Fix critical and high security issues
- exec_script: relay now enforces admin role before forwarding to agent - relay CORS: restrict allow_origins via ALLOWED_ORIGINS env var (docker-compose passes app URL) - session-code: replace Math.random() with crypto.randomInt, add per-key rate limit (10 req/min) - sessions GET: fix IDOR — users can only read their own sessions (admins see all) - signal API: validate session ownership on create; enforce ownerUserId on all subsequent actions Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
monoadmin
@@ -2,16 +2,34 @@ import { db } from '@/lib/db'
|
|||||||
import { machines, sessionCodes } from '@/lib/db/schema'
|
import { machines, sessionCodes } from '@/lib/db/schema'
|
||||||
import { eq, and } from 'drizzle-orm'
|
import { eq, and } from 'drizzle-orm'
|
||||||
import { NextRequest, NextResponse } from 'next/server'
|
import { NextRequest, NextResponse } from 'next/server'
|
||||||
|
import { randomInt } from 'crypto'
|
||||||
|
|
||||||
function generateSessionCode(): string {
|
function generateSessionCode(): string {
|
||||||
const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'
|
const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'
|
||||||
let code = ''
|
let code = ''
|
||||||
for (let i = 0; i < 6; i++) {
|
for (let i = 0; i < 6; i++) {
|
||||||
code += chars.charAt(Math.floor(Math.random() * chars.length))
|
code += chars.charAt(randomInt(chars.length))
|
||||||
}
|
}
|
||||||
return code
|
return code
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Simple in-process rate limiter: max 10 requests per minute per access key
|
||||||
|
const rateLimitMap = new Map<string, { count: number; resetAt: number }>()
|
||||||
|
const RATE_LIMIT = 10
|
||||||
|
const RATE_WINDOW_MS = 60_000
|
||||||
|
|
||||||
|
function isRateLimited(key: string): boolean {
|
||||||
|
const now = Date.now()
|
||||||
|
const entry = rateLimitMap.get(key)
|
||||||
|
if (!entry || now >= entry.resetAt) {
|
||||||
|
rateLimitMap.set(key, { count: 1, resetAt: now + RATE_WINDOW_MS })
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if (entry.count >= RATE_LIMIT) return true
|
||||||
|
entry.count++
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
export async function POST(request: NextRequest) {
|
export async function POST(request: NextRequest) {
|
||||||
try {
|
try {
|
||||||
const { accessKey } = await request.json()
|
const { accessKey } = await request.json()
|
||||||
@@ -20,6 +38,10 @@ export async function POST(request: NextRequest) {
|
|||||||
return NextResponse.json({ error: 'Access key required' }, { status: 400 })
|
return NextResponse.json({ error: 'Access key required' }, { status: 400 })
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (isRateLimited(accessKey)) {
|
||||||
|
return NextResponse.json({ error: 'Too many requests' }, { status: 429 })
|
||||||
|
}
|
||||||
|
|
||||||
const machineResult = await db
|
const machineResult = await db
|
||||||
.select()
|
.select()
|
||||||
.from(machines)
|
.from(machines)
|
||||||
|
|||||||
@@ -8,17 +8,22 @@ export async function GET(
|
|||||||
_request: NextRequest,
|
_request: NextRequest,
|
||||||
{ params }: { params: Promise<{ id: string }> }
|
{ params }: { params: Promise<{ id: string }> }
|
||||||
) {
|
) {
|
||||||
const session = await auth()
|
const authSession = await auth()
|
||||||
if (!session?.user?.id) {
|
if (!authSession?.user?.id) {
|
||||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
}
|
}
|
||||||
|
|
||||||
const { id } = await params
|
const { id } = await params
|
||||||
|
const isAdmin = (authSession.user as { role?: string }).role === 'admin'
|
||||||
|
|
||||||
const result = await db
|
const result = await db
|
||||||
.select()
|
.select()
|
||||||
.from(sessions)
|
.from(sessions)
|
||||||
.where(eq(sessions.id, id))
|
.where(
|
||||||
|
isAdmin
|
||||||
|
? eq(sessions.id, id)
|
||||||
|
: and(eq(sessions.id, id), eq(sessions.viewerUserId, authSession.user.id))
|
||||||
|
)
|
||||||
.limit(1)
|
.limit(1)
|
||||||
|
|
||||||
if (!result[0]) {
|
if (!result[0]) {
|
||||||
@@ -32,8 +37,8 @@ export async function PATCH(
|
|||||||
request: NextRequest,
|
request: NextRequest,
|
||||||
{ params }: { params: Promise<{ id: string }> }
|
