fix(authentication-form): Prevent re-using the same authentication fo…

…rm url
postalsys · Oct 31, 2023 · b13d9b9 · b13d9b9
1 parent e5a2f50
commit b13d9b9
Show file tree

Hide file tree

Showing 16 changed files with 404 additions and 342 deletions.
diff --git a/lib/consts.js b/lib/consts.js
@@ -150,6 +150,11 @@ module.exports = {
     // hard limit for subscript execution (does not include waiting for promises)
     SUBSCRIPT_RUNTIME_TIMEOUT: 30 * 1000,
 
+    // how long is an authentication form valid
+    MAX_FORM_TTL: 1 * 24 * 3600 * 1000,
+
+    NONCE_BYTES: 16,
+
     generateWebhookTable() {
         let entries = [];
 

diff --git a/lib/routes-ui.js b/lib/routes-ui.js
diff --git a/lib/tools.js b/lib/tools.js
@@ -29,7 +29,7 @@ const uuid = require('uuid');
 const mimeTypes = require('nodemailer/lib/mime-funcs/mime-types');
 const { v3: murmurhash } = require('murmurhash');
 const { compare: compareVersions, validate: validateVersion } = require('compare-versions');
-const { REDIS_PREFIX, TLS_DEFAULTS, FETCH_TIMEOUT } = require('./consts');
+const { REDIS_PREFIX, TLS_DEFAULTS, FETCH_TIMEOUT, MAX_FORM_TTL } = require('./consts');
 const ipaddr = require('ipaddr.js');
 const bullmqPackage = require('bullmq/package.json');
 const v8 = require('node:v8');
@@ -765,7 +765,7 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV3QUiYsp13nD9suD1/ZkEXnuMoSg
                 }
 
                 const ignoreMailCertErrors = await settings.get('ignoreMailCertErrors');
-                if (ignoreMailCertErrors && imapConfig?.tls?.rejectUnauthorized !== false) {
+                if (ignoreMailCertErrors && imapConfig && imapConfig.tls && imapConfig.tls.rejectUnauthorized !== false) {
                     imapConfig.tls = imapConfig.tls || {};
                     imapConfig.tls.rejectUnauthorized = false;
                 }
@@ -868,7 +868,7 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV3QUiYsp13nD9suD1/ZkEXnuMoSg
                 smtpConfig.forceAuth = true;
 
                 const ignoreMailCertErrors = await settings.get('ignoreMailCertErrors');
-                if (ignoreMailCertErrors && smtpConfig?.tls?.rejectUnauthorized !== false) {
+                if (ignoreMailCertErrors && smtpConfig && smtpConfig.tls && smtpConfig.tls.rejectUnauthorized !== false) {
                     smtpConfig.tls = smtpConfig.tls || {};
                     smtpConfig.tls.rejectUnauthorized = false;
                 }
@@ -1308,7 +1308,9 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV3QUiYsp13nD9suD1/ZkEXnuMoSg
                           notifyFrom: (opts.notifyFrom && opts.notifyFrom.toISOString()) || null,
                           subconnections: opts.subconnections && opts.subconnections.length ? opts.subconnections : null,
                           redirectUrl: opts.redirectUrl,
-                          delegated: opts.delegated
+                          delegated: opts.delegated,
+                          n: opts.n,
+                          t: opts.t
                       })
             )
         );
@@ -1322,6 +1324,35 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV3QUiYsp13nD9suD1/ZkEXnuMoSg
         return { data: data.toString('base64url'), signature };
     },
 
+    async parseSignedFormData(redis, payload, gt) {
+        let data = Buffer.from(payload.data, 'base64url').toString();
+        let serviceSecret = await settings.get('serviceSecret');
+        if (serviceSecret) {
+            let hmac = createHmac('sha256', serviceSecret);
+            hmac.update(data);
+            if (hmac.digest('base64url') !== payload.sig) {
+                let error = Boom.boomify(new Error(gt.gettext('Signature validation failed')), { statusCode: 403 });
+                throw error;
+            }
+        }
+
+        data = JSON.parse(data);
+
+        if (data.n && data.t) {
+            if (data.t < Date.now() - (MAX_FORM_TTL - 60 * 1000)) {
+                let error = Boom.boomify(new Error(gt.gettext('Invalid or expired account setup URL')), { statusCode: 403 });
+                throw error;
+            }
+            const nonceSeen = await redis.exists(`${REDIS_PREFIX}account:form:${data.n}`);
+            if (nonceSeen) {
+                let error = Boom.boomify(new Error(gt.gettext('Invalid or expired account setup URL')), { statusCode: 403 });
+                throw error;
+            }
+        }
+
+        return data;
+    },
+
     async setLicense(licenseData, licenseFile) {
         await settings.setLicense(licenseData, licenseFile);
     },

