From 78ead44d17bae36cde4ca8d25f267663e1caf9b6 Mon Sep 17 00:00:00 2001
From: Joao Siebel
Date: Thu, 1 Oct 2020 14:31:38 -0300
Subject: [PATCH 1/2] Fix reconnection flow
---
 .../users/server/methods/validateAuthToken.js | 25 ++++++++++++++++++-
 .../imports/ui/services/auth/index.js | 2 +-
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/bigbluebutton-html5/imports/api/users/server/methods/validateAuthToken.js b/bigbluebutton-html5/imports/api/users/server/methods/validateAuthToken.js
index 0f01fb0c2d..dc7f37e7da 100644
--- a/bigbluebutton-html5/imports/api/users/server/methods/validateAuthToken.js
+++ b/bigbluebutton-html5/imports/api/users/server/methods/validateAuthToken.js
@@ -2,12 +2,35 @@ import { Meteor } from 'meteor/meteor';
 import RedisPubSub from '/imports/startup/server/redis';
 import Logger from '/imports/startup/server/logger';
 import pendingAuthenticationsStore from '../store/pendingAuthentications';
+import BannedUsers from '../store/bannedUsers';
+import Users from '/imports/api/users';
 
-export default function validateAuthToken(meetingId, requesterUserId, requesterToken) {
+export default function validateAuthToken(meetingId, requesterUserId, requesterToken, externalId) {
   const REDIS_CONFIG = Meteor.settings.private.redis;
   const CHANNEL = REDIS_CONFIG.channels.toAkkaApps;
   const EVENT_NAME = 'ValidateAuthTokenReqMsg';
 
+  // Check if externalId is banned from the meeting
+  if (externalId) {
+    if (BannedUsers.has(meetingId, externalId)) {
+      Logger.warn(`A banned user with extId ${externalId} tried to enter in meeting ${meetingId}`);
+      return { invalid: true, reason: 'User has been banned' };
+    }
+  }
+
+  // Prevent users who have left or been ejected to use the same sessionToken again.
+  const isUserInvalid = Users.findOne({
+    meetingId,
+    userId: requesterUserId,
+    authToken: requesterToken,
+    $or: [{ ejected: true }, { loggedOut: true }],
+  });
+
+  if (isUserInvalid) {
+    Logger.warn(`An invalid sessionToken tried to validateAuthToken meetingId=${meetingId} authToken=${requesterToken}`);
+    return { invalid: true, reason: 'User has an invalid sessionToken' };
+  }
+
   // Store reference of methodInvocationObject ( to postpone the connection userId definition )
   pendingAuthenticationsStore.add(meetingId, requesterUserId, requesterToken, this);
 
diff --git a/bigbluebutton-html5/imports/ui/services/auth/index.js b/bigbluebutton-html5/imports/ui/services/auth/index.js
index cc1c7fbf58..3810c9a0e4 100755
--- a/bigbluebutton-html5/imports/ui/services/auth/index.js
+++ b/bigbluebutton-html5/imports/ui/services/auth/index.js
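Review bot: The ban check is gated on a caller-supplied value: `externalId` is a plain Meteor method argument (the auth/index.js hunk passes `this.externUserID` from the client), and the new `if (externalId)` guard means a missing or altered value skips `BannedUsers.has` entirely instead of failing validation. Resolve the external id on the server from the Users record for `meetingId`/`requesterUserId` if that document carries it (to confirm against the Users schema), and treat the no-id case as a validation failure rather than a silent pass; a `check(meetingId, String)`-style argument validation at the top of the method would also belong here. Separately, the warning on the invalid-token path writes the full `requesterToken` into the server log; log `userId=${requesterUserId}` (or a truncated token) instead so session tokens do not end up in plaintext log files. validateAuthToken's body continues past the end of this hunk.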
@@ -218,7 +218,7 @@ class Auth {
       });
     }, CONNECTION_TIMEOUT);
 
-    const result = await makeCall('checkSessionToken', this.meetingID, this.userID, this.token, this.externUserID);
+    const result = await makeCall('validateAuthToken', this.meetingID, this.userID, this.token, this.externUserID);
 
     if (result && result.invalid) {
       clearTimeout(validationTimeout);
From 895e82f260f2b6f0048d6263338eede062ccc2f7 Mon Sep 17 00:00:00 2001
From: Joao Siebel
Date: Thu, 1 Oct 2020 15:32:24 -0300
Subject: [PATCH 2/2] Remove unused method
---
 .../imports/api/users/server/methods.js | 2 --
 .../users/server/methods/checkSessionToken.js | 28 -------------------
 2 files changed, 30 deletions(-)
 delete mode 100644 bigbluebutton-html5/imports/api/users/server/methods/checkSessionToken.js
diff --git a/bigbluebutton-html5/imports/api/users/server/methods.js b/bigbluebutton-html5/imports/api/users/server/methods.js
index 7630793f14..98aa67982f 100644
--- a/bigbluebutton-html5/imports/api/users/server/methods.js
+++ b/bigbluebutton-html5/imports/api/users/server/methods.js
@@ -8,7 +8,6 @@ import toggleUserLock from './methods/toggleUserLock';
 import setUserEffectiveConnectionType from './methods/setUserEffectiveConnectionType';
 import userActivitySign from './methods/userActivitySign';
 import userLeftMeeting from './methods/userLeftMeeting';
-import checkSessionToken from './methods/checkSessionToken';
 
 Meteor.methods({
   setEmojiStatus,
@@ -20,5 +19,4 @@ Meteor.methods({
   setUserEffectiveConnectionType,
   userActivitySign,
   userLeftMeeting,
-  checkSessionToken,
 });
diff --git a/bigbluebutton-html5/imports/api/users/server/methods/checkSessionToken.js b/bigbluebutton-html5/imports/api/users/server/methods/checkSessionToken.js
deleted file mode 100644
index 9d6c0a139b..0000000000
--- a/bigbluebutton-html5/imports/api/users/server/methods/checkSessionToken.js
+++ /dev/null
@@ -1,28 +0,0 @@
-import Users from '/imports/api/users';
-import Logger from '/imports/startup/server/logger';
-import BannedUsers from '../store/bannedUsers';
-
-export default function checkSessionToken(meetingId, requesterUserId, requesterToken, externalId) {
-  // Check if externalId is banned from the meeting
-  if (externalId) {
-    if (BannedUsers.has(meetingId, externalId)) {
-      Logger.warn(`A banned user with extId ${externalId} tried to enter in meeting ${meetingId}`);
-      return { invalid: true, reason: 'User has been banned' };
-    }
-  }
-
-  // Prevent users who have left or been ejected to use the same sessionToken again.
-  const isUserInvalid = Users.findOne({
-    meetingId,
-    userId: requesterUserId,
-    authToken: requesterToken,
-    $or: [{ ejected: true }, { loggedOut: true }],
-  });
-
-  if (isUserInvalid) {
-    Logger.warn(`An invalid sessionToken tried to validateAuthToken meetingId=${meetingId} authToken=${requesterToken}`);
-    return { invalid: true, reason: 'User has an invalid sessionToken' };
-  }
-
-  return { invalid: false };
-}