Script to create session and store token <> author more throughly (dont create ghosts) (#4012)

2025-04-23 17:06:16 -04:00 · 2020-07-16 10:51:02 +01:00 · 2020-07-16 10:51:02 +01:00 · 78c97d811c
commit 78c97d811c
parent 7b0fd4fb29
3 changed files with 98 additions and 0 deletions
--- a/src/node/db/AuthorManager.js
+++ b/src/node/db/AuthorManager.js
@ -77,6 +77,17 @@ exports.createAuthorIfNotExistsFor = async function(authorMapper, name)
  return author;
 };

+/**
+ * Sets the token <> AuthorID relationship.
+ * Discussion at https://github.com/ether/etherpad-lite/issues/4006
+ * @param {String} token The token (generated by a client)
+ * @param {String} authorID The authorID (returned by the Security Manager)
+ */
+exports.setToken2Author = async function(token, authorID)
+{
+  await db.set("token2author:"+token, authorID);
+}
+
 /**
 * Returns the AuthorID for a mapper. We can map using a mapperkey,
 * so far this is token2author and mapper2author
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@ -918,6 +918,15 @@ async function handleClientReady(client, message)
  let authorColorId = value.colorId;
  let authorName = value.name;

+  /*
+  * Here we know authorID, token and session.  We should ?always? store it..
+  * TODO: I fear that this might allow a user to pass a token for an authorID
+  * meaning that they could in theory "imitate" another author?
+  * Perhaps the fix to this is check to see if it exists first and if it
+  * does then abort..  Details: https://github.com/ether/etherpad-lite/issues/4006
+  */
+  await authorManager.setToken2Author(message.token, statusObject.authorID)
+
  // load the pad-object from the database
  let pad = await padManager.getPad(padIds.padId);