From c136199269380e1a428af2119e3b9d292d6cbccb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kasper=20Rynning-T=C3=B8nnesen?= Date: Wed, 26 Sep 2018 22:33:33 +0200 Subject: [PATCH 1/2] Better hiding of passwords, hiding cookie-logins better --- server/handlers/chat.js | 35 +++++++++---- server/handlers/functions.js | 6 +-- server/handlers/io.js | 4 +- server/handlers/list.js | 28 ++++++---- server/handlers/list_change.js | 78 ++++++++++++++++++---------- server/handlers/list_settings.js | 17 +++--- server/handlers/suggestions.js | 28 ++++++---- server/public/assets/js/listeners.js | 1 + server/routing/client/api.js | 18 +++---- 9 files changed, 140 insertions(+), 75 deletions(-) diff --git a/server/handlers/chat.js b/server/handlers/chat.js index 1283e010..c04814e2 100644 --- a/server/handlers/chat.js +++ b/server/handlers/chat.js @@ -26,11 +26,13 @@ function get_history(channel, all, socket) { if(!query.all) { Functions.getSessionAdminUser(Functions.getSession(socket), channel, function(userpass) { if(userpass != "" || pass == undefined) { - pass = userpass; + pass = userpass + } else { + pass = crypto.createHash('sha256').update(Functions.decrypt_string(pass)).digest('base64') } db.collection(channel + "_settings").find({id: "config"}, function(err, conf) { if(conf.length > 0) { - if(conf[0].userpass == "" || conf[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(pass)).digest('base64')) { + if(conf[0].userpass == "" || conf[0].userpass == pass) { getAndSendLogs(channel, all, socket, pass, query); } } 
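Review bot: `pass = userpass` and the new `pass = crypto.createHash('sha256').update(Functions.decrypt_string(pass)).digest('base64')` line in get_history drop the trailing semicolon that the surrounding chat.js code uses, relying on ASI; the same omission appears in the io.js hunk, on the addFromOtherList `arr.userpass` line and on the addPlaylist `arr.adminpass` line. Terminate them: `pass = userpass;` and `pass = crypto.createHash('sha256').update(Functions.decrypt_string(pass)).digest('base64');`. get_history continues outside the hunk, so where `pass` is first assigned is not visible here.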
@@ -83,9 +85,11 @@ function chat(msg, guid, offline, socket) { Functions.getSessionAdminUser(Functions.getSession(socket), coll, function(userpass) { if(userpass != "" || msg.pass == undefined) { msg.pass = userpass; + } else { + msg.pass = crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64"); } db.collection(coll + "_settings").find(function(err, docs){ - if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (msg.hasOwnProperty('pass') && docs[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64")))) { + if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (msg.hasOwnProperty('pass') && docs[0].userpass == msg.pass))) { var data = msg.data; Functions.check_inlist(coll, guid, socket, offline, function() { @@ -169,6 +173,7 @@ function namechange(data, guid, socket, tried, callback) { var new_password; var first = false; Functions.getSessionChatPass(Functions.getSession(socket), function(name, pass) { + var fetched = false; if(data.hasOwnProperty("first") && data.first) { pw = pass; name = name; @@ -179,6 +184,8 @@ function namechange(data, guid, socket, tried, callback) { if(typeof(callback) == "function") callback(); return; } + fetched = true; + password = pw; } else { var name = data.name; if(data.hasOwnProperty("first")) { @@ -191,13 +198,17 @@ function namechange(data, guid, socket, tried, callback) { pw = data.old_password; new_password = Functions.decrypt_string(data.new_password); } + password = Functions.decrypt_string(pw); + password = Functions.hash_pass(password); + doubled = true; } if(name == "") { if(typeof(callback) == "function") callback(); return; } - var password = Functions.decrypt_string(pw); + + db.collection("registered_users").find({"_id": name.toLowerCase()}, function(err, docs) { var accepted_password = false; var icon = false; 
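Review bot: In the namechange hunks `password` is now assigned in both branches (`password = pw;` and `password = Functions.hash_pass(password);`) but its only declaration, `var password = Functions.decrypt_string(pw);`, is removed, and `doubled = true;` has no declaration at all; unless both are declared above the hunk they become implicit globals (or a ReferenceError under strict mode). Because the comparison with `docs[0].password` runs inside an asynchronous db callback, a shared `password` can be overwritten by a concurrent namechange call before that callback fires, so one user's credential may be checked against another request. Declare them next to `var new_password;`: `var password;` and `var doubled = false;` (`doubled` is not read in any visible hunk, so it may simply be dropped). namechange starts and ends outside this hunk.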
@@ -208,28 +219,30 @@ function namechange(data, guid, socket, tried, callback) { } accepted_password = true; Functions.setSessionChatPass(Functions.getSession(socket), name.toLowerCase(), data.password, function() { - db.collection("registered_users").update({"_id": name.toLowerCase()}, {$set: {password: Functions.hash_pass(password)}}, {upsert: true}, function() { + db.collection("registered_users").update({"_id": name.toLowerCase()}, {$set: {password: password}}, {upsert: true}, function() { }); }); - } else if(docs[0].password == Functions.hash_pass(password)) { + } else if(docs[0].password == password) { if(docs[0].icon) { icon = docs[0].icon; } accepted_password = true; if(new_password) { Functions.setSessionChatPass(Functions.getSession(socket), name.toLowerCase(), data.new_password, function() { - db.collection("registered_users").update({"_id": name.toLowerCase(), password: Functions.hash_pass(password)}, {$set: {password: Functions.hash_pass(new_password)}}, function() { + + db.collection("registered_users").update({"_id": name.toLowerCase(), password: password}, {$set: {password: Functions.hash_pass(new_password)}}, function() { }); }); } else { - Functions.setSessionChatPass(Functions.getSession(socket), name.toLowerCase(), data.password, function() { + Functions.setSessionChatPass(Functions.getSession(socket), name.toLowerCase(), fetched ? data.password : Functions.hash_pass(Functions.decrypt_string(data.password)), function() { }); } } if(accepted_password) { + db.collection("user_names").find({"guid": guid}, function(err, names) { - if(names.length > 0 || (docs.length != 0 && docs[0].password == Functions.hash_pass(password))) { + if(names.length > 0 || (docs.length != 0 && docs[0].password == password)) { var no_name = false; if(names.length == 0) no_name = true; if(!no_name) { 
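Review bot: The value handed to setSessionChatPass is inconsistent across the three calls in this hunk: the registration call still stores `data.password` and the new-password call stores `data.new_password` (the client-encrypted form), while the database receives the hash and only the third call now stores `Functions.hash_pass(Functions.decrypt_string(data.password))` when not fetched. On the next login with `first` set, `password = pw` takes the session value verbatim and compares it with the stored hash, so sessions written by the first two calls will not match. Store one representation everywhere, `password` in the registration call and `Functions.hash_pass(new_password)` in the new-password call, since the session layer itself does not hash chat passwords (the setSessionChatPass hunk in functions.js stores `pass` as given). namechange continues beyond this hunk.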
@@ -278,7 +291,7 @@ function removename(guid, coll, socket) { Functions.removeSessionChatPass(Functions.getSession(socket), function() { db.collection("user_names").update({"_id": "all_names"}, {$pull: {names: old_name}}, function(err, updated) { db.collection("user_names").remove({"guid": guid}, function(err, removed) { - get_name(guid, {announce: true, old_name: old_name, channel: coll}); + get_name(guid, {announce: true, old_name: old_name, channel: coll, socket: socket}); }); }); }); @@ -349,7 +362,7 @@ function get_name(guid, announce_payload, first) { function get_name_generate(guid, announce_payload, first, channel) { db.collection("user_names").find({"guid": guid}, function(err, docs) { if(docs.length == 0) { - generate_name(guid, announce_payload, channel); + generate_name(guid, announce_payload, undefined); } else { name = docs[0].name; } diff --git a/server/handlers/functions.js b/server/handlers/functions.js index 001d8f14..edc6bbda 100644 --- a/server/handlers/functions.js +++ b/server/handlers/functions.js @@ -236,6 +236,7 @@ function contains(a, obj) { } function hash_pass(adminpass, hex) { + if(adminpass == undefined || adminpass == "") return ""; if(hex) return crypto.createHash('sha256').update(adminpass).digest('hex'); return crypto.createHash('sha256').update(adminpass).digest('base64'); } @@ -247,7 +248,7 @@ function setSessionAdminPass(id, adminpass, list, callback) { return; } - connected_db.collection(id).update({_id: list}, {$set: {adminpass: adminpass}}, {upsert: true}, function(e, d){ + connected_db.collection(id).update({_id: list}, {$set: {adminpass: hash_pass(decrypt_string(adminpass), true)}}, {upsert: true}, function(e, d){ callback(); return; }); @@ -262,7 +263,6 @@ function setSessionChatPass(id, name, pass, callback) { callback(); return; } - connected_db.collection(id).update({_id: "_chat_"}, {$set: {password: pass, name: name}}, {upsert: true}, function(e) { callback(); return; 
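Review bot: `generate_name(guid, announce_payload, undefined)` discards the `channel` argument that get_name_generate still receives, while the removename hunk now adds `socket` to the payload instead; if generate_name is no longer meant to take a channel, remove the parameter rather than passing `undefined`, otherwise the channel is silently lost. If the drop is intentional, a one-line comment would spare the next reader the question, e.g. `// channel deliberately not forwarded here; announce_payload carries what generate_name needs` (confirm that this is the case before writing it).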
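Review bot: setSessionAdminPass now stores `hash_pass(decrypt_string(adminpass), true)`, a hex SHA-256, and every caller in this series wraps the value it gets back in `Functions.hash_pass()` again to match the base64 double hash kept in `<channel>_settings`; that convention is written down nowhere, and the new early return in hash_pass (`""` for empty or undefined input) means an absent admin password now compares equal to an empty stored adminpass wherever a caller lacks an explicit `!= ""` guard. Add above hash_pass: `// Returns "" for empty/undefined input; callers comparing with a stored hash must still reject an empty stored value themselves`, and above setSessionAdminPass: `// Session keeps the single hex hash; compare hash_pass(sessionValue) against the double hash stored in <channel>_settings`. The session value remains an unsalted single SHA-256 of the password, so a leak of the session collection is still crackable offline; that is a pre-existing weakness this commit does not change.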
@@ -373,7 +373,7 @@ function removeSessionAdminPass(id, channel, callback) { callback(); return; } - connected_db.collection(id).remove({_id: channel}, function() { + connected_db.collection(id).update({_id: channel}, {$set: {"adminpass": ""}}, function() { callback(); return; }); diff --git a/server/handlers/io.js b/server/handlers/io.js index 90de1d00..5432031d 100644 --- a/server/handlers/io.js +++ b/server/handlers/io.js @@ -698,8 +698,10 @@ module.exports = function() { Functions.getSessionAdminUser(Functions.getSession(socket), coll, function(userpass, adminpass) { if(userpass != "" || obj.pass == undefined) { obj.pass = userpass; + } else { + obj.pass = crypto.createHash('sha256').update(Functions.decrypt_string(obj.pass)).digest("base64") } - if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (obj.hasOwnProperty('pass') && docs[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(obj.pass)).digest("base64")))) { + if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (obj.hasOwnProperty('pass') && docs[0].userpass == obj.pass))) { Functions.check_inlist(coll, guid, socket, offline, undefined, "place 4"); List.send_play(coll, socket); } else { diff --git a/server/handlers/list.js b/server/handlers/list.js index 9464004b..afd06d7c 100644 --- a/server/handlers/list.js +++ b/server/handlers/list.js 
@@ -35,9 +35,14 @@ function list(msg, guid, coll, offline, socket) { if(typeof(msg) === 'object' && msg !== undefined && msg !== null) { Functions.getSessionAdminUser(Functions.getSession(socket), coll, function(userpass, adminpass, gotten) { + console.log(gotten, userpass, msg.hasOwnProperty("pass")); if(gotten && userpass != "" && !msg.hasOwnProperty("pass")) { msg.pass = userpass; + } else { + msg.pass = crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64"); } + console.log(msg.pass); + adminpass = Functions.hash_pass(adminpass); if(!msg.hasOwnProperty('version') || !msg.hasOwnProperty("channel") || msg.version != VERSION || msg.version == undefined || typeof(msg.channel) != "string") { @@ -61,7 +66,7 @@ function list(msg, guid, coll, offline, socket) { coll = msg.channel.toLowerCase(); //.replace(/ /g,''); coll = Functions.removeEmojis(coll).toLowerCase(); //coll = filter.clean(coll); - var pass = crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64"); + var pass = msg.pass; db.collection('frontpage_lists').find({"_id": coll}, function(err, frontpage_lists){ if(frontpage_lists.length == 1) { db.collection(coll + "_settings").find(function(err, docs) { @@ -70,7 +75,7 @@ function list(msg, guid, coll, offline, socket) { Functions.setSessionUserPass(Functions.getSession(socket), msg.pass, coll, function(){}) socket.emit("auth_accepted", {value: true}); } - if(docs.length > 0 && docs[0].hasOwnProperty("adminpass") && docs[0].adminpass != "" && docs[0].adminpass == Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(adminpass), true))) { + if(docs.length > 0 && docs[0].hasOwnProperty("adminpass") && docs[0].adminpass != "" && docs[0].adminpass == adminpass) { socket.emit("pw", true); } in_list = true; 
@@ -161,14 +166,20 @@ function skip(list, guid, coll, offline, socket) { list.id = list.id + ""; Functions.getSessionAdminUser(Functions.getSession(socket), coll, function(userpass, adminpass) { if(adminpass != "" || list.pass == undefined) { - list.pass = adminpass; + list.pass = Functions.hash_pass(adminpass); + } else if(list.pass != "") { + list.pass = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(list.pass),true));; + } else { + list.pass = ""; } if(userpass != "" || list.userpass == undefined) { list.userpass = userpass; + } else { + list.userpass = crypto.createHash('sha256').update(Functions.decrypt_string(list.userpass)).digest("base64"); } db.collection(coll + "_settings").find(function(err, docs){ - if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (list.hasOwnProperty('userpass') && docs[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(list.userpass)).digest("base64")))) { + if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (list.hasOwnProperty('userpass') && docs[0].userpass == list.userpass))) { Functions.check_inlist(coll, guid, socket, offline, undefined, "place 12"); @@ -184,10 +195,7 @@ function skip(list, guid, coll, offline, socket) { error = true; } - if(adminpass !== undefined && adminpass !== null && adminpass !== "") - hash = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(adminpass),true)); - else - hash = ""; + hash = adminpass; //db.collection(coll + "_settings").find(function(err, docs){ 
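Review bot: In the second skip hunk `hash = adminpass;` uses the `adminpass` callback parameter, whereas the first hunk put the double-hashed value into `list.pass`; unless `adminpass` is reassigned from `list.pass` in the lines between the two hunks, `hash` holds the raw session value (a single hex hash after the functions.js change) and can never equal the stored double hash, so whatever admin check reads `hash` would always fail. If no such reassignment exists, use `hash = list.pass;`. The line `list.pass = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(list.pass),true));;` also carries a stray second semicolon. skip continues outside both hunks.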
@@ -611,8 +619,10 @@ function end(obj, coll, guid, offline, socket) { callback_function(Functions.getSession(socket), coll, function(userpass) { if(userpass != "" || obj.pass == undefined) { obj.pass = userpass; + } else { + obj.pass = crypto.createHash('sha256').update(Functions.decrypt_string(obj.pass)).digest("base64"); } - if(!authentication_needed || (authentication_needed && obj.hasOwnProperty('pass') && docs[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(obj.pass)).digest("base64"))) { + if(!authentication_needed || (authentication_needed && obj.hasOwnProperty('pass') && docs[0].userpass == obj.pass)) { Functions.check_inlist(coll, guid, socket, offline, undefined, "place 13"); db.collection(coll).find({now_playing:true}, function(err, np){ if(err !== null) console.log(err); diff --git a/server/handlers/list_change.js b/server/handlers/list_change.js index 68f0da59..83b8ca18 100644 --- a/server/handlers/list_change.js +++ b/server/handlers/list_change.js @@ -41,14 +41,20 @@ function addFromOtherList(arr, guid, offline, socket) { Functions.getSessionAdminUser(Functions.getSession(socket), channel, function(userpass, adminpass) { if(userpass != "" || arr.userpass == undefined) { arr.userpass = userpass; + } else { + arr.userpass = crypto.createHash('sha256').update(Functions.decrypt_string(arr.userpass)).digest('base64') } if(adminpass != "" || arr.adminpass == undefined) { - arr.adminpass = adminpass; + arr.adminpass = Functions.hash_pass(adminpass); + } else { + arr.adminpass = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(arr.adminpass), true)); } Functions.getSessionAdminUser(Functions.getSession(socket), new_channel, function(userpass) { var otheruser = ""; if(userpass != "") { otheruser = userpass; + } else { + otheruser = crypto.createHash('sha256').update(Functions.decrypt_string(otheruser)).digest("base64"); } db.collection(channel).find({now_playing: true}, function(e, np) { 
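Review bot: In the addFromOtherList hunk the new `else` branch for `otheruser` hashes `Functions.decrypt_string(otheruser)` while `otheruser` was initialised to `""` two lines earlier, so it always produces the hash of the decrypted empty string rather than any password the client supplied for `new_channel`. That is what the old inline comparison computed too, so behaviour is unchanged, but the branch reads as if it consumed client input; either read the intended field from `arr` there or drop the branch and leave `otheruser = ""`, which the `this_conf[0].userpass == ""` check in the next hunk already accepts. addFromOtherList continues beyond this hunk.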
@@ -72,10 +78,10 @@ function addFromOtherList(arr, guid, offline, socket) { to_set_np = false; } db.collection(new_channel + "_settings").find({id: "config"}, function(e, this_conf) { - if(this_conf.length > 0 && (this_conf[0].userpass == "" || !this_conf[0].userpass || this_conf[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(otheruser)).digest("base64"))) { + if(this_conf.length > 0 && (this_conf[0].userpass == "" || !this_conf[0].userpass || this_conf[0].userpass == otheruser)) { db.collection(channel + "_settings").find({id: "config"}, function(e, this_conf) { - var hash = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(arr.adminpass), true)); - if((this_conf[0].userpass == "" || !this_conf[0].userpass || this_conf[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(arr.userpass)).digest("base64"))) { + var hash = arr.adminpass; + if((this_conf[0].userpass == "" || !this_conf[0].userpass || this_conf[0].userpass == arr.userpass)) { if(((this_conf[0].addsongs === true && (hash == this_conf[0].adminpass || this_conf[0].adminpass === "")) || this_conf[0].addsongs === false)) { db.collection(new_channel).aggregate([ @@ -105,8 +111,7 @@ function addFromOtherList(arr, guid, offline, socket) { db.collection(channel).find({now_playing: true}, function(e, np_docs) { to_change.id = np_docs[0].id; to_change.title = np_docs[0].title; - - db.collection("frontpage_lists").find({_id: coll}, function(e, doc) { + db.collection("frontpage_lists").find({_id: new_channel}, function(e, doc) { if(doc.length > 0 && ((doc[0].thumbnail != "" && doc[0].thumbnail != undefined && (doc[0].thumbnail.indexOf("https://i1.sndcdn.com") > -1 || doc[0].thumbnail.indexOf("https://w1.sndcdn.com") > -1)) || (doc[0].thumbnail == "" || doc[0].thumbnail == undefined))) { to_change.thumbnail = np_docs[0].thumbnail; } 
@@ -181,9 +186,13 @@ function addPlaylist(arr, guid, offline, socket) { Functions.getSessionAdminUser(Functions.getSession(socket), channel, function(userpass, adminpass) { if(userpass != "" || arr.userpass == undefined) { arr.userpass = userpass; + } else { + arr.userpass = crypto.createHash('sha256').update(Functions.decrypt_string(arr.userpass)).digest("base64"); } if(adminpass != "" || arr.adminpass == undefined) { - arr.adminpass = adminpass; + arr.adminpass = Functions.hash_pass(adminpass); + } else { + arr.adminpass = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(arr.adminpass), true)) } db.collection(channel).find({now_playing: true}, function(e, np) { var now_playing = false; @@ -194,8 +203,8 @@ function addPlaylist(arr, guid, offline, socket) { return; } if(conf.length > 0) { - var hash = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(arr.adminpass), true)); - if((conf[0].userpass == "" || !conf[0].userpass || conf[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(arr.userpass)).digest("base64"))) { + var hash = arr.adminpass; + if((conf[0].userpass == "" || !conf[0].userpass || conf[0].userpass == arr.userpass)) { if(((conf[0].addsongs === true && (hash == conf[0].adminpass || conf[0].adminpass === "")) || conf[0].addsongs === false)) { var path = require('path'); 
@@ -386,18 +395,22 @@ function add_function(arr, coll, guid, offline, socket) { //coll = coll.replace(/ /g,''); Functions.getSessionAdminUser(Functions.getSession(socket), coll, function(userpass, adminpass) { if(adminpass != "" || arr.adminpass == undefined) { - arr.adminpass = adminpass; + arr.adminpass = Functions.hash_pass(adminpass); + } else { + arr.adminpass = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(arr.adminpass), true)); } - if(userpass != "" || arr.userpass == undefined) { - arr.userpass = userpass; + if(userpass != "" || arr.pass == undefined) { + arr.pass = userpass; + } else { + arr.pass = crypto.createHash('sha256').update(Functions.decrypt_string(arr.pass)).digest("base64"); } db.collection(coll + "_settings").find(function(err, docs){ - if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (arr.hasOwnProperty('pass') && docs[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(arr.pass)).digest("base64")))) { + if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (arr.hasOwnProperty('pass') && docs[0].userpass == arr.pass))) { Functions.check_inlist(coll, guid, socket, offline, undefined, "place 5"); var id = arr.id + ""; var title = arr.title; - var hash = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(arr.adminpass), true)); + var hash = arr.adminpass; var duration = parseInt(arr.duration); var source = arr.source; /*db.collection(coll + "_settings").find(function(err, docs) 
@@ -541,14 +554,18 @@ function add_function(arr, coll, guid, offline, socket) { //coll = filter.clean(coll); Functions.getSessionAdminUser(Functions.getSession(socket), coll, function(userpass, adminpass) { if(adminpass != "" || msg.adminpass == undefined) { - msg.adminpass = adminpass; + msg.adminpass = Functions.hash_pass(adminpass); + } else { + msg.adminpass = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(msg.adminpass), true)); } if(userpass != "" || msg.pass == undefined) { msg.pass = userpass; + } else if(msg.hasOwnProperty("pass")){ + msg.pass = crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64"); } db.collection(coll + "_settings").find({id: "config"}, function(err, docs){ - if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (msg.hasOwnProperty('pass') && docs[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64")))) { + if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (msg.hasOwnProperty('pass') && docs[0].userpass == msg.pass))) { Functions.check_inlist(coll, guid, socket, offline, undefined, "place 6"); @@ -556,7 +573,7 @@ function add_function(arr, coll, guid, offline, socket) { del(msg, socket, socketid); } else { var id = msg.id; - var hash = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(msg.adminpass), true)); + var hash = msg.adminpass; if(docs !== null && docs.length !== 0 && ((docs[0].vote === true && (hash == docs[0].adminpass || docs[0].adminpass === "")) || docs[0].vote === false)) { vote(coll, id, guid, socket); 
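Review bot: `} else if(msg.hasOwnProperty("pass")){` can only be reached when `msg.pass` is not undefined, which the preceding condition already established, so the `hasOwnProperty` test is always true and merely hides that the hashing is unconditional; the same shape appears in the shuffle hunk on the next line and in both suggestions.js hunks. Write it as a plain `} else {`, as the other call sites in this series do, or, if the intent is to skip hashing when the client sent nothing, test that case explicitly. The enclosing function starts outside the hunk.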
@@ -605,10 +622,16 @@ function add_function(arr, coll, guid, offline, socket) { //coll = filter.clean(coll); Functions.getSessionAdminUser(Functions.getSession(socket), coll, function(userpass, adminpass) { if(adminpass != "" || msg.adminpass == undefined) { - msg.adminpass = adminpass; + msg.adminpass = Functions.hash_pass(adminpass); + } else if(msg.adminpass != ""){ + msg.adminpass = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(msg.adminpass),true)); + } else { + msg.adminpass = ""; } if(userpass != "" || msg.pass == undefined) { msg.pass = userpass; + } else if(msg.hasOwnProperty("pass")) { + msg.pass = crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64"); } db.collection("timeout_api").find({ type: "shuffle", @@ -633,11 +656,10 @@ function add_function(arr, coll, guid, offline, socket) { }, }, {upsert: true}, function(err, docs) { Functions.check_inlist(coll, guid, socket, offline, undefined, "place 7"); - var hash; - if(msg.adminpass === "") hash = msg.adminpass; - else hash = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(msg.adminpass),true)); + var hash = msg.adminpass; + db.collection(coll + "_settings").find(function(err, docs){ - if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (msg.hasOwnProperty('pass') && docs[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64")))) { + if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (msg.hasOwnProperty('pass') && docs[0].userpass == msg.pass))) { if(docs !== null && docs.length !== 0 && ((docs[0].adminpass == hash && docs[0].adminpass != "") || docs[0].shuffle === false)) { db.collection(coll).find({now_playing:false}).forEach(function(err, docs){ 
@@ -677,7 +699,7 @@ function add_function(arr, coll, guid, offline, socket) { //coll = filter.clean(coll); db.collection(coll + "_settings").find(function(err, docs){ - if(docs !== null && docs.length !== 0 && docs[0].adminpass == Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(params.adminpass),true))) + if(docs !== null && docs.length !== 0 && docs[0].adminpass == params.adminpass) { db.collection(coll).find({id:params.id}, function(err, docs){ var dont_increment = false; @@ -727,13 +749,17 @@ function add_function(arr, coll, guid, offline, socket) { //coll = filter.clean(coll); Functions.getSessionAdminUser(Functions.getSession(socket), coll, function(userpass, adminpass, gotten) { if(adminpass != "" || msg.adminpass == undefined) { - msg.adminpass = adminpass; + msg.adminpass = Functions.hash_pass(adminpass); + } else if(msg.adminpass != "") { + msg.adminpass = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(msg.adminpass),true)); } if(userpass != "" || msg.pass == undefined) { msg.pass = userpass; + } else { + msg.pass = crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64"); } - var hash = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(msg.adminpass),true)); - var hash_userpass = crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64"); + var hash = msg.adminpass; + var hash_userpass = msg.pass; db.collection(coll + "_settings").find(function(err, conf) { if(conf.length == 1 && conf) { conf = conf[0]; diff --git a/server/handlers/list_settings.js b/server/handlers/list_settings.js index 99f84f23..d3691cfe 100644 --- a/server/handlers/list_settings.js +++ b/server/handlers/list_settings.js 
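Review bot: `docs[0].adminpass == params.adminpass` now trusts that `params.adminpass` already holds the double hash; nothing in the hunk shows who sets it, and if it comes straight from the client the stored hash is compared with the raw value. Combined with hash_pass now returning `""` for empty input, an empty `params.adminpass` matches a channel whose stored adminpass is `""`, a case the old `Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(params.adminpass),true))` comparison could never satisfy; if this gates an admin-only action, add `docs[0].adminpass != "" &&` as the shuffle hunk does. The enclosing function starts before this hunk.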
@@ -45,7 +45,7 @@ function password(inp, coll, guid, offline, socket) { pw = Functions.hash_pass(Functions.decrypt_string(pw), true); Functions.check_inlist(coll, guid, socket, offline, undefined, "place 8"); Functions.getSessionAdminUser(sessionId, coll, function(userpass, adminpass) { - + adminpass = Functions.hash_pass(adminpass); db.collection(coll + "_settings").find(function(err, docs){ if(docs !== null && docs.length !== 0) { @@ -61,7 +61,7 @@ function password(inp, coll, guid, offline, socket) { socket.emit("pw", true); }); }); - } else if(docs[0].adminpass === "" || docs[0].adminpass == Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(adminpass), true))) { + } else if(docs[0].adminpass === "" || docs[0].adminpass == adminpass) { Functions.setSessionAdminPass(sessionId, inp.password, coll, function() { db.collection(coll + "_settings").update({ id: "config" }, {$set:{adminpass:Functions.hash_pass(pw)}}, function(err, docs){ if(adminpass != pw) { @@ -117,7 +117,6 @@ function conf_function(params, coll, guid, offline, socket) { if(gotten) { params.adminpass = adminpass; if(!params.userpass_changed) params.userpass = userpass; - } if(!params.hasOwnProperty('voting') || !params.hasOwnProperty('addsongs') || !params.hasOwnProperty('longsongs') || !params.hasOwnProperty('frontpage') || 
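Review bot: After `adminpass = Functions.hash_pass(adminpass);` the context line `if(adminpass != pw) {` compares a base64 double hash with `pw`, the hex single hash computed at the top of the hunk, so the two can never be equal and that branch is unconditional; if it is meant to detect an unchanged password, compare `docs[0].adminpass != Functions.hash_pass(pw)` instead. Reassigning the `adminpass` callback parameter in place also makes it easy to lose track of which representation a later line sees; a short comment such as `// adminpass is now the double hash as stored in <channel>_settings` would help. password continues outside the hunk.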
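Review bot: The hunk at line 117 deletes the closing brace after `if(!params.userpass_changed) params.userpass = userpass;` without adding one elsewhere in list_settings.js (the later conf_function hunk opens and closes only its own braces, and the diffstat for this file accounts for exactly this one removed line), so either the validation that follows now runs only inside `if(gotten) {`, or the file no longer parses. Please confirm the intent; if the brace was removed by accident, restore `}` on that line. conf_function starts and ends outside the hunk.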
@@ -191,13 +190,19 @@ function conf_function(params, coll, guid, offline, socket) { var description = ""; var hash; if(params.description) description = params.description; - if(adminpass !== "") { + if(adminpass !== "" && !gotten) { hash = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(adminpass), true)); + } else if(adminpass !== "" && gotten) { + hash = Functions.hash_pass(adminpass); } else { hash = adminpass; } if(userpass != "") { - userpass = crypto.createHash('sha256').update(userpass).digest("base64"); + if(!params.userpass_changed && gotten) { + + } else { + userpass = crypto.createHash('sha256').update(userpass).digest("base64"); + } } db.collection(coll + "_settings").find({id: "config"}, function(err, docs){ if(docs !== null && docs.length !== 0 && (docs[0].adminpass === "" || docs[0].adminpass == hash)) { @@ -221,7 +226,7 @@ function conf_function(params, coll, guid, offline, socket) { db.collection(coll + "_settings").update({ id: "config" }, { $set:obj }, function(err, docs){ - Functions.setSessionUserPass(Functions.getSession(socket), params.userpass, coll, function() { + Functions.setSessionUserPass(Functions.getSession(socket), crypto.createHash('sha256').update(Functions.decrypt_string(params.userpass)).digest('base64'), coll, function() { db.collection(coll + "_settings").find(function(err, docs){ if(docs[0].adminpass !== "") docs[0].adminpass = true; if(docs[0].hasOwnProperty("userpass") && docs[0].userpass != "") docs[0].userpass = true; diff --git a/server/handlers/suggestions.js b/server/handlers/suggestions.js index 58ccb79b..b4ec133b 100644 --- a/server/handlers/suggestions.js +++ b/server/handlers/suggestions.js 
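Review bot: The final setSessionUserPass call in conf_function applies `crypto.createHash('sha256').update(Functions.decrypt_string(params.userpass)).digest('base64')` unconditionally, but when `gotten && !params.userpass_changed` the earlier hunk assigned `params.userpass = userpass`, the value getSessionAdminUser returned from the session, which after this series is already the hash; the session then ends up holding the hash of a decrypted hash and the admin's channel login stops matching after saving settings. Guard it the same way the hashing of `userpass` is guarded above: rehash only when `params.userpass_changed || !gotten`, otherwise pass `params.userpass` through unchanged. The empty `if(!params.userpass_changed && gotten) { } else { ... }` would also read better as that single inverted condition. conf_function starts outside this hunk.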
@@ -30,20 +30,24 @@ function thumbnail(msg, coll, guid, offline, socket) { } //coll = coll.replace(/ /g,''); Functions.getSessionAdminUser(Functions.getSession(socket), coll, function(userpass, adminpass) { - if(userpass != "" || msg.userpass == undefined) { - msg.userpass = userpass; + if(userpass != "" || msg.pass == undefined) { + msg.pass = userpass; + } else if(msg.hasOwnProperty("pass")){ + msg.pass = crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64"); } if(adminpass != "" || msg.adminpass == undefined) { - msg.adminpass = adminpass; + msg.adminpass = Functions.hash_pass(adminpass); + } else { + msg.adminpass = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(msg.adminpass),true)); } if(msg.thumbnail != "") { msg.thumbnail = msg.thumbnail.replace(/^https?\:\/\//i, ""); if(msg.thumbnail.substring(0,2) != "//") msg.thumbnail = "//" + msg.thumbnail; } var channel = msg.channel.toLowerCase(); - var hash = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(msg.adminpass),true)); + var hash = msg.adminpass; db.collection(channel + "_settings").find({id: "config"}, function(err, docs){ - if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (msg.hasOwnProperty('pass') && docs[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64")))) { + if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (msg.hasOwnProperty('pass') && docs[0].userpass == msg.pass))) { if(docs !== null && docs.length !== 0 && docs[0].adminpass !== "" && docs[0].adminpass == hash){ db.collection("suggested_thumbnails").update({channel: channel}, {$set:{thumbnail: msg.thumbnail}}, {upsert:true}, function(err, docs){ Notifications.requested_change("thumbnail", msg.thumbnail, channel); 
@@ -86,16 +90,20 @@ function description(msg, coll, guid, offline, socket) { } //coll = coll.replace(/ /g,''); Functions.getSessionAdminUser(Functions.getSession(socket), coll, function(userpass, adminpass, gotten) { - if(userpass != "" || msg.userpass == undefined) { - msg.userpass = userpass; + if(userpass != "" || msg.pass == undefined) { + msg.pass = userpass; + } else if(msg.hasOwnProperty("pass")) { + msg.pass = crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64"); } if(adminpass != "" || msg.adminpass == undefined) { - msg.adminpass = adminpass; + msg.adminpass = Functions.hash_pass(adminpass); + } else { + msg.adminpass = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(msg.adminpass), true)); } var channel = msg.channel.toLowerCase(); - var hash = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(msg.adminpass), true)); + var hash = msg.adminpass; db.collection(channel + "_settings").find({id: "config"}, function(err, docs){ - if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (msg.hasOwnProperty('pass') && docs[0].userpass == crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64")))) { + if(docs.length > 0 && (docs[0].userpass == undefined || docs[0].userpass == "" || (msg.hasOwnProperty('pass') && docs[0].userpass == msg.pass))) { if(docs !== null && docs.length !== 0 && docs[0].adminpass !== "" && docs[0].adminpass == hash){ db.collection("suggested_descriptions").update({channel: channel}, {$set:{description: msg.description}}, {upsert:true}, function(err, docs){ Notifications.requested_change("description", msg.description, channel); diff --git a/server/public/assets/js/listeners.js b/server/public/assets/js/listeners.js index c6fa7037..ae1c4853 100755 --- a/server/public/assets/js/listeners.js +++ b/server/public/assets/js/listeners.js 
@@ -1646,6 +1646,7 @@ function addDynamicListeners() { document.querySelector("#import") != document.activeElement && document.querySelector("#find_input") != document.activeElement && document.querySelector("#import_spotify") != document.activeElement && + document.querySelector("#import_zoff") != document.activeElement && document.querySelector("#import_soundcloud") != document.activeElement) { if(chromecastAvailable) { event.preventDefault(); diff --git a/server/routing/client/api.js b/server/routing/client/api.js index 58135a8b..c990b44d 100644 --- a/server/routing/client/api.js +++ b/server/routing/client/api.js @@ -189,10 +189,10 @@ router.route('/api/list/:channel_name/:video_id').delete(function(req, res) { Functions.getSessionAdminUser(cookie, channel_name, function(_u, _a) { if(req.body.adminpass == "") { - adminpass = Functions.hash_pass(crypto.createHash('sha256').update(Functions.decrypt_string(_a), 'utf8').digest("hex")); + adminpass = Functions.hash_pass(_a); } if(req.body.userpass == "") { - userpass = crypto.createHash('sha256').update(Functions.decrypt_string(_u), 'utf8').digest("base64"); + userpass = _u; } token_db.collection("api_token").find({token: token}, function(err, token_docs) { var authorized = false; @@ -344,10 +344,10 @@ router.route('/api/conf/:channel_name').put(function(req, res) { var cookie = req.cookies._uI; Functions.getSessionAdminUser(cookie, channel_name, function(_u, _a) { if(req.body.adminpass == "") { - adminpass = Functions.hash_pass(crypto.createHash('sha256').update(Functions.decrypt_string(_a), 'utf8').digest("hex")); + adminpass = Functions.hash_pass(_a); } if(req.body.userpass == "") { - userpass = crypto.createHash('sha256').update(Functions.decrypt_string(_u), 'utf8').digest("base64"); + userpass = _u; } token_db.collection("api_token").find({token: token}, function(err, token_docs) { var authorized = false; 
@@ -470,10 +470,10 @@ router.route('/api/list/:channel_name/:video_id').put(function(req,res) {
 var cookie = req.cookies._uI;
 Functions.getSessionAdminUser(cookie, channel_name, function(_u, _a) {
 if(req.body.adminpass == "") {
- adminpass = Functions.hash_pass(crypto.createHash('sha256').update(Functions.decrypt_string(_a), 'utf8').digest("hex"));
+ adminpass = Functions.hash_pass(_a);
 }
 if(req.body.userpass == "") {
- userpass = crypto.createHash('sha256').update(Functions.decrypt_string(_u), 'utf8').digest("base64");
+ userpass = _u;
 }
 token_db.collection("api_token").find({token: token}, function(err, token_docs) {
 var authorized = false;
@@ -703,10 +703,10 @@ router.route('/api/list/:channel_name/:video_id').post(function(req,res) {
 var cookie = req.cookies._uI;
 Functions.getSessionAdminUser(cookie, channel_name, function(_u, _a) {
 if(req.body.adminpass == "") {
- adminpass = Functions.hash_pass(crypto.createHash('sha256').update(Functions.decrypt_string(_a), 'utf8').digest("hex"));
+ adminpass = Functions.hash_pass(_a);
 }
 if(req.body.userpass == "") {
- userpass = crypto.createHash('sha256').update(Functions.decrypt_string(_u), 'utf8').digest("base64");
+ userpass = _u;
 }
 token_db.collection("api_token").find({token: token}, function(err, token_docs) {
 var authorized = false;
@@ -1102,7 +1102,7 @@ router.route('/api/list/:channel_name').post(function(req, res) {
 Functions.getSessionAdminUser(cookie, channel_name, function(_u, _a) {
 if(req.body.userpass == "") {
 //userpass = Functions.hash_pass(Functions.hash_pass(Functions.decrypt_string(_u)))
- userpass = crypto.createHash('sha256').update(Functions.decrypt_string(_u), 'utf8').digest("base64");
+ userpass = _u;
 }
 token_db.collection("api_token").find({token: token}, function(err, token_docs) {

From d501e645f6718a00afcc539d8f4dffa842c5d257 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kasper=20Rynning-T=C3=B8nnesen?=
Date: Wed, 26 Sep 2018 22:50:58 +0200
Subject: [PATCH 2/2] Removing userpass if userpass isnt needed on login on channel
---
 server/handlers/list.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/server/handlers/list.js b/server/handlers/list.js
index afd06d7c..44f07739 100644
--- a/server/handlers/list.js
+++ b/server/handlers/list.js
@@ -35,13 +35,11 @@ function list(msg, guid, coll, offline, socket) { if(typeof(msg) === 'object' && msg !== undefined && msg !== null) { Functions.getSessionAdminUser(Functions.getSession(socket), coll, function(userpass, adminpass, gotten) { - console.log(gotten, userpass, msg.hasOwnProperty("pass")); if(gotten && userpass != "" && !msg.hasOwnProperty("pass")) { msg.pass = userpass; } else { msg.pass = crypto.createHash('sha256').update(Functions.decrypt_string(msg.pass)).digest("base64"); } - console.log(msg.pass); adminpass = Functions.hash_pass(adminpass); if(!msg.hasOwnProperty('version') || !msg.hasOwnProperty("channel") || msg.version != VERSION || msg.version == undefined ||
@@ -75,6 +73,9 @@ function list(msg, guid, coll, offline, socket) {
 Functions.setSessionUserPass(Functions.getSession(socket), msg.pass, coll, function(){})
 socket.emit("auth_accepted", {value: true});
 }
+ if(docs.length > 0 && docs[0].userpass != pass) {
+ Functions.setSessionUserPass(Functions.getSession(socket), "", coll, function(){})
+ }
 if(docs.length > 0 && docs[0].hasOwnProperty("adminpass") && docs[0].adminpass != "" && docs[0].adminpass == adminpass) {
 socket.emit("pw", true);
 }
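Review bot: The added condition reads `docs[0].userpass != pass`, but the credential this callback works with is `msg.pass` (the context line two above stores `msg.pass` into the session); unless `pass` is declared earlier in list() outside the hunk, this is a ReferenceError thrown inside the database callback, and if it is declared it is unlikely to be the value meant here. The line should be `if(docs.length > 0 && docs[0].userpass != msg.pass) {`. Both this `setSessionUserPass` call and the one above pass a no-op `function(){}` callback, so if the two conditions can hold at once (the earlier `if` starts outside the hunk) the order in which the two session writes land is never observed; making the new block the `else` of that `if`, when its condition is the complementary equality, would remove the overlap. list() starts and ends outside the hunk.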
