Persist CSRF and cookie secrets across server launches

2025-03-27 01:10:14 +01:00 · 2024-04-07 16:41:23 +03:00 · 2024-04-07 16:41:23 +03:00 · b07aef02c7
commit b07aef02c7
parent 11193896b2
8 changed files with 106 additions and 37 deletions
--- a/default/config.yaml
+++ b/default/config.yaml
@ -18,6 +18,8 @@ basicAuthUser:
  password: "password"
 # Enables CORS proxy middleware
 enableCorsProxy: false
+# Used to sign session cookies. Will be auto-generated if not set
+cookieSecret: ''
 # Disable security checks - NOT RECOMMENDED
 securityOverride: false
 # -- ADVANCED CONFIGURATION --
--- a/jsconfig.json
+++ b/jsconfig.json
@ -13,6 +13,7 @@
    "exclude": [
        "node_modules",
        "**/node_modules/*",
-        "public/lib"
+        "public/lib",
+        "backups/*",
    ]
 }
--- a/package-lock.json
+++ b/package-lock.json
@ -32,6 +32,7 @@
                "mime-types": "^2.1.35",
                "multer": "^1.4.5-lts.1",
                "node-fetch": "^2.6.11",
+                "node-persist": "^4.0.1",
                "open": "^8.4.2",
                "png-chunk-text": "^1.0.0",
                "png-chunks-encode": "^1.0.0",
@ -2735,6 +2736,14 @@
                }
            }
        },
+        "node_modules/node-persist": {
+            "version": "4.0.1",
+            "resolved": "https://registry.npmjs.org/node-persist/-/node-persist-4.0.1.tgz",
+            "integrity": "sha512-QtRjwAlcOQChQpfG6odtEhxYmA3nS5XYr+bx9JRjwahl1TM3sm9J3CCn51/MI0eoHRb2DrkEsCOFo8sq8jG5sQ==",
+            "engines": {
+                "node": ">=10.12.0"
+            }
+        },
        "node_modules/normalize-url": {
            "version": "6.1.0",
            "license": "MIT",
--- a/package.json
+++ b/package.json
@ -22,6 +22,7 @@
        "mime-types": "^2.1.35",
        "multer": "^1.4.5-lts.1",
        "node-fetch": "^2.6.11",
+        "node-persist": "^4.0.1",
        "open": "^8.4.2",
        "png-chunk-text": "^1.0.0",
        "png-chunks-encode": "^1.0.0",
--- a/server.js
+++ b/server.js
@ -1,7 +1,6 @@
 #!/usr/bin/env node

 // native node modules
-const crypto = require('crypto');
 const fs = require('fs');
 const http = require('http');
 const https = require('https');
@ -39,6 +38,8 @@ const {
    getUserDirectories,
    getAllUserHandles,
    migrateUserData,
+    getCsrfSecret,
+    getCookieSecret,
 } = require('./src/users');
 const basicAuthMiddleware = require('./src/middleware/basicAuth');
 const whitelistMiddleware = require('./src/middleware/whitelist');
@ -132,14 +133,14 @@ app.use(CORS);
 if (listen && basicAuthMode) app.use(basicAuthMiddleware);

 app.use(whitelistMiddleware(listen));
+app.use(userDataMiddleware());

 // CSRF Protection //
 if (!cliArguments.disableCsrf) {
-    const CSRF_SECRET = crypto.randomBytes(8).toString('hex');
-    const COOKIES_SECRET = crypto.randomBytes(8).toString('hex');
+    const COOKIES_SECRET = getCookieSecret();

    const { generateToken, doubleCsrfProtection } = doubleCsrf({
-        getSecret: () => CSRF_SECRET,
+        getSecret: getCsrfSecret,
        cookieName: 'X-CSRF-Token',
        cookieOptions: {
            httpOnly: true,
@ -218,7 +219,6 @@ if (enableCorsProxy) {
 }

 app.use(express.static(process.cwd() + '/public', {}));
-app.use(userDataMiddleware());
 app.use('/', require('./src/users').router);

 app.use(multer({ dest: UPLOADS_PATH, limits: { fieldSize: 10 * 1024 * 1024 } }).single('avatar'));
--- a/src/constants.js
+++ b/src/constants.js
@ -40,12 +40,18 @@ const USER_DIRECTORY_TEMPLATE = Object.freeze({
    vectors: 'vectors',
 });

+/**
+ * @type {import('./users').User}
+ * @readonly
+ */
 const DEFAULT_USER = Object.freeze({
    uuid: '00000000-0000-0000-0000-000000000000',
    handle: 'user0',
    name: 'User',
    created: 0,
    password: '',
+    admin: true,
+    enabled: true,
 });

 const UNSAFE_EXTENSIONS = [
--- a/src/users.js
+++ b/src/users.js
@ -1,11 +1,20 @@
 const path = require('path');
 const fs = require('fs');
+const crypto = require('crypto');
+const storage = require('node-persist');
 const { USER_DIRECTORY_TEMPLATE, DEFAULT_USER, PUBLIC_DIRECTORIES } = require('./constants');
-const { getConfigValue, color, delay } = require('./util');
+const { getConfigValue, color, delay, setConfigValue } = require('./util');
 const express = require('express');
+const { readSecret, writeSecret } = require('./endpoints/secrets');

 const DATA_ROOT = getConfigValue('dataRoot', './data');

