Merge pull request #10548 from jfsiebel/rework-session-token-check

Add extra check for sessionToken

bigbluebutton-html5/imports/api/users/server/methods.js

@@ -8,6 +8,7 @@ import toggleUserLock from './methods/toggleUserLock';
 import setUserEffectiveConnectionType from './methods/setUserEffectiveConnectionType';
 import userActivitySign from './methods/userActivitySign';
 import userLeftMeeting from './methods/userLeftMeeting';
+import checkSessionToken from './methods/checkSessionToken';
 
 Meteor.methods({
   setEmojiStatus,
@@ -19,4 +20,5 @@ Meteor.methods({
   setUserEffectiveConnectionType,
   userActivitySign,
   userLeftMeeting,
+  checkSessionToken,
 });

bigbluebutton-html5/imports/api/users/server/methods/checkSessionToken.js

@@ -0,0 +1,28 @@
+import Users from '/imports/api/users';
+import Logger from '/imports/startup/server/logger';
+import BannedUsers from '../store/bannedUsers';
+
+export default function checkSessionToken(meetingId, requesterUserId, requesterToken, externalId) {
+  // Check if externalId is banned from the meeting
+  if (externalId) {
+    if (BannedUsers.has(meetingId, externalId)) {
+      Logger.warn(`A banned user with extId ${externalId} tried to enter in meeting ${meetingId}`);
+      return { invalid: true, reason: 'User has been banned' };
+    }
+  }
+
+  // Prevent users who have left or been ejected to use the same sessionToken again.
+  const isUserInvalid = Users.findOne({
+    meetingId,
+    userId: requesterUserId,
+    authToken: requesterToken,
+    $or: [{ ejected: true }, { loggedOut: true }],
+  });
+
+  if (isUserInvalid) {
+    Logger.warn(`An invalid sessionToken tried to validateAuthToken meetingId=${meetingId} authToken=${requesterToken}`);
+    return { invalid: true, reason: 'User has an invalid sessionToken' };
+  }
+
+  return { invalid: false };
+}

bigbluebutton-html5/imports/api/users/server/methods/validateAuthToken.js

@@ -2,30 +2,12 @@ import { Meteor } from 'meteor/meteor';
 import RedisPubSub from '/imports/startup/server/redis';
 import Logger from '/imports/startup/server/logger';
 import pendingAuthenticationsStore from '../store/pendingAuthentications';
-import BannedUsers from '../store/bannedUsers';
-import Users from '/imports/api/users';
 
-export default function validateAuthToken(meetingId, requesterUserId, requesterToken, externalId) {
+export default function validateAuthToken(meetingId, requesterUserId, requesterToken) {
   const REDIS_CONFIG = Meteor.settings.private.redis;
   const CHANNEL = REDIS_CONFIG.channels.toAkkaApps;
   const EVENT_NAME = 'ValidateAuthTokenReqMsg';
 
-  // Check if externalId is banned from the meeting
-  if (externalId) {
-    if (BannedUsers.has(meetingId, externalId)) {
-      Logger.warn(`A banned user with extId ${externalId} tried to enter in meeting ${meetingId}`);
-      return { invalid: true, reason: 'User has been banned.' };
-    }
-  }
-
-  // Check if a removed user is trying to access the meeting using the same sessionToken
-  const isUserEjected = Users.findOne({ meetingId, authToken: requesterToken, ejected: true });
-
-  if (isUserEjected) {
-    Logger.warn(`An invalid sessionToken tried to validateAuthToken meetingId=${meetingId} authToken=${requesterToken}`);
-    return { invalid: true, reason: 'User has been ejected.' };
-  }
-
   // Store reference of methodInvocationObject ( to postpone the connection userId definition )
   pendingAuthenticationsStore.add(meetingId, requesterUserId, requesterToken, this);
 

bigbluebutton-html5/imports/ui/services/auth/index.js

@@ -218,7 +218,7 @@ class Auth {
         });
       }, CONNECTION_TIMEOUT);
 
-      const result = await makeCall('validateAuthToken', this.meetingID, this.userID, this.token, this.externUserID);
+      const result = await makeCall('checkSessionToken', this.meetingID, this.userID, this.token, this.externUserID);
 
       if (result && result.invalid) {
         clearTimeout(validationTimeout);