Merge pull request #4475 from oswaldoacauan/fix-token-security

[HTML5] Add a check for the passed credentials agains the token in Acl

Merge pull request #4475 from oswaldoacauan/fix-token-security
66f8be63 · Anton Georgiev · GitHub · a49a4f43 · 96ea9189 · 66f8be63
Commit 66f8be63 authored 7 years ago by Anton Georgiev Committed by GitHub 7 years ago
--- a/bigbluebutton-html5/imports/api/acl/Acl.js
+++ b/bigbluebutton-html5/imports/api/acl/Acl.js
+
+import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';
 import deepMerge from '/imports/utils/deepMerge';

-export class Acl {
-
+export default class Acl {
  constructor(config, Users) {
    this.Users = Users;
    this.config = config;
@@ -12,11 +13,22 @@ export class Acl {
    check(permission, String);
    const permissions = this.getPermissions(credentials);

-    if (permissions) {
-      return this.fetchPermission(permission, permissions);
-    }
+    return this.checkToken(credentials) && this.fetchPermission(permission, permissions);
+  }

-    return false;
+  checkToken(credentials) {
+    // skip token check in client `can` calls since we dont have the authToken in the collection
+    if (!Meteor.isServer) return true;
+
+    const { meetingId, requesterUserId: userId, requesterToken: authToken } = credentials;
+
+    const User = this.Users.findOne({
+      meetingId,
+      userId,
+      authToken,
+    });
+
+    return !!User; // if he found a user means the meeting/user/token is valid
  }

  fetchPermission(permission, permissions) {

--- a/bigbluebutton-html5/imports/startup/acl.js
+++ b/bigbluebutton-html5/imports/startup/acl.js
 import { Meteor } from 'meteor/meteor';
 import Users from '/imports/api/2.0/users';
-import { Acl } from '/imports/api/acl/Acl';
+import Acl from '/imports/api/acl/Acl';

 const AclSingleton = new Acl();