial main commit
2017-08-28 19:27:45 +03:00
// If Intel AMT CIRA connection is available, use it
Many Intel AMT improvements.
2020-10-10 01:44:09 +03:00
var ciraconn = parent.mpsserver.GetConnectionToNode(req.query.host, null, false);
if (ciraconn != null) {
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('web', 'Opening relay CIRA channel connection to ' + req.query.host + '.');
Fixed MeshRelay access control
2018-10-16 20:52:05 +03:00
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
// TODO: If the CIRA connection is a relay or LMS connection, we can't detect the TLS state like this.
Initial main commit
2017-08-28 19:27:45 +03:00
// Compute target port, look at the CIRA port mappings, if non-TLS is allowed, use that, if not use TLS
var port = 16993;
//if (node.intelamt.tls == 0) port = 16992; // DEBUG: Allow TLS flag to set TLS mode within CIRA
if (ciraconn.tag.boundPorts.indexOf(16992) >= 0) port = 16992; // RELEASE: Always use non-TLS mode if available within CIRA
if (req.query.p == 2) port += 2;
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Setup a new CIRA channel
if ((port == 16993) || (port == 16995)) {
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
// Perform TLS
Initial main commit
2017-08-28 19:27:45 +03:00
var ser = new SerialTunnel();
First version with CIRA support in AMT Manager.
2020-10-08 22:50:27 +03:00
var chnl = parent.mpsserver.SetupChannel(ciraconn, port);
Initial main commit
2017-08-28 19:27:45 +03:00
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
// Let's chain up the TLSSocket <-> SerialTunnel <-> CIRA APF (chnl)
Initial main commit
2017-08-28 19:27:45 +03:00
// Anything that needs to be forwarded by SerialTunnel will be encapsulated by chnl write
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
ser.forwardwrite = function (data) { if (data.length > 0) { chnl.write(data); } }; // TLS ---> CIRA
Initial main commit
2017-08-28 19:27:45 +03:00
// When APF tunnel return something, update SerialTunnel buffer
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
chnl.onData = function (ciraconn, data) { if (data.length > 0) { try { ser.updateBuffer(data); } catch (ex) { console.log(ex); } } }; // CIRA ---> TLS
Initial main commit
2017-08-28 19:27:45 +03:00
Allows MeshCommander to relay thru MeshCentral.
2018-10-14 02:04:04 +03:00
// Handle CIRA tunnel state change
Initial main commit
2017-08-28 19:27:45 +03:00
chnl.onStateChange = function (ciraconn, state) {
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('webrelay', 'Relay TLS CIRA state change', state);
Initial main commit
2017-08-28 19:27:45 +03:00
if (state == 0) { try { ws.close(); } catch (e) { } }
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
if (state == 2) {
// TLSSocket to encapsulate TLS communication, which then tunneled via SerialTunnel an then wrapped through CIRA APF
const tlsoptions = { socket: ser, ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false };
if (req.query.tls1only == 1) { tlsoptions.secureProtocol = 'TLSv1_method'; }
var tlsock = obj.tls.connect(tlsoptions, function () { parent.debug('webrelay', "CIRA Secure TLS Connection"); ws._socket.resume(); });
tlsock.chnl = chnl;
tlsock.setEncoding('binary');
tlsock.on('error', function (err) { parent.debug('webrelay', "CIRA TLS Connection Error", err); });
// Decrypted tunnel from TLS communcation to be forwarded to websocket
tlsock.on('data', function (data) {
// AMT/TLS ---> WS
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
if (ws.interceptor) { data = ws.interceptor.processAmtData(data); } // Run data thru interceptor
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
try { ws.send(data); } catch (ex) { }
});
Initial main commit
2017-08-28 19:27:45 +03:00
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
// If TLS is on, forward it through TLSSocket
ws.forwardclient = tlsock;
ws.forwardclient.xtls = 1;
Initial main commit
2017-08-28 19:27:45 +03:00
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
ws.forwardclient.onStateChange = function (ciraconn, state) {
parent.debug('webrelay', 'Relay CIRA state change', state);
if (state == 0) { try { ws.close(); } catch (e) { } }
};
ws.forwardclient.onData = function (ciraconn, data) {
// Run data thru interceptor
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
if (ws.interceptor) { data = ws.interceptor.processAmtData(data); }
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
if (data.length > 0) {
if (ws.logfile == null) {
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
try { ws.send(data); } catch (e) { }
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
} else {
// Log to recording file
recordingEntry(ws.logfile.fd, 2, 0, data, function () { try { ws.send(data); } catch (ex) { console.log(ex); } }); // TODO: Add TLS support
}
}
};
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
// TODO: Flow control? (Dont' really need it with AMT, but would be nice)
ws.forwardclient.onSendOk = function (ciraconn) { };
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
}
};
Initial main commit
2017-08-28 19:27:45 +03:00
} else {
// Without TLS
First version with CIRA support in AMT Manager.
2020-10-08 22:50:27 +03:00
ws.forwardclient = parent.mpsserver.SetupChannel(ciraconn, port);
Initial main commit
2017-08-28 19:27:45 +03:00
ws.forwardclient.xtls = 0;
Updated to Express-ws 4.x
2018-12-01 08:23:10 +03:00
ws._socket.resume();
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
ws.forwardclient.onStateChange = function (ciraconn, state) {
parent.debug('webrelay', 'Relay CIRA state change', state);
if (state == 0) { try { ws.close(); } catch (e) { } }
};
ws.forwardclient.onData = function (ciraconn, data) {
//parent.debug('webrelaydata', 'Relay CIRA data to WS', data.length);
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
// Run data thru interceptorp
if (ws.interceptor) { data = ws.interceptor.processAmtData(data); }
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
//console.log('AMT --> WS', Buffer.from(data, 'binary').toString('hex'));
if (data.length > 0) {
if (ws.logfile == null) {
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
try { ws.send(data); } catch (e) { }
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
} else {
// Log to recording file
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
recordingEntry(ws.logfile.fd, 2, 0, data, function () { try { ws.send(data); } catch (ex) { console.log(ex); } });
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
}
}
};
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
// TODO: Flow control? (Dont' really need it with AMT, but would be nice)
ws.forwardclient.onSendOk = function (ciraconn) { };
Initial main commit
2017-08-28 19:27:45 +03:00
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// When data is received from the web socket, forward the data into the associated CIRA cahnnel.
// If the CIRA connection is pending, the CIRA channel has built-in buffering, so we are ok sending anyway.
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
ws.on('message', function (data) {
//parent.debug('webrelaydata', 'Relay WS data to CIRA', data.length);
if (typeof data == 'string') { data = Buffer.from(data, 'binary'); }
Initial main commit
2017-08-28 19:27:45 +03:00
// WS ---> AMT/TLS
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
if (ws.interceptor) { data = ws.interceptor.processBrowserData(data); } // Run data thru interceptor
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
// Log to recording file
if (ws.logfile == null) {
// Forward data to the associated TCP connection.
Fixed possible server exceptions.
2021-01-26 11:09:28 +03:00
try { ws.forwardclient.write(data); } catch (ex) { }
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
} else {
// Log to recording file
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
recordingEntry(ws.logfile.fd, 2, 2, data, function () { try { ws.forwardclient.write(data); } catch (ex) { } });
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
}
Initial main commit
2017-08-28 19:27:45 +03:00
});
Improved some websocket error handling.
2019-01-03 05:34:50 +03:00
// If error, close the associated TCP connection.
ws.on('error', function (err) {
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
console.log('CIRA server websocket error from ' + req.clientIp + ', ' + err.toString().split('\r')[0] + '.');
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('webrelay', 'Websocket relay closed on error.');
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
// Websocket closed, close the CIRA channel and TLS session.
if (ws.forwardclient) {
if (ws.forwardclient.close) { ws.forwardclient.close(); } // NonTLS, close the CIRA channel
if (ws.forwardclient.end) { ws.forwardclient.end(); } // TLS, close the TLS session
if (ws.forwardclient.chnl) { ws.forwardclient.chnl.close(); } // TLS, close the CIRA channel
delete ws.forwardclient;
}
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
// Close the recording file
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
if (ws.logfile != null) { recordingEntry(ws.logfile.fd, 3, 0, 'MeshCentralMCREC', function (fd, ws) { obj.fs.close(fd); delete ws.logfile; }, ws); }
Improved some websocket error handling.
2019-01-03 05:34:50 +03:00
});
Initial main commit
2017-08-28 19:27:45 +03:00
// If the web socket is closed, close the associated TCP connection.
ws.on('close', function (req) {
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('webrelay', 'Websocket relay closed.');
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
// Websocket closed, close the CIRA channel and TLS session.
if (ws.forwardclient) {
if (ws.forwardclient.close) { ws.forwardclient.close(); } // NonTLS, close the CIRA channel
if (ws.forwardclient.end) { ws.forwardclient.end(); } // TLS, close the TLS session
if (ws.forwardclient.chnl) { ws.forwardclient.chnl.close(); } // TLS, close the CIRA channel
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
delete ws.forwardclient;
Improved session recording support.
2019-08-13 21:49:05 +03:00
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
// Close the recording file
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
if (ws.logfile != null) { recordingEntry(ws.logfile.fd, 3, 0, 'MeshCentralMCREC', function (fd, ws) { obj.fs.close(fd); delete ws.logfile; }, ws); }
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
});
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Added Intel AMT tunneling configuration support.
2020-10-18 05:23:24 +03:00
// Note that here, req.query.p: 1 = WSMAN with server auth, 2 = REDIR with server auth, 3 = WSMAN without server auth, 4 = REDIR with server auth
Initial main commit
2017-08-28 19:27:45 +03:00
// Fetch Intel AMT credentials & Setup interceptor
if (req.query.p == 1) {
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('webrelaydata', 'INTERCEPTOR1', { host: node.host, port: port, user: node.intelamt.user, pass: node.intelamt.pass });
Initial main commit
2017-08-28 19:27:45 +03:00
ws.interceptor = obj.interceptor.CreateHttpInterceptor({ host: node.host, port: port, user: node.intelamt.user, pass: node.intelamt.pass });
WebRTC is now used by default and fully automatic.
2018-02-05 22:56:29 +03:00
ws.interceptor.blockAmtStorage = true;
Fixed WebRelay when using CIRA with TLS.
2020-10-14 23:13:05 +03:00
} else if (req.query.p == 2) {
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('webrelaydata', 'INTERCEPTOR2', { user: node.intelamt.user, pass: node.intelamt.pass });
Initial main commit
2017-08-28 19:27:45 +03:00
ws.interceptor = obj.interceptor.CreateRedirInterceptor({ user: node.intelamt.user, pass: node.intelamt.pass });
WebRTC is now used by default and fully automatic.
2018-02-05 22:56:29 +03:00
ws.interceptor.blockAmtStorage = true;
Initial main commit
2017-08-28 19:27:45 +03:00
}
return;
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// If Intel AMT direct connection is possible, option a direct socket
if ((conn & 4) != 0) { // We got a new web socket connection, initiate a TCP connection to the target Intel AMT host/port.
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('webrelay', 'Opening relay TCP socket connection to ' + req.query.host + '.');
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
// When data is received from the web socket, forward the data into the associated TCP connection.
ws.on('message', function (msg) {
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
//parent.debug('webrelaydata', 'TCP relay data to ' + node.host + ', ' + msg.length + ' bytes');
if (typeof msg == 'string') { msg = Buffer.from(msg, 'binary'); }
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 09:22:19 +03:00
if (ws.interceptor) { msg = ws.interceptor.processBrowserData(msg); } // Run data thru interceptor
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
// Log to recording file
if (ws.logfile == null) {
// Forward data to the associated TCP connection.
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
try { ws.forwardclient.write(msg); } catch (ex) { }
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
} else {
// Log to recording file
recordingEntry(ws.logfile.fd, 2, 2, msg, function () { try { ws.forwardclient.write(msg); } catch (ex) { } });
}
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
});
Improved some websocket error handling.
2019-01-03 05:34:50 +03:00
// If error, close the associated TCP connection.
ws.on('error', function (err) {
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
console.log('Error with relay web socket connection from ' + req.clientIp + ', ' + err.toString().split('\r')[0] + '.');
parent.debug('webrelay', 'Error with relay web socket connection from ' + req.clientIp + '.');
Improved some websocket error handling.
2019-01-03 05:34:50 +03:00
if (ws.forwardclient) { try { ws.forwardclient.destroy(); } catch (e) { } }
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
// Close the recording file
Improved session recording support.
2019-08-13 21:49:05 +03:00
if (ws.logfile != null) {
recordingEntry(ws.logfile.fd, 3, 0, 'MeshCentralMCREC', function (fd) {
obj.fs.close(fd);
ws.logfile = null;
});
}
Improved some websocket error handling.
2019-01-03 05:34:50 +03:00
});
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
// If the web socket is closed, close the associated TCP connection.
Added chat to device support, more fixes.
2018-12-08 03:36:27 +03:00
ws.on('close', function () {
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('webrelay', 'Closing relay web socket connection to ' + req.query.host + '.');
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
if (ws.forwardclient) { try { ws.forwardclient.destroy(); } catch (e) { } }
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
// Close the recording file
Improved session recording support.
2019-08-13 21:49:05 +03:00
if (ws.logfile != null) {
recordingEntry(ws.logfile.fd, 3, 0, 'MeshCentralMCREC', function (fd) {
obj.fs.close(fd);
ws.logfile = null;
});
}
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
});
Initial main commit
2017-08-28 19:27:45 +03:00
// Compute target port
var port = 16992;
if (node.intelamt.tls > 0) port = 16993; // This is a direct connection, use TLS when possible
Added Intel AMT tunneling configuration support.
2020-10-18 05:23:24 +03:00
if ((req.query.p == 2) || (req.query.p == 4)) port += 2;
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
if (node.intelamt.tls == 0) {
// If this is TCP (without TLS) set a normal TCP socket
ws.forwardclient = new obj.net.Socket();
ws.forwardclient.setEncoding('binary');
ws.forwardclient.xstate = 0;
ws.forwardclient.forwardwsocket = ws;
Updated to Express-ws 4.x
2018-12-01 08:23:10 +03:00
ws._socket.resume();
Initial main commit
2017-08-28 19:27:45 +03:00
} else {
// If TLS is going to be used, setup a TLS socket
Fixed Intel AMT TLS.
2020-03-31 05:29:46 +03:00
var tlsoptions = { ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false };
if (req.query.tls1only == 1) { tlsoptions.secureProtocol = 'TLSv1_method'; }
Added new certificate for Intel AMT console authentication.
2017-09-30 00:26:51 +03:00
ws.forwardclient = obj.tls.connect(port, node.host, tlsoptions, function () {
Initial main commit
2017-08-28 19:27:45 +03:00
// The TLS connection method is the same as TCP, but located a bit differently.
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('webrelay', 'TLS connected to ' + node.host + ':' + port + '.');
Initial main commit
2017-08-28 19:27:45 +03:00
ws.forwardclient.xstate = 1;
Updated to Express-ws 4.x
2018-12-01 08:23:10 +03:00
ws._socket.resume();
Initial main commit
2017-08-28 19:27:45 +03:00
});
ws.forwardclient.setEncoding('binary');
ws.forwardclient.xstate = 0;
ws.forwardclient.forwardwsocket = ws;
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// When we receive data on the TCP connection, forward it back into the web socket connection.
ws.forwardclient.on('data', function (data) {
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
if (typeof data == 'string') { data = Buffer.from(data, 'binary'); }
Update MeshAgents, fixed MeshCmd.js
2018-08-07 04:57:30 +03:00
if (obj.parent.debugLevel >= 1) { // DEBUG
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('webrelaydata', 'TCP relay data from ' + node.host + ', ' + data.length + ' bytes.');
//if (obj.parent.debugLevel >= 4) { Debug(4, ' ' + Buffer.from(data, 'binary').toString('hex')); }
Update MeshAgents, fixed MeshCmd.js
2018-08-07 04:57:30 +03:00
}
Initial main commit
2017-08-28 19:27:45 +03:00
if (ws.interceptor) { data = ws.interceptor.processAmtData(data); } // Run data thru interceptor
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
if (ws.logfile == null) {
// No logging
AMT interceptor performance improvement.
2020-10-14 23:39:24 +03:00
try { ws.send(data); } catch (e) { }
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
} else {
// Log to recording file
recordingEntry(ws.logfile.fd, 2, 0, data, function () { try { ws.send(data); } catch (e) { } });
}
Initial main commit
2017-08-28 19:27:45 +03:00
});
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// If the TCP connection closes, disconnect the associated web socket.
ws.forwardclient.on('close', function () {
Fixed Intel AMT TLS.
2020-03-31 05:29:46 +03:00
parent.debug('webrelay', 'TCP relay disconnected from ' + node.host + ':' + port + '.');
Initial main commit
2017-08-28 19:27:45 +03:00
try { ws.close(); } catch (e) { }
});
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// If the TCP connection causes an error, disconnect the associated web socket.
ws.forwardclient.on('error', function (err) {
Fixed Intel AMT TLS.
2020-03-31 05:29:46 +03:00
parent.debug('webrelay', 'TCP relay error from ' + node.host + ':' + port + ': ' + err);
Initial main commit
2017-08-28 19:27:45 +03:00
try { ws.close(); } catch (e) { }
});
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Fetch Intel AMT credentials & Setup interceptor
if (req.query.p == 1) { ws.interceptor = obj.interceptor.CreateHttpInterceptor({ host: node.host, port: port, user: node.intelamt.user, pass: node.intelamt.pass }); }
else if (req.query.p == 2) { ws.interceptor = obj.interceptor.CreateRedirInterceptor({ user: node.intelamt.user, pass: node.intelamt.pass }); }
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
if (node.intelamt.tls == 0) {
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
// A TCP connection to Intel AMT just connected, start forwarding.
Initial main commit
2017-08-28 19:27:45 +03:00
ws.forwardclient.connect(port, node.host, function () {
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('webrelay', 'TCP relay connected to ' + node.host + ':' + port + '.');
Initial main commit
2017-08-28 19:27:45 +03:00
ws.forwardclient.xstate = 1;
Updated to Express-ws 4.x
2018-12-01 08:23:10 +03:00
ws._socket.resume();
Initial main commit
2017-08-28 19:27:45 +03:00
});
}
return;
}
});
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
}
Initial main commit
2017-08-28 19:27:45 +03:00
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
// Setup agent to/from server file transfer handler
function handleAgentFileTransfer(ws, req) {
var domain = checkAgentIpAddress(ws, req);
if (domain == null) { parent.debug('web', 'Got agent file transfer connection with bad domain or blocked IP address ' + req.clientIp + ', dropping.'); ws.close(); return; }
if (req.query.c == null) { parent.debug('web', 'Got agent file transfer connection without a cookie from ' + req.clientIp + ', dropping.'); ws.close(); return; }
var c = obj.parent.decodeCookie(req.query.c, obj.parent.loginCookieEncryptionKey, 10); // 10 minute timeout
if ((c == null) || (c.a != 'aft')) { parent.debug('web', 'Got agent file transfer connection with invalid cookie from ' + req.clientIp + ', dropping.'); ws.close(); return; }
ws.xcmd = c.b; ws.xarg = c.c, ws.xfilelen = 0;
ws.send('c'); // Indicate connection of the tunnel. In this case, we are the termination point.
ws.send('5'); // Indicate we want to perform file transfers (5 = Files).
if (ws.xcmd == 'coredump') {
// Check the agent core dump folder if not already present.
Improved Google Drive autobackup.
2020-08-21 21:47:34 +03:00
var coreDumpPath = obj.path.join(parent.datapath, '..', 'meshcentral-coredumps');
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
if (obj.fs.existsSync(coreDumpPath) == false) { try { obj.fs.mkdirSync(coreDumpPath); } catch (ex) { } }
Improved Google Drive autobackup.
2020-08-21 21:47:34 +03:00
ws.xfilepath = obj.path.join(parent.datapath, '..', 'meshcentral-coredumps', ws.xarg);
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
ws.xid = 'coredump';
Agent core download and reverse proxy improvements.
2020-12-01 00:20:31 +03:00
ws.send(JSON.stringify({ action: 'download', sub: 'start', ask: 'coredump', id: 'coredump' })); // Ask for a core dump file
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
}
// When data is received from the web socket, echo it back
ws.on('message', function (data) {
if (typeof data == 'string') {
// Control message
var cmd = null;
try { cmd = JSON.parse(data); } catch (ex) { }
if ((cmd == null) || (cmd.action != 'download') || (cmd.sub == null)) return;
switch (cmd.sub) {
case 'start': {
// Perform an async file open
var callback = function onFileOpen(err, fd) {
onFileOpen.xws.xfile = fd;
Fixed server exception.
2021-03-01 23:38:13 +03:00
try { onFileOpen.xws.send(JSON.stringify({ action: 'download', sub: 'startack', id: onFileOpen.xws.xid, ack: 1 })); } catch (ex) { } // Ask for a directory (test)
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
};
callback.xws = this;
Improved agent coredump processing.
2020-10-28 02:40:12 +03:00
obj.fs.open(this.xfilepath + '.part', 'w', callback);
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
break;
}
}
} else {
// Binary message
if (data.length < 4) return;
var flags = data.readInt32BE(0);
if ((data.length > 4)) {
// Write the file
this.xfilelen += (data.length - 4);
try {
var callback = function onFileDataWritten(err, bytesWritten, buffer) {
if (onFileDataWritten.xflags & 1) {
// End of file
parent.debug('web', "Completed downloads of agent dumpfile, " + onFileDataWritten.xws.xfilelen + " bytes.");
Improved agent coredump processing.
2020-10-28 02:40:12 +03:00
if (onFileDataWritten.xws.xfile) {
obj.fs.close(onFileDataWritten.xws.xfile, function (err) { });
obj.fs.rename(onFileDataWritten.xws.xfilepath + '.part', onFileDataWritten.xws.xfilepath, function (err) { });
onFileDataWritten.xws.xfile = null;
}
Fixed server exception.
2021-03-01 23:38:13 +03:00
try { onFileDataWritten.xws.send(JSON.stringify({ action: 'markcoredump' })); } catch (ex) { } // Ask to delete the core dump file
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
try { onFileDataWritten.xws.close(); } catch (ex) { }
} else {
// Send ack
Fixed server exception.
2021-03-01 23:38:13 +03:00
try { onFileDataWritten.xws.send(JSON.stringify({ action: 'download', sub: 'ack', id: onFileDataWritten.xws.xid })); } catch (ex) { } // Ask for a directory (test)
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
}
};
callback.xws = this;
callback.xflags = flags;
obj.fs.write(this.xfile, data, 4, data.length - 4, callback);
} catch (ex) { }
} else {
if (flags & 1) {
// End of file
parent.debug('web', "Completed downloads of agent dumpfile, " + this.xfilelen + " bytes.");
Improved agent coredump processing.
2020-10-28 02:40:12 +03:00
if (this.xfile) {
obj.fs.close(this.xfile, function (err) { });
obj.fs.rename(this.xfilepath + '.part', this.xfilepath, function (err) { });
this.xfile = null;
}
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
this.send(JSON.stringify({ action: 'markcoredump' })); // Ask to delete the core dump file
try { this.close(); } catch (ex) { }
} else {
// Send ack
this.send(JSON.stringify({ action: 'download', sub: 'ack', id: this.xid })); // Ask for a directory (test)
}
}
}
});
// If error, do nothing.
ws.on('error', function (err) { console.log('Agent file transfer server error from ' + req.clientIp + ', ' + err.toString().split('\r')[0] + '.'); });
// If closed, do nothing
Improved agent coredump processing.
2020-10-28 02:40:12 +03:00
ws.on('close', function (req) {
if (this.xfile) {
obj.fs.close(this.xfile, function (err) { });
obj.fs.unlink(this.xfilepath + '.part', function (err) { }); // Remove a partial file
}
});
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
}
Initial main commit
2017-08-28 19:27:45 +03:00
// Handle the web socket echo request, just echo back the data sent
function handleEchoWebSocket(ws, req) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(ws, req);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
More ClickOnce fixes.
2017-10-25 19:58:14 +03:00
ws._socket.setKeepAlive(true, 240000); // Set TCP keep alive
Added user IP filtering.
2017-09-27 22:43:20 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// When data is received from the web socket, echo it back
ws.on('message', function (data) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
if (data.toString('utf8') == 'close') {
Initial main commit
2017-08-28 19:27:45 +03:00
try { ws.close(); } catch (e) { console.log(e); }
} else {
try { ws.send(data); } catch (e) { console.log(e); }
}
});
Improved some websocket error handling.
2019-01-03 05:34:50 +03:00
// If error, do nothing.
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
ws.on('error', function (err) { console.log('Echo server error from ' + req.clientIp + ', ' + err.toString().split('\r')[0] + '.'); });
Initial main commit
2017-08-28 19:27:45 +03:00
// If closed, do nothing
ws.on('close', function (req) { });
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
More work on device 2FA.
2021-04-14 23:28:51 +03:00
// Handle the 2FA hold web socket
// Accept an hold a web socket connection until the 2FA response is received.
function handle2faHoldWebSocket(ws, req) {
const domain = checkUserIpAddress(ws, req);
if (domain == null) { return; }
More work on device 2FA.
2021-04-15 00:06:31 +03:00
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.push2factor == false)) { ws.close(); return; } // Push 2FA is disabled
More work on device 2FA.
2021-04-14 23:28:51 +03:00
if (typeof req.query.c !== 'string') { ws.close(); return; }
const cookie = parent.decodeCookie(req.query.c, null, 1);
if ((cookie == null) || (cookie.d != domain.id)) { ws.close(); return; }
var user = obj.users[cookie.u];
if ((user == null) || (typeof user.otpdev != 'string')) { ws.close(); return; }
More work on device 2FA.
2021-04-15 00:06:31 +03:00
ws._socket.setKeepAlive(true, 240000); // Set TCP keep alive
More work on device 2FA.
2021-04-14 23:28:51 +03:00
// 2FA event subscription
obj.parent.AddEventDispatch(['2fadev-' + cookie.s], ws);
ws.cookie = cookie;
ws.HandleEvent = function (source, event, ids, id) {
obj.parent.RemoveAllEventDispatch(this);
if ((event.approved === true) && (event.userid == this.cookie.u)) {
// Create a login cookie
const loginCookie = obj.parent.encodeCookie({ a: 'pushAuth', u: event.userid, d: event.domain }, obj.parent.loginCookieEncryptionKey);
try { ws.send(JSON.stringify({ approved: true, token: loginCookie })); } catch (ex) { }
} else {
// Reject the login
try { ws.send(JSON.stringify({ approved: false })); } catch (ex) { }
}
}
// We do not accept any data on this connection.
ws.on('message', function (data) { this.close(); });
// If error, do nothing.
ws.on('error', function (err) { });
// If closed, unsubscribe
ws.on('close', function (req) { obj.parent.RemoveAllEventDispatch(this); });
// Perform push notification to device
try {
const deviceCookie = parent.encodeCookie({ a: 'checkAuth', c: cookie.c, u: cookie.u, n: cookie.n, s: cookie.s });
var code = Buffer.from(cookie.c, 'base64').toString();
var payload = { notification: { title: (domain.title ? domain.title : 'MeshCentral'), body: "Authentication - " + code }, data: { url: '2fa://auth?code=' + cookie.c + '&c=' + deviceCookie } };
var options = { priority: 'High', timeToLive: 60 }; // TTL: 1 minute
parent.firebase.sendToDevice(user.otpdev, payload, options, function (id, err, errdesc) {
if (err == null) {
try { ws.send(JSON.stringify({ sent: true, code: code })); } catch (ex) { }
} else {
try { ws.send(JSON.stringify({ sent: false })); } catch (ex) { }
}
});
} catch (ex) { console.log(ex); }
}
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
// Get the total size of all files in a folder and all sub-folders. (TODO: try to make all async version)
Initial main commit
2017-08-28 19:27:45 +03:00
function readTotalFileSize(path) {
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
var r = 0, dir;
try { dir = obj.fs.readdirSync(path); } catch (e) { return 0; }
Initial main commit
2017-08-28 19:27:45 +03:00
for (var i in dir) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
var stat = obj.fs.statSync(path + '/' + dir[i]);
Initial main commit
2017-08-28 19:27:45 +03:00
if ((stat.mode & 0x004000) == 0) { r += stat.size; } else { r += readTotalFileSize(path + '/' + dir[i]); }
}
return r;
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Fixed server files upload/download
2017-12-01 01:40:46 +03:00
// Delete a folder and all sub items. (TODO: try to make all async version)
Initial main commit
2017-08-28 19:27:45 +03:00
function deleteFolderRec(path) {
if (obj.fs.existsSync(path) == false) return;
New MeshMessenger and fixed server crash on some file copy.
2019-10-31 00:30:34 +03:00
try {
obj.fs.readdirSync(path).forEach(function (file, index) {
var pathx = path + '/' + file;
if (obj.fs.lstatSync(pathx).isDirectory()) { deleteFolderRec(pathx); } else { obj.fs.unlinkSync(pathx); }
});
obj.fs.rmdirSync(path);
} catch (ex) { }
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Handle Intel AMT events
// To subscribe, add "http://server:port/amtevents.ashx" to Intel AMT subscriptions.
obj.handleAmtEventRequest = function (req, res) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = getDomain(req);
Initial main commit
2017-08-28 19:27:45 +03:00
try {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
if (req.headers.authorization) {
var authstr = req.headers.authorization;
Centralization of user access control.
2019-12-27 09:53:01 +03:00
if (authstr.substring(0, 7) == 'Digest ') {
Initial main commit
2017-08-28 19:27:45 +03:00
var auth = obj.common.parseNameValueList(obj.common.quoteSplit(authstr.substring(7)));
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 09:22:19 +03:00
if ((req.url === auth.uri) && (obj.httpAuthRealm === auth.realm) && (auth.opaque === obj.crypto.createHmac('SHA384', obj.httpAuthRandom).update(auth.nonce).digest('hex'))) {
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Read the data, we need to get the arg field
var eventData = '';
req.on('data', function (chunk) { eventData += chunk; });
req.on('end', function () {
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Completed event read, let get the argument that must contain the nodeid
var i = eventData.indexOf('<m:arg xmlns:m="http://x.com">');
if (i > 0) {
Base64 encoding of meshid/nodeid in the database.
2017-10-16 03:36:06 +03:00
var nodeid = eventData.substring(i + 30, i + 30 + 64);
Initial main commit
2017-08-28 19:27:45 +03:00
if (nodeid.length == 64) {
var nodekey = 'node/' + domain.id + '/' + nodeid;
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// See if this node exists in the database
obj.db.Get(nodekey, function (err, nodes) {
if (nodes.length == 1) {
// Yes, the node exists, compute Intel AMT digest password
var node = nodes[0];
Centralization of user access control.
2019-12-27 09:53:01 +03:00
var amtpass = obj.crypto.createHash('sha384').update(auth.username.toLowerCase() + ':' + nodeid + ":" + obj.parent.dbconfig.amtWsEventSecret).digest('base64').substring(0, 12).split('/').join('x').split('\\').join('x');
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Check the MD5 hash
Centralization of user access control.
2019-12-27 09:53:01 +03:00
if (auth.response === obj.common.ComputeDigesthash(auth.username, amtpass, auth.realm, 'POST', auth.uri, auth.qop, auth.nonce, auth.nc, auth.cnonce)) {
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// This is an authenticated Intel AMT event, update the host address
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
var amthost = req.clientIp;
Initial main commit
2017-08-28 19:27:45 +03:00
if (amthost.substring(0, 7) === '::ffff:') { amthost = amthost.substring(7); }
if (node.host != amthost) {
// Get the mesh for this device
var mesh = obj.meshes[node.meshid];
if (mesh) {
// Update the database
var oldname = node.host;
node.host = amthost;
Added database links cleanup code.
2020-03-31 03:47:04 +03:00
obj.db.Set(obj.cleanDevice(node));
Initial main commit
2017-08-28 19:27:45 +03:00
// Event the node change
Windows MeshAgent fixes, small UI improvements
2018-09-25 03:47:03 +03:00
var event = { etype: 'node', action: 'changenode', nodeid: node._id, domain: domain.id, msg: 'Intel(R) AMT host change ' + node.name + ' from group ' + mesh.name + ': ' + oldname + ' to ' + amthost };
Removed clonings.
2019-10-11 21:16:36 +03:00
// Remove the Intel AMT password before eventing this.
event.node = node;
if (event.node.intelamt && event.node.intelamt.pass) {
event.node = Object.assign({}, event.node); // Shallow clone
event.node.intelamt = Object.assign({}, event.node.intelamt); // Shallow clone
delete event.node.intelamt.pass;
}
Added MongoDB change stream support.
2019-05-29 03:25:23 +03:00
if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come.
Initial main commit
2017-08-28 19:27:45 +03:00
obj.parent.DispatchEvent(['*', node.meshid], obj, event);
}
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Removed all dependencies on XMLDOM module.
2021-08-20 23:05:34 +03:00
if (parent.amtEventHandler) { parent.amtEventHandler.handleAmtEvent(eventData, nodeid, amthost); }
Initial main commit
2017-08-28 19:27:45 +03:00
//res.send('OK');
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
return;
}
}
});
}
}
});
}
}
}
} catch (e) { console.log(e); }
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Send authentication response
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 09:22:19 +03:00
obj.crypto.randomBytes(48, function (err, buf) {
var nonce = buf.toString('hex'), opaque = obj.crypto.createHmac('SHA384', obj.httpAuthRandom).update(nonce).digest('hex');
Initial main commit
2017-08-28 19:27:45 +03:00
res.set({ 'WWW-Authenticate': 'Digest realm="' + obj.httpAuthRealm + '", qop="auth,auth-int", nonce="' + nonce + '", opaque="' + opaque + '"' });
res.sendStatus(401);
});
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
};
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Handle a server backup request
function handleBackupRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Added per-domain configuration of the MyServer action tab.
2020-09-28 23:28:08 +03:00
if ((!req.session) || (req.session == null) || (!req.session.userid)) { res.sendStatus(401); return; }
Allow complete removal of My Server tab for a specific domain.
2020-10-06 02:47:30 +03:00
if ((domain.myserver === false) || ((domain.myserver != null) && (domain.myserver.backup !== true))) { res.sendStatus(401); return; }
Added per-domain configuration of the MyServer action tab.
2020-09-28 23:28:08 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
var user = obj.users[req.session.userid];
MeshCentral Router update, fixed backup links in non-default domain.
2019-05-25 01:11:00 +03:00
if ((user == null) || ((user.siteadmin & 1) == 0)) { res.sendStatus(401); return; } // Check if we have server backup rights
Initial main commit
2017-08-28 19:27:45 +03:00
// Require modules
Improved some websocket error handling.
2019-01-03 05:34:50 +03:00
const archive = require('archiver')('zip', { level: 9 }); // Sets the compression method to maximum.
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
SMBios improvements
2019-12-09 22:30:08 +03:00
// Good practice to catch this error explicitly
Initial main commit
2017-08-28 19:27:45 +03:00
archive.on('error', function (err) { throw err; });
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Set the archive name
Fixed MeshCentral server update on Windows.
2019-12-22 23:44:16 +03:00
res.attachment((domain.title ? domain.title : 'MeshCentral') + '-Backup-' + new Date().toLocaleDateString().replace('/', '-').replace('/', '-') + '.zip');
Initial main commit
2017-08-28 19:27:45 +03:00
// Pipe archive data to the file
archive.pipe(res);
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Improved simple server backup.
2020-09-28 20:34:44 +03:00
// Append files from a glob pattern
archive.directory(obj.parent.datapath, false);
Initial main commit
2017-08-28 19:27:45 +03:00
// Finalize the archive (ie we are done appending files but streams have to finish yet)
archive.finalize();
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Handle a server restore request
function handleRestoreRequest(req, res) {
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Added support for multiple login 3FA keys.
2019-11-26 01:30:23 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Allow complete removal of My Server tab for a specific domain.
2020-10-06 02:47:30 +03:00
if ((domain.myserver === false) || ((domain.myserver != null) && (domain.myserver.restore !== true))) { res.sendStatus(401); return; }
Added per-domain configuration of the MyServer action tab.
2020-09-28 23:28:08 +03:00
Added authCookie to all multiparty forms
2019-10-01 00:50:28 +03:00
var authUserid = null;
if ((req.session != null) && (typeof req.session.userid == 'string')) { authUserid = req.session.userid; }
Server code cleanup & fixes.
2019-01-05 23:04:18 +03:00
const multiparty = require('multiparty');
const form = new multiparty.Form();
Initial main commit
2017-08-28 19:27:45 +03:00
form.parse(req, function (err, fields, files) {
Added authCookie to all multiparty forms
2019-10-01 00:50:28 +03:00
// If an authentication cookie is embedded in the form, use that.
if ((fields != null) && (fields.auth != null) && (fields.auth.length == 1) && (typeof fields.auth[0] == 'string')) {
var loginCookie = obj.parent.decodeCookie(fields.auth[0], obj.parent.loginCookieEncryptionKey, 60); // 60 minute timeout
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if ((loginCookie != null) && (obj.args.cookieipcheck !== false) && (loginCookie.ip != null) && (loginCookie.ip != req.clientIp)) { loginCookie = null; } // Check cookie IP binding.
Added authCookie to all multiparty forms
2019-10-01 00:50:28 +03:00
if ((loginCookie != null) && (domain.id == loginCookie.domainid)) { authUserid = loginCookie.userid; } // Use cookie authentication
}
if (authUserid == null) { res.sendStatus(401); return; }
// Get the user
const user = obj.users[req.session.userid];
if ((user == null) || ((user.siteadmin & 4) == 0)) { res.sendStatus(401); return; } // Check if we have server restore rights
Improved simple server backup.
