bigbluebutton-Github/bigbluebutton-html5/imports/api/users/server/handlers/validateAuthToken.js

import { check } from 'meteor/check';
import Logger from '/imports/startup/server/logger';
import Users from '/imports/api/users';
import userJoin from './userJoin';
import pendingAuthenticationsStore from '../store/pendingAuthentications';
import createDummyUser from '../modifiers/createDummyUser';
import ClientConnections from '/imports/startup/server/ClientConnections';

import upsertValidationState from '/imports/api/auth-token-validation/server/modifiers/upsertValidationState';
import { ValidationStates } from '/imports/api/auth-token-validation';

const clearOtherSessions = (sessionUserId, current = false) => {
  const serverSessions = Meteor.server.sessions;
  Object.keys(serverSessions)
    .filter(i => serverSessions[i].userId === sessionUserId)
    .filter(i => i !== current)
    .forEach(i => serverSessions[i].close());
};

export default function handleValidateAuthToken({ body }, meetingId) {
  const {
    userId,
    valid,
    authToken,
    waitForApproval,
    registeredOn,
    authTokenValidatedOn,
    reasonCode,
  } = body;

  check(userId, String);
  check(authToken, String);
  check(valid, Boolean);
  check(waitForApproval, Boolean);
  check(registeredOn, Number);
  check(authTokenValidatedOn, Number);
  check(reasonCode, String);

  const pendingAuths = pendingAuthenticationsStore.take(meetingId, userId, authToken);
  Logger.info(`PendingAuths length [${pendingAuths.length}]`);
  if (pendingAuths.length === 0) return;

  if (!valid) {
    pendingAuths.forEach(
      (pendingAuth) => {
        try {
          const { methodInvocationObject } = pendingAuth;
          const connectionId = methodInvocationObject.connection.id;

          upsertValidationState(meetingId, userId, ValidationStates.INVALID, connectionId, reasonCode);

          // Schedule socket disconnection for this user, giving some time for client receiving the reason of disconnection
          Meteor.setTimeout(() => {
            methodInvocationObject.connection.close();
          }, 2000);

          Logger.info(`Closed connection ${connectionId} due to invalid auth token.`);
        } catch (e) {
          Logger.error(`Error closing socket for meetingId '${meetingId}', userId '${userId}', authToken ${authToken}`);
        }
      },
    );

    return;
  }

  // Define user ID on connections
  pendingAuths.forEach(
    (pendingAuth) => {
      const { methodInvocationObject } = pendingAuth;

      /* Logic migrated from validateAuthToken method ( postponed to only run in case of success response ) - Begin */
      const sessionId = `${meetingId}--${userId}`;

      methodInvocationObject.setUserId(sessionId);

      const User = Users.findOne({
        meetingId,
        userId,
      });

      if (!User) {
        createDummyUser(meetingId, userId, authToken);
      }

      ClientConnections.add(sessionId, methodInvocationObject.connection);
      upsertValidationState(meetingId, userId, ValidationStates.VALIDATED, methodInvocationObject.connection.id);

      /* End of logic migrated from validateAuthToken */
    },
  );

  const selector = {
    meetingId,
    userId,
    clientType: 'HTML5',
  };

  const User = Users.findOne(selector);

  // If we dont find the user on our collection is a flash user and we can skip
  if (!User) return;

  // Publish user join message
  if (!waitForApproval) {
    Logger.info('User=', User);
    userJoin(meetingId, userId, User.authToken);
  }

  const modifier = {
    $set: {
      validated: valid,
      approved: !waitForApproval,
      loginTime: registeredOn,
      authTokenValidatedTime: authTokenValidatedOn,
      inactivityCheck: false,
    },
  };

  try {
    const numberAffected = Users.update(selector, modifier);

    if (numberAffected) {
      const sessionUserId = `${meetingId}-${userId}`;
      const currentConnectionId = User.connectionId ? User.connectionId : false;
      clearOtherSessions(sessionUserId, currentConnectionId);

