SecurityManager: Restrict valid author token values

Richard Hansen 2022-02-28 19:27:52 -05:00
parent b89ae69202
commit 6d4085f5f0
3 changed files with 25 additions and 1 deletions


@ -28,6 +28,7 @@ const settings = require('../utils/Settings');
const webaccess = require('../hooks/express/webaccess');
const log4js = require('log4js');
const authLogger = log4js.getLogger('auth');
const {padutils} = require('../../static/js/pad_utils');
const DENY = Object.freeze({accessStatus: 'deny'});
@ -106,6 +107,11 @@ exports.checkAccess = async (padID, sessionCookie, token, userSettings) => {
authLogger.debug('access denied: HTTP API session is required');
return DENY;
}
if (!sessionAuthorID && token != null && !padutils.isValidAuthorToken(token)) {
// The author token should be kept secret, so do not log it.
authLogger.debug('access denied: invalid author token');
return DENY;
}
const grant = {
accessStatus: 'grant',