2020-09-28 20:34:44 +03:00
res.set('Content-Type', 'text/html');
res.end('<html><body>Server must be restarted, <a href="' + domain.url + '">click here to login</a>.</body></html>');
Initial main commit
2017-08-28 19:27:45 +03:00
parent.Stop(files.datafile[0].path);
});
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Handle a request to download a mesh agent
obj.handleMeshAgentRequest = function (req, res) {
Fixed server crash due to assigning a const.
2020-03-31 20:37:52 +03:00
var domain = getDomain(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { parent.debug('web', 'handleRootRequest: invalid domain.'); try { res.sendStatus(404); } catch (ex) { } return; }
Improved MicroLMS and MeshCmd.
2018-01-31 05:23:57 +03:00
// If required, check if this user has rights to do this
Updated MeshCommander and fixes to message dispatch.
2019-07-11 00:27:38 +03:00
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true)) && (req.session.userid == null)) { res.sendStatus(401); return; }
Improved MicroLMS and MeshCmd.
2018-01-31 05:23:57 +03:00
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
if ((req.query.meshinstall != null) && (req.query.id != null)) {
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { try { res.sendStatus(404); } catch (ex) { } return; } // Check 3FA URL key
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
// Send meshagent with included self installer for a specific platform back
// Start by getting the .msh for this request
var meshsettings = getMshFromRequest(req, res, domain);
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if (meshsettings == null) { try { res.sendStatus(401); } catch (ex) { } return; }
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
// Get the interactive install script, this only works for non-Windows agents
var agentid = parseInt(req.query.meshinstall);
var argentInfo = obj.parent.meshAgentBinaries[agentid];
Added per-domain agent customizations, #3736
2022-03-05 20:35:04 +03:00
if (domain.meshAgentBinaries && domain.meshAgentBinaries[agentid]) { argentInfo = domain.meshAgentBinaries[agentid]; }
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
var scriptInfo = obj.parent.meshAgentInstallScripts[6];
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if ((argentInfo == null) || (scriptInfo == null) || (argentInfo.platform == 'win32')) { try { res.sendStatus(404); } catch (ex) { } return; }
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
// Change the .msh file into JSON format and merge it into the install script
var tokens, msh = {}, meshsettingslines = meshsettings.split('\r').join('').split('\n');
for (var i in meshsettingslines) { tokens = meshsettingslines[i].split('='); if (tokens.length == 2) { msh[tokens[0]] = tokens[1]; } }
var js = scriptInfo.data.replace('var msh = {};', 'var msh = ' + JSON.stringify(msh) + ';');
Added agent filename customization.
2020-12-20 04:21:42 +03:00
// Get the agent filename
var meshagentFilename = 'meshagent';
if ((domain.agentcustomization != null) && (typeof domain.agentcustomization.filename == 'string')) { meshagentFilename = domain.agentcustomization.filename; }
setContentDispositionHeader(res, 'application/octet-stream', meshagentFilename, null, 'meshagent');
Added Last-Modified HTTP header for agent downloads, #3281
2021-11-19 05:43:27 +03:00
if (argentInfo.mtime != null) { res.setHeader('Last-Modified', argentInfo.mtime.toUTCString()); }
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
res.statusCode = 200;
obj.parent.exeHandler.streamExeWithJavaScript({ platform: argentInfo.platform, sourceFileName: argentInfo.path, destinationStream: res, js: Buffer.from(js, 'utf8'), peinfo: argentInfo.pe });
} else if (req.query.id != null) {
Initial main commit
2017-08-28 19:27:45 +03:00
// Send a specific mesh agent back
var argentInfo = obj.parent.meshAgentBinaries[req.query.id];
Added per-domain agent customizations, #3736
2022-03-05 20:35:04 +03:00
if (domain.meshAgentBinaries && domain.meshAgentBinaries[req.query.id]) { argentInfo = domain.meshAgentBinaries[req.query.id]; }
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if (argentInfo == null) { try { res.sendStatus(404); } catch (ex) { } return; }
Added .PDB downloading.
2020-10-26 11:22:46 +03:00
// Download PDB debug files, only allowed for administrator or accounts with agent dump access
Fixed meshagent PDB download.
2020-10-26 21:13:27 +03:00
if (req.query.pdb == 1) {
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if ((req.session == null) || (req.session.userid == null)) { try { res.sendStatus(404); } catch (ex) { } return; }
Fixed meshagent PDB download.
2020-10-26 21:13:27 +03:00
var user = obj.users[req.session.userid];
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if (user == null) { try { res.sendStatus(404); } catch (ex) { } return; }
Fixed meshagent PDB download.
2020-10-26 21:13:27 +03:00
if ((user != null) && ((user.siteadmin == 0xFFFFFFFF) || ((Array.isArray(obj.parent.config.settings.agentcoredumpusers)) && (obj.parent.config.settings.agentcoredumpusers.indexOf(user._id) >= 0)))) {
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if (argentInfo.id == 3) {
setContentDispositionHeader(res, 'application/octet-stream', 'MeshService.pdb', null, 'MeshService.pdb');
Added Last-Modified HTTP header for agent downloads, #3281
2021-11-19 05:43:27 +03:00
if (argentInfo.mtime != null) { res.setHeader('Last-Modified', argentInfo.mtime.toUTCString()); }
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
try { res.sendFile(argentInfo.path.split('MeshService-signed.exe').join('MeshService.pdb')); } catch (ex) { }
return;
}
if (argentInfo.id == 4) {
setContentDispositionHeader(res, 'application/octet-stream', 'MeshService64.pdb', null, 'MeshService64.pdb');
Added Last-Modified HTTP header for agent downloads, #3281
2021-11-19 05:43:27 +03:00
if (argentInfo.mtime != null) { res.setHeader('Last-Modified', argentInfo.mtime.toUTCString()); }
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
try { res.sendFile(argentInfo.path.split('MeshService64-signed.exe').join('MeshService64.pdb')); } catch (ex) { }
return;
}
Fixed meshagent PDB download.
2020-10-26 21:13:27 +03:00
}
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
try { res.sendStatus(404); } catch (ex) { }
return;
Added .PDB downloading.
2020-10-26 11:22:46 +03:00
}
Improved executable binary handling
2018-01-20 05:04:54 +03:00
if ((req.query.meshid == null) || (argentInfo.platform != 'win32')) {
Added agent filename customization.
2020-12-20 04:21:42 +03:00
// Get the agent filename
var meshagentFilename = argentInfo.rname;
if ((domain.agentcustomization != null) && (typeof domain.agentcustomization.filename == 'string')) { meshagentFilename = domain.agentcustomization.filename; }
Added Last-Modified HTTP header for agent downloads, #3281
2021-11-19 05:43:27 +03:00
if (argentInfo.mtime != null) { res.setHeader('Last-Modified', argentInfo.mtime.toUTCString()); }
Added MeshAgent ZIP links when compressed version is available.
2021-08-18 01:32:58 +03:00
if (req.query.zip == 1) { if (argentInfo.zdata != null) { setContentDispositionHeader(res, 'application/octet-stream', meshagentFilename + '.zip', null, 'meshagent.zip'); res.send(argentInfo.zdata); } else { try { res.sendStatus(404); } catch (ex) { } } return; } // Send compressed agent
Added agent filename customization.
2020-12-20 04:21:42 +03:00
setContentDispositionHeader(res, 'application/octet-stream', meshagentFilename, null, 'meshagent');
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if (argentInfo.data == null) { res.sendFile(argentInfo.path); } else { res.send(argentInfo.data); }
return;
Improved executable binary handling
2018-01-20 05:04:54 +03:00
} else {
Added MeshID obfuscation in agent invite page.
2020-06-18 23:56:04 +03:00
// Check if the meshid is a time limited, encrypted cookie
var meshcookie = obj.parent.decodeCookie(req.query.meshid, obj.parent.invitationLinkEncryptionKey);
if ((meshcookie != null) && (meshcookie.m != null)) { req.query.meshid = meshcookie.m; }
Improved executable binary handling
2018-01-20 05:04:54 +03:00
// We are going to embed the .msh file into the Windows executable (signed or not).
Mesh agents can now connect and skip server cert check to boost speed
2018-08-22 01:08:15 +03:00
// First, fetch the mesh object to build the .msh file
var mesh = obj.meshes['mesh/' + domain.id + '/' + req.query.meshid];
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if (mesh == null) { try { res.sendStatus(401); } catch (ex) { } return; }
Mesh agents can now connect and skip server cert check to boost speed
2018-08-22 01:08:15 +03:00
// If required, check if this user has rights to do this
Updated MeshCommander and fixes to message dispatch.
2019-07-11 00:27:38 +03:00
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true))) {
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if ((domain.id != mesh.domain) || ((obj.GetMeshRights(req.session.userid, mesh) & 1) == 0)) { try { res.sendStatus(401); } catch (ex) { } return; }
Mesh agents can now connect and skip server cert check to boost speed
2018-08-22 01:08:15 +03:00
}
Improved executable binary handling
2018-01-20 05:04:54 +03:00
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-03 05:03:34 +03:00
var meshidhex = Buffer.from(req.query.meshid.replace(/\@/g, '+').replace(/\$/g, '/'), 'base64').toString('hex').toUpperCase();
var serveridhex = Buffer.from(obj.agentCertificateHashBase64.replace(/\@/g, '+').replace(/\$/g, '/'), 'base64').toString('hex').toUpperCase();
Added AgentAliasPort option.
2020-05-04 08:37:51 +03:00
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port if specified
Use agent-only port first by default if present.
2020-05-22 20:10:06 +03:00
if (obj.args.agentport != null) { httpsPort = obj.args.agentport; } // If an agent only port is enabled, use that.
Added AgentAliasPort option.
2020-05-04 08:37:51 +03:00
if (obj.args.agentaliasport != null) { httpsPort = obj.args.agentaliasport; } // If an agent alias port is specified, use that.
Improved executable binary handling
2018-01-20 05:04:54 +03:00
Fixed downloads links with HTML5 solution.
2019-06-21 22:10:06 +03:00
// Prepare a mesh agent file name using the device group name.
var meshfilename = mesh.name
meshfilename = meshfilename.split('\\').join('').split('/').join('').split(':').join('').split('*').join('').split('?').join('').split('"').join('').split('<').join('').split('>').join('').split('|').join('').split(' ').join('').split('\'').join('');
if (argentInfo.rname.endsWith('.exe')) { meshfilename = argentInfo.rname.substring(0, argentInfo.rname.length - 4) + '-' + meshfilename + '.exe'; } else { meshfilename = argentInfo.rname + '-' + meshfilename; }
Added agent filename customization.
2020-12-20 04:21:42 +03:00
// Customize the mesh agent file name
if ((domain.agentcustomization != null) && (typeof domain.agentcustomization.filename == 'string')) {
Removed device group name in file when Assistant is monitoring only.
2021-06-08 23:31:46 +03:00
meshfilename = meshfilename.split('meshagent').join(domain.agentcustomization.filename).split('MeshAgent').join(domain.agentcustomization.filename);
Added agent filename customization.
2020-12-20 04:21:42 +03:00
}
Added AgentAliasDNS settings option
2020-05-10 23:45:10 +03:00
// Get the agent connection server name
var serverName = obj.getWebServerName(domain);
if (typeof obj.args.agentaliasdns == 'string') { serverName = obj.args.agentaliasdns; }
Mesh agents can now connect and skip server cert check to boost speed
2018-08-22 01:08:15 +03:00
// Build the agent connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly.
var xdomain = (domain.dns == null) ? domain.id : '';
Centralization of user access control.
2019-12-27 09:53:01 +03:00
if (xdomain != '') xdomain += '/';
Added assistantconfig options in config.json.
2022-01-31 21:21:13 +03:00
var meshsettings = '\r\nMeshName=' + mesh.name + '\r\nMeshType=' + mesh.mtype + '\r\nMeshID=0x' + meshidhex + '\r\nServerID=' + serveridhex + '\r\n';
if (obj.args.lanonly != true) { meshsettings += 'MeshServer=wss://' + serverName + ':' + httpsPort + '/' + xdomain + 'agent.ashx\r\n'; } else {
meshsettings += 'MeshServer=local\r\n';
if ((obj.args.localdiscovery != null) && (typeof obj.args.localdiscovery.key == 'string') && (obj.args.localdiscovery.key.length > 0)) { meshsettings += 'DiscoveryKey=' + obj.args.localdiscovery.key + '\r\n'; }
Support for local discovery UDP encryption.
2020-07-15 02:09:08 +03:00
}
Added assistantconfig options in config.json.
2022-01-31 21:21:13 +03:00
if ((req.query.tag != null) && (typeof req.query.tag == 'string') && (obj.common.isAlphaNumeric(req.query.tag) == true)) { meshsettings += 'Tag=' + req.query.tag + '\r\n'; }
if ((req.query.installflags != null) && (req.query.installflags != 0) && (parseInt(req.query.installflags) == req.query.installflags)) { meshsettings += 'InstallFlags=' + parseInt(req.query.installflags) + '\r\n'; }
Added Assistant Customization.
2021-06-04 03:35:49 +03:00
if (req.query.id == '10006') { // Assistant settings and customizations
if ((req.query.ac != null)) { meshsettings += 'AutoConnect=' + req.query.ac + '\r\n'; } // Set MeshCentral Assistant flags if needed. 0x01 = Always Connected, 0x02 = Not System Tray
Added assistantconfig options in config.json.
2022-01-31 21:21:13 +03:00
if (obj.args.assistantconfig) { for (var i in obj.args.assistantconfig) { meshsettings += obj.args.assistantconfig[i] + '\r\n'; } }
if (domain.assistantconfig) { for (var i in domain.assistantconfig) { meshsettings += domain.assistantconfig[i] + '\r\n'; } }
if ((domain.assistantnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += 'ignoreProxyFile=1\r\n'; }
Added Assistant Customization.
2021-06-04 03:35:49 +03:00
if ((domain.assistantcustomization != null) && (typeof domain.assistantcustomization == 'object')) {
if (typeof domain.assistantcustomization.title == 'string') { meshsettings += 'Title=' + domain.assistantcustomization.title + '\r\n'; }
if (typeof domain.assistantcustomization.image == 'string') {
try { meshsettings += 'Image=' + Buffer.from(obj.fs.readFileSync(parent.getConfigFilePath(domain.assistantcustomization.image)), 'binary').toString('base64') + '\r\n'; } catch (ex) { console.log(ex); }
}
Removed device group name in file when Assistant is monitoring only.
2021-06-08 23:31:46 +03:00
if (req.query.ac != '4') {
// Send with custom filename followed by device group name
if (typeof domain.assistantcustomization.filename == 'string') { meshfilename = meshfilename.split('MeshCentralAssistant').join(domain.assistantcustomization.filename); }
} else {
// Send with custom filename, no device group name
if (typeof domain.assistantcustomization.filename == 'string') { meshfilename = domain.assistantcustomization.filename + '.exe'; } else { meshfilename = 'MeshCentralAssistant.exe'; }
}
More Assistant customizations and update changes.
2021-06-04 06:18:38 +03:00
}
} else { // Add agent customization, not for Assistant
Added assistantconfig options in config.json.
2022-01-31 21:21:13 +03:00
if (obj.args.agentconfig) { for (var i in obj.args.agentconfig) { meshsettings += obj.args.agentconfig[i] + '\r\n'; } }
if (domain.agentconfig) { for (var i in domain.agentconfig) { meshsettings += domain.agentconfig[i] + '\r\n'; } }
if ((domain.agentnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += 'ignoreProxyFile=1\r\n'; }
More Assistant customizations and update changes.
2021-06-04 06:18:38 +03:00
if (domain.agentcustomization != null) {
if (domain.agentcustomization.displayname != null) { meshsettings += 'displayName=' + domain.agentcustomization.displayname + '\r\n'; }
if (domain.agentcustomization.description != null) { meshsettings += 'description=' + domain.agentcustomization.description + '\r\n'; }
if (domain.agentcustomization.companyname != null) { meshsettings += 'companyName=' + domain.agentcustomization.companyname + '\r\n'; }
if (domain.agentcustomization.servicename != null) { meshsettings += 'meshServiceName=' + domain.agentcustomization.servicename + '\r\n'; }
if (domain.agentcustomization.filename != null) { meshsettings += 'fileName=' + domain.agentcustomization.filename + '\r\n'; }
Added agent logo support.
2022-01-19 00:34:10 +03:00
if (domain.agentcustomization.image != null) { meshsettings += 'image=' + domain.agentcustomization.image + '\r\n'; }
Updated Windows agents.
2022-02-22 11:21:39 +03:00
if (domain.agentcustomization.foregroundcolor != null) { meshsettings += checkAgentColorString('foreground=', domain.agentcustomization.foregroundcolor); }
if (domain.agentcustomization.backgroundcolor != null) { meshsettings += checkAgentColorString('background=', domain.agentcustomization.backgroundcolor); }
Added Assistant Customization.
2021-06-04 03:35:49 +03:00
}
Fixed agent install text option.
2022-02-05 02:02:09 +03:00
if (domain.agentTranslations != null) { meshsettings += 'translation=' + domain.agentTranslations + '\r\n'; } // Translation strings, not for MeshCentral Assistant
Added Assistant Customization.
2021-06-04 03:35:49 +03:00
}
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
setContentDispositionHeader(res, 'application/octet-stream', meshfilename, null, argentInfo.rname);
Added Last-Modified HTTP header for agent downloads, #3281
2021-11-19 05:43:27 +03:00
if (argentInfo.mtime != null) { res.setHeader('Last-Modified', argentInfo.mtime.toUTCString()); }
Added per-domain agent customizations, #3736
2022-03-05 20:35:04 +03:00
if (domain.meshAgentBinaries && domain.meshAgentBinaries[req.query.id]) {
obj.parent.exeHandler.streamExeWithMeshPolicy({ platform: 'win32', sourceFileName: domain.meshAgentBinaries[req.query.id].path, destinationStream: res, msh: meshsettings, peinfo: domain.meshAgentBinaries[req.query.id].pe });
} else {
obj.parent.exeHandler.streamExeWithMeshPolicy({ platform: 'win32', sourceFileName: obj.parent.meshAgentBinaries[req.query.id].path, destinationStream: res, msh: meshsettings, peinfo: obj.parent.meshAgentBinaries[req.query.id].pe });
}
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
return;
Improved executable binary handling
2018-01-20 05:04:54 +03:00
}
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
} else if (req.query.script != null) {
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { try { res.sendStatus(404); } catch (ex) { } return; } // Check 3FA URL key
Improved 3FA LoginKey feature
2020-03-14 01:43:24 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Send a specific mesh install script back
var scriptInfo = obj.parent.meshAgentInstallScripts[req.query.script];
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if (scriptInfo == null) { try { res.sendStatus(404); } catch (ex) { } return; }
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
setContentDispositionHeader(res, 'application/octet-stream', scriptInfo.rname, null, 'script');
Improved Linux install script.
2019-07-11 21:43:45 +03:00
var data = scriptInfo.data;
var cmdoptions = { wgetoptionshttp: '', wgetoptionshttps: '', curloptionshttp: '-L ', curloptionshttps: '-L ' }
Added MQTT authentication.
2019-10-06 00:24:40 +03:00
if (obj.isTrustedCert(domain) != true) {
Improved Linux install script.
2019-07-11 21:43:45 +03:00
cmdoptions.wgetoptionshttps += '--no-check-certificate ';
cmdoptions.curloptionshttps += '-k ';
}
if (domain.agentnoproxy === true) {
cmdoptions.wgetoptionshttp += '--no-proxy ';
cmdoptions.wgetoptionshttps += '--no-proxy ';
cmdoptions.curloptionshttp += '--noproxy \'*\' ';
cmdoptions.curloptionshttps += '--noproxy \'*\' ';
}
for (var i in cmdoptions) { data = data.split('{{{' + i + '}}}').join(cmdoptions[i]); }
res.send(data);
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
return;
Added support for MeshCmd routing.
2017-11-01 02:19:58 +03:00
} else if (req.query.meshcmd != null) {
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { try { res.sendStatus(404); } catch (ex) { } return; } // Check 3FA URL key
Improved 3FA LoginKey feature
2020-03-14 01:43:24 +03:00
Added support for MeshCmd routing.
2017-11-01 02:19:58 +03:00
// Send meshcmd for a specific platform back
MeshAgents on Windows are now signed.
2018-03-09 04:58:22 +03:00
var agentid = parseInt(req.query.meshcmd);
Added signed MeshCmd.exe.
2018-03-10 03:39:14 +03:00
// If the agentid is 3 or 4, check if we have a signed MeshCmd.exe
if ((agentid == 3)) { // Signed Windows MeshCmd.exe x86
var stats = null, meshCmdPath = obj.path.join(__dirname, 'agents', 'MeshCmd-signed.exe');
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
try { stats = obj.fs.statSync(meshCmdPath); } catch (e) { }
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
if ((stats != null)) {
setContentDispositionHeader(res, 'application/octet-stream', 'meshcmd' + ((req.query.meshcmd <= 3) ? '.exe' : ''), null, 'meshcmd');
res.sendFile(meshCmdPath); return;
}
Added signed MeshCmd.exe.
2018-03-10 03:39:14 +03:00
} else if ((agentid == 4)) { // Signed Windows MeshCmd64.exe x64
var stats = null, meshCmd64Path = obj.path.join(__dirname, 'agents', 'MeshCmd64-signed.exe');
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
try { stats = obj.fs.statSync(meshCmd64Path); } catch (e) { }
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
if ((stats != null)) {
setContentDispositionHeader(res, 'application/octet-stream', 'meshcmd' + ((req.query.meshcmd <= 4) ? '.exe' : ''), null, 'meshcmd');
res.sendFile(meshCmd64Path); return;
}
Added signed MeshCmd.exe.
2018-03-10 03:39:14 +03:00
}
Fix for broken MeshCMD link.
2021-05-21 01:18:21 +03:00
Added signed MeshCmd.exe.
2018-03-10 03:39:14 +03:00
// No signed agents, we are going to merge a new MeshCmd.
Fix for broken MeshCMD link.
2021-05-21 01:18:21 +03:00
if (((agentid == 3) || (agentid == 4)) && (obj.parent.meshAgentBinaries[agentid + 10000] != null)) { agentid += 10000; } // Avoid merging javascript to a signed mesh agent.
MeshAgents on Windows are now signed.
2018-03-09 04:58:22 +03:00
var argentInfo = obj.parent.meshAgentBinaries[agentid];
Added per-domain agent customizations, #3736
2022-03-05 20:35:04 +03:00
if (domain.meshAgentBinaries && domain.meshAgentBinaries[agentid]) { argentInfo = domain.meshAgentBinaries[agentid]; }
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if ((argentInfo == null) || (obj.parent.defaultMeshCmd == null)) { try { res.sendStatus(404); } catch (ex) { } return; }
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
setContentDispositionHeader(res, 'application/octet-stream', 'meshcmd' + ((req.query.meshcmd <= 4) ? '.exe' : ''), null, 'meshcmd');
Improved executable binary handling
2018-01-20 05:04:54 +03:00
res.statusCode = 200;
Fix for broken MeshCMD link.
2021-05-21 01:18:21 +03:00
MeshAgents on Windows are now signed.
2018-03-09 04:58:22 +03:00
if (argentInfo.signedMeshCmdPath != null) {
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
// If we have a pre-signed MeshCmd, send that.
MeshAgents on Windows are now signed.
2018-03-09 04:58:22 +03:00
res.sendFile(argentInfo.signedMeshCmdPath);
} else {
// Merge JavaScript to a unsigned agent and send that.
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-03 05:03:34 +03:00
obj.parent.exeHandler.streamExeWithJavaScript({ platform: argentInfo.platform, sourceFileName: argentInfo.path, destinationStream: res, js: Buffer.from(obj.parent.defaultMeshCmd, 'utf8'), peinfo: argentInfo.pe });
MeshAgents on Windows are now signed.
2018-03-09 04:58:22 +03:00
}
Fix for broken MeshCMD link.
2021-05-21 01:18:21 +03:00
return;
Added support for MeshCmd routing.
2017-11-01 02:19:58 +03:00
} else if (req.query.meshaction != null) {
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { try { res.sendStatus(404); } catch (ex) { } return; } // Check 3FA URL key
Added support for MeshCmd routing.
2017-11-01 02:19:58 +03:00
var user = obj.users[req.session.userid];
MeshCentral Router update system.
2020-11-03 08:41:58 +03:00
if (user == null) {
Updated MeshCentral Assistant with self-update system.
2020-11-04 05:44:43 +03:00
// Check if we have an authentication cookie
MeshCentral Router update system.
2020-11-03 08:41:58 +03:00
var c = obj.parent.decodeCookie(req.query.auth, obj.parent.loginCookieEncryptionKey);
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if (c == null) { try { res.sendStatus(404); } catch (ex) { } return; }
Updated MeshCentral Assistant with self-update system.
2020-11-04 05:44:43 +03:00
// Download tools using a cookie
if (c.download == req.query.meshaction) {
if (req.query.meshaction == 'winrouter') {
var p = obj.path.join(__dirname, 'agents', 'MeshCentralRouter.exe');
if (obj.fs.existsSync(p)) {
setContentDispositionHeader(res, 'application/octet-stream', 'MeshCentralRouter.exe', null, 'MeshCentralRouter.exe');
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
try { res.sendFile(p); } catch (ex) { }
} else { try { res.sendStatus(404); } catch (ex) { } }
return;
Updated MeshCentral Assistant with self-update system.
2020-11-04 05:44:43 +03:00
} else if (req.query.meshaction == 'winassistant') {
var p = obj.path.join(__dirname, 'agents', 'MeshCentralAssistant.exe');
if (obj.fs.existsSync(p)) {
setContentDispositionHeader(res, 'application/octet-stream', 'MeshCentralAssistant.exe', null, 'MeshCentralAssistant.exe');
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
try { res.sendFile(p); } catch (ex) { }
} else { try { res.sendStatus(404); } catch (ex) { } }
return;
Added MeshCentral Router for macOS
2020-12-26 22:58:25 +03:00
} else if (req.query.meshaction == 'macrouter') {
var p = obj.path.join(__dirname, 'agents', 'MeshCentralRouter.dmg');
if (obj.fs.existsSync(p)) {
setContentDispositionHeader(res, 'application/octet-stream', 'MeshCentralRouter.dmg', null, 'MeshCentralRouter.dmg');
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
try { res.sendFile(p); } catch (ex) { }
} else { try { res.sendStatus(404); } catch (ex) { } }
return;
Updated MeshCentral Assistant with self-update system.
2020-11-04 05:44:43 +03:00
}
return;
}
// Check if the cookie authenticates a user
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if (c.userid == null) { try { res.sendStatus(404); } catch (ex) { } return; }
MeshCentral Router update system.
2020-11-03 08:41:58 +03:00
user = obj.users[c.userid];
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if (user == null) { try { res.sendStatus(404); } catch (ex) { } return; }
MeshCentral Router update system.
2020-11-03 08:41:58 +03:00
}
Improved MeshCmd support
2017-12-16 00:43:04 +03:00
if ((req.query.meshaction == 'route') && (req.query.nodeid != null)) {
Removed SSPI auth retrieveGroups to reduce cookie size.
2021-09-03 03:52:37 +03:00
var nodeIdSplit = req.query.nodeid.split('/');
if ((nodeIdSplit[0] != 'node') || (nodeIdSplit[1] != domain.id)) { try { res.sendStatus(401); } catch (ex) { } return; }
Improved MeshCmd support
2017-12-16 00:43:04 +03:00
obj.db.Get(req.query.nodeid, function (err, nodes) {
Removed SSPI auth retrieveGroups to reduce cookie size.
2021-09-03 03:52:37 +03:00
if ((err != null) || (nodes.length != 1)) { try { res.sendStatus(401); } catch (ex) { } return; }
Improved MeshCmd support
2017-12-16 00:43:04 +03:00
var node = nodes[0];
Fixed meshagent.txt when CertUrl is used.
2019-04-10 21:54:55 +03:00
Improved MeshCmd support
2017-12-16 00:43:04 +03:00
// Create the meshaction.txt file for meshcmd.exe
var meshaction = {
action: req.query.meshaction,
localPort: 1234,
remoteName: node.name,
remoteNodeId: node._id,
Added 2FA support in MeshCMD.
2020-04-04 02:06:38 +03:00
remoteTarget: null,
Improved MeshCmd support
2017-12-16 00:43:04 +03:00
remotePort: 3389,
Fixed actionfile.txt download.
2020-04-07 06:25:52 +03:00
username: '',
Improved MeshCmd support
2017-12-16 00:43:04 +03:00
password: '',
serverId: obj.agentCertificateHashHex.toUpperCase(), // SHA384 of server HTTPS public key
Fixed meshagent.txt when CertUrl is used.
2019-04-10 21:54:55 +03:00
serverHttpsHash: Buffer.from(obj.webCertificateHashs[domain.id], 'binary').toString('hex').toUpperCase(), // SHA384 of server HTTPS certificate
Improved MeshCmd support
2017-12-16 00:43:04 +03:00
debugLevel: 0
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
};
Improved MeshCmd support
2017-12-16 00:43:04 +03:00
if (user != null) { meshaction.username = user.name; }
Added LoginKey support to MeshCmd
2020-09-18 21:40:08 +03:00
if (req.query.key != null) { meshaction.loginKey = req.query.key; }
MeshAgents on Windows are now signed.
2018-03-09 04:58:22 +03:00
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
UI customization improvements.
2020-11-05 13:27:39 +03:00
if (obj.args.lanonly != true) { meshaction.serverUrl = 'wss://' + obj.getWebServerName(domain) + ':' + httpsPort + '/' + ((domain.id == '') ? '' : ('/' + domain.id)) + 'meshrelay.ashx'; }
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
setContentDispositionHeader(res, 'application/octet-stream', 'meshaction.txt', null, 'meshaction.txt');
Improved MeshCmd support
2017-12-16 00:43:04 +03:00
res.send(JSON.stringify(meshaction, null, ' '));
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
return;
Improved MeshCmd support
2017-12-16 00:43:04 +03:00
});
Fixed MeshCentralRouter download.
2020-03-18 04:15:54 +03:00
} else if (req.query.meshaction == 'generic') {
Added support for MeshCmd routing.
2017-11-01 02:19:58 +03:00
var meshaction = {
Added 2FA support in MeshCMD.
2020-04-04 02:06:38 +03:00
username: user.name,
Added support for MeshCmd routing.
2017-11-01 02:19:58 +03:00
password: '',
serverId: obj.agentCertificateHashHex.toUpperCase(), // SHA384 of server HTTPS public key
Fixed meshagent.txt when CertUrl is used.
2019-04-10 21:54:55 +03:00
serverHttpsHash: Buffer.from(obj.webCertificateHashs[domain.id], 'binary').toString('hex').toUpperCase(), // SHA384 of server HTTPS certificate
Added support for MeshCmd routing.
2017-11-01 02:19:58 +03:00
debugLevel: 0
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
};
Added support for MeshCmd routing.
2017-11-01 02:19:58 +03:00
if (user != null) { meshaction.username = user.name; }
Added LoginKey support to MeshCmd
2020-09-18 21:40:08 +03:00
if (req.query.key != null) { meshaction.loginKey = req.query.key; }
MeshAgents on Windows are now signed.
2018-03-09 04:58:22 +03:00
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
UI customization improvements.
2020-11-05 13:27:39 +03:00
if (obj.args.lanonly != true) { meshaction.serverUrl = 'wss://' + obj.getWebServerName(domain) + ':' + httpsPort + '/' + ((domain.id == '') ? '' : ('/' + domain.id)) + 'meshrelay.ashx'; }
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
setContentDispositionHeader(res, 'application/octet-stream', 'meshaction.txt', null, 'meshaction.txt');
Added support for MeshCmd routing.
2017-11-01 02:19:58 +03:00
res.send(JSON.stringify(meshaction, null, ' '));
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
return;
Added MeshCentral Router as part of the server.
2019-04-24 00:15:48 +03:00
} else if (req.query.meshaction == 'winrouter') {
var p = obj.path.join(__dirname, 'agents', 'MeshCentralRouter.exe');
if (obj.fs.existsSync(p)) {
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
setContentDispositionHeader(res, 'application/octet-stream', 'MeshCentralRouter.exe', null, 'MeshCentralRouter.exe');
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
try { res.sendFile(p); } catch (ex) { }
} else { try { res.sendStatus(404); } catch (ex) { } }
return;
MeshCentral Router update system.
2020-11-03 08:41:58 +03:00
} else if (req.query.meshaction == 'winassistant') {
var p = obj.path.join(__dirname, 'agents', 'MeshCentralAssistant.exe');
if (obj.fs.existsSync(p)) {
setContentDispositionHeader(res, 'application/octet-stream', 'MeshCentralAssistant.exe', null, 'MeshCentralAssistant.exe');
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
try { res.sendFile(p); } catch (ex) { }
} else { try { res.sendStatus(404); } catch (ex) { } }
return;
Added MeshCentral Router for macOS
2020-12-26 22:58:25 +03:00
} else if (req.query.meshaction == 'macrouter') {
var p = obj.path.join(__dirname, 'agents', 'MeshCentralRouter.dmg');
if (obj.fs.existsSync(p)) {
setContentDispositionHeader(res, 'application/octet-stream', 'MeshCentralRouter.dmg', null, 'MeshCentralRouter.dmg');
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
try { res.sendFile(p); } catch (ex) { }
} else { try { res.sendStatus(404); } catch (ex) { } }
return;
Improved MeshCmd support
2017-12-16 00:43:04 +03:00
} else {
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
try { res.sendStatus(401); } catch (ex) { }
return;
Improved MeshCmd support
2017-12-16 00:43:04 +03:00
}
Initial main commit
2017-08-28 19:27:45 +03:00
} else {
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
domain = checkUserIpAddress(req, res); // Recheck the domain to apply user IP filtering.
if (domain == null) return;
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { try { res.sendStatus(404); } catch (ex) { } return; } // Check 3FA URL key
if ((req.session == null) || (req.session.userid == null)) { try { res.sendStatus(404); } catch (ex) { } return; }
Added mesh agent crash dump management web page.
2020-09-18 01:39:33 +03:00
var user = null, coreDumpsAllowed = false;
if (typeof req.session.userid == 'string') { user = obj.users[req.session.userid]; }
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if (user == null) { try { res.sendStatus(404); } catch (ex) { } return; }
Added mesh agent crash dump management web page.
2020-09-18 01:39:33 +03:00
// Check if this user has access to agent core dumps
if ((obj.parent.config.settings.agentcoredump === true) && ((user.siteadmin == 0xFFFFFFFF) || ((Array.isArray(obj.parent.config.settings.agentcoredumpusers)) && (obj.parent.config.settings.agentcoredumpusers.indexOf(user._id) >= 0)))) {
coreDumpsAllowed = true;
if ((req.query.dldump != null) && obj.common.IsFilenameValid(req.query.dldump)) {
// Download a dump file
var dumpFile = obj.path.join(parent.datapath, '..', 'meshcentral-coredumps', req.query.dldump);
if (obj.fs.existsSync(dumpFile)) {
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
setContentDispositionHeader(res, 'application/octet-stream', req.query.dldump, null, 'file.bin');
Added mesh agent crash dump management web page.
2020-09-18 01:39:33 +03:00
res.sendFile(dumpFile); return;
} else {
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
try { res.sendStatus(404); } catch (ex) { } return;
Added mesh agent crash dump management web page.
2020-09-18 01:39:33 +03:00
}
}
if ((req.query.deldump != null) && obj.common.IsFilenameValid(req.query.deldump)) {
// Delete a dump file
try { obj.fs.unlinkSync(obj.path.join(parent.datapath, '..', 'meshcentral-coredumps', req.query.deldump)); } catch (ex) { console.log(ex); }
}
if ((req.query.dumps != null) || (req.query.deldump != null)) {
// Send list of agent core dumps
var response = '<html><head><title>Mesh Agents Core Dumps</title><style>table,th,td { border:1px solid black;border-collapse:collapse;padding:3px; }</style></head><body style=overflow:auto><table>';
response += '<tr style="background-color:lightgray"><th>ID</th><th>Upload Date</th><th>Description</th><th>Current</th><th>Dump</th><th>Size</th><th>Agent</th><th>Agent SHA384</th><th>NodeID</th><th></th></tr>';
var coreDumpPath = obj.path.join(parent.datapath, '..', 'meshcentral-coredumps');
if (obj.fs.existsSync(coreDumpPath)) {
var files = obj.fs.readdirSync(coreDumpPath);
var coredumps = [];
for (var i in files) {
var file = files[i];
if (file.endsWith('.dmp')) {
var fileSplit = file.substring(0, file.length - 4).split('-');
if (fileSplit.length == 3) {
var agentid = parseInt(fileSplit[0]);
if ((isNaN(agentid) == false) && (obj.parent.meshAgentBinaries[agentid] != null)) {
var agentinfo = obj.parent.meshAgentBinaries[agentid];
Added per-domain agent customizations, #3736
2022-03-05 20:35:04 +03:00
if (domain.meshAgentBinaries && domain.meshAgentBinaries[agentid]) { argentInfo = domain.meshAgentBinaries[agentid]; }
Added mesh agent crash dump management web page.
