mirror of
				https://github.com/SillyTavern/SillyTavern.git
				synced 2025-06-05 21:59:27 +02:00 
			
		
		
		
	Persist CSRF and cookie secrets across server launches
This commit is contained in:
		| @@ -18,6 +18,8 @@ basicAuthUser: | ||||
|   password: "password" | ||||
| # Enables CORS proxy middleware | ||||
| enableCorsProxy: false | ||||
| # Used to sign session cookies. Will be auto-generated if not set | ||||
| cookieSecret: '' | ||||
| # Disable security checks - NOT RECOMMENDED | ||||
| securityOverride: false | ||||
| # -- ADVANCED CONFIGURATION -- | ||||
|   | ||||
| @@ -13,6 +13,7 @@ | ||||
|     "exclude": [ | ||||
|         "node_modules", | ||||
|         "**/node_modules/*", | ||||
|         "public/lib" | ||||
|         "public/lib", | ||||
|         "backups/*", | ||||
|     ] | ||||
| } | ||||
|   | ||||
							
								
								
									
										9
									
								
								package-lock.json
									
									
									
										generated
									
									
									
								
							
							
						
						
									
										9
									
								
								package-lock.json
									
									
									
										generated
									
									
									
								
							| @@ -32,6 +32,7 @@ | ||||
|                 "mime-types": "^2.1.35", | ||||
|                 "multer": "^1.4.5-lts.1", | ||||
|                 "node-fetch": "^2.6.11", | ||||
|                 "node-persist": "^4.0.1", | ||||
|                 "open": "^8.4.2", | ||||
|                 "png-chunk-text": "^1.0.0", | ||||
|                 "png-chunks-encode": "^1.0.0", | ||||
| @@ -2735,6 +2736,14 @@ | ||||
|                 } | ||||
|             } | ||||
|         }, | ||||
|         "node_modules/node-persist": { | ||||
|             "version": "4.0.1", | ||||
|             "resolved": "https://registry.npmjs.org/node-persist/-/node-persist-4.0.1.tgz", | ||||
|             "integrity": "sha512-QtRjwAlcOQChQpfG6odtEhxYmA3nS5XYr+bx9JRjwahl1TM3sm9J3CCn51/MI0eoHRb2DrkEsCOFo8sq8jG5sQ==", | ||||
|             "engines": { | ||||
|                 "node": ">=10.12.0" | ||||
|             } | ||||
|         }, | ||||
|         "node_modules/normalize-url": { | ||||
|             "version": "6.1.0", | ||||
|             "license": "MIT", | ||||
|   | ||||
| @@ -22,6 +22,7 @@ | ||||
|         "mime-types": "^2.1.35", | ||||
|         "multer": "^1.4.5-lts.1", | ||||
|         "node-fetch": "^2.6.11", | ||||
|         "node-persist": "^4.0.1", | ||||
|         "open": "^8.4.2", | ||||
|         "png-chunk-text": "^1.0.0", | ||||
|         "png-chunks-encode": "^1.0.0", | ||||
|   | ||||
							
								
								
									
										10
									
								
								server.js
									
									
									
									
									
								
							
							
						
						
									
										10
									
								
								server.js
									
									
									
									
									
