dani/vroom
1
0
Fork 0
mirror of https://github.com/dani/vroom.git synced 2024-06-28 17:53:42 +02:00
Code Issues Projects Releases Wiki Activity

Rewrite signalmaster auth part

Browse Source 
Actually check the auth (previous way didn't worked correctly)
Also escape queries (even if input was validated before)
This commit is contained in:
Daniel Berteaud 2014-06-24 11:56:27 +02:00
parent dd17af3190
commit 8559b5f100
1 changed files with 25 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
signalmaster/server.js
View File

@ -37,15 +37,21 @@ function safeCb(cb) {
}
}
function checkRoom(room,token,user) {
var q = "SELECT participant FROM participants WHERE participant='" + user + "' AND id IN (SELECT id FROM rooms WHERE name='" + room + "' AND token='" + token + "');";
function checkRoom(room,token,user,cb) {
var q = "SELECT `participant` FROM `participants` WHERE `participant`=" + sql.escape(user) + " AND `id` IN (SELECT `id` FROM `rooms` WHERE `name`=" + sql.escape(room) + " AND `token`=" + sql.escape(token) + ");";
console.log('Checking if ' + user + ' is allowed to join room ' + room + ' using token ' + token);
sql.query(q, function(err, rows, fields) {
if (err) throw err;
if (err){
throw err;
}
// No result ? This user hasn't joined this room through our frontend
if (rows.length < 1) return false;
if (rows.length > 0){
cb(true);
}
else{
cb(false);
}
});
return true;
}
io.configure(function(){
@ -58,7 +64,7 @@ io.configure(function(){
var session = data.cookie['vroomsession'];
if (typeof session != 'string'){
console.log('Cookie vroomsession not found, access unauthorized');
return ('error', false);
accept('vroomsession cookie not found', false);
}
// vroomsession is base64(user:room:token) so let's decode this !
session = new Buffer(session, encoding='base64');
@ -69,17 +75,22 @@ io.configure(function(){
// sanitize user input, we don't want to pass random junk to MySQL do we ?
if (!user.match(/^[\w\@\.\-]{1,40}$/i) || !room.match(/^[\w\-]{1,50}$/) || !token.match(/^[a-zA-Z0-9]{50}$/)){
console.log('Forbidden chars found in either participant session, room name or token, sorry, cannot allow this');
return ('error', false);
accept('Forbidden characters found', false);
}
// Ok, now check if this user has joined the room (with the correct token) through vroom frontend
if (checkRoom(room,token,user) == false){
console.log('Sorry, but ' + participant + ' is not allowed to join room ' + name);
return ('error', false);
}
return accept(null, true);
checkRoom(room,token,user, function(res){
if (res){
accept(null, true);
}
else{
console.log('User' + user + ' is not allowed to join room ' + room + ' with token ' + tohen);
accept('not allowed', false);
}
});
}
else{
accept('No cookie found', false);
}
console.log('No cookies were found, access unauthorized');
return accept('error', false);
});
});