Merge pull request #4475 from oswaldoacauan/fix-token-security

[HTML5] Add a check for the passed credentials agains the token in Acl
2017-10-10 12:48:41 -04:00 · 2017-10-10 12:48:41 -04:00 · 66f8be63d2
commit 66f8be63d2
parent a49a4f4354 96ea918919
2 changed files with 19 additions and 7 deletions
--- a/bigbluebutton-html5/imports/api/acl/Acl.js
+++ b/bigbluebutton-html5/imports/api/acl/Acl.js
@ -1,8 +1,9 @@
+
+import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';
 import deepMerge from '/imports/utils/deepMerge';

-export class Acl {
-
+export default class Acl {
  constructor(config, Users) {
    this.Users = Users;
    this.config = config;
@ -12,11 +13,22 @@ export class Acl {
    check(permission, String);
    const permissions = this.getPermissions(credentials);

-    if (permissions) {
-      return this.fetchPermission(permission, permissions);
+    return this.checkToken(credentials) && this.fetchPermission(permission, permissions);
  }

-    return false;
+  checkToken(credentials) {
+    // skip token check in client `can` calls since we dont have the authToken in the collection
+    if (!Meteor.isServer) return true;
+
+    const { meetingId, requesterUserId: userId, requesterToken: authToken } = credentials;
+
+    const User = this.Users.findOne({
+      meetingId,
+      userId,
+      authToken,
+    });
+
+    return !!User; // if he found a user means the meeting/user/token is valid
  }

  fetchPermission(permission, permissions) {
--- a/bigbluebutton-html5/imports/startup/acl.js
+++ b/bigbluebutton-html5/imports/startup/acl.js
@ -1,6 +1,6 @@
 import { Meteor } from 'meteor/meteor';
 import Users from '/imports/api/2.0/users';
-import { Acl } from '/imports/api/acl/Acl';
+import Acl from '/imports/api/acl/Acl';

 const AclSingleton = new Acl();