Merge pull request #1940 from thelounge/xpaw/fix-1934

Hash user tokens, increase token entropy
2024-11-21 19:43:07 +00:00 · 2018-01-11 13:34:14 +02:00 · 2018-01-11 13:34:14 +02:00 · 98c3108bde
commit 98c3108bde
parent 40aadf7c95 eac092e661
2 changed files with 41 additions and 10 deletions
--- a/src/client.js
+++ b/src/client.js
@ -94,6 +94,27 @@ function Client(manager, name, config) {

 	if (typeof client.config.sessions !== "object") {
 		client.config.sessions = {};
+	} else {
+		// TODO: This is just for backwards compatibility. Remove in v3.0.0
+		const newSessions = {};
+		let changed = false;
+
+		_.forOwn(client.config.sessions, (session, key) => {
+			if (key.length !== 128) {
+				key = client.calculateTokenHash(key);
+				changed = true;
+			}
+
+			newSessions[key] = session;
+		});
+
+		if (changed) {
+			log.info(`User ${colors.bold(client.name)} has been updated with new security requirements for tokens.`);
+
+			delete client.config.token;
+			client.config.sessions = newSessions;
+			client.save();
+		}
 	}

 	_.forOwn(client.config.sessions, (session) => {
@ -282,7 +303,7 @@ Client.prototype.connect = function(args) {
 };

 Client.prototype.generateToken = function(callback) {
-	crypto.randomBytes(48, (err, buf) => {
+	crypto.randomBytes(64, (err, buf) => {
 		if (err) {
 			throw err;
 		}
@ -291,6 +312,10 @@ Client.prototype.generateToken = function(callback) {
 	});
 };

+Client.prototype.calculateTokenHash = function(token) {
+	return crypto.createHash("sha512").update(token).digest("hex");
+};
+
 Client.prototype.updateSession = function(token, ip, request) {
 	const client = this;
 	const agent = UAParser(request.headers["user-agent"] || "");
--- a/src/server.js
+++ b/src/server.js
@ -389,7 +389,7 @@ function initializeClient(socket, client, token, lastMessage) {
 	});

 	socket.on("push:register", (subscription) => {
-		if (!client.isRegistered() || !client.config.sessions[token]) {
+		if (!client.isRegistered() || !client.config.sessions.hasOwnProperty(token)) {
 			return;
 		}

@ -434,7 +434,7 @@ function initializeClient(socket, client, token, lastMessage) {
 			tokenToSignOut = token;
 		}

-		if (!(tokenToSignOut in client.config.sessions)) {
+		if (!client.config.sessions.hasOwnProperty(tokenToSignOut)) {
 			return;
 		}

@ -475,11 +475,11 @@ function initializeClient(socket, client, token, lastMessage) {

 	if (!Helper.config.public && token === null) {
 		client.generateToken((newToken) => {
-			client.attachedClients[socket.id].token = token = newToken;
+			client.attachedClients[socket.id].token = token = client.calculateTokenHash(newToken);

 			client.updateSession(token, getClientIp(socket), socket.request);

-			sendInitEvent(token);
+			sendInitEvent(newToken);
 		});
 	} else {
 		sendInitEvent(null);
@ -519,8 +519,9 @@ function getServerConfiguration() {
 function performAuthentication(data) {
 	const socket = this;
 	let client;
+	let token = null;

-	const finalInit = () => initializeClient(socket, client, data.token || null, data.lastMessage || -1);
+	const finalInit = () => initializeClient(socket, client, token, data.lastMessage || -1);

 	const initClient = () => {
 		socket.emit("configuration", getClientConfiguration());
@ -572,11 +573,16 @@ function performAuthentication(data) {
 	client = manager.findClient(data.user);

 	// We have found an existing user and client has provided a token
-	if (client && data.token && typeof client.config.sessions[data.token] !== "undefined") {
-		client.updateSession(data.token, getClientIp(socket), socket.request);
+	if (client && data.token) {
+		const providedToken = client.calculateTokenHash(data.token);

-		authCallback(true);
-		return;
+		if (client.config.sessions.hasOwnProperty(providedToken)) {
+			token = providedToken;
+
+			client.updateSession(providedToken, getClientIp(socket), socket.request);
+
+			return authCallback(true);
+		}
 	}

 	// Perform password checking