From b07aef02c78a3ac4992e3b97b862073334963bff Mon Sep 17 00:00:00 2001 From: Cohee <18619528+Cohee1207@users.noreply.github.com> Date: Sun, 7 Apr 2024 16:41:23 +0300 Subject: [PATCH 1/3] Persist CSRF and cookie secrets across server launches --- default/config.yaml | 2 ++ jsconfig.json | 3 ++- package-lock.json | 9 +++++++ package.json | 1 + server.js | 10 ++++---- src/constants.js | 6 +++++ src/users.js | 61 +++++++++++++++++++++++++++++++++++++++++++-- src/util.js | 51 ++++++++++++++++--------------------- 8 files changed, 106 insertions(+), 37 deletions(-) diff --git a/default/config.yaml b/default/config.yaml index 506a270e9..2dde00f76 100644 --- a/default/config.yaml +++ b/default/config.yaml @@ -18,6 +18,8 @@ basicAuthUser: password: "password" # Enables CORS proxy middleware enableCorsProxy: false +# Used to sign session cookies. Will be auto-generated if not set +cookieSecret: '' # Disable security checks - NOT RECOMMENDED securityOverride: false # -- ADVANCED CONFIGURATION -- diff --git a/jsconfig.json b/jsconfig.json index bcf9db917..e4298105a 100644 --- a/jsconfig.json +++ b/jsconfig.json @@ -13,6 +13,7 @@ "exclude": [ "node_modules", "**/node_modules/*", - "public/lib" + "public/lib", + "backups/*", ] } diff --git a/package-lock.json b/package-lock.json index dca9e969d..11c382d41 100644 --- a/package-lock.json +++ b/package-lock.json @@ -32,6 +32,7 @@ "mime-types": "^2.1.35", "multer": "^1.4.5-lts.1", "node-fetch": "^2.6.11", + "node-persist": "^4.0.1", "open": "^8.4.2", "png-chunk-text": "^1.0.0", "png-chunks-encode": "^1.0.0", @@ -2735,6 +2736,14 @@ } } }, + "node_modules/node-persist": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/node-persist/-/node-persist-4.0.1.tgz", + "integrity": "sha512-QtRjwAlcOQChQpfG6odtEhxYmA3nS5XYr+bx9JRjwahl1TM3sm9J3CCn51/MI0eoHRb2DrkEsCOFo8sq8jG5sQ==", + "engines": { + "node": ">=10.12.0" + } + }, "node_modules/normalize-url": { "version": "6.1.0", "license": "MIT", diff --git a/package.json b/package.json index d491384c0..610d2df7f 100644 --- a/package.json +++ b/package.json @@ -22,6 +22,7 @@ "mime-types": "^2.1.35", "multer": "^1.4.5-lts.1", "node-fetch": "^2.6.11", + "node-persist": "^4.0.1", "open": "^8.4.2", "png-chunk-text": "^1.0.0", "png-chunks-encode": "^1.0.0", diff --git a/server.js b/server.js index de2123cd2..add84e1b6 100644 --- a/server.js +++ b/server.js @@ -1,7 +1,6 @@ #!/usr/bin/env node // native node modules -const crypto = require('crypto'); const fs = require('fs'); const http = require('http'); const https = require('https'); @@ -39,6 +38,8 @@ const { getUserDirectories, getAllUserHandles, migrateUserData, + getCsrfSecret, + getCookieSecret, } = require('./src/users'); const basicAuthMiddleware = require('./src/middleware/basicAuth'); const whitelistMiddleware = require('./src/middleware/whitelist'); @@ -132,14 +133,14 @@ app.use(CORS); if (listen && basicAuthMode) app.use(basicAuthMiddleware); app.use(whitelistMiddleware(listen)); +app.use(userDataMiddleware()); // CSRF Protection // if (!cliArguments.disableCsrf) { - const CSRF_SECRET = crypto.randomBytes(8).toString('hex'); - const COOKIES_SECRET = crypto.randomBytes(8).toString('hex'); + const COOKIES_SECRET = getCookieSecret(); const { generateToken, doubleCsrfProtection } = doubleCsrf({ - getSecret: () => CSRF_SECRET, + getSecret: getCsrfSecret, cookieName: 'X-CSRF-Token', cookieOptions: { httpOnly: true, @@ -218,7 +219,6 @@ if (enableCorsProxy) { } app.use(express.static(process.cwd() + '/public', {})); -app.use(userDataMiddleware()); app.use('/', require('./src/users').router); app.use(multer({ dest: UPLOADS_PATH, limits: { fieldSize: 10 * 1024 * 1024 } }).single('avatar')); diff --git a/src/constants.js b/src/constants.js index 01ca9af96..550ff90e7 100644 --- a/src/constants.js +++ b/src/constants.js @@ -40,12 +40,18 @@ const USER_DIRECTORY_TEMPLATE = Object.freeze({ vectors: 'vectors', }); +/** + * @type {import('./users').User} + * @readonly + */ const DEFAULT_USER = Object.freeze({ uuid: '00000000-0000-0000-0000-000000000000', handle: 'user0', name: 'User', created: 0, password: '', + admin: true, + enabled: true, }); const UNSAFE_EXTENSIONS = [ diff --git a/src/users.js b/src/users.js index 6c9a62e53..6ff6084ea 100644 --- a/src/users.js +++ b/src/users.js @@ -1,11 +1,20 @@ const path = require('path'); const fs = require('fs'); +const crypto = require('crypto'); +const storage = require('node-persist'); const { USER_DIRECTORY_TEMPLATE, DEFAULT_USER, PUBLIC_DIRECTORIES } = require('./constants'); -const { getConfigValue, color, delay } = require('./util'); +const { getConfigValue, color, delay, setConfigValue } = require('./util'); const express = require('express'); +const { readSecret, writeSecret } = require('./endpoints/secrets'); const DATA_ROOT = getConfigValue('dataRoot', './data'); +const STORAGE_KEYS = { + users: 'users', + csrfSecret: 'csrfSecret', + cookieSecret: 'cookieSecret', +}; + /** * @typedef {Object} User * @property {string} uuid - The user's id @@ -13,6 +22,8 @@ const DATA_ROOT = getConfigValue('dataRoot', './data'); * @property {string} name - The user's name. Displayed in the UI * @property {number} created - The timestamp when the user was created * @property {string} password - SHA256 hash of the user's password + * @property {boolean} enabled - Whether the user is enabled + * @property {boolean} admin - Whether the user is an admin (can manage other users) */ /** @@ -246,7 +257,51 @@ async function migrateUserData() { * @returns {Promise} */ async function initUserStorage() { - return Promise.resolve(); + await storage.init({ + dir: path.join(DATA_ROOT, '_storage'), + }); + + const users = await storage.getItem('users'); + + if (!users) { + await storage.setItem('users', [DEFAULT_USER]); + } +} + +/** + * Get the cookie secret from the config. If it doesn't exist, generate a new one. + * @returns {string} The cookie secret + */ +function getCookieSecret() { + let secret = getConfigValue(STORAGE_KEYS.cookieSecret); + + if (!secret) { + console.warn(color.yellow('Cookie secret is missing from config.yaml. Generating a new one...')); + secret = crypto.randomBytes(64).toString('base64'); + setConfigValue(STORAGE_KEYS.cookieSecret, secret); + } + + return secret; +} + +/** + * Get the CSRF secret from the storage. + * @param {import('express').Request} [request] HTTP request object + * @returns {string} The CSRF secret + */ +function getCsrfSecret(request) { + if (!request || !request.user) { + throw new Error('Request object is required to get the CSRF secret.'); + } + + let csrfSecret = readSecret(request.user.directories, STORAGE_KEYS.csrfSecret); + + if (!csrfSecret) { + csrfSecret = crypto.randomBytes(64).toString('base64'); + writeSecret(request.user.directories, STORAGE_KEYS.csrfSecret, csrfSecret); + } + + return csrfSecret; } /** @@ -348,5 +403,7 @@ module.exports = { getUserDirectories, userDataMiddleware, migrateUserData, + getCsrfSecret, + getCookieSecret, router, }; diff --git a/src/util.js b/src/util.js index b823419a5..e1410eee8 100644 --- a/src/util.js +++ b/src/util.js @@ -15,38 +15,19 @@ const { PUBLIC_DIRECTORIES } = require('./constants'); * @returns {object} Config object */ function getConfig() { - function getNewConfig() { - try { - const config = yaml.parse(fs.readFileSync(path.join(process.cwd(), './config.yaml'), 'utf8')); - return config; - } catch (error) { - console.warn('Failed to read config.yaml'); - return {}; - } + if (!fs.existsSync('./config.yaml')) { + console.error(color.red('No config file found. Please create a config.yaml file. The default config file can be found in the /default folder.')); + console.error(color.red('The program will now exit.')); + process.exit(1); } - function getLegacyConfig() { - try { - console.log(color.yellow('WARNING: config.conf is deprecated. Please run "npm run postinstall" to convert to config.yaml')); - const config = require(path.join(process.cwd(), './config.conf')); - return config; - } catch (error) { - console.warn('Failed to read config.conf'); - return {}; - } + try { + const config = yaml.parse(fs.readFileSync(path.join(process.cwd(), './config.yaml'), 'utf8')); + return config; + } catch (error) { + console.warn('Failed to read config.yaml'); + return {}; } - - if (fs.existsSync('./config.yaml')) { - return getNewConfig(); - } - - if (fs.existsSync('./config.conf')) { - return getLegacyConfig(); - } - - console.error(color.red('No config file found. Please create a config.yaml file. The default config file can be found in the /default folder.')); - console.error(color.red('The program will now exit.')); - process.exit(1); } /** @@ -60,6 +41,17 @@ function getConfigValue(key, defaultValue = null) { return _.get(config, key, defaultValue); } +/** + * Sets a value for the given key in the config object and writes it to the config.yaml file. + * @param {string} key Key to set + * @param {any} value Value to set + */ +function setConfigValue(key, value) { + const config = getConfig(); + _.set(config, key, value); + fs.writeFileSync('./config.yaml', yaml.stringify(config)); +} + /** * Encodes the Basic Auth header value for the given user and password. * @param {string} auth username:password @@ -600,6 +592,7 @@ class Cache { module.exports = { getConfig, getConfigValue, + setConfigValue, getVersion, getBasicAuthHeader, extractFileFromZipBuffer, From c6ffe4502ab940e3d6c3c51ef7918fb638bf7022 Mon Sep 17 00:00:00 2001 From: Cohee <18619528+Cohee1207@users.noreply.github.com> Date: Sun, 7 Apr 2024 17:44:40 +0300 Subject: [PATCH 2/3] Add user management endpoints --- default/config.yaml | 6 +- package-lock.json | 19 ++- package.json | 2 + server.js | 24 +--- src/constants.js | 4 + src/endpoints/content-manager.js | 137 +++++++++++++------ src/users.js | 227 ++++++++++++++++++++++++++++++- 7 files changed, 346 insertions(+), 73 deletions(-) diff --git a/default/config.yaml b/default/config.yaml index 2dde00f76..3e914009a 100644 --- a/default/config.yaml +++ b/default/config.yaml @@ -1,10 +1,12 @@ -# -- NETWORK CONFIGURATION -- +# -- DATA CONFIGURATION -- # Root directory for user data storage dataRoot: ./data +# -- SERVER CONFIGURATION -- # Listen for incoming connections listen: false # Server port port: 8000 +# -- SECURITY CONFIGURATION -- # Toggle whitelist mode whitelistMode: true # Whitelist of allowed IP addresses @@ -18,6 +20,8 @@ basicAuthUser: password: "password" # Enables CORS proxy middleware enableCorsProxy: false +# Enable multi-user mode +enableUserAccounts: true # Used to sign session cookies. Will be auto-generated if not set cookieSecret: '' # Disable security checks - NOT RECOMMENDED diff --git a/package-lock.json b/package-lock.json index 11c382d41..d9aaf7959 100644 --- a/package-lock.json +++ b/package-lock.json @@ -41,6 +41,8 @@ "sanitize-filename": "^1.6.3", "sillytavern-transformers": "^2.14.6", "simple-git": "^3.19.1", + "slugify": "^1.6.6", + "uuid": "^9.0.1", "vectra": "^0.2.2", "wavefile": "^11.0.0", "write-file-atomic": "^5.0.1", @@ -3510,6 +3512,14 @@ "version": "1.0.1", "license": "MIT" }, + "node_modules/slugify": { + "version": "1.6.6", + "resolved": "https://registry.npmjs.org/slugify/-/slugify-1.6.6.tgz", + "integrity": "sha512-h+z7HKHYXj6wJU+AnS/+IH8Uh9fdcX1Lrhg1/VMdf9PwoBQXFcXiAdsy2tSK0P6gKwJLXp02r90ahUCqHk9rrw==", + "engines": { + "node": ">=8.0.0" + } + }, "node_modules/statuses": { "version": "2.0.1", "license": "MIT", @@ -3703,8 +3713,13 @@ } }, "node_modules/uuid": { - "version": "9.0.0", - "license": "MIT", + "version": "9.0.1", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz", + "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==", + "funding": [ + "https://github.com/sponsors/broofa", + "https://github.com/sponsors/ctavan" + ], "bin": { "uuid": "dist/bin/uuid" } diff --git a/package.json b/package.json index 610d2df7f..fcc4fb039 100644 --- a/package.json +++ b/package.json @@ -31,6 +31,8 @@ "sanitize-filename": "^1.6.3", "sillytavern-transformers": "^2.14.6", "simple-git": "^3.19.1", + "slugify": "^1.6.6", + "uuid": "^9.0.1", "vectra": "^0.2.2", "wavefile": "^11.0.0", "write-file-atomic": "^5.0.1", diff --git a/server.js b/server.js index add84e1b6..9e3497d03 100644 --- a/server.js +++ b/server.js @@ -35,8 +35,6 @@ util.inspect.defaultOptions.depth = 4; const { initUserStorage, userDataMiddleware, - getUserDirectories, - getAllUserHandles, migrateUserData, getCsrfSecret, getCookieSecret, @@ -120,7 +118,7 @@ const listen = cliArguments.listen ?? getConfigValue('listen', DEFAULT_LISTEN); const enableCorsProxy = cliArguments.corsProxy ?? getConfigValue('enableCorsProxy', DEFAULT_CORS_PROXY); const basicAuthMode = getConfigValue('basicAuthMode', false); -const { UPLOADS_PATH, PUBLIC_DIRECTORIES } = require('./src/constants'); +const { UPLOADS_PATH } = require('./src/constants'); // CORS Settings // const CORS = cors({ @@ -476,7 +474,7 @@ const setupTasks = async function () { // in any order for encapsulation reasons, but right now it's unknown if that would break anything. await initUserStorage(); await settingsEndpoint.init(); - ensurePublicDirectoriesExist(); + await contentManager.ensurePublicDirectoriesExist(); await migrateUserData(); contentManager.checkForNewContent(); await ensureThumbnailCache(); @@ -567,21 +565,3 @@ if (cliArguments.ssl) { setupTasks, ); } - -async function ensurePublicDirectoriesExist() { - for (const dir of Object.values(PUBLIC_DIRECTORIES)) { - if (!fs.existsSync(dir)) { - fs.mkdirSync(dir, { recursive: true }); - } - } - - const userHandles = await getAllUserHandles(); - for (const handle of userHandles) { - const userDirectories = getUserDirectories(handle); - for (const dir of Object.values(userDirectories)) { - if (!fs.existsSync(dir)) { - fs.mkdirSync(dir, { recursive: true }); - } - } - } -} diff --git a/src/constants.js b/src/constants.js index 550ff90e7..2c5bd5e7d 100644 --- a/src/constants.js +++ b/src/constants.js @@ -5,6 +5,8 @@ const PUBLIC_DIRECTORIES = { extensions: 'public/scripts/extensions', }; +const DEFAULT_AVATAR = '/img/ai4.png'; + /** * @type {import('./users').UserDirectoryList} * @readonly @@ -52,6 +54,7 @@ const DEFAULT_USER = Object.freeze({ password: '', admin: true, enabled: true, + salt: '', }); const UNSAFE_EXTENSIONS = [ @@ -296,6 +299,7 @@ const OPENROUTER_KEYS = [ module.exports = { DEFAULT_USER, + DEFAULT_AVATAR, PUBLIC_DIRECTORIES, USER_DIRECTORY_TEMPLATE, UNSAFE_EXTENSIONS, diff --git a/src/endpoints/content-manager.js b/src/endpoints/content-manager.js index 202411043..42aa45576 100644 --- a/src/endpoints/content-manager.js +++ b/src/endpoints/content-manager.js @@ -9,6 +9,35 @@ const contentDirectory = path.join(process.cwd(), 'default/content'); const contentIndexPath = path.join(contentDirectory, 'index.json'); const { getAllUserHandles, getUserDirectories } = require('../users'); const characterCardParser = require('../character-card-parser.js'); +const { PUBLIC_DIRECTORIES } = require('../constants'); + +/** + * @typedef {Object} ContentItem + * @property {string} filename + * @property {string} type + */ + +/** + * Ensures that the content directories exist. + * @returns {Promise} + */ +async function ensurePublicDirectoriesExist() { + for (const dir of Object.values(PUBLIC_DIRECTORIES)) { + if (!fs.existsSync(dir)) { + fs.mkdirSync(dir, { recursive: true }); + } + } + + const userHandles = await getAllUserHandles(); + for (const handle of userHandles) { + const userDirectories = getUserDirectories(handle); + for (const dir of Object.values(userDirectories)) { + if (!fs.existsSync(dir)) { + fs.mkdirSync(dir, { recursive: true }); + } + } + } +} /** * Gets the default presets from the content directory. @@ -58,7 +87,63 @@ function getDefaultPresetFile(filename) { } } -async function checkForNewContent() { +/** + * Seeds content for a user. + * @param {ContentItem[]} contentIndex Content index + * @param {string} userHandle User handle + */ +async function seedContentForUser(contentIndex, userHandle) { + const directories = getUserDirectories(userHandle); + + if (!fs.existsSync(directories.root)) { + fs.mkdirSync(directories.root, { recursive: true }); + } + + const contentLogPath = path.join(directories.root, 'content.log'); + const contentLog = getContentLog(contentLogPath); + + for (const contentItem of contentIndex) { + // If the content item is already in the log, skip it + if (contentLog.includes(contentItem.filename)) { + continue; + } + + contentLog.push(contentItem.filename); + const contentPath = path.join(contentDirectory, contentItem.filename); + + if (!fs.existsSync(contentPath)) { + console.log(`Content file ${contentItem.filename} is missing`); + continue; + } + + const contentTarget = getTargetByType(contentItem.type, directories); + + if (!contentTarget) { + console.log(`Content file ${contentItem.filename} has unknown type ${contentItem.type}`); + continue; + } + + const basePath = path.parse(contentItem.filename).base; + const targetPath = path.join(process.cwd(), contentTarget, basePath); + + if (fs.existsSync(targetPath)) { + console.log(`Content file ${contentItem.filename} already exists in ${contentTarget}`); + continue; + } + + fs.cpSync(contentPath, targetPath, { recursive: true, force: false }); + console.log(`Content file ${contentItem.filename} copied to ${contentTarget}`); + } + + fs.writeFileSync(contentLogPath, contentLog.join('\n')); +} + +/** + * Checks for new content and seeds it for all users. + * @param {string} [userHandle] User to check the content for (optional) + * @returns {Promise} + */ +async function checkForNewContent(userHandle) { try { if (getConfigValue('skipContentCheck', false)) { return; @@ -68,50 +153,13 @@ async function checkForNewContent() { const contentIndex = JSON.parse(contentIndexText); const userHandles = await getAllUserHandles(); + if (userHandle && userHandles.includes(userHandle)) { + await seedContentForUser(contentIndex, userHandle); + return; + } + for (const userHandle of userHandles) { - const directories = getUserDirectories(userHandle); - - if (!fs.existsSync(directories.root)) { - fs.mkdirSync(directories.root, { recursive: true }); - } - - const contentLogPath = path.join(directories.root, 'content.log'); - const contentLog = getContentLog(contentLogPath); - - for (const contentItem of contentIndex) { - // If the content item is already in the log, skip it - if (contentLog.includes(contentItem.filename)) { - continue; - } - - contentLog.push(contentItem.filename); - const contentPath = path.join(contentDirectory, contentItem.filename); - - if (!fs.existsSync(contentPath)) { - console.log(`Content file ${contentItem.filename} is missing`); - continue; - } - - const contentTarget = getTargetByType(contentItem.type, directories); - - if (!contentTarget) { - console.log(`Content file ${contentItem.filename} has unknown type ${contentItem.type}`); - continue; - } - - const basePath = path.parse(contentItem.filename).base; - const targetPath = path.join(process.cwd(), contentTarget, basePath); - - if (fs.existsSync(targetPath)) { - console.log(`Content file ${contentItem.filename} already exists in ${contentTarget}`); - continue; - } - - fs.cpSync(contentPath, targetPath, { recursive: true, force: false }); - console.log(`Content file ${contentItem.filename} copied to ${contentTarget}`); - } - - fs.writeFileSync(contentLogPath, contentLog.join('\n')); + await seedContentForUser(contentIndex, userHandle); } } catch (err) { console.log('Content check failed', err); @@ -461,6 +509,7 @@ router.post('/importUUID', jsonParser, async (request, response) => { }); module.exports = { + ensurePublicDirectoriesExist, checkForNewContent, getDefaultPresets, getDefaultPresetFile, diff --git a/src/users.js b/src/users.js index 6ff6084ea..47b366575 100644 --- a/src/users.js +++ b/src/users.js @@ -2,12 +2,18 @@ const path = require('path'); const fs = require('fs'); const crypto = require('crypto'); const storage = require('node-persist'); -const { USER_DIRECTORY_TEMPLATE, DEFAULT_USER, PUBLIC_DIRECTORIES } = require('./constants'); -const { getConfigValue, color, delay, setConfigValue } = require('./util'); +const uuid = require('uuid'); +const mime = require('mime-types'); +const slugify = require('slugify').default; +const { USER_DIRECTORY_TEMPLATE, DEFAULT_USER, PUBLIC_DIRECTORIES, DEFAULT_AVATAR } = require('./constants'); +const { getConfigValue, color, delay, setConfigValue, Cache } = require('./util'); const express = require('express'); const { readSecret, writeSecret } = require('./endpoints/secrets'); +const { jsonParser } = require('./express-common'); +const contentManager = require('./endpoints/content-manager'); const DATA_ROOT = getConfigValue('dataRoot', './data'); +const MFA_CACHE = new Cache(5 * 60 * 1000); const STORAGE_KEYS = { users: 'users', @@ -22,10 +28,20 @@ const STORAGE_KEYS = { * @property {string} name - The user's name. Displayed in the UI * @property {number} created - The timestamp when the user was created * @property {string} password - SHA256 hash of the user's password + * @property {string} salt - Salt used for hashing the password * @property {boolean} enabled - Whether the user is enabled * @property {boolean} admin - Whether the user is an admin (can manage other users) */ +/** + * @typedef {Object} UserViewModel + * @property {string} handle - The user's short handle. Used for directories and other references + * @property {string} name - The user's name. Displayed in the UI + * @property {string} avatar - The user's avatar image + * @property {boolean} admin - Whether the user is an admin (can manage other users) + * @property {boolean} password - Whether the user is password protected + */ + /** * @typedef {Object} UserDirectoryList * @property {string} root - The root directory for the user @@ -284,6 +300,10 @@ function getCookieSecret() { return secret; } +function getPasswordSalt() { + return crypto.randomBytes(16).toString('base64'); +} + /** * Get the CSRF secret from the storage. * @param {import('express').Request} [request] HTTP request object @@ -314,11 +334,12 @@ async function getCurrentUserHandle(_req) { } /** - * Gets a list of all user handles. Currently hard coded to return the default user's handle. + * Gets a list of all user handles. * @returns {Promise} - The list of user handles */ async function getAllUserHandles() { - return [DEFAULT_USER.handle]; + const users = await storage.getItem(STORAGE_KEYS.users); + return users.map(user => user.handle); } /** @@ -383,6 +404,26 @@ function createRouteHandler(directoryFn) { }; } +/** + * Verifies that the current user is an admin. + * @param {import('express').Request} request Request object + * @param {import('express').Response} response Response object + * @param {import('express').NextFunction} next Next function + * @returns {any} + */ +function requireAdminMiddleware(request, response, next) { + if (!request.user) { + return response.sendStatus(401); + } + + if (request.user.profile.admin) { + return next(); + } + + console.warn('Unauthorized access to admin endpoint:', request.originalUrl); + return response.sendStatus(403); +} + /** * Express router for serving files from the user's directories. */ @@ -395,6 +436,184 @@ router.use('/user/images/*', createRouteHandler(req => req.user.directories.user router.use('/user/files/*', createRouteHandler(req => req.user.directories.files)); router.use('/scripts/extensions/third-party/*', createRouteHandler(req => req.user.directories.extensions)); +const endpoints = express.Router(); + +/** + * Hashes a password using SHA256. + * @param {string} password Password to hash + * @param {string} salt Salt to use for hashing + * @returns {string} Hashed password + */ +function getPasswordHash(password, salt) { + return crypto.createHash('sha256').update(password + salt).digest('hex'); +} + +endpoints.get('/list', async (_request, response) => { + /** @type {User[]} */ + const users = await storage.getItem(STORAGE_KEYS.users); + const viewModels = users.filter(x => x.enabled).map(user => ({ + handle: user.handle, + name: user.name, + avatar: DEFAULT_AVATAR, + admin: user.admin, + password: !!user.password, + })); + + // Load avatars for each user + for (const user of viewModels) { + try { + const directory = getUserDirectories(user.handle); + const pathToSettings = path.join(directory.root, 'settings.json'); + const settings = fs.existsSync(pathToSettings) ? JSON.parse(fs.readFileSync(pathToSettings, 'utf8')) : {}; + const avatarFile = settings?.power_user?.default_persona || settings?.user_avatar; + if (!avatarFile) { + continue; + } + const avatarPath = path.join(directory.avatars, avatarFile); + if (!fs.existsSync(avatarPath)) { + continue; + } + const mimeType = mime.lookup(avatarPath); + const base64Content = fs.readFileSync(avatarPath, 'base64'); + user.avatar = `data:${mimeType};base64,${base64Content}`; + } catch { + // Ignore errors + } + } + + return response.json(viewModels); +}); + +endpoints.post('/recover-step1', jsonParser, async (request, response) => { + if (!request.body.handle) { + console.log('Recover step 1 failed: Missing required fields'); + return response.status(400).json({ error: 'Missing required fields' }); + } + + /** @type {User[]} */ + const users = await storage.getItem(STORAGE_KEYS.users); + const user = users.find(user => user.handle === request.body.handle); + + if (!user) { + console.log('Recover step 1 failed: User not found'); + return response.status(404).json({ error: 'User not found' }); + } + + if (!user.enabled) { + console.log('Recover step 1 failed: User is disabled'); + return response.status(403).json({ error: 'User is disabled' }); + } + + const mfaCode = Math.floor(Math.random() * 1000000).toString().padStart(6, '0'); + console.log(color.blue(`${user.name} YOUR PASSWORD RECOVERY CODE IS: `) + color.magenta(mfaCode)); + MFA_CACHE.set(user.handle, mfaCode); + return response.sendStatus(204); +}); + +endpoints.post('/recover-step2', jsonParser, async (request, response) => { + if (!request.body.handle || !request.body.code || !request.body.password) { + console.log('Recover step 2 failed: Missing required fields'); + return response.status(400).json({ error: 'Missing required fields' }); + } + + /** @type {User[]} */ + const users = await storage.getItem(STORAGE_KEYS.users); + const user = users.find(user => user.handle === request.body.handle); + + if (!user) { + console.log('Recover step 2 failed: User not found'); + return response.status(404).json({ error: 'User not found' }); + } + + if (!user.enabled) { + console.log('Recover step 2 failed: User is disabled'); + return response.status(403).json({ error: 'User is disabled' }); + } + + const mfaCode = MFA_CACHE.get(user.handle); + + if (request.body.code !== mfaCode) { + console.log('Recover step 2 failed: Incorrect code'); + return response.status(401).json({ error: 'Incorrect code' }); + } + + const salt = getPasswordSalt(); + user.password = getPasswordHash(request.body.password, salt); + user.salt = salt; + await storage.setItem(STORAGE_KEYS.users, users); + return response.sendStatus(204); +}); + +endpoints.post('/login', jsonParser, async (request, response) => { + if (!request.body.handle || !request.body.password) { + console.log('Login failed: Missing required fields'); + return response.status(400).json({ error: 'Missing required fields' }); + } + + /** @type {User[]} */ + const users = await storage.getItem(STORAGE_KEYS.users); + const user = users.find(user => user.handle === request.body.handle); + + if (!user) { + console.log('Login failed: User not found'); + return response.status(401).json({ error: 'User not found' }); + } + + if (!user.enabled) { + console.log('Login failed: User is disabled'); + return response.status(403).json({ error: 'User is disabled' }); + } + + if (user.password !