From 2753870c3b908d1bb3f0c9294524fe0948bd0908 Mon Sep 17 00:00:00 2001 From: Miroslav Pejic Date: Mon, 24 Apr 2023 11:12:00 +0200 Subject: [PATCH] [mirotalksfu] - improve security & minor fix --- app/src/Logger.js | 6 ++++-- app/src/Server.js | 38 +++++++++++++++++++++++++++++++------- app/src/config.template.js | 3 +++ public/js/LocalStorage.js | 8 ++++++++ public/js/Room.js | 13 ++++++++++++- public/js/RoomClient.js | 13 +++++++++++-- 6 files changed, 69 insertions(+), 12 deletions(-) diff --git a/app/src/Logger.js b/app/src/Logger.js index c421ff39..a5ccf1ea 100644 --- a/app/src/Logger.js +++ b/app/src/Logger.js @@ -4,6 +4,8 @@ const util = require('util'); const colors = require('colors'); +const config = require('./config'); + colors.enable(); //colors.disable(); const options = { @@ -11,9 +13,9 @@ const options = { colors: true, }; module.exports = class Logger { - constructor(appName = 'miroTalkSfu', debugOn = true) { + constructor(appName = 'miroTalkSfu') { this.appName = colors.yellow(appName); - this.debugOn = debugOn; + this.debugOn = config.console.debug; this.timeStart = Date.now(); this.timeEnd = null; this.timeElapsedMs = null; diff --git a/app/src/Server.js b/app/src/Server.js index 24e24279..bd90a006 100644 --- a/app/src/Server.js +++ b/app/src/Server.js @@ -563,14 +563,17 @@ function startServer() { roomList.get(socket.room_id).broadCast(socket.id, 'cmd', data); }); - socket.on('roomAction', (dataObject) => { + socket.on('roomAction', async (dataObject) => { if (!roomList.has(socket.room_id)) return; const data = checkXSS(dataObject); + const isPresenter = await isPeerPresenter(socket.room_id, data.peer_name, data.peer_uuid); + log.debug('Room action:', data); switch (data.action) { case 'lock': + if (!isPresenter) return; if (!roomList.get(socket.room_id).isLocked()) { roomList.get(socket.room_id).setLocked(true, data.password); roomList.get(socket.room_id).broadCast(socket.id, 'roomAction', data.action); 
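Review bot: `this.debugOn = config.console.debug;` in the Logger constructor throws a TypeError on any deployment whose `config.js` was copied from the template before this commit, because the `console` section is only added to config.template.js; if Logger instances are created when modules load (not visible here), a missing optional key becomes a start-up crash instead of a disabled feature. Dropping the `debugOn` parameter also changes behaviour silently for any caller that passed `new Logger(name, false)`, since the second argument is now ignored. Keep the parameter as the fallback and guard the lookup: `constructor(appName = 'miroTalkSfu', debugOn = true) {` and `this.debugOn = config.console ? config.console.debug : debugOn;`. The constructor body continues past the hunk.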
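Review bot: The denied branch `if (!isPresenter) return;` under `case 'lock'` (and the three identical guards in the @@ -588 hunk) drops the request without any trace, so a non-presenter repeatedly trying to lock, unlock or toggle the lobby is invisible to the operator even though `log.debug('Room action:', data)` records every accepted one. The peerAction hunk at @@ -630 already checks a single `presenterActions` list once before dispatch; using the same shape here replaces the four guards with one place that can also log the refusal. The socket handler and the enclosing startServer() continue outside the hunk.
```javascript
const isPresenter = await isPeerPresenter(socket.room_id, data.peer_name, data.peer_uuid);
const presenterActions = ['lock', 'unlock', 'lobbyOn', 'lobbyOff'];
if (presenterActions.some((v) => data.action === v) && !isPresenter) {
    log.debug('Room action denied, peer is not presenter', { peer_id: socket.id, action: data.action });
    return;
}
// … unchanged: log.debug('Room action:', data); switch (data.action) { … } with the per-case `if (!isPresenter) return;` lines removed …
```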
@@ -588,14 +591,17 @@ function startServer() { roomList.get(socket.room_id).sendTo(socket.id, 'roomPassword', roomData); break; case 'unlock': + if (!isPresenter) return; roomList.get(socket.room_id).setLocked(false); roomList.get(socket.room_id).broadCast(socket.id, 'roomAction', data.action); break; case 'lobbyOn': + if (!isPresenter) return; roomList.get(socket.room_id).setLobbyEnabled(true); roomList.get(socket.room_id).broadCast(socket.id, 'roomAction', data.action); break; case 'lobbyOff': + if (!isPresenter) return; roomList.get(socket.room_id).setLobbyEnabled(false); roomList.get(socket.room_id).broadCast(socket.id, 'roomAction', data.action); break; @@ -630,13 +636,19 @@ function startServer() { } }); - socket.on('peerAction', (dataObject) => { + socket.on('peerAction', async (dataObject) => { if (!roomList.has(socket.room_id)) return; const data = checkXSS(dataObject); log.debug('Peer action', data); + const presenterActions = ['mute', 'hide', 'eject']; + if (presenterActions.some((v) => data.action === v)) { + const isPresenter = await isPeerPresenter(socket.room_id, data.from_peer_name, data.from_peer_uuid); + if (!isPresenter) return; + } + if (data.broadcast) { roomList.get(socket.room_id).broadCast(data.peer_id, 'peerAction', data); } else { 
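Review bot: After `isPeerPresenter` has accepted `data.from_peer_uuid` as the presenter's credential, the same `data` object is forwarded unchanged by `roomList.get(socket.room_id).broadCast(data.peer_id, 'peerAction', data)` (and, from what the `else` branch suggests, by the sendTo call that follows outside the hunk), so every peer in the room receives the value the server uses to authorise mute, hide and eject. The client side of this is the @@ -4333 hunk in RoomClient.js, which adds `from_peer_uuid: this.peer_uuid` to the emitted payload. The uuid is needed only for the check and should not leave the server: `delete data.from_peer_uuid;` placed right after the presenter block, or a forwarded object built without that key, keeps the credential out of other peers' hands. The handler continues outside the hunk.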
@@ -1067,11 +1079,23 @@ function startServer() {
 });
 async function isPeerPresenter(room_id, peer_name, peer_uuid) {
- const isPresenter =
- Object.keys(presenters[room_id]).length > 1 &&
- presenters[room_id]['peer_name'] === peer_name &&
- presenters[room_id]['peer_uuid'] === peer_uuid;
- log.debug(peer_name, { isPresenter: isPresenter });
+ let isPresenter = false;
+ try {
+ isPresenter =
+ typeof presenters === 'object' &&
+ Object.keys(presenters[room_id]).length > 1 &&
+ presenters[room_id]['peer_name'] === peer_name &&
+ presenters[room_id]['peer_uuid'] === peer_uuid;
+ } catch (err) {
+ log.error('isPeerPresenter', err);
+ return false;
+ }
+ log.debug('isPeerPresenter', {
+ room_id: room_id,
+ peer_name: peer_name,
+ peer_uuid: peer_uuid,
+ isPresenter: isPresenter,
+ });
 return isPresenter;
 }
diff --git a/app/src/config.template.js b/app/src/config.template.js
index 83626039..ba2ec0a4 100644
--- a/app/src/config.template.js
+++ b/app/src/config.template.js
@@ -44,6 +44,9 @@ module.exports = {
 username: 'username',
 password: 'password',
 },
+ console: {
+ debug: true,
+ },
 ngrok: {
 /* Ngrok
diff --git a/public/js/LocalStorage.js b/public/js/LocalStorage.js
index cc6fffcb..376920e1 100644
--- a/public/js/LocalStorage.js
+++ b/public/js/LocalStorage.js
@@ -59,4 +59,12 @@ class LocalStorage {
 getLocalStorageDevices() {
 return JSON.parse(localStorage.getItem('LOCAL_STORAGE_DEVICES'));
 }
+
+ setItemLocalStorage(key, value) {
+ localStorage.setItem(key, value);
+ }
+
+ getItemLocalStorage(key) {
+ localStorage.getItem(key);
+ }
 }
diff --git a/public/js/Room.js b/public/js/Room.js
index 4a5b7879..b5156889 100644
--- a/public/js/Room.js
+++ b/public/js/Room.js
@@ -71,6 +71,7 @@ let chatMessagesId = 0;
 let room_id = getRoomId();
 let room_password = getRoomPassword();
 let peer_name = getPeerName();
+let peer_uuid = getPeerUUID();
 let isScreenAllowed = getScreen();
 let notify = getNotify();
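Review bot: The new try/catch in isPeerPresenter turns the ordinary case of a room with no presenter entry into an error: `Object.keys(presenters[room_id])` throws when `presenters[room_id]` is undefined, so every roomAction or peerAction from such a room ends in `log.error('isPeerPresenter', err)` although nothing is wrong, and `typeof presenters === 'object'` does not prevent it because it is also true for null. The debug call below additionally writes `peer_uuid` — the value just compared as a credential — into the log on every invocation, which puts the secret wherever logs are shipped, while `room_id`, `peer_name` and the verdict are enough to trace the decision. A plain guard removes both the exception path and the logged secret (the function is also `async` without awaiting anything, which is harmless but misleading).
```javascript
async function isPeerPresenter(room_id, peer_name, peer_uuid) {
    const presenter =
        presenters && Object.prototype.hasOwnProperty.call(presenters, room_id) ? presenters[room_id] : null;
    const isPresenter =
        !!presenter &&
        Object.keys(presenter).length > 1 &&
        presenter['peer_name'] === peer_name &&
        presenter['peer_uuid'] === peer_uuid;
    log.debug('isPeerPresenter', { room_id: room_id, peer_name: peer_name, isPresenter: isPresenter });
    return isPresenter;
}
```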
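Review bot: `getItemLocalStorage(key)` never returns the value it reads — its body is `localStorage.getItem(key);` with no `return`, so the method always yields undefined. Its first caller, `getPeerUUID()` in the Room.js hunk at @@ -415, therefore never sees a stored uuid, mints a fresh one with `getUUID()` on every page load and overwrites the stored value, which defeats the persistence this commit introduces and presumably leaves a reloading presenter with a `peer_uuid` different from the one the server recorded. The fix is `return localStorage.getItem(key);`, matching the shape of `getLocalStorageDevices()` just above it.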
@@ -415,6 +416,15 @@ function getPeerName() { return name; } +function getPeerUUID() { + if (lS.getItemLocalStorage('peer_uuid')) { + return lS.getItemLocalStorage('peer_uuid'); + } + const peer_uuid = getUUID(); + lS.setItemLocalStorage('peer_uuid', peer_uuid); + return peer_uuid; +} + function getRoomPassword() { let qs = new URLSearchParams(window.location.search); let roomPassword = filterXSS(qs.get('password')); @@ -435,7 +445,7 @@ function getRoomPassword() { function getPeerInfo() { peer_info = { join_data_time: getDataTimeString(), - peer_uuid: getUUID(), + peer_uuid: peer_uuid, peer_id: socket.id, peer_name: peer_name, peer_presenter: isPresenter, @@ -707,6 +717,7 @@ function joinRoom(peer_name, room_id) { socket, room_id, peer_name, + peer_uuid, peer_info, isAudioAllowed, isVideoAllowed, diff --git a/public/js/RoomClient.js b/public/js/RoomClient.js index bd14481b..f29262b4 100644 --- a/public/js/RoomClient.js +++ b/public/js/RoomClient.js @@ -116,6 +116,7 @@ class RoomClient { socket, room_id, peer_name, + peer_uuid, peer_info, isAudioAllowed, isVideoAllowed, @@ -133,6 +134,7 @@ class RoomClient { this.room_id = room_id; this.peer_id = socket.id; this.peer_name = peer_name; + this.peer_uuid = peer_uuid; this.peer_info = peer_info; this.isAudioAllowed = isAudioAllowed; @@ -3810,6 +3812,10 @@ class RoomClient { roomAction(action, emit = true) { let data = { + room_id: this.room_id, + peer_id: this.peer_id, + peer_name: this.peer_name, + peer_uuid: this.peer_uuid, action: action, password: null, }; @@ -3943,7 +3949,7 @@ class RoomClient { let lobbyTr = ''; let peer_id = data.peer_id; let peer_name = data.peer_name; - let avatarImg = getParticipantAvatar(peer_name); + let avatarImg = this.genAvatarSvg(peer_name, 32); let lobbyTb = this.getId('lobbyTb'); let lobbyAccept = _PEER.acceptPeer; let lobbyReject = _PEER.ejectPeer; @@ -3952,7 +3958,7 @@ class RoomClient { lobbyTr += ` - + ${peer_name} 
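Review bot: `getPeerUUID()` calls `lS.getItemLocalStorage('peer_uuid')` twice, once in the condition and again in the return; read it once, `const stored = lS.getItemLocalStorage('peer_uuid'); if (stored) return stored;`. More importantly, the value minted here with `getUUID()` is what `isPeerPresenter` on the server compares before allowing lock, unlock, lobby, mute, hide and eject, so it must be unguessable: if `getUUID()` is built on `Math.random()` (its definition is not in this diff) it should use `crypto.randomUUID()` or `crypto.getRandomValues` instead. Because it now lives in localStorage it is also shared by every tab and script on the origin and survives until the profile is cleared, which is worth a comment on the function, e.g. `// peer_uuid is the presenter credential the server checks; persisted per browser profile`.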
@@ -4333,6 +4339,8 @@ class RoomClient {
 if (emit) {
 let data = {
 from_peer_name: this.peer_name,
+ from_peer_id: this.peer_id,
+ from_peer_uuid: this.peer_uuid,
 peer_id: peer_id,
 action: action,
 broadcast: broadcast,
@@ -4346,6 +4354,7 @@ class RoomClient {
 switch (action) {
 case 'eject':
 if (peer_id === this.peer_id || broadcast) {
+ this.exit(true);
 this.sound(action);
 this.peerActionProgress(from_peer_name, 'Will eject you from the room', 5000, action);
 }
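Review bot: `this.exit(true);` is now the first statement of the eject branch, ahead of `this.sound(action)` and the 5-second `peerActionProgress(from_peer_name, 'Will eject you from the room', 5000, action)`; if `exit` tears down the client or navigates away (its body is not in the diff) the sound and the notice the user is meant to read never run, and if it does not, the countdown keeps showing after the client has already left. Either move the call after the notification, or into its completion, or drop the now-unreachable feedback, and add a comment stating which is intended. From what the server hunk at @@ -630 shows, eject is only relayed as a message and the leaving happens here in the client; unless the server also closes the socket elsewhere, a client that ignores the message stays in the room, so the room-side removal belongs on the server as well. The switch continues outside the hunk.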