From 42fdb7af98172fa01dc99fe8cd55ab7704801546 Mon Sep 17 00:00:00 2001 From: madhavilosetty-intel Date: Fri, 6 Oct 2023 11:21:04 -0700 Subject: [PATCH] fix: redirection token expiration and device UUID check (#1098) --- src/server/webserver.test.ts | 54 ++++++++++++++++++++++++++++-------- src/server/webserver.ts | 16 ++++++++--- 2 files changed, 54 insertions(+), 16 deletions(-) diff --git a/src/server/webserver.test.ts b/src/server/webserver.test.ts index 22f639c1d..6b3ede53c 100644 --- a/src/server/webserver.test.ts +++ b/src/server/webserver.test.ts @@ -11,6 +11,7 @@ import { Environment } from '../utils/Environment' import { IncomingMessage } from 'http' import { Socket } from 'net' import { devices } from './mpsserver' +import { signature } from '../routes/auth/signature' Environment.Config = config let certs: certificatesType @@ -67,14 +68,40 @@ describe('webserver tests', () => { const result = web.verifyClientToken(info) expect(result).toBe(false) }) + it('should return false when client jwt token is for invalid device', () => { + const inValidToken = signature(5, '4c4c4544-004d-4d10-8050-b3c04f325133') + const info = { + req: { + url: '/relay/webrelay.ashx?p=2&host=4c4c4544-004b-4210-8033-b6c04f504633&port=16994&tls=0&tls1only=0', + headers: { + 'sec-websocket-protocol': inValidToken + } + } + } + const result = web.verifyClientToken(info) + expect(result).toBe(false) + }) + it('should return false when client jwt token is expired', () => { + const info = { + req: { + url: '/relay/webrelay.ashx?p=2&host=4c4c4544-004d-4d10-8050-b3c04f325133&port=16994&tls=0&tls1only=0', + headers: { + 'sec-websocket-protocol': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRJZCI6IiIsImlzcyI6IjlFbVJKVGJJaUliNGJJZVNzbWdjV0lqclI2SHlFVHFjIiwiZGV2aWNlSWQiOiI0YzRjNDU0NC0wMDRkLTRkMTAtODA1MC1iM2MwNGYzMjUxMzMiLCJleHAiOjE2OTY2MDk5NTN9.52h9jO1f8F4PmckqZeGyrpd3F5Wmq2d8041tO9cFrBc' + } + } + } + const result = web.verifyClientToken(info) + expect(result).toBe(false) + }) it('should return true when client jwt token is valid', () => { - const jwsSpy = jest.spyOn(web.jws, 'verify') + const validToken = signature(5, '4c4c4544-004b-4210-8033-b6c04f504633') devices['4c4c4544-004b-4210-8033-b6c04f504633'] = {} as any - jwsSpy.mockImplementationOnce(() => true) const info = { req: { url: '/relay/webrelay.ashx?p=2&host=4c4c4544-004b-4210-8033-b6c04f504633&port=16994&tls=0&tls1only=0', - headers: ['sec-websocket-protocol:supersecret'] + headers: { + 'sec-websocket-protocol': validToken + } } } const result = web.verifyClientToken(info) @@ -95,39 +122,42 @@ describe('webserver tests', () => { expect(result).toBe(false) }) it('should allow KVM connection when no KVM connection', () => { - const jwsSpy = jest.spyOn(web.jws, 'verify') - jwsSpy.mockImplementationOnce(() => true) + const validToken = signature(5, '4c4c4544-004b-4210-8033-b6c04f504633') devices['4c4c4544-004b-4210-8033-b6c04f504633'].kvmConnect = false // {} as any const info = { req: { url: '/relay/webrelay.ashx?p=2&host=4c4c4544-004b-4210-8033-b6c04f504633&port=16994&tls=0&tls1only=0', - headers: ['sec-websocket-protocol:supersecret'] + headers: { + 'sec-websocket-protocol': validToken + } } } const result = web.verifyClientToken(info) expect(result).toBe(true) }) it('should not allow KVM connection when KVM connection active', () => { - const jwsSpy = jest.spyOn(web.jws, 'verify') - jwsSpy.mockImplementationOnce(() => true) + const validToken = signature(5, '4c4c4544-004b-4210-8033-b6c04f504633') devices['4c4c4544-004b-4210-8033-b6c04f504633'].kvmConnect = true // {} as any const info = { req: { url: '/relay/webrelay.ashx?p=2&host=4c4c4544-004b-4210-8033-b6c04f504633&port=16994&tls=0&tls1only=0', - headers: ['sec-websocket-protocol:supersecret'] + headers: { + 'sec-websocket-protocol': validToken + } } } const result = web.verifyClientToken(info) expect(result).toBe(false) }) it('should not allow KVM connection when no connection exists', () => { - const jwsSpy = jest.spyOn(web.jws, 'verify') - jwsSpy.mockImplementationOnce(() => true) + const validToken = signature(5, '4c4c4544-004b-4210-8033-b6c04f504633') devices['4c4c4544-004b-4210-8033-b6c04f504633'] = null const info = { req: { url: '/relay/webrelay.ashx?p=2&host=4c4c4544-004b-4210-8033-b6c04f504633&port=16994&tls=0&tls1only=0', - headers: ['sec-websocket-protocol:supersecret'] + headers: { + 'sec-websocket-protocol': validToken + } } } const result = web.verifyClientToken(info) diff --git a/src/server/webserver.ts b/src/server/webserver.ts index 2311835b9..9740cfdf2 100644 --- a/src/server/webserver.ts +++ b/src/server/webserver.ts @@ -189,11 +189,19 @@ export class WebServer { // verify JWT try { const valid = this.jws.verify(info.req.headers['sec-websocket-protocol'], 'HS256', Environment.Config.jwt_secret) - if (!valid) { - return false + const decodedToken = this.jws.decode(info.req.headers['sec-websocket-protocol']) + const currentTimestamp = Math.floor(Date.now() / 1000) // Current timestamp in seconds + const deviceId = decodedToken.payload.deviceId + const reqUrl = info.req.url + const urlSearchParams = new URL(`http://dummy.com/${reqUrl}`) + const reqDeviceId = urlSearchParams.searchParams.get('host') + + if (!valid || !(decodedToken.payload.exp && decodedToken.payload.exp > currentTimestamp) || !(deviceId === reqDeviceId)) { + logger.error('Redirection token invalid') + return false // reject connection if problem with verify } - } catch (err) { // reject connection if problem with verify - return false + } catch (error) { + logger.error(`Error verifying the token: ${error.message}`) } // Test if device has an established KVM session const startIndex = info.req.url.indexOf('host=')