{ params }: { params: Promise<{ id: string }> }
|
||||||
) {
|
) {
|
||||||
const session = await auth()
|
const authSession = await auth()
|
||||||
if (!session?.user?.id) {
|
if (!authSession?.user?.id) {
|
||||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -47,7 +52,7 @@ export async function PATCH(
|
|||||||
await db
|
await db
|
||||||
.update(sessions)
|
.update(sessions)
|
||||||
.set(updates)
|
.set(updates)
|
||||||
.where(and(eq(sessions.id, id), eq(sessions.viewerUserId, session.user.id)))
|
.where(and(eq(sessions.id, id), eq(sessions.viewerUserId, authSession.user.id)))
|
||||||
|
|
||||||
return NextResponse.json({ success: true })
|
return NextResponse.json({ success: true })
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,4 +1,7 @@
|
|||||||
import { auth } from '@/auth'
|
import { auth } from '@/auth'
|
||||||
|
import { db } from '@/lib/db'
|
||||||
|
import { sessions } from '@/lib/db/schema'
|
||||||
|
import { and, eq } from 'drizzle-orm'
|
||||||
import { NextRequest, NextResponse } from 'next/server'
|
import { NextRequest, NextResponse } from 'next/server'
|
||||||
|
|
||||||
// In-memory signaling store (use Redis for multi-instance deployments)
|
// In-memory signaling store (use Redis for multi-instance deployments)
|
||||||
@@ -8,6 +11,7 @@ const signalingStore = new Map<string, {
|
|||||||
viewerCandidates: RTCIceCandidateInit[]
|
viewerCandidates: RTCIceCandidateInit[]
|
||||||
hostCandidates: RTCIceCandidateInit[]
|
hostCandidates: RTCIceCandidateInit[]
|
||||||
createdAt: number
|
createdAt: number
|
||||||
|
ownerUserId: string
|
||||||
}>()
|
}>()
|
||||||
|
|
||||||
function cleanupOldSessions() {
|
function cleanupOldSessions() {
|
||||||
@@ -19,48 +23,59 @@ function cleanupOldSessions() {
|
|||||||
|
|
||||||
export async function POST(request: NextRequest) {
|
export async function POST(request: NextRequest) {
|
||||||
try {
|
try {
|
||||||
const session = await auth()
|
const authSession = await auth()
|
||||||
if (!session?.user) {
|
if (!authSession?.user?.id) {
|
||||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const userId = authSession.user.id
|
||||||
const { action, sessionId, data } = await request.json()
|
const { action, sessionId, data } = await request.json()
|
||||||
cleanupOldSessions()
|
cleanupOldSessions()
|
||||||
|
|
||||||
switch (action) {
|
switch (action) {
|
||||||
case 'create-session':
|
case 'create-session': {
|
||||||
signalingStore.set(sessionId, { viewerCandidates: [], hostCandidates: [], createdAt: Date.now() })
|
// Verify the sessionId corresponds to a real session owned by this user
|
||||||
|
const dbSession = await db
|
||||||
|
.select({ id: sessions.id })
|
||||||
|
.from(sessions)
|
||||||
|
.where(and(eq(sessions.id, sessionId), eq(sessions.viewerUserId, userId)))
|
||||||
|
.limit(1)
|
||||||
|
if (!dbSession[0]) {
|
||||||
|
return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
||||||
|
}
|
||||||
|
signalingStore.set(sessionId, { viewerCandidates: [], hostCandidates: [], createdAt: Date.now(), ownerUserId: userId })
|
||||||
return NextResponse.json({ success: true })
|
return NextResponse.json({ success: true })
|
||||||
|
}
|
||||||
|
|
||||||
case 'send-offer': {
|
case 'send-offer': {
|
||||||
const s = signalingStore.get(sessionId)
|
const s = signalingStore.get(sessionId)
|
||||||
if (!s) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
if (!s || s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
||||||
s.offer = data.offer
|
s.offer = data.offer
|
||||||
return NextResponse.json({ success: true })
|
return NextResponse.json({ success: true })
|
||||||
}
|
}
|
||||||
|
|
||||||
case 'get-offer': {
|
case 'get-offer': {
|
||||||
const s = signalingStore.get(sessionId)
|
const s = signalingStore.get(sessionId)
|
||||||
if (!s) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
if (!s || s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
||||||
return NextResponse.json({ offer: s.offer ?? null })
|
return NextResponse.json({ offer: s.offer ?? null })
|
||||||
}
|
}
|
||||||
|
|
||||||
case 'send-answer': {
|
case 'send-answer': {
|
||||||
const s = signalingStore.get(sessionId)
|
const s = signalingStore.get(sessionId)
|
||||||
