bigbluebutton-Github/bigbluebutton-html5/imports/api/users/server/handlers/validateAuthToken.js

import { check } from 'meteor/check';
import Logger from '/imports/startup/server/logger';
import Users from '/imports/api/users';
import userJoin from './userJoin';
import pendingAuthenticationsStore from '../store/pendingAuthentications';
import createDummyUser from '../modifiers/createDummyUser';
import setConnectionIdAndAuthToken from '../modifiers/setConnectionIdAndAuthToken';

const clearOtherSessions = (sessionUserId, current = false) => {
  const serverSessions = Meteor.server.sessions;
  Object.keys(serverSessions)
    .filter(i => serverSessions[i].userId === sessionUserId)
    .filter(i => i !== current)
    .forEach(i => serverSessions[i].close());
};

export default function handleValidateAuthToken({ body }, meetingId) {
  const {
    userId,
    valid,
    authToken,
    waitForApproval,
  } = body;

  check(userId, String);
  check(authToken, String);
  check(valid, Boolean);
  check(waitForApproval, Boolean);

  const pendingAuths = pendingAuthenticationsStore.take(meetingId, userId, authToken);

  if (!valid) {
    pendingAuths.forEach(
      (pendingAuth) => {
        try {
          const { methodInvocationObject } = pendingAuth;
          const connectionId = methodInvocationObject.connection.id;

          // Schedule socket disconnection for this user, giving some time for client receiving the reason of disconnection
          Meteor.setTimeout(() => {
            methodInvocationObject.connection.close();
          }, 2000);

          Logger.info(`Closed connection ${connectionId} due to invalid auth token.`);
        } catch (e) {
          Logger.error(`Error closing socket for meetingId '${meetingId}', userId '${userId}', authToken ${authToken}`);
        }
      },
    );

    return;
  }

  if (valid) {
    // Define user ID on connections
    pendingAuths.forEach(
      (pendingAuth) => {
        const { methodInvocationObject } = pendingAuth;

        /* Logic migrated from validateAuthToken method ( postponed to only run in case of success response ) - Begin */
        const sessionId = `${meetingId}--${userId}`;
        methodInvocationObject.setUserId(sessionId);

        const User = Users.findOne({
          meetingId,
          userId,
        });

        if (!User) {
          createDummyUser(meetingId, userId, authToken);
        }

        setConnectionIdAndAuthToken(meetingId, userId, methodInvocationObject.connection.id, authToken);
        /* End of logic migrated from validateAuthToken */
      },
    );
  }

  const selector = {
    meetingId,
    userId,
    clientType: 'HTML5',
  };

  const User = Users.findOne(selector);

  // If we dont find the user on our collection is a flash user and we can skip
  if (!User) return;

  // Publish user join message
  if (valid && !waitForApproval) {
    Logger.info('User=', User);
    userJoin(meetingId, userId, User.authToken);
  }

  const modifier = {
    $set: {
      validated: valid,
      approved: !waitForApproval,
      loginTime: Date.now(),
      inactivityCheck: false,
    },
  };

  const cb = (err, numChanged) => {
    if (err) {
      return Logger.error(`Validating auth token: ${err}`);
    }

    if (numChanged) {
      if (valid) {
        const sessionUserId = `${meetingId}-${userId}`;
        const currentConnectionId = User.connectionId ? User.connectionId : false;
        clearOtherSessions(sessionUserId, currentConnectionId);
      }

      return Logger.info(`Validated auth token as ${valid} user=${userId} meeting=${meetingId}`);
    }

    return Logger.info('No auth to validate');
  };

  Users.update(selector, modifier, cb);
}
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00			`import { check } from 'meteor/check';`
			`import Logger from '/imports/startup/server/logger';`
Changed imports and removed 'initializeCursor.js' since it's not needed 2017-10-12 10:00:28 +08:00			`import Users from '/imports/api/users';`
utilize Meteor connection id instead of trusting client side meetingId, userId 2020-02-07 04:47:28 +08:00			`import userJoin from './userJoin';`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`import pendingAuthenticationsStore from '../store/pendingAuthentications';`
			`import createDummyUser from '../modifiers/createDummyUser';`
			`import setConnectionIdAndAuthToken from '../modifiers/setConnectionIdAndAuthToken';`
Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00
Impl user-session based connections on server. Fix #5150 Implement a connectionId for each user, each time a user try to validate we change their connectionId and end all other connections of that user. 2018-02-20 22:21:51 +08:00			`const clearOtherSessions = (sessionUserId, current = false) => {`
			`const serverSessions = Meteor.server.sessions;`
			`Object.keys(serverSessions)`
			`.filter(i => serverSessions[i].userId === sessionUserId)`
			`.filter(i => i !== current)`
			`.forEach(i => serverSessions[i].close());`
			`};`

Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`export default function handleValidateAuthToken({ body }, meetingId) {`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`const {`
			`userId,`
			`valid,`
			`authToken,`
			`waitForApproval,`
			`} = body;`
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00
			`check(userId, String);`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`check(authToken, String);`
Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`check(valid, Boolean);`
			`check(waitForApproval, Boolean);`
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`const pendingAuths = pendingAuthenticationsStore.take(meetingId, userId, authToken);`

Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`if (!valid) {`
			`pendingAuths.forEach(`
			`(pendingAuth) => {`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`try {`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`const { methodInvocationObject } = pendingAuth;`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`const connectionId = methodInvocationObject.connection.id;`

Postpone websocket close for a failed authToken 2020-05-09 06:08:50 +08:00			`// Schedule socket disconnection for this user, giving some time for client receiving the reason of disconnection`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`Meteor.setTimeout(() => {`
Postpone websocket close for a failed authToken 2020-05-09 06:08:50 +08:00			`methodInvocationObject.connection.close();`
			`}, 2000);`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			Logger.info(`Closed connection ${connectionId} due to invalid auth token.`);
			`} catch (e) {`
			Logger.error(`Error closing socket for meetingId '${meetingId}', userId '${userId}', authToken ${authToken}`);
			`}`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`},`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`);`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`return;`
			`}`

Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`if (valid) {`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`// Define user ID on connections`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00			`pendingAuths.forEach(`
			`(pendingAuth) => {`
			`const { methodInvocationObject } = pendingAuth;`

			`/* Logic migrated from validateAuthToken method ( postponed to only run in case of success response ) - Begin */`
			const sessionId = `${meetingId}--${userId}`;
			`methodInvocationObject.setUserId(sessionId);`

			`const User = Users.findOne({`
			`meetingId,`
			`userId,`
			`});`

			`if (!User) {`
			`createDummyUser(meetingId, userId, authToken);`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`}`
Prevent banned user from trying to validate auth token multiple times. close #9798 2020-06-13 00:24:11 +08:00
			`setConnectionIdAndAuthToken(meetingId, userId, methodInvocationObject.connection.id, authToken);`
			`/* End of logic migrated from validateAuthToken */`
			`},`
Refactor connection definition of userId to wait for validateAuthToken 2020-04-29 11:33:45 +08:00			`);`
			`}`

Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00			`const selector = {`
			`meetingId,`
			`userId,`
Do not auth validate Flash users (#5695) by @oswaldoacauan 2018-06-15 04:24:55 +08:00			`clientType: 'HTML5',`
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00			`};`

Skip updating user validated flag if its already valid 2017-03-08 01:18:02 +08:00			`const User = Users.findOne(selector);`

Refactor Authentication flow 2017-03-11 02:33:46 +08:00			`// If we dont find the user on our collection is a flash user and we can skip`
			`if (!User) return;`
Skip updating user validated flag if its already valid 2017-03-08 01:18:02 +08:00
Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`// Publish user join message`
Revert "Merge pull request #8759 from capilkey/2.2-join-fix" This reverts commit 5af41dabb45f61aa2f9b6454fa9c8913049c7d97, reversing changes made to 004d872584f5b02398a326073bab8a11a22b2275. 2020-03-26 04:12:36 +08:00			`if (valid && !waitForApproval) {`
update npm packages versions 2019-02-14 03:44:21 +08:00			`Logger.info('User=', User);`
Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`userJoin(meetingId, userId, User.authToken);`
			`}`

Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00			`const modifier = {`
			`$set: {`
Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`validated: valid,`
			`approved: !waitForApproval,`
Fix chat alert (push and audio) #6430 2019-01-14 21:23:35 +08:00			`loginTime: Date.now(),`
Add activity check modal 2019-02-27 01:40:01 +08:00			`inactivityCheck: false,`
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00			`},`
			`};`

			`const cb = (err, numChanged) => {`
			`if (err) {`
			return Logger.error(`Validating auth token: ${err}`);
			`}`

			`if (numChanged) {`
Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`if (valid) {`
Impl user-session based connections on server. Fix #5150 Implement a connectionId for each user, each time a user try to validate we change their connectionId and end all other connections of that user. 2018-02-20 22:21:51 +08:00			const sessionUserId = `${meetingId}-${userId}`;
			`const currentConnectionId = User.connectionId ? User.connectionId : false;`
			`clearOtherSessions(sessionUserId, currentConnectionId);`
Fix a bunch of bugs introduced after the refactor 2017-02-24 04:16:10 +08:00			`}`

Fix bug when users re-validate after refresh 2017-12-19 20:19:47 +08:00			return Logger.info(`Validated auth token as ${valid} user=${userId} meeting=${meetingId}`);
Refactor of validate_auth_token and clearUsers 2017-02-24 02:15:13 +08:00			`}`
Fix a bunch of bugs introduced after the refactor 2017-02-24 04:16:10 +08:00
Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`return Logger.info('No auth to validate');`
Fix a bunch of bugs introduced after the refactor 2017-02-24 04:16:10 +08:00			`};`

Merged 2.0 and 1.1 users api 2017-10-12 09:02:23 +08:00			`Users.update(selector, modifier, cb);`
Add a warn when a banned user tries to join the meeting 2020-06-13 03:51:22 +08:00			`}`