From a3cf7cd98e3cc43b5502f9f333f3ccaf7bd250ff Mon Sep 17 00:00:00 2001 From: Joao Siebel Date: Mon, 21 Sep 2020 15:50:54 -0300 Subject: [PATCH] Prevent validateAuthToken spamming. If an ejected user tries to enter in the meeting using the current url html5 client keep trying to validate that user, but without success causing a validateAuthToken message spam until the connection times out. --- .../api/users/server/methods/validateAuthToken.js | 11 ++++++++++- bigbluebutton-html5/imports/ui/services/auth/index.js | 4 ++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/bigbluebutton-html5/imports/api/users/server/methods/validateAuthToken.js b/bigbluebutton-html5/imports/api/users/server/methods/validateAuthToken.js index 7303caa2ba..cc1014c218 100644 --- a/bigbluebutton-html5/imports/api/users/server/methods/validateAuthToken.js +++ b/bigbluebutton-html5/imports/api/users/server/methods/validateAuthToken.js @@ -3,6 +3,7 @@ import RedisPubSub from '/imports/startup/server/redis'; import Logger from '/imports/startup/server/logger'; import pendingAuthenticationsStore from '../store/pendingAuthentications'; import BannedUsers from '../store/bannedUsers'; +import Users from '/imports/api/users'; export default function validateAuthToken(meetingId, requesterUserId, requesterToken, externalId) { const REDIS_CONFIG = Meteor.settings.private.redis; @@ -13,10 +14,18 @@ export default function validateAuthToken(meetingId, requesterUserId, requesterT if (externalId) { if (BannedUsers.has(meetingId, externalId)) { Logger.warn(`A banned user with extId ${externalId} tried to enter in meeting ${meetingId}`); - return; + return { invalid: true, reason: 'User has been banned.' }; } } + // Check if a removed user is trying to access the meeting using the same sessionToken + const isUserEjected = Users.findOne({ meetingId, authToken: requesterToken, ejected: true }); + + if (isUserEjected) { + Logger.warn(`An invalid sessionToken tried to validateAuthToken meetingId=${meetingId} authToken=${requesterToken}`); + return { invalid: true, reason: 'User has been ejected.' }; + } + // Store reference of methodInvocationObject ( to postpone the connection userId definition ) pendingAuthenticationsStore.add(meetingId, requesterUserId, requesterToken, this); diff --git a/bigbluebutton-html5/imports/ui/services/auth/index.js b/bigbluebutton-html5/imports/ui/services/auth/index.js index b866da0b3b..02368a6e98 100755 --- a/bigbluebutton-html5/imports/ui/services/auth/index.js +++ b/bigbluebutton-html5/imports/ui/services/auth/index.js @@ -220,11 +220,11 @@ class Auth { const result = await makeCall('validateAuthToken', this.meetingID, this.userID, this.token, this.externUserID); - if (!result) { + if (result && result.invalid) { clearTimeout(validationTimeout); reject({ error: 401, - description: 'User has been banned.', + description: result.reason, }); return; }