if (!s) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
if (!s || s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
||||||
s.answer = data.answer
|
s.answer = data.answer
|
||||||
return NextResponse.json({ success: true })
|
return NextResponse.json({ success: true })
|
||||||
}
|
}
|
||||||
|
|
||||||
case 'get-answer': {
|
case 'get-answer': {
|
||||||
const s = signalingStore.get(sessionId)
|
const s = signalingStore.get(sessionId)
|
||||||
if (!s) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
if (!s || s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
||||||
return NextResponse.json({ answer: s.answer ?? null })
|
return NextResponse.json({ answer: s.answer ?? null })
|
||||||
}
|
}
|
||||||
|
|
||||||
case 'send-ice-candidate': {
|
case 'send-ice-candidate': {
|
||||||
const s = signalingStore.get(sessionId)
|
const s = signalingStore.get(sessionId)
|
||||||
if (!s) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
if (!s || s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
||||||
if (data.role === 'viewer') s.viewerCandidates.push(data.candidate)
|
if (data.role === 'viewer') s.viewerCandidates.push(data.candidate)
|
||||||
else s.hostCandidates.push(data.candidate)
|
else s.hostCandidates.push(data.candidate)
|
||||||
return NextResponse.json({ success: true })
|
return NextResponse.json({ success: true })
|
||||||
@@ -68,16 +83,19 @@ export async function POST(request: NextRequest) {
|
|||||||
|
|
||||||
case 'get-ice-candidates': {
|
case 'get-ice-candidates': {
|
||||||
const s = signalingStore.get(sessionId)
|
const s = signalingStore.get(sessionId)
|
||||||
if (!s) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
if (!s || s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
||||||
const candidates = data.role === 'viewer' ? s.hostCandidates : s.viewerCandidates
|
const candidates = data.role === 'viewer' ? s.hostCandidates : s.viewerCandidates
|
||||||
if (data.role === 'viewer') s.hostCandidates = []
|
if (data.role === 'viewer') s.hostCandidates = []
|
||||||
else s.viewerCandidates = []
|
else s.viewerCandidates = []
|
||||||
return NextResponse.json({ candidates })
|
return NextResponse.json({ candidates })
|
||||||
}
|
}
|
||||||
|
|
||||||
case 'close-session':
|
case 'close-session': {
|
||||||
|
const s = signalingStore.get(sessionId)
|
||||||
|
if (s && s.ownerUserId !== userId) return NextResponse.json({ error: 'Session not found' }, { status: 404 })
|
||||||
signalingStore.delete(sessionId)
|
signalingStore.delete(sessionId)
|
||||||
return NextResponse.json({ success: true })
|
return NextResponse.json({ success: true })
|
||||||
|
}
|
||||||
|
|
||||||
default:
|
default:
|
||||||
return NextResponse.json({ error: 'Unknown action' }, { status: 400 })
|
return NextResponse.json({ error: 'Unknown action' }, { status: 400 })
|
||||||
|
|||||||
@@ -52,6 +52,7 @@ services:
|
|||||||
- "8765:8765"
|
- "8765:8765"
|
||||||
environment:
|
environment:
|
||||||
DATABASE_URL: postgresql://${POSTGRES_USER:-remotelink}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB:-remotelink}
|
DATABASE_URL: postgresql://${POSTGRES_USER:-remotelink}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB:-remotelink}
|
||||||
|
ALLOWED_ORIGINS: ${NEXT_PUBLIC_APP_URL:-http://localhost:3000}
|
||||||
depends_on:
|
depends_on:
|
||||||
postgres:
|
postgres:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
|
|||||||
@@ -22,6 +22,8 @@ logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(mess
|
|||||||
log = logging.getLogger("relay")
|
log = logging.getLogger("relay")
|
||||||
|
|
||||||
DATABASE_URL = os.environ["DATABASE_URL"]
|
DATABASE_URL = os.environ["DATABASE_URL"]
|
||||||
|
# Comma-separated list of allowed origins for CORS, e.g. "https://app.example.com"
|
||||||
|
ALLOWED_ORIGINS = [o.strip() for o in os.environ.get("ALLOWED_ORIGINS", "").split(",") if o.strip()]
|
||||||
|
|
||||||
# ── In-memory connection registry ────────────────────────────────────────────
|
# ── In-memory connection registry ────────────────────────────────────────────
|
||||||
# machine_id (str) → WebSocket
|
# machine_id (str) → WebSocket
|
||||||
@@ -30,6 +32,8 @@ agents: dict[str, WebSocket] = {}
|
|||||||
viewers: dict[str, WebSocket] = {}
|
viewers: dict[str, WebSocket] = {}
