Removed SSPI auth retrieveGroups to reduce cookie size.

Ylian Saint-Hilaire 2021-09-02 17:52:37 -07:00
parent 2bdf6ce6af
commit 8b93655638
2 changed files with 7 additions and 4 deletions


@ -6168,7 +6168,8 @@
else if (n.tag == 'console') gotoDevice(n.nodeid, 15); // Files
else gotoDevice(n.nodeid, 10); // General
} else {
if ((n.tag != null) && n.tag.startsWith('meshmessenger/')) {
if ((n.tag == 'backupcodes') && !xxdialogMode) { account_manageOtp(0); notificationDelete(id); } // 2FA backup codes
else if ((n.tag != null) && n.tag.startsWith('meshmessenger/')) {
safeNewWindow('/messenger?id=' + n.tag + '&title=' + encodeURIComponentEx(n.username), n.tag.split('/')[2]);
notificationDelete(id);
} else if (n.url != null) {
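Review bot: When `n.tag == 'backupcodes'` and `xxdialogMode` is set, the new first branch is skipped and control falls through the `meshmessenger/` test into the `n.url != null` branch, so the click is handled by whatever the rest of the chain does and the notification is never deleted. If ignoring the click while a dialog is open is intended, a comment such as `// Dialog already open: leave the backup-codes notification in place` would make that clear; otherwise test the tag first and check `xxdialogMode` inside that branch. The chain continues past the end of the hunk, so the later branches are not visible here.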


@ -125,7 +125,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Setup SSPI authentication if needed
if ((obj.parent.platform == 'win32') && (obj.args.nousers != true) && (obj.parent.config != null) && (obj.parent.config.domains != null)) {
for (i in obj.parent.config.domains) { if (obj.parent.config.domains[i].auth == 'sspi') { var nodeSSPI = require('node-sspi'); obj.parent.config.domains[i].sspi = new nodeSSPI({ retrieveGroups: true, offerBasic: false }); } }
for (i in obj.parent.config.domains) { if (obj.parent.config.domains[i].auth == 'sspi') { var nodeSSPI = require('node-sspi'); obj.parent.config.domains[i].sspi = new nodeSSPI({ retrieveGroups: false, offerBasic: false }); } }
}
// Perform hash on web certificate and agent certificate
@ -2454,7 +2454,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
} else if (req.query.user && req.query.pass) {
// User credentials are being passed in the URL. WARNING: Putting credentials in a URL is bad security... but people are requesting this option.
obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid, passhint, loginOptions) {
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + req.connection.user + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); }
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + userid + ' from ' + req.clientIp + ' port ' + req.connection.remotePort); }
parent.debug('web', 'handleRootRequest: user/pass in URL auth ok.');
req.session.userid = userid;
delete req.session.currentNode;
@ -4869,8 +4869,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
if (user == null) { try { res.sendStatus(404); } catch (ex) { } return; }
}
if ((req.query.meshaction == 'route') && (req.query.nodeid != null)) {
var nodeIdSplit = req.query.nodeid.split('/');
if ((nodeIdSplit[0] != 'node') || (nodeIdSplit[1] != domain.id)) { try { res.sendStatus(401); } catch (ex) { } return; }
obj.db.Get(req.query.nodeid, function (err, nodes) {
if (nodes.length != 1) { try { res.sendStatus(401); } catch (ex) { } return; }
if ((err != null) || (nodes.length != 1)) { try { res.sendStatus(401); } catch (ex) { } return; }
var node = nodes[0];
// Create the meshaction.txt file for meshcmd.exe
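Review bot: In the URL-credential hunk (`@ -2454`), the `obj.authenticate` callback writes `Accepted password for ...` to the auth log and assigns `req.session.userid = userid` with no visible check of `err` or `userid`, so a failed authentication would be recorded as a success with an undefined user id unless `authenticate` only calls back on success, which is not visible here. Switching the log value from `req.connection.user` to `userid` corrects the name but leaves that gap in place. I would put `if ((err != null) || (userid == null)) { /* log the failure and reject the request */ return; }` ahead of the log line, matching the `(err != null)` check this commit adds to the `obj.db.Get` callback. The callback body continues outside the hunk.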