== getPasswordHash(request.body.password, user.salt)) { + console.log('Login failed: Incorrect password'); + return response.status(401).json({ error: 'Incorrect password' }); + } + + console.log('Login successful:', user.handle); + return response.json({ handle: user.handle }); +}); + +endpoints.post('/create', requireAdminMiddleware, jsonParser, async (request, response) => { + if (!request.body.handle || !request.body.name) { + console.log('Create user failed: Missing required fields'); + return response.status(400).json({ error: 'Missing required fields' }); + } + + /** @type {User[]} */ + const users = await storage.getItem(STORAGE_KEYS.users); + const handle = slugify(request.body.handle, { lower: true, trim: true }); + + if (users.some(user => user.handle === request.body.handle)) { + console.log('Create user failed: User with that handle already exists'); + return response.status(409).json({ error: 'User already exists' }); + } + + const salt = getPasswordSalt(); + const password = request.body.password ? getPasswordHash(request.body.password, salt) : ''; + + const newUser = { + uuid: uuid.v4(), + handle: handle, + name: request.body.name || 'Anonymous', + created: Date.now(), + password: password, + salt: salt, + admin: !!request.body.admin, + enabled: !!request.body.enabled, + }; + + users.push(newUser); + await storage.setItem(STORAGE_KEYS.users, users); + + // Create user directories + console.log('Creating data directories for', newUser.handle); + await contentManager.ensurePublicDirectoriesExist(); + await contentManager.checkForNewContent(newUser.handle); + return response.json({ handle: newUser.handle }); +}); + +router.use('/api/users', endpoints); + module.exports = { initUserStorage, getCurrentUserDirectories, From 0f105e030024397b417f18550cac2fdfd209c63d Mon Sep 17 00:00:00 2001 From: Cohee <18619528+Cohee1207@users.noreply.github.com> Date: Sun, 7 Apr 2024 18:11:23 +0300 Subject: [PATCH 3/3] Fix circular deps, add Helmet https://helmetjs.github.io/ --- package-lock.json | 9 +++++++ package.json | 1 + server.js | 9 +++++-- src/endpoints/content-manager.js | 45 +++++--------------------------- src/users.js | 30 ++++++++++++++++++--- 5 files changed, 50 insertions(+), 44 deletions(-) diff --git a/package-lock.json b/package-lock.json index d9aaf7959..b4e5d82c1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -25,6 +25,7 @@ "form-data": "^4.0.0", "google-translate-api-browser": "^3.0.1", "gpt3-tokenizer": "^1.1.5", + "helmet": "^7.1.0", "ip-matching": "^2.1.2", "ipaddr.js": "^2.0.1", "jimp": "^0.22.10", @@ -2176,6 +2177,14 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/helmet": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/helmet/-/helmet-7.1.0.tgz", + "integrity": "sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg==", + "engines": { + "node": ">=16.0.0" + } + }, "node_modules/htmlparser2": { "version": "8.0.2", "funding": [ diff --git a/package.json b/package.json index fcc4fb039..d358ef5d4 100644 --- a/package.json +++ b/package.json @@ -15,6 +15,7 @@ "form-data": "^4.0.0", "google-translate-api-browser": "^3.0.1", "gpt3-tokenizer": "^1.1.5", + "helmet": "^7.1.0", "ip-matching": "^2.1.2", "ipaddr.js": "^2.0.1", "jimp": "^0.22.10", diff --git a/server.js b/server.js index 9e3497d03..c20bd30b0 100644 --- a/server.js +++ b/server.js @@ -20,6 +20,7 @@ const compression = require('compression'); const cookieParser = require('cookie-parser'); const multer = require('multer'); const responseTime = require('response-time'); +const helmet = require('helmet').default; // net related library imports const net = require('net'); @@ -34,6 +35,7 @@ util.inspect.defaultOptions.depth = 4; // local library imports const { initUserStorage, + ensurePublicDirectoriesExist, userDataMiddleware, migrateUserData, getCsrfSecret, @@ -109,6 +111,9 @@ const serverDirectory = __dirname; process.chdir(serverDirectory); const app = express(); +app.use(helmet({ + contentSecurityPolicy: false, +})); app.use(compression()); app.use(responseTime()); @@ -474,9 +479,9 @@ const setupTasks = async function () { // in any order for encapsulation reasons, but right now it's unknown if that would break anything. await initUserStorage(); await settingsEndpoint.init(); - await contentManager.ensurePublicDirectoriesExist(); + const directories = await ensurePublicDirectoriesExist(); await migrateUserData(); - contentManager.checkForNewContent(); + await contentManager.checkForNewContent(directories); await ensureThumbnailCache(); cleanUploads(); diff --git a/src/endpoints/content-manager.js b/src/endpoints/content-manager.js index 42aa45576..905d8f1bc 100644 --- a/src/endpoints/content-manager.js +++ b/src/endpoints/content-manager.js @@ -7,9 +7,7 @@ const { getConfigValue } = require('../util'); const { jsonParser } = require('../express-common'); const contentDirectory = path.join(process.cwd(), 'default/content'); const contentIndexPath = path.join(contentDirectory, 'index.json'); -const { getAllUserHandles, getUserDirectories } = require('../users'); const characterCardParser = require('../character-card-parser.js'); -const { PUBLIC_DIRECTORIES } = require('../constants'); /** * @typedef {Object} ContentItem @@ -17,28 +15,6 @@ const { PUBLIC_DIRECTORIES } = require('../constants'); * @property {string} type */ -/** - * Ensures that the content directories exist. - * @returns {Promise} - */ -async function ensurePublicDirectoriesExist() { - for (const dir of Object.values(PUBLIC_DIRECTORIES)) { - if (!fs.existsSync(dir)) { - fs.mkdirSync(dir, { recursive: true }); - } - } - - const userHandles = await getAllUserHandles(); - for (const handle of userHandles) { - const userDirectories = getUserDirectories(handle); - for (const dir of Object.values(userDirectories)) { - if (!fs.existsSync(dir)) { - fs.mkdirSync(dir, { recursive: true }); - } - } - } -} - /** * Gets the default presets from the content directory. * @param {import('../users').UserDirectoryList} directories User directories @@ -90,11 +66,9 @@ function getDefaultPresetFile(filename) { /** * Seeds content for a user. * @param {ContentItem[]} contentIndex Content index - * @param {string} userHandle User handle + * @param {import('../users').UserDirectoryList} directories User directories */ -async function seedContentForUser(contentIndex, userHandle) { - const directories = getUserDirectories(userHandle); - +async function seedContentForUser(contentIndex, directories) { if (!fs.existsSync(directories.root)) { fs.mkdirSync(directories.root, { recursive: true }); } @@ -140,10 +114,10 @@ async function seedContentForUser(contentIndex, userHandle) { /** * Checks for new content and seeds it for all users. - * @param {string} [userHandle] User to check the content for (optional) + * @param {import('../users').UserDirectoryList[]} directoriesList List of user directories * @returns {Promise} */ -async function checkForNewContent(userHandle) { +async function checkForNewContent(directoriesList) { try { if (getConfigValue('skipContentCheck', false)) { return; @@ -151,15 +125,9 @@ async function checkForNewContent(userHandle) { const contentIndexText = fs.readFileSync(contentIndexPath, 'utf8'); const contentIndex = JSON.parse(contentIndexText); - const userHandles = await getAllUserHandles(); - if (userHandle && userHandles.includes(userHandle)) { - await seedContentForUser(contentIndex, userHandle); - return; - } - - for (const userHandle of userHandles) { - await seedContentForUser(contentIndex, userHandle); + for (const directories of directoriesList) { + await seedContentForUser(contentIndex, directories); } } catch (err) { console.log('Content check failed', err); @@ -509,7 +477,6 @@ router.post('/importUUID', jsonParser, async (request, response) => { }); module.exports = { - ensurePublicDirectoriesExist, checkForNewContent, getDefaultPresets, getDefaultPresetFile, diff --git a/src/users.js b/src/users.js index 47b366575..41f69c0f4 100644 --- a/src/users.js +++ b/src/users.js @@ -10,7 +10,7 @@ const { getConfigValue, color, delay, setConfigValue, Cache } = require('./util' const express = require('express'); const { readSecret, writeSecret } = require('./endpoints/secrets'); const { jsonParser } = require('./express-common'); -const contentManager = require('./endpoints/content-manager'); +const { checkForNewContent } = require('./endpoints/content-manager'); const DATA_ROOT = getConfigValue('dataRoot', './data'); const MFA_CACHE = new Cache(5 * 60 * 1000); @@ -73,6 +73,29 @@ const STORAGE_KEYS = { * @property {string} vectors - The directory where the vectors are stored */ +/** + * Ensures that the content directories exist. + * @returns {Promise} - The list of user directories + */ +async function ensurePublicDirectoriesExist() { + for (const dir of Object.values(PUBLIC_DIRECTORIES)) { + if (!fs.existsSync(dir)) { + fs.mkdirSync(dir, { recursive: true }); + } + } + + const userHandles = await getAllUserHandles(); + const directoriesList = userHandles.map(handle => getUserDirectories(handle)); + for (const userDirectories of directoriesList) { + for (const dir of Object.values(userDirectories)) { + if (!fs.existsSync(dir)) { + fs.mkdirSync(dir, { recursive: true }); + } + } + } + return directoriesList; +} + /** * Perform migration from the old user data format to the new one. */ @@ -607,8 +630,8 @@ endpoints.post('/create', requireAdminMiddleware, jsonParser, async (request, re // Create user directories console.log('Creating data directories for', newUser.handle); - await contentManager.ensurePublicDirectoriesExist(); - await contentManager.checkForNewContent(newUser.handle); + const directories = await ensurePublicDirectoriesExist(); + await checkForNewContent(directories); return response.json({ handle: newUser.handle }); }); @@ -616,6 +639,7 @@ router.use('/api/users', endpoints); module.exports = { initUserStorage, + ensurePublicDirectoriesExist, getCurrentUserDirectories, getCurrentUserHandle, getAllUserHandles,