fix: redirection token expiration and device UUID check (#1098)
madhavilosetty-intel authored Oct 6, 2023
1 parent 1b30f38 commit 42fdb7a
Showing 2 changed files with 54 additions and 16 deletions.
54 changes: 42 additions & 12 deletions src/server/webserver.test.ts
Expand Up @@ -11,6 +11,7 @@ import { Environment } from '../utils/Environment'
import { IncomingMessage } from 'http'
import { Socket } from 'net'
import { devices } from './mpsserver'
import { signature } from '../routes/auth/signature'
Environment.Config = config

let certs: certificatesType
Expand Down Expand Up @@ -67,14 +68,40 @@ describe('webserver tests', () => {
const result = web.verifyClientToken(info)
expect(result).toBe(false)
})
it('should return false when client jwt token is for invalid device', () => {
const inValidToken = signature(5, '4c4c4544-004d-4d10-8050-b3c04f325133')
const info = {
req: {
url: '/relay/webrelay.ashx?p=2&host=4c4c4544-004b-4210-8033-b6c04f504633&port=16994&tls=0&tls1only=0',
headers: {
'sec-websocket-protocol': inValidToken
}
}
}
const result = web.verifyClientToken(info)
expect(result).toBe(false)
})
it('should return false when client jwt token is expired', () => {
const info = {
req: {
url: '/relay/webrelay.ashx?p=2&host=4c4c4544-004d-4d10-8050-b3c04f325133&port=16994&tls=0&tls1only=0',
headers: {
'sec-websocket-protocol': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRJZCI6IiIsImlzcyI6IjlFbVJKVGJJaUliNGJJZVNzbWdjV0lqclI2SHlFVHFjIiwiZGV2aWNlSWQiOiI0YzRjNDU0NC0wMDRkLTRkMTAtODA1MC1iM2MwNGYzMjUxMzMiLCJleHAiOjE2OTY2MDk5NTN9.52h9jO1f8F4PmckqZeGyrpd3F5Wmq2d8041tO9cFrBc'
}
}
}
const result = web.verifyClientToken(info)
expect(result).toBe(false)
})
it('should return true when client jwt token is valid', () => {
const jwsSpy = jest.spyOn(web.jws, 'verify')
const validToken = signature(5, '4c4c4544-004b-4210-8033-b6c04f504633')
devices['4c4c4544-004b-4210-8033-b6c04f504633'] = {} as any
jwsSpy.mockImplementationOnce(() => true)
const info = {
req: {
url: '/relay/webrelay.ashx?p=2&host=4c4c4544-004b-4210-8033-b6c04f504633&port=16994&tls=0&tls1only=0',
headers: ['sec-websocket-protocol:supersecret']
headers: {
'sec-websocket-protocol': validToken
}
}
}
const result = web.verifyClientToken(info)
Expand All @@ -95,39 +122,42 @@ describe('webserver tests', () => {
expect(result).toBe(false)
})
it('should allow KVM connection when no KVM connection', () => {
const jwsSpy = jest.spyOn(web.jws, 'verify')
jwsSpy.mockImplementationOnce(() => true)
const validToken = signature(5, '4c4c4544-004b-4210-8033-b6c04f504633')
devices['4c4c4544-004b-4210-8033-b6c04f504633'].kvmConnect = false // {} as any
const info = {
req: {
url: '/relay/webrelay.ashx?p=2&host=4c4c4544-004b-4210-8033-b6c04f504633&port=16994&tls=0&tls1only=0',
headers: ['sec-websocket-protocol:supersecret']
headers: {
'sec-websocket-protocol': validToken
}
}
}
const result = web.verifyClientToken(info)
expect(result).toBe(true)
})
it('should not allow KVM connection when KVM connection active', () => {
const jwsSpy = jest.spyOn(web.jws, 'verify')
jwsSpy.mockImplementationOnce(() => true)
const validToken = signature(5, '4c4c4544-004b-4210-8033-b6c04f504633')
devices['4c4c4544-004b-4210-8033-b6c04f504633'].kvmConnect = true // {} as any
const info = {
req: {
url: '/relay/webrelay.ashx?p=2&host=4c4c4544-004b-4210-8033-b6c04f504633&port=16994&tls=0&tls1only=0',
headers: ['sec-websocket-protocol:supersecret']
headers: {
'sec-websocket-protocol': validToken
}
}
}
const result = web.verifyClientToken(info)
expect(result).toBe(false)
})
it('should not allow KVM connection when no connection exists', () => {
const jwsSpy = jest.spyOn(web.jws, 'verify')
jwsSpy.mockImplementationOnce(() => true)
const validToken = signature(5, '4c4c4544-004b-4210-8033-b6c04f504633')
devices['4c4c4544-004b-4210-8033-b6c04f504633'] = null
const info = {
req: {
url: '/relay/webrelay.ashx?p=2&host=4c4c4544-004b-4210-8033-b6c04f504633&port=16994&tls=0&tls1only=0',
headers: ['sec-websocket-protocol:supersecret']
headers: {
'sec-websocket-protocol': validToken
}
}
}
const result = web.verifyClientToken(info)
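Review bot: The expired-token test on L41–L52 pins a hard-coded JWT, so it passes whenever that token's signature simply fails against `Environment.Config.jwt_secret`, and therefore does not prove the new `exp` check; mint the token with `signature()` using a past expiry, or freeze time with `jest.spyOn(Date, 'now').mockReturnValue(...)`, so the assertion fails if expiration handling regresses. The valid-token cases still stub `web.jws.verify` to return true (L54/L57, L72–L73 only partly removed) even though they now carry a real `signature(...)` token, which masks genuine signature failures. There is also no case for an undecodable header such as `'sec-websocket-protocol': 'not-a-jwt'`, which is exactly the path where the rewritten catch block in webserver.ts no longer returns false; add a test asserting `expect(web.verifyClientToken(info)).toBe(false)` for it.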
16 changes: 12 additions & 4 deletions src/server/webserver.ts
Expand Up @@ -189,11 +189,19 @@ export class WebServer {
// verify JWT
try {
const valid = this.jws.verify(info.req.headers['sec-websocket-protocol'], 'HS256', Environment.Config.jwt_secret)
if (!valid) {
return false
const decodedToken = this.jws.decode(info.req.headers['sec-websocket-protocol'])
const currentTimestamp = Math.floor(Date.now() / 1000) // Current timestamp in seconds
const deviceId = decodedToken.payload.deviceId
const reqUrl = info.req.url
const urlSearchParams = new URL(`http://dummy.com/${reqUrl}`)
const reqDeviceId = urlSearchParams.searchParams.get('host')

if (!valid || !(decodedToken.payload.exp && decodedToken.payload.exp > currentTimestamp) || !(deviceId === reqDeviceId)) {
logger.error('Redirection token invalid')
return false // reject connection if problem with verify
}
} catch (err) { // reject connection if problem with verify
return false
} catch (error) {
logger.error(`Error verifying the token: ${error.message}`)
}
// Test if device has an established KVM session
const startIndex = info.req.url.indexOf('host=')
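Review bot: The new `catch (error)` block on L142–L144 only logs and then falls through to the KVM-session check on L145, whereas the removed `catch (err) { return false }` rejected the connection. With a malformed or non-JWT `sec-websocket-protocol` value, `jws.decode` returns null (or `jws.verify` throws), `decodedToken.payload` raises a TypeError, and the handler continues past the token check — which, judging by the tests that expect true when no KVM session is active, likely admits the client; treat this as an authentication bypass for undecodable tokens. Restore the rejection after the log line: `return false // reject connection if the token cannot be decoded or verified`. It would also be safer to read `decodedToken?.payload` before dereferencing `deviceId` and `exp`; verifyClientToken continues beyond this hunk, so the eventual success return is not visible here.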
