diff --git a/server/src/middleware/auth.ts b/server/src/middleware/auth.ts
index 82b7b4547d4f7bbc8647f3e0f5172d7662d64c56..3026469e048065cbf4b358cc3772720ce7be7005 100644
--- a/server/src/middleware/auth.ts
+++ b/server/src/middleware/auth.ts
@@ -17,9 +17,13 @@
  */
 import { NextFunction, Request, Response } from 'express'
 import { HttpStatusCode } from 'jami-web-common'
+import { Container } from 'typedi'
+import { Accounts } from '../storage/accounts.js'
 import { verifyJwt } from '../utils/jwt.js'
+const accounts = Container.get(Accounts)
+
 function createAuthenticationMiddleware(isAuthenticationRequired: boolean) {
   return async (req: Request, res: Response, next: NextFunction) => {
     const authorizationHeader = req.headers.authorization
@@ -42,7 +46,14 @@ function createAuthenticationMiddleware(isAuthenticationRequired: boolean) {
     try {
       const { payload } = await verifyJwt(token)
-      res.locals.accountId = payload.accountId
+      const accountId = String(payload.accountId)
+      const isValid = accounts.isValidAccountId(accountId)
+      if (!isValid) {
+        res.status(HttpStatusCode.Unauthorized).send('Invalid account ID')
+        return
+      }
+      res.locals.accountId = accountId
+      // si accId
       next()
     } catch (e) {
       res.status(HttpStatusCode.Unauthorized).send('Invalid access token')
diff --git a/server/src/storage/accounts.ts b/server/src/storage/accounts.ts
index fbda83aa2927a60124334d8d544e1d52d01005d1..820ba11f86fa4c84ba799039fc1d686c4d5bbb78 100644
--- a/server/src/storage/accounts.ts
+++ b/server/src/storage/accounts.ts
@@ -46,6 +46,7 @@ const METHODS = ['local', 'jams', 'guest', 'openid']
 export class Accounts {
   private readonly filename = paths.data + '/accounts.json'
   private accounts: AccountsFormat
+  private accountsIds: Set<string>
   constructor() {
     let buffer: Buffer
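Review bot: `const accounts = Container.get(Accounts)` resolves the store at module load, so merely importing this middleware instantiates Accounts (whose constructor reads accounts.json, per the second file in this commit) before any application wiring runs, and a test of the middleware cannot substitute a store. Resolving it inside the factory instead, `const accounts = Container.get(Accounts)` as the first statement of `createAuthenticationMiddleware`, keeps the same singleton while deferring instantiation to the point the middleware is built. Whether Accounts is registered as a typedi service elsewhere is not visible in this hunk.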
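Review bot: `// si accId` is a leftover placeholder comment and should be removed, and `String(payload.accountId)` coerces a missing or non-string claim to a string before it is checked, which hides a malformed token behind the 'Invalid account ID' response rather than surfacing it as a bad token. Check the claim's type first and pass it through unchanged: `const accountId = payload.accountId` followed by `if (typeof accountId !== 'string' || !accounts.isValidAccountId(accountId)) {`. Rejecting a still-valid token whose account has since been removed is the right thing to do at this point, so the added lookup itself is welcome. The enclosing handler starts and ends outside the hunk.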
@@ -55,6 +56,21 @@ export class Accounts {
       buffer = Buffer.from('{"local":{},"jams":{}, "guest":{}, "openid":{}}')
     }
     this.accounts = JSON.parse(buffer.toString())
+
+    this.accountsIds = new Set<string>()
+    // add the accountIds to the set
+    for (const accId of Object.keys(this.accounts.guest)) {
+      this.accountsIds.add(accId)
+    }
+    for (const key of Object.keys(this.accounts.jams)) {
+      this.accountsIds.add(this.accounts.jams[key].accountId)
+    }
+    for (const key of Object.keys(this.accounts.local)) {
+      this.accountsIds.add(this.accounts.local[key].accountId)
+    }
+    for (const key of Object.keys(this.accounts.openid)) {
+      this.accountsIds.add(this.accounts.openid[key].accountId)
+    }
   }
   get(username: string, authMethod: string = 'local') {
@@ -126,6 +142,7 @@ export class Accounts {
       default:
         throw new Error('Invalid auth method')
     }
+    this.accountsIds.add(accountId)
   } catch (e) {
     console.log(e)
   }
@@ -145,6 +162,14 @@ export class Accounts {
       return
     }
+    const account = this.accounts[authMethod as keyof AccountsFormat][username.toLowerCase()]
+    if (typeof account !== 'string') {
+      this.accountsIds.delete(account.accountId)
+    } else {
+      // guest removal
+      this.accountsIds.delete(username)
+    }
+
     delete this.accounts[authMethod as keyof AccountsFormat][username.toLowerCase()]
   }
@@ -164,6 +189,10 @@ export class Accounts {
     return this.accounts.guest
   }
+  isValidAccountId(accountId: string) {
+    return this.accountsIds.has(accountId)
+  }
+
   async save(): Promise<void> {
     await writeFile(this.filename, JSON.stringify(this.accounts, null, 2) + '\n')
   }
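Review bot: The three loops over jams, local and openid in the constructor are identical apart from the section name and would read better as one loop over the section list, with the guest keys passed straight to the Set constructor. Separately, `Object.keys(this.accounts.openid)` throws a TypeError during construction if an on-disk accounts.json predates the openid section: the fallback literal contains all four sections, but a parsed file is never validated, so whether such files exist in deployments is not visible here. Guarding each section with `?? {}` (or validating the parsed shape right after `JSON.parse`) makes startup resilient to that case. The rewrite below assumes the three non-guest section types all carry an `accountId` field, which the existing per-section loops already rely on.
```typescript
    this.accountsIds = new Set<string>(Object.keys(this.accounts.guest))
    // non-guest sections map a username to a record carrying the account id
    for (const method of ['jams', 'local', 'openid'] as const) {
      for (const record of Object.values(this.accounts[method] ?? {})) {
        this.accountsIds.add(record.accountId)
      }
    }
```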
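Review bot: The guest branch deletes `username` from accountsIds while the map entry being removed is keyed by `username.toLowerCase()`, and the constructor seeds the set from exactly those keys, so a guest username containing an uppercase character is removed from the store but its id stays in the set and `isValidAccountId` keeps accepting its tokens until restart. Use the same normalised key in both places: `this.accountsIds.delete(username.toLowerCase())`. The early return just above the hunk presumably guards the case where the entry does not exist; if it does not, `account.accountId` on an undefined lookup would throw here. The enclosing method starts outside the hunk.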
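Review bot: `isValidAccountId` is the check the auth middleware now relies on for every authenticated request, so it deserves an explicit return type and a doc comment stating its scope: `isValidAccountId(accountId: string): boolean {`, preceded by a TSDoc line such as `/** True when accountId belongs to an account currently held in memory; the set is maintained by this class's own add/remove paths and is not re-read from accounts.json. */`. That the set is only updated by the in-class paths is what the hunks in this file show; if there is another writer of accounts.json the comment should say how it is reconciled.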