Merge pull request #10504 from jfsiebel/prevent-ejected-user-validate-auth-token-spam
Prevent validateAuthToken spamming for ejected users
This commit is contained in:
commit
3c6c1f5b7c
@ -3,6 +3,7 @@ import RedisPubSub from '/imports/startup/server/redis';
import Logger from '/imports/startup/server/logger';
import Logger from '/imports/startup/server/logger';
import pendingAuthenticationsStore from '../store/pendingAuthentications';
import pendingAuthenticationsStore from '../store/pendingAuthentications';
import BannedUsers from '../store/bannedUsers';
import BannedUsers from '../store/bannedUsers';
import Users from '/imports/api/users';
export default function validateAuthToken(meetingId, requesterUserId, requesterToken, externalId) {
export default function validateAuthToken(meetingId, requesterUserId, requesterToken, externalId) {
const REDIS_CONFIG = Meteor.settings.private.redis;
const REDIS_CONFIG = Meteor.settings.private.redis;
@ -13,10 +14,18 @@ export default function validateAuthToken(meetingId, requesterUserId, requesterT
if (externalId) {
if (externalId) {
if (BannedUsers.has(meetingId, externalId)) {
if (BannedUsers.has(meetingId, externalId)) {
Logger.warn(`A banned user with extId ${externalId} tried to enter in meeting ${meetingId}`);
Logger.warn(`A banned user with extId ${externalId} tried to enter in meeting ${meetingId}`);
return;
return { invalid: true, reason: 'User has been banned.' };
}
}
}
}
// Check if a removed user is trying to access the meeting using the same sessionToken
const isUserEjected = Users.findOne({ meetingId, authToken: requesterToken, ejected: true });
if (isUserEjected) {
Logger.warn(`An invalid sessionToken tried to validateAuthToken meetingId=${meetingId} authToken=${requesterToken}`);
return { invalid: true, reason: 'User has been ejected.' };
}
// Store reference of methodInvocationObject ( to postpone the connection userId definition )
// Store reference of methodInvocationObject ( to postpone the connection userId definition )
pendingAuthenticationsStore.add(meetingId, requesterUserId, requesterToken, this);
pendingAuthenticationsStore.add(meetingId, requesterUserId, requesterToken, this);
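Review bot: The warning added on the ejected-user path interpolates the raw `requesterToken` into the log line, which writes the stored authToken of that user record into server logs that are commonly shipped to collectors and read by operators; the token should be omitted or reduced to a non-secret correlation field. I would change that line to `Logger.warn(\`An ejected user tried to validateAuthToken meetingId=${meetingId} userId=${requesterUserId}\`);`, which keeps the fields needed to correlate the event without the credential. The text "An invalid sessionToken" also does not match what the code checks, since the lookup matches the `authToken` field together with `ejected: true`, so naming the actual condition is clearer. The lookup deliberately does not filter on `requesterUserId`, which looks intended given the comment about the same sessionToken being reused, but a one-line comment saying that any ejected record carrying this token blocks the call would spare the next reader the question. validateAuthToken's body continues past the end of this hunk.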
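--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -220,11 +220,11 @@ class Auth {
 
     const result = await makeCall('validateAuthToken', this.meetingID, this.userID, this.token, this.externUserID);
 
-    if (!result) {
+    if (result && result.invalid) {
       clearTimeout(validationTimeout);
       reject({
         error: 401,
-        description: 'User has been banned.',
+        description: result.reason,
       });
       return;
     }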
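Review bot: With `if (result && result.invalid)` a missing or falsy `result` no longer rejects, whereas the old `if (!result)` did; that looks intentional now that the server method returns an object only for the banned and ejected cases, but nothing in this hunk shows what the success path of `makeCall` returns, so `validationTimeout` is presumably the only remaining guard against a silent non-answer. A short comment above the check, e.g. `// Server returns { invalid, reason } only for rejected tokens; otherwise wait for the validation event or the timeout`, would record that contract for the next reader (confirm it against the server method before adding). If the project's Babel preset supports optional chaining, `if (result?.invalid)` says the same thing more directly. The enclosing method of class Auth starts and ends outside this hunk.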