feat: Security

2026-06-05 18:34:01 +02:00
parent ee293d7daf
commit 45675192a5
134 changed files with 4128 additions and 446 deletions
--- a/server/src/websocket/handler.ts
+++ b/server/src/websocket/handler.ts
@@ -7,7 +7,12 @@ import {
  getUniqueUsersInServer,
  isOderIdConnectedToServer
 } from './broadcast';
-import { authorizeWebSocketJoin } from '../services/server-access.service';
+import {
+  authorizeWebSocketJoin,
+  findServerMembership,
+  usersShareServerMembership
+} from '../services/server-access.service';
+import { consumeSessionToken } from '../services/session-auth.service';
 import {
  getPluginRequirementsSnapshot,
  PluginSupportError,
@@ -131,8 +136,67 @@ async function sendPluginRequirements(user: ConnectedUser, serverId: string): Pr
  }
 }

-function handleIdentify(user: ConnectedUser, message: WsMessage, connectionId: string): void {
-  const newOderId = readMessageId(message['oderId']) ?? connectionId;
+const DIRECT_SIGNALING_TYPES = new Set([
+  'direct-message',
+  'direct-message-status',
+  'direct-message-mutation',
+  'direct-message-typing',
+  'direct-message-sync-request',
+  'direct-message-sync',
+  'direct-call'
+]);
+const SERVER_SCOPED_SIGNALING_TYPES = new Set([
+  'server_icon_peer_request',
+  'server_icon_peer_data',
+  'server_icon_available',
+  'server_icon_sync_request'
+]);
+
+function sendAuthRequired(user: ConnectedUser): void {
+  user.ws.send(JSON.stringify({
+    type: 'auth_required',
+    message: 'identify with a valid session token before sending messages'
+  }));
+}
+
+async function handleIdentify(user: ConnectedUser, message: WsMessage, connectionId: string): Promise<void> {
+  const token = typeof message['token'] === 'string' ? message['token'].trim() : '';
+
+  if (!token) {
+    user.ws.send(JSON.stringify({
+      type: 'auth_error',
+      code: 'MISSING_TOKEN',
+      message: 'identify requires a session token'
+    }));
+
+    return;
+  }
+
+  const session = await consumeSessionToken(token);
+
+  if (!session) {
+    user.ws.send(JSON.stringify({
+      type: 'auth_error',
+      code: 'INVALID_TOKEN',
+      message: 'invalid or expired session token'
+    }));
+
+    return;
+  }
+
+  const claimedOderId = readMessageId(message['oderId']);
+
+  if (claimedOderId && claimedOderId !== session.user.id) {
+    user.ws.send(JSON.stringify({
+      type: 'auth_error',
+      code: 'USER_ID_MISMATCH',
+      message: 'oderId must match the authenticated user'
+    }));
+
+    return;
+  }
+
+  const newOderId = session.user.id;
  const newScope = typeof message['connectionScope'] === 'string' ? message['connectionScope'] : undefined;
  const previousDisplayName = normalizeDisplayName(user.displayName);
  const previousDescription = user.description;
@@ -140,6 +204,7 @@ function handleIdentify(user: ConnectedUser, message: WsMessage, connectionId: s
  const previousHomeSignalServerUrl = user.homeSignalServerUrl;

  user.oderId = newOderId;
+  user.authenticated = true;
  user.displayName = normalizeDisplayName(message['displayName'], normalizeDisplayName(user.displayName));

  if (Object.prototype.hasOwnProperty.call(message, 'description')) {
@@ -277,11 +342,45 @@ function handleLeaveServer(user: ConnectedUser, message: WsMessage, connectionId
  );
 }

-function forwardRtcMessage(user: ConnectedUser, message: WsMessage): void {
+async function canForwardRtcMessage(user: ConnectedUser, message: WsMessage, targetUserId: string): Promise<boolean> {
+  if (!targetUserId || targetUserId === user.oderId) {
+    return false;
+  }
+
+  if (DIRECT_SIGNALING_TYPES.has(message.type)) {
+    return true;
+  }
+
+  if (SERVER_SCOPED_SIGNALING_TYPES.has(message.type)) {
+    const serverId = readMessageId(message['serverId']);
+
+    if (!serverId) {
+      return false;
+    }
+
+    const senderMembership = await findServerMembership(serverId, user.oderId);
+    const targetMembership = await findServerMembership(serverId, targetUserId);
+
+    return !!senderMembership && !!targetMembership;
+  }
+
+  if (message.type === 'offer' || message.type === 'answer' || message.type === 'ice_candidate') {
+    return true;
+  }
+
+  return usersShareServerMembership(user.oderId, targetUserId);
+}
+
+async function forwardRtcMessage(user: ConnectedUser, message: WsMessage): Promise<void> {
  const targetUserId = readMessageId(message['targetUserId']) ?? '';

  console.log(`Forwarding ${message.type} from ${user.oderId} to ${targetUserId}`);

+  if (!(await canForwardRtcMessage(user, message, targetUserId))) {
+    console.log(`Blocked ${message.type} relay from ${user.oderId} to ${targetUserId}`);
+    return;
+  }
+
  const targetUser = findUserByOderId(targetUserId);

  if (targetUser) {
@@ -482,13 +581,18 @@ export async function handleWebSocketMessage(connectionId: string, message: WsMe
  user.lastPong = Date.now();
  connectedUsers.set(connectionId, user);

+  if (!user.authenticated && message.type !== 'identify' && message.type !== 'keepalive') {
+    sendAuthRequired(user);
+    return;
+  }
+
  switch (message.type) {
    case 'keepalive':
      user.ws.send(JSON.stringify({ type: 'keepalive_ack', serverTime: Date.now() }));
      break;

    case 'identify':
-      handleIdentify(user, message, connectionId);
+      await handleIdentify(user, message, connectionId);
      break;

    case 'join_server':
@@ -515,7 +619,7 @@ export async function handleWebSocketMessage(connectionId: string, message: WsMe
    case 'direct-call':
    case 'server_icon_peer_request':
    case 'server_icon_peer_data':
-      forwardRtcMessage(user, message);
+      await forwardRtcMessage(user, message);
      break;

    case 'chat_message':