2020-09-18 01:39:33 +03:00
var filestats = obj.fs.statSync(obj.path.join(parent.datapath, '..', 'meshcentral-coredumps', file));
coredumps.push({
fileSplit: fileSplit,
agentinfo: agentinfo,
filestats: filestats,
currentAgent: agentinfo.hashhex.startsWith(fileSplit[1].toLowerCase()),
downloadUrl: req.originalUrl.split('?')[0] + '?dldump=' + file + (req.query.key ? ('&key=' + req.query.key) : ''),
deleteUrl: req.originalUrl.split('?')[0] + '?deldump=' + file + (req.query.key ? ('&key=' + req.query.key) : ''),
agentUrl: req.originalUrl.split('?')[0] + '?id=' + agentinfo.id + (req.query.key ? ('&key=' + req.query.key) : ''),
time: new Date(filestats.ctime)
});
}
}
}
}
coredumps.sort(function (a, b) { if (a.time > b.time) return -1; if (a.time < b.time) return 1; return 0; });
for (var i in coredumps) {
var d = coredumps[i];
response += '<tr><td>' + d.agentinfo.id + '</td><td>' + d.time.toDateString().split(' ').join('&nbsp;') + '</td><td>' + d.agentinfo.desc.split(' ').join('&nbsp;') + '</td>';
response += '<td style=text-align:center>' + d.currentAgent + '</td><td><a download href="' + d.downloadUrl + '">Download</a></td><td style=text-align:right>' + d.filestats.size + '</td>';
if (d.currentAgent) { response += '<td><a download href="' + d.agentUrl + '">Download</a></td>'; } else { response += '<td></td>'; }
response += '<td>' + d.fileSplit[1].toLowerCase() + '</td><td>' + d.fileSplit[2] + '</td><td><a href="' + d.deleteUrl + '">Delete</a></td></tr>';
}
}
response += '</table><a href="' + req.originalUrl.split('?')[0] + (req.query.key ? ('?key=' + req.query.key) : '') + '">Mesh Agents</a></body></html>';
res.send(response);
return;
}
}
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
Updated MeshCommander, Added MeshCore download page.
2021-01-24 01:32:43 +03:00
if (req.query.cores != null) {
// Send list of agent cores
var response = '<html><head><title>Mesh Agents Cores</title><style>table,th,td { border:1px solid black;border-collapse:collapse;padding:3px; }</style></head><body style=overflow:auto><table>';
response += '<tr style="background-color:lightgray"><th>Name</th><th>Size</th><th>Comp</th><th>Decompressed Hash SHA384</th></tr>';
for (var i in parent.defaultMeshCores) {
response += '<tr><td>' + i.split(' ').join('&nbsp;') + '</td><td style="text-align:right"><a download href="/meshagents?dlcore=' + i + '">' + parent.defaultMeshCores[i].length + (req.query.key ? ('?key=' + req.query.key) : '') + '</a></td><td style="text-align:right"><a download href="/meshagents?dlccore=' + i + (req.query.key ? ('?key=' + req.query.key) : '') + '">' + parent.defaultMeshCoresDeflate[i].length + '</a></td><td>' + Buffer.from(parent.defaultMeshCoresHash[i], 'binary').toString('hex') + '</td></tr>';
}
response += '</table><a href="' + req.originalUrl.split('?')[0] + (req.query.key ? ('?key=' + req.query.key) : '') + '">Mesh Agents</a></body></html>';
res.send(response);
return;
}
if (req.query.dlcore != null) {
// Download mesh core
var bin = parent.defaultMeshCores[req.query.dlcore];
Fixed meshcore downloads.
2021-01-26 23:40:52 +03:00
if ((bin == null) || (bin.length < 5)) { try { res.sendStatus(404); } catch (ex) { } return; }
Updated MeshCommander, Added MeshCore download page.
2021-01-24 01:32:43 +03:00
setContentDispositionHeader(res, 'application/octet-stream', req.query.dlcore + '.js', null, 'meshcore.js');
Fixed meshcore download.
2022-01-26 03:46:43 +03:00
res.send(bin.slice(4));
Updated MeshCommander, Added MeshCore download page.
2021-01-24 01:32:43 +03:00
return;
}
if (req.query.dlccore != null) {
// Download compressed mesh core
var bin = parent.defaultMeshCoresDeflate[req.query.dlccore];
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
if (bin == null) { try { res.sendStatus(404); } catch (ex) { } return; }
Updated MeshCommander, Added MeshCore download page.
2021-01-24 01:32:43 +03:00
setContentDispositionHeader(res, 'application/octet-stream', req.query.dlccore + '.js.deflate', null, 'meshcore.js.deflate');
res.send(bin);
return;
}
Initial main commit
2017-08-28 19:27:45 +03:00
// Send a list of available mesh agents
Added mesh agent crash dump management web page.
2020-09-18 01:39:33 +03:00
var response = '<html><head><title>Mesh Agents</title><style>table,th,td { border:1px solid black;border-collapse:collapse;padding:3px; }</style></head><body style=overflow:auto><table>';
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
response += '<tr style="background-color:lightgray"><th>ID</th><th>Description</th><th>Link</th><th>Size</th><th>SHA384</th><th>MeshCmd</th></tr>';
Added mesh agent crash dump management web page.
2020-09-18 01:39:33 +03:00
var originalUrl = req.originalUrl.split('?')[0];
Initial main commit
2017-08-28 19:27:45 +03:00
for (var agentid in obj.parent.meshAgentBinaries) {
Added Apple Silicon support.
2020-12-08 07:39:14 +03:00
if ((agentid >= 10000) && (agentid != 10005)) continue;
Initial main commit
2017-08-28 19:27:45 +03:00
var agentinfo = obj.parent.meshAgentBinaries[agentid];
Added per-domain agent customizations, #3736
2022-03-05 20:35:04 +03:00
if (domain.meshAgentBinaries && domain.meshAgentBinaries[agentid]) { argentInfo = domain.meshAgentBinaries[agentid]; }
Added mesh agent crash dump management web page.
2020-09-18 01:39:33 +03:00
response += '<tr><td>' + agentinfo.id + '</td><td>' + agentinfo.desc.split(' ').join('&nbsp;') + '</td>';
Added .PDB downloading.
2020-10-26 11:22:46 +03:00
response += '<td><a download href="' + originalUrl + '?id=' + agentinfo.id + (req.query.key ? ('&key=' + req.query.key) : '') + '">' + agentinfo.rname + '</a>';
if ((user.siteadmin == 0xFFFFFFFF) || ((Array.isArray(obj.parent.config.settings.agentcoredumpusers)) && (obj.parent.config.settings.agentcoredumpusers.indexOf(user._id) >= 0))) {
if ((agentid == 3) || (agentid == 4)) { response += ', <a download href="' + originalUrl + '?id=' + agentinfo.id + '&pdb=1' + (req.query.key ? ('&key=' + req.query.key) : '') + '">PDB</a>'; }
}
Added MeshAgent ZIP links when compressed version is available.
2021-08-18 01:32:58 +03:00
if (agentinfo.zdata != null) { response += ', <a download href="' + originalUrl + '?id=' + agentinfo.id + '&zip=1' + (req.query.key ? ('&key=' + req.query.key) : '') + '">ZIP</a>'; }
Added .PDB downloading.
2020-10-26 11:22:46 +03:00
response += '</td>';
Fixed FIDO2, added alt RDP port, fixed device tag collapse.
2020-01-28 01:03:36 +03:00
response += '<td>' + agentinfo.size + '</td><td>' + agentinfo.hashhex + '</td>';
Improved 3FA LoginKey feature
2020-03-14 01:43:24 +03:00
response += '<td><a download href="' + originalUrl + '?meshcmd=' + agentinfo.id + (req.query.key ? ('&key=' + req.query.key) : '') + '">' + agentinfo.rname.replace('agent', 'cmd') + '</a></td></tr>';
Initial main commit
2017-08-28 19:27:45 +03:00
}
Added mesh agent crash dump management web page.
2020-09-18 01:39:33 +03:00
response += '</table>';
Updated MeshCommander, Added MeshCore download page.
2021-01-24 01:32:43 +03:00
response += '<a href="' + originalUrl + '?cores=1' + (req.query.key ? ('&key=' + req.query.key) : '') + '">MeshCores</a> ';
Added mesh agent crash dump management web page.
2020-09-18 01:39:33 +03:00
if (coreDumpsAllowed) { response += '<a href="' + originalUrl + '?dumps=1' + (req.query.key ? ('&key=' + req.query.key) : '') + '">MeshAgent Crash Dumps</a>'; }
response += '</body></html>';
Initial main commit
2017-08-28 19:27:45 +03:00
res.send(response);
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
return;
Initial main commit
2017-08-28 19:27:45 +03:00
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
};
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
// Get the web server hostname. This may change if using a domain with a DNS name.
Made MQTT optional.
2019-10-04 22:18:56 +03:00
obj.getWebServerName = function (domain) {
Added DNS multi-tenancy support
2018-01-03 03:52:49 +03:00
if (domain.dns != null) return domain.dns;
return obj.certificates.CommonName;
}
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
// Create a OSX mesh agent installer
obj.handleMeshOsxAgentRequest = function (req, res) {
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
const domain = getDomain(req, res);
if (domain == null) { parent.debug('web', 'handleRootRequest: invalid domain.'); try { res.sendStatus(404); } catch (ex) { } return; }
if (req.query.id == null) { res.sendStatus(404); return; }
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
// If required, check if this user has rights to do this
Updated MeshCommander and fixes to message dispatch.
2019-07-11 00:27:38 +03:00
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true)) && (req.session.userid == null)) { res.sendStatus(401); return; }
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
// Send a specific mesh agent back
var argentInfo = obj.parent.meshAgentBinaries[req.query.id];
Added per-domain agent customizations, #3736
2022-03-05 20:35:04 +03:00
if (domain.meshAgentBinaries && domain.meshAgentBinaries[req.query.id]) { argentInfo = domain.meshAgentBinaries[req.query.id]; }
Many agent & UI improvements
2018-09-22 02:34:35 +03:00
if ((argentInfo == null) || (req.query.meshid == null)) { res.sendStatus(404); return; }
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
Added MeshID obfuscation in agent invite page.
2020-06-18 23:56:04 +03:00
// Check if the meshid is a time limited, encrypted cookie
var meshcookie = obj.parent.decodeCookie(req.query.meshid, obj.parent.invitationLinkEncryptionKey);
if ((meshcookie != null) && (meshcookie.m != null)) { req.query.meshid = meshcookie.m; }
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
// We are going to embed the .msh file into the Windows executable (signed or not).
// First, fetch the mesh object to build the .msh file
var mesh = obj.meshes['mesh/' + domain.id + '/' + req.query.meshid];
if (mesh == null) { res.sendStatus(401); return; }
// If required, check if this user has rights to do this
Updated MeshCommander and fixes to message dispatch.
2019-07-11 00:27:38 +03:00
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true))) {
More access control improvements, RPi icon.
2019-12-28 02:18:43 +03:00
if ((domain.id != mesh.domain) || ((obj.GetMeshRights(req.session.userid, mesh) & 1) == 0)) { res.sendStatus(401); return; }
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
}
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-03 05:03:34 +03:00
var meshidhex = Buffer.from(req.query.meshid.replace(/\@/g, '+').replace(/\$/g, '/'), 'base64').toString('hex').toUpperCase();
var serveridhex = Buffer.from(obj.agentCertificateHashBase64.replace(/\@/g, '+').replace(/\$/g, '/'), 'base64').toString('hex').toUpperCase();
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
Added AgentAliasDNS settings option
2020-05-10 23:45:10 +03:00
// Get the agent connection server name
var serverName = obj.getWebServerName(domain);
if (typeof obj.args.agentaliasdns == 'string') { serverName = obj.args.agentaliasdns; }
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
// Build the agent connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly.
var xdomain = (domain.dns == null) ? domain.id : '';
Centralization of user access control.
2019-12-27 09:53:01 +03:00
if (xdomain != '') xdomain += '/';
Added blank line as start of .msh file.
2020-11-12 04:55:54 +03:00
var meshsettings = '\r\nMeshName=' + mesh.name + '\r\nMeshType=' + mesh.mtype + '\r\nMeshID=0x' + meshidhex + '\r\nServerID=' + serveridhex + '\r\n';
Updates agents and small server fixes.
2019-03-02 04:13:11 +03:00
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
Use agent-only port first by default if present.
2020-05-22 20:10:06 +03:00
if (obj.args.agentport != null) { httpsPort = obj.args.agentport; } // If an agent only port is enabled, use that.
Added AgentAliasPort option.
2020-05-04 08:37:51 +03:00
if (obj.args.agentaliasport != null) { httpsPort = obj.args.agentaliasport; } // If an agent alias port is specified, use that.
UI customization improvements.
2020-11-05 13:27:39 +03:00
if (obj.args.lanonly != true) { meshsettings += 'MeshServer=wss://' + serverName + ':' + httpsPort + '/' + xdomain + 'agent.ashx\r\n'; } else {
Support for local discovery UDP encryption.
2020-07-15 02:09:08 +03:00
meshsettings += 'MeshServer=local\r\n';
Added DiscoveryKey to .msh files.
2020-07-15 02:48:42 +03:00
if ((obj.args.localdiscovery != null) && (typeof obj.args.localdiscovery.key == 'string') && (obj.args.localdiscovery.key.length > 0)) { meshsettings += 'DiscoveryKey=' + obj.args.localdiscovery.key + '\r\n'; }
Support for local discovery UDP encryption.
2020-07-15 02:09:08 +03:00
}
Code fixes & clean up.
2020-07-06 22:46:38 +03:00
if ((req.query.tag != null) && (typeof req.query.tag == 'string') && (obj.common.isAlphaNumeric(req.query.tag) == true)) { meshsettings += 'Tag=' + req.query.tag + '\r\n'; }
if ((req.query.installflags != null) && (req.query.installflags != 0) && (parseInt(req.query.installflags) == req.query.installflags)) { meshsettings += 'InstallFlags=' + parseInt(req.query.installflags) + '\r\n'; }
Centralization of user access control.
2019-12-27 09:53:01 +03:00
if ((domain.agentnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += 'ignoreProxyFile=1\r\n'; }
if (obj.args.agentconfig) { for (var i in obj.args.agentconfig) { meshsettings += obj.args.agentconfig[i] + '\r\n'; } }
if (domain.agentconfig) { for (var i in domain.agentconfig) { meshsettings += domain.agentconfig[i] + '\r\n'; } }
Added mesh agent customizations.
2020-11-12 03:28:56 +03:00
if (domain.agentcustomization != null) { // Add agent customization
if (domain.agentcustomization.displayname != null) { meshsettings += 'displayName=' + domain.agentcustomization.displayname + '\r\n'; }
if (domain.agentcustomization.description != null) { meshsettings += 'description=' + domain.agentcustomization.description + '\r\n'; }
if (domain.agentcustomization.companyname != null) { meshsettings += 'companyName=' + domain.agentcustomization.companyname + '\r\n'; }
if (domain.agentcustomization.servicename != null) { meshsettings += 'meshServiceName=' + domain.agentcustomization.servicename + '\r\n'; }
Added agent filename to .msg file.
2020-12-23 11:53:10 +03:00
if (domain.agentcustomization.filename != null) { meshsettings += 'fileName=' + domain.agentcustomization.filename + '\r\n'; }
Added agent logo support.
2022-01-19 00:34:10 +03:00
if (domain.agentcustomization.image != null) { meshsettings += 'image=' + domain.agentcustomization.image + '\r\n'; }
Updated Windows agents.
2022-02-22 11:21:39 +03:00
if (domain.agentcustomization.foregroundcolor != null) { meshsettings += checkAgentColorString('foreground=', domain.agentcustomization.foregroundcolor); }
if (domain.agentcustomization.backgroundcolor != null) { meshsettings += checkAgentColorString('background=', domain.agentcustomization.backgroundcolor); }
Added mesh agent customizations.
2020-11-12 03:28:56 +03:00
}
Fixed agent install text option.
2022-02-05 02:02:09 +03:00
if (domain.agentTranslations != null) { meshsettings += 'translation=' + domain.agentTranslations + '\r\n'; }
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
// Setup the response output
var archive = require('archiver')('zip', { level: 5 }); // Sets the compression method.
archive.on('error', function (err) { throw err; });
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
// Set the agent download including the mesh name.
setContentDispositionHeader(res, 'application/octet-stream', 'MeshAgent-' + mesh.name + '.zip', null, 'MeshAgent.zip');
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
archive.pipe(res);
// Opens the "MeshAgentOSXPackager.zip"
Centralization of user access control.
2019-12-27 09:53:01 +03:00
var yauzl = require('yauzl');
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
yauzl.open(obj.path.join(__dirname, 'agents', 'MeshAgentOSXPackager.zip'), { lazyEntries: true }, function (err, zipfile) {
if (err) { res.sendStatus(500); return; }
zipfile.readEntry();
Centralization of user access control.
2019-12-27 09:53:01 +03:00
zipfile.on('entry', function (entry) {
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
if (/\/$/.test(entry.fileName)) {
// Skip all folder entries
zipfile.readEntry();
} else {
First working MacOS mesh agent
2018-11-15 02:44:28 +03:00
if (entry.fileName == 'MeshAgent.mpkg/Contents/distribution.dist') {
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
// This is a special file entry, we need to fix it.
zipfile.openReadStream(entry, function (err, readStream) {
Centralization of user access control.
2019-12-27 09:53:01 +03:00
readStream.on('data', function (data) { if (readStream.xxdata) { readStream.xxdata += data; } else { readStream.xxdata = data; } });
readStream.on('end', function () {
First working MacOS mesh agent
2018-11-15 02:44:28 +03:00
var meshname = mesh.name.split(']').join('').split('[').join(''); // We can't have ']]' in the string since it will terminate the CDATA.
var welcomemsg = 'Welcome to the MeshCentral agent for MacOS\n\nThis installer will install the mesh agent for "' + meshname + '" and allow the administrator to remotely monitor and control this computer over the internet. For more information, go to https://www.meshcommander.com/meshcentral2.\n\nThis software is provided under Apache 2.0 license.\n';
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
var installsize = Math.floor((argentInfo.size + meshsettings.length) / 1024);
archive.append(readStream.xxdata.toString().split('###WELCOMEMSG###').join(welcomemsg).split('###INSTALLSIZE###').join(installsize), { name: entry.fileName });
zipfile.readEntry();
});
});
} else {
// Normal file entry
zipfile.openReadStream(entry, function (err, readStream) {
if (err) { throw err; }
First working MacOS mesh agent
2018-11-15 02:44:28 +03:00
var options = { name: entry.fileName };
if (entry.fileName.endsWith('postflight') || entry.fileName.endsWith('Uninstall.command')) { options.mode = 493; }
archive.append(readStream, options);
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
readStream.on('end', function () { zipfile.readEntry(); });
});
}
}
});
Centralization of user access control.
2019-12-27 09:53:01 +03:00
zipfile.on('end', function () {
archive.file(argentInfo.path, { name: 'MeshAgent.mpkg/Contents/Packages/internal.pkg/Contents/meshagent_osx64.bin' });
archive.append(meshsettings, { name: 'MeshAgent.mpkg/Contents/Packages/internal.pkg/Contents/meshagent_osx64.msh' });
Getting ready for OSX support, added OSX agent installer system.
2018-09-08 03:09:02 +03:00
archive.finalize();
});
});
}
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
// Return a .msh file from a given request, id is the device group identifier or encrypted cookie with the identifier.
function getMshFromRequest(req, res, domain) {
Improved MicroLMS and MeshCmd.
2018-01-31 05:23:57 +03:00
// If required, check if this user has rights to do this
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true)) && (req.session.userid == null)) { return null; }
Improved MicroLMS and MeshCmd.
2018-01-31 05:23:57 +03:00
Added MeshID obfuscation in agent invite page.
2020-06-18 23:56:04 +03:00
// Check if the meshid is a time limited, encrypted cookie
var meshcookie = obj.parent.decodeCookie(req.query.id, obj.parent.invitationLinkEncryptionKey);
if ((meshcookie != null) && (meshcookie.m != null)) { req.query.id = meshcookie.m; }
Mesh agents can now connect and skip server cert check to boost speed
2018-08-22 01:08:15 +03:00
// Fetch the mesh object
var mesh = obj.meshes['mesh/' + domain.id + '/' + req.query.id];
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
if (mesh == null) { return null; }
Improved MicroLMS and MeshCmd.
2018-01-31 05:23:57 +03:00
Mesh agents can now connect and skip server cert check to boost speed
2018-08-22 01:08:15 +03:00
// If needed, check if this user has rights to do this
Updated MeshCommander and fixes to message dispatch.
2019-07-11 00:27:38 +03:00
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true))) {
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
if ((domain.id != mesh.domain) || ((obj.GetMeshRights(req.session.userid, mesh) & 1) == 0)) { return null; }
Mesh agents can now connect and skip server cert check to boost speed
2018-08-22 01:08:15 +03:00
}
Base64 encoding of meshid/nodeid in the database.
2017-10-16 03:36:06 +03:00
Cleaned up deprecation warning on NodeJS 10.x.
2019-01-03 05:03:34 +03:00
var meshidhex = Buffer.from(req.query.id.replace(/\@/g, '+').replace(/\$/g, '/'), 'base64').toString('hex').toUpperCase();
var serveridhex = Buffer.from(obj.agentCertificateHashBase64.replace(/\@/g, '+').replace(/\$/g, '/'), 'base64').toString('hex').toUpperCase();
Base64 encoding of meshid/nodeid in the database.
2017-10-16 03:36:06 +03:00
Added AgentAliasDNS settings option
2020-05-10 23:45:10 +03:00
// Get the agent connection server name
var serverName = obj.getWebServerName(domain);
if (typeof obj.args.agentaliasdns == 'string') { serverName = obj.args.agentaliasdns; }
Mesh agents can now connect and skip server cert check to boost speed
2018-08-22 01:08:15 +03:00
// Build the agent connection URL. If we are using a sub-domain or one with a DNS, we need to craft the URL correctly.
var xdomain = (domain.dns == null) ? domain.id : '';
Centralization of user access control.
2019-12-27 09:53:01 +03:00
if (xdomain != '') xdomain += '/';
Added blank line as start of .msh file.
2020-11-12 04:55:54 +03:00
var meshsettings = '\r\nMeshName=' + mesh.name + '\r\nMeshType=' + mesh.mtype + '\r\nMeshID=0x' + meshidhex + '\r\nServerID=' + serveridhex + '\r\n';
Mesh agents can now connect and skip server cert check to boost speed
2018-08-22 01:08:15 +03:00
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
Use agent-only port first by default if present.
2020-05-22 20:10:06 +03:00
if (obj.args.agentport != null) { httpsPort = obj.args.agentport; } // If an agent only port is enabled, use that.
Added AgentAliasPort option.
2020-05-04 08:37:51 +03:00
if (obj.args.agentaliasport != null) { httpsPort = obj.args.agentaliasport; } // If an agent alias port is specified, use that.
UI customization improvements.
2020-11-05 13:27:39 +03:00
if (obj.args.lanonly != true) { meshsettings += 'MeshServer=wss://' + serverName + ':' + httpsPort + '/' + xdomain + 'agent.ashx\r\n'; } else {
Support for local discovery UDP encryption.
2020-07-15 02:09:08 +03:00
meshsettings += 'MeshServer=local\r\n';
Added DiscoveryKey to .msh files.
2020-07-15 02:48:42 +03:00
if ((obj.args.localdiscovery != null) && (typeof obj.args.localdiscovery.key == 'string') && (obj.args.localdiscovery.key.length > 0)) { meshsettings += 'DiscoveryKey=' + obj.args.localdiscovery.key + '\r\n'; }
Support for local discovery UDP encryption.
2020-07-15 02:09:08 +03:00
}
Code fixes & clean up.
2020-07-06 22:46:38 +03:00
if ((req.query.tag != null) && (typeof req.query.tag == 'string') && (obj.common.isAlphaNumeric(req.query.tag) == true)) { meshsettings += 'Tag=' + req.query.tag + '\r\n'; }
if ((req.query.installflags != null) && (req.query.installflags != 0) && (parseInt(req.query.installflags) == req.query.installflags)) { meshsettings += 'InstallFlags=' + parseInt(req.query.installflags) + '\r\n'; }
Centralization of user access control.
2019-12-27 09:53:01 +03:00
if ((domain.agentnoproxy === true) || (obj.args.lanonly == true)) { meshsettings += 'ignoreProxyFile=1\r\n'; }
if (obj.args.agentconfig) { for (var i in obj.args.agentconfig) { meshsettings += obj.args.agentconfig[i] + '\r\n'; } }
if (domain.agentconfig) { for (var i in domain.agentconfig) { meshsettings += domain.agentconfig[i] + '\r\n'; } }
Added mesh agent customizations.
2020-11-12 03:28:56 +03:00
if (domain.agentcustomization != null) { // Add agent customization
if (domain.agentcustomization.displayname != null) { meshsettings += 'displayName=' + domain.agentcustomization.displayname + '\r\n'; }
if (domain.agentcustomization.description != null) { meshsettings += 'description=' + domain.agentcustomization.description + '\r\n'; }
if (domain.agentcustomization.companyname != null) { meshsettings += 'companyName=' + domain.agentcustomization.companyname + '\r\n'; }
if (domain.agentcustomization.servicename != null) { meshsettings += 'meshServiceName=' + domain.agentcustomization.servicename + '\r\n'; }
Added agent filename to .msg file.
2020-12-23 11:53:10 +03:00
if (domain.agentcustomization.filename != null) { meshsettings += 'fileName=' + domain.agentcustomization.filename + '\r\n'; }
Added agent logo support.
2022-01-19 00:34:10 +03:00
if (domain.agentcustomization.image != null) { meshsettings += 'image=' + domain.agentcustomization.image + '\r\n'; }
Updated Windows agents.
2022-02-22 11:21:39 +03:00
if (domain.agentcustomization.foregroundcolor != null) { meshsettings += checkAgentColorString('foreground=', domain.agentcustomization.foregroundcolor); }
if (domain.agentcustomization.backgroundcolor != null) { meshsettings += checkAgentColorString('background=', domain.agentcustomization.backgroundcolor); }
Added mesh agent customizations.
2020-11-12 03:28:56 +03:00
}
Fixed agent install text option.
2022-02-05 02:02:09 +03:00
if (domain.agentTranslations != null) { meshsettings += 'translation=' + domain.agentTranslations + '\r\n'; }
Added early server support for agent binary installer on Linux.
2020-08-02 07:12:07 +03:00
return meshsettings;
}
// Handle a request to download a mesh settings
obj.handleMeshSettingsRequest = function (req, res) {
const domain = getDomain(req);
if (domain == null) { return; }
//if ((domain.id !== '') || (!req.session) || (req.session == null) || (!req.session.userid)) { res.sendStatus(401); return; }
var meshsettings = getMshFromRequest(req, res, domain);
if (meshsettings == null) { res.sendStatus(401); return; }
Initial main commit
2017-08-28 19:27:45 +03:00
Added agent filename customization.
2020-12-20 04:21:42 +03:00
// Get the agent filename
var meshagentFilename = 'meshagent';
if ((domain.agentcustomization != null) && (typeof domain.agentcustomization.filename == 'string')) { meshagentFilename = domain.agentcustomization.filename; }
setContentDispositionHeader(res, 'application/octet-stream', meshagentFilename + '.msh', null, 'meshagent.msh');
Mesh agents can now connect and skip server cert check to boost speed
2018-08-22 01:08:15 +03:00
res.send(meshsettings);
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
};
Initial main commit
2017-08-28 19:27:45 +03:00
Fixed device timeline.
2019-03-20 22:40:02 +03:00
// Handle a request for power events
obj.handleDevicePowerEvents = function (req, res) {
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
More work on user device rights.
2020-03-30 08:40:13 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
Fixed device timeline.
2019-03-20 22:40:02 +03:00
if ((domain.id !== '') || (!req.session) || (req.session == null) || (!req.session.userid) || (req.query.id == null) || (typeof req.query.id != 'string')) { res.sendStatus(401); return; }
var x = req.query.id.split('/');
var user = obj.users[req.session.userid];
if ((x.length != 3) || (x[0] != 'node') || (x[1] != domain.id) || (user == null) || (user.links == null)) { res.sendStatus(401); return; }
obj.db.Get(req.query.id, function (err, docs) {
if (docs.length != 1) {
res.sendStatus(401);
} else {
var node = docs[0];
// Check if we have right to this node
More work on user device rights.
2020-03-30 08:40:13 +03:00
if (obj.GetNodeRights(user, node.meshid, node._id) == 0) { res.sendStatus(401); return; }
Fixed device timeline.
2019-03-20 22:40:02 +03:00
Fixed power state time localization, #2817
2021-06-29 04:40:44 +03:00
// See how we will convert UTC time to local time
Updated computer power state timeline export to ISO format, added local browser time.
2021-06-17 00:23:58 +03:00
var localTimeOffset = 0;
Fixed power state time localization, #2817
2021-06-29 04:40:44 +03:00
var timeConversionSystem = 0;
if ((req.query.l != null) && (req.query.tz != null)) {
timeConversionSystem = 1;
} else if (req.query.tf != null) {
// Get local time offset (bad way)
timeConversionSystem = 2;
localTimeOffset = parseInt(req.query.tf);
if (isNaN(localTimeOffset)) { localTimeOffset = 0; }
}
Updated computer power state timeline export to ISO format, added local browser time.
2021-06-17 00:23:58 +03:00
Fixed device timeline.
2019-03-20 22:40:02 +03:00
// Get the list of power events and send them
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
setContentDispositionHeader(res, 'application/octet-stream', 'powerevents.csv', null, 'powerevents.csv');
Fixed device timeline.
2019-03-20 22:40:02 +03:00
obj.db.getPowerTimeline(node._id, function (err, docs) {
Updated computer power state timeline export to ISO format, added local browser time.
2021-06-17 00:23:58 +03:00
var xevents = ['UTC Time, Local Time, State, Previous State'], prevState = 0;
Fixed device timeline.
2019-03-20 22:40:02 +03:00
for (var i in docs) {
if (docs[i].power != prevState) {
Fix MariaDB/MySQL power events
2021-11-29 23:40:01 +03:00
var timedoc = docs[i].time;
if (typeof timedoc == 'string') {
timedoc = new Date(timedoc);
}
Fixed device timeline.
2019-03-20 22:40:02 +03:00
prevState = docs[i].power;
Fixed power state time localization, #2817
2021-06-29 04:40:44 +03:00
var localTime = '';
if (timeConversionSystem == 1) { // Good way
Fix MariaDB/MySQL power events
2021-11-29 23:40:01 +03:00
localTime = new Date(timedoc.getTime()).toLocaleString(req.query.l, { timeZone: req.query.tz })
Fixed power state time localization, #2817
2021-06-29 04:40:44 +03:00
} else if (timeConversionSystem == 2) { // Bad way
Fix MariaDB/MySQL power events
2021-11-29 23:40:01 +03:00
localTime = new Date(timedoc.getTime() + (localTimeOffset * 60000)).toISOString();
Fixed power state time localization, #2817
2021-06-29 04:40:44 +03:00
localTime = localTime.substring(0, localTime.length - 1);
}
Fixed device timeline.
2019-03-20 22:40:02 +03:00
if (docs[i].oldPower != null) {
Fix MariaDB/MySQL power events
2021-11-29 23:40:01 +03:00
xevents.push('\"' + timedoc.toISOString() + '\",\"' + localTime + '\",' + docs[i].power + ',' + docs[i].oldPower);
Fixed device timeline.
2019-03-20 22:40:02 +03:00
} else {
Fix MariaDB/MySQL power events
2021-11-29 23:40:01 +03:00
xevents.push('\"' + timedoc.toISOString() + '\",\"' + localTime + '\",' + docs[i].power);
Fixed device timeline.
2019-03-20 22:40:02 +03:00
}
}
}
res.send(xevents.join('\r\n'));
});
}
});
}
Plugin system improvements.
2019-11-26 01:12:43 +03:00
if (parent.pluginHandler != null) {
// Handle a plugin admin request
obj.handlePluginAdminReq = function (req, res) {
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Plugin system improvements.
2019-11-26 01:12:43 +03:00
if ((!req.session) || (req.session == null) || (!req.session.userid)) { res.sendStatus(401); return; }
var user = obj.users[req.session.userid];
if (user == null) { res.sendStatus(401); return; }
parent.pluginHandler.handleAdminReq(req, res, user, obj);
}
obj.handlePluginAdminPostReq = function (req, res) {
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Plugin system improvements.
2019-11-26 01:12:43 +03:00
if ((!req.session) || (req.session == null) || (!req.session.userid)) { res.sendStatus(401); return; }
var user = obj.users[req.session.userid];
if (user == null) { res.sendStatus(401); return; }
parent.pluginHandler.handleAdminPostReq(req, res, user, obj);
}
obj.handlePluginJS = function (req, res) {
const domain = checkUserIpAddress(req, res);
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (domain == null) { return; }
Plugin system improvements.
2019-11-26 01:12:43 +03:00
if ((!req.session) || (req.session == null) || (!req.session.userid)) { res.sendStatus(401); return; }
var user = obj.users[req.session.userid];
if (user == null) { res.sendStatus(401); return; }
parent.pluginHandler.refreshJS(req, res);
}
Tweaks to plugin install/removal so server does not require a restart. Initial support for downgrading plugins.
2019-11-22 22:25:13 +03:00
}
Fixed device timeline.
2019-03-20 22:40:02 +03:00
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
// Starts the HTTPS server, this should be called after the user/mesh tables are loaded
function serverStart() {
// Start the server, only after users and meshes are loaded from the database.
UI customization improvements.
2020-11-05 13:27:39 +03:00
if (obj.args.tlsoffload) {
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
// Setup the HTTP server without TLS
HTTP websocket compression fix.
2020-07-10 10:51:40 +03:00
obj.expressWs = require('express-ws')(obj.app, null, { wsOptions: { perMessageDeflate: (args.wscompression === true) } });
Initial main commit
2017-08-28 19:27:45 +03:00
} else {
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
// Setup the HTTP server with TLS, use only TLS 1.2 and higher with perfect forward secrecy (PFS).
Added device link in web application.
2020-01-22 22:34:17 +03:00
//const tlsOptions = { cert: obj.certificates.web.cert, key: obj.certificates.web.key, ca: obj.certificates.web.ca, rejectUnauthorized: true, ciphers: "HIGH:!aNULL:!eNULL:!EXPORT:!RSA:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA", secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1 }; // This does not work with TLS 1.3
const tlsOptions = { cert: obj.certificates.web.cert, key: obj.certificates.web.key, ca: obj.certificates.web.ca, rejectUnauthorized: true, ciphers: "HIGH:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_CHACHA20_POLY1305_SHA256", secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1 };
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
if (obj.tlsSniCredentials != null) { tlsOptions.SNICallback = TlsSniCallback; } // We have multiple web server certificate used depending on the domain name
obj.tlsServer = require('https').createServer(tlsOptions, obj.app);
obj.tlsServer.on('secureConnection', function () { /*console.log('tlsServer secureConnection');*/ });
Fixed GreenLock v4
2020-01-25 23:14:14 +03:00
obj.tlsServer.on('error', function (err) { console.log('tlsServer error', err); });
//obj.tlsServer.on('tlsClientError', function (err) { console.log('tlsClientError', err); });
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.tlsServer.on('newSession', function (id, data, cb) { if (tlsSessionStoreCount > 1000) { tlsSessionStoreCount = 0; tlsSessionStore = {}; } tlsSessionStore[id.toString('hex')] = data; tlsSessionStoreCount++; cb(); });
obj.tlsServer.on('resumeSession', function (id, cb) { cb(null, tlsSessionStore[id.toString('hex')] || null); });
HTTP websocket compression fix.
2020-07-10 10:51:40 +03:00
obj.expressWs = require('express-ws')(obj.app, obj.tlsServer, { wsOptions: { perMessageDeflate: (args.wscompression === true) } });
Initial main commit
2017-08-28 19:27:45 +03:00
}
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
// Start a second agent-only server if needed
if (obj.args.agentport) {
Many updates to how agents connect, agent cert checking and tls on agent port.
2020-05-22 22:54:22 +03:00
var agentPortTls = true;
if (obj.args.tlsoffload != null) { agentPortTls = false; }
if (typeof obj.args.agentporttls == 'boolean') { agentPortTls = obj.args.agentporttls; }
if (obj.certificates.webdefault == null) { agentPortTls = false; }
if (agentPortTls == false) {
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
// Setup the HTTP server without TLS
HTTP websocket compression fix.
2020-07-10 10:51:40 +03:00
obj.expressWsAlt = require('express-ws')(obj.agentapp, null, { wsOptions: { perMessageDeflate: (args.wscompression === true) } });
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
} else {
// Setup the agent HTTP server with TLS, use only TLS 1.2 and higher with perfect forward secrecy (PFS).
Many updates to how agents connect, agent cert checking and tls on agent port.
2020-05-22 22:54:22 +03:00
// If TLS is used on the agent port, we always use the default TLS certificate.
const tlsOptions = { cert: obj.certificates.webdefault.cert, key: obj.certificates.webdefault.key, ca: obj.certificates.webdefault.ca, rejectUnauthorized: true, ciphers: "HIGH:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_CHACHA20_POLY1305_SHA256", secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1 };
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
obj.tlsAltServer = require('https').createServer(tlsOptions, obj.agentapp);
obj.tlsAltServer.on('secureConnection', function () { /*console.log('tlsAltServer secureConnection');*/ });
obj.tlsAltServer.on('error', function (err) { console.log('tlsAltServer error', err); });
//obj.tlsAltServer.on('tlsClientError', function (err) { console.log('tlsClientError', err); });
obj.tlsAltServer.on('newSession', function (id, data, cb) { if (tlsSessionStoreCount > 1000) { tlsSessionStoreCount = 0; tlsSessionStore = {}; } tlsSessionStore[id.toString('hex')] = data; tlsSessionStoreCount++; cb(); });
obj.tlsAltServer.on('resumeSession', function (id, cb) { cb(null, tlsSessionStore[id.toString('hex')] || null); });
HTTP websocket compression fix.
2020-07-10 10:51:40 +03:00
obj.expressWsAlt = require('express-ws')(obj.agentapp, obj.tlsAltServer, { wsOptions: { perMessageDeflate: (args.wscompression === true) } });
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
}
}
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
// Setup middleware
Fixed layout exception.