      Logger.info(`Validated auth token as ${valid} user=${userId} meeting=${meetingId}`);
    } else {
      Logger.info('No auth to validate');
    }
  } catch (err) {
    Logger.error(`Validating auth token: ${err}`);
  }
}
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00			`import { check } from 'meteor/check';`
			`import Logger from '/imports/startup/server/logger';`
Changed imports and removed 'initializeCursor.js' since it's not needed 2017-10-12 10:00:28 +08:00			`import Users from '/imports/api/users';`
utilize Meteor connection id instead of trusting client side meetingId, userId 2020-02-07 04:47:28 +08:00			`import userJoin from './userJoin';`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`import pendingAuthenticationsStore from '../store/pendingAuthentications';`
			`import createDummyUser from '../modifiers/createDummyUser';`
Sync users in collection with server active connections 2021-01-27 03:22:32 +08:00			`import ClientConnections from '/imports/startup/server/ClientConnections';`
Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00
Create ClientConnections structure and auth-token-validation collection 2020-09-01 20:07:56 +08:00			`import upsertValidationState from '/imports/api/auth-token-validation/server/modifiers/upsertValidationState';`
			`import { ValidationStates } from '/imports/api/auth-token-validation';`

Impl user-session based connections on server. Fix #5150 Implement a connectionId for each user, each time a user try to validate we change their connectionId and end all other connections of that user. 2018-02-20 22:21:51 +08:00			`const clearOtherSessions = (sessionUserId, current = false) => {`
			`const serverSessions = Meteor.server.sessions;`
			`Object.keys(serverSessions)`
			`.filter(i => serverSessions[i].userId === sessionUserId)`
			`.filter(i => i !== current)`
			`.forEach(i => serverSessions[i].close());`
			`};`

Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`export default function handleValidateAuthToken({ body }, meetingId) {`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`const {`
			`userId,`
			`valid,`
			`authToken,`
			`waitForApproval,`
Removes loginTime creation from Meteor and use the registeredOn date created on Akka. Makes Akka send the registeredOn date throught PubSub messages: UserRegisteredRespMsg, GuestsWaitingForApprovalEvtMsg and ValidateAuthTokenRespMsg. 2021-02-17 01:46:30 +08:00			`registeredOn,`
Adds lastAuthTokenValidatedOn to users in Akka, send it in ValidateAuthTokenRespMsg pubSub msg, makes Meteor store it as authTokenValidatedTime 2021-02-26 03:52:20 +08:00			`authTokenValidatedOn,`
Remove banned users structure and handle reasonCode in validateAuthToken 2021-03-30 21:09:25 +08:00			`reasonCode,`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`} = body;`
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00
			`check(userId, String);`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`check(authToken, String);`
Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`check(valid, Boolean);`
			`check(waitForApproval, Boolean);`
Replace registeredOn params to Long (timestamp) instead of String (ISO_OFFSET_DATE_TIME) 2021-02-17 20:20:55 +08:00			`check(registeredOn, Number);`
Adds lastAuthTokenValidatedOn to users in Akka, send it in ValidateAuthTokenRespMsg pubSub msg, makes Meteor store it as authTokenValidatedTime 2021-02-26 03:52:20 +08:00			`check(authTokenValidatedOn, Number);`
Remove banned users structure and handle reasonCode in validateAuthToken 2021-03-30 21:09:25 +08:00			`check(reasonCode, String);`
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`const pendingAuths = pendingAuthenticationsStore.take(meetingId, userId, authToken);`
Split Meteor roles backend-frontend revisit 2021-02-06 01:47:46 +08:00			Logger.info(`PendingAuths length [${pendingAuths.length}]`);
			`if (pendingAuths.length === 0) return;`

Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`if (!valid) {`
			`pendingAuths.forEach(`
			`(pendingAuth) => {`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`try {`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`const { methodInvocationObject } = pendingAuth;`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`const connectionId = methodInvocationObject.connection.id;`

Remove banned users structure and handle reasonCode in validateAuthToken 2021-03-30 21:09:25 +08:00			`upsertValidationState(meetingId, userId, ValidationStates.INVALID, connectionId, reasonCode);`
Create ClientConnections structure and auth-token-validation collection 2020-09-01 20:07:56 +08:00
Postpone websocket close for a failed authToken 2020-05-09 06:08:50 +08:00			`// Schedule socket disconnection for this user, giving some time for client receiving the reason of disconnection`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`Meteor.setTimeout(() => {`
Postpone websocket close for a failed authToken 2020-05-09 06:08:50 +08:00			`methodInvocationObject.connection.close();`
			`}, 2000);`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			Logger.info(`Closed connection ${connectionId} due to invalid auth token.`);
			`} catch (e) {`
			Logger.error(`Error closing socket for meetingId '${meetingId}', userId '${userId}', authToken ${authToken}`);
			`}`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`},`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`);`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`return;`
			`}`

