[release] v0.12.6-unstable

This commit is contained in:
Yann Stepienik 2023-11-15 15:32:26 +00:00
parent 3d2932f385
commit 9644600f0d
6 changed files with 76 additions and 4 deletions


@ -1,6 +1,6 @@
{ {
"name": "cosmos-server", "name": "cosmos-server",
"version": "0.12.5", "version": "0.12.6-unstable",
"description": "", "description": "",
"main": "test-server.js", "main": "test-server.js",
"bugs": { "bugs": {


@ -343,6 +343,10 @@ func InitServer() *mux.Router {
srapi := router.PathPrefix("/cosmos").Subrouter() srapi := router.PathPrefix("/cosmos").Subrouter()
srapi.HandleFunc("/api/login", user.UserLogin)
srapi.HandleFunc("/api/password-reset", user.ResetPassword)
srapi.HandleFunc("/api/mfa", user.API2FA)
srapi.HandleFunc("/api/dns", GetDNSRoute) srapi.HandleFunc("/api/dns", GetDNSRoute)
srapi.HandleFunc("/api/dns-check", CheckDNSRoute) srapi.HandleFunc("/api/dns-check", CheckDNSRoute)
@ -353,13 +357,10 @@ func InitServer() *mux.Router {
srapi.HandleFunc("/api/favicon", GetFavicon) srapi.HandleFunc("/api/favicon", GetFavicon)
srapi.HandleFunc("/api/ping", PingURL) srapi.HandleFunc("/api/ping", PingURL)
srapi.HandleFunc("/api/newInstall", NewInstallRoute) srapi.HandleFunc("/api/newInstall", NewInstallRoute)
srapi.HandleFunc("/api/login", user.UserLogin)
srapi.HandleFunc("/api/logout", user.UserLogout) srapi.HandleFunc("/api/logout", user.UserLogout)
srapi.HandleFunc("/api/register", user.UserRegister) srapi.HandleFunc("/api/register", user.UserRegister)
srapi.HandleFunc("/api/invite", user.UserResendInviteLink) srapi.HandleFunc("/api/invite", user.UserResendInviteLink)
srapi.HandleFunc("/api/me", user.Me) srapi.HandleFunc("/api/me", user.Me)
srapi.HandleFunc("/api/mfa", user.API2FA)
srapi.HandleFunc("/api/password-reset", user.ResetPassword)
srapi.HandleFunc("/api/config", configapi.ConfigRoute) srapi.HandleFunc("/api/config", configapi.ConfigRoute)
srapi.HandleFunc("/api/restart", configapi.ConfigApiRestart) srapi.HandleFunc("/api/restart", configapi.ConfigApiRestart)
@ -416,6 +417,8 @@ func InitServer() *mux.Router {
if(!config.HTTPConfig.AcceptAllInsecureHostname) { if(!config.HTTPConfig.AcceptAllInsecureHostname) {
srapi.Use(utils.EnsureHostname) srapi.Use(utils.EnsureHostname)
} }
srapi.Use(utils.EnsureHostnameCosmosAPI)
SecureAPI(srapi, false, false) SecureAPI(srapi, false, false)
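Review bot: `srapi.Use(utils.EnsureHostnameCosmosAPI)` is registered outside the `if(!config.HTTPConfig.AcceptAllInsecureHostname)` guard on the lines just above it, so the Cosmos API hostname check now runs even when the operator has opted into accepting insecure hostnames; if that is intended, a one-line comment such as `// Always enforced: the API hostname check does not honour AcceptAllInsecureHostname.` would stop a later cleanup from folding it into the guard. The middleware's exemption list (login, password-reset, mfa) is a path-prefix list kept in a different file, so the route registrations moved to the top of this section should carry `// Pre-auth routes; keep in sync with the exemptions in utils.EnsureHostnameCosmosAPI.` Reordering the HandleFunc calls does not change behaviour on its own, since Use applies to the whole subrouter regardless of registration order. InitServer starts and ends outside this section.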


@ -20,6 +20,12 @@ type LoginRequestJSON struct {
func UserLogin(w http.ResponseWriter, req *http.Request) { func UserLogin(w http.ResponseWriter, req *http.Request) {
if(req.Method == "POST") { if(req.Method == "POST") {
time.Sleep(time.Duration(rand.Float64()*2)*time.Second) time.Sleep(time.Duration(rand.Float64()*2)*time.Second)
if utils.IsLoggedIn(req) {
utils.Error("UserLogin: User already logged ing", nil)
utils.HTTPError(w, "User is already logged in", http.StatusUnauthorized, "UL002")
return
}
var request LoginRequestJSON var request LoginRequestJSON
err1 := json.NewDecoder(req.Body).Decode(&request) err1 := json.NewDecoder(req.Body).Decode(&request)
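Review bot: The new log line `utils.Error("UserLogin: User already logged ing", nil)` has a typo, and the same two lines are copied verbatim into ResetPassword in the next file, where the `UserLogin:` prefix is wrong and the `UL002` code is reused; change them to `utils.Error("UserLogin: User already logged in", nil)` here and `utils.Error("ResetPassword: User already logged in", nil)` there, with a distinct code if codes are meant to identify the call site. Answering http.StatusUnauthorized to a request that is already authenticated also reads oddly; whether 400 or 409 fits better depends on how the UI reacts to UL002, so confirm with the front end before changing it. IsLoggedIn decides from the x-cosmos-user and x-cosmos-role request headers, so this gate is only as strong as whatever upstream middleware sets and strips those headers — presumably the same mechanism LoggedInOnly already relies on, but worth confirming. UserLogin's body continues past this section.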


@ -22,6 +22,12 @@ func ResetPassword(w http.ResponseWriter, req *http.Request) {
} }
time.Sleep(time.Duration(rand.Float64()*2)*time.Second) time.Sleep(time.Duration(rand.Float64()*2)*time.Second)
if utils.IsLoggedIn(req) {
utils.Error("UserLogin: User already logged ing", nil)
utils.HTTPError(w, "User is already logged in", http.StatusUnauthorized, "UL002")
return
}
var request PasswordResetRequestJSON var request PasswordResetRequestJSON
err1 := json.NewDecoder(req.Body).Decode(&request) err1 := json.NewDecoder(req.Body).Decode(&request)


@ -74,6 +74,18 @@ func LoggedInWeakOnly(w http.ResponseWriter, req *http.Request) error {
return nil return nil
} }
func IsLoggedIn(req *http.Request) bool {
userNickname := req.Header.Get("x-cosmos-user")
role, _ := strconv.Atoi(req.Header.Get("x-cosmos-role"))
isUserLoggedIn := role > 0
if !isUserLoggedIn || userNickname == "" {
return false
}
return true
}
func LoggedInOnly(w http.ResponseWriter, req *http.Request) error { func LoggedInOnly(w http.ResponseWriter, req *http.Request) error {
userNickname := req.Header.Get("x-cosmos-user") userNickname := req.Header.Get("x-cosmos-user")
role, _ := strconv.Atoi(req.Header.Get("x-cosmos-role")) role, _ := strconv.Atoi(req.Header.Get("x-cosmos-role"))
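Review bot: IsLoggedIn is exported without a doc comment and duplicates the header parsing that LoggedInOnly repeats on the two lines right below it; add `// IsLoggedIn reports whether the request carries a non-empty x-cosmos-user header and an x-cosmos-role greater than zero; it does not validate the session itself and trusts whatever set those headers upstream.` and have LoggedInOnly (and presumably LoggedInWeakOnly, whose tail is visible above) call it so the checks cannot drift. The body can collapse to `return role > 0 && userNickname != ""`, dropping the isUserLoggedIn temporary. The ignored Atoi error means an absent or malformed role header yields 0 and therefore "not logged in", which is the safe default; a short comment stating that intent would stop someone from "fixing" it. LoggedInOnly starts at the end of this section and continues outside it.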


@ -346,6 +346,51 @@ func EnsureHostname(next http.Handler) http.Handler {
}) })
} }
func EnsureHostnameCosmosAPI(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
og := GetMainConfig().HTTPConfig.Hostname
ni := GetMainConfig().NewInstall
isLogin := !strings.HasPrefix(r.URL.Path, "/cosmos/api") ||
strings.HasPrefix(r.URL.Path, "/cosmos/api/login") ||
strings.HasPrefix(r.URL.Path, "/cosmos/api/password-reset") ||
strings.HasPrefix(r.URL.Path, "/cosmos/api/mfa")
if ni || og == "0.0.0.0" || isLogin {
next.ServeHTTP(w, r)
return
}
reqHostNoPort := strings.Split(r.Host, ":")[0]
if og != reqHostNoPort {
PushShieldMetrics("hostname")
Error("Invalid Hostname " + r.Host + " for request.", nil)
w.WriteHeader(http.StatusBadRequest)
http.Error(w, "Bad Request: Invalid hostname. Use your domain instead of your IP to access your server. Check logs if more details are needed.", http.StatusBadRequest)
ip, _, _ := net.SplitHostPort(r.RemoteAddr)
if ip != "" {
TriggerEvent(
"cosmos.proxy.shield.hostname",
"Proxy Shield hostname blocked",
"warning",
"",
map[string]interface{}{
"clientID": ip,
"hostname": r.Host,
"url": r.URL.String(),
})
IncrementIPAbuseCounter(ip)
}
return
}
next.ServeHTTP(w, r)
})
}
func IsValidHostname(hostname string) bool { func IsValidHostname(hostname string) bool {
og := GetMainConfig().HTTPConfig.Hostname og := GetMainConfig().HTTPConfig.Hostname
ni := GetMainConfig().NewInstall ni := GetMainConfig().NewInstall
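Review bot: In the rejection branch of EnsureHostnameCosmosAPI, `w.WriteHeader(http.StatusBadRequest)` immediately precedes `http.Error(w, ..., http.StatusBadRequest)`, which calls WriteHeader itself, so the second call is superfluous (net/http logs it) and the Content-Type that http.Error sets is discarded; drop the explicit WriteHeader line. The function is otherwise a near-copy of EnsureHostname, whose closing lines are visible at the top of this section, differing only in the isLogin bypass, so a shared helper taking a bypass predicate would keep the two checks from diverging. `strings.Split(r.Host, ":")[0]` mishandles a bracketed IPv6 host such as `[::1]:443` (constructed example), yielding `[` rather than the address; the function already uses net.SplitHostPort for RemoteAddr, and the same could be tried for r.Host with a fallback to the raw value when no port is present. The bypass list matches by path prefix, so any future route whose path starts with `/cosmos/api/login`, `/cosmos/api/password-reset` or `/cosmos/api/mfa` silently inherits the exemption — worth a comment at the isLogin assignment. IsValidHostname starts at the end of this section and continues outside it.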