2022-02-15 04:20:29 +03:00
obj.app.engine('handlebars', obj.exphbs({ defaultLayout: false }));
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.set('view engine', 'handlebars');
Added support for DNS name in TLSOffload and TrustedProxy settings.
2021-01-04 12:50:00 +03:00
if (obj.args.trustedproxy) {
// Reverse proxy should add the "X-Forwarded-*" headers
try {
obj.app.set('trust proxy', obj.args.trustedproxy);
} catch (ex) {
// If there is an error, try to resolve the string
if ((obj.args.trustedproxy.length == 1) && (typeof obj.args.trustedproxy[0] == 'string')) {
Trusted proxy DNS resolve improvements.
2021-01-05 23:52:22 +03:00
require('dns').lookup(obj.args.trustedproxy[0], function (err, address, family) { if (err == null) { obj.app.set('trust proxy', address); obj.args.trustedproxy = [address]; } });
Added support for DNS name in TLSOffload and TrustedProxy settings.
2021-01-04 12:50:00 +03:00
}
}
}
else if (typeof obj.args.tlsoffload == 'object') {
// Reverse proxy should add the "X-Forwarded-*" headers
try {
obj.app.set('trust proxy', obj.args.tlsoffload);
} catch (ex) {
// If there is an error, try to resolve the string
New Windows agents, desktop shortcut customization.
2021-01-08 10:35:11 +03:00
if ((Array.isArray(obj.args.tlsoffload)) && (obj.args.tlsoffload.length == 1) && (typeof obj.args.tlsoffload[0] == 'string')) {
Trusted proxy DNS resolve improvements.
2021-01-05 23:52:22 +03:00
require('dns').lookup(obj.args.tlsoffload[0], function (err, address, family) { if (err == null) { obj.app.set('trust proxy', address); obj.args.tlsoffload = [address]; } });
Added support for DNS name in TLSOffload and TrustedProxy settings.
2021-01-04 12:50:00 +03:00
}
}
}
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.use(obj.bodyParser.urlencoded({ extended: false }));
var sessionOptions = {
name: 'xid', // Recommended security practice to not use the default cookie name
httpOnly: true,
keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
Fixed for HTTP session with reverse proxies.
2021-04-14 10:09:00 +03:00
secure: (obj.args.tlsoffload == null) // Use this cookie only over TLS (Check this: https://expressjs.com/en/guide/behind-proxies.html)
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
}
Fixed session IP check still being performed when CookieIpCheck is false.
2022-02-24 23:22:01 +03:00
if (obj.args.sessionsamesite != null) { sessionOptions.sameSite = obj.args.sessionsamesite; } else { sessionOptions.sameSite = ((parent.config.settings.cookieipcheck === false) ? 'none' : 'strict'); }
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
if (obj.args.sessiontime != null) { sessionOptions.maxAge = (obj.args.sessiontime * 60 * 1000); }
obj.app.use(obj.session(sessionOptions));
// Add HTTP security headers to all responses
obj.app.use(function (req, res, next) {
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
// Check if a session is destroyed
if (typeof req.session.userid == 'string') {
if (typeof req.session.x == 'string') {
if (obj.destroyedSessions[req.session.userid + '/' + req.session.x] != null) {
delete req.session.userid;
delete req.session.ip;
delete req.session.t;
delete req.session.x;
}
} else {
// Legacy session without a random, add one.
setSessionRandom(req);
}
}
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
// Remove legacy values from the session to keep the session as small as possible
delete req.session.domainid;
delete req.session.u2fchallenge
delete req.session.nowInMinutes;
delete req.session.tokenuserid;
delete req.session.tokenusername;
delete req.session.tokenpassword;
delete req.session.tokenemail;
delete req.session.tokensms;
delete req.session.tokenpush;
delete req.session.tusername;
delete req.session.tpassword;
Added HTTP header tracing.
2021-01-10 02:58:42 +03:00
// Useful for debugging reverse proxy issues
MongoDB speed boost using bulkWrite()
2021-01-10 15:53:30 +03:00
parent.debug('httpheaders', req.method, req.url, req.headers);
Added HTTP header tracing.
2021-01-10 02:58:42 +03:00
Fix for #2675, added HTTPS redirect when x-forwarded-proto:http
2021-05-23 10:02:13 +03:00
// If this request came over HTTP, redirect to HTTPS
if (req.headers['x-forwarded-proto'] == 'http') {
var host = req.headers.host;
if (typeof host == 'string') { host = host.split(':')[0]; }
if ((host == null) && (obj.certificates != null)) { host = obj.certificates.CommonName; if (obj.certificates.CommonName.indexOf('.') == -1) { host = req.headers.host; } }
var httpsPort = ((obj.args.aliasport == null) ? obj.args.port : obj.args.aliasport); // Use HTTPS alias port is specified
res.redirect('https://' + host + ':' + httpsPort + req.url);
return;
}
Added HTTP traffic accounting.
2021-05-05 21:37:26 +03:00
// Perform traffic accounting
if (req.headers.upgrade == 'websocket') {
// We don't count traffic on WebSockets since it's counted by the handling modules.
obj.trafficStats.httpWebSocketCount++;
} else {
// Normal HTTP traffic is counted
obj.trafficStats.httpRequestCount++;
if (typeof req.socket.xbytesRead != 'number') {
req.socket.xbytesRead = 0;
req.socket.xbytesWritten = 0;
req.socket.on('close', function () {
// Perform final accounting
obj.trafficStats.httpIn += (this.bytesRead - this.xbytesRead);
obj.trafficStats.httpOut += (this.bytesWritten - this.xbytesWritten);
this.xbytesRead = this.bytesRead;
this.xbytesWritten = this.bytesWritten;
});
} else {
// Update counters
obj.trafficStats.httpIn += (req.socket.bytesRead - req.socket.xbytesRead);
obj.trafficStats.httpOut += (req.socket.bytesWritten - req.socket.xbytesWritten);
req.socket.xbytesRead = req.socket.bytesRead;
req.socket.xbytesWritten = req.socket.bytesWritten;
}
}
Started work on traffic accounting.
2021-05-05 12:24:23 +03:00
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
// Set the real IP address of the request
// If a trusted reverse-proxy is sending us the remote IP address, use it.
Agent core download and reverse proxy improvements.
2020-12-01 00:20:31 +03:00
var ipex = '0.0.0.0', xforwardedhost = req.headers.host;
x-forwarded-host improvements.
2020-11-29 06:30:07 +03:00
if (typeof req.connection.remoteAddress == 'string') { ipex = (req.connection.remoteAddress.startsWith('::ffff:')) ? req.connection.remoteAddress.substring(7) : req.connection.remoteAddress; }
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (
Trusted proxy DNS resolve improvements.
2021-01-05 23:52:22 +03:00
(obj.args.trustedproxy === true) || (obj.args.tlsoffload === true) ||
Added CloudFlare auto-loading of trusted proxy IP addresses.
2020-12-11 00:56:15 +03:00
((typeof obj.args.trustedproxy == 'object') && (isIPMatch(ipex, obj.args.trustedproxy))) ||
((typeof obj.args.tlsoffload == 'object') && (isIPMatch(ipex, obj.args.tlsoffload)))
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
) {
x-forwarded-host improvements.
2020-11-29 06:30:07 +03:00
// Get client IP
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (req.headers['cf-connecting-ip']) { // Use CloudFlare IP address if present
req.clientIp = req.headers['cf-connecting-ip'].split(',')[0].trim();
Fixed x-forwarded-for server crash
2020-06-08 19:45:03 +03:00
} else if (req.headers['x-forwarded-for']) {
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
req.clientIp = req.headers['x-forwarded-for'].split(',')[0].trim();
Fixed x-forwarded-for server crash
2020-06-08 19:45:03 +03:00
} else if (req.headers['x-real-ip']) {
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
req.clientIp = req.headers['x-real-ip'].split(',')[0].trim();
} else {
req.clientIp = ipex;
}
x-forwarded-host improvements.
2020-11-29 06:30:07 +03:00
New Windows agents, desktop shortcut customization.
2021-01-08 10:35:11 +03:00
// If there is a port number, remove it. This will only work for IPv4, but nice for people that have a bad reverse proxy config.
const clientIpSplit = req.clientIp.split(':');
if (clientIpSplit.length == 2) { req.clientIp = clientIpSplit[0]; }
x-forwarded-host improvements.
2020-11-29 06:30:07 +03:00
// Get server host
Fixed x-forwarded-host where multiple hosts are specified.
2022-02-17 00:00:36 +03:00
if (req.headers['x-forwarded-host']) { xforwardedhost = req.headers['x-forwarded-host'].split(',')[0]; } // If multiple hosts are specified with a comma, take the first one.
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
} else {
req.clientIp = ipex;
}
// Get the domain for this request
const domain = req.xdomain = getDomain(req);
parent.debug('webrequest', '(' + req.clientIp + ') ' + req.url);
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
Fixed agent tunnel unable to connect.
2020-06-17 20:28:54 +03:00
// Skip the rest is this is an agent connection
First working version with local device relay.
2021-04-28 09:22:55 +03:00
if ((req.url.indexOf('/meshrelay.ashx/.websocket') >= 0) || (req.url.indexOf('/agent.ashx/.websocket') >= 0) || (req.url.indexOf('/localrelay.ashx/.websocket') >= 0)) { next(); return; }
Fixed agent tunnel unable to connect.
2020-06-17 20:28:54 +03:00
httpheaders now adds to existing headers, set a header to null to force remove it.
2022-03-01 22:18:42 +03:00
// Setup security headers
const geourl = (domain.geolocation ? ' *.openstreetmap.org' : '');
var selfurl = ' wss://' + req.headers.host;
if ((xforwardedhost != null) && (xforwardedhost != req.headers.host)) { selfurl += ' wss://' + xforwardedhost; }
const extraScriptSrc = (parent.config.settings.extrascriptsrc != null) ? (' ' + parent.config.settings.extrascriptsrc) : '';
const headers = {
'Referrer-Policy': 'no-referrer',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'Permissions-Policy': 'interest-cohort=()', // Remove Google's FLoC Network
'Content-Security-Policy': "default-src 'none'; font-src 'self'; script-src 'self' 'unsafe-inline'" + extraScriptSrc + "; connect-src 'self'" + geourl + selfurl + "; img-src 'self' blob: data:" + geourl + " data:; style-src 'self' 'unsafe-inline'; frame-src 'self' mcrouter:; media-src 'self'; form-action 'self'"
};
if ((parent.config.settings.allowframing !== true) && (typeof parent.config.settings.allowframing !== 'string')) { headers['X-Frame-Options'] = 'sameorigin'; }
if ((parent.config.settings.stricttransportsecurity === true) || ((parent.config.settings.stricttransportsecurity !== false) && (obj.isTrustedCert(domain)))) { if (typeof parent.config.settings.stricttransportsecurity == 'string') { headers['Strict-Transport-Security'] = parent.config.settings.stricttransportsecurity; } else { headers['Strict-Transport-Security'] = 'max-age=63072000'; } }
// If this domain has configured headers, add them. If a header is set to null, remove it.
Added more security in HTTP headers
2019-09-13 01:12:40 +03:00
if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) {
Fixed bug when settings custom http headers.
2022-03-05 21:51:41 +03:00
for (var i in domain.httpheaders) { if (domain.httpheaders[i] === null) { delete headers[i]; } else { headers[i] = domain.httpheaders[i]; } }
Added more security in HTTP headers
2019-09-13 01:12:40 +03:00
}
httpheaders now adds to existing headers, set a header to null to force remove it.
2022-03-01 22:18:42 +03:00
res.set(headers);
Added database merge feature.
2019-02-16 01:50:23 +03:00
Added IP binding to session and encoded cookies.
2019-09-13 02:24:35 +03:00
// Check the session if bound to the external IP address
Fixed session IP check still being performed when CookieIpCheck is false.
2022-02-24 23:22:01 +03:00
if ((parent.config.settings.cookieipcheck !== false) && (req.session.ip != null) && (req.clientIp != null) && (req.session.ip != req.clientIp)) { req.session = {}; }
Added IP binding to session and encoded cookies.
2019-09-13 02:24:35 +03:00
Cookie session is now auto-refreshed.
2020-06-12 22:00:58 +03:00
// Extend the session time by forcing a change to the session every minute.
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
if (req.session.userid != null) { req.session.t = Math.floor(Date.now() / 60e3); } else { delete req.session.t; }
Cookie session is now auto-refreshed.
2020-06-12 22:00:58 +03:00
MeshMessenger customization improvements.
2021-01-26 22:46:22 +03:00
// Debugging code, this will stop the agent from crashing if two responses are made to the same request.
const render = res.render;
const send = res.send;
res.render = function renderWrapper(...args) {
Error.captureStackTrace(this);
return render.apply(this, args);
};
res.send = function sendWrapper(...args) {
try {
send.apply(this, args);
} catch (err) {
console.error(`Error in res.send | ${err.code} | ${err.message} | ${res.stack}`);
try {
var errlogpath = null;
if (typeof parent.args.mesherrorlogpath == 'string') { errlogpath = parent.path.join(parent.args.mesherrorlogpath, 'mesherrors.txt'); } else { errlogpath = parent.getConfigFilePath('mesherrors.txt'); }
parent.fs.appendFileSync(errlogpath, new Date().toLocaleString() + ': ' + `Error in res.send | ${err.code} | ${err.message} | ${res.stack}` + '\r\n');
} catch (ex) { console.log('ERROR: Unable to write to mesherrors.txt.'); }
}
};
Improved HTTP sharing domains.
2021-01-04 14:14:26 +03:00
// Continue processing the request
return next();
Improved server UI, new Auto-Remote agent feature.
2018-09-27 00:58:55 +03:00
});
Many updates to how agents connect, agent cert checking and tls on agent port.
2020-05-22 22:54:22 +03:00
if (obj.agentapp) {
// Add HTTP security headers to all responses
obj.agentapp.use(function (req, res, next) {
// Set the real IP address of the request
// If a trusted reverse-proxy is sending us the remote IP address, use it.
Fixed certificate creation problem.
2020-09-23 19:29:19 +03:00
var ipex = '0.0.0.0';
x-forwarded-host improvements.
2020-11-29 06:30:07 +03:00
if (typeof req.connection.remoteAddress == 'string') { ipex = (req.connection.remoteAddress.startsWith('::ffff:')) ? req.connection.remoteAddress.substring(7) : req.connection.remoteAddress; }
Many updates to how agents connect, agent cert checking and tls on agent port.
2020-05-22 22:54:22 +03:00
if (
Update setting cleint ip in agentonly webrequest
2021-08-31 17:35:35 +03:00
(obj.args.trustedproxy === true) || (obj.args.tlsoffload === true) ||
((typeof obj.args.trustedproxy == 'object') && (isIPMatch(ipex, obj.args.trustedproxy))) ||
((typeof obj.args.tlsoffload == 'object') && (isIPMatch(ipex, obj.args.tlsoffload)))
Many updates to how agents connect, agent cert checking and tls on agent port.
2020-05-22 22:54:22 +03:00
) {
if (req.headers['cf-connecting-ip']) { // Use CloudFlare IP address if present
req.clientIp = req.headers['cf-connecting-ip'].split(',')[0].trim();
Fixed AgentPort server crash.
2020-05-24 02:24:05 +03:00
} else if (req.headers['x-forwarded-for']) {
Many updates to how agents connect, agent cert checking and tls on agent port.
2020-05-22 22:54:22 +03:00
req.clientIp = req.headers['x-forwarded-for'].split(',')[0].trim();
Fixed AgentPort server crash.
2020-05-24 02:24:05 +03:00
} else if (req.headers['x-real-ip']) {
Many updates to how agents connect, agent cert checking and tls on agent port.
2020-05-22 22:54:22 +03:00
req.clientIp = req.headers['x-real-ip'].split(',')[0].trim();
} else {
req.clientIp = ipex;
}
} else {
req.clientIp = ipex;
}
// Get the domain for this request
const domain = req.xdomain = getDomain(req);
parent.debug('webrequest', '(' + req.clientIp + ') AgentPort: ' + req.url);
res.removeHeader('X-Powered-By');
return next();
});
}
Improved HTTP sharing domains.
2021-01-04 14:14:26 +03:00
// Setup all sharing domains
for (var i in parent.config.domains) {
if ((parent.config.domains[i].dns == null) && (parent.config.domains[i].share != null)) { obj.app.use(parent.config.domains[i].url, obj.express.static(parent.config.domains[i].share)); }
}
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
// Setup all HTTP handlers
Server peering fixes.
2020-11-13 02:21:38 +03:00
if (parent.multiServer != null) { obj.app.ws('/meshserver.ashx', function (ws, req) { parent.multiServer.CreatePeerInServer(parent.multiServer, ws, req, obj.args.tlsoffload == null); }); }
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
for (var i in parent.config.domains) {
Improved HTTP sharing domains.
2021-01-04 14:14:26 +03:00
if ((parent.config.domains[i].dns != null) || (parent.config.domains[i].share != null)) { continue; } // This is a subdomain with a DNS name, no added HTTP bindings needed.
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
var domain = parent.config.domains[i];
var url = domain.url;
Added unknownUserRootRedirect option, #3172
2021-10-08 23:24:04 +03:00
if (typeof domain.rootredirect == 'string') {
// Root page redirects the user to a different URL
obj.app.get(url, handleRootRedirect);
} else {
Version 0.7.33
2020-12-30 02:13:09 +03:00
// Present the login page as the root page
obj.app.get(url, handleRootRequest);
obj.app.post(url, handleRootPostRequest);
}
Cookie session is now auto-refreshed.
2020-06-12 22:00:58 +03:00
obj.app.get(url + 'refresh.ashx', function (req, res) { res.sendStatus(200); });
Allow complete removal of My Server tab for a specific domain.
2020-10-06 02:47:30 +03:00
if ((domain.myserver !== false) && ((domain.myserver == null) || (domain.myserver.backup === true))) { obj.app.get(url + 'backup.zip', handleBackupRequest); }
if ((domain.myserver !== false) && ((domain.myserver == null) || (domain.myserver.restore === true))) { obj.app.post(url + 'restoreserver.ashx', handleRestoreRequest); }
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.get(url + 'terms', handleTermsRequest);
Added xterm terminal and fixed device link.
2020-01-24 02:15:56 +03:00
obj.app.get(url + 'xterm', handleXTermRequest);
Version 0.7.33
2020-12-30 02:13:09 +03:00
obj.app.get(url + 'login', handleRootRequest);
obj.app.post(url + 'login', handleRootPostRequest);
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.post(url + 'tokenlogin', handleLoginRequest);
obj.app.get(url + 'logout', handleLogoutRequest);
obj.app.get(url + 'MeshServerRootCert.cer', handleRootCertRequest);
obj.app.post(url + 'changepassword', handlePasswordChangeRequest);
obj.app.post(url + 'deleteaccount', handleDeleteAccountRequest);
obj.app.post(url + 'createaccount', handleCreateAccountRequest);
Added server password timeout and reset on next login.
2019-02-28 05:48:50 +03:00
obj.app.post(url + 'resetpassword', handleResetPasswordRequest);
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.post(url + 'resetaccount', handleResetAccountRequest);
obj.app.get(url + 'checkmail', handleCheckMailRequest);
Added public agent install invitation link support.
2019-06-03 23:15:38 +03:00
obj.app.get(url + 'agentinvite', handleAgentInviteRequest);
Started work on account pictures.
2021-03-19 14:12:45 +03:00
obj.app.get(url + 'userimage.ashx', handleUserImageRequest);
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.post(url + 'amtevents.ashx', obj.handleAmtEventRequest);
obj.app.get(url + 'meshagents', obj.handleMeshAgentRequest);
obj.app.get(url + 'messenger', handleMessengerRequest);
Added MeshMessenger title bar customization.
2021-01-25 11:04:43 +03:00
obj.app.get(url + 'messenger.png', handleMessengerImageRequest);
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.get(url + 'meshosxagent', obj.handleMeshOsxAgentRequest);
obj.app.get(url + 'meshsettings', obj.handleMeshSettingsRequest);
Fixed device timeline.
2019-03-20 22:40:02 +03:00
obj.app.get(url + 'devicepowerevents.ashx', obj.handleDevicePowerEvents);
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.get(url + 'downloadfile.ashx', handleDownloadFile);
obj.app.post(url + 'uploadfile.ashx', handleUploadFile);
Added multi-agent upload feature.
2020-11-08 12:13:23 +03:00
obj.app.post(url + 'uploadfilebatch.ashx', handleUploadFileBatch);
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.post(url + 'uploadmeshcorefile.ashx', handleUploadMeshCoreFile);
More work on Intel AMT One Click Recovery.
2021-03-23 09:36:05 +03:00
obj.app.post(url + 'oneclickrecovery.ashx', handleOneClickRecoveryFile);
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.get(url + 'userfiles/*', handleDownloadUserFiles);
obj.app.ws(url + 'echo.ashx', handleEchoWebSocket);
More work on device 2FA.
2021-04-14 23:28:51 +03:00
obj.app.ws(url + '2fahold.ashx', handle2faHoldWebSocket);
Improved Intel AMT activation logging.
2020-10-23 00:35:12 +03:00
obj.app.ws(url + 'apf.ashx', function (ws, req) { obj.parent.mpsserver.onWebSocketConnection(ws, req); })
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.get(url + 'webrelay.ashx', function (req, res) { res.send('Websocket connection expected'); });
Added health.ashx for load-balancer health checking.
2019-05-14 21:30:08 +03:00
obj.app.get(url + 'health.ashx', function (req, res) { res.send('ok'); }); // TODO: Perform more server checking.
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.ws(url + 'webrelay.ashx', function (ws, req) { PerformWSSessionAuth(ws, req, false, handleRelayWebSocket); });
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
obj.app.ws(url + 'webider.ashx', function (ws, req) { PerformWSSessionAuth(ws, req, false, function (ws1, req1, domain, user, cookie, authData) { obj.meshIderHandler.CreateAmtIderSession(obj, obj.db, ws1, req1, obj.args, domain, user); }); });
control.ashx now behind 3FA
2020-09-18 10:57:36 +03:00
obj.app.ws(url + 'control.ashx', function (ws, req) {
Removed auth data from websocket connection URL.
2021-11-04 04:52:11 +03:00
getWebsocketArgs(ws, req, function (ws, req) {
const domain = getDomain(req);
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { ws.close(); return; } // Check 3FA URL key
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
PerformWSSessionAuth(ws, req, true, function (ws1, req1, domain, user, cookie, authData) {
Removed auth data from websocket connection URL.
2021-11-04 04:52:11 +03:00
if (user == null) { // User is not authenticated, perform inner server authentication
if (req.headers['x-meshauth'] === '*') {
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
PerformWSSessionInnerAuth(ws, req, domain, function (ws1, req1, domain, user) { obj.meshUserHandler.CreateMeshUser(obj, obj.db, ws1, req1, obj.args, domain, user, authData); }); // User is authenticated
Removed auth data from websocket connection URL.
2021-11-04 04:52:11 +03:00
} else {
try { ws.close(); } catch (ex) { } // user is not authenticated and inner authentication was not requested, disconnect now.
}
User inner authentication improvements.
2021-04-03 03:26:17 +03:00
} else {
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
obj.meshUserHandler.CreateMeshUser(obj, obj.db, ws1, req1, obj.args, domain, user, authData); // User is authenticated
User inner authentication improvements.
2021-04-03 03:26:17 +03:00
}
Removed auth data from websocket connection URL.
2021-11-04 04:52:11 +03:00
});
Added support for user inner server authentication.
2021-04-03 03:20:36 +03:00
});
control.ashx now behind 3FA
2020-09-18 10:57:36 +03:00
});
Added support for device stream downloads.
2020-08-27 04:42:41 +03:00
obj.app.ws(url + 'devicefile.ashx', function (ws, req) { obj.meshDeviceFileHandler.CreateMeshDeviceFile(obj, ws, null, req, domain); });
obj.app.get(url + 'devicefile.ashx', handleDeviceFile);
Added multi-agent upload feature.
2020-11-08 12:13:23 +03:00
obj.app.get(url + 'agentdownload.ashx', handleAgentDownloadFile);
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
obj.app.get(url + 'logo.png', handleLogoRequest);
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
obj.app.get(url + 'loginlogo.png', handleLoginLogoRequest);
Improved translator web application.
2019-12-06 02:33:22 +03:00
obj.app.post(url + 'translations', handleTranslationsRequest);
Added welcome page customization options.
2019-02-14 00:22:52 +03:00
obj.app.get(url + 'welcome.jpg', handleWelcomeImageRequest);
Improved login page customization, improved Chinese.
2020-09-03 12:19:17 +03:00
obj.app.get(url + 'welcome.png', handleWelcomeImageRequest);
Added recodings manager and recording improvements.
2020-05-05 23:00:51 +03:00
obj.app.get(url + 'recordings.ashx', handleGetRecordings);
Session recording viewer can now stream.
2021-11-08 05:07:45 +03:00
obj.app.ws(url + 'recordings.ashx', handleGetRecordingsWebSocket);
Internalization improvements.
2020-02-05 03:22:00 +03:00
obj.app.get(url + 'player.htm', handlePlayerRequest);
obj.app.get(url + 'player', handlePlayerRequest);
Started work on improved device guest sharing.
2021-04-09 10:28:02 +03:00
obj.app.get(url + 'sharing', handleSharingRequest);
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
obj.app.ws(url + 'agenttransfer.ashx', handleAgentFileTransfer); // Setup agent to/from server file transfer handler
Start work in desktop multiplexor.
2020-04-24 09:19:28 +03:00
obj.app.ws(url + 'meshrelay.ashx', function (ws, req) {
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
PerformWSSessionAuth(ws, req, true, function (ws1, req1, domain, user, cookie, authData) {
Completed desktop multiplexor.
2020-04-28 22:42:58 +03:00
if (((parent.config.settings.desktopmultiplex === true) || (domain.desktopmultiplex === true)) && (req.query.p == 2)) {
Start work in desktop multiplexor.
2020-04-24 09:19:28 +03:00
obj.meshDesktopMultiplexHandler.CreateMeshRelay(obj, ws1, req1, domain, user, cookie); // Desktop multiplexor 1-to-n
} else {
obj.meshRelayHandler.CreateMeshRelay(obj, ws1, req1, domain, user, cookie); // Normal relay 1-to-1
}
});
});
First working version with local device relay.
2021-04-28 09:22:55 +03:00
if (obj.args.wanonly != true) { // If the server is not in WAN mode, allow server relayed connections.
obj.app.ws(url + 'localrelay.ashx', function (ws, req) {
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
PerformWSSessionAuth(ws, req, true, function (ws1, req1, domain, user, cookie, authData) {
First working version with local device relay.
2021-04-28 09:22:55 +03:00
if ((user == null) || (cookie == null)) {
try { ws1.close(); } catch (ex) { }
} else {
obj.meshRelayHandler.CreateLocalRelay(obj, ws1, req1, domain, user, cookie); // Local relay
}
});
});
}
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
if (domain.agentinvitecodes == true) {
More work on agent invite by codes.
2020-03-17 04:03:14 +03:00
obj.app.get(url + 'invite', handleInviteRequest);
obj.app.post(url + 'invite', handleInviteRequest);
}
Plugin admin partial
2019-11-02 13:27:39 +03:00
if (parent.pluginHandler != null) {
obj.app.get(url + 'pluginadmin.ashx', obj.handlePluginAdminReq);
obj.app.post(url + 'pluginadmin.ashx', obj.handlePluginAdminPostReq);
Tweaks to plugin install/removal so server does not require a restart. Initial support for downgrading plugins.
2019-11-22 22:25:13 +03:00
obj.app.get(url + 'pluginHandler.js', obj.handlePluginJS);
Plugin admin partial
2019-11-02 13:27:39 +03:00
}
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
Started work on IP-KVM relay code.
2021-12-06 07:56:57 +03:00
// Setup IP-KVM relay if supported
if (domain.ipkvm) {
obj.app.ws(url + 'ipkvm.ashx/*', function (ws, req) {
const domain = getDomain(req);
if (domain == null) { parent.debug('web', 'ipkvm: failed domain checks.'); try { ws.close(); } catch (ex) { } return; }
Improved structure of IP-KVM relay handling.
2021-12-06 14:08:54 +03:00
parent.ipKvmManager.handleIpKvmWebSocket(domain, ws, req);
Started work on IP-KVM relay code.
2021-12-06 07:56:57 +03:00
});
obj.app.get(url + 'ipkvm.ashx/*', function (req, res, next) {
const domain = getDomain(req);
Improved structure of IP-KVM relay handling.
2021-12-06 14:08:54 +03:00
if (domain == null) return;
parent.ipKvmManager.handleIpKvmGet(domain, req, res, next);
Started work on IP-KVM relay code.
2021-12-06 07:56:57 +03:00
});
}
First attempt at MSTSC.js support.
2020-06-10 04:17:15 +03:00
// Setup MSTSC.js if needed
if (domain.mstsc === true) {
Started work on web-based SSH support.
2021-04-29 09:22:54 +03:00
obj.app.get(url + 'mstsc.html', function (req, res) { handleMSTSCRequest(req, res, 'mstsc'); });
Added SSH support in terminal tab for local devices.
2021-05-09 04:09:49 +03:00
obj.app.ws(url + 'mstscrelay.ashx', function (ws, req) {
Improved MSTSC.js login access options.
2020-06-14 03:43:12 +03:00
const domain = getDomain(req);
if (domain == null) { parent.debug('web', 'mstsc: failed checks.'); try { ws.close(); } catch (e) { } return; }
First working web-based SSH.
2021-04-30 08:31:01 +03:00
require('./apprelays.js').CreateMstscRelay(obj, obj.db, ws, req, obj.args, domain);
First attempt at MSTSC.js support.
2020-06-10 04:17:15 +03:00
});
}
Started work on web-based SSH support.
2021-04-29 09:22:54 +03:00
// Setup SSH if needed
More work on web based SSH support.
2021-04-30 01:51:06 +03:00
if (domain.ssh === true) {
Started work on web-based SSH support.
2021-04-29 09:22:54 +03:00
obj.app.get(url + 'ssh.html', function (req, res) { handleMSTSCRequest(req, res, 'ssh'); });
Added SSH support in terminal tab for local devices.
2021-05-09 04:09:49 +03:00
obj.app.ws(url + 'sshrelay.ashx', function (ws, req) {
Started work on web-based SSH support.
2021-04-29 09:22:54 +03:00
const domain = getDomain(req);
if (domain == null) { parent.debug('web', 'ssh: failed checks.'); try { ws.close(); } catch (e) { } return; }
First working web-based SSH.
2021-04-30 08:31:01 +03:00
try {
require('./apprelays.js').CreateSshRelay(obj, obj.db, ws, req, obj.args, domain);
} catch (ex) { console.log(ex); }
Started work on web-based SSH support.
2021-04-29 09:22:54 +03:00
});
Added SSH support in terminal tab for local devices.
2021-05-09 04:09:49 +03:00
obj.app.ws(url + 'sshterminalrelay.ashx', function (ws, req) {
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
PerformWSSessionAuth(ws, req, true, function (ws1, req1, domain, user, cookie, authData) {
Added SSH support in terminal tab for local devices.
2021-05-09 04:09:49 +03:00
require('./apprelays.js').CreateSshTerminalRelay(obj, obj.db, ws1, req1, domain, user, cookie, obj.args);
});
});
Partial SSH file support for local device group.
2021-05-25 01:26:54 +03:00
obj.app.ws(url + 'sshfilesrelay.ashx', function (ws, req) {
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
PerformWSSessionAuth(ws, req, true, function (ws1, req1, domain, user, cookie, authData) {
Partial SSH file support for local device group.
2021-05-25 01:26:54 +03:00
require('./apprelays.js').CreateSshFilesRelay(obj, obj.db, ws1, req1, domain, user, cookie, obj.args);
});
});
Started work on web-based SSH support.
2021-04-29 09:22:54 +03:00
}
Added Firebase Cloud Messaging Relay.
2021-02-03 10:31:44 +03:00
// Setup firebase push only server
if ((obj.parent.firebase != null) && (obj.parent.config.firebase)) {
if (obj.parent.config.firebase.pushrelayserver) { parent.debug('email', 'Firebase-pushrelay-handler'); obj.app.post(url + 'firebaserelay.aspx', handleFirebasePushOnlyRelayRequest); }
Added Firebase two-way push notification relay.
2021-02-04 08:48:54 +03:00
if (obj.parent.config.firebase.relayserver) { parent.debug('email', 'Firebase-relay-handler'); obj.app.ws(url + 'firebaserelay.aspx', handleFirebaseRelayRequest); }
Added Firebase Cloud Messaging Relay.
2021-02-03 10:31:44 +03:00
}
More OAuth work.
2020-05-14 11:41:03 +03:00
// Setup auth strategies using passport if needed
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
if (typeof domain.authstrategies == 'object') {
const passport = domain.passport = require('passport');
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
passport.serializeUser(function (user, done) { done(null, user.sid); });
passport.deserializeUser(function (sid, done) { done(null, { sid: sid }); });
More work on OAuth support.
2020-05-14 08:30:59 +03:00
obj.app.use(passport.initialize());
More work on OAuth support.
2020-05-15 01:09:48 +03:00
//obj.app.use(passport.session());
More OAuth work.
2020-05-14 11:41:03 +03:00
// Twitter
First working OAuth support for Twitter, Google, GitHub, Reddit.
2020-05-15 03:06:55 +03:00
if ((typeof domain.authstrategies.twitter == 'object') && (typeof domain.authstrategies.twitter.clientid == 'string') && (typeof domain.authstrategies.twitter.clientsecret == 'string')) {
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
const TwitterStrategy = require('passport-twitter');
Fixed SSO CallBack URL's
2020-06-10 21:55:30 +03:00
var options = { consumerKey: domain.authstrategies.twitter.clientid, consumerSecret: domain.authstrategies.twitter.clientsecret };
SSO Fixes.
2020-06-15 09:23:05 +03:00
if (typeof domain.authstrategies.twitter.callbackurl == 'string') { options.callbackURL = domain.authstrategies.twitter.callbackurl; } else { options.callbackURL = url + 'auth-twitter-callback'; }
Improved web app, SSO fixes.
2020-05-27 02:36:17 +03:00
parent.debug('web', 'Adding Twitter SSO with options: ' + JSON.stringify(options));
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
passport.use('twitter-' + domain.id, new TwitterStrategy(options,
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
function (token, tokenSecret, profile, cb) {
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
parent.debug('web', 'Twitter profile: ' + JSON.stringify(profile));
var user = { sid: '~twitter:' + profile.id, name: profile.displayName, strategy: 'twitter' };
More work on OAuth support.
2020-05-14 08:30:59 +03:00
if ((typeof profile.emails == 'object') && (profile.emails[0] != null) && (typeof profile.emails[0].value == 'string')) { user.email = profile.emails[0].value; }
return cb(null, user);
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
}
));
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
obj.app.get(url + 'auth-twitter', function (req, res, next) {
var domain = getDomain(req);
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('twitter-' + domain.id)(req, res, function (err) { console.log('c1', err, req.session); next(); });
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
});
More work on OAuth support.
2020-05-15 01:09:48 +03:00
obj.app.get(url + 'auth-twitter-callback', function (req, res, next) {
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
var domain = getDomain(req);
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (domain.passport == null) { next(); return; }
More work on OAuth support.
2020-05-15 01:09:48 +03:00
if ((Object.keys(req.session).length == 0) && (req.query.nmr == null)) {
// This is an empty session likely due to the 302 redirection, redirect again (this is a bit of a hack).
var url = req.url;
if (url.indexOf('?') >= 0) { url += '&nmr=1'; } else { url += '?nmr=1'; } // Add this to the URL to prevent redirect loop.
res.set('Content-Type', 'text/html');
res.end('<html><head><meta http-equiv="refresh" content=0;url="' + url + '"></head><body></body></html>');
} else {
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('twitter-' + domain.id, { failureRedirect: '/' })(req, res, function (err) { if (err != null) { console.log(err); } next(); });
More work on OAuth support.
2020-05-15 01:09:48 +03:00
}
}, handleStrategyLogin);
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
}
More OAuth work.
2020-05-14 11:41:03 +03:00
// Google
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
if ((typeof domain.authstrategies.google == 'object') && (typeof domain.authstrategies.google.clientid == 'string') && (typeof domain.authstrategies.google.clientsecret == 'string')) {
const GoogleStrategy = require('passport-google-oauth20');
Fixed SSO CallBack URL's
2020-06-10 21:55:30 +03:00
var options = { clientID: domain.authstrategies.google.clientid, clientSecret: domain.authstrategies.google.clientsecret };
SSO Fixes.
2020-06-15 09:23:05 +03:00
if (typeof domain.authstrategies.google.callbackurl == 'string') { options.callbackURL = domain.authstrategies.google.callbackurl; } else { options.callbackURL = url + 'auth-google-callback'; }
Improved web app, SSO fixes.
2020-05-27 02:36:17 +03:00
parent.debug('web', 'Adding Google SSO with options: ' + JSON.stringify(options));
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
passport.use('google-' + domain.id, new GoogleStrategy(options,
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
function (token, tokenSecret, profile, cb) {
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
parent.debug('web', 'Google profile: ' + JSON.stringify(profile));
var user = { sid: '~google:' + profile.id, name: profile.displayName, strategy: 'google' };
More work on OAuth support.
2020-05-14 08:30:59 +03:00
if ((typeof profile.emails == 'object') && (profile.emails[0] != null) && (typeof profile.emails[0].value == 'string') && (profile.emails[0].verified == true)) { user.email = profile.emails[0].value; }
return cb(null, user);
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
}
));
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
obj.app.get(url + 'auth-google', function (req, res, next) {
var domain = getDomain(req);
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('google-' + domain.id, { scope: ['profile', 'email'] })(req, res, next);
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
});
obj.app.get(url + 'auth-google-callback', function (req, res, next) {
var domain = getDomain(req);
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('google-' + domain.id, { failureRedirect: '/' })(req, res, function (err) { if (err != null) { console.log(err); } next(); });
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
}, handleStrategyLogin);
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
}
More OAuth work.