+const STORAGE_KEYS = {
+    users: 'users',
+    csrfSecret: 'csrfSecret',
+    cookieSecret: 'cookieSecret',
+};
+
 /**
 * @typedef {Object} User
 * @property {string} uuid - The user's id
@ -13,6 +22,8 @@ const DATA_ROOT = getConfigValue('dataRoot', './data');
 * @property {string} name - The user's name. Displayed in the UI
 * @property {number} created - The timestamp when the user was created
 * @property {string} password - SHA256 hash of the user's password
+ * @property {boolean} enabled - Whether the user is enabled
+ * @property {boolean} admin - Whether the user is an admin (can manage other users)
 */

 /**
@ -246,7 +257,51 @@ async function migrateUserData() {
 * @returns {Promise<void>}
 */
 async function initUserStorage() {
-    return Promise.resolve();
+    await storage.init({
+        dir: path.join(DATA_ROOT, '_storage'),
+    });
+
+    const users = await storage.getItem('users');
+
+    if (!users) {
+        await storage.setItem('users', [DEFAULT_USER]);
+    }
+}
+
+/**
+ * Get the cookie secret from the config. If it doesn't exist, generate a new one.
+ * @returns {string} The cookie secret
+ */
+function getCookieSecret() {
+    let secret = getConfigValue(STORAGE_KEYS.cookieSecret);
+
+    if (!secret) {
+        console.warn(color.yellow('Cookie secret is missing from config.yaml. Generating a new one...'));
+        secret = crypto.randomBytes(64).toString('base64');
+        setConfigValue(STORAGE_KEYS.cookieSecret, secret);
+    }
+
+    return secret;
+}
+
+/**
+ * Get the CSRF secret from the storage.
+ * @param {import('express').Request} [request] HTTP request object
+ * @returns {string} The CSRF secret
+ */
+function getCsrfSecret(request) {
+    if (!request || !request.user) {
+        throw new Error('Request object is required to get the CSRF secret.');
+    }
+
+    let csrfSecret = readSecret(request.user.directories, STORAGE_KEYS.csrfSecret);
+
+    if (!csrfSecret) {
+        csrfSecret = crypto.randomBytes(64).toString('base64');
+        writeSecret(request.user.directories, STORAGE_KEYS.csrfSecret, csrfSecret);
+    }
+
+    return csrfSecret;
 }

 /**
@ -348,5 +403,7 @@ module.exports = {
    getUserDirectories,
    userDataMiddleware,
    migrateUserData,
+    getCsrfSecret,
+    getCookieSecret,
    router,
 };
--- a/src/util.js
+++ b/src/util.js
@ -15,38 +15,19 @@ const { PUBLIC_DIRECTORIES } = require('./constants');
 * @returns {object} Config object
 */
 function getConfig() {
-    function getNewConfig() {
-        try {
-            const config = yaml.parse(fs.readFileSync(path.join(process.cwd(), './config.yaml'), 'utf8'));
-            return config;
-        } catch (error) {
-            console.warn('Failed to read config.yaml');
-            return {};
-        }
+    if (!fs.existsSync('./config.yaml')) {
+        console.error(color.red('No config file found. Please create a config.yaml file. The default config file can be found in the /default folder.'));
+        console.error(color.red('The program will now exit.'));
+        process.exit(1);
    }

-    function getLegacyConfig() {
-        try {
-            console.log(color.yellow('WARNING: config.conf is deprecated. Please run "npm run postinstall" to convert to config.yaml'));
-            const config = require(path.join(process.cwd(), './config.conf'));
-            return config;
-        } catch (error) {
-            console.warn('Failed to read config.conf');
-            return {};
-        }
+    try {
+        const config = yaml.parse(fs.readFileSync(path.join(process.cwd(), './config.yaml'), 'utf8'));
+        return config;
+    } catch (error) {
+        console.warn('Failed to read config.yaml');
+        return {};
    }
-
-    if (fs.existsSync('./config.yaml')) {
-        return getNewConfig();
-    }
-
-    if (fs.existsSync('./config.conf')) {
-        return getLegacyConfig();
-    }
-
-    console.error(color.red('No config file found. Please create a config.yaml file. The default config file can be found in the /default folder.'));
-    console.error(color.red('The program will now exit.'));
-    process.exit(1);
 }

 /**
@ -60,6 +41,17 @@ function getConfigValue(key, defaultValue = null) {
    return _.get(config, key, defaultValue);
 }

+/**
+ * Sets a value for the given key in the config object and writes it to the config.yaml file.
+ * @param {string} key Key to set
+ * @param {any} value Value to set
+ */
+function setConfigValue(key, value) {
+    const config = getConfig();
+    _.set(config, key, value);
+    fs.writeFileSync('./config.yaml', yaml.stringify(config));
+}
+
 /**
 * Encodes the Basic Auth header value for the given user and password.
 * @param {string} auth username:password
@ -600,6 +592,7 @@ class Cache {
 module.exports = {
    getConfig,
    getConfigValue,
+    setConfigValue,
    getVersion,
    getBasicAuthHeader,
    extractFileFromZipBuffer,