Handle upstream tokens more safely

This commit is contained in:
Travis Ralston 2019-04-17 23:34:14 -06:00
parent 109bceb924
commit be66dd04f9
8 changed files with 36 additions and 7 deletions

View File

@ -33,7 +33,7 @@ export class ScalarService {
* @returns {Promise<string>} Resolves to the owner's user ID if the token is valid.
* @throws {ApiError} Thrown with a status code of 401 if the token is invalid.
*/
public static async getTokenOwner(scalarToken: string, ignoreUpstreams?: boolean): Promise<string> {
public static async getTokenOwner(scalarToken: string, ignoreUpstreams = false): Promise<string> {
const cachedUserId = Cache.for(CACHE_SCALAR_ACCOUNTS).get(scalarToken);
if (cachedUserId) return cachedUserId;

View File

@ -150,7 +150,7 @@ export class NebStore {
const botUserId = null; // TODO: For github
const botConfig = await proxy.getServiceConfiguration(i.integration, roomId);
const bot = new ComplexBot(i.integration, notifUserId, botUserId, botConfig);
bot.isOnline = !!bot.botUserId;
bot.isOnline = !!bot.notificationUserId;
return bot;
} catch (e) {
LogService.error("NebStore", e);

View File

@ -33,7 +33,7 @@ export class ScalarStore {
return true;
}
public static async getTokenOwner(scalarToken: string, ignoreUpstreams?: boolean): Promise<User> {
public static async getTokenOwner(scalarToken: string, ignoreUpstreams = false): Promise<User> {
const tokens = await UserScalarToken.findAll({
where: {isDimensionToken: true, scalarToken: scalarToken},
include: [User]
@ -104,6 +104,14 @@ export class ScalarStore {
}
}
const user = await User.findByPk(testUserId);
if (!user) {
await User.create({
userId: testUserId,
isSelfBot: true,
});
}
const openId = await MatrixStickerBot.getOpenId();
const token = await scalarClient.register(openId);
await UserScalarToken.create({

View File

@ -0,0 +1,17 @@
import { QueryInterface } from "sequelize";
import { DataType } from "sequelize-typescript";
export default {
up: (queryInterface: QueryInterface) => {
return Promise.resolve()
.then(() => queryInterface.addColumn("dimension_users", "isSelfBot", {
type: DataType.BOOLEAN,
allowNull: false,
defaultValue: false,
}));
},
down: (queryInterface: QueryInterface) => {
return Promise.resolve()
.then(() => queryInterface.removeColumn("dimension_users", "isSelfBot"));
}
}

View File

@ -11,4 +11,7 @@ export default class User extends Model<User> {
@PrimaryKey
@Column
userId: string;
@Column
isSelfBot: boolean;
}

View File

@ -4,8 +4,8 @@ import { DimensionStore } from "./db/DimensionStore";
import Webserver from "./api/Webserver";
import { CURRENT_VERSION } from "./version";
import { MatrixStickerBot } from "./matrix/MatrixStickerBot";
import UserScalarToken from "./db/models/UserScalarToken";
import * as BotSdk from "matrix-bot-sdk";
import User from "./db/models/User";
LogService.configure(config.logging);
LogService.info("index", "Starting dimension " + CURRENT_VERSION);
@ -25,8 +25,8 @@ async function startup() {
await webserver.start();
const userId = await MatrixStickerBot.getUserId();
const tokens = await UserScalarToken.findAll({where: {userId: userId}});
if (tokens.length > 0) {
const users = await User.findAll({where: {userId: userId, isSelfBot: false}});
if (users.length > 0) {
LogService.error("index", "The access token configured for Dimension belongs to a user which is also " +
"a user known to Dimension. This usually indicates that the access token is not a dedicated user " +
"account for Dimension. To prevent potential confusion to this user, Dimension will refuse to start " +

View File

@ -49,7 +49,7 @@ export class MatrixLiteClient {
return await doClientApiCall(
"POST",
`/_matrix/client/r0/user/${await this.whoAmI()}/openid/request_token`,
{access_token: this.accessToken},
{access_token: this.accessToken}, {},
);
}

View File

@ -39,6 +39,7 @@ export class ScalarClient {
method: "GET",
url: this.upstream.scalarUrl + "/account",
qs: {v: SCALAR_API_VERSION, scalar_token: token},
json: true,
}, (err, res, _body) => {
if (err) {
LogService.error("ScalarClient", "Error getting information for token");