From 26ac23c80df7c2830947eb6c7904b16076c3d4ec Mon Sep 17 00:00:00 2001
From: si458
Date: Fri, 24 May 2024 17:27:22 +0100
Subject: [PATCH] fix web-rdp/web-ssh save creds per user

Signed-off-by: si458
---
 meshcentral-config-schema.json | 2 +-
 sample-config-advanced.json | 2 +-
 webserver.js | 46 ++++++++++++++++++++--------------
 3 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index 0a8af53ed1..ddc68d6c80 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -1754,7 +1754,7 @@
 },
 "mstsc": {
 "type": "boolean",
- "default": false,
+ "default": true,
 "description": "When enabled, activates the built-in web-based RDP client."
 },
 "ssh": {
diff --git a/sample-config-advanced.json b/sample-config-advanced.json
index 2fd5360e92..a3c83b3d92 100644
--- a/sample-config-advanced.json
+++ b/sample-config-advanced.json
@@ -318,7 +318,7 @@
 "_geoLocation": true,
 "_ipLocation": true,
 "_novnc": false,
- "_mstsc": true,
+ "_mstsc": false,
 "_ssh": true,
 "_WebEmailsPath": "/myserver/email-templates",
 "_consentMessages": {
diff --git a/webserver.js b/webserver.js
index de2c8eca46..0fa431177a 100644
--- a/webserver.js
+++ b/webserver.js
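Review bot: The schema hunk flips the `mstsc` default from `false` to `true`, which is outside the commit's stated scope (per-user credential storage) and is not mentioned in the subject line. Whether the server applies this schema default when the key is absent, or the schema only drives validation and editor hints, is not visible here; if it is the former, deployments that never set `mstsc` start exposing the built-in web RDP client after upgrading. Either call the default change out in the commit message or move it to its own commit. The sample-config change touches the underscore-prefixed `_mstsc` key, which appears to be a disabled example entry, so that edit looks inert either way.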
@@ -2105,6 +2105,24 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF var features = 0; if (domain.allowsavingdevicecredentials === false) { features |= 1; } + // Get the logged in user if present + var user = null; + + // If there is a login token, use that + if (req.query.login != null) { + var ucookie = parent.decodeCookie(req.query.login, parent.loginCookieEncryptionKey, 60); // Cookie with 1 hour timeout + if ((ucookie != null) && (ucookie.a === 3) && (typeof ucookie.u == 'string')) { user = obj.users[ucookie.u]; } + } + + // If no token, see if we have an active session + if ((user == null) && (req.session.userid != null)) { user = obj.users[req.session.userid]; } + + // If still no user, see if we have a default user + if ((user == null) && (obj.args.user)) { user = obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]; } + + // No user login, exit now + if (user == null) { res.sendStatus(401); return; } + if (req.query.ws != null) { // This is a query with a websocket relay cookie, check that the cookie is valid and use it. var rcookie = parent.decodeCookie(req.query.ws, parent.loginCookieEncryptionKey, 60); // Cookie with 1 hour timeout 
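Review bot: The moved user lookup resolves `user` from the login token or the session without confirming that the account belongs to the domain being served; `ucookie.u` and `req.session.userid` are used directly as keys into `obj.users`, and only the `obj.args.user` fallback is built from `domain.id`. Whether `parent.decodeCookie` or the session layer already binds the identity to `domain` is not visible in this hunk; if it does not, the per-user lookups added later (`node.ssh[user._id]`, `node.rdp[user._id]`) can be driven by a user id from another domain. Since user ids have the form `user/<domain>/<name>` (see the default-user line), a defensive check after the three lookups such as `if ((user != null) && (user._id.split('/')[1] != domain.id)) { user = null; }` would route that case to the existing 401. The enclosing request handler starts and ends outside this hunk.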
@@ -2122,8 +2140,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF if ((typeof node.ssh == 'object') && (typeof node.ssh.u == 'string') && (typeof node.ssh.p == 'string')) { serverCredentials = 1; } // Username and password else if ((typeof node.ssh == 'object') && (typeof node.ssh.k == 'string') && (typeof node.ssh.kp == 'string')) { serverCredentials = 2; } // Username, key and password else if ((typeof node.ssh == 'object') && (typeof node.ssh.k == 'string')) { serverCredentials = 3; } // Username and key. No password. + else if ((typeof node.ssh == 'object') && (typeof node.ssh[user._id] == 'object') && (typeof node.ssh[user._id].u == 'string') && (typeof node.ssh[user._id].p == 'string')) { serverCredentials = 1; } // Username and password in per user format + else if ((typeof node.ssh == 'object') && (typeof node.ssh[user._id] == 'object') && (typeof node.ssh[user._id].k == 'string') && (typeof node.ssh[user._id].kp == 'string')) { serverCredentials = 2; } // Username, key and password in per user format + else if ((typeof node.ssh == 'object') && (typeof node.ssh[user._id] == 'object') && (typeof node.ssh[user._id].k == 'string')) { serverCredentials = 3; } // Username and key. No password. in per user format } else { - if ((typeof node.rdp == 'object') && (typeof node.rdp.d == 'string') && (typeof node.rdp.u == 'string') && (typeof node.rdp.p == 'string')) { serverCredentials = 1; } // Username and password + if ((typeof node.rdp == 'object') && (typeof node.rdp.d == 'string') && (typeof node.rdp.u == 'string') && (typeof node.rdp.p == 'string')) { serverCredentials = 1; } // Username and password in legacy format + if ((typeof node.rdp == 'object') && (typeof node.rdp[user._id] == 'object') && (typeof node.rdp[user._id].d == 'string') && (typeof node.rdp[user._id].u == 'string') && (typeof node.rdp[user._id].p == 'string')) { serverCredentials = 1; } // Username and password in per user format } } 
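Review bot: Each new per-user branch tests `typeof node.ssh[user._id] == 'object'` and then dereferences `.u`/`.k`/`.kp`, but `typeof null` is also `'object'`, so an entry stored as null would throw a TypeError inside the request handler instead of leaving `serverCredentials` unset; the RDP line has the same shape with `node.rdp[user._id]`, and the hunks at 2191 and 2203 repeat both patterns. Adding `(node.ssh[user._id] != null) &&` (and `(node.rdp[user._id] != null) &&`) ahead of the property checks closes this, or resolve the per-user record once into a local and test that, which would also shorten the six near-identical conditions. Note also that the SSH chain keeps the legacy device-wide `node.ssh.u`/`.k` branches first, so `serverCredentials` reflects the legacy entry's type whenever one exists even if a per-user entry is present; if that precedence is intended, a comment such as `// Legacy device-wide credentials take precedence over per-user entries` would make it explicit. The enclosing branch starts and ends outside this hunk.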
@@ -2134,24 +2156,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF } } - // Get the logged in user if present - var user = null; - - // If there is a login token, use that - if (req.query.login != null) { - var ucookie = parent.decodeCookie(req.query.login, parent.loginCookieEncryptionKey, 60); // Cookie with 1 hour timeout - if ((ucookie != null) && (ucookie.a === 3) && (typeof ucookie.u == 'string')) { user = obj.users[ucookie.u]; } - } - - // If no token, see if we have an active session - if ((user == null) && (req.session.userid != null)) { user = obj.users[req.session.userid]; } - - // If still no user, see if we have a default user - if ((user == null) && (obj.args.user)) { user = obj.users['user/' + domain.id + '/' + obj.args.user.toLowerCase()]; } - - // No user login, exit now - if (user == null) { res.sendStatus(401); return; } - // Check the nodeid if (req.query.node != null) { var nodeidsplit = req.query.node.split('/'); 
@@ -2187,6 +2191,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF if ((typeof node.ssh == 'object') && (typeof node.ssh.u == 'string') && (typeof node.ssh.p == 'string')) { serverCredentials = 1; } // Username and password else if ((typeof node.ssh == 'object') && (typeof node.ssh.k == 'string') && (typeof node.ssh.kp == 'string')) { serverCredentials = 2; } // Username, key and password else if ((typeof node.ssh == 'object') && (typeof node.ssh.k == 'string')) { serverCredentials = 3; } // Username and key. No password. + else if ((typeof node.ssh == 'object') && (typeof node.ssh[user._id] == 'object') && (typeof node.ssh[user._id].u == 'string') && (typeof node.ssh[user._id].p == 'string')) { serverCredentials = 1; } // Username and password in per user format + else if ((typeof node.ssh == 'object') && (typeof node.ssh[user._id] == 'object') && (typeof node.ssh[user._id].k == 'string') && (typeof node.ssh[user._id].kp == 'string')) { serverCredentials = 2; } // Username, key and password in per user format + else if ((typeof node.ssh == 'object') && (typeof node.ssh[user._id] == 'object') && (typeof node.ssh[user._id].k == 'string')) { serverCredentials = 3; } // Username and key. No password. in per user format } } else { // RDP port 
@@ -2196,6 +2203,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF // Check if we have RDP credentials for this device if (domain.allowsavingdevicecredentials !== false) { if ((typeof node.rdp == 'object') && (typeof node.rdp.d == 'string') && (typeof node.rdp.u == 'string') && (typeof node.rdp.p == 'string')) { serverCredentials = 1; } // Username and password + if ((typeof node.rdp == 'object') && (typeof node.rdp[user._id] == 'object') && (typeof node.rdp[user._id].d == 'string') && (typeof node.rdp[user._id].u == 'string') && (typeof node.rdp[user._id].p == 'string')) { serverCredentials = 1; } // Username and password in per user format } } if (req.query.port != null) { var qport = 0; try { qport = parseInt(req.query.port); } catch (ex) { } if ((typeof qport == 'number') && (qport > 0) && (qport < 65536)) { port = qport; } }