Persist CSRF and cookie secrets across server launches

2025-04-18 04:37:22 +02:00 · 2024-04-07 16:41:23 +03:00 · 2024-04-07 16:41:23 +03:00 · b07aef02c7
commit b07aef02c7
parent 11193896b2
8 changed files with 106 additions and 37 deletions
--- a/default/config.yaml
+++ b/default/config.yaml
@ -18,6 +18,8 @@ basicAuthUser:
  password: "password"
 # Enables CORS proxy middleware
 enableCorsProxy: false
 # Used to sign session cookies. Will be auto-generated if not set
 cookieSecret: ''
 # Disable security checks - NOT RECOMMENDED
 securityOverride: false
 # -- ADVANCED CONFIGURATION --
--- a/jsconfig.json
+++ b/jsconfig.json
@ -13,6 +13,7 @@
    "exclude": [
        "node_modules",
        "**/node_modules/*",
-        "public/lib"
+        "public/lib",
        "backups/*",
    ]
 }
--- a/package-lock.json
+++ b/package-lock.json
@ -32,6 +32,7 @@
                "mime-types": "^2.1.35",
                "multer": "^1.4.5-lts.1",
                "node-fetch": "^2.6.11",
                "node-persist": "^4.0.1",
                "open": "^8.4.2",
                "png-chunk-text": "^1.0.0",
                "png-chunks-encode": "^1.0.0",
@ -2735,6 +2736,14 @@
                }
            }
        },
        "node_modules/node-persist": {
            "version": "4.0.1",
            "resolved": "https://registry.npmjs.org/node-persist/-/node-persist-4.0.1.tgz",
            "integrity": "sha512-QtRjwAlcOQChQpfG6odtEhxYmA3nS5XYr+bx9JRjwahl1TM3sm9J3CCn51/MI0eoHRb2DrkEsCOFo8sq8jG5sQ==",
            "engines": {
                "node": ">=10.12.0"
            }
        },
        "node_modules/normalize-url": {
            "version": "6.1.0",
            "license": "MIT",
--- a/package.json
+++ b/package.json
@ -22,6 +22,7 @@
        "mime-types": "^2.1.35",
        "multer": "^1.4.5-lts.1",
        "node-fetch": "^2.6.11",
        "node-persist": "^4.0.1",
        "open": "^8.4.2",
        "png-chunk-text": "^1.0.0",
        "png-chunks-encode": "^1.0.0",
--- a/server.js
+++ b/server.js
@ -1,7 +1,6 @@
 #!/usr/bin/env node
 // native node modules
 const crypto = require('crypto');
 const fs = require('fs');
 const http = require('http');
 const https = require('https');
@ -39,6 +38,8 @@ const {
    getUserDirectories,
    getAllUserHandles,
    migrateUserData,
    getCsrfSecret,
    getCookieSecret,
 } = require('./src/users');
 const basicAuthMiddleware = require('./src/middleware/basicAuth');
 const whitelistMiddleware = require('./src/middleware/whitelist');
@ -132,14 +133,14 @@ app.use(CORS);
 if (listen && basicAuthMode) app.use(basicAuthMiddleware);
 app.use(whitelistMiddleware(listen));
 app.use(userDataMiddleware());
 // CSRF Protection //
 if (!cliArguments.disableCsrf) {
-    const CSRF_SECRET = crypto.randomBytes(8).toString('hex');
+    const COOKIES_SECRET = getCookieSecret();
    const COOKIES_SECRET = crypto.randomBytes(8).toString('hex');
    const { generateToken, doubleCsrfProtection } = doubleCsrf({
-        getSecret: () => CSRF_SECRET,
+        getSecret: getCsrfSecret,
        cookieName: 'X-CSRF-Token',
        cookieOptions: {
            httpOnly: true,
@ -218,7 +219,6 @@ if (enableCorsProxy) {
 }
 app.use(express.static(process.cwd() + '/public', {}));
 app.use(userDataMiddleware());
 app.use('/', require('./src/users').router);
 app.use(multer({ dest: UPLOADS_PATH, limits: { fieldSize: 10 * 1024 * 1024 } }).single('avatar'));
--- a/src/constants.js
+++ b/src/constants.js
@ -40,12 +40,18 @@ const USER_DIRECTORY_TEMPLATE = Object.freeze({
    vectors: 'vectors',
 });
 /**
 * @type {import('./users').User}
 * @readonly
 */
 const DEFAULT_USER = Object.freeze({
    uuid: '00000000-0000-0000-0000-000000000000',
    handle: 'user0',
    name: 'User',
    created: 0,
    password: '',
    admin: true,
    enabled: true,
 });
 const UNSAFE_EXTENSIONS = [
--- a/src/users.js
+++ b/src/users.js
@ -1,11 +1,20 @@
 const path = require('path');
 const fs = require('fs');
 const crypto = require('crypto');
 const storage = require('node-persist');
 const { USER_DIRECTORY_TEMPLATE, DEFAULT_USER, PUBLIC_DIRECTORIES } = require('./constants');
-const { getConfigValue, color, delay } = require('./util');
+const { getConfigValue, color, delay, setConfigValue } = require('./util');
 const express = require('express');
 const { readSecret, writeSecret } = require('./endpoints/secrets');
 const DATA_ROOT = getConfigValue('dataRoot', './data');
 const STORAGE_KEYS = {
    users: 'users',
    csrfSecret: 'csrfSecret',
    cookieSecret: 'cookieSecret',
 };
 /**
 * @typedef {Object} User
 * @property {string} uuid - The user's id
@ -13,6 +22,8 @@ const DATA_ROOT = getConfigValue('dataRoot', './data');
 * @property {string} name - The user's name. Displayed in the UI
 * @property {number} created - The timestamp when the user was created
 * @property {string} password - SHA256 hash of the user's password
 * @property {boolean} enabled - Whether the user is enabled
 * @property {boolean} admin - Whether the user is an admin (can manage other users)
 */
 /**
@ -246,7 +257,51 @@ async function migrateUserData() {
 * @returns {Promise<void>}
 */
 async function initUserStorage() {
-    return Promise.resolve();
+    await storage.init({
        dir: path.join(DATA_ROOT, '_storage'),
    });
    const users = await storage.getItem('users');
    if (!users) {
        await storage.setItem('users', [DEFAULT_USER]);
    }
 }
 /**
 * Get the cookie secret from the config. If it doesn't exist, generate a new one.
