From b926196d0a06f7629637c53ba33d6ac09b7f7b9c Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date: Mon, 14 Jun 2021 14:36:00 -0700
Subject: [PATCH] Fix for #2773.

---
 package.json | 14 +-------------
 webserver.js | 52 ++++++++++++++++++++++++++--------------------------
 2 files changed, 27 insertions(+), 39 deletions(-)

diff --git a/package.json b/package.json
index 226d7fdd..2e8276da 100644
--- a/package.json
+++ b/package.json
@@ -36,8 +36,6 @@
     "sample-config-advanced.json"
   ],
   "dependencies": {
-    "archiver": "^4.0.2",
-    "archiver-zip-encrypted": "^1.0.10",
     "body-parser": "^1.19.0",
     "cbor": "~5.2.0",
     "compression": "^1.7.4",
@@ -45,24 +43,14 @@
     "express": "^4.17.0",
     "express-handlebars": "^3.1.0",
     "express-ws": "^4.0.0",
-    "image-size": "^1.0.0",
     "ipcheck": "^0.1.0",
-    "loadavg-windows": "^1.1.1",
     "minimist": "^1.2.0",
-    "mongodb": "^3.6.9",
     "multiparty": "^4.2.1",
     "nedb": "^1.8.0",
     "node-forge": "^0.10.0",
-    "node-rdpjs-2": "^0.3.5",
-    "node-windows": "^1.0.0-beta.5",
-    "otplib": "^10.2.3",
-    "saslprep": "^1.0.3",
-    "ssh2": "^1.1.0",
-    "web-push": "^3.4.4",
     "ws": "^5.2.0",
     "xmldom": "^0.5.0",
-    "yauzl": "^2.10.0",
-    "yubikeyotp": "^0.2.0"
+    "yauzl": "^2.10.0"
   },
   "repository": {
     "type": "git",
diff --git a/webserver.js b/webserver.js
index 8357437b..e4c54e55 100644
--- a/webserver.js
+++ b/webserver.js
@@ -408,7 +408,32 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
     // Authenticate the user
     obj.authenticate = function (name, pass, domain, fn) {
         if ((typeof (name) != 'string') || (typeof (pass) != 'string') || (typeof (domain) != 'object')) { fn(new Error('invalid fields')); return; }
-        if (domain.auth == 'ldap') {
+        if (name.startsWith('~t:')) {
+            // Login token, try to fetch the token from the database
+            obj.db.Get('logintoken-' + name, function (err, docs) {
+                if (err != null) { fn(err); return; }
+                if ((docs == null) || (docs.length != 1)) { fn(new Error('login token not found')); return; }
+                const loginToken = docs[0];
+                if ((loginToken.expire != 0) && (loginToken.expire < Date.now())) { fn(new Error('login token expired')); return; }
+
+                // Default strong password hashing (pbkdf2 SHA384)
+                require('./pass').hash(pass, loginToken.salt, function (err, hash, tag) {
+                    if (err) return fn(err);
+                    if (hash == loginToken.hash) {
+                        // Login username and password are valid.
+                        var user = obj.users[loginToken.userid];
+                        if (!user) { fn(new Error('cannot find user')); return; }
+                        if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
+
+                        // Succesful login token authentication
+                        var loginOptions = { tokenName: loginToken.name, tokenUser: loginToken.tokenUser };
+                        if (loginToken.expire != 0) { loginOptions.expire = loginToken.expire; }
+                        return fn(null, user._id, null, loginOptions);
+                    }
+                    fn(new Error('invalid password'));
+                }, 0);
+            });
+        } else if (domain.auth == 'ldap') {
             if (domain.ldapoptions.url == 'test') {
                 // Fake LDAP login
                 var xxuser = domain.ldapoptions[name.toLowerCase()];
@@ -633,31 +658,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                     }
                 });
             }
-        } else if (name.startsWith('~t:')) {
-            // Login token, try to fetch the token from the database
-            obj.db.Get('logintoken-' + name, function (err, docs) {
-                if (err != null) { fn(err); return; }
-                if ((docs == null) || (docs.length != 1)) { fn(new Error('login token not found')); return; }
-                const loginToken = docs[0];
-                if ((loginToken.expire != 0) && (loginToken.expire < Date.now())) { fn(new Error('login token expired')); return; }
-
-                // Default strong password hashing (pbkdf2 SHA384)
-                require('./pass').hash(pass, loginToken.salt, function (err, hash, tag) {
-                    if (err) return fn(err);
-                    if (hash == loginToken.hash) {
-                        // Login username and password are valid.
-                        var user = obj.users[loginToken.userid];
-                        if (!user) { fn(new Error('cannot find user')); return; }
-                        if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
-
-                        // Succesful login token authentication
-                        var loginOptions = { tokenName: loginToken.name, tokenUser: loginToken.tokenUser };
-                        if (loginToken.expire != 0) { loginOptions.expire = loginToken.expire; }
-                        return fn(null, user._id, null, loginOptions);
-                    }
-                    fn(new Error('invalid password'));
-                }, 0);
-            });
         } else {
             // Regular login
             var user = obj.users['user/' + domain.id + '/' + name.toLowerCase()];