2020-05-14 11:41:03 +03:00
// Github
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
if ((typeof domain.authstrategies.github == 'object') && (typeof domain.authstrategies.github.clientid == 'string') && (typeof domain.authstrategies.github.clientsecret == 'string')) {
const GitHubStrategy = require('passport-github2');
Fixed SSO CallBack URL's
2020-06-10 21:55:30 +03:00
var options = { clientID: domain.authstrategies.github.clientid, clientSecret: domain.authstrategies.github.clientsecret };
SSO Fixes.
2020-06-15 09:23:05 +03:00
if (typeof domain.authstrategies.github.callbackurl == 'string') { options.callbackURL = domain.authstrategies.github.callbackurl; } else { options.callbackURL = url + 'auth-github-callback'; }
Improved web app, SSO fixes.
2020-05-27 02:36:17 +03:00
parent.debug('web', 'Adding Github SSO with options: ' + JSON.stringify(options));
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
passport.use('github-' + domain.id, new GitHubStrategy(options,
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
function (token, tokenSecret, profile, cb) {
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
parent.debug('web', 'Github profile: ' + JSON.stringify(profile));
var user = { sid: '~github:' + profile.id, name: profile.displayName, strategy: 'github' };
More work on OAuth support.
2020-05-14 08:30:59 +03:00
if ((typeof profile.emails == 'object') && (profile.emails[0] != null) && (typeof profile.emails[0].value == 'string')) { user.email = profile.emails[0].value; }
return cb(null, user);
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
}
));
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
obj.app.get(url + 'auth-github', function (req, res, next) {
var domain = getDomain(req);
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('github-' + domain.id, { scope: ['user:email'] })(req, res, next);
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
});
obj.app.get(url + 'auth-github-callback', function (req, res, next) {
var domain = getDomain(req);
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('github-' + domain.id, { failureRedirect: '/' })(req, res, next);
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
}, handleStrategyLogin);
More OAuth work.
2020-05-14 11:41:03 +03:00
}
// Reddit
if ((typeof domain.authstrategies.reddit == 'object') && (typeof domain.authstrategies.reddit.clientid == 'string') && (typeof domain.authstrategies.reddit.clientsecret == 'string')) {
const RedditStrategy = require('passport-reddit');
Fixed SSO CallBack URL's
2020-06-10 21:55:30 +03:00
var options = { clientID: domain.authstrategies.reddit.clientid, clientSecret: domain.authstrategies.reddit.clientsecret };
SSO Fixes.
2020-06-15 09:23:05 +03:00
if (typeof domain.authstrategies.reddit.callbackurl == 'string') { options.callbackURL = domain.authstrategies.reddit.callbackurl; } else { options.callbackURL = url + 'auth-reddit-callback'; }
Improved web app, SSO fixes.
2020-05-27 02:36:17 +03:00
parent.debug('web', 'Adding Reddit SSO with options: ' + JSON.stringify(options));
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
passport.use('reddit-' + domain.id, new RedditStrategy.Strategy(options,
More OAuth work.
2020-05-14 11:41:03 +03:00
function (token, tokenSecret, profile, cb) {
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
parent.debug('web', 'Reddit profile: ' + JSON.stringify(profile));
var user = { sid: '~reddit:' + profile.id, name: profile.name, strategy: 'reddit' };
More OAuth work.
2020-05-14 11:41:03 +03:00
if ((typeof profile.emails == 'object') && (profile.emails[0] != null) && (typeof profile.emails[0].value == 'string')) { user.email = profile.emails[0].value; }
return cb(null, user);
}
));
More work on OAuth support.
2020-05-15 01:09:48 +03:00
obj.app.get(url + 'auth-reddit', function (req, res, next) {
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
var domain = getDomain(req);
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('reddit-' + domain.id, { state: obj.parent.encodeCookie({ 'p': 'reddit' }, obj.parent.loginCookieEncryptionKey), duration: 'permanent' })(req, res, next);
More OAuth work.
2020-05-14 11:41:03 +03:00
});
More work on OAuth support.
2020-05-15 01:09:48 +03:00
obj.app.get(url + 'auth-reddit-callback', function (req, res, next) {
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
var domain = getDomain(req);
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (domain.passport == null) { next(); return; }
More work on OAuth support.
2020-05-15 01:09:48 +03:00
if ((Object.keys(req.session).length == 0) && (req.query.nmr == null)) {
// This is an empty session likely due to the 302 redirection, redirect again (this is a bit of a hack).
var url = req.url;
if (url.indexOf('?') >= 0) { url += '&nmr=1'; } else { url += '?nmr=1'; } // Add this to the URL to prevent redirect loop.
res.set('Content-Type', 'text/html');
res.end('<html><head><meta http-equiv="refresh" content=0;url="' + url + '"></head><body></body></html>');
} else {
SSO Fixes.
2020-06-15 09:23:05 +03:00
if (req.query.state != null) {
var c = obj.parent.decodeCookie(req.query.state, obj.parent.loginCookieEncryptionKey, 10); // 10 minute timeout
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
if ((c != null) && (c.p == 'reddit')) { domain.passport.authenticate('reddit-' + domain.id, { failureRedirect: '/' })(req, res, next); return; }
More OAuth work.
2020-05-14 11:41:03 +03:00
}
SSO Fixes.
2020-06-15 09:23:05 +03:00
next();
More work on OAuth support.
2020-05-15 01:09:48 +03:00
}
}, handleStrategyLogin);
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
}
Started work on added JumpCloud support.
2020-05-20 05:02:27 +03:00
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
// Azure
if ((typeof domain.authstrategies.azure == 'object') && (typeof domain.authstrategies.azure.clientid == 'string') && (typeof domain.authstrategies.azure.clientsecret == 'string')) {
const AzureOAuth2Strategy = require('passport-azure-oauth2');
Fixed SSO CallBack URL's
2020-06-10 21:55:30 +03:00
var options = { clientID: domain.authstrategies.azure.clientid, clientSecret: domain.authstrategies.azure.clientsecret, tenant: domain.authstrategies.azure.tenantid };
SSO Fixes.
2020-06-15 09:23:05 +03:00
if (typeof domain.authstrategies.azure.callbackurl == 'string') { options.callbackURL = domain.authstrategies.azure.callbackurl; } else { options.callbackURL = url + 'auth-azure-callback'; }
Improved web app, SSO fixes.
2020-05-27 02:36:17 +03:00
parent.debug('web', 'Adding Azure SSO with options: ' + JSON.stringify(options));
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
passport.use('azure-' + domain.id, new AzureOAuth2Strategy(options,
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
function (accessToken, refreshtoken, params, profile, done) {
var userex = null;
try { userex = require('jwt-simple').decode(params.id_token, "", true); } catch (ex) { }
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
parent.debug('web', 'Azure profile: ' + JSON.stringify(userex));
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
var user = null;
if (userex != null) {
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
var user = { sid: '~azure:' + userex.unique_name, name: userex.name, strategy: 'azure' };
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (typeof userex.email == 'string') { user.email = userex.email; }
}
return done(null, user);
}
));
obj.app.get(url + 'auth-azure', function (req, res, next) {
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
var domain = getDomain(req);
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('azure-' + domain.id, { state: obj.parent.encodeCookie({ 'p': 'azure' }, obj.parent.loginCookieEncryptionKey) })(req, res, next);
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
});
obj.app.get(url + 'auth-azure-callback', function (req, res, next) {
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
var domain = getDomain(req);
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (domain.passport == null) { next(); return; }
if ((Object.keys(req.session).length == 0) && (req.query.nmr == null)) {
// This is an empty session likely due to the 302 redirection, redirect again (this is a bit of a hack).
var url = req.url;
if (url.indexOf('?') >= 0) { url += '&nmr=1'; } else { url += '?nmr=1'; } // Add this to the URL to prevent redirect loop.
res.set('Content-Type', 'text/html');
res.end('<html><head><meta http-equiv="refresh" content=0;url="' + url + '"></head><body></body></html>');
} else {
SSO Fixes.
2020-06-15 09:23:05 +03:00
if (req.query.state != null) {
var c = obj.parent.decodeCookie(req.query.state, obj.parent.loginCookieEncryptionKey, 10); // 10 minute timeout
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
if ((c != null) && (c.p == 'azure')) { domain.passport.authenticate('azure-' + domain.id, { failureRedirect: '/' })(req, res, next); return; }
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
}
SSO Fixes.
2020-06-15 09:23:05 +03:00
next();
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
}
}, handleStrategyLogin);
}
implemented passport-openidconnect used passport-openidconnect to get login 90% working, i get as far as the oidc host sending me back to mesh central with a good auth but i dont get logged in, still testing
2022-04-06 19:40:42 +03:00
// passport-openidconnect example code
/* var OpenIDConnectStrategy = require('passport-openidconnect');
passport.use(new OpenIDConnectStrategy({
issuer: 'https://server.example.com',
authorizationURL: 'https://server.example.com/authorize',
tokenURL: 'https://server.example.com/token',
userInfoURL: 'https://server.example.com/userinfo',
clientID: process.env['CLIENT_ID'],
clientSecret: process.env['CLIENT_SECRET'],
callbackURL: 'https://client.example.org/cb'
)); */
// Generic OpenID Connect
if ((typeof domain.authstrategies.oidc == 'object') && (typeof domain.authstrategies.oidc.clientid == 'string') && (typeof domain.authstrategies.oidc.clientsecret == 'string') && (typeof domain.authstrategies.oidc.issuer == 'string')) {
var options = {
authorizationURL: domain.authstrategies.oidc.authorizationurl,
callbackURL: domain.authstrategies.oidc.callbackurl,
clientID: domain.authstrategies.oidc.clientid,
clientSecret: domain.authstrategies.oidc.clientsecret,
issuer: domain.authstrategies.oidc.issuer,
tokenURL: domain.authstrategies.oidc.tokenurl,
userInfoURL: domain.authstrategies.oidc.userinfourl,
scope: [ 'openid email profile' ],
state: true
};
const OIDCStrategy = require('passport-openidconnect');
if (typeof domain.authstrategies.oidc.callbackurl == 'string') { options.callbackURL = domain.authstrategies.oidc.callbackurl; } else { options.callbackURL = url + 'oidc-callback'; }
parent.debug('web', 'Adding Generic OIDC SSO with options: ' + JSON.stringify(options));
passport.use('oidc-' + domain.id, new OIDCStrategy(options,
function (accessToken, refreshtoken, params, profile, done) {
var userex = null;
try { userex = require('jwt-simple').decode(params.id_token, "", true); } catch (ex) { }
parent.debug('web', 'OpenID Connect profile: ' + JSON.stringify(userex));
var user = null;
if (userex != null) {
var user = { sid: '~oidc:' + userex.unique_name, name: userex.name, strategy: 'oidc' };
if (typeof userex.email == 'string') { user.email = userex.email; }
}
return done(null, user);
}
));
/* passport.use('oidc-' + domain.id, new OIDCStrategy.Strategy(options,
function (authorization_code, refresh_token, profile, cb) {
parent.debug('web', 'OIDC profile: ' + JSON.stringify(profile));
var user = { sid: '~oidc:' + profile.id, name: profile.displayName, strategy: 'oidc' };
if ((typeof profile.emails == 'object') && (profile.emails[0] != null) && (typeof profile.emails[0].value == 'string')) { user.email = profile.emails[0].value; }
return cb(null, user);
}
)); */
obj.app.get(url + 'auth-oidc', function (req, res, next) {
var domain = getDomain(req);
if (domain.passport == null) { next(); return; }
domain.passport.authenticate('oidc-' + domain.id, { scope: 'openid email profile', state: obj.parent.encodeCookie({ 'p': 'azure' }, obj.parent.loginCookieEncryptionKey) })(req, res, next);
});
obj.app.get(url + 'oidc-callback', function (req, res, next) {
var domain = getDomain(req);
if (domain.passport == null) { next(); return; }
if ((Object.keys(req.session).length == 0) && (req.query.nmr == null)) {
// This is an empty session likely due to the 302 redirection, redirect again (this is a bit of a hack).
var url = req.url;
if (url.indexOf('?') >= 0) { url += '&nmr=1'; } else { url += '?nmr=1'; } // Add this to the URL to prevent redirect loop.
res.set('Content-Type', 'text/html');
res.end('<html><head><meta http-equiv="refresh" content=0;url="' + url + '"></head><body></body></html>');
} else {
if (req.query.state != null) {
var c = obj.parent.decodeCookie(req.query.state, obj.parent.loginCookieEncryptionKey, 10); // 10 minute timeout
if ((c != null) && (c.p == 'oidc')) { domain.passport.authenticate('oidc-' + domain.id, { failureRedirect: '/' })(req, res, next); return; }
}
next();
}
}, handleStrategyLogin);
}
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
// Generic SAML
if (typeof domain.authstrategies.saml == 'object') {
if ((typeof domain.authstrategies.saml.cert != 'string') || (typeof domain.authstrategies.saml.idpurl != 'string')) {
console.log('ERROR: Missing SAML configuration.');
} else {
Fix for #2989 server crash due to #2986.
2021-08-05 18:43:41 +03:00
const certPath = obj.common.joinPath(obj.parent.datapath, domain.authstrategies.saml.cert);
Handle all configured paths as potentially absolute
2021-07-29 17:38:44 +03:00
var cert = obj.fs.readFileSync(certPath);
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
if (cert == null) {
console.log('ERROR: Unable to read SAML IdP certificate: ' + domain.authstrategies.saml.cert);
} else {
Fixed SSO CallBack URL's
2020-06-10 21:55:30 +03:00
var options = { entryPoint: domain.authstrategies.saml.idpurl, issuer: 'meshcentral' };
Fix setting of callbackUrl on generic SAML
2021-10-27 12:42:08 +03:00
if (typeof domain.authstrategies.saml.callbackurl == 'string') { options.callbackUrl = domain.authstrategies.saml.callbackurl; } else { options.callbackUrl = url + 'auth-saml-callback'; }
Added SAML disableRequestedAuthnContext
2020-05-29 03:03:40 +03:00
if (domain.authstrategies.saml.disablerequestedauthncontext != null) { options.disableRequestedAuthnContext = domain.authstrategies.saml.disablerequestedauthncontext; }
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
if (typeof domain.authstrategies.saml.entityid == 'string') { options.issuer = domain.authstrategies.saml.entityid; }
Minor authStrategy logging fix.
2021-11-24 23:54:12 +03:00
parent.debug('web', 'Adding SAML SSO with options: ' + JSON.stringify(options));
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
options.cert = cert.toString().split('-----BEGIN CERTIFICATE-----').join('').split('-----END CERTIFICATE-----').join('');
const SamlStrategy = require('passport-saml').Strategy;
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
passport.use('saml-' + domain.id, new SamlStrategy(options,
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
function (profile, done) {
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
parent.debug('web', 'SAML profile: ' + JSON.stringify(profile));
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
if (typeof profile.nameID != 'string') { return done(); }
Fixed SAML issuer problem.
2020-05-25 10:09:35 +03:00
var user = { sid: '~saml:' + profile.nameID, name: profile.nameID, strategy: 'saml' };
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
if ((typeof profile.firstname == 'string') && (typeof profile.lastname == 'string')) { user.name = profile.firstname + ' ' + profile.lastname; }
if (typeof profile.email == 'string') { user.email = profile.email; }
return done(null, user);
}
));
obj.app.get(url + 'auth-saml', function (req, res, next) {
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
var domain = getDomain(req);
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('saml-' + domain.id, { failureRedirect: '/', failureFlash: true })(req, res, next);
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
});
obj.app.post(url + 'auth-saml-callback', function (req, res, next) {
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
var domain = getDomain(req);
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('saml-' + domain.id, { failureRedirect: '/', failureFlash: true })(req, res, next);
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
}, handleStrategyLogin);
}
}
}
New MeshAgents on all platforms.
2020-05-21 10:25:35 +03:00
// Intel SAML
if (typeof domain.authstrategies.intel == 'object') {
if ((typeof domain.authstrategies.intel.cert != 'string') || (typeof domain.authstrategies.intel.idpurl != 'string')) {
console.log('ERROR: Missing Intel SAML configuration.');
} else {
Handle all configured paths as potentially absolute
2021-07-29 17:38:44 +03:00
var cert = obj.fs.readFileSync(obj.common.joinPath(obj.parent.datapath, domain.authstrategies.intel.cert));
New MeshAgents on all platforms.
2020-05-21 10:25:35 +03:00
if (cert == null) {
console.log('ERROR: Unable to read Intel SAML IdP certificate: ' + domain.authstrategies.intel.cert);
} else {
Fixed SSO CallBack URL's
2020-06-10 21:55:30 +03:00
var options = { entryPoint: domain.authstrategies.intel.idpurl, issuer: 'meshcentral' };
SSO Fixes.
2020-06-15 09:23:05 +03:00
if (typeof domain.authstrategies.intel.callbackurl == 'string') { options.callbackUrl = domain.authstrategies.intel.callbackurl; } else { options.callbackUrl = url + 'auth-intel-callback'; }
Added newAccountsRights to SSO strategies
2020-05-29 04:04:30 +03:00
if (domain.authstrategies.intel.disablerequestedauthncontext != null) { options.disableRequestedAuthnContext = domain.authstrategies.intel.disablerequestedauthncontext; }
New MeshAgents on all platforms.
2020-05-21 10:25:35 +03:00
if (typeof domain.authstrategies.intel.entityid == 'string') { options.issuer = domain.authstrategies.intel.entityid; }
Minor authStrategy logging fix.
2021-11-24 23:54:12 +03:00
parent.debug('web', 'Adding Intel SSO with options: ' + JSON.stringify(options));
New MeshAgents on all platforms.
2020-05-21 10:25:35 +03:00
options.cert = cert.toString().split('-----BEGIN CERTIFICATE-----').join('').split('-----END CERTIFICATE-----').join('');
const SamlStrategy = require('passport-saml').Strategy;
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
passport.use('isaml-' + domain.id, new SamlStrategy(options,
New MeshAgents on all platforms.
2020-05-21 10:25:35 +03:00
function (profile, done) {
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
parent.debug('web', 'Intel profile: ' + JSON.stringify(profile));
New MeshAgents on all platforms.
2020-05-21 10:25:35 +03:00
if (typeof profile.nameID != 'string') { return done(); }
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
var user = { sid: '~intel:' + profile.nameID, name: profile.nameID, strategy: 'intel' };
New MeshAgents on all platforms.
2020-05-21 10:25:35 +03:00
if ((typeof profile.firstname == 'string') && (typeof profile.lastname == 'string')) { user.name = profile.firstname + ' ' + profile.lastname; }
Fixes to Intel SSO
2020-05-21 11:29:06 +03:00
else if ((typeof profile.FirstName == 'string') && (typeof profile.LastName == 'string')) { user.name = profile.FirstName + ' ' + profile.LastName; }
New MeshAgents on all platforms.
2020-05-21 10:25:35 +03:00
if (typeof profile.email == 'string') { user.email = profile.email; }
Fixes to Intel SSO
2020-05-21 11:29:06 +03:00
else if (typeof profile.EmailAddress == 'string') { user.email = profile.EmailAddress; }
New MeshAgents on all platforms.
2020-05-21 10:25:35 +03:00
return done(null, user);
}
));
obj.app.get(url + 'auth-intel', function (req, res, next) {
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
var domain = getDomain(req);
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('isaml-' + domain.id, { failureRedirect: '/', failureFlash: true })(req, res, next);
New MeshAgents on all platforms.
2020-05-21 10:25:35 +03:00
});
obj.app.post(url + 'auth-intel-callback', function (req, res, next) {
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
var domain = getDomain(req);
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('isaml-' + domain.id, { failureRedirect: '/', failureFlash: true })(req, res, next);
New MeshAgents on all platforms.
2020-05-21 10:25:35 +03:00
}, handleStrategyLogin);
}
}
}
// JumpCloud SAML
Started work on added JumpCloud support.
2020-05-20 05:02:27 +03:00
if (typeof domain.authstrategies.jumpcloud == 'object') {
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
if ((typeof domain.authstrategies.jumpcloud.cert != 'string') || (typeof domain.authstrategies.jumpcloud.idpurl != 'string')) {
New MeshAgents on all platforms.
2020-05-21 10:25:35 +03:00
console.log('ERROR: Missing JumpCloud SAML configuration.');
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
} else {
Fix for #2989 server crash due to #2986.
2021-08-05 18:43:41 +03:00
var cert = obj.fs.readFileSync(obj.common.joinPath(obj.parent.datapath, domain.authstrategies.jumpcloud.cert));
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
if (cert == null) {
console.log('ERROR: Unable to read JumpCloud IdP certificate: ' + domain.authstrategies.jumpcloud.cert);
} else {
Fixed SSO CallBack URL's
2020-06-10 21:55:30 +03:00
var options = { entryPoint: domain.authstrategies.jumpcloud.idpurl, issuer: 'meshcentral' };
SSO Fixes.
2020-06-15 09:23:05 +03:00
if (typeof domain.authstrategies.jumpcloud.callbackurl == 'string') { options.callbackUrl = domain.authstrategies.jumpcloud.callbackurl; } else { options.callbackUrl = url + 'auth-jumpcloud-callback'; }
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
if (typeof domain.authstrategies.jumpcloud.entityid == 'string') { options.issuer = domain.authstrategies.jumpcloud.entityid; }
Minor authStrategy logging fix.
2021-11-24 23:54:12 +03:00
parent.debug('web', 'Adding JumpCloud SSO with options: ' + JSON.stringify(options));
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
options.cert = cert.toString().split('-----BEGIN CERTIFICATE-----').join('').split('-----END CERTIFICATE-----').join('');
const SamlStrategy = require('passport-saml').Strategy;
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
passport.use('jumpcloud-' + domain.id, new SamlStrategy(options,
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
function (profile, done) {
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
parent.debug('web', 'JumpCloud profile: ' + JSON.stringify(profile));
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
if (typeof profile.nameID != 'string') { return done(); }
More multi-domain single sign-on fixes.
2020-05-25 09:22:49 +03:00
var user = { sid: '~jumpcloud:' + profile.nameID, name: profile.nameID, strategy: 'jumpcloud' };
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
if ((typeof profile.firstname == 'string') && (typeof profile.lastname == 'string')) { user.name = profile.firstname + ' ' + profile.lastname; }
if (typeof profile.email == 'string') { user.email = profile.email; }
return done(null, user);
}
));
obj.app.get(url + 'auth-jumpcloud', function (req, res, next) {
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
var domain = getDomain(req);
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('jumpcloud-' + domain.id, { failureRedirect: '/', failureFlash: true })(req, res, next);
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
});
obj.app.post(url + 'auth-jumpcloud-callback', function (req, res, next) {
Fixed OAuth/SAML when used in multi-domain.
2020-05-25 08:05:18 +03:00
var domain = getDomain(req);
Added support for Azure Active Directory.
2020-05-24 10:04:49 +03:00
if (domain.passport == null) { next(); return; }
Fixed authStrategies with multiple domains.
2021-11-25 00:32:48 +03:00
domain.passport.authenticate('jumpcloud-' + domain.id, { failureRedirect: '/', failureFlash: true })(req, res, next);
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
}, handleStrategyLogin);
Started work on added JumpCloud support.
2020-05-20 05:02:27 +03:00
}
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
}
Started work on added JumpCloud support.
2020-05-20 05:02:27 +03:00
}
Added SAML, JumpCloud support.
2020-05-20 10:39:17 +03:00
Started work on OAuth support.
2020-05-14 06:49:58 +03:00
}
Added server redirection and unlimited invite URL's.
2019-06-07 20:20:54 +03:00
// Server redirects
Peering fixes, 404 page, new desktop special keys.
2019-08-13 00:58:06 +03:00
if (parent.config.domains[i].redirects) { for (var j in parent.config.domains[i].redirects) { if (j[0] != '_') { obj.app.get(url + j, obj.handleDomainRedirect); } } }
Added server redirection and unlimited invite URL's.
2019-06-07 20:20:54 +03:00
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
// Server picture
obj.app.get(url + 'serverpic.ashx', function (req, res) {
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
// Check if we have "server.jpg" in the data folder, if so, use that.
Improved night mode in web app.
2019-05-12 00:02:42 +03:00
if ((parent.configurationFiles != null) && (parent.configurationFiles['server.png'] != null)) {
res.set({ 'Content-Type': 'image/png' });
res.send(parent.configurationFiles['server.png']);
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
} else {
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
// Check if we have "server.jpg" in the data folder, if so, use that.
Improved night mode in web app.
2019-05-12 00:02:42 +03:00
var p = obj.path.join(obj.parent.datapath, 'server.png');
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
if (obj.fs.existsSync(p)) {
// Use the data folder server picture
Rebranding fixes
2019-09-15 22:47:59 +03:00
try { res.sendFile(p); } catch (ex) { res.sendStatus(404); }
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
} else {
Added support for per-domain web folder.
2020-03-25 23:21:14 +03:00
var domain = getDomain(req);
if ((domain != null) && (domain.webpublicpath != null) && (obj.fs.existsSync(obj.path.join(domain.webpublicpath, 'images/server-256.png')))) {
// Use the domain server picture
try { res.sendFile(obj.path.join(domain.webpublicpath, 'images/server-256.png')); } catch (ex) { res.sendStatus(404); }
} else if (parent.webPublicOverridePath && obj.fs.existsSync(obj.path.join(obj.parent.webPublicOverridePath, 'images/server-256.png'))) {
Rebranding fixes
2019-09-15 22:47:59 +03:00
// Use the override server picture
try { res.sendFile(obj.path.join(obj.parent.webPublicOverridePath, 'images/server-256.png')); } catch (ex) { res.sendStatus(404); }
} else {
// Use the default server picture
try { res.sendFile(obj.path.join(obj.parent.webPublicPath, 'images/server-256.png')); } catch (ex) { res.sendStatus(404); }
}
Added first support for running state-less.
2019-02-03 01:54:36 +03:00
}
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
}
});
Initial main commit
2017-08-28 19:27:45 +03:00
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
// Receive mesh agent connections
obj.app.ws(url + 'agent.ashx', function (ws, req) {
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-31 00:43:42 +03:00
var domain = checkAgentIpAddress(ws, req);
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (domain == null) { parent.debug('web', 'Got agent connection with bad domain or blocked IP address ' + req.clientIp + ', holding.'); return; }
Added AgentKey support, #3468
2022-01-17 00:59:14 +03:00
if (domain.agentkey && ((req.query.key == null) || (domain.agentkey.indexOf(req.query.key) == -1))) { return; } // If agent key is required and not provided or not valid, just hold the websocket and do nothing.
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
//console.log('Agent connect: ' + req.clientIp);
Updates agents, added agent no proxy support and agent IP allow/block.
2019-01-31 00:43:42 +03:00
try { obj.meshAgentHandler.CreateMeshAgent(obj, obj.db, ws, req, obj.args, domain); } catch (e) { console.log(e); }
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
});
Made MQTT optional.
2019-10-04 22:18:56 +03:00
// Setup MQTT broker over websocket
if (obj.parent.mqttbroker != null) {
obj.app.ws(url + 'mqtt.ashx', function (ws, req) {
More MQTT improvements
2019-10-05 03:24:30 +03:00
var domain = checkAgentIpAddress(ws, req);
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (domain == null) { parent.debug('web', 'Got agent connection with bad domain or blocked IP address ' + req.clientIp + ', holding.'); return; }
More MQTT improvements
2019-10-05 03:24:30 +03:00
var serialtunnel = SerialTunnel();
serialtunnel.xtransport = 'ws';
serialtunnel.xdomain = domain;
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
serialtunnel.xip = req.clientIp;
More MQTT improvements
2019-10-05 03:24:30 +03:00
ws.on('message', function (b) { serialtunnel.updateBuffer(Buffer.from(b, 'binary')) });
Removed 1h cache, back to etag.
2019-12-21 01:50:06 +03:00
serialtunnel.forwardwrite = function (b) { ws.send(b, 'binary') }
ws.on('close', function () { serialtunnel.emit('end'); });
More MQTT improvements
2019-10-05 03:24:30 +03:00
obj.parent.mqttbroker.handle(serialtunnel); // Pass socket wrapper to MQTT broker
Made MQTT optional.
2019-10-04 22:18:56 +03:00
});
}
Added MQTT support over WSS and multiplexed with MPS
2019-10-03 03:57:18 +03:00
Added .well-known support.
2020-12-22 10:25:30 +03:00
// Setup any .well-known folders
var p = obj.parent.path.join(obj.parent.datapath, '.well-known' + ((parent.config.domains[i].id == '') ? '' : ('-' + parent.config.domains[i].id)));
if (obj.parent.fs.existsSync(p)) { obj.app.use(url + '.well-known', obj.express.static(p)); }
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
// Setup the alternative agent-only port
Many updates to how agents connect, agent cert checking and tls on agent port.
2020-05-22 22:54:22 +03:00
if (obj.agentapp) {
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
// Receive mesh agent connections on alternate port
obj.agentapp.ws(url + 'agent.ashx', function (ws, req) {
var domain = checkAgentIpAddress(ws, req);
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (domain == null) { parent.debug('web', 'Got agent connection with bad domain or blocked IP address ' + req.clientIp + ', holding.'); return; }
Include agentKey check at agent only port
2022-01-18 17:21:09 +03:00
if (domain.agentkey && ((req.query.key == null) || (domain.agentkey.indexOf(req.query.key) == -1))) { return; } // If agent key is required and not provided or not valid, just hold the websocket and do nothing.
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
try { obj.meshAgentHandler.CreateMeshAgent(obj, obj.db, ws, req, obj.args, domain); } catch (e) { console.log(e); }
});
// Setup mesh relay on alternative agent-only port
obj.agentapp.ws(url + 'meshrelay.ashx', function (ws, req) {
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
PerformWSSessionAuth(ws, req, true, function (ws1, req1, domain, user, cookie, authData) {
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
if (((parent.config.settings.desktopmultiplex === true) || (domain.desktopmultiplex === true)) && (req.query.p == 2)) {
obj.meshDesktopMultiplexHandler.CreateMeshRelay(obj, ws1, req1, domain, user, cookie); // Desktop multiplexor 1-to-n
} else {
obj.meshRelayHandler.CreateMeshRelay(obj, ws1, req1, domain, user, cookie); // Normal relay 1-to-1
}
});
});
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
First version of alternate style login page.
2020-09-01 21:51:06 +03:00
// Allows agents to transfer files
obj.agentapp.ws(url + 'devicefile.ashx', function (ws, req) { obj.meshDeviceFileHandler.CreateMeshDeviceFile(obj, ws, null, req, domain); });
Added auto agent crash dump server upload option.
2020-07-08 09:56:08 +03:00
// Setup agent to/from server file transfer handler
obj.agentapp.ws(url + 'agenttransfer.ashx', handleAgentFileTransfer); // Setup agent to/from server file transfer handler
Fixed meshcore agent update when used with AgentPort.
2021-01-29 02:49:42 +03:00
// Setup agent downloads for meshcore updates
obj.agentapp.get(url + 'meshagents', obj.handleMeshAgentRequest);
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
}
Improved meshcentral-web customization support.
2019-08-25 21:08:32 +03:00
// Indicates to ExpressJS that the override public folder should be used to serve static files.
Added support for per-domain web folder.
2020-03-25 23:21:14 +03:00
if (parent.config.domains[i].webpublicpath != null) {
// Use domain public path
obj.app.use(url, obj.express.static(parent.config.domains[i].webpublicpath));
} else if (obj.parent.webPublicOverridePath != null) {
// Use override path
obj.app.use(url, obj.express.static(obj.parent.webPublicOverridePath));
}
Improved meshcentral-web customization support.
2019-08-25 21:08:32 +03:00
// Indicates to ExpressJS that the default public folder should be used to serve static files.
Removed 1h cache, back to etag.
2019-12-21 01:50:06 +03:00
obj.app.use(url, obj.express.static(obj.parent.webPublicPath));
Added agent trouble detection on the server.
2019-01-23 06:34:55 +03:00
// Start regular disconnection list flush every 2 minutes.
obj.wsagentsDisconnectionsTimer = setInterval(function () { obj.wsagentsDisconnections = {}; }, 120000);
Fixed database and webserver race condition.
2019-01-23 02:40:08 +03:00
}
Fixed 404 page, file uploads, sub-domain support.
2019-08-23 02:39:50 +03:00
// Handle 404 error
if (obj.args.nice404 !== false) {
obj.app.use(function (req, res, next) {
parent.debug('web', '404 Error ' + req.url);
var domain = getDomain(req);
Fixed TouchID on mobile, 404 page when using loginkey.
2020-02-27 23:55:14 +03:00
if ((domain == null) || (domain.auth == 'sspi')) { res.sendStatus(404); return; }
Improved 404 pages to support tight Content-Security-Policy HTTP headers.
2022-01-10 12:26:45 +03:00
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL
const cspNonce = obj.crypto.randomBytes(15).toString('base64');
Improved MongoDB indexes.
2022-01-10 23:25:31 +03:00
res.set({ 'Content-Security-Policy': "default-src 'none'; script-src 'self' 'nonce-" + cspNonce + "'; img-src 'self'; style-src 'self' 'nonce-" + cspNonce + "';" }); // This page supports very tight CSP policy
Improved 404 pages to support tight Content-Security-Policy HTTP headers.
2022-01-10 12:26:45 +03:00
res.status(404).render(getRenderPage((domain.sitestyle == 2) ? 'error4042' : 'error404', req, domain), getRenderArgs({ cspNonce: cspNonce }, req, domain));
Fixed 404 page, file uploads, sub-domain support.
2019-08-23 02:39:50 +03:00
});
}
Made MQTT optional.
2019-10-04 22:18:56 +03:00
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
// Start server on a free port.
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
CheckListenPort(obj.args.port, obj.args.portbind, StartWebServer);
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
// Start on a second agent-only alternative port if needed.
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
if (obj.args.agentport) { CheckListenPort(obj.args.agentport, obj.args.agentportbind, StartAltWebServer); }
Early work on IP KVM integration.
2021-12-03 07:20:37 +03:00
// We are done starting the web server.
if (doneFunc) doneFunc();
Initial main commit
2017-08-28 19:27:45 +03:00
}
Added support for user inner server authentication.
2021-04-03 03:20:36 +03:00
// Perform server inner authentication
// This is a type of server authentication where the client will open the socket regardless of the TLS certificate and request that the server
// sign a client nonce with the server agent cert and return the response. Only after that will the client send the client authentication username
// and password or authentication cookie.
function PerformWSSessionInnerAuth(ws, req, domain, func) {
// When data is received from the web socket
ws.on('message', function (data) {
var command;
try { command = JSON.parse(data.toString('utf8')); } catch (e) { return; }
if (obj.common.validateString(command.action, 3, 32) == false) return; // Action must be a string between 3 and 32 chars
switch (command.action) {
case 'serverAuth': { // This command is used to perform server "inner" authentication.
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
// Check the client nonce and TLS hash
if ((obj.common.validateString(command.cnonce, 1, 256) == false) || (obj.common.validateString(command.tlshash, 1, 512) == false)) {
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'badargs' })); } catch (ex) { }
try { ws.close(); } catch (ex) { }
break;
}
Added support for user inner server authentication.
2021-04-03 03:20:36 +03:00
// Check that the TLS hash is an acceptable one.
var h = Buffer.from(command.tlshash, 'hex').toString('binary');
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
if ((obj.webCertificateHashs[domain.id] != h) && (obj.webCertificateFullHashs[domain.id] != h) && (obj.defaultWebCertificateHash != h) && (obj.defaultWebCertificateFullHash != h)) {
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'badtlscert' })); } catch (ex) { }
try { ws.close(); } catch (ex) { }
return;
}
Added support for user inner server authentication.
2021-04-03 03:20:36 +03:00
// TLS hash check is a success, sign the request.
// Perform the hash signature using the server agent certificate
var nonce = obj.crypto.randomBytes(48);
var signData = Buffer.from(command.cnonce, 'base64').toString('binary') + h + nonce.toString('binary'); // Client Nonce + TLS Hash + Server Nonce
parent.certificateOperations.acceleratorPerformSignature(0, signData, null, function (tag, signature) {
// Send back our certificate + nonce + signature
ws.send(JSON.stringify({ 'action': 'serverAuth', 'cert': Buffer.from(obj.agentCertificateAsn1, 'binary').toString('base64'), 'nonce': nonce.toString('base64'), 'signature': Buffer.from(signature, 'binary').toString('base64') }));
});
break;
}
case 'userAuth': { // This command is used to perform user authentication.
// Check username and password authentication
if ((typeof command.username == 'string') && (typeof command.password == 'string')) {
More work on login tokens.
2021-04-16 22:42:54 +03:00
obj.authenticate(Buffer.from(command.username, 'base64').toString(), Buffer.from(command.password, 'base64').toString(), domain, function (err, userid, passhint, loginOptions) {
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
if ((err != null) || (userid == null)) {
// Invalid authentication
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-2c' })); } catch (ex) { }
try { ws.close(); } catch (ex) { }
} else {
var user = obj.users[userid];
if ((err == null) && (user)) {
// Check if a 2nd factor is needed
Added option to turn off reset account on login screen.
