Update fastify dependencies #461

Closed
1 task done
Rossebma opened this issue Jul 16, 2023 · 6 comments
Assignees
Labels
dependencies Pull requests that update a dependency file
Milestone

Comments

@Rossebma

Rossebma commented Jul 16, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The bot itself seems to run, however the settings webpanel is not reachable and I get huge Fastify errors during startup.

Expected Behavior

Well I would expect the webpanel to work. (Sry. I don't know how to really describe it other than that.)

Steps To Reproduce

  1. Environment:
  • Bot running in standalone mode
  • Note that I have an apache2 webserver already running on the server
  2. Config:
DB_CONNECTION_URL=mysql://ticketbot:sensoredpassword@localhost/tickets
DB_PROVIDER=mysql
DISCORD_SECRET=sensoredkey
DISCORD_TOKEN=sensoredtoken
ENCRYPTION_KEY=sensoredkey
HTTP_EXTERNAL=http://00.000.00.00 #(real-ip | sensored for security)
HTTP_HOST=0.0.0.0
HTTP_PORT=8169
HTTP_TRUST_PROXY=false
NODE_ENV=production
OVERRIDE_ARCHIVE=
PUBLIC_BOT=false
PUBLISH_COMMANDS=false
SUPER=319467558166069248,mysensoreddiscordid
  3. Run:
    node .

  4. See error:

 16/07/23 09:40:10  [SUCCESS] Connected to Discord as "[LoR] Support System#7623"
 16/07/23 09:40:10  [INFO] (PRISMA) quaint::pooled Starting a mysql pool with 17 connections.
 16/07/23 09:40:10  [NOTICE] Discord Tickets v4.0.7 on Node.js v19.6.0 (linux)
 16/07/23 09:40:10  [WARN] Uncaught exception
 16/07/23 09:40:10  [ERROR] FastifyError [Error]: The decorator 'parseCookie' has already been added!
    at decorate (/root/Discord/bots/ticket/node_modules/fastify/lib/decorate.js:23:11)
    at Object.decorateFastify [as decorate] (/root/Discord/bots/ticket/node_modules/fastify/lib/decorate.js:67:3)
    at plugin (/root/Discord/bots/ticket/node_modules/@fastify/cookie/plugin.js:60:11)
    at Plugin.exec (/root/Discord/bots/ticket/node_modules/avvio/plugin.js:130:19)
    at Boot.loadPlugin (/root/Discord/bots/ticket/node_modules/avvio/plugin.js:272:10)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
  code: 'FST_ERR_DEC_ALREADY_PRESENT',
  statusCode: 500
}
 16/07/23 09:40:10  [INFO] Cached ticket count of 0 categories (0 open tickets)
 16/07/23 09:40:10  [INFO] Loaded 0 active cooldowns
 16/07/23 09:40:10  [INFO] Closed 0 deleted tickets
 16/07/23 09:40:10  [INFO] Checking for updates...
 16/07/23 09:40:10  [INFO] No updates available
 16/07/23 09:40:11  [SUCCESS] Posted client stats
 16/07/23 09:40:20  [ERROR] (HTTP) FastifyError [Error]: fastify-plugin: Plugin did not start in time: 'fastify-cookie'. You may have forgotten to call 'done' function or to resolve a Promise
    at manageErr (/root/Discord/bots/ticket/node_modules/fastify/fastify.js:576:33)
    at /root/Discord/bots/ticket/node_modules/fastify/fastify.js:563:11
    at Object._encapsulateThreeParam (/root/Discord/bots/ticket/node_modules/avvio/boot.js:562:7)
    at Boot.timeoutCall (/root/Discord/bots/ticket/node_modules/avvio/boot.js:458:5)
    at Boot.callWithCbOrNextTick (/root/Discord/bots/ticket/node_modules/avvio/boot.js:440:19)
    at release (/root/Discord/bots/ticket/node_modules/fastq/queue.js:149:16)
    at Object.resume (/root/Discord/bots/ticket/node_modules/fastq/queue.js:82:7)
    at /root/Discord/bots/ticket/node_modules/avvio/boot.js:174:18
    at /root/Discord/bots/ticket/node_modules/avvio/plugin.js:275:7
    at done (/root/Discord/bots/ticket/node_modules/avvio/plugin.js:200:5) {
  code: 'FST_ERR_PLUGIN_TIMEOUT',
  statusCode: 500,
  cause: AvvioError [Error]: Plugin did not start in time: 'fastify-cookie'. You may have forgotten to call 'done' function or to resolve a Promise
      at Timeout._onTimeout (/root/Discord/bots/ticket/node_modules/avvio/plugin.js:122:19)
      at listOnTimeout (node:internal/timers:568:17)
      at process.processTimers (node:internal/timers:511:7) {
    code: 'AVV_ERR_READY_TIMEOUT',
    fn: <ref *1> [Function: plugin] {
      default: [Circular *1],
      fastifyCookie: [Circular *1],
      [Symbol(skip-override)]: true,
      [Symbol(fastify.display-name)]: 'fastify-cookie',
      [Symbol(plugin-meta)]: [Object]
    }
  }
}

Environment

- OS: Debian 10.13
- Node: 19.6.0
- NPM: 9.4.1
- Bot: 4.0.7
- MySql: 8.0.33

Anything else?

