Merge branch 'master' into master

2023-12-22 14:29:38 +07:00 · 2023-12-22 14:29:38 +07:00 · 7d7a2ff8d7
commit 7d7a2ff8d7
parent 26d60e5ee6 14c855c71c
30 changed files with 3758 additions and 681 deletions
--- a/src/lib/Server.js
+++ b/src/lib/Server.js
@ -1,6 +1,8 @@
 'use strict';

 const path = require('path');
+const bcrypt = require('bcryptjs');
+const crypto = require('node:crypto');

 const express = require('express');
 const expressSession = require('express-session');
@ -12,6 +14,7 @@ const WireGuard = require('../services/WireGuard');

 const {
  PORT,
+  WEBUI_HOST,
  RELEASE,
  PASSWORD,
  LANG,
@ -26,17 +29,20 @@ module.exports = class Server {
      .use('/', express.static(path.join(__dirname, '..', 'www')))
      .use(express.json())
      .use(expressSession({
-        secret: String(Math.random()),
+        secret: crypto.randomBytes(256).toString('hex'),
        resave: true,
        saveUninitialized: true,
+        cookie: {
+          httpOnly: true,
+        },
      }))

      .get('/api/release', (Util.promisify(async () => {
        return RELEASE;
      })))

-      // Authentication
-      .get('/api/session', Util.promisify(async req => {
+    // Authentication
+      .get('/api/session', Util.promisify(async (req) => {
        const requiresPassword = !!process.env.PASSWORD;
        const authenticated = requiresPassword
          ? !!(req.session && req.session.authenticated)
@ -47,7 +53,7 @@ module.exports = class Server {
          authenticated,
        };
      }))
-      .post('/api/session', Util.promisify(async req => {
+      .post('/api/session', Util.promisify(async (req) => {
        const {
          password,
        } = req.body;
@ -66,7 +72,7 @@ module.exports = class Server {
        debug(`New Session: ${req.session.id}`);
      }))

-      // WireGuard
+    // WireGuard
      .use((req, res, next) => {
        if (!PASSWORD) {
          return next();
@ -76,18 +82,34 @@ module.exports = class Server {
          return next();
        }

+        if (req.path.startsWith('/api/') && req.headers['authorization']) {
+          const authorizationHash = bcrypt.createHash('bcrypt')
+            .update(req.headers['authorization'])
+            .digest('hex');
+          const passwordHash = bcrypt.createHash('bcrypt')
+            .update(PASSWORD)
+            .digest('hex');
+          if (bcrypt.timingSafeEqual(Buffer.from(authorizationHash), Buffer.from(passwordHash))) {
+            return next();
+          }
+
+          return res.status(401).json({
+            error: 'Incorrect Password',
+          });
+        }
+
        return res.status(401).json({
          error: 'Not Logged In',
        });
      })
-      .delete('/api/session', Util.promisify(async req => {
+      .delete('/api/session', Util.promisify(async (req) => {
        const sessionId = req.session.id;

        req.session.destroy();

        debug(`Deleted Session: ${sessionId}`);
      }))
-      .get('/api/wireguard/client', Util.promisify(async req => {
+      .get('/api/wireguard/client', Util.promisify(async (req) => {
        return WireGuard.getClients();
      }))
      .get('/api/wireguard/client/:clientId/qrcode.svg', Util.promisify(async (req, res) => {
@ -109,29 +131,41 @@ module.exports = class Server {
        res.header('Content-Type', 'text/plain');
        res.send(config);
      }))
-      .post('/api/wireguard/client', Util.promisify(async req => {
+      .post('/api/wireguard/client', Util.promisify(async (req) => {
        const { name } = req.body;
        return WireGuard.createClient({ name });
      }))
-      .delete('/api/wireguard/client/:clientId', Util.promisify(async req => {
+      .delete('/api/wireguard/client/:clientId', Util.promisify(async (req) => {
        const { clientId } = req.params;
        return WireGuard.deleteClient({ clientId });
      }))
-      .post('/api/wireguard/client/:clientId/enable', Util.promisify(async req => {
+      .post('/api/wireguard/client/:clientId/enable', Util.promisify(async (req, res) => {
        const { clientId } = req.params;
+        if (clientId === '__proto__' || clientId === 'constructor' || clientId === 'prototype') {
+          res.end(403);
+        }
        return WireGuard.enableClient({ clientId });
      }))
-      .post('/api/wireguard/client/:clientId/disable', Util.promisify(async req => {
+      .post('/api/wireguard/client/:clientId/disable', Util.promisify(async (req, res) => {
        const { clientId } = req.params;
+        if (clientId === '__proto__' || clientId === 'constructor' || clientId === 'prototype') {
+          res.end(403);
+        }
        return WireGuard.disableClient({ clientId });
      }))
-      .put('/api/wireguard/client/:clientId/name', Util.promisify(async req => {
+      .put('/api/wireguard/client/:clientId/name', Util.promisify(async (req, res) => {
        const { clientId } = req.params;
+        if (clientId === '__proto__' || clientId === 'constructor' || clientId === 'prototype') {
+          res.end(403);
+        }
        const { name } = req.body;
        return WireGuard.updateClientName({ clientId, name });
      }))
-      .put('/api/wireguard/client/:clientId/address', Util.promisify(async req => {
+      .put('/api/wireguard/client/:clientId/address', Util.promisify(async (req, res) => {
        const { clientId } = req.params;
+        if (clientId === '__proto__' || clientId === 'constructor' || clientId === 'prototype') {
+          res.end(403);
+        }
        const { address } = req.body;
        return WireGuard.updateClientAddress({ clientId, address });
      }))
@ -139,8 +173,8 @@ module.exports = class Server {
        return LANG;
      })))

-      .listen(PORT, () => {
-        debug(`Listening on http://0.0.0.0:${PORT}`);
+      .listen(PORT, WEBUI_HOST, () => {
+        debug(`Listening on http://${WEBUI_HOST}:${PORT}`);
      });
  }