diff --git a/package.json b/package.json
@@ -16,7 +16,7 @@
         "build-dist": "npx pkg --compress Brotli package.json && npm install && node winconf.js",
         "build-dist-fast": "npx pkg --debug package.json && npm install && node winconf.js",
         "licenses": "license-checker --excludePackages emailengine-app --json | node license-table.js > static/licenses.html",
-        "gettext": "find ./views -name \"*.hbs\" -print0 | xargs -0 xgettext-template -L Handlebars -o translations/messages.pot --force-po && jsxgettext lib/routes-ui.js workers/api.js -j -o translations/messages.pot",
+        "gettext": "find ./views -name \"*.hbs\" -print0 | xargs -0 xgettext-template -L Handlebars -o translations/messages.pot --force-po && jsxgettext lib/routes-ui.js workers/api.js lib/tools.js -j -o translations/messages.pot",
         "prepare-docker": "echo \"EE_DOCKER_LEGACY=$EE_DOCKER_LEGACY\" >> system.env && cat system.env",
         "update": "rm -rf node_modules package-lock.json && ncu -u && npm install && ./copy-static-files.sh && npm run licenses"
     },

diff --git a/translations/de.mo b/translations/de.mo
diff --git a/translations/de.po b/translations/de.po
@@ -1,7 +1,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: \n"
-"POT-Creation-Date: 2023-08-15 13:09+0000\n"
+"POT-Creation-Date: 2023-10-31 12:21+0000\n"
 "PO-Revision-Date: \n"
 "Last-Translator: \n"
 "Language-Team: \n"
@@ -18,10 +18,6 @@ msgid_plural "%d days"
 msgstr[0] "%d Tag"
 msgstr[1] "%d Tage"
 
-#: views/redirect.hbs:1
-msgid "Click <a href=\"%s\">here</a> to continue&mldr;"
-msgstr "Klicken Sie <a href=\"%s\">hier</a>, um fortzufahren&mldr;"
-
 #: views/unsubscribe.hbs:1 views/unsubscribe.hbs:79
 msgid "Unsubscribe"
 msgstr "Abmelden"
@@ -65,6 +61,10 @@ msgstr "E-Mail-Adresse"
 msgid "Enter your email address"
 msgstr "Geben Sie Ihre E-Mail-Adresse ein"
 
+#: views/redirect.hbs:1
+msgid "Click <a href=\"%s\">here</a> to continue&mldr;"
+msgstr "Klicken Sie <a href=\"%s\">hier</a>, um fortzufahren&mldr;"
+
 #: views/accounts/register/imap.hbs:11
 msgid "Your name"
 msgstr "Ihr Name"
@@ -88,6 +88,14 @@ msgstr "Passwort für Ihr Konto eingeben"
 msgid "Continue"
 msgstr "Weiter"
 
+#: views/accounts/register/index.hbs:2
+msgid "Choose your email account provider"
+msgstr "Wählen Sie Ihren E-Mail-Kontoanbieter"
+
+#: views/accounts/register/index.hbs:15
+msgid "Standard IMAP"
+msgstr "Standard IMAP"
+
 #: views/accounts/register/imap-server.hbs:18
 msgid "IMAP"
 msgstr "IMAP"
@@ -196,45 +204,41 @@ msgstr "Der SMTP-Server antwortete mit der folgenden Meldung:"
 msgid "HTTP error!"
 msgstr "HTTP-Fehler!"
 
-#: views/accounts/register/index.hbs:2
-msgid "Choose your email account provider"
-msgstr "Wählen Sie Ihren E-Mail-Kontoanbieter"
-
-#: views/accounts/register/index.hbs:15
-msgid "Standard IMAP"
-msgstr "Standard IMAP"
-
-#: lib/routes-ui.js:557
+#: lib/routes-ui.js:603
 msgid "Invalid API key for OpenAI"
 msgstr "Ungültiger API-Schlüssel für OpenAI"
 
-#: lib/routes-ui.js:4193 lib/routes-ui.js:6143 lib/routes-ui.js:6154
+#: lib/routes-ui.js:4573 lib/routes-ui.js:6491 lib/routes-ui.js:6502
 msgid "Server hostname was not found"
 msgstr "Server-Hostname wurde nicht gefunden"
 
-#: lib/routes-ui.js:4196 lib/routes-ui.js:6146 lib/routes-ui.js:6157
+#: lib/routes-ui.js:4576 lib/routes-ui.js:6494 lib/routes-ui.js:6505
 msgid "Invalid username or password"
 msgstr "Ungültiger Benutzername oder Passwort"
 
-#: lib/routes-ui.js:4200 lib/routes-ui.js:6161
+#: lib/routes-ui.js:4580 lib/routes-ui.js:6509
 msgid "TLS protocol error"
 msgstr "TLS-Protokollfehler"
 
-#: lib/routes-ui.js:5907 lib/routes-ui.js:6018 lib/routes-ui.js:6246
-msgid "Signature validation failed"
-msgstr "Signaturüberprüfung fehlgeschlagen"
-
-#: lib/routes-ui.js:5944 lib/routes-ui.js:5984 lib/routes-ui.js:8621
+#: lib/routes-ui.js:6303 lib/routes-ui.js:6343 lib/routes-ui.js:9037
 msgid "Failed to validate request arguments"
 msgstr "Validierung der Anforderungsargumente fehlgeschlagen"
 