No response

@Rossebma Rossebma added the bug Something isn't working label Jul 16, 2023
@RooRay
Contributor

RooRay commented Jul 17, 2023

This looks like a bigger issue, I'll assign earth to it. In the meantime, is your apache2 webserver proxying the bot panel?

@RooRay RooRay added this to the v4.1 milestone Jul 17, 2023
@Rossebma
Author

Rossebma commented Jul 17, 2023

So I fixed the issue for me. Sadly not in a way that would be particularly helpful for you.
The first problem was that I didn't set up the proxy for the web server. (I wanted to run it in secure mode (https)).
But before I fixed this I completely reinstalled the bot. And when I did, I did two things differently:

  1. I didn't use the newest version, rather one I viewed as stable.
  2. I didn't run npm audit fix (I think it was something like that, but I remember the word "force" somewhere in the command...). This was recommended during both installations and the second time I didn't do it.

I hope this gives you at least clues where to look. If you need any further information feel free to ask me here or via discord (Name: rossebma)

@eartharoid
Member

I'm still unable to reproduce this error.

@chrisbadley

chrisbadley commented Aug 5, 2023

image

I think Rossebma is talking about that, which relates to this:

image

I think if you do run "npm audit fix --force", it causes the error originally posted.

It can be resolved by taking a backup of the database and env, deleting the entire directory that contains Discord Tickets, installing again from git clone, running "npm i --production", copying back the .env file, running "npm run postinstall" and re-importing the database, then trying "node ." again.

You will then be on the latest Discord Tickets BUT one of the dependencies will have a high-risk vulnerability. This project needs to be made compatible with the safe and updated version of the dependency.

@eartharoid
Member

eartharoid commented Aug 5, 2023

Related:

Impact

All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users.
The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it.

Patches

v7.2.0 changes the default behavior to store the state in a cookie with the http-only and same-site=lax attributes set. The state is now by default generated for every user.

Note that this contains a breaking change in the checkStateFunction function, which now accepts the full Request object.

Workarounds

There are no known workarounds.

References

@eartharoid
Member

eartharoid commented Aug 5, 2023

Thank you for the clarification @chrisbadley.
Errors are to be expected as the patched version of @fastify/oauth2 introduces breaking changes, however, the fact that this obvious flaw was in the package from the beginning and the fact that the state parameter is optional makes me question the "high" severity.
Anyway, Discord Tickets already uses random state parameters to provide the redirects, so I think this vulnerability and patch can be safely ignored, and the solution is to not force-fix npm audits.

bot/src/http.js

Lines 14 to 38 in fb7a11f

fastify.register(oauth, {
	callbackUri: `${process.env.HTTP_EXTERNAL}/auth/callback`,
	checkStateFunction: (state, callback) => {
		if (fastify.states.has(state)) {
			callback();
			return;
		}
		callback(new Error('Invalid state'));
	},
	credentials: {
		auth: oauth.DISCORD_CONFIGURATION,
		client: {
			id: client.user.id,
			secret: process.env.DISCORD_SECRET,
		},
	},
	generateStateFunction: req => {
		const state = randomBytes(12).toString('hex');
		fastify.states.set(state, req.query.r);
		return state;
	},
	name: 'discord',
	scope: ['applications.commands.permissions.update', 'guilds', 'identify'],
	startRedirectPath: '/auth/login',
});

With that said, I will eventually need to upgrade all of the fastify dependencies and update any affected code so the patched version is compatible. This will allow npm audit fix to be used in the future, so I'll keep this issue open for now.
Also need to update this to delete used states.

bot/src/http.js

Lines 17 to 20 in fb7a11f

		if (fastify.states.has(state)) {
			callback();
			return;
		}

@eartharoid eartharoid added dependencies Pull requests that update a dependency file and removed bug Something isn't working labels Aug 5, 2023
@eartharoid eartharoid changed the title [BUG] FastifyError [Error]: The decorator 'parseCookie' has already been added! Update fastify dependencies Aug 5, 2023
@eartharoid eartharoid modified the milestones: v4.1, v4.3 Aug 5, 2023
Labels
dependencies Pull requests that update a dependency file
Projects
Status: Complete
Development

No branches or pull requests

4 participants