From fc23237fe4a0502aa307d5deca07c8ef0cbdc12c Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Fri, 2 Apr 2021 17:26:17 -0700
Subject: [PATCH] User inner authentication improvements.
---
 webserver.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/webserver.js b/webserver.js
index 44d29a38..882a6c64 100644
--- a/webserver.js
+++ b/webserver.js
@@ -5263,7 +5263,11 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { ws.close(); return; } // Check 3FA URL key
 PerformWSSessionAuth(ws, req, true, function (ws1, req1, domain, user, cookie) {
 if (user == null) { // User is not authenticated, perform inner server authentication
- PerformWSSessionInnerAuth(ws, req, domain, function (ws1, req1, domain, user) { obj.meshUserHandler.CreateMeshUser(obj, obj.db, ws1, req1, obj.args, domain, user); }); // User is authenticated
+ if (req.headers['x-meshauth'] === '*') {
+ PerformWSSessionInnerAuth(ws, req, domain, function (ws1, req1, domain, user) { obj.meshUserHandler.CreateMeshUser(obj, obj.db, ws1, req1, obj.args, domain, user); }); // User is authenticated
+ } else {
+ try { ws.close(); } catch (ex) { } // user is not authenticated and inner authentication was not requested, disconnect now.
+ }
 } else {
 obj.meshUserHandler.CreateMeshUser(obj, obj.db, ws1, req1, obj.args, domain, user); // User is authenticated
 }
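Review bot: The new `else` branch closes an unauthenticated socket with `try { ws.close(); } catch (ex) { }` and records nothing, so rejected sessions leave no trace for anyone investigating repeated unauthenticated connection attempts. A debug line before the close, in the style this file already uses, would cover it: `parent.debug('web', 'WSERROR: Unauthenticated session without inner authentication request, closing.');`. The branch also keeps using the outer `ws` and `req` while the authenticated path uses the callback's `ws1` and `req1`; using the callback arguments throughout would read more consistently. The enclosing handler starts and ends outside the hunk.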
@@ -5882,6 +5886,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { if (domain == null) { parent.debug('web', 'WSERROR: Got no domain, user auth required.'); return; } } + // Check if inner authentication is requested + if (req.headers['x-meshauth'] === '*') { func(ws, req, domain, null); return; } + var emailcheck = ((domain.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true) && (domain.auth != 'sspi') && (domain.auth != 'ldap')) // A web socket session can be authenticated in many ways (Default user, session, user/pass and cookie). Check authentication here.
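Review bot: The added shortcut calls `func(ws, req, domain, null)` whenever the client sends `x-meshauth: *`, ahead of the authentication checks the comment below it describes, and without consulting the function's third argument (passed as `true` at the call site in the first hunk). The header is client-controlled, so if any other caller passes a different value there and assumes its callback only ever receives an authenticated user, that caller would now run with `user == null`. This cannot be confirmed from the hunk, because the function's signature and its other callers are outside it. Either gate the shortcut on that argument or state the contract above the line, e.g. `// Client-supplied header: skips all checks below and calls back with user == null; every caller must handle a null user.`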