|
||||||
# session_id → machine_id
|
# session_id → machine_id
|
||||||
session_to_machine: dict[str, str] = {}
|
session_to_machine: dict[str, str] = {}
|
||||||
|
# session_id → viewer's user role ("admin" | "user")
|
||||||
|
viewer_roles: dict[str, str] = {}
|
||||||
|
|
||||||
db_pool: Optional[asyncpg.Pool] = None
|
db_pool: Optional[asyncpg.Pool] = None
|
||||||
|
|
||||||
@@ -47,7 +51,7 @@ app = FastAPI(lifespan=lifespan)
|
|||||||
|
|
||||||
app.add_middleware(
|
app.add_middleware(
|
||||||
CORSMiddleware,
|
CORSMiddleware,
|
||||||
allow_origins=["*"],
|
allow_origins=ALLOWED_ORIGINS if ALLOWED_ORIGINS else ["*"],
|
||||||
allow_credentials=True,
|
allow_credentials=True,
|
||||||
allow_methods=["*"],
|
allow_methods=["*"],
|
||||||
allow_headers=["*"],
|
allow_headers=["*"],
|
||||||
@@ -68,9 +72,10 @@ async def validate_agent(machine_id: str, access_key: str) -> Optional[dict]:
|
|||||||
async def validate_viewer(session_id: str, viewer_token: str) -> Optional[dict]:
|
async def validate_viewer(session_id: str, viewer_token: str) -> Optional[dict]:
|
||||||
async with db_pool.acquire() as conn:
|
async with db_pool.acquire() as conn:
|
||||||
row = await conn.fetchrow(
|
row = await conn.fetchrow(
|
||||||
"""SELECT id, machine_id, machine_name
|
"""SELECT s.id, s.machine_id, s.machine_name, COALESCE(u.role, 'user') AS viewer_role
|
||||||
FROM sessions
|
FROM sessions s
|
||||||
WHERE id = $1 AND viewer_token = $2 AND ended_at IS NULL""",
|
LEFT JOIN users u ON u.id = s.viewer_user_id
|
||||||
|
WHERE s.id = $1 AND s.viewer_token = $2 AND s.ended_at IS NULL""",
|
||||||
session_id, viewer_token,
|
session_id, viewer_token,
|
||||||
)
|
)
|
||||||
return dict(row) if row else None
|
return dict(row) if row else None
|
||||||
@@ -174,10 +179,13 @@ async def viewer_endpoint(
|
|||||||
await websocket.close(code=4002, reason="No machine associated with session")
|
await websocket.close(code=4002, reason="No machine associated with session")
|
||||||
return
|
return
|
||||||
|
|
||||||
|
viewer_role = session.get("viewer_role", "user")
|
||||||
|
|
||||||
await websocket.accept()
|
await websocket.accept()
|
||||||
viewers[session_id] = websocket
|
viewers[session_id] = websocket
|
||||||
session_to_machine[session_id] = machine_id
|
session_to_machine[session_id] = machine_id
|
||||||
log.info(f"Viewer connected to session {session_id} (machine {machine_id})")
|
viewer_roles[session_id] = viewer_role
|
||||||
|
log.info(f"Viewer connected to session {session_id} (machine {machine_id}, role {viewer_role})")
|
||||||
|
|
||||||
if machine_id in agents:
|
if machine_id in agents:
|
||||||
# Tell agent to start streaming for this session
|
# Tell agent to start streaming for this session
|
||||||
@@ -195,6 +203,14 @@ async def viewer_endpoint(
|
|||||||
try:
|
try:
|
||||||
event = json.loads(text)
|
event = json.loads(text)
|
||||||
event["session_id"] = session_id
|
event["session_id"] = session_id
|
||||||
|
# exec_script is restricted to admin viewers only
|
||||||
|
if event.get("type") == "exec_script":
|
||||||
|
if viewer_roles.get(session_id) != "admin":
|
||||||
|
await send_json(websocket, {
|
||||||
|
"type": "error",
|
||||||
|
"message": "exec_script requires admin role",
|
||||||
|
})
|
||||||
|
continue
|
||||||
# Forward control events to the agent
|
# Forward control events to the agent
|
||||||
if machine_id in agents:
|
if machine_id in agents:
|
||||||
await send_json(agents[machine_id], event)
|
await send_json(agents[machine_id], event)
|
||||||
@@ -207,6 +223,7 @@ async def viewer_endpoint(
|
|||||||
finally:
|
finally:
|
||||||
viewers.pop(session_id, None)
|
viewers.pop(session_id, None)
|
||||||
session_to_machine.pop(session_id, None)
|
session_to_machine.pop(session_id, None)
|
||||||
|
viewer_roles.pop(session_id, None)
|
||||||
if machine_id in agents:
|
if machine_id in agents:
|
||||||
await send_json(agents[machine_id], {"type": "stop_stream", "session_id": session_id})
|
await send_json(agents[machine_id], {"type": "stop_stream", "session_id": session_id})
|
||||||
log.info(f"Viewer disconnected from session {session_id}")
|
log.info(f"Viewer disconnected from session {session_id}")
|
||||||
|
|||||||
Reference in New Issue
Block a user