-#: lib/routes-ui.js:6081 lib/routes-ui.js:6332
+#: lib/routes-ui.js:6429 lib/routes-ui.js:6683
 msgid "Failed to process account"
 msgstr "Konto konnte nicht bearbeitet werden"
 
-#: lib/routes-ui.js:8721 lib/routes-ui.js:8754
+#: lib/routes-ui.js:9137 lib/routes-ui.js:9170
 msgid "Failed to process request"
 msgstr "Anfrage konnte nicht bearbeitet werden"
 
+#: lib/tools.js:1334
+msgid "Signature validation failed"
+msgstr "Signaturüberprüfung fehlgeschlagen"
+
+#: lib/tools.js:1343 lib/tools.js:1348
+msgid "Invalid or expired account setup URL"
+msgstr "Ungültige oder abgelaufene URL für die Kontoeinrichtung"
+
 #~ msgid "Unknown OAuth provider"
 #~ msgstr "Unbekannter OAuth-Anbieter"
diff --git a/translations/en.mo b/translations/en.mo
diff --git a/translations/en.po b/translations/en.po
@@ -1,8 +1,8 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: \n"
-"POT-Creation-Date: 2023-08-15 13:09+0000\n"
-"PO-Revision-Date: 2023-08-16 11:06+0300\n"
+"POT-Creation-Date: 2023-10-31 12:21+0000\n"
+"PO-Revision-Date: 2023-10-31 14:22+0200\n"
 "Last-Translator: \n"
 "Language-Team: \n"
 "Language: en\n"
@@ -19,10 +19,6 @@ msgid_plural "%d days"
 msgstr[0] ""
 msgstr[1] ""
 
-#: views/redirect.hbs:1
-msgid "Click <a href=\"%s\">here</a> to continue&mldr;"
-msgstr ""
-
 #: views/unsubscribe.hbs:1 views/unsubscribe.hbs:79
 msgid "Unsubscribe"
 msgstr ""
@@ -63,6 +59,10 @@ msgstr ""
 msgid "Enter your email address"
 msgstr ""
 
+#: views/redirect.hbs:1
+msgid "Click <a href=\"%s\">here</a> to continue&mldr;"
+msgstr ""
+
 #: views/accounts/register/imap.hbs:11
 msgid "Your name"
 msgstr ""
@@ -86,6 +86,14 @@ msgstr ""
 msgid "Continue"
 msgstr ""
 
+#: views/accounts/register/index.hbs:2
+msgid "Choose your email account provider"
+msgstr ""
+
+#: views/accounts/register/index.hbs:15
+msgid "Standard IMAP"
+msgstr ""
+
 #: views/accounts/register/imap-server.hbs:18
 msgid "IMAP"
 msgstr ""
@@ -187,42 +195,38 @@ msgstr ""
 msgid "HTTP error!"
 msgstr ""
 
-#: views/accounts/register/index.hbs:2
-msgid "Choose your email account provider"
-msgstr ""
-
-#: views/accounts/register/index.hbs:15
-msgid "Standard IMAP"
-msgstr ""
-
-#: lib/routes-ui.js:557
+#: lib/routes-ui.js:603
 msgid "Invalid API key for OpenAI"
 msgstr ""
 
-#: lib/routes-ui.js:4193 lib/routes-ui.js:6143 lib/routes-ui.js:6154
+#: lib/routes-ui.js:4573 lib/routes-ui.js:6491 lib/routes-ui.js:6502
 msgid "Server hostname was not found"
 msgstr ""
 
-#: lib/routes-ui.js:4196 lib/routes-ui.js:6146 lib/routes-ui.js:6157
+#: lib/routes-ui.js:4576 lib/routes-ui.js:6494 lib/routes-ui.js:6505
 msgid "Invalid username or password"
 msgstr ""
 
-#: lib/routes-ui.js:4200 lib/routes-ui.js:6161
+#: lib/routes-ui.js:4580 lib/routes-ui.js:6509
 msgid "TLS protocol error"
 msgstr ""
 
-#: lib/routes-ui.js:5907 lib/routes-ui.js:6018 lib/routes-ui.js:6246
-msgid "Signature validation failed"
-msgstr ""
-
-#: lib/routes-ui.js:5944 lib/routes-ui.js:5984 lib/routes-ui.js:8621
+#: lib/routes-ui.js:6303 lib/routes-ui.js:6343 lib/routes-ui.js:9037
 msgid "Failed to validate request arguments"
 msgstr ""
 
-#: lib/routes-ui.js:6081 lib/routes-ui.js:6332
+#: lib/routes-ui.js:6429 lib/routes-ui.js:6683
 msgid "Failed to process account"
 msgstr ""
 
-#: lib/routes-ui.js:8721 lib/routes-ui.js:8754
+#: lib/routes-ui.js:9137 lib/routes-ui.js:9170
 msgid "Failed to process request"
 msgstr ""
+
+#: lib/tools.js:1334
+msgid "Signature validation failed"
+msgstr ""
+
+#: lib/tools.js:1343 lib/tools.js:1348
+msgid "Invalid or expired account setup URL"
+msgstr ""
diff --git a/translations/et.mo b/translations/et.mo