From 74930c10df56ace070995ab11873ac3fc87eaa72 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Fri, 7 Jun 2019 17:11:56 -0700 Subject: [PATCH] Fixed invitation link encryption key. --- meshcentral.js | 10 ++++++++++ meshuser.js | 2 +- package.json | 2 +- webserver.js | 2 +- 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/meshcentral.js b/meshcentral.js index 3414ad74..8a552eef 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -59,6 +59,7 @@ function CreateMeshCentralServer(config, args) { obj.currentVer = null; obj.serverKey = Buffer.from(obj.crypto.randomBytes(48), 'binary'); obj.loginCookieEncryptionKey = null; + obj.invitationLinkEncryptionKey = null; obj.serverSelfWriteAllowed = true; obj.serverStatsCounter = Math.floor(Math.random() * 1000); obj.taskLimiter = obj.common.createTaskLimiterQueue(50, 20, 60); // (maxTasks, maxTaskTime, cleaningInterval) This is a task limiter queue to smooth out server work. @@ -836,6 +837,15 @@ function CreateMeshCentralServer(config, args) { }); } + // Load the invitation link encryption key from the database + obj.db.Get('InvitationLinkEncryptionKey', function (err, docs) { + if ((docs.length > 0) && (docs[0].key != null) && (docs[0].key.length >= 160)) { + obj.invitationLinkEncryptionKey = Buffer.from(docs[0].key, 'hex'); + } else { + obj.invitationLinkEncryptionKey = obj.generateCookieKey(); obj.db.Set({ _id: 'InvitationLinkEncryptionKey', key: obj.invitationLinkEncryptionKey.toString('hex'), time: Date.now() }); + } + }); + // Start collecting server stats every 5 minutes setInterval(function () { obj.serverStatsCounter++; diff --git a/meshuser.js b/meshuser.js index 841232a1..46981672 100644 --- a/meshuser.js +++ b/meshuser.js 
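Review bot: `obj.invitationLinkEncryptionKey` starts as `null` in the first meshcentral.js hunk and is only filled in later by the asynchronous `obj.db.Get` callback in the second hunk, yet the meshuser.js and webserver.js hunks pass it straight to `encodeCookie` / `decodeCookie` with no null check. What those helpers do with a null key is not visible in this patch; if they fall back to another key or throw, a link created or opened before the load finishes will not verify under the persisted key. I would guard both call sites, e.g. `if (parent.parent.invitationLinkEncryptionKey == null) break;` in meshuser.js and `if (obj.parent.invitationLinkEncryptionKey == null) { res.sendStatus(404); return; }` in webserver.js, or hold off serving requests until the key is loaded. A short comment on the initialiser, such as `// Populated asynchronously from the database record 'InvitationLinkEncryptionKey'`, would document the lifecycle.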
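Review bot: The `obj.db.Get` callback in the second meshcentral.js hunk ignores `err` and reads `docs.length` unconditionally, so a failed read that passes no `docs` throws inside the callback, and a failed read that passes an empty result takes the `else` branch and overwrites the stored key through `obj.db.Set`, which invalidates every outstanding invitation link. The `>= 160` test also measures the hex string rather than the decoded buffer, and `Buffer.from(..., 'hex')` stops at the first non-hex character, so a damaged record can yield a shorter key than intended. I would check `err`, validate the decoded length (80 bytes, assuming that is what `generateCookieKey()` returns, which is not shown here), and persist a new key only when the read itself succeeded. Logging whenever a new key is generated would give operators a signal that existing links have stopped working.

```javascript
obj.db.Get('InvitationLinkEncryptionKey', function (err, docs) {
    var storedKey = null;
    if ((err == null) && (docs != null) && (docs.length > 0) && (typeof docs[0].key == 'string')) {
        storedKey = Buffer.from(docs[0].key, 'hex'); // Decoding stops at the first non-hex character, so the decoded length is checked below
    }
    if ((storedKey != null) && (storedKey.length >= 80)) {
        obj.invitationLinkEncryptionKey = storedKey;
    } else {
        obj.invitationLinkEncryptionKey = obj.generateCookieKey();
        // Persist only after a clean read, so a transient database error does not replace a valid stored key
        if (err == null) { obj.db.Set({ _id: 'InvitationLinkEncryptionKey', key: obj.invitationLinkEncryptionKey.toString('hex'), time: Date.now() }); }
    }
});
```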
@@ -2509,7 +2509,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
 if (common.validateInt(command.flags, 0, 256) == false) break; // Check the flags
 var mesh = parent.meshes[command.meshid];
 if (mesh == null) break;
- const inviteCookie = parent.parent.encodeCookie({ a: 4, mid: command.meshid, f: command.flags, expire: command.expire * 60 }, parent.parent.loginCookieEncryptionKey);
+ const inviteCookie = parent.parent.encodeCookie({ a: 4, mid: command.meshid, f: command.flags, expire: command.expire * 60 }, parent.parent.invitationLinkEncryptionKey);
 if (inviteCookie == null) break;
 ws.send(JSON.stringify({ action: 'createInviteLink', meshid: command.meshid, expire: command.expire, cookie: inviteCookie }));
 break;
diff --git a/package.json b/package.json
index 57177556..b5006890 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "meshcentral",
- "version": "0.3.6-h",
+ "version": "0.3.6-i",
 "keywords": [
 "Remote Management",
 "Intel AMT",
diff --git a/webserver.js b/webserver.js
index e6fe902b..7819604f 100644
--- a/webserver.js
+++ b/webserver.js
@@ -1070,7 +1070,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 if ((domain == null) || ((req.query.m == null) && (req.query.c == null))) { res.sendStatus(404); return; }
 if (req.query.c != null) {
 // A cookie is specified in the query string, use that
- var cookie = obj.parent.decodeCookie(req.query.c, obj.parent.loginCookieEncryptionKey);
+ var cookie = obj.parent.decodeCookie(req.query.c, obj.parent.invitationLinkEncryptionKey);
 if (cookie == null) { res.sendStatus(404); return; }
 var mesh = obj.meshes[cookie.mid];
 if (mesh == null) { res.sendStatus(404); return; }
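Review bot: Between the `parent.meshes[command.meshid]` lookup and the `encodeCookie` call in the meshuser.js hunk, the visible lines only confirm that the mesh exists; nothing here checks that the requesting user holds rights on that mesh before an invitation cookie naming it in `mid` is issued. The `case` body starts above the hunk, so the check may already be there; if it is not, it belongs just before `const inviteCookie`. `command.expire` is also multiplied by 60 on the new line, so it should be range-checked the same way `command.flags` is, e.g. `if (common.validateInt(command.expire, 0, MAX_EXPIRE) == false) break;` (`MAX_EXPIRE` is a placeholder), unless that too happens above the hunk.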
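Review bot: After `decodeCookie` succeeds in the webserver.js hunk, the visible lines use `cookie.mid` without confirming that the decoded object is an invitation (`a: 4`, as set in meshuser.js). The dedicated key now makes a login cookie fail at decryption, but an explicit type check is cheap defence in depth should the key ever be shared again: `if ((cookie == null) || (cookie.a != 4)) { res.sendStatus(404); return; }`. With Express's default query parsing `req.query.c` can also arrive as an array or object when the parameter is repeated, so a `typeof req.query.c == 'string'` test before decoding keeps non-string input out of `decodeCookie`. The handler continues past the end of the hunk, so either check may already exist further down.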