push monitor: increase token security (#912)

* increased pushToken security * Merge manually --------- Co-authored-by: Andreas Brett <github@abrett.de> Co-authored-by: Louis Lam <louislam@users.noreply.github.com>
louislam · Oct 11, 2023 · 42bf27f · 42bf27f
1 parent 67d0ef5
commit 42bf27f
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/db/knex_migrations/2023-10-11-1915-push-token-to-32.js b/db/knex_migrations/2023-10-11-1915-push-token-to-32.js
@@ -0,0 +1,14 @@
+exports.up = function (knex) {
+    // update monitor.push_token to 32 length
+    return knex.schema
+        .alterTable("monitor", function (table) {
+            table.string("push_token", 32).alter();
+        });
+};
+
+exports.down = function (knex) {
+    return knex.schema
+        .alterTable("monitor", function (table) {
+            table.string("push_token", 20).alter();
+        });
+};
diff --git a/src/lang/en.json b/src/lang/en.json
@@ -244,6 +244,7 @@
     "successMessage": "Success Message",
     "successMessageExplanation": "MQTT message that will be considered as success",
     "recent": "Recent",
+    "Reset Token": "Reset Token",
     "Done": "Done",
     "Info": "Info",
     "Security": "Security",

diff --git a/src/pages/EditMonitor.vue b/src/pages/EditMonitor.vue
@@ -119,6 +119,9 @@
                                     {{ $t("needPushEvery", [monitor.interval]) }}<br />
                                     {{ $t("pushOptionalParams", ["status, msg, ping"]) }}
                                 </div>
+                                <button class="btn btn-primary" type="button" @click="resetToken">
+                                    {{ $t("Reset Token") }}
+                                </button>
                             </div>
 
                             <!-- Keyword -->
@@ -847,6 +850,8 @@ import { sleep } from "../util";
 
 const toast = useToast();
 
+const pushTokenLength = 32;
+
 const monitorDefaults = {
     type: "http",
     name: "",
@@ -1145,7 +1150,9 @@ message HealthCheckResponse {
         "monitor.type"() {
             if (this.monitor.type === "push") {
                 if (! this.monitor.pushToken) {
-                    this.monitor.pushToken = genSecret(10);
+                    // ideally this would require checking if the generated token is already used
+                    // it's very unlikely to get a collision though (62^32 ~ 2.27265788 * 10^57 unique tokens)
+                    this.monitor.pushToken = genSecret(pushTokenLength);
                 }
             }
 
@@ -1348,6 +1355,10 @@ message HealthCheckResponse {
             return true;
         },
 
+        resetToken() {
+            this.monitor.pushToken = genSecret(pushTokenLength);
+        },
+
         /**
          * Submit the form data for processing
          * @returns {void}