remove useless conditionals in validateAutoToken handler 2021-05-19 20:20:28 +08:00			`// Define user ID on connections`
			`pendingAuths.forEach(`
			`(pendingAuth) => {`
			`const { methodInvocationObject } = pendingAuth;`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00
remove useless conditionals in validateAutoToken handler 2021-05-19 20:20:28 +08:00			`/* Logic migrated from validateAuthToken method ( postponed to only run in case of success response ) - Begin */`
			const sessionId = `${meetingId}--${userId}`;
Prevent repeated setUserId 2020-09-30 05:02:03 +08:00
remove useless conditionals in validateAutoToken handler 2021-05-19 20:20:28 +08:00			`methodInvocationObject.setUserId(sessionId);`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00
remove useless conditionals in validateAutoToken handler 2021-05-19 20:20:28 +08:00			`const User = Users.findOne({`
			`meetingId,`
			`userId,`
			`});`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00
remove useless conditionals in validateAutoToken handler 2021-05-19 20:20:28 +08:00			`if (!User) {`
			`createDummyUser(meetingId, userId, authToken);`
			`}`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00
remove useless conditionals in validateAutoToken handler 2021-05-19 20:20:28 +08:00			`ClientConnections.add(sessionId, methodInvocationObject.connection);`
			`upsertValidationState(meetingId, userId, ValidationStates.VALIDATED, methodInvocationObject.connection.id);`
Create ClientConnections structure and auth-token-validation collection 2020-09-01 20:07:56 +08:00
remove useless conditionals in validateAutoToken handler 2021-05-19 20:20:28 +08:00			`/* End of logic migrated from validateAuthToken */`
			`},`
			`);`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00			`const selector = {`
			`meetingId,`
			`userId,`
Do not auth validate Flash users (#5695) by @oswaldoacauan 2018-06-15 04:24:55 +08:00			`clientType: 'HTML5',`
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00			`};`

Skip updating user validated flag if its already valid 2017-03-08 01:18:02 +08:00			`const User = Users.findOne(selector);`

Refactor Authentication flow 2017-03-11 02:33:46 +08:00			`// If we dont find the user on our collection is a flash user and we can skip`
			`if (!User) return;`
Skip updating user validated flag if its already valid 2017-03-08 01:18:02 +08:00
Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`// Publish user join message`
remove useless conditionals in validateAutoToken handler 2021-05-19 20:20:28 +08:00			`if (!waitForApproval) {`
update npm packages versions 2019-02-14 03:44:21 +08:00			`Logger.info('User=', User);`
Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`userJoin(meetingId, userId, User.authToken);`
			`}`

Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00			`const modifier = {`
			`$set: {`
Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`validated: valid,`
			`approved: !waitForApproval,`
Replace registeredOn params to Long (timestamp) instead of String (ISO_OFFSET_DATE_TIME) 2021-02-17 20:20:55 +08:00			`loginTime: registeredOn,`
Adds lastAuthTokenValidatedOn to users in Akka, send it in ValidateAuthTokenRespMsg pubSub msg, makes Meteor store it as authTokenValidatedTime 2021-02-26 03:52:20 +08:00			`authTokenValidatedTime: authTokenValidatedOn,`
Add activity check modal 2019-02-27 01:40:01 +08:00			`inactivityCheck: false,`
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00			`},`
			`};`

WIP remove callback from mongo operations 2020-11-23 21:13:46 +08:00			`try {`
			`const numberAffected = Users.update(selector, modifier);`
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00
WIP remove callback from mongo operations 2020-11-23 21:13:46 +08:00			`if (numberAffected) {`
remove useless conditionals in validateAutoToken handler 2021-05-19 20:20:28 +08:00			const sessionUserId = `${meetingId}-${userId}`;
			`const currentConnectionId = User.connectionId ? User.connectionId : false;`
			`clearOtherSessions(sessionUserId, currentConnectionId);`
Fix a bunch of bugs introduced after the refactor 2017-02-24 04:16:10 +08:00
WIP remove callback from mongo operations 2020-11-23 21:13:46 +08:00			Logger.info(`Validated auth token as ${valid} user=${userId} meeting=${meetingId}`);
			`} else {`
			`Logger.info('No auth to validate');`
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00			`}`
WIP remove callback from mongo operations 2020-11-23 21:13:46 +08:00			`} catch (err) {`
			Logger.error(`Validating auth token: ${err}`);
			`}`
Add a warn when a banned user tries to join the meeting 2020-06-13 03:51:22 +08:00			`}`