								
							| @@ -1,7 +1,6 @@ | ||||
| #!/usr/bin/env node | ||||
|  | ||||
| // native node modules | ||||
| const crypto = require('crypto'); | ||||
| const fs = require('fs'); | ||||
| const http = require('http'); | ||||
| const https = require('https'); | ||||
| @@ -39,6 +38,8 @@ const { | ||||
|     getUserDirectories, | ||||
|     getAllUserHandles, | ||||
|     migrateUserData, | ||||
|     getCsrfSecret, | ||||
|     getCookieSecret, | ||||
| } = require('./src/users'); | ||||
| const basicAuthMiddleware = require('./src/middleware/basicAuth'); | ||||
| const whitelistMiddleware = require('./src/middleware/whitelist'); | ||||
| @@ -132,14 +133,14 @@ app.use(CORS); | ||||
| if (listen && basicAuthMode) app.use(basicAuthMiddleware); | ||||
|  | ||||
| app.use(whitelistMiddleware(listen)); | ||||
| app.use(userDataMiddleware()); | ||||
|  | ||||
| // CSRF Protection // | ||||
| if (!cliArguments.disableCsrf) { | ||||
|     const CSRF_SECRET = crypto.randomBytes(8).toString('hex'); | ||||
|     const COOKIES_SECRET = crypto.randomBytes(8).toString('hex'); | ||||
|     const COOKIES_SECRET = getCookieSecret(); | ||||
|  | ||||
|     const { generateToken, doubleCsrfProtection } = doubleCsrf({ | ||||
|         getSecret: () => CSRF_SECRET, | ||||
|         getSecret: getCsrfSecret, | ||||
|         cookieName: 'X-CSRF-Token', | ||||
|         cookieOptions: { | ||||
|             httpOnly: true, | ||||
| @@ -218,7 +219,6 @@ if (enableCorsProxy) { | ||||
| } | ||||
|  | ||||
| app.use(express.static(process.cwd() + '/public', {})); | ||||
| app.use(userDataMiddleware()); | ||||
| app.use('/', require('./src/users').router); | ||||
|  | ||||
| app.use(multer({ dest: UPLOADS_PATH, limits: { fieldSize: 10 * 1024 * 1024 } }).single('avatar')); | ||||
|   | ||||
| @@ -40,12 +40,18 @@ const USER_DIRECTORY_TEMPLATE = Object.freeze({ | ||||
|     vectors: 'vectors', | ||||
| }); | ||||
|  | ||||
| /** | ||||
|  * @type {import('./users').User} | ||||
|  * @readonly | ||||
|  */ | ||||
| const DEFAULT_USER = Object.freeze({ | ||||
|     uuid: '00000000-0000-0000-0000-000000000000', | ||||
|     handle: 'user0', | ||||
|     name: 'User', | ||||
|     created: 0, | ||||
|     password: '', | ||||
|     admin: true, | ||||
|     enabled: true, | ||||
| }); | ||||
|  | ||||
| const UNSAFE_EXTENSIONS = [ | ||||
|   | ||||
							
								
								
									
										61
									
								
								src/users.js
									
									
									
									
									
								
							
							
						
						
									
										61
									
								
								src/users.js
									
									
									
									
									
								
							| @@ -1,11 +1,20 @@ | ||||
| const path = require('path'); | ||||
| const fs = require('fs'); | ||||
| const crypto = require('crypto'); | ||||
| const storage = require('node-persist'); | ||||
| const { USER_DIRECTORY_TEMPLATE, DEFAULT_USER, PUBLIC_DIRECTORIES } = require('./constants'); | ||||
| const { getConfigValue, color, delay } = require('./util'); | ||||
| const { getConfigValue, color, delay, setConfigValue } = require('./util'); | ||||
| const express = require('express'); | ||||
| const { readSecret, writeSecret } = require('./endpoints/secrets'); | ||||
|  | ||||
| const DATA_ROOT = getConfigValue('dataRoot', './data'); | ||||
|  | ||||
| const STORAGE_KEYS = { | ||||
|     users: 'users', | ||||
|     csrfSecret: 'csrfSecret', | ||||
|     cookieSecret: 'cookieSecret', | ||||
| }; | ||||
|  | ||||
| /** | ||||
|  * @typedef {Object} User | ||||
|  * @property {string} uuid - The user's id | ||||
| @@ -13,6 +22,8 @@ const DATA_ROOT = getConfigValue('dataRoot', './data'); | ||||
|  * @property {string} name - The user's name. Displayed in the UI | ||||
|  * @property {number} created - The timestamp when the user was created | ||||
|  * @property {string} password - SHA256 hash of the user's password | ||||
|  * @property {boolean} enabled - Whether the user is enabled | ||||
|  * @property {boolean} admin - Whether the user is an admin (can manage other users) | ||||
|  */ | ||||
|  | ||||
| /** | ||||
| @@ -246,7 +257,51 @@ async function migrateUserData() { | ||||
|  * @returns {Promise<void>} | ||||
|  */ | ||||
| async function initUserStorage() { | ||||
|     return Promise.resolve(); | ||||
|     await storage.init({ | ||||
|         dir: path.join(DATA_ROOT, '_storage'), | ||||
|     }); | ||||
|  | ||||
|     const users = await storage.getItem('users'); | ||||
|  | ||||
|     if (!users) { | ||||
|         await storage.setItem('users', [DEFAULT_USER]); | ||||
|     } | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Get the cookie secret from the config. If it doesn't exist, generate a new one. | ||||
|  * @returns {string} The cookie secret | ||||
|  */ | ||||
| function getCookieSecret() { | ||||
|     let secret = getConfigValue(STORAGE_KEYS.cookieSecret); | ||||
|  | ||||
|     if (!secret) { | ||||
|         console.warn(color.yellow('Cookie secret is missing from config.yaml. Generating a new one...')); | ||||
|         secret = crypto.randomBytes(64).toString('base64'); | ||||
|         setConfigValue(STORAGE_KEYS.cookieSecret, secret); | ||||
|     } | ||||
|  | ||||
|     return secret; | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Get the CSRF secret from the storage. | ||||
|  * @param {import('express').Request} [request] HTTP request object | ||||
|  * @returns {string} The CSRF secret | ||||
|  */ | ||||
| function getCsrfSecret(request) { | ||||
|     if (!request || !request.user) { | ||||
|         throw new Error('Request object is required to get the CSRF secret.'); | ||||
|     } | ||||
|  | ||||
|     let csrfSecret = readSecret(request.user.directories, STORAGE_KEYS.csrfSecret); | ||||
|  | ||||
|     if (!csrfSecret) { | ||||
|         csrfSecret = crypto.randomBytes(64).toString('base64'); | ||||
|         writeSecret(request.user.directories, STORAGE_KEYS.csrfSecret, csrfSecret); | ||||
|     } | ||||
|  | ||||
|     return csrfSecret; | ||||
| } | ||||
|  | ||||
| /** | ||||
| @@ -348,5 +403,7 @@ module.exports = { | ||||
|     getUserDirectories, | ||||
|     userDataMiddleware, | ||||
|     migrateUserData, | ||||
|     getCsrfSecret, | ||||
|     getCookieSecret, | ||||
|     router, | ||||
| }; | ||||
|   | ||||
							
