[release] v0.12.6-unstable

package.json

@@ -1,6 +1,6 @@
 {
   "name": "cosmos-server",
-  "version": "0.12.5",
+  "version": "0.12.6-unstable",
   "description": "",
   "main": "test-server.js",
   "bugs": {

src/httpServer.go

@@ -344,6 +344,10 @@ func InitServer() *mux.Router {
 	
 	srapi := router.PathPrefix("/cosmos").Subrouter()
 	
+	srapi.HandleFunc("/api/login", user.UserLogin)
+	srapi.HandleFunc("/api/password-reset", user.ResetPassword)
+	srapi.HandleFunc("/api/mfa", user.API2FA)
+
 	srapi.HandleFunc("/api/dns", GetDNSRoute)
 	srapi.HandleFunc("/api/dns-check", CheckDNSRoute)
 	srapi.Use(utils.SetSecurityHeaders)
@@ -353,13 +357,10 @@ func InitServer() *mux.Router {
 	srapi.HandleFunc("/api/favicon", GetFavicon)
 	srapi.HandleFunc("/api/ping", PingURL)
 	srapi.HandleFunc("/api/newInstall", NewInstallRoute)
-	srapi.HandleFunc("/api/login", user.UserLogin)
 	srapi.HandleFunc("/api/logout", user.UserLogout)
 	srapi.HandleFunc("/api/register", user.UserRegister)
 	srapi.HandleFunc("/api/invite", user.UserResendInviteLink)
 	srapi.HandleFunc("/api/me", user.Me)
-	srapi.HandleFunc("/api/mfa", user.API2FA)
-	srapi.HandleFunc("/api/password-reset", user.ResetPassword)
 	srapi.HandleFunc("/api/config", configapi.ConfigRoute)
 	srapi.HandleFunc("/api/restart", configapi.ConfigApiRestart)
 
@@ -417,6 +418,8 @@ func InitServer() *mux.Router {
 		srapi.Use(utils.EnsureHostname)
 	}
 	
+	srapi.Use(utils.EnsureHostnameCosmosAPI)
+
 	SecureAPI(srapi, false, false)
 	
 	pwd,_ := os.Getwd()

src/user/login.go

@@ -21,6 +21,12 @@ func UserLogin(w http.ResponseWriter, req *http.Request) {
 	if(req.Method == "POST") {
 		time.Sleep(time.Duration(rand.Float64()*2)*time.Second)
 		
+		if utils.IsLoggedIn(req) {
+			utils.Error("UserLogin: User already logged ing", nil)
+			utils.HTTPError(w, "User is already logged in", http.StatusUnauthorized, "UL002")
+			return
+		} 
+
 		var request LoginRequestJSON
 		err1 := json.NewDecoder(req.Body).Decode(&request)
 		if err1 != nil {

src/user/password_reset.go

@@ -23,6 +23,12 @@ func ResetPassword(w http.ResponseWriter, req *http.Request) {
 
 		time.Sleep(time.Duration(rand.Float64()*2)*time.Second)
 		
+		if utils.IsLoggedIn(req) {
+			utils.Error("UserLogin: User already logged ing", nil)
+			utils.HTTPError(w, "User is already logged in", http.StatusUnauthorized, "UL002")
+			return
+		} 
+
 		var request PasswordResetRequestJSON
 		err1 := json.NewDecoder(req.Body).Decode(&request)
 		if err1 != nil {

src/utils/loggedIn.go

@@ -74,6 +74,18 @@ func LoggedInWeakOnly(w http.ResponseWriter, req *http.Request) error {
 	return nil
 }
 
+func IsLoggedIn(req *http.Request) bool {
+	userNickname := req.Header.Get("x-cosmos-user")
+	role, _ := strconv.Atoi(req.Header.Get("x-cosmos-role"))
+	isUserLoggedIn := role > 0
+
+	if !isUserLoggedIn || userNickname == "" {
+		return false
+	}
+
+	return true
+}
+
 func LoggedInOnly(w http.ResponseWriter, req *http.Request) error {
 	userNickname := req.Header.Get("x-cosmos-user")
 	role, _ := strconv.Atoi(req.Header.Get("x-cosmos-role"))

src/utils/middleware.go

@@ -346,6 +346,51 @@ func EnsureHostname(next http.Handler) http.Handler {
 	})
 }
 
+func EnsureHostnameCosmosAPI(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		og := GetMainConfig().HTTPConfig.Hostname
+		ni := GetMainConfig().NewInstall
+
+		isLogin := !strings.HasPrefix(r.URL.Path, "/cosmos/api") ||
+						   strings.HasPrefix(r.URL.Path, "/cosmos/api/login") ||
+							 strings.HasPrefix(r.URL.Path, "/cosmos/api/password-reset") ||
+							 strings.HasPrefix(r.URL.Path, "/cosmos/api/mfa")
+
+		if ni || og == "0.0.0.0" || isLogin {
+			next.ServeHTTP(w, r)
+			return
+		}
+		
+		reqHostNoPort := strings.Split(r.Host, ":")[0]
+
+		if og != reqHostNoPort {
+			PushShieldMetrics("hostname")
+			Error("Invalid Hostname " + r.Host + " for request.", nil)
+			w.WriteHeader(http.StatusBadRequest)
+			http.Error(w, "Bad Request: Invalid hostname. Use your domain instead of your IP to access your server. Check logs if more details are needed.", http.StatusBadRequest)
+			
+			ip, _, _ := net.SplitHostPort(r.RemoteAddr)
+			if ip != "" {
+				TriggerEvent(
+					"cosmos.proxy.shield.hostname",
+					"Proxy Shield hostname blocked",
+					"warning",
+					"",
+					map[string]interface{}{
+					"clientID": ip,
+					"hostname": r.Host,
+					"url": r.URL.String(),
+				})
+				IncrementIPAbuseCounter(ip)
+			}
+
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
 func IsValidHostname(hostname string) bool {
 	og := GetMainConfig().HTTPConfig.Hostname
 	ni := GetMainConfig().NewInstall