2022-02-04 18:29:18 +03:00
const emailcheck = ((domain.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true) && (domain.auth != 'sspi') && (domain.auth != 'ldap'))
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
// See if we support two-factor trusted cookies
var twoFactorCookieDays = 30;
if (typeof domain.twofactorcookiedurationdays == 'number') { twoFactorCookieDays = domain.twofactorcookiedurationdays; }
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
// Check if two factor can be skipped
const twoFactorSkip = checkUserOneTimePasswordSkip(domain, user, req, loginOptions);
if ((twoFactorSkip == null) && (checkUserOneTimePasswordRequired(domain, user, req, loginOptions) == true)) {
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
// Figure out if email 2FA is allowed
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.otpekey != null));
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
//var push2fa = ((parent.firebase != null) && (user.otpdev != null));
if ((typeof command.token != 'string') || (command.token == '**email**') || (command.token == '**sms**')/* || (command.token == '**push**')*/) {
if ((command.token == '**email**') && (email2fa == true)) {
// Cause a token to be sent to the user's registered email
user.otpekey = { k: obj.common.zeroPad(getRandomEightDigitInteger(), 8), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA email to: ' + user.email);
domain.mailserver.sendAccountLoginMail(domain, user.email, user.otpekey.k, obj.getLanguageCodes(req), req.query.key);
// Ask for a login token & confirm email was sent
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, email2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
} else if ((command.token == '**sms**') && (sms2fa == true)) {
// Cause a token to be sent to the user's phone number
user.otpsms = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA SMS to: ' + user.phone);
parent.smsserver.sendToken(domain, user.phone, user.otpsms.k, obj.getLanguageCodes(req));
// Ask for a login token & confirm sms was sent
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, sms2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
/*
} else if ((command.token == '**push**') && (push2fa == true)) {
// Cause push notification to device
const code = Buffer.from(obj.common.zeroPad(getRandomSixDigitInteger(), 6)).toString('base64');
const authCookie = parent.encodeCookie({ a: 'checkAuth', c: code, u: user._id, n: user.otpdev });
var payload = { notification: { title: "MeshCentral", body: user.name + " authentication" }, data: { url: '2fa://auth?code=' + code + '&c=' + authCookie } };
var options = { priority: 'High', timeToLive: 60 }; // TTL: 1 minute
parent.firebase.sendToDevice(user.otpdev, payload, options, function (id, err, errdesc) {
if (err == null) { parent.debug('email', 'Successfully auth check send push message to device'); } else { parent.debug('email', 'Failed auth check push message to device, error: ' + errdesc); }
});
*/
Added support for user inner server authentication.
2021-04-03 03:20:36 +03:00
} else {
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
// Ask for a login token
parent.debug('web', 'Asking for login token');
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (ex) { console.log(ex); }
}
} else {
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
checkUserOneTimePassword(req, domain, user, command.token, null, function (result, authData) {
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
if (result == false) {
// Failed, ask for a login token again
parent.debug('web', 'Invalid login token, asking again');
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
Added support for user inner server authentication.
2021-04-03 03:20:36 +03:00
} else {
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
// We are authenticated with 2nd factor.
// Check email verification
Fix for login token with SSO, #3293
2021-11-25 21:09:11 +03:00
if (emailcheck && (user.email != null) && (!(user._id.split('/')[2].startsWith('~'))) && (user.emailVerified !== true)) {
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
parent.debug('web', 'Invalid login, asking for email validation');
try { ws.send(JSON.stringify({ action: 'close', cause: 'emailvalidation', msg: 'emailvalidationrequired', email2fa: email2fa, sms2fa: sms2fa, email2fasent: true })); ws.close(); } catch (e) { }
} else {
// We are authenticated
ws._socket.pause();
ws.removeAllListeners(['message', 'close', 'error']);
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
func(ws, req, domain, user, authData);
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
}
Added support for user inner server authentication.
2021-04-03 03:20:36 +03:00
}
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
});
}
Added support for user inner server authentication.
2021-04-03 03:20:36 +03:00
} else {
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
// Check email verification
Fix for login token with SSO, #3293
2021-11-25 21:09:11 +03:00
if (emailcheck && (user.email != null) && (!(user._id.split('/')[2].startsWith('~'))) && (user.emailVerified !== true)) {
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
parent.debug('web', 'Invalid login, asking for email validation');
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.otpekey != null));
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
try { ws.send(JSON.stringify({ action: 'close', cause: 'emailvalidation', msg: 'emailvalidationrequired', email2fa: email2fa, sms2fa: sms2fa, email2fasent: true })); ws.close(); } catch (e) { }
} else {
// We are authenticated
ws._socket.pause();
ws.removeAllListeners(['message', 'close', 'error']);
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
func(ws, req, domain, user, twoFactorSkip);
Improved MeshCmd error messages.
2021-05-26 08:30:33 +03:00
}
Added support for user inner server authentication.
2021-04-03 03:20:36 +03:00
}
}
}
});
} else {
// Invalid authentication
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-2c' })); } catch (ex) { }
try { ws.close(); } catch (ex) { }
}
break;
}
}
});
// If error, do nothing
ws.on('error', function (err) { try { ws.close(); } catch (e) { console.log(e); } });
// If the web socket is closed
ws.on('close', function (req) { try { ws.close(); } catch (e) { console.log(e); } });
// Resume the socket to perform inner authentication
try { ws._socket.resume(); } catch (ex) { }
}
Allows MeshCommander to relay thru MeshCentral.
2018-10-14 02:04:04 +03:00
// Authenticates a session and forwards
Fixed a ClickOnce exception
2018-10-16 03:51:03 +03:00
function PerformWSSessionAuth(ws, req, noAuthOk, func) {
Completed login token support.
2021-04-17 04:55:03 +03:00
// Check if the session expired
if ((req.session != null) && (typeof req.session.expire == 'number') && (req.session.expire <= Date.now())) {
parent.debug('web', 'WSERROR: Session expired.'); try { ws.send(JSON.stringify({ action: 'close', cause: 'expired', msg: 'expired-1' })); ws.close(); } catch (e) { } return;
}
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
// Check if this is a banned ip address
Improved remote desktop command decoding.
2020-05-17 00:07:53 +03:00
if (obj.checkAllowLogin(req) == false) { parent.debug('web', 'WSERROR: Banned connection.'); try { ws.send(JSON.stringify({ action: 'close', cause: 'banned', msg: 'banned-1' })); ws.close(); } catch (e) { } return; }
Allows MeshCommander to relay thru MeshCentral.
2018-10-14 02:04:04 +03:00
try {
Fixed MeshRelay access control
2018-10-16 20:52:05 +03:00
// Hold this websocket until we are ready.
Updated to Express-ws 4.x
2018-12-01 08:23:10 +03:00
ws._socket.pause();
Fixed MeshRelay access control
2018-10-16 20:52:05 +03:00
Fixed ClickOnce support & improved websocket authentication
2018-10-16 03:21:37 +03:00
// Check IP filtering and domain
Fixed user IP address filtering.
2019-01-05 01:35:01 +03:00
var domain = null;
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
if (noAuthOk == true) {
domain = getDomain(req);
Improved remote desktop command decoding.
2020-05-17 00:07:53 +03:00
if (domain == null) { parent.debug('web', 'WSERROR: Got no domain, no auth ok.'); try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-1' })); ws.close(); return; } catch (e) { } return; }
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
} else {
// If authentication is required, enforce IP address filtering.
domain = checkUserIpAddress(ws, req);
Improved remote desktop command decoding.
2020-05-17 00:07:53 +03:00
if (domain == null) { parent.debug('web', 'WSERROR: Got no domain, user auth required.'); return; }
Fixed user and agent IP address filtering.
2020-03-26 22:06:34 +03:00
}
Fixed ClickOnce support & improved websocket authentication
2018-10-16 03:21:37 +03:00
User inner authentication improvements.
2021-04-03 03:26:17 +03:00
// Check if inner authentication is requested
if (req.headers['x-meshauth'] === '*') { func(ws, req, domain, null); return; }
Added option to turn off reset account on login screen.
2022-02-04 18:29:18 +03:00
const emailcheck = ((domain.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true) && (domain.auth != 'sspi') && (domain.auth != 'ldap'))
Added email validation login page.
2020-04-21 11:50:27 +03:00
Fixed ClickOnce support & improved websocket authentication
2018-10-16 03:21:37 +03:00
// A web socket session can be authenticated in many ways (Default user, session, user/pass and cookie). Check authentication here.
if ((req.query.user != null) && (req.query.pass != null)) {
// A user/pass is provided in URL arguments
More work on login tokens.
2021-04-16 22:42:54 +03:00
obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid, passhint, loginOptions) {
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
Bugfix: accessing user before declaration
2021-06-23 05:18:20 +03:00
var user = obj.users[userid];
Tools not allowed to connect when account twas notools site rights, #2726
2021-06-04 22:46:41 +03:00
// Check if user as the "notools" site right. If so, deny this connection as tools are not allowed to connect.
Fix for server exception when connecting tools.
2021-06-15 03:48:55 +03:00
if ((user != null) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & SITERIGHT_NOMESHCMD)) {
Tools not allowed to connect when account twas notools site rights, #2726
2021-06-04 22:46:41 +03:00
// No tools allowed, close the websocket connection
parent.debug('web', 'ERR: Websocket no tools allowed');
try { ws.send(JSON.stringify({ action: 'close', cause: 'notools', msg: 'notools' })); ws.close(); } catch (e) { }
return;
}
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
// See if we support two-factor trusted cookies
var twoFactorCookieDays = 30;
if (typeof domain.twofactorcookiedurationdays == 'number') { twoFactorCookieDays = domain.twofactorcookiedurationdays; }
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
if ((err == null) && (user)) {
// Check if a 2nd factor is needed
More work on login tokens.
2021-04-16 22:42:54 +03:00
if (checkUserOneTimePasswordRequired(domain, user, req, loginOptions) == true) {
Added support for email 2FA in MeshCentral Router.
2020-03-22 08:52:23 +03:00
// Figure out if email 2FA is allowed
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.otpekey != null));
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
More work on mobile 2FA.
2021-04-14 09:23:09 +03:00
//var push2fa = ((parent.firebase != null) && (user.otpdev != null));
if ((typeof req.query.token != 'string') || (req.query.token == '**email**') || (req.query.token == '**sms**')/* || (req.query.token == '**push**')*/) {
Added support for email 2FA in MeshCentral Router.
2020-03-22 08:52:23 +03:00
if ((req.query.token == '**email**') && (email2fa == true)) {
// Cause a token to be sent to the user's registered email
user.otpekey = { k: obj.common.zeroPad(getRandomEightDigitInteger(), 8), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA email to: ' + user.email);
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
domain.mailserver.sendAccountLoginMail(domain, user.email, user.otpekey.k, obj.getLanguageCodes(req), req.query.key);
Added support for email 2FA in MeshCentral Router.
2020-03-22 08:52:23 +03:00
// Ask for a login token & confirm email was sent
Added .well-known support.
2020-12-22 10:25:30 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, email2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
} else if ((req.query.token == '**sms**') && (sms2fa == true)) {
// Cause a token to be sent to the user's phone number
user.otpsms = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA SMS to: ' + user.phone);
parent.smsserver.sendToken(domain, user.phone, user.otpsms.k, obj.getLanguageCodes(req));
// Ask for a login token & confirm sms was sent
Added .well-known support.
2020-12-22 10:25:30 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, sms2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
More work on mobile 2FA.
2021-04-14 09:23:09 +03:00
/*
} else if ((command.token == '**push**') && (push2fa == true)) {
// Cause push notification to device
const code = Buffer.from(obj.common.zeroPad(getRandomSixDigitInteger(), 6)).toString('base64');
const authCookie = parent.encodeCookie({ a: 'checkAuth', c: code, u: user._id, n: user.otpdev });
var payload = { notification: { title: "MeshCentral", body: user.name + " authentication" }, data: { url: '2fa://auth?code=' + code + '&c=' + authCookie } };
var options = { priority: 'High', timeToLive: 60 }; // TTL: 1 minute
parent.firebase.sendToDevice(user.otpdev, payload, options, function (id, err, errdesc) {
if (err == null) { parent.debug('email', 'Successfully auth check send push message to device'); } else { parent.debug('email', 'Failed auth check push message to device, error: ' + errdesc); }
});
*/
Added support for email 2FA in MeshCentral Router.
2020-03-22 08:52:23 +03:00
} else {
// Ask for a login token
SSO Fixes.
2020-05-27 10:52:31 +03:00
parent.debug('web', 'Asking for login token');
Added .well-known support.
2020-12-22 10:25:30 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
Added support for email 2FA in MeshCentral Router.
2020-03-22 08:52:23 +03:00
}
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
} else {
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
checkUserOneTimePassword(req, domain, user, req.query.token, null, function (result, authData) {
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
if (result == false) {
Added support for email 2FA in MeshCentral Router.
2020-03-22 08:52:23 +03:00
// Failed, ask for a login token again
SSO Fixes.
2020-05-27 10:52:31 +03:00
parent.debug('web', 'Invalid login token, asking again');
Added .well-known support.
2020-12-22 10:25:30 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
} else {
// We are authenticated with 2nd factor.
Added email validation login page.
2020-04-21 11:50:27 +03:00
// Check email verification
Fix for login token with SSO, #3293
2021-11-25 21:09:11 +03:00
if (emailcheck && (user.email != null) && (!(user._id.split('/')[2].startsWith('~'))) && (user.emailVerified !== true)) {
SSO Fixes.
2020-05-27 10:52:31 +03:00
parent.debug('web', 'Invalid login, asking for email validation');
Added .well-known support.
2020-12-22 10:25:30 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'emailvalidation', msg: 'emailvalidationrequired', email2fa: email2fa, sms2fa: sms2fa, email2fasent: true })); ws.close(); } catch (e) { }
Added email validation login page.
2020-04-21 11:50:27 +03:00
} else {
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
func(ws, req, domain, user, null, authData);
Added email validation login page.
2020-04-21 11:50:27 +03:00
}
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
}
});
}
} else {
Added email validation login page.
2020-04-21 11:50:27 +03:00
// Check email verification
Fix for login token with SSO, #3293
2021-11-25 21:09:11 +03:00
if (emailcheck && (user.email != null) && (!(user._id.split('/')[2].startsWith('~'))) && (user.emailVerified !== true)) {
SSO Fixes.
2020-05-27 10:52:31 +03:00
parent.debug('web', 'Invalid login, asking for email validation');
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.otpekey != null));
Added .well-known support.
2020-12-22 10:25:30 +03:00
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
try { ws.send(JSON.stringify({ action: 'close', cause: 'emailvalidation', msg: 'emailvalidationrequired', email2fa: email2fa, sms2fa: sms2fa, email2fasent: true })); ws.close(); } catch (e) { }
Added email validation login page.
2020-04-21 11:50:27 +03:00
} else {
// We are authenticated
func(ws, req, domain, user);
}
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
}
Allows MeshCommander to relay thru MeshCentral.
2018-10-14 02:04:04 +03:00
} else {
Fixed MeshRelay access control
2018-10-16 20:52:05 +03:00
// Failed to authenticate, see if a default user is active
if (obj.args.user && obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]) {
// A default user is active
func(ws, req, domain, obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]);
} else {
// If not authenticated, close the websocket connection
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('web', 'ERR: Websocket bad user/pass auth');
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
//obj.parent.DispatchEvent(['*', 'server-users', 'user/' + domain.id + '/' + obj.args.user.toLowerCase()], obj, { action: 'authfail', userid: 'user/' + domain.id + '/' + obj.args.user.toLowerCase(), username: obj.args.user, domain: domain.id, msg: 'Invalid user login attempt from ' + req.clientIp });
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
//obj.setbadLogin(req);
New Windows agents, desktop shortcut customization.
2021-01-08 10:35:11 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-2a' })); ws.close(); } catch (e) { }
Fixed MeshRelay access control
2018-10-16 20:52:05 +03:00
}
Allows MeshCommander to relay thru MeshCentral.
2018-10-14 02:04:04 +03:00
}
Fixed ClickOnce support & improved websocket authentication
2018-10-16 03:21:37 +03:00
});
return;
Removed dependency on browser cookies to make the site work.
2019-01-29 02:47:54 +03:00
} else if ((req.query.auth != null) && (req.query.auth != '')) {
Fixed ClickOnce support & improved websocket authentication
2018-10-16 03:21:37 +03:00
// This is a encrypted cookie authentication
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
var cookie = obj.parent.decodeCookie(req.query.auth, obj.parent.loginCookieEncryptionKey, 60); // Cookie with 1 hour timeout
if ((cookie == null) && (obj.parent.multiServer != null)) { cookie = obj.parent.decodeCookie(req.query.auth, obj.parent.serverKey, 60); } // Try the server key
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if ((obj.args.cookieipcheck !== false) && (cookie != null) && (cookie.ip != null) && (cookie.ip != req.clientIp && (cookie.ip != req.clientIp))) { // If the cookie if binded to an IP address, check here.
parent.debug('web', 'ERR: Invalid cookie IP address, got \"' + cookie.ip + '\", expected \"' + cleanRemoteAddr(req.clientIp) + '\".');
Improvements to cookie ip checking error messages.
2020-01-26 21:05:27 +03:00
cookie = null;
}
Added loginkey support to meshctrl.js, #3115
2021-09-10 23:04:10 +03:00
if ((cookie != null) && (cookie.userid != null) && (obj.users[cookie.userid]) && (cookie.domainid == domain.id) && (cookie.userid.split('/')[1] == domain.id)) {
// Valid cookie, we are authenticated. Cookie of format { userid: 'user//name', domain: '' }
Fixed ClickOnce support & improved websocket authentication
2018-10-16 03:21:37 +03:00
func(ws, req, domain, obj.users[cookie.userid], cookie);
Added loginkey support to meshctrl.js, #3115
2021-09-10 23:04:10 +03:00
} else if ((cookie != null) && (cookie.a === 3) && (typeof cookie.u == 'string') && (obj.users[cookie.u]) && (cookie.u.split('/')[1] == domain.id)) {
// Valid cookie, we are authenticated. Cookie of format { u: 'user//name', a: 3 }
func(ws, req, domain, obj.users[cookie.u], cookie);
More work on device self-sharing.
2021-11-11 00:21:30 +03:00
} else if ((cookie != null) && (cookie.nouser === 1)) {
// This is a valid cookie, but no user. This is used for agent self-sharing.
func(ws, req, domain, null, cookie);
Allows MeshCommander to relay thru MeshCentral.
2018-10-14 02:04:04 +03:00
} else {
Removed dependency on browser cookies to make the site work.
2019-01-29 02:47:54 +03:00
// This is a bad cookie, keep going anyway, maybe we have a active session that will save us.
Improvements to cookie ip checking error messages.
2020-01-26 21:05:27 +03:00
if ((cookie != null) && (cookie.domainid != domain.id)) { parent.debug('web', 'ERR: Invalid domain, got \"' + cookie.domainid + '\", expected \"' + domain.id + '\".'); }
parent.debug('web', 'ERR: Websocket bad cookie auth (Cookie:' + (cookie != null) + '): ' + req.query.auth);
New Windows agents, desktop shortcut customization.
2021-01-08 10:35:11 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-2b' })); ws.close(); } catch (e) { }
Allows MeshCommander to relay thru MeshCentral.
2018-10-14 02:04:04 +03:00
}
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
return;
} else if (req.headers['x-meshauth'] != null) {
// This is authentication using a custom HTTP header
var s = req.headers['x-meshauth'].split(',');
for (var i in s) { s[i] = Buffer.from(s[i], 'base64').toString(); }
New Windows agents, desktop shortcut customization.
2021-01-08 10:35:11 +03:00
if ((s.length < 2) || (s.length > 3)) { try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-2c' })); ws.close(); } catch (e) { } return; }
More work on login tokens.
2021-04-16 22:42:54 +03:00
obj.authenticate(s[0], s[1], domain, function (err, userid, passhint, loginOptions) {
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
var user = obj.users[userid];
if ((err == null) && (user)) {
Tools not allowed to connect when account twas notools site rights, #2726
2021-06-04 22:46:41 +03:00
// Check if user as the "notools" site right. If so, deny this connection as tools are not allowed to connect.
if ((user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & SITERIGHT_NOMESHCMD)) {
// No tools allowed, close the websocket connection
parent.debug('web', 'ERR: Websocket no tools allowed');
try { ws.send(JSON.stringify({ action: 'close', cause: 'notools', msg: 'notools' })); ws.close(); } catch (e) { }
return;
}
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
// Check if a 2nd factor is needed
More work on login tokens.
2021-04-16 22:42:54 +03:00
if (checkUserOneTimePasswordRequired(domain, user, req, loginOptions) == true) {
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
// See if we support two-factor trusted cookies
var twoFactorCookieDays = 30;
if (typeof domain.twofactorcookiedurationdays == 'number') { twoFactorCookieDays = domain.twofactorcookiedurationdays; }
Added support for email 2FA in MeshCentral Router.
2020-03-22 08:52:23 +03:00
// Figure out if email 2FA is allowed
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.otpekey != null));
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
if (s.length != 3) {
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
} else {
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
checkUserOneTimePassword(req, domain, user, s[2], null, function (result, authData) {
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
if (result == false) {
Added support for email 2FA in MeshCentral Router.
2020-03-22 08:52:23 +03:00
if ((s[2] == '**email**') && (email2fa == true)) {
// Cause a token to be sent to the user's registered email
user.otpekey = { k: obj.common.zeroPad(getRandomEightDigitInteger(), 8), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA email to: ' + user.email);
Added per-domain SMTP/SendGrid support.
2021-02-10 22:28:21 +03:00
domain.mailserver.sendAccountLoginMail(domain, user.email, user.otpekey.k, obj.getLanguageCodes(req), req.query.key);
Added support for email 2FA in MeshCentral Router.
2020-03-22 08:52:23 +03:00
// Ask for a login token & confirm email was sent
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, email2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
} else if ((s[2] == '**sms**') && (sms2fa == true)) {
// Cause a token to be sent to the user's phone number
user.otpsms = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA SMS to: ' + user.phone);
parent.smsserver.sendToken(domain, user.phone, user.otpsms.k, obj.getLanguageCodes(req));
// Ask for a login token & confirm sms was sent
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', sms2fa: sms2fa, sms2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
Added support for email 2FA in MeshCentral Router.
2020-03-22 08:52:23 +03:00
} else {
// Ask for a login token
Fixed 2FA result when token is invalid.
2020-09-29 20:52:03 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
Added support for email 2FA in MeshCentral Router.
2020-03-22 08:52:23 +03:00
}
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
} else {
// We are authenticated with 2nd factor.
Added email validation login page.
2020-04-21 11:50:27 +03:00
// Check email verification
Fix for login token with SSO, #3293
2021-11-25 21:09:11 +03:00
if (emailcheck && (user.email != null) && (!(user._id.split('/')[2].startsWith('~'))) && (user.emailVerified !== true)) {
parent.debug('web', 'Invalid login, asking for email validation');
Added new 2FA cookie system.
2020-09-17 02:16:58 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'emailvalidation', msg: 'emailvalidationrequired', email2fa: email2fa, email2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
Added email validation login page.
2020-04-21 11:50:27 +03:00
} else {
Added 2FA to user login reports
2022-03-05 02:56:19 +03:00
func(ws, req, domain, user, null, authData);
Added email validation login page.
2020-04-21 11:50:27 +03:00
}
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
}
});
}
} else {
// We are authenticated
Added email validation login page.
2020-04-21 11:50:27 +03:00
// Check email verification
Fix for login token with SSO, #3293
2021-11-25 21:09:11 +03:00
if (emailcheck && (user.email != null) && (!(user._id.split('/')[2].startsWith('~'))) && (user.emailVerified !== true)) {
parent.debug('web', 'Invalid login, asking for email validation');
Added email validation login page.
2020-04-21 11:50:27 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'emailvalidation', msg: 'emailvalidationrequired', email2fa: email2fa, email2fasent: true })); ws.close(); } catch (e) { }
} else {
func(ws, req, domain, user);
SSO Fixes.
2020-05-27 10:52:31 +03:00
}
}
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
} else {
// Failed to authenticate, see if a default user is active
if (obj.args.user && obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]) {
// A default user is active
func(ws, req, domain, obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]);
} else {
// If not authenticated, close the websocket connection
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('web', 'ERR: Websocket bad user/pass auth');
New Windows agents, desktop shortcut customization.
2021-01-08 10:35:11 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-2d' })); ws.close(); } catch (e) { }
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
}
}
});
return;
Removed dependency on browser cookies to make the site work.
2019-01-29 02:47:54 +03:00
}
Improved websocket auth when 2nd factor is used.
2019-03-21 21:45:08 +03:00
//console.log(req.headers['x-meshauth']);
Removed dependency on browser cookies to make the site work.
2019-01-29 02:47:54 +03:00
if (obj.args.user && obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]) {
Fixed ClickOnce support & improved websocket authentication
2018-10-16 03:21:37 +03:00
// A default user is active
func(ws, req, domain, obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]);
return;
HTTP cookie session size reduction.
2021-05-12 20:34:04 +03:00
} else if (req.session && (req.session.userid != null) && (req.session.userid.split('/')[1] == domain.id) && (obj.users[req.session.userid])) {
Fixed ClickOnce support & improved websocket authentication
2018-10-16 03:21:37 +03:00
// This user is logged in using the ExpressJS session
Fixed MeshRelay access control
2018-10-16 20:52:05 +03:00
func(ws, req, domain, obj.users[req.session.userid]);
Fixed ClickOnce support & improved websocket authentication
2018-10-16 03:21:37 +03:00
return;
Allows MeshCommander to relay thru MeshCentral.
2018-10-14 02:04:04 +03:00
}
Fixed a ClickOnce exception
2018-10-16 03:51:03 +03:00
if (noAuthOk != true) {
// If not authenticated, close the websocket connection
Added server tracing dialog in web app.
2019-08-23 01:31:39 +03:00
parent.debug('web', 'ERR: Websocket no auth');
Removed dependency on browser cookies to make the site work.
2019-01-29 02:47:54 +03:00
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth-4' })); ws.close(); } catch (e) { }
Fixed a ClickOnce exception
2018-10-16 03:51:03 +03:00
} else {
// Continue this session without user authentication,
// this is expected if the agent is connecting for a tunnel.
func(ws, req, domain, null);
}
Allows MeshCommander to relay thru MeshCentral.
2018-10-14 02:04:04 +03:00
} catch (e) { console.log(e); }
}
Initial main commit
2017-08-28 19:27:45 +03:00
// Find a free port starting with the specified one and going up.
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
function CheckListenPort(port, addr, func) {
Initial main commit
2017-08-28 19:27:45 +03:00
var s = obj.net.createServer(function (socket) { });
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
obj.tcpServer = s.listen(port, addr, function () { s.close(function () { if (func) { func(port, addr); } }); }).on('error', function (err) {
Improved some websocket error handling.
2019-01-03 05:34:50 +03:00
if (args.exactports) { console.error('ERROR: MeshCentral HTTPS server port ' + port + ' not available.'); process.exit(); }
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
else { if (port < 65535) { CheckListenPort(port + 1, addr, func); } else { if (func) { func(0); } } }
Initial main commit
2017-08-28 19:27:45 +03:00
});
}
// Start the ExpressJS web server
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
function StartWebServer(port, addr) {
Updated Windows Agents.
2019-12-11 05:17:25 +03:00
if ((port < 1) || (port > 65535)) return;
Initial main commit
2017-08-28 19:27:45 +03:00
obj.args.port = port;
if (obj.tlsServer != null) {
if (obj.args.lanonly == true) {
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
obj.tcpServer = obj.tlsServer.listen(port, addr, function () { console.log('MeshCentral HTTPS server running on port ' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); });
Initial main commit
2017-08-28 19:27:45 +03:00
} else {
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
obj.tcpServer = obj.tlsServer.listen(port, addr, function () { console.log('MeshCentral HTTPS server running on ' + certificates.CommonName + ':' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); });
Added serverstate.txt file in data folder
2018-03-14 22:10:13 +03:00
obj.parent.updateServerState('servername', certificates.CommonName);
Initial main commit
2017-08-28 19:27:45 +03:00
}
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
if (obj.parent.authlog) { obj.parent.authLog('https', 'Server listening on ' + ((addr != null) ? addr : '0.0.0.0') + ' port ' + port + '.'); }
Added serverstate.txt file in data folder
2018-03-14 22:10:13 +03:00
obj.parent.updateServerState('https-port', port);
if (args.aliasport != null) { obj.parent.updateServerState('https-aliasport', args.aliasport); }
Initial main commit
2017-08-28 19:27:45 +03:00
} else {
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
obj.tcpServer = obj.app.listen(port, addr, function () { console.log('MeshCentral HTTP server running on port ' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); });
Added serverstate.txt file in data folder
2018-03-14 22:10:13 +03:00
obj.parent.updateServerState('http-port', port);
if (args.aliasport != null) { obj.parent.updateServerState('http-aliasport', args.aliasport); }
Initial main commit
2017-08-28 19:27:45 +03:00
}
Updated Windows Agents.
2019-12-11 05:17:25 +03:00
// Check if there is a permissions problem with the ports.
if (require('os').platform() != 'win32') {
var expectedPort = obj.parent.config.settings.port ? obj.parent.config.settings.port : 443;
if ((expectedPort != port) && (port >= 1024) && (port < 1034)) {
console.log('');
console.log('WARNING: MeshCentral is running without permissions to use ports below 1025.');
console.log(' Use setcap to grant access to lower ports, or read installation guide.');
console.log('');
Fixed setcap in warning message.
2020-06-24 00:10:35 +03:00
console.log(' sudo setcap \'cap_net_bind_service=+ep\' `which node` \r\n');
Updated Windows Agents.
2019-12-11 05:17:25 +03:00
obj.parent.addServerWarning('Server running without permissions to use ports below 1025.', false);
}
}
Initial main commit
2017-08-28 19:27:45 +03:00
}
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
// Start the ExpressJS web server on agent-only alternative port
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
function StartAltWebServer(port, addr) {
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
if ((port < 1) || (port > 65535)) return;
Many updates to how agents connect, agent cert checking and tls on agent port.
2020-05-22 22:54:22 +03:00
var agentAliasPort = null;
if (args.agentaliasport != null) { agentAliasPort = args.agentaliasport; }
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
if (obj.tlsAltServer != null) {
if (obj.args.lanonly == true) {
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
obj.tcpAltServer = obj.tlsAltServer.listen(port, addr, function () { console.log('MeshCentral HTTPS agent-only server running on port ' + port + ((agentAliasPort != null) ? (', alias port ' + agentAliasPort) : '') + '.'); });
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
} else {
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
obj.tcpAltServer = obj.tlsAltServer.listen(port, addr, function () { console.log('MeshCentral HTTPS agent-only server running on ' + certificates.CommonName + ':' + port + ((agentAliasPort != null) ? (', alias port ' + agentAliasPort) : '') + '.'); });
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
}
if (obj.parent.authlog) { obj.parent.authLog('https', 'Server listening on 0.0.0.0 port ' + port + '.'); }
obj.parent.updateServerState('https-agent-port', port);
} else {
Updated MeshAgents, MeshCentral Router and bug fixes.
2020-06-05 09:27:48 +03:00
obj.tcpAltServer = obj.agentapp.listen(port, addr, function () { console.log('MeshCentral HTTP agent-only server running on port ' + port + ((agentAliasPort != null) ? (', alias port ' + agentAliasPort) : '') + '.'); });
Added alternate agent port support.
2020-05-03 20:46:20 +03:00
obj.parent.updateServerState('http-agent-port', port);
}
}
Initial main commit
2017-08-28 19:27:45 +03:00
// Force mesh agent disconnection
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
obj.forceMeshAgentDisconnect = function (user, domain, nodeid, disconnectMode) {
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
if (nodeid == null) return;
Initial main commit
2017-08-28 19:27:45 +03:00
var splitnode = nodeid.split('/');
if ((splitnode.length != 3) || (splitnode[1] != domain.id)) return; // Check that nodeid is valid and part of our domain
var agent = obj.wsagents[nodeid];
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
if (agent == null) return;
Initial main commit
2017-08-28 19:27:45 +03:00
// Check we have agent rights
More access control improvements, RPi icon.
2019-12-28 02:18:43 +03:00
if (((obj.GetMeshRights(user, agent.dbMeshKey) & MESHRIGHT_AGENTCONSOLE) != 0) || (user.siteadmin == 0xFFFFFFFF)) { agent.close(disconnectMode); }
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
};
Initial main commit
2017-08-28 19:27:45 +03:00
// Send the core module to the mesh agent
Added recovery core support.
2019-01-22 01:05:50 +03:00
obj.sendMeshAgentCore = function (user, domain, nodeid, coretype, coredata) {
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
if (nodeid == null) return;
Added recovery core support.
2019-01-22 01:05:50 +03:00
const splitnode = nodeid.split('/');
Initial main commit
2017-08-28 19:27:45 +03:00
if ((splitnode.length != 3) || (splitnode[1] != domain.id)) return; // Check that nodeid is valid and part of our domain
Added recovery core support.
2019-01-22 01:05:50 +03:00
// TODO: This command only works if the agent is connected on the same server. Will not work with multi server peering.
const agent = obj.wsagents[nodeid];
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
if (agent == null) return;
Initial main commit
2017-08-28 19:27:45 +03:00
// Check we have agent rights
More access control improvements, RPi icon.
2019-12-28 02:18:43 +03:00
if (((obj.GetMeshRights(user, agent.dbMeshKey) & MESHRIGHT_AGENTCONSOLE) != 0) || (user.siteadmin == 0xFFFFFFFF)) {
Added recovery core support.
2019-01-22 01:05:50 +03:00
if (coretype == 'clear') {
Initial main commit
2017-08-28 19:27:45 +03:00
// Clear the mesh agent core
Added recovery core support.
2019-01-22 01:05:50 +03:00
agent.agentCoreCheck = 1000; // Tell the agent object we are using a custom core.
Initial main commit
2017-08-28 19:27:45 +03:00
agent.send(obj.common.ShortToStr(10) + obj.common.ShortToStr(0));
Added recovery core support.
2019-01-22 01:05:50 +03:00
} else if (coretype == 'default') {
// Reset to default code
Initial main commit
2017-08-28 19:27:45 +03:00
agent.agentCoreCheck = 0; // Tell the agent object we are using a default code
agent.send(obj.common.ShortToStr(11) + obj.common.ShortToStr(0)); // Command 11, ask for mesh core hash.
Added recovery core support.
2019-01-22 01:05:50 +03:00
} else if (coretype == 'recovery') {
// Reset to recovery core
agent.agentCoreCheck = 1001; // Tell the agent object we are using the recovery core.
agent.send(obj.common.ShortToStr(11) + obj.common.ShortToStr(0)); // Command 11, ask for mesh core hash.
Added tiny core support.
2021-01-25 05:43:15 +03:00
} else if (coretype == 'tiny') {
// Reset to tiny core
agent.agentCoreCheck = 1011; // Tell the agent object we are using the tiny core.
agent.send(obj.common.ShortToStr(11) + obj.common.ShortToStr(0)); // Command 11, ask for mesh core hash.
Added recovery core support.
2019-01-22 01:05:50 +03:00
} else if (coretype == 'custom') {
agent.agentCoreCheck = 1000; // Tell the agent object we are using a custom core.
Fixed utf8 in meshcore.
2022-01-14 01:34:39 +03:00
var buf = Buffer.from(coredata, 'utf8');
const hash = obj.crypto.createHash('sha384').update(buf).digest().toString('binary'); // Perform a SHA384 hash on the core module
agent.sendBinary(obj.common.ShortToStr(10) + obj.common.ShortToStr(0) + hash + buf.toString('binary')); // Send the code module to the agent
Initial main commit
2017-08-28 19:27:45 +03:00
}
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
};
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Initial main commit
2017-08-28 19:27:45 +03:00
// Get the server path of a user or mesh object
function getServerRootFilePath(obj) {
Added new account creation and server peering flow control
2017-09-15 21:45:06 +03:00
if ((typeof obj != 'object') || (obj.domain == null) || (obj._id == null)) return null;
Initial main commit
2017-08-28 19:27:45 +03:00
var domainname = 'domain', splitname = obj._id.split('/');
if (splitname.length != 3) return null;
if (obj.domain !== '') domainname = 'domain-' + obj.domain;
return obj.path.join(obj.filespath, domainname + "/" + splitname[0] + "-" + splitname[2]);
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
Added SMTP email support, email verification and password reset support
2017-12-13 03:04:54 +03:00
// Return true is the input string looks like an email address
function checkEmail(str) {
var x = str.split('@');
var ok = ((x.length == 2) && (x[0].length > 0) && (x[1].split('.').length > 1) && (x[1].length > 2));
if (ok == true) { var y = x[1].split('.'); for (var i in y) { if (y[i].length == 0) { ok = false; } } }
return ok;
}
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
/*
obj.wssessions = {}; // UserId --> Array Of Sessions
obj.wssessions2 = {}; // "UserId + SessionRnd" --> Session (Note that the SessionId is the UserId + / + SessionRnd)
obj.wsPeerSessions = {}; // ServerId --> Array Of "UserId + SessionRnd"
obj.wsPeerSessions2 = {}; // "UserId + SessionRnd" --> ServerId
obj.wsPeerSessions3 = {}; // ServerId --> UserId --> [ SessionId ]
*/
Completed server load-balancing support
2017-09-21 00:44:22 +03:00
// Count sessions and event any changes
obj.recountSessions = function (changedSessionId) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
var userid, oldcount, newcount, x, serverid;
Completed server load-balancing support
2017-09-21 00:44:22 +03:00
if (changedSessionId == null) {
// Recount all sessions
// Calculate the session count for all userid's
var newSessionsCount = {};
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
for (userid in obj.wssessions) { newSessionsCount[userid] = obj.wssessions[userid].length; }
for (serverid in obj.wsPeerSessions3) {
for (userid in obj.wsPeerSessions3[serverid]) {
x = obj.wsPeerSessions3[serverid][userid].length;
if (newSessionsCount[userid] == null) { newSessionsCount[userid] = x; } else { newSessionsCount[userid] += x; }
Completed server load-balancing support
2017-09-21 00:44:22 +03:00
}
}
// See what session counts have changed, event any changes
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
for (userid in newSessionsCount) {
newcount = newSessionsCount[userid];
oldcount = obj.sessionsCount[userid];
Completed server load-balancing support
2017-09-21 00:44:22 +03:00
if (oldcount == null) { oldcount = 0; } else { delete obj.sessionsCount[userid]; }
if (newcount != oldcount) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
x = userid.split('/');
Peering fixes, 404 page, new desktop special keys.
