improving security on enforced users #220

2024-11-03 21:04:03 +08:00 · 2022-01-14 11:02:17 +01:00 · 2022-01-14 11:02:17 +01:00 · b9e39e0c1e
commit b9e39e0c1e
parent 2ca74ef8b4
3 changed files with 22 additions and 15 deletions
--- a/src/backend/middlewares/RenderingMWs.ts
+++ b/src/backend/middlewares/RenderingMWs.ts
@ -79,7 +79,9 @@ export class RenderingMWs {

  public static async renderConfig(req: Request, res: Response, next: NextFunction): Promise<void> {
    const originalConf = await Config.original();
+    // These are sensitive information, do not send to the client side
    originalConf.Server.sessionSecret = null;
+    originalConf.Server.Database.enforcedUsers = null;
    const message = new Message<PrivateConfigClass>(null, originalConf.toJSON({
      attachState: true,
      attachVolatile: true
--- a/src/backend/model/database/sql/SQLConnection.ts
+++ b/src/backend/model/database/sql/SQLConnection.ts
@ -22,6 +22,7 @@ import {DatabaseType, ServerDataBaseConfig, SQLLogLevel} from '../../../../commo
 import {AlbumBaseEntity} from './enitites/album/AlbumBaseEntity';
 import {SavedSearchEntity} from './enitites/album/SavedSearchEntity';
 import {NotificationManager} from '../../NotifocationManager';
+import {isArray} from '../../../../../node_modules/ngx-bootstrap/chronos';

 const LOG_TAG = '[SQLConnection]';

@ -98,25 +99,28 @@ export class SQLConnection {

    // Adding enforced users to the db
    const userRepository = connection.getRepository(UserEntity);
-    for (const uc of Config.Server.Database.enforcedUsers) {
-      const user = await userRepository.findOne({name: uc.name});
-      if (!user) {
-        Logger.info(LOG_TAG, 'Saving enforced user: ' + uc.name);
-        const a = new UserEntity();
-        a.name = uc.name;
-        // encrypt password and save back to the db
-        if (!uc.encryptedPassword) {
-          uc.encryptedPassword = PasswordHelper.cryptPassword(uc.password);
-          uc.password = '';
-          await Config.save();
+    if (isArray(Config.Server.Database.enforcedUsers) &&
+      Config.Server.Database.enforcedUsers.length > 0) {
+      for (const uc of Config.Server.Database.enforcedUsers) {
+        const user = await userRepository.findOne({name: uc.name});
+        if (!user) {
+          Logger.info(LOG_TAG, 'Saving enforced user: ' + uc.name);
+          const a = new UserEntity();
+          a.name = uc.name;
+          // encrypt password and save back to the db
+          if (!uc.encryptedPassword) {
+            uc.encryptedPassword = PasswordHelper.cryptPassword(uc.password);
+            uc.password = '';
+            await Config.save();
+          }
+          a.password = uc.encryptedPassword;
+          a.role = uc.role;
+          await userRepository.save(a);
        }
-        a.password = uc.encryptedPassword;
-        a.role = uc.role;
-        await userRepository.save(a);
      }
    }
    const defAdmin = await userRepository.findOne({name: 'admin', role: UserRoles.Admin});
-    if (PasswordHelper.comparePassword('admin', defAdmin.password)) {
+    if (defAdmin && PasswordHelper.comparePassword('admin', defAdmin.password)) {
      NotificationManager.error('Using default admin user!', 'You are using the default admin/admin user/password, please change or remove it.');
    }

--- a/test/backend/integration/routers/admin/SettingsRouter.ts
+++ b/test/backend/integration/routers/admin/SettingsRouter.ts
@ -34,6 +34,7 @@ describe('SettingsRouter', () => {
      Config.Client.authenticationRequired = false;
      const originalSettings = await Config.original();
      originalSettings.Server.sessionSecret = null;
+      originalSettings.Server.Database.enforcedUsers = null;
      const srv = new Server();
      await srv.onStarted.wait();
      const result = await chai.request(srv.App)