Handle upstream tokens more safely

2019-04-17 23:34:14 -06:00 · 2019-04-17 23:34:14 -06:00 · be66dd04f9
parent 109bceb924
commit be66dd04f9
8 changed files with 36 additions and 7 deletions
--- a/src/api/scalar/ScalarService.ts
+++ b/src/api/scalar/ScalarService.ts
@ -33,7 +33,7 @@ export class ScalarService {
     * @returns {Promise<string>} Resolves to the owner's user ID if the token is valid.
     * @throws {ApiError} Thrown with a status code of 401 if the token is invalid.
     */
-    public static async getTokenOwner(scalarToken: string, ignoreUpstreams?: boolean): Promise<string> {
+    public static async getTokenOwner(scalarToken: string, ignoreUpstreams = false): Promise<string> {
        const cachedUserId = Cache.for(CACHE_SCALAR_ACCOUNTS).get(scalarToken);
        if (cachedUserId) return cachedUserId;

--- a/src/db/NebStore.ts
+++ b/src/db/NebStore.ts
@ -150,7 +150,7 @@ export class NebStore {
                const botUserId = null; // TODO: For github
                const botConfig = await proxy.getServiceConfiguration(i.integration, roomId);
                const bot = new ComplexBot(i.integration, notifUserId, botUserId, botConfig);
-                bot.isOnline = !!bot.botUserId;
+                bot.isOnline = !!bot.notificationUserId;
                return bot;
            } catch (e) {
                LogService.error("NebStore", e);
--- a/src/db/ScalarStore.ts
+++ b/src/db/ScalarStore.ts
@ -33,7 +33,7 @@ export class ScalarStore {
        return true;
    }

-    public static async getTokenOwner(scalarToken: string, ignoreUpstreams?: boolean): Promise<User> {
+    public static async getTokenOwner(scalarToken: string, ignoreUpstreams = false): Promise<User> {
        const tokens = await UserScalarToken.findAll({
            where: {isDimensionToken: true, scalarToken: scalarToken},
            include: [User]
@ -104,6 +104,14 @@ export class ScalarStore {
                }
            }

+            const user = await User.findByPk(testUserId);
+            if (!user) {
+                await User.create({
+                    userId: testUserId,
+                    isSelfBot: true,
+                });
+            }
+
            const openId = await MatrixStickerBot.getOpenId();
            const token = await scalarClient.register(openId);
            await UserScalarToken.create({
--- a/src/db/migrations/20190417231045-AddSelfBotFlagToUsers.ts
+++ b/src/db/migrations/20190417231045-AddSelfBotFlagToUsers.ts
@ -0,0 +1,17 @@
+import { QueryInterface } from "sequelize";
+import { DataType } from "sequelize-typescript";
+
+export default {
+    up: (queryInterface: QueryInterface) => {
+        return Promise.resolve()
+            .then(() => queryInterface.addColumn("dimension_users", "isSelfBot", {
+                type: DataType.BOOLEAN,
+                allowNull: false,
+                defaultValue: false,
+            }));
+    },
+    down: (queryInterface: QueryInterface) => {
+        return Promise.resolve()
+            .then(() => queryInterface.removeColumn("dimension_users", "isSelfBot"));
+    }
+}
--- a/src/db/models/User.ts
+++ b/src/db/models/User.ts
@ -11,4 +11,7 @@ export default class User extends Model<User> {
    @PrimaryKey
    @Column
    userId: string;
+
+    @Column
+    isSelfBot: boolean;
 }
--- a/src/index.ts
+++ b/src/index.ts
@ -4,8 +4,8 @@ import { DimensionStore } from "./db/DimensionStore";
 import Webserver from "./api/Webserver";
 import { CURRENT_VERSION } from "./version";
 import { MatrixStickerBot } from "./matrix/MatrixStickerBot";
-import UserScalarToken from "./db/models/UserScalarToken";
 import * as BotSdk from "matrix-bot-sdk";
+import User from "./db/models/User";

 LogService.configure(config.logging);
 LogService.info("index", "Starting dimension " + CURRENT_VERSION);
@ -25,8 +25,8 @@ async function startup() {
    await webserver.start();

    const userId = await MatrixStickerBot.getUserId();
-    const tokens = await UserScalarToken.findAll({where: {userId: userId}});
-    if (tokens.length > 0) {
+    const users = await User.findAll({where: {userId: userId, isSelfBot: false}});
+    if (users.length > 0) {
        LogService.error("index", "The access token configured for Dimension belongs to a user which is also " +
            "a user known to Dimension. This usually indicates that the access token is not a dedicated user " +
            "account for Dimension. To prevent potential confusion to this user, Dimension will refuse to start " +
--- a/src/matrix/MatrixLiteClient.ts
+++ b/src/matrix/MatrixLiteClient.ts
@ -49,7 +49,7 @@ export class MatrixLiteClient {
        return await doClientApiCall(
            "POST",
            `/_matrix/client/r0/user/${await this.whoAmI()}/openid/request_token`,
-            {access_token: this.accessToken},
+            {access_token: this.accessToken}, {},
        );
    }

--- a/src/scalar/ScalarClient.ts
+++ b/src/scalar/ScalarClient.ts
@ -39,6 +39,7 @@ export class ScalarClient {
                method: "GET",
                url: this.upstream.scalarUrl + "/account",
                qs: {v: SCALAR_API_VERSION, scalar_token: token},
+                json: true,
            }, (err, res, _body) => {
                if (err) {
                    LogService.error("ScalarClient", "Error getting information for token");