								
								
									
										51
									
								
								src/util.js
									
									
									
									
									
								
							
							
						
						
									
										51
									
								
								src/util.js
									
									
									
									
									
								
							| @@ -15,38 +15,19 @@ const { PUBLIC_DIRECTORIES } = require('./constants'); | ||||
|  * @returns {object} Config object | ||||
|  */ | ||||
| function getConfig() { | ||||
|     function getNewConfig() { | ||||
|         try { | ||||
|             const config = yaml.parse(fs.readFileSync(path.join(process.cwd(), './config.yaml'), 'utf8')); | ||||
|             return config; | ||||
|         } catch (error) { | ||||
|             console.warn('Failed to read config.yaml'); | ||||
|             return {}; | ||||
|         } | ||||
|     if (!fs.existsSync('./config.yaml')) { | ||||
|         console.error(color.red('No config file found. Please create a config.yaml file. The default config file can be found in the /default folder.')); | ||||
|         console.error(color.red('The program will now exit.')); | ||||
|         process.exit(1); | ||||
|     } | ||||
|  | ||||
|     function getLegacyConfig() { | ||||
|         try { | ||||
|             console.log(color.yellow('WARNING: config.conf is deprecated. Please run "npm run postinstall" to convert to config.yaml')); | ||||
|             const config = require(path.join(process.cwd(), './config.conf')); | ||||
|             return config; | ||||
|         } catch (error) { | ||||
|             console.warn('Failed to read config.conf'); | ||||
|             return {}; | ||||
|         } | ||||
|     try { | ||||
|         const config = yaml.parse(fs.readFileSync(path.join(process.cwd(), './config.yaml'), 'utf8')); | ||||
|         return config; | ||||
|     } catch (error) { | ||||
|         console.warn('Failed to read config.yaml'); | ||||
|         return {}; | ||||
|     } | ||||
|  | ||||
|     if (fs.existsSync('./config.yaml')) { | ||||
|         return getNewConfig(); | ||||
|     } | ||||
|  | ||||
|     if (fs.existsSync('./config.conf')) { | ||||
|         return getLegacyConfig(); | ||||
|     } | ||||
|  | ||||
|     console.error(color.red('No config file found. Please create a config.yaml file. The default config file can be found in the /default folder.')); | ||||
|     console.error(color.red('The program will now exit.')); | ||||
|     process.exit(1); | ||||
| } | ||||
|  | ||||
| /** | ||||
| @@ -60,6 +41,17 @@ function getConfigValue(key, defaultValue = null) { | ||||
|     return _.get(config, key, defaultValue); | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Sets a value for the given key in the config object and writes it to the config.yaml file. | ||||
|  * @param {string} key Key to set | ||||
|  * @param {any} value Value to set | ||||
|  */ | ||||
| function setConfigValue(key, value) { | ||||
|     const config = getConfig(); | ||||
|     _.set(config, key, value); | ||||
|     fs.writeFileSync('./config.yaml', yaml.stringify(config)); | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Encodes the Basic Auth header value for the given user and password. | ||||
|  * @param {string} auth username:password | ||||
| @@ -600,6 +592,7 @@ class Cache { | ||||
| module.exports = { | ||||
|     getConfig, | ||||
|     getConfigValue, | ||||
|     setConfigValue, | ||||
|     getVersion, | ||||
|     getBasicAuthHeader, | ||||
|     extractFileFromZipBuffer, | ||||
|   | ||||
		Reference in New Issue
	
	Block a user