2019-08-13 00:58:06 +03:00
var u = obj.users[userid];
User permission fixes, user list export feature.
2019-05-04 22:55:46 +03:00
if (u) {
var targets = ['*', 'server-users'];
if (u.groups) { for (var i in u.groups) { targets.push('server-users:' + i); } }
Much improved event logs
2019-07-30 02:35:48 +03:00
obj.parent.DispatchEvent(targets, obj, { action: 'wssessioncount', userid: userid, username: x[2], count: newcount, domain: x[1], nolog: 1, nopeers: 1 });
User permission fixes, user list export feature.
2019-05-04 22:55:46 +03:00
}
Completed server load-balancing support
2017-09-21 00:44:22 +03:00
}
}
// If there are any counts left in the old counts, event to zero
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
for (userid in obj.sessionsCount) {
oldcount = obj.sessionsCount[userid];
Completed server load-balancing support
2017-09-21 00:44:22 +03:00
if ((oldcount != null) && (oldcount != 0)) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
x = userid.split('/');
Peering fixes, 404 page, new desktop special keys.
2019-08-13 00:58:06 +03:00
var u = obj.users[userid];
User permission fixes, user list export feature.
2019-05-04 22:55:46 +03:00
if (u) {
var targets = ['*', 'server-users'];
if (u.groups) { for (var i in u.groups) { targets.push('server-users:' + i); } }
Much improved event logs
2019-07-30 02:35:48 +03:00
obj.parent.DispatchEvent(['*'], obj, { action: 'wssessioncount', userid: userid, username: x[2], count: 0, domain: x[1], nolog: 1, nopeers: 1 })
User permission fixes, user list export feature.
2019-05-04 22:55:46 +03:00
}
Completed server load-balancing support
2017-09-21 00:44:22 +03:00
}
}
// Set the new session counts
obj.sessionsCount = newSessionsCount;
} else {
// Figure out the userid
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
userid = changedSessionId.split('/').slice(0, 3).join('/');
Completed server load-balancing support
2017-09-21 00:44:22 +03:00
// Recount only changedSessionId
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
newcount = 0;
Completed server load-balancing support
2017-09-21 00:44:22 +03:00
if (obj.wssessions[userid] != null) { newcount = obj.wssessions[userid].length; }
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
for (serverid in obj.wsPeerSessions3) { if (obj.wsPeerSessions3[serverid][userid] != null) { newcount += obj.wsPeerSessions3[serverid][userid].length; } }
oldcount = obj.sessionsCount[userid];
Completed server load-balancing support
2017-09-21 00:44:22 +03:00
if (oldcount == null) { oldcount = 0; }
// If the count changed, update and event
if (newcount != oldcount) {
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
x = userid.split('/');
Peering fixes, 404 page, new desktop special keys.
2019-08-13 00:58:06 +03:00
var u = obj.users[userid];
User permission fixes, user list export feature.
2019-05-04 22:55:46 +03:00
if (u) {
var targets = ['*', 'server-users'];
if (u.groups) { for (var i in u.groups) { targets.push('server-users:' + i); } }
Much improved event logs
2019-07-30 02:35:48 +03:00
obj.parent.DispatchEvent(targets, obj, { action: 'wssessioncount', userid: userid, username: x[2], count: newcount, domain: x[1], nolog: 1, nopeers: 1 });
User permission fixes, user list export feature.
2019-05-04 22:55:46 +03:00
obj.sessionsCount[userid] = newcount;
}
Completed server load-balancing support
2017-09-21 00:44:22 +03:00
}
}
Completed first pass with JsHint, updated windows MeshAgent.
2018-08-30 22:05:23 +03:00
};
Completed server load-balancing support
2017-09-21 00:44:22 +03:00
More access control improvements, RPi icon.
2019-12-28 02:18:43 +03:00
//
// Access Control Functions
//
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
// Remove user rights
function removeUserRights(rights, user) {
if (user.removeRights == null) return rights;
var add = 0, substract = 0;
Added more user permissions removal. #3065
2021-08-28 19:51:03 +03:00
if ((user.removeRights & 0x00000008) != 0) { substract += 0x00000008; } // No Remote Control
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
if ((user.removeRights & 0x00010000) != 0) { add += 0x00010000; } // No Desktop
if ((user.removeRights & 0x00000100) != 0) { add += 0x00000100; } // Desktop View Only
if ((user.removeRights & 0x00000200) != 0) { add += 0x00000200; } // No Terminal
if ((user.removeRights & 0x00000400) != 0) { add += 0x00000400; } // No Files
if ((user.removeRights & 0x00000010) != 0) { substract += 0x00000010; } // No Console
Added more user permissions removal. #3065
2021-08-28 19:51:03 +03:00
if ((user.removeRights & 0x00008000) != 0) { substract += 0x00008000; } // No Uninstall
if ((user.removeRights & 0x00020000) != 0) { substract += 0x00020000; } // No Remote Command
if ((user.removeRights & 0x00000040) != 0) { substract += 0x00000040; } // No Wake
if ((user.removeRights & 0x00040000) != 0) { substract += 0x00040000; } // No Reset/Off
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
if (rights != 0xFFFFFFFF) {
// If not administrator, add and subsctract restrictions
rights |= add;
rights &= (0xFFFFFFFF - substract);
} else {
// If administrator for a device group, start with permissions and add and subsctract restrictions
rights = 1 + 2 + 4 + 8 + 32 + 64 + 128 + 16384 + 32768 + 131072 + 262144 + 524288 + 1048576;
rights |= add;
rights &= (0xFFFFFFFF - substract);
}
return rights;
}
Improved uicustomevent security and events, #3823
2022-03-30 17:14:14 +03:00
// Return the node and rights for a array of nodeids
obj.GetNodesWithRights = function (domain, user, nodeids, func) {
var rc = nodeids.length, r = {};
for (var i in nodeids) {
obj.GetNodeWithRights(domain, user, nodeids[i], function (node, rights, visible) {
if ((node != null) && (visible == true)) { r[node._id] = { node: node, rights: rights }; if (--rc == 0) { func(r); } }
});
}
}
More access control improvements, RPi icon.
2019-12-28 02:18:43 +03:00
// Return the node and rights for a given nodeid
obj.GetNodeWithRights = function (domain, user, nodeid, func) {
// Perform user pre-validation
if ((user == null) || (nodeid == null)) { func(null, 0, false); return; } // Invalid user
if (typeof user == 'string') { user = obj.users[user]; }
Fixed users that manage all device groups.
2020-09-10 02:17:00 +03:00
if (user == null) { func(null, 0, false); return; } // No rights
More access control improvements, RPi icon.
2019-12-28 02:18:43 +03:00
// Perform node pre-validation
if (obj.common.validateString(nodeid, 0, 128) == false) { func(null, 0, false); return; } // Invalid nodeid
const snode = nodeid.split('/');
if ((snode.length != 3) || (snode[0] != 'node')) { func(null, 0, false); return; } // Invalid nodeid
if ((domain != null) && (snode[1] != domain.id)) { func(null, 0, false); return; } // Invalid domain
// Check that we have permissions for this node.
db.Get(nodeid, function (err, nodes) {
if ((nodes == null) || (nodes.length != 1)) { func(null, 0, false); return; } // No such nodeid
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
Fixed device access control when using ManageAllDeviceGroups.
2020-05-06 21:47:23 +03:00
// This is a super user that can see all device groups for a given domain
if ((user.siteadmin == 0xFFFFFFFF) && (parent.config.settings.managealldevicegroups.indexOf(user._id) >= 0) && (nodes[0].domain == user.domain)) {
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
func(nodes[0], removeUserRights(0xFFFFFFFF, user), true); return;
Fixed device access control when using ManageAllDeviceGroups.
2020-05-06 21:47:23 +03:00
}
Fixed users that manage all device groups.
2020-09-10 02:17:00 +03:00
// If no links, stop here.
if (user.links == null) { func(null, 0, false); return; }
Fixed user account delete with user manager.
2020-03-18 03:17:04 +03:00
// Check device link
var rights = 0, visible = false, r = user.links[nodeid];
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
if (r != null) {
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
if (r.rights == 0xFFFFFFFF) { func(nodes[0], removeUserRights(0xFFFFFFFF, user), true); return; } // User has full rights thru a device link, stop here.
Fixed user account delete with user manager.
2020-03-18 03:17:04 +03:00
rights |= r.rights;
visible = true;
}
// Check device group link
r = user.links[nodes[0].meshid];
if (r != null) {
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
if (r.rights == 0xFFFFFFFF) { func(nodes[0], removeUserRights(0xFFFFFFFF, user), true); return; } // User has full rights thru a device group link, stop here.
Fixed user account delete with user manager.
2020-03-18 03:17:04 +03:00
rights |= r.rights;
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
visible = true;
}
// Check user group links
for (var i in user.links) {
if (i.startsWith('ugrp/')) {
const g = obj.userGroups[i];
if (g && (g.links != null)) {
r = g.links[nodes[0].meshid];
if (r != null) {
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
if (r.rights == 0xFFFFFFFF) { func(nodes[0], removeUserRights(0xFFFFFFFF, user), true); return; } // User has full rights thru a user group link, stop here.
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
rights |= r.rights; // TODO: Deal with reverse rights
visible = true;
}
More work on individual device thru user groups.
2020-04-13 20:50:57 +03:00
r = g.links[nodeid];
if (r != null) {
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
if (r.rights == 0xFFFFFFFF) { func(nodes[0], removeUserRights(0xFFFFFFFF, user), true); return; } // User has full rights thru a user group direct link, stop here.
More work on individual device thru user groups.
2020-04-13 20:50:57 +03:00
rights |= r.rights; // TODO: Deal with reverse rights
visible = true;
}
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
}
}
}
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
// Remove any user rights
rights = removeUserRights(rights, user);
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
// Return the rights we found
func(nodes[0], rights, visible);
More access control improvements, RPi icon.
2019-12-28 02:18:43 +03:00
});
}
Centralization of user access control.
2019-12-27 09:53:01 +03:00
// Returns a list of all meshes that this user has some rights too
obj.GetAllMeshWithRights = function (user, rights) {
if (typeof user == 'string') { user = obj.users[user]; }
Fixed users that manage all device groups.
2020-09-10 02:17:00 +03:00
if (user == null) { return []; }
Added support for accounts that manage all device group
2020-02-18 00:01:13 +03:00
Centralization of user access control.
2019-12-27 09:53:01 +03:00
var r = [];
Added support for accounts that manage all device group
2020-02-18 00:01:13 +03:00
if ((user.siteadmin == 0xFFFFFFFF) && (parent.config.settings.managealldevicegroups.indexOf(user._id) >= 0)) {
// This is a super user that can see all device groups for a given domain
var meshStartStr = 'mesh/' + user.domain + '/';
for (var i in obj.meshes) { if ((obj.meshes[i]._id.startsWith(meshStartStr)) && (obj.meshes[i].deleted == null)) { r.push(obj.meshes[i]); } }
return r;
}
Fixed users that manage all device groups.
2020-09-10 02:17:00 +03:00
if (user.links == null) { return []; }
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
for (var i in user.links) {
if (i.startsWith('mesh/')) {
// Grant access to a device group thru a direct link
const m = obj.meshes[i];
Fixed server file permissions for device groups, #3294
2021-11-25 20:26:25 +03:00
if ((m) && (r.indexOf(m) == -1) && (m.deleted == null) && ((rights == null) || ((user.links[i].rights & rights) != 0))) { r.push(m); }
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
} else if (i.startsWith('ugrp/')) {
// Grant access to a device group thru a user group
const g = obj.userGroups[i];
Fixed server file permissions for device groups, #3294
2021-11-25 20:26:25 +03:00
for (var j in g.links) {
if (j.startsWith('mesh/') && ((rights == null) || ((g.links[j].rights != null) && (g.links[j].rights & rights) != 0))) {
const m = obj.meshes[j];
if ((m) && (m.deleted == null) && (r.indexOf(m) == -1)) { r.push(m); }
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
}
}
}
}
Centralization of user access control.
2019-12-27 09:53:01 +03:00
return r;
}
// Returns a list of all mesh id's that this user has some rights too
obj.GetAllMeshIdWithRights = function (user, rights) {
if (typeof user == 'string') { user = obj.users[user]; }
Fixed users that manage all device groups.
2020-09-10 02:17:00 +03:00
if (user == null) { return []; }
Centralization of user access control.
2019-12-27 09:53:01 +03:00
var r = [];
Added support for accounts that manage all device group
2020-02-18 00:01:13 +03:00
if ((user.siteadmin == 0xFFFFFFFF) && (parent.config.settings.managealldevicegroups.indexOf(user._id) >= 0)) {
// This is a super user that can see all device groups for a given domain
var meshStartStr = 'mesh/' + user.domain + '/';
for (var i in obj.meshes) { if ((obj.meshes[i]._id.startsWith(meshStartStr)) && (obj.meshes[i].deleted == null)) { r.push(obj.meshes[i]._id); } }
return r;
}
Fixed users that manage all device groups.
2020-09-10 02:17:00 +03:00
if (user.links == null) { return []; }
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
for (var i in user.links) {
if (i.startsWith('mesh/')) {
// Grant access to a device group thru a direct link
const m = obj.meshes[i];
Fixed access control checking.
2021-01-25 11:22:01 +03:00
if ((m) && (m.deleted == null) && ((rights == null) || ((user.links[i].rights & rights) != 0))) {
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
if (r.indexOf(m._id) == -1) { r.push(m._id); }
}
} else if (i.startsWith('ugrp/')) {
// Grant access to a device group thru a user group
const g = obj.userGroups[i];
Fixed access control checking.
2021-01-25 11:22:01 +03:00
if (g && (g.links != null) && ((rights == null) || ((user.links[i].rights & rights) != 0))) {
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
for (var j in g.links) {
if (j.startsWith('mesh/')) {
const m = obj.meshes[j];
if ((m) && (m.deleted == null)) {
if (r.indexOf(m._id) == -1) { r.push(m._id); }
}
}
}
}
}
}
Centralization of user access control.
2019-12-27 09:53:01 +03:00
return r;
}
Fixed user account delete with user manager.
2020-03-18 03:17:04 +03:00
// Get the rights of a user on a given device group
Centralization of user access control.
2019-12-27 09:53:01 +03:00
obj.GetMeshRights = function (user, mesh) {
if ((user == null) || (mesh == null)) { return 0; }
if (typeof user == 'string') { user = obj.users[user]; }
Fixed users that manage all device groups.
2020-09-10 02:17:00 +03:00
if (user == null) { return 0; }
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
var r, meshid;
if (typeof mesh == 'string') {
meshid = mesh;
} else if ((typeof mesh == 'object') && (typeof mesh._id == 'string')) {
meshid = mesh._id;
} else return 0;
Added support for accounts that manage all device group
2020-02-18 00:01:13 +03:00
// Check if this is a super user that can see all device groups for a given domain
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
if ((user.siteadmin == 0xFFFFFFFF) && (parent.config.settings.managealldevicegroups.indexOf(user._id) >= 0) && (meshid.startsWith('mesh/' + user.domain + '/'))) { return removeUserRights(0xFFFFFFFF, user); }
Added support for accounts that manage all device group
2020-02-18 00:01:13 +03:00
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
// Check direct user to device group permissions
Fixed users that manage all device groups.
2020-09-10 02:17:00 +03:00
if (user.links == null) return 0;
Implemented user group permission query in the web app.
2020-01-05 00:19:32 +03:00
var rights = 0;
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
r = user.links[meshid];
Implemented user group permission query in the web app.
2020-01-05 00:19:32 +03:00
if (r != null) {
var rights = r.rights;
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
if (rights == 0xFFFFFFFF) { return removeUserRights(rights, user); } // If the user has full access thru direct link, stop here.
Implemented user group permission query in the web app.
2020-01-05 00:19:32 +03:00
}
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
// Check if we are part of any user groups that would give this user more access.
for (var i in user.links) {
if (i.startsWith('ugrp')) {
Implemented user group permission query in the web app.
2020-01-05 00:19:32 +03:00
const g = obj.userGroups[i];
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
if (g) {
r = g.links[meshid];
if (r != null) {
if (r.rights == 0xFFFFFFFF) {
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
return removeUserRights(r.rights, user); // If the user hash full access thru a user group link, stop here.
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
} else {
rights |= r.rights; // Add to existing rights (TODO: Deal with reverse rights)
}
}
}
}
}
Completed user access rights removal feature, #3065
2021-08-28 00:42:28 +03:00
return removeUserRights(rights, user);
Centralization of user access control.
2019-12-27 09:53:01 +03:00
}
// Returns true if the user can view the given device group
obj.IsMeshViewable = function (user, mesh) {
if ((user == null) || (mesh == null)) { return false; }
if (typeof user == 'string') { user = obj.users[user]; }
Fixed users that manage all device groups.
2020-09-10 02:17:00 +03:00
if (user == null) { return false; }
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
var meshid;
if (typeof mesh == 'string') {
meshid = mesh;
} else if ((typeof mesh == 'object') && (typeof mesh._id == 'string')) {
meshid = mesh._id;
} else return false;
Added support for accounts that manage all device group
2020-02-18 00:01:13 +03:00
// Check if this is a super user that can see all device groups for a given domain
if ((user.siteadmin == 0xFFFFFFFF) && (parent.config.settings.managealldevicegroups.indexOf(user._id) >= 0) && (meshid.startsWith('mesh/' + user.domain + '/'))) { return true; }
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
// Check direct user to device group permissions
Fixed users that manage all device groups.
2020-09-10 02:17:00 +03:00
if (user.links == null) { return false; }
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
if (user.links[meshid] != null) { return true; } // If the user has a direct link, stop here.
// Check if we are part of any user groups that would give this user visibility to this device group.
for (var i in user.links) {
if (i.startsWith('ugrp')) {
Implemented user group permission query in the web app.
2020-01-05 00:19:32 +03:00
const g = obj.userGroups[i];
Implemented server side user group permissions query.
2020-01-04 23:44:12 +03:00
if (g && (g.links[meshid] != null)) { return true; } // If the user has a user group link, stop here.
}
}
return false;
Centralization of user access control.
2019-12-27 09:53:01 +03:00
}
Speed up GetNodeRights() using 10 second caching.
2022-01-10 00:19:49 +03:00
var GetNodeRightsCache = {};
var GetNodeRightsCacheCount = 0;
More work on user device rights.
2020-03-30 08:40:13 +03:00
// Return the user rights for a given node
obj.GetNodeRights = function (user, mesh, nodeid) {
if ((user == null) || (mesh == null) || (nodeid == null)) { return 0; }
if (typeof user == 'string') { user = obj.users[user]; }
Improved agent coredump processing.
2020-10-28 02:40:12 +03:00
if (user == null) { return 0; }
Speed up GetNodeRights() using 10 second caching.
2022-01-10 00:19:49 +03:00
var meshid;
if (typeof mesh == 'string') { meshid = mesh; } else if ((typeof mesh == 'object') && (typeof mesh._id == 'string')) { meshid = mesh._id; } else return 0;
// Check if we have this in the cache
const cacheid = user._id + '/' + meshid + '/' + nodeid;
const cache = GetNodeRightsCache[cacheid];
if (cache != null) { if (cache.t > Date.now()) { return cache.o; } else { GetNodeRightsCacheCount--; } } // Cache hit, or we need to update the cache
if (GetNodeRightsCacheCount > 2000) { GetNodeRightsCache = {}; GetNodeRightsCacheCount = 0; } // From time to time, flush the cache
More work on user device rights.
2020-03-30 08:40:13 +03:00
var r = obj.GetMeshRights(user, mesh);
Speed up GetNodeRights() using 10 second caching.
2022-01-10 00:19:49 +03:00
if (r == 0xFFFFFFFF) {
const out = removeUserRights(r, user);
GetNodeRightsCache[cacheid] = { t: Date.now() + 10000, o: out };
GetNodeRightsCacheCount++;
return out;
}
More work on user device rights.
2020-03-30 08:40:13 +03:00
// Check direct device rights using device data
if ((user.links != null) && (user.links[nodeid] != null)) { r |= user.links[nodeid].rights; } // TODO: Deal with reverse permissions
Speed up GetNodeRights() using 10 second caching.
2022-01-10 00:19:49 +03:00
if (r == 0xFFFFFFFF) {
const out = removeUserRights(r, user);
GetNodeRightsCache[cacheid] = { t: Date.now() + 10000, o: out };
GetNodeRightsCacheCount++;
return out;
}
More work on individual device thru user groups.
2020-04-13 20:50:57 +03:00
// Check direct device rights thru a user group
for (var i in user.links) {
if (i.startsWith('ugrp')) {
const g = obj.userGroups[i];
if (g && (g.links[nodeid] != null)) { r |= g.links[nodeid].rights; }
}
}
Speed up GetNodeRights() using 10 second caching.
2022-01-10 00:19:49 +03:00
const out = removeUserRights(r, user);
GetNodeRightsCache[cacheid] = { t: Date.now() + 10000, o: out };
GetNodeRightsCacheCount++;
return out;
More work on user device rights.
2020-03-30 08:40:13 +03:00
}
First version with user groups enabled.
2020-01-05 00:46:55 +03:00
// Returns a list of displatch targets for a given mesh
// We have to target the meshid and all user groups for this mesh, plus any added targets
obj.CreateMeshDispatchTargets = function (mesh, addedTargets) {
var targets = (addedTargets != null) ? addedTargets : [];
if (targets.indexOf('*') == -1) { targets.push('*'); }
if (typeof mesh == 'string') { mesh = obj.meshes[mesh]; }
More work on user groups for individual device permissions.
2020-04-13 21:24:56 +03:00
if (mesh != null) { targets.push(mesh._id); for (var i in mesh.links) { if (i.startsWith('ugrp/')) { targets.push(i); } } }
return targets;
}
// Returns a list of displatch targets for a given mesh
// We have to target the meshid and all user groups for this mesh, plus any added targets
obj.CreateNodeDispatchTargets = function (mesh, nodeid, addedTargets) {
var targets = (addedTargets != null) ? addedTargets : [];
targets.push(nodeid);
if (targets.indexOf('*') == -1) { targets.push('*'); }
if (typeof mesh == 'string') { mesh = obj.meshes[mesh]; }
if (mesh != null) { targets.push(mesh._id); for (var i in mesh.links) { if (i.startsWith('ugrp/')) { targets.push(i); } } }
for (var i in obj.userGroups) { const g = obj.userGroups[i]; if ((g != null) && (g.links != null) && (g.links[nodeid] != null)) { targets.push(i); } }
First version with user groups enabled.
2020-01-05 00:46:55 +03:00
return targets;
}
Added one time passwords for user 2-factor login.
2019-02-06 06:07:12 +03:00
// Clone a safe version of a user object, remove everything that is secret.
Added optional database record encryption support.
2019-10-03 03:19:33 +03:00
obj.CloneSafeUser = function (user) {
Added one time passwords for user 2-factor login.
2019-02-06 06:07:12 +03:00
if (typeof user != 'object') { return user; }
Removed clonings.
2019-10-11 21:16:36 +03:00
var user2 = Object.assign({}, user); // Shallow clone
Added one time passwords for user 2-factor login.
2019-02-06 06:07:12 +03:00
delete user2.hash;
delete user2.passhint;
delete user2.salt;
delete user2.type;
delete user2.domain;
delete user2.subscriptions;
delete user2.passtype;
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
delete user2.otpsms;
Completed email 2FA.
2020-03-15 01:03:50 +03:00
if ((typeof user2.otpekey == 'object') && (user2.otpekey != null)) { user2.otpekey = 1; } // Indicates that email 2FA is enabled.
Added optional database record encryption support.
2019-10-03 03:19:33 +03:00
if ((typeof user2.otpsecret == 'string') && (user2.otpsecret != null)) { user2.otpsecret = 1; } // Indicates a time secret is present.
if ((typeof user2.otpkeys == 'object') && (user2.otpkeys != null)) { user2.otpkeys = 0; if (user.otpkeys != null) { for (var i = 0; i < user.otpkeys.keys.length; i++) { if (user.otpkeys.keys[i].u == true) { user2.otpkeys = 1; } } } } // Indicates the number of one time backup codes that are active.
if ((typeof user2.otphkeys == 'object') && (user2.otphkeys != null)) { user2.otphkeys = user2.otphkeys.length; } // Indicates the number of hardware keys setup
Partial work on mobile device 2FA.
2021-04-14 05:59:10 +03:00
if ((typeof user2.otpdev == 'string') && (user2.otpdev != null)) { user2.otpdev = 1; } // Indicates device for 2FA push notification
More web push progress.
2021-02-09 23:24:12 +03:00
if ((typeof user2.webpush == 'object') && (user2.webpush != null)) { user2.webpush = user2.webpush.length; } // Indicates the number of web push sessions we have
Added one time passwords for user 2-factor login.
2019-02-06 06:07:12 +03:00
return user2;
}
Removed clonings.
2019-10-11 21:16:36 +03:00
// Clone a safe version of a node object, remove everything that is secret.
obj.CloneSafeNode = function (node) {
if (typeof node != 'object') { return node; }
var r = node;
Added SSH Key support.
2021-08-13 08:52:42 +03:00
if ((r.pmt != null) || (r.ssh != null) || (r.rdp != null) || ((r.intelamt != null) && ((r.intelamt.pass != null) || (r.intelamt.mpspass != null)))) {
Removed clonings.
2019-10-11 21:16:36 +03:00
r = Object.assign({}, r); // Shallow clone
Added Firebase Cloud Messaging support.
2021-01-31 03:15:06 +03:00
if (r.pmt != null) { r.pmt = 1; }
Added SSH Key support.
2021-08-13 08:52:42 +03:00
if (r.ssh != null) { r.ssh = (r.ssh.k != null) ? 2 : 1; }
MeshCentral can now remember RDP credentials.
2021-06-30 03:13:18 +03:00
if (r.rdp != null) { r.rdp = 1; }
Added Firebase Cloud Messaging support.
2021-01-31 03:15:06 +03:00
if ((r.intelamt != null) && ((r.intelamt.pass != null) || (r.intelamt.mpspass != null))) {
r.intelamt = Object.assign({}, r.intelamt); // Shallow clone
if (r.intelamt.pass != null) { r.intelamt.pass = 1; }; // Remove the Intel AMT administrator password from the node
if (r.intelamt.mpspass != null) { r.intelamt.mpspass = 1; }; // Remove the Intel AMT MPS password from the node
}
Removed clonings.
2019-10-11 21:16:36 +03:00
}
return r;
}
// Clone a safe version of a mesh object, remove everything that is secret.
obj.CloneSafeMesh = function (mesh) {
if (typeof mesh != 'object') { return mesh; }
var r = mesh;
Added support for IP-KVM device groups.
2021-12-03 05:34:18 +03:00
if (((r.amt != null) && (r.amt.password != null)) || ((r.kvm != null) && (r.kvm.pass != null))) {
Removed clonings.
2019-10-11 21:16:36 +03:00
r = Object.assign({}, r); // Shallow clone
Added support for IP-KVM device groups.
2021-12-03 05:34:18 +03:00
if ((r.amt != null) && (r.amt.password != null)) {
r.amt = Object.assign({}, r.amt); // Shallow clone
if ((r.amt.password != null) && (r.amt.password != '')) { r.amt.password = 1; } // Remove the Intel AMT password from the policy
}
if ((r.kvm != null) && (r.kvm.pass != null)) {
r.kvm = Object.assign({}, r.kvm); // Shallow clone
if ((r.kvm.pass != null) && (r.kvm.pass != '')) { r.kvm.pass = 1; } // Remove the IP KVM device password
}
Removed clonings.
2019-10-11 21:16:36 +03:00
}
return r;
}
Added user web state filtering.
2019-10-26 00:41:14 +03:00
// Filter the user web site and only output state that we need to keep
WebApp NightMode and FooterBar are now server side state.
2020-02-28 03:34:59 +03:00
const acceptableUserWebStateStrings = ['webPageStackMenu', 'notifications', 'deviceView', 'nightMode', 'webPageFullScreen', 'search', 'showRealNames', 'sort', 'deskAspectRatio', 'viewsize', 'DeskControl', 'uiMode', 'footerBar'];
Added user web state filtering.
2019-10-26 00:41:14 +03:00
const acceptableUserWebStateDesktopStrings = ['encoding', 'showfocus', 'showmouse', 'showcad', 'limitFrameRate', 'noMouseRotate', 'quality', 'scaling']
obj.filterUserWebState = function (state) {
if (typeof state == 'string') { try { state = JSON.parse(state); } catch (ex) { return null; } }
Server fixes.
2020-06-22 00:27:10 +03:00
if ((state == null) || (typeof state != 'object')) { return null; }
Added user web state filtering.
2019-10-26 00:41:14 +03:00
var out = {};
for (var i in acceptableUserWebStateStrings) {
var n = acceptableUserWebStateStrings[i];
Added staring a device feature.
2020-07-29 01:27:28 +03:00
if ((state[n] != null) && ((typeof state[n] == 'number') || (typeof state[n] == 'boolean') || ((typeof state[n] == 'string') && (state[n].length < 64)))) { out[n] = state[n]; }
Added user web state filtering.
2019-10-26 00:41:14 +03:00
}
Added staring a device feature.
2020-07-29 01:27:28 +03:00
if ((typeof state.stars == 'string') && (state.stars.length < 2048)) { out.stars = state.stars; }
Added user web state filtering.
2019-10-26 00:41:14 +03:00
if (typeof state.desktopsettings == 'string') { try { state.desktopsettings = JSON.parse(state.desktopsettings); } catch (ex) { delete state.desktopsettings; } }
if (state.desktopsettings != null) {
out.desktopsettings = {};
for (var i in acceptableUserWebStateDesktopStrings) {
var n = acceptableUserWebStateDesktopStrings[i];
if ((state.desktopsettings[n] != null) && ((typeof state.desktopsettings[n] == 'number') || (typeof state.desktopsettings[n] == 'boolean') || ((typeof state.desktopsettings[n] == 'string') && (state.desktopsettings[n].length < 32)))) { out.desktopsettings[n] = state.desktopsettings[n]; }
}
out.desktopsettings = JSON.stringify(out.desktopsettings);
}
New Windows agents, desktop shortcut customization.
2021-01-08 10:35:11 +03:00
if ((typeof state.deskKeyShortcuts == 'string') && (state.deskKeyShortcuts.length < 2048)) { out.deskKeyShortcuts = state.deskKeyShortcuts; }
Added user customized quick typing strings.
2021-11-12 04:09:12 +03:00
if ((typeof state.deskStrings == 'string') && (state.deskStrings.length < 10000)) { out.deskStrings = state.deskStrings; }
Added user web state filtering.
2019-10-26 00:41:14 +03:00
return JSON.stringify(out);
}
Improved meshcentral-web customization support.
2019-08-25 21:08:32 +03:00
// Return the correct render page given mobile, minify and override path.
Added support for per-domain web folder.
2020-03-25 23:21:14 +03:00
function getRenderPage(pagename, req, domain) {
Fixed numeric password requirement check.
2020-05-02 09:53:32 +03:00
var mobile = isMobileBrowser(req), minify = (domain.minify == true), p;
Improved web app, SSO fixes.
2020-05-27 02:36:17 +03:00
if (req.query.mobile == '1') { mobile = true; } else if (req.query.mobile == '0') { mobile = false; }
Fixed numeric password requirement check.
2020-05-02 09:53:32 +03:00
if (req.query.minify == '1') { minify = true; } else if (req.query.minify == '0') { minify = false; }
Added option to disable mobile site.
2022-02-04 05:50:04 +03:00
if ((domain != null) && (domain.mobilesite === false)) { mobile = false; }
Improved meshcentral-web customization support.
2019-08-25 21:08:32 +03:00
if (mobile) {
Added support for per-domain web folder.
2020-03-25 23:21:14 +03:00
if ((domain != null) && (domain.webviewspath != null)) { // If the domain has a web views path, use that first
if (minify) {
p = obj.path.join(domain.webviewspath, pagename + '-mobile-min');
if (obj.fs.existsSync(p + '.handlebars')) { return p; } // Mobile + Minify + Override document
}
p = obj.path.join(domain.webviewspath, pagename + '-mobile');
if (obj.fs.existsSync(p + '.handlebars')) { return p; } // Mobile + Override document
}
Improved meshcentral-web customization support.
2019-08-25 21:08:32 +03:00
if (obj.parent.webViewsOverridePath != null) {
if (minify) {
p = obj.path.join(obj.parent.webViewsOverridePath, pagename + '-mobile-min');
if (obj.fs.existsSync(p + '.handlebars')) { return p; } // Mobile + Minify + Override document
}
Fixed agent invite when minify is enabled.
2019-09-21 02:24:37 +03:00
p = obj.path.join(obj.parent.webViewsOverridePath, pagename + '-mobile');
if (obj.fs.existsSync(p + '.handlebars')) { return p; } // Mobile + Override document
Improved meshcentral-web customization support.
2019-08-25 21:08:32 +03:00
}
if (minify) {
p = obj.path.join(obj.parent.webViewsPath, pagename + '-mobile-min');
if (obj.fs.existsSync(p + '.handlebars')) { return p; } // Mobile + Minify document
}
Fixed agent invite when minify is enabled.
2019-09-21 02:24:37 +03:00
p = obj.path.join(obj.parent.webViewsPath, pagename + '-mobile');
if (obj.fs.existsSync(p + '.handlebars')) { return p; } // Mobile document
Improved meshcentral-web customization support.
2019-08-25 21:08:32 +03:00
}
Added support for per-domain web folder.
2020-03-25 23:21:14 +03:00
if ((domain != null) && (domain.webviewspath != null)) { // If the domain has a web views path, use that first
if (minify) {
p = obj.path.join(domain.webviewspath, pagename + '-min');
if (obj.fs.existsSync(p + '.handlebars')) { return p; } // Minify + Override document
}
p = obj.path.join(domain.webviewspath, pagename);
if (obj.fs.existsSync(p + '.handlebars')) { return p; } // Override document
}
Improved meshcentral-web customization support.
2019-08-25 21:08:32 +03:00
if (obj.parent.webViewsOverridePath != null) {
if (minify) {
p = obj.path.join(obj.parent.webViewsOverridePath, pagename + '-min');
if (obj.fs.existsSync(p + '.handlebars')) { return p; } // Minify + Override document
}
Fixed agent invite when minify is enabled.
2019-09-21 02:24:37 +03:00
p = obj.path.join(obj.parent.webViewsOverridePath, pagename);
if (obj.fs.existsSync(p + '.handlebars')) { return p; } // Override document
Improved meshcentral-web customization support.
2019-08-25 21:08:32 +03:00
}
if (minify) {
p = obj.path.join(obj.parent.webViewsPath, pagename + '-min');
if (obj.fs.existsSync(p + '.handlebars')) { return p; } // Minify document
}
Fixed agent invite when minify is enabled.
2019-09-21 02:24:37 +03:00
p = obj.path.join(obj.parent.webViewsPath, pagename);
if (obj.fs.existsSync(p + '.handlebars')) { return p; } // Default document
return null;
Improved meshcentral-web customization support.
2019-08-25 21:08:32 +03:00
}
Added titlehtml domain option.
2019-12-16 22:21:07 +03:00
// Return the correct render page arguments.
Fixed login picture.
2020-09-08 21:44:28 +03:00
function getRenderArgs(xargs, req, domain, page) {
Full minification support in all languages.
2020-05-03 09:49:59 +03:00
var minify = (domain.minify == true);
if (req.query.minify == '1') { minify = true; } else if (req.query.minify == '0') { minify = false; }
xargs.min = minify ? '-min' : '';
Added Device Group Summary Panel, other fixes.
2019-12-18 23:00:08 +03:00
xargs.titlehtml = domain.titlehtml;
xargs.title = (domain.title != null) ? domain.title : 'MeshCentral';
Fixed login picture.
2020-09-08 21:44:28 +03:00
if (
((page == 'login2') && (domain.loginpicture == null) && (domain.titlehtml == null)) ||
((page != 'login2') && (domain.titlepicture == null) && (domain.titlehtml == null))
) {
Added Device Group Summary Panel, other fixes.
2019-12-18 23:00:08 +03:00
if (domain.title == null) {
xargs.title1 = 'MeshCentral';
More work on user device rights.
2020-03-30 08:40:13 +03:00
xargs.title2 = '';
Added Device Group Summary Panel, other fixes.
2019-12-18 23:00:08 +03:00
} else {
xargs.title1 = domain.title;
xargs.title2 = domain.title2 ? domain.title2 : '';
}
} else {
xargs.title1 = domain.title1 ? domain.title1 : '';
Lots of small fixed.
2020-01-30 01:38:41 +03:00
xargs.title2 = (domain.title1 && domain.title2) ? domain.title2 : '';
Added Device Group Summary Panel, other fixes.
2019-12-18 23:00:08 +03:00
}
Fixed quotes in title.
2020-09-08 22:24:07 +03:00
xargs.extitle = encodeURIComponent(xargs.title).split('\'').join('\\\'');
Added Device Group Summary Panel, other fixes.
2019-12-18 23:00:08 +03:00
xargs.domainurl = domain.url;
#2381, can now remove autocomplete on login page.
2021-03-19 08:13:11 +03:00
xargs.autocomplete = (domain.autocomplete === false)?'x':'autocomplete'; // This option allows autocomplete to be turned off on the login page.
Fixed web app interface and server version.
2019-12-21 01:02:49 +03:00
if (typeof domain.hide == 'number') { xargs.hide = domain.hide; }
Added Device Group Summary Panel, other fixes.