 * @returns {string} The cookie secret
 */
 function getCookieSecret() {
    let secret = getConfigValue(STORAGE_KEYS.cookieSecret);
    if (!secret) {
        console.warn(color.yellow('Cookie secret is missing from config.yaml. Generating a new one...'));
        secret = crypto.randomBytes(64).toString('base64');
        setConfigValue(STORAGE_KEYS.cookieSecret, secret);
    }
    return secret;
 }
 /**
 * Get the CSRF secret from the storage.
 * @param {import('express').Request} [request] HTTP request object
 * @returns {string} The CSRF secret
 */
 function getCsrfSecret(request) {
    if (!request || !request.user) {
        throw new Error('Request object is required to get the CSRF secret.');
    }
    let csrfSecret = readSecret(request.user.directories, STORAGE_KEYS.csrfSecret);
    if (!csrfSecret) {
        csrfSecret = crypto.randomBytes(64).toString('base64');
        writeSecret(request.user.directories, STORAGE_KEYS.csrfSecret, csrfSecret);
    }
    return csrfSecret;
 }
 /**
@ -348,5 +403,7 @@ module.exports = {
    getUserDirectories,
    userDataMiddleware,
    migrateUserData,
    getCsrfSecret,
    getCookieSecret,
    router,
 };
--- a/src/util.js
+++ b/src/util.js
@ -15,38 +15,19 @@ const { PUBLIC_DIRECTORIES } = require('./constants');
 * @returns {object} Config object
 */
 function getConfig() {
-    function getNewConfig() {
+    if (!fs.existsSync('./config.yaml')) {
-        try {
+        console.error(color.red('No config file found. Please create a config.yaml file. The default config file can be found in the /default folder.'));
-            const config = yaml.parse(fs.readFileSync(path.join(process.cwd(), './config.yaml'), 'utf8'));
+        console.error(color.red('The program will now exit.'));
-            return config;
+        process.exit(1);
        } catch (error) {
            console.warn('Failed to read config.yaml');
            return {};
        }
    }
-    function getLegacyConfig() {
+    try {
-        try {
+        const config = yaml.parse(fs.readFileSync(path.join(process.cwd(), './config.yaml'), 'utf8'));
-            console.log(color.yellow('WARNING: config.conf is deprecated. Please run "npm run postinstall" to convert to config.yaml'));
+        return config;
-            const config = require(path.join(process.cwd(), './config.conf'));
+    } catch (error) {
-            return config;
+        console.warn('Failed to read config.yaml');
-        } catch (error) {
+        return {};
            console.warn('Failed to read config.conf');
            return {};
        }
    }
    if (fs.existsSync('./config.yaml')) {
        return getNewConfig();
    }
    if (fs.existsSync('./config.conf')) {
        return getLegacyConfig();
    }
    console.error(color.red('No config file found. Please create a config.yaml file. The default config file can be found in the /default folder.'));
    console.error(color.red('The program will now exit.'));
    process.exit(1);
 }
 /**
@ -60,6 +41,17 @@ function getConfigValue(key, defaultValue = null) {
    return _.get(config, key, defaultValue);
 }
 /**
 * Sets a value for the given key in the config object and writes it to the config.yaml file.
 * @param {string} key Key to set
 * @param {any} value Value to set
 */
 function setConfigValue(key, value) {
    const config = getConfig();
    _.set(config, key, value);
    fs.writeFileSync('./config.yaml', yaml.stringify(config));
 }
 /**
 * Encodes the Basic Auth header value for the given user and password.
 * @param {string} auth username:password
@ -600,6 +592,7 @@ class Cache {
 module.exports = {
    getConfig,
    getConfigValue,
    setConfigValue,
    getVersion,
    getBasicAuthHeader,
    extractFileFromZipBuffer,