cory/tildefriends
5
6
Fork 2
Code Issues 37 Pull Requests 1 Actions Releases 29 Wiki Activity

security: Respect the autologin setting better.
Some checks failed
Build Tilde Friends / Build-All (push) Failing after 31m15s
Details

Browse Source
This commit is contained in:
Cory McWilliams 2025-02-16 14:07:14 -05:00
parent 0fa8acc264
commit 11e89622d4
1 changed files with 69 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
src/httpd.js.c
View File

@ -2166,56 +2166,48 @@ static void _httpd_endpoint_logout(tf_http_request_t* request)
tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0); tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0);
} }
static bool _task_arg_is_mobile(tf_task_t* task)
{
bool result = false;
JSContext* context = tf_task_get_context(task);
JSValue global = JS_GetGlobalObject(context);
JSValue tildefriends = JS_GetPropertyStr(context, global, "tildefriends");
JSValue args = JS_GetPropertyStr(context, tildefriends, "args");
JSValue mobile = JS_GetPropertyStr(context, args, "mobile");
result = JS_ToBool(context, mobile) != 0;
JS_FreeValue(context, mobile);
JS_FreeValue(context, args);
JS_FreeValue(context, tildefriends);
JS_FreeValue(context, global);
return result;
}
typedef struct _auto_login_t typedef struct _auto_login_t
{ {
tf_http_request_t* request; tf_http_request_t* request;
bool autologin;
const char* users; const char* users;
} auto_login_t; } auto_login_t;
static void _httpd_auto_login_work(tf_ssb_t* ssb, void* user_data) static void _httpd_auto_login_work(tf_ssb_t* ssb, void* user_data)
{ {
auto_login_t* request = user_data; auto_login_t* request = user_data;
request->users = tf_ssb_db_get_property(ssb, "auth", "users"); sqlite3* db = tf_ssb_acquire_db_reader(ssb);
if (request->users && strcmp(request->users, "[]") == 0) tf_ssb_db_get_global_setting_bool(db, "autologin", &request->autologin);
{ tf_ssb_release_db_reader(ssb, db);
tf_free((void*)request->users);
request->users = NULL;
}
if (!request->users) if (request->autologin)
{ {
JSMallocFunctions funcs = { 0 };
tf_get_js_malloc_functions(&funcs);
JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
JSContext* context = JS_NewContext(runtime);
static const char* k_account_name = "mobile";
sqlite3* db = tf_ssb_acquire_db_writer(ssb);
bool registered = tf_ssb_db_register_account(tf_ssb_get_loop(ssb), db, context, k_account_name, k_account_name);
tf_ssb_release_db_writer(ssb, db);
if (registered)
{
_make_administrator_if_first(ssb, context, k_account_name, true);
}
JS_FreeContext(context);
JS_FreeRuntime(runtime);
request->users = tf_ssb_db_get_property(ssb, "auth", "users"); request->users = tf_ssb_db_get_property(ssb, "auth", "users");
if (request->users && strcmp(request->users, "[]") == 0)
{
tf_free((void*)request->users);
request->users = NULL;
}
if (!request->users)
{
JSMallocFunctions funcs = { 0 };
tf_get_js_malloc_functions(&funcs);
JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
JSContext* context = JS_NewContext(runtime);
static const char* k_account_name = "mobile";
sqlite3* db = tf_ssb_acquire_db_writer(ssb);
bool registered = tf_ssb_db_register_account(tf_ssb_get_loop(ssb), db, context, k_account_name, k_account_name);
tf_ssb_release_db_writer(ssb, db);
if (registered)
{
_make_administrator_if_first(ssb, context, k_account_name, true);
}
JS_FreeContext(context);
JS_FreeRuntime(runtime);
request->users = tf_ssb_db_get_property(ssb, "auth", "users");
}
} }
} }
@ -2224,36 +2216,44 @@ static void _httpd_auto_login_after_work(tf_ssb_t* ssb, int status, void* user_d
auto_login_t* work = user_data; auto_login_t* work = user_data;
JSContext* context = tf_ssb_get_context(ssb); JSContext* context = tf_ssb_get_context(ssb);
const char* session_token = NULL; const char* session_token = NULL;
if (work->users) if (!work->autologin)
{ {
JSValue json = JS_ParseJSON(context, work->users, strlen(work->users), NULL); const char* k_payload = tf_http_status_text(404);
JSValue user = JS_GetPropertyUint32(context, json, 0); tf_http_respond(work->request, 404, NULL, 0, k_payload, strlen(k_payload));
const char* user_string = JS_ToCString(context, user);
session_token = _make_session_jwt(context, ssb, user_string);
JS_FreeCString(context, user_string);
JS_FreeValue(context, user);
JS_FreeValue(context, json);
}
if (session_token)
{
const char* cookie = _make_set_session_cookie_header(work->request, session_token);
tf_free((void*)session_token);
const char* headers[] = {
"Set-Cookie",
cookie,
"Location",
"/",
};
tf_http_respond(work->request, 303, headers, tf_countof(headers) / 2, NULL, 0);
tf_free((void*)cookie);
} }
else else
{ {
const char* headers[] = { if (work->users)
"Location", {
"/", JSValue json = JS_ParseJSON(context, work->users, strlen(work->users), NULL);
}; JSValue user = JS_GetPropertyUint32(context, json, 0);
tf_http_respond(work->request, 303, headers, tf_countof(headers) / 2, NULL, 0); const char* user_string = JS_ToCString(context, user);
session_token = _make_session_jwt(context, ssb, user_string);
JS_FreeCString(context, user_string);
JS_FreeValue(context, user);
JS_FreeValue(context, json);
}
if (session_token)
{
const char* cookie = _make_set_session_cookie_header(work->request, session_token);
tf_free((void*)session_token);
const char* headers[] = {
"Set-Cookie",
cookie,
"Location",
"/",
};
tf_http_respond(work->request, 303, headers, tf_countof(headers) / 2, NULL, 0);
tf_free((void*)cookie);
}
else
{
const char* headers[] = {
"Location",
"/",
};
tf_http_respond(work->request, 303, headers, tf_countof(headers) / 2, NULL, 0);
}
} }
tf_http_request_unref(work->request); tf_http_request_unref(work->request);
tf_free((void*)work->users); tf_free((void*)work->users);
@ -2263,20 +2263,12 @@ static void _httpd_auto_login_after_work(tf_ssb_t* ssb, int status, void* user_d
static void _httpd_endpoint_login_auto(tf_http_request_t* request) static void _httpd_endpoint_login_auto(tf_http_request_t* request)
{ {
tf_task_t* task = request->user_data; tf_task_t* task = request->user_data;
if (tf_util_is_mobile() || _task_arg_is_mobile(task)) tf_http_request_ref(request);
{ tf_ssb_t* ssb = tf_task_get_ssb(task);
tf_http_request_ref(request);
tf_ssb_t* ssb = tf_task_get_ssb(task);
auto_login_t* work = tf_malloc(sizeof(auto_login_t)); auto_login_t* work = tf_malloc(sizeof(auto_login_t));
*work = (auto_login_t) { .request = request }; *work = (auto_login_t) { .request = request };
tf_ssb_run_work(ssb, _httpd_auto_login_work, _httpd_auto_login_after_work, work); tf_ssb_run_work(ssb, _httpd_auto_login_work, _httpd_auto_login_after_work, work);
}
else
{
const char* k_payload = tf_http_status_text(404);
tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
}
} }
static void _httpd_endpoint_app_socket(tf_http_request_t* request) static void _httpd_endpoint_app_socket(tf_http_request_t* request)