2019-12-18 23:00:08 +03:00
return xargs;
Added titlehtml domain option.
2019-12-16 22:21:07 +03:00
}
MQTT improvements, multi-line toast fix.
2019-10-10 01:56:27 +03:00
// Route a command from a agent. domainid, nodeid and meshid are the values of the source agent.
obj.routeAgentCommand = function (command, domainid, nodeid, meshid) {
// Route a message.
// If this command has a sessionid, that is the target.
if (command.sessionid != null) {
if (typeof command.sessionid != 'string') return;
var splitsessionid = command.sessionid.split('/');
// Check that we are in the same domain and the user has rights over this node.
More access control improvements, RPi icon.
2019-12-28 02:18:43 +03:00
if ((splitsessionid.length == 4) && (splitsessionid[0] == 'user') && (splitsessionid[1] == domainid)) {
MQTT improvements, multi-line toast fix.
2019-10-10 01:56:27 +03:00
// Check if this user has rights to get this message
More work on user device rights.
2020-03-30 08:40:13 +03:00
if (obj.GetNodeRights(splitsessionid[0] + '/' + splitsessionid[1] + '/' + splitsessionid[2], meshid, nodeid) == 0) return; // TODO: Check if this is ok
MQTT improvements, multi-line toast fix.
2019-10-10 01:56:27 +03:00
// See if the session is connected. If so, go ahead and send this message to the target node
var ws = obj.wssessions2[command.sessionid];
if (ws != null) {
More work on user device rights.
2020-03-30 08:40:13 +03:00
command.nodeid = nodeid; // Set the nodeid, required for responses.
delete command.sessionid; // Remove the sessionid, since we are sending to that sessionid, so it's implyed.
MQTT improvements, multi-line toast fix.
2019-10-10 01:56:27 +03:00
try { ws.send(JSON.stringify(command)); } catch (ex) { }
} else if (parent.multiServer != null) {
// See if we can send this to a peer server
var serverid = obj.wsPeerSessions2[command.sessionid];
if (serverid != null) {
command.fromNodeid = nodeid;
parent.multiServer.DispatchMessageSingleServer(command, serverid);
}
}
}
} else if (command.userid != null) { // If this command has a userid, that is the target.
if (typeof command.userid != 'string') return;
var splituserid = command.userid.split('/');
// Check that we are in the same domain and the user has rights over this node.
if ((splituserid[0] == 'user') && (splituserid[1] == domainid)) {
// Check if this user has rights to get this message
More work on user device rights.
2020-03-30 08:40:13 +03:00
if (obj.GetNodeRights(command.userid, meshid, nodeid) == 0) return; // TODO: Check if this is ok
MQTT improvements, multi-line toast fix.
2019-10-10 01:56:27 +03:00
// See if the session is connected
var sessions = obj.wssessions[command.userid];
// Go ahead and send this message to the target node
if (sessions != null) {
command.nodeid = nodeid; // Set the nodeid, required for responses.
More work on user device rights.
2020-03-30 08:40:13 +03:00
delete command.userid; // Remove the userid, since we are sending to that userid, so it's implyed.
MQTT improvements, multi-line toast fix.
2019-10-10 01:56:27 +03:00
for (i in sessions) { sessions[i].send(JSON.stringify(command)); }
}
if (parent.multiServer != null) {
// TODO: Add multi-server support
}
}
Fixed agent 'msg' dispatching.
2020-01-08 00:56:26 +03:00
} else { // Route this command to all users with MESHRIGHT_AGENTCONSOLE rights to this device group
MQTT improvements, multi-line toast fix.
2019-10-10 01:56:27 +03:00
command.nodeid = nodeid;
var cmdstr = JSON.stringify(command);
More access control improvements, RPi icon.
2019-12-28 02:18:43 +03:00
Fixed agent 'msg' dispatching.
2020-01-08 00:56:26 +03:00
// Find all connected user sessions with access to this device
More access control improvements, RPi icon.
2019-12-28 02:18:43 +03:00
for (var userid in obj.wssessions) {
var xsessions = obj.wssessions[userid];
More work on user device rights.
2020-03-30 08:40:13 +03:00
if (obj.GetNodeRights(userid, meshid, nodeid) != 0) {
Fixed agent 'msg' dispatching.
2020-01-08 00:56:26 +03:00
// Send the message to all sessions for this user on this server
for (i in xsessions) { try { xsessions[i].send(cmdstr); } catch (e) { } }
}
MQTT improvements, multi-line toast fix.
2019-10-10 01:56:27 +03:00
}
// Send the message to all users of other servers
if (parent.multiServer != null) {
delete command.nodeid;
command.fromNodeid = nodeid;
command.meshid = meshid;
parent.multiServer.DispatchMessage(command);
}
}
}
First MeshCentral with multi-language emails.
2020-04-05 05:29:20 +03:00
// Returns a list of acceptable languages in order
SSO Fixes.
2020-05-27 10:52:31 +03:00
obj.getLanguageCodes = function (req) {
First MeshCentral with multi-language emails.
2020-04-05 05:29:20 +03:00
// If a user set a localization, use that
if ((req.query.lang == null) && (req.session != null) && (req.session.userid)) {
var user = obj.users[req.session.userid];
if ((user != null) && (user.lang != null)) { req.query.lang = user.lang; }
};
Started french translation.
2019-10-22 03:21:49 +03:00
First MeshCentral with multi-language emails.
2020-04-05 05:29:20 +03:00
// Get a list of acceptable languages in order
var acceptLanguages = [];
if (req.query.lang != null) {
acceptLanguages.push(req.query.lang.toLowerCase());
} else {
if (req.headers['accept-language'] != null) {
var acceptLanguageSplit = req.headers['accept-language'].split(';');
for (var i in acceptLanguageSplit) {
var acceptLanguageSplitEx = acceptLanguageSplit[i].split(',');
for (var j in acceptLanguageSplitEx) { if (acceptLanguageSplitEx[j].startsWith('q=') == false) { acceptLanguages.push(acceptLanguageSplitEx[j].toLowerCase()); } }
Translation fixed, some french strings added.
2019-10-22 01:59:20 +03:00
}
}
First MeshCentral with multi-language emails.
2020-04-05 05:29:20 +03:00
}
return acceptLanguages;
}
// Render a page using the proper language
Fixed device notification email language translation, #3513
2022-01-23 11:34:47 +03:00
function render(req, res, filename, args, user) {
First MeshCentral with multi-language emails.
2020-04-05 05:29:20 +03:00
if (obj.renderPages != null) {
// Get the list of acceptable languages in order
var acceptLanguages = obj.getLanguageCodes(req);
Translation fixed, some french strings added.
2019-10-22 01:59:20 +03:00
// Take a look at the options we have for this file
var fileOptions = obj.renderPages[obj.path.basename(filename)];
Started french translation.
2019-10-22 03:21:49 +03:00
if (fileOptions != null) {
for (var i in acceptLanguages) {
Fixed device notification email language translation, #3513
2022-01-23 11:34:47 +03:00
if ((acceptLanguages[i] == 'en') || (acceptLanguages[i].startsWith('en-'))) {
// English requested
args.lang = 'en';
Improved event translation, #3516
2022-01-23 22:03:30 +03:00
if (user && user.llang) { delete user.llang; obj.db.SetUser(user); } // Clear user 'last language' used if needed. Since English is the default, remove "last language".
Fixed device notification email language translation, #3513
2022-01-23 11:34:47 +03:00
break;
}
Improved web page translation selection based on browser information.
2022-03-25 00:14:33 +03:00
// See if a language (like "fr-ca") or short-language (like "fr") matches an available translation file.
var foundLanguage = null;
if (fileOptions[acceptLanguages[i]] != null) { foundLanguage = acceptLanguages[i]; } else {
const ptr = acceptLanguages[i].indexOf('-');
if (ptr >= 0) {
const shortAcceptedLanguage = acceptLanguages[i].substring(0, ptr);
if (fileOptions[shortAcceptedLanguage] != null) { foundLanguage = shortAcceptedLanguage; }
}
}
// If a language is found, render it.
if (foundLanguage != null) {
Improved device group summary page.
2019-12-19 01:57:29 +03:00
// Found a match. If the file no longer exists, default to English.
Improved web page translation selection based on browser information.
2022-03-25 00:14:33 +03:00
obj.fs.exists(fileOptions[foundLanguage] + '.handlebars', function (exists) {
if (exists) { args.lang = foundLanguage; res.render(fileOptions[foundLanguage], args); } else { args.lang = 'en'; res.render(filename, args); }
Fixed web app interface and server version.
2019-12-21 01:02:49 +03:00
});
Improved web page translation selection based on browser information.
2022-03-25 00:14:33 +03:00
if (user && (user.llang != foundLanguage)) { user.llang = foundLanguage; obj.db.SetUser(user); } // Set user 'last language' used if needed.
Improved device group summary page.
2019-12-19 01:57:29 +03:00
return;
Fixed EXDEV error on rename.
2020-02-01 01:44:11 +03:00
}
Started french translation.
2019-10-22 03:21:49 +03:00
}
Translation fixed, some french strings added.
2019-10-22 01:59:20 +03:00
}
}
Fixed device notification email language translation, #3513
2022-01-23 11:34:47 +03:00
// No matches found, render the default English page.
Translation fixed, some french strings added.
2019-10-22 01:59:20 +03:00
res.render(filename, args);
}
// Get the list of pages with different languages that can be rendered
function getRenderList() {
Added --translate to MeshCentral server and allow translated custom web pages to be served.
2020-01-28 04:52:20 +03:00
// Fetch default rendeing pages
Fix rendering page folder problem.
2019-10-23 03:19:17 +03:00
var translateFolder = null;
if (obj.fs.existsSync('views/translations')) { translateFolder = 'views/translations'; }
if (obj.fs.existsSync(obj.path.join(__dirname, 'views', 'translations'))) { translateFolder = obj.path.join(__dirname, 'views', 'translations'); }
if (translateFolder != null) {
Translation fixed, some french strings added.
2019-10-22 01:59:20 +03:00
obj.renderPages = {};
Added language selection.
2019-10-22 21:59:19 +03:00
obj.renderLanguages = ['en'];
Fix rendering page folder problem.
2019-10-23 03:19:17 +03:00
var files = obj.fs.readdirSync(translateFolder);
Translation fixed, some french strings added.
2019-10-22 01:59:20 +03:00
for (var i in files) {
var name = files[i];
if (name.endsWith('.handlebars')) {
name = name.substring(0, name.length - 11);
var xname = name.split('_');
if (xname.length == 2) {
if (obj.renderPages[xname[0]] == null) { obj.renderPages[xname[0]] = {}; }
Fix rendering page folder problem.
2019-10-23 03:19:17 +03:00
obj.renderPages[xname[0]][xname[1]] = obj.path.join(translateFolder, name);
Added language selection.
2019-10-22 21:59:19 +03:00
if (obj.renderLanguages.indexOf(xname[1]) == -1) { obj.renderLanguages.push(xname[1]); }
Translation fixed, some french strings added.
2019-10-22 01:59:20 +03:00
}
}
}
Added --translate to MeshCentral server and allow translated custom web pages to be served.
2020-01-28 04:52:20 +03:00
// See if there are any custom rending pages that will override the default ones
Fixed server crash when meshcentral-web has no translations.
2020-01-28 20:41:35 +03:00
if ((obj.parent.webViewsOverridePath != null) && (obj.fs.existsSync(obj.path.join(obj.parent.webViewsOverridePath, 'translations')))) {
translateFolder = obj.path.join(obj.parent.webViewsOverridePath, 'translations');
Added --translate to MeshCentral server and allow translated custom web pages to be served.
2020-01-28 04:52:20 +03:00
var files = obj.fs.readdirSync(translateFolder);
for (var i in files) {
var name = files[i];
if (name.endsWith('.handlebars')) {
name = name.substring(0, name.length - 11);
var xname = name.split('_');
if (xname.length == 2) {
if (obj.renderPages[xname[0]] == null) { obj.renderPages[xname[0]] = {}; }
obj.renderPages[xname[0]][xname[1]] = obj.path.join(translateFolder, name);
if (obj.renderLanguages.indexOf(xname[1]) == -1) { obj.renderLanguages.push(xname[1]); }
}
}
}
}
Translation fixed, some french strings added.
2019-10-22 01:59:20 +03:00
}
}
First MeshCentral with multi-language emails.
2020-04-05 05:29:20 +03:00
// Get the list of pages with different languages that can be rendered
function getEmailLanguageList() {
// Fetch default rendeing pages
var translateFolder = null;
if (obj.fs.existsSync('emails/translations')) { translateFolder = 'emails/translations'; }
if (obj.fs.existsSync(obj.path.join(__dirname, 'emails', 'translations'))) { translateFolder = obj.path.join(__dirname, 'emails', 'translations'); }
if (translateFolder != null) {
obj.emailLanguages = ['en'];
var files = obj.fs.readdirSync(translateFolder);
for (var i in files) {
var name = files[i];
if (name.endsWith('.html')) {
name = name.substring(0, name.length - 5);
var xname = name.split('_');
if (xname.length == 2) {
if (obj.emailLanguages.indexOf(xname[1]) == -1) { obj.emailLanguages.push(xname[1]); }
}
}
}
// See if there are any custom rending pages that will override the default ones
if ((obj.parent.webEmailsOverridePath != null) && (obj.fs.existsSync(obj.path.join(obj.parent.webEmailsOverridePath, 'translations')))) {
translateFolder = obj.path.join(obj.parent.webEmailsOverridePath, 'translations');
var files = obj.fs.readdirSync(translateFolder);
for (var i in files) {
var name = files[i];
if (name.endsWith('.html')) {
name = name.substring(0, name.length - 5);
var xname = name.split('_');
if (xname.length == 2) {
if (obj.emailLanguages.indexOf(xname[1]) == -1) { obj.emailLanguages.push(xname[1]); }
}
}
}
}
}
}
More web push progress.
2021-02-10 02:31:50 +03:00
// Perform a web push to a user
// If any of the push fail, remove the subscription from the user's webpush subscription list.
obj.performWebPush = function (domain, user, payload, options) {
if ((parent.webpush == null) || (Array.isArray(user.webpush) == false) || (user.webpush.length == 0)) return;
var completionFunc = function pushCompletionFunc(sub, fail) {
pushCompletionFunc.failCount += fail;
if (--pushCompletionFunc.pushCount == 0) {
if (pushCompletionFunc.failCount > 0) {
var user = pushCompletionFunc.user, newwebpush = [];
for (var i in user.webpush) { if (user.webpush[i].fail == null) { newwebpush.push(user.webpush[i]); } }
user.webpush = newwebpush;
// Update the database
obj.db.SetUser(user);
// Event the change
var message = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', domain: domain.id, nolog: 1 };
if (db.changeStream) { message.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
var targets = ['*', 'server-users', user._id];
if (user.groups) { for (var i in user.groups) { targets.push('server-users:' + i); } }
parent.DispatchEvent(targets, obj, message);
}
}
}
completionFunc.pushCount = user.webpush.length;
completionFunc.user = user;
completionFunc.domain = domain;
completionFunc.failCount = 0;
for (var i in user.webpush) {
var errorFunc = function pushErrorFunc(error) { pushErrorFunc.sub.fail = 1; pushErrorFunc.call(pushErrorFunc.sub, 1); }
errorFunc.sub = user.webpush[i];
errorFunc.call = completionFunc;
var successFunc = function pushSuccessFunc(value) { pushSuccessFunc.call(pushSuccessFunc.sub, 0); }
successFunc.sub = user.webpush[i];
successFunc.call = completionFunc;
parent.webpush.sendNotification(user.webpush[i], JSON.stringify(payload), options).then(successFunc, errorFunc);
}
}
Improved Android push messaging token handling.
2021-02-23 03:54:30 +03:00
// Insure exclusivity of a push messaging token for Android device
obj.removePmtFromAllOtherNodes = function (node) {
if (typeof node.pmt != 'string') return;
db.Get('pmt_' + node.pmt, function (err, docs) {
if ((err == null) && (docs.length == 1)) {
var oldNodeId = docs[0].nodeid;
db.Get(oldNodeId, function (nerr, ndocs) {
if ((nerr == null) && (ndocs.length == 1)) {
var oldNode = ndocs[0];
if (oldNode.pmt == node.pmt) {
// Remove the push messaging token and save the node.
delete oldNode.pmt;
db.Set(oldNode);
// Event the node change
var event = { etype: 'node', action: 'changenode', nodeid: oldNode._id, domain: oldNode.domain, node: obj.CloneSafeNode(oldNode) }
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the mesh. Another event will come.
parent.DispatchEvent(['*', oldNode.meshid, oldNode._id], obj, event);
}
}
});
}
db.Set({ _id: 'pmt_' + node.pmt, type: 'pmt', domain: node.domain, time: Date.now(), nodeid: node._id })
});
}
Started work on mobile web site
2018-05-22 02:36:51 +03:00
// Return true if a mobile browser is detected.
Improved Windows agent crash logs and mobile phone login page
2018-05-24 07:43:44 +03:00
// This code comes from "http://detectmobilebrowsers.com/" and was modified, This is free and unencumbered software released into the public domain. For more information, please refer to the http://unlicense.org/
Added mesh screen to mobile web page
2018-05-30 02:57:08 +03:00
function isMobileBrowser(req) {
//var ua = req.headers['user-agent'].toLowerCase();
//return (/(android|bb\d+|meego).+mobile|mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(ua) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(ua.substr(0, 4)));
Partinally ran code thru JsHint
2018-08-30 03:40:30 +03:00
if (typeof req.headers['user-agent'] != 'string') return false;
Added mesh screen to mobile web page
2018-05-30 02:57:08 +03:00
return (req.headers['user-agent'].toLowerCase().indexOf('mobile') >= 0);
Started work on mobile web site
2018-05-22 02:36:51 +03:00
}
Added view previous logins.
2021-02-26 11:58:38 +03:00
// Return decoded user agent information
function getUserAgentInfo(req) {
var browser = 'Unknown', os = 'Unknown';
try {
const ua = obj.uaparser(req.headers['user-agent']);
if (ua.browser && ua.browser.name) { ua.browserStr = ua.browser.name; if (ua.browser.version) { ua.browserStr += '/' + ua.browser.version } }
if (ua.os && ua.os.name) { ua.osStr = ua.os.name; if (ua.os.version) { ua.osStr += '/' + ua.os.version } }
return ua;
} catch (ex) { return { browserStr: browser, osStr: os } }
}
Added invitation link email, server fixes and improvements.
2019-06-12 20:23:26 +03:00
// Return the query string portion of the URL, the ? and anything after.
function getQueryPortion(req) { var s = req.url.indexOf('?'); if (s == -1) { if (req.body && req.body.urlargs) { return req.body.urlargs; } return ''; } return req.url.substring(s); }
New Intel AMT ACM activation with MeshCMD
2019-06-22 03:18:48 +03:00
// Generate a random Intel AMT password
function checkAmtPassword(p) { return (p.length > 7) && (/\d/.test(p)) && (/[a-z]/.test(p)) && (/[A-Z]/.test(p)) && (/\W/.test(p)); }
function getRandomAmtPassword() { var p; do { p = Buffer.from(obj.crypto.randomBytes(9), 'binary').toString('base64').split('/').join('@'); } while (checkAmtPassword(p) == false); return p; }
Added Intel AMT session recording
2019-08-08 02:07:12 +03:00
function getRandomPassword() { return Buffer.from(obj.crypto.randomBytes(9), 'binary').toString('base64').split('/').join('@'); }
Randomized Intel AMT Env Detection.
2019-11-16 01:36:41 +03:00
function getRandomLowerCase(len) { var r = '', random = obj.crypto.randomBytes(len); for (var i = 0; i < len; i++) { r += String.fromCharCode(97 + (random[i] % 26)); } return r; }
New Intel AMT ACM activation with MeshCMD
2019-06-22 03:18:48 +03:00
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
// Generate a 8 digit integer with even random probability for each value.
function getRandomEightDigitInteger() { var bigInt; do { bigInt = parent.crypto.randomBytes(4).readUInt32BE(0); } while (bigInt >= 4200000000); return bigInt % 100000000; }
More work on SMS integration, added Plivo support.
2020-04-23 01:29:26 +03:00
function getRandomSixDigitInteger() { var bigInt; do { bigInt = parent.crypto.randomBytes(4).readUInt32BE(0); } while (bigInt >= 4200000000); return bigInt % 1000000; }
Email based 2FA almost completed.
2020-03-14 06:39:21 +03:00
Node 6.x cbor fix.
2019-08-08 00:25:23 +03:00
// Clean a IPv6 address that encodes a IPv4 address
Fixed IPv6 issue with session binding and added device group name to CIRA script.
2019-09-20 20:41:31 +03:00
function cleanRemoteAddr(addr) { if (typeof addr != 'string') { return null; } if (addr.indexOf('::ffff:') == 0) { return addr.substring(7); } else { return addr; } }
Node 6.x cbor fix.
2019-08-08 00:25:23 +03:00
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
// Set the content disposition header for a HTTP response.
// Because the filename can't have any special characters in it, we need to be extra careful.
function setContentDispositionHeader(res, type, name, size, altname) {
Fixed international download filenames.
2021-02-04 23:27:14 +03:00
var name = require('path').basename(name).split('\\').join('').split('/').join('').split(':').join('').split('*').join('').split('?').join('').split('"').join('').split('<').join('').split('>').join('').split('|').join('').split('\'').join('');
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
try {
Fixed file.bin download name
2021-02-05 06:00:22 +03:00
var x = { 'Cache-Control': 'no-store', 'Content-Type': type, 'Content-Disposition': 'attachment; filename="' + encodeURIComponent(name) + '"' };
Fixed content disposition crashes.
2020-10-23 23:49:38 +03:00
if (typeof size == 'number') { x['Content-Length'] = size; }
res.set(x);
} catch (ex) {
var x = { 'Cache-Control': 'no-store', 'Content-Type': type, 'Content-Disposition': 'attachment; filename="' + altname + '"' };
if (typeof size == 'number') { x['Content-Length'] = size; }
res.set(x);
}
}
Node 6.x cbor fix.
2019-08-08 00:25:23 +03:00
// Record a new entry in a recording log
Improved session recording support.
2019-08-13 21:49:05 +03:00
function recordingEntry(fd, type, flags, data, func, tag) {
Node 6.x cbor fix.
2019-08-08 00:25:23 +03:00
try {
if (typeof data == 'string') {
// String write
var blockData = Buffer.from(data), header = Buffer.alloc(16); // Header: Type (2) + Flags (2) + Size(4) + Time(8)
header.writeInt16BE(type, 0); // Type (1 = Header, 2 = Network Data)
header.writeInt16BE(flags, 2); // Flags (1 = Binary, 2 = User)
header.writeInt32BE(blockData.length, 4); // Size
header.writeIntBE(new Date(), 10, 6); // Time
var block = Buffer.concat([header, blockData]);
Improved session recording support.
2019-08-13 21:49:05 +03:00
obj.fs.write(fd, block, 0, block.length, function () { func(fd, tag); });
Node 6.x cbor fix.
2019-08-08 00:25:23 +03:00
} else {
// Binary write
var header = Buffer.alloc(16); // Header: Type (2) + Flags (2) + Size(4) + Time(8)
header.writeInt16BE(type, 0); // Type (1 = Header, 2 = Network Data)
header.writeInt16BE(flags | 1, 2); // Flags (1 = Binary, 2 = User)
header.writeInt32BE(data.length, 4); // Size
header.writeIntBE(new Date(), 10, 6); // Time
var block = Buffer.concat([header, data]);
Improved session recording support.
2019-08-13 21:49:05 +03:00
obj.fs.write(fd, block, 0, block.length, function () { func(fd, tag); });
Node 6.x cbor fix.
2019-08-08 00:25:23 +03:00
}
Improved session recording support.
2019-08-13 21:49:05 +03:00
} catch (ex) { console.log(ex); func(fd, tag); }
Node 6.x cbor fix.
2019-08-08 00:25:23 +03:00
}
Added CloudFlare auto-loading of trusted proxy IP addresses.
2020-12-11 00:56:15 +03:00
// Perform a IP match against a list
function isIPMatch(ip, matchList) {
const ipcheck = require('ipcheck');
for (var i in matchList) { if (ipcheck.match(ip, matchList[i]) == true) return true; }
return false;
}
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
// This is the invalid login throttling code
obj.badLoginTable = {};
obj.badLoginTableLastClean = 0;
if (parent.config.settings == null) { parent.config.settings = {}; }
Fixed loginkey, allow invalid login filter to be disabled.
2020-02-18 21:57:39 +03:00
if (parent.config.settings.maxinvalidlogin !== false) {
if (typeof parent.config.settings.maxinvalidlogin != 'object') { parent.config.settings.maxinvalidlogin = { time: 10, count: 10 }; }
if (typeof parent.config.settings.maxinvalidlogin.time != 'number') { parent.config.settings.maxinvalidlogin.time = 10; }
if (typeof parent.config.settings.maxinvalidlogin.count != 'number') { parent.config.settings.maxinvalidlogin.count = 10; }
if ((typeof parent.config.settings.maxinvalidlogin.coolofftime != 'number') || (parent.config.settings.maxinvalidlogin.coolofftime < 1)) { parent.config.settings.maxinvalidlogin.coolofftime = null; }
}
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
obj.setbadLogin = function (ip) { // Set an IP address that just did a bad login request
Fixed loginkey, allow invalid login filter to be disabled.
2020-02-18 21:57:39 +03:00
if (parent.config.settings.maxinvalidlogin === false) return;
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (typeof ip == 'object') { ip = ip.clientIp; }
Added exclusion to MaxInvalidLogin. #3192
2021-10-14 03:15:26 +03:00
if (parent.config.settings.maxinvalidlogin != null) {
if (typeof parent.config.settings.maxinvalidlogin.exclude == 'string') {
const excludeSplit = parent.config.settings.maxinvalidlogin.exclude.split(',');
for (var i in excludeSplit) { if (require('ipcheck').match(ip, excludeSplit[i])) return; }
} else if (Array.isArray(parent.config.settings.maxinvalidlogin.exclude)) {
for (var i in parent.config.settings.maxinvalidlogin.exclude) { if (require('ipcheck').match(ip, parent.config.settings.maxinvalidlogin.exclude[i])) return; }
}
}
Added plug-in tab back button, Bad user login limitor is now per-public IPv4 subnet.
2020-01-11 03:25:02 +03:00
var splitip = ip.split('.');
if (splitip.length == 4) { ip = (splitip[0] + '.' + splitip[1] + '.' + splitip[2] + '.*'); }
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
if (++obj.badLoginTableLastClean > 100) { obj.cleanBadLoginTable(); }
Added bad login IP blocking cooloff support.
2019-11-20 00:33:52 +03:00
if (typeof obj.badLoginTable[ip] == 'number') { if (obj.badLoginTable[ip] < Date.now()) { delete obj.badLoginTable[ip]; } else { return; } } // Check cooloff period
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
if (obj.badLoginTable[ip] == null) { obj.badLoginTable[ip] = [Date.now()]; } else { obj.badLoginTable[ip].push(Date.now()); }
Added bad login IP blocking cooloff support.
2019-11-20 00:33:52 +03:00
if ((obj.badLoginTable[ip].length >= parent.config.settings.maxinvalidlogin.count) && (parent.config.settings.maxinvalidlogin.coolofftime != null)) {
obj.badLoginTable[ip] = Date.now() + (parent.config.settings.maxinvalidlogin.coolofftime * 60000); // Move to cooloff period
}
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
}
obj.checkAllowLogin = function (ip) { // Check if an IP address is allowed to login
Fixed loginkey, allow invalid login filter to be disabled.
2020-02-18 21:57:39 +03:00
if (parent.config.settings.maxinvalidlogin === false) return true;
Added CloudFlare Support, improved reverse-proxy HTTP header handling.
2020-05-22 07:25:11 +03:00
if (typeof ip == 'object') { ip = ip.clientIp; }
Added plug-in tab back button, Bad user login limitor is now per-public IPv4 subnet.
2020-01-11 03:25:02 +03:00
var splitip = ip.split('.');
if (splitip.length == 4) { ip = (splitip[0] + '.' + splitip[1] + '.' + splitip[2] + '.*'); } // If this is IPv4, keep only the 3 first
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
var cutoffTime = Date.now() - (parent.config.settings.maxinvalidlogin.time * 60000); // Time in minutes
var ipTable = obj.badLoginTable[ip];
if (ipTable == null) return true;
Added bad login IP blocking cooloff support.
2019-11-20 00:33:52 +03:00
if (typeof ipTable == 'number') { if (obj.badLoginTable[ip] < Date.now()) { delete obj.badLoginTable[ip]; } else { return false; } } // Check cooloff period
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
while ((ipTable.length > 0) && (ipTable[0] < cutoffTime)) { ipTable.shift(); }
if (ipTable.length == 0) { delete obj.badLoginTable[ip]; return true; }
return (ipTable.length < parent.config.settings.maxinvalidlogin.count); // No more than x bad logins in x minutes
}
obj.cleanBadLoginTable = function () { // Clean up the IP address login blockage table, we do this occasionaly.
Fixed loginkey, allow invalid login filter to be disabled.
2020-02-18 21:57:39 +03:00
if (parent.config.settings.maxinvalidlogin === false) return;
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
var cutoffTime = Date.now() - (parent.config.settings.maxinvalidlogin.time * 60000); // Time in minutes
Added bad login IP blocking cooloff support.
2019-11-20 00:33:52 +03:00
for (var ip in obj.badLoginTable) {
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
var ipTable = obj.badLoginTable[ip];
Added bad login IP blocking cooloff support.
2019-11-20 00:33:52 +03:00
if (typeof ipTable == 'number') {
if (obj.badLoginTable[ip] < Date.now()) { delete obj.badLoginTable[ip]; } // Check cooloff period
} else {
while ((ipTable.length > 0) && (ipTable[0] < cutoffTime)) { ipTable.shift(); }
if (ipTable.length == 0) { delete obj.badLoginTable[ip]; }
}
Added bad login IP address limitation.
2019-11-19 04:31:42 +03:00
}
obj.badLoginTableLastClean = 0;
}
Added 2FA rate limiting, #3393
2022-01-04 00:12:10 +03:00
// This is the invalid 2FA throttling code
obj.bad2faTable = {};
obj.bad2faTableLastClean = 0;
if (parent.config.settings == null) { parent.config.settings = {}; }
if (parent.config.settings.maxinvalid2fa !== false) {
if (typeof parent.config.settings.maxinvalid2fa != 'object') { parent.config.settings.maxinvalid2fa = { time: 10, count: 10 }; }
if (typeof parent.config.settings.maxinvalid2fa.time != 'number') { parent.config.settings.maxinvalid2fa.time = 10; }
if (typeof parent.config.settings.maxinvalid2fa.count != 'number') { parent.config.settings.maxinvalid2fa.count = 10; }
if ((typeof parent.config.settings.maxinvalid2fa.coolofftime != 'number') || (parent.config.settings.maxinvalid2fa.coolofftime < 1)) { parent.config.settings.maxinvalid2fa.coolofftime = null; }
}
obj.setbad2Fa = function (ip) { // Set an IP address that just did a bad 2FA request
if (parent.config.settings.maxinvalid2fa === false) return;
if (typeof ip == 'object') { ip = ip.clientIp; }
if (parent.config.settings.maxinvalid2fa != null) {
if (typeof parent.config.settings.maxinvalid2fa.exclude == 'string') {
const excludeSplit = parent.config.settings.maxinvalid2fa.exclude.split(',');
for (var i in excludeSplit) { if (require('ipcheck').match(ip, excludeSplit[i])) return; }
} else if (Array.isArray(parent.config.settings.maxinvalid2fa.exclude)) {
for (var i in parent.config.settings.maxinvalid2fa.exclude) { if (require('ipcheck').match(ip, parent.config.settings.maxinvalid2fa.exclude[i])) return; }
}
}
var splitip = ip.split('.');
if (splitip.length == 4) { ip = (splitip[0] + '.' + splitip[1] + '.' + splitip[2] + '.*'); }
if (++obj.bad2faTableLastClean > 100) { obj.cleanBad2faTable(); }
if (typeof obj.bad2faTable[ip] == 'number') { if (obj.bad2faTable[ip] < Date.now()) { delete obj.bad2faTable[ip]; } else { return; } } // Check cooloff period
if (obj.bad2faTable[ip] == null) { obj.bad2faTable[ip] = [Date.now()]; } else { obj.bad2faTable[ip].push(Date.now()); }
if ((obj.bad2faTable[ip].length >= parent.config.settings.maxinvalid2fa.count) && (parent.config.settings.maxinvalid2fa.coolofftime != null)) {
obj.bad2faTable[ip] = Date.now() + (parent.config.settings.maxinvalid2fa.coolofftime * 60000); // Move to cooloff period
}
}
obj.checkAllow2Fa = function (ip) { // Check if an IP address is allowed to perform 2FA
if (parent.config.settings.maxinvalid2fa === false) return true;
if (typeof ip == 'object') { ip = ip.clientIp; }
var splitip = ip.split('.');
if (splitip.length == 4) { ip = (splitip[0] + '.' + splitip[1] + '.' + splitip[2] + '.*'); } // If this is IPv4, keep only the 3 first
var cutoffTime = Date.now() - (parent.config.settings.maxinvalid2fa.time * 60000); // Time in minutes
var ipTable = obj.bad2faTable[ip];
if (ipTable == null) return true;
if (typeof ipTable == 'number') { if (obj.bad2faTable[ip] < Date.now()) { delete obj.bad2faTable[ip]; } else { return false; } } // Check cooloff period
while ((ipTable.length > 0) && (ipTable[0] < cutoffTime)) { ipTable.shift(); }
if (ipTable.length == 0) { delete obj.bad2faTable[ip]; return true; }
return (ipTable.length < parent.config.settings.maxinvalid2fa.count); // No more than x bad 2FAs in x minutes
}
obj.cleanBad2faTable = function () { // Clean up the IP address 2FA blockage table, we do this occasionaly.
if (parent.config.settings.maxinvalid2fa === false) return;
var cutoffTime = Date.now() - (parent.config.settings.maxinvalid2fa.time * 60000); // Time in minutes
for (var ip in obj.bad2faTable) {
var ipTable = obj.bad2faTable[ip];
if (typeof ipTable == 'number') {
if (obj.bad2faTable[ip] < Date.now()) { delete obj.bad2faTable[ip]; } // Check cooloff period
} else {
while ((ipTable.length > 0) && (ipTable[0] < cutoffTime)) { ipTable.shift(); }
if (ipTable.length == 0) { delete obj.bad2faTable[ip]; }
}
}
obj.bad2faTableLastClean = 0;
}
Removed auth data from websocket connection URL.
2021-11-04 04:52:11 +03:00
// Hold a websocket until additional arguments are provided within the socket.
// This is a generic function that can be used for any websocket to avoid passing arguments in the URL.
function getWebsocketArgs(ws, req, func) {
if (req.query.moreargs != '1') {
// No more arguments needed, pass the websocket thru
func(ws, req);
} else {
// More arguments are needed
delete req.query.moreargs;
const xfunc = function getWebsocketArgsEx(msg) {
var command = null;
try { command = JSON.parse(msg.toString('utf8')); } catch (e) { return; }
if ((command != null) && (command.action === 'urlargs') && (typeof command.args == 'object')) {
for (var i in command.args) { getWebsocketArgsEx.req.query[i] = command.args[i]; }
ws.removeEventListener('message', getWebsocketArgsEx);
getWebsocketArgsEx.func(getWebsocketArgsEx.ws, getWebsocketArgsEx.req);
}
}
xfunc.ws = ws;
xfunc.req = req;
xfunc.func = func;
ws.on('message', xfunc);
}
}
Added user session destruction on logout for improved security.
2022-01-07 02:05:45 +03:00
// Set a random value to this session. Only works if the session has a userid.
// This random value along with the userid is used to destroy the session when logging out.
function setSessionRandom(req) {
if ((req.session == null) || (req.session.userid == null) || (req.session.x != null)) return;
var x = obj.crypto.randomBytes(6).toString('base64');
while (obj.destroyedSessions[req.session.userid + '/' + x] != null) { x = obj.crypto.randomBytes(6).toString('base64'); }
req.session.x = x;
}
// Remove all destroyed sessions after 2 hours, these sessions would have timed out anyway.
function clearDestroyedSessions() {
var toRemove = [], t = Date.now() - (2 * 60 * 60 * 1000);
for (var i in obj.destroyedSessions) { if (obj.destroyedSessions[i] < t) { toRemove.push(i); } }
for (var i in toRemove) { delete obj.destroyedSessions[toRemove[i]]; }
}
Added agent foreground and background color support (for future agent release)
2022-02-17 07:51:36 +03:00
// Check and/or convert the agent color value into a correct string or return empty string.
function checkAgentColorString(header, value) {
if ((typeof header !== 'string') || (typeof value !== 'string')) return '';
if (value.startsWith('#') && (value.length == 7)) {
// Convert color in hex format
value = parseInt(value.substring(1, 3), 16) + ',' + parseInt(value.substring(3, 5), 16) + ',' + parseInt(value.substring(5, 7), 16);
} else {
// Check color in decimal format
const valueSplit = value.split(',');
if (valueSplit.length != 3) return '';
const r = parseInt(valueSplit[0]), g = parseInt(valueSplit[1]), b = parseInt(valueSplit[2]);
if (isNaN(r) || (r < 0) || (r > 255) || isNaN(g) || (g < 0) || (g > 255) || isNaN(b) || (b < 0) || (b > 255)) return '';
value = r + ',' + g + ',' + b;
}
return header + value + '\r\n';
}
Initial main commit
2017-08-28 19:27:45 +03:00
return obj;
Update webserver.js Resend email verification email for current user
2022-03-15 03:33:43 +03:00
};
Reference in New Issue Copy Permalink