From b9e39e0c1e2a605d246d865202ae09cf65adbca1 Mon Sep 17 00:00:00 2001
From: "Patrik J. Braun"
Date: Fri, 14 Jan 2022 11:02:17 +0100
Subject: [PATCH] improving security on enforced users #220

---
 src/backend/middlewares/RenderingMWs.ts | 2 ++
 .../model/database/sql/SQLConnection.ts | 34 +++++++++++--------
 .../routers/admin/SettingsRouter.ts | 1 +
 3 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/src/backend/middlewares/RenderingMWs.ts b/src/backend/middlewares/RenderingMWs.ts
index b48948cf..95a0a49f 100644
--- a/src/backend/middlewares/RenderingMWs.ts
+++ b/src/backend/middlewares/RenderingMWs.ts
@@ -79,7 +79,9 @@ export class RenderingMWs {
 public static async renderConfig(req: Request, res: Response, next: NextFunction): Promise {
 const originalConf = await Config.original();
+ // These are sensitive information, do not send to the client side
 originalConf.Server.sessionSecret = null;
+ originalConf.Server.Database.enforcedUsers = null;
 const message = new Message(null, originalConf.toJSON({
 attachState: true,
 attachVolatile: true
diff --git a/src/backend/model/database/sql/SQLConnection.ts b/src/backend/model/database/sql/SQLConnection.ts
index 5869a8a1..4f956e21 100644
--- a/src/backend/model/database/sql/SQLConnection.ts
+++ b/src/backend/model/database/sql/SQLConnection.ts
@@ -22,6 +22,7 @@ import {DatabaseType, ServerDataBaseConfig, SQLLogLevel} from '../../../../commo
 import {AlbumBaseEntity} from './enitites/album/AlbumBaseEntity';
 import {SavedSearchEntity} from './enitites/album/SavedSearchEntity';
 import {NotificationManager} from '../../NotifocationManager';
+ import {isArray} from '../../../../../node_modules/ngx-bootstrap/chronos';
 
 const LOG_TAG = '[SQLConnection]';
 
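Review bot: Nulling `enforcedUsers` here protects only this render path; any other place that serialises `Config.original()` (the integration test at test/backend/integration/routers/admin/SettingsRouter.ts in this same patch already has to repeat the same two assignments) will still send the `encryptedPassword` hashes, or the plaintext `password` of an entry that has not been hashed yet, to the client. A single helper such as `stripSecrets(conf)` that nulls `Server.sessionSecret` and `Server.Database.enforcedUsers` together, called from `renderConfig` and from the test, keeps the denylist in one place. Whether `Config.original()` returns a detached copy rather than the live config object is not visible here; if it is the live object these assignments would also erase the in-memory enforced user list, so that is worth confirming. `renderConfig` continues past the end of the hunk.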
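Review bot: `isArray` is imported from a deep `node_modules/ngx-bootstrap/chronos` path, which ties backend code to the internal file layout of an unrelated frontend library and will break on any ngx-bootstrap restructuring or a pruned install; `Array.isArray` performs the same check with no dependency. Drop this import and, in the second hunk of this file, replace `isArray(Config.Server.Database.enforcedUsers)` with `Array.isArray(Config.Server.Database.enforcedUsers)`.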
@@ -98,25 +99,28 @@ export class SQLConnection {
 // Adding enforced users to the db
 const userRepository = connection.getRepository(UserEntity);
- for (const uc of Config.Server.Database.enforcedUsers) {
- const user = await userRepository.findOne({name: uc.name});
- if (!user) {
- Logger.info(LOG_TAG, 'Saving enforced user: ' + uc.name);
- const a = new UserEntity();
- a.name = uc.name;
- // encrypt password and save back to the db
- if (!uc.encryptedPassword) {
- uc.encryptedPassword = PasswordHelper.cryptPassword(uc.password);
- uc.password = '';
- await Config.save();
+ if (isArray(Config.Server.Database.enforcedUsers) &&
+ Config.Server.Database.enforcedUsers.length > 0) {
+ for (const uc of Config.Server.Database.enforcedUsers) {
+ const user = await userRepository.findOne({name: uc.name});
+ if (!user) {
+ Logger.info(LOG_TAG, 'Saving enforced user: ' + uc.name);
+ const a = new UserEntity();
+ a.name = uc.name;
+ // encrypt password and save back to the db
+ if (!uc.encryptedPassword) {
+ uc.encryptedPassword = PasswordHelper.cryptPassword(uc.password);
+ uc.password = '';
+ await Config.save();
+ }
+ a.password = uc.encryptedPassword;
+ a.role = uc.role;
+ await userRepository.save(a);
 }
- a.password = uc.encryptedPassword;
- a.role = uc.role;
- await userRepository.save(a);
 }
 }
 const defAdmin = await userRepository.findOne({name: 'admin', role: UserRoles.Admin});
- if (PasswordHelper.comparePassword('admin', defAdmin.password)) {
+ if (defAdmin && PasswordHelper.comparePassword('admin', defAdmin.password)) {
 NotificationManager.error('Using default admin user!', 'You are using the default admin/admin user/password, please change or remove it.');
 }
diff --git a/test/backend/integration/routers/admin/SettingsRouter.ts b/test/backend/integration/routers/admin/SettingsRouter.ts
index acbdee08..ec84a9e6 100644
--- a/test/backend/integration/routers/admin/SettingsRouter.ts
+++ b/test/backend/integration/routers/admin/SettingsRouter.ts
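Review bot: The new guard only checks that `enforcedUsers` is a non-empty array; an entry with neither `password` nor `encryptedPassword` (or with no `name`) still reaches `PasswordHelper.cryptPassword(uc.password)` and creates an account whose stored hash is derived from an empty or undefined value. Validate each entry before the `findOne` call, e.g. `if (!uc.name || (!uc.password && !uc.encryptedPassword)) { Logger.info(LOG_TAG, 'Skipping invalid enforced user entry'); continue; }`. The `length > 0` clause on the new `if` is redundant, since `for...of` over an empty array does nothing. The added `defAdmin &&` guard correctly avoids dereferencing a missing default admin. The enclosing method of SQLConnection starts before this hunk and appears to continue after it.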
@@ -34,6 +34,7 @@ describe('SettingsRouter', () => {
 Config.Client.authenticationRequired = false;
 const originalSettings = await Config.original();
 originalSettings.Server.sessionSecret = null;
+ originalSettings.Server.Database.enforcedUsers = null;
 const srv = new Server();
 await srv.onStarted.wait();
 const result = await chai.request(srv.App)