Prevent updates of specific keys via API (#256)

prevent non-admin from updating settings
prevent password updates in multi-user mdoe

server/endpoints/system.js

@@ -239,6 +239,16 @@ function systemEndpoints(app) {
     async (request, response) => {
       try {
         const body = reqBody(request);
+
+        // Only admins can update the ENV settings.
+        if (multiUserMode(response)) {
+          const user = await userFromSession(request, response);
+          if (!user || user?.role !== "admin") {
+            response.sendStatus(401).end();
+            return;
+          }
+        }
+
         const { newValues, error } = updateENV(body);
         if (process.env.NODE_ENV === "production") await dumpENV();
         response.status(200).json({ newValues, error });
@@ -254,11 +264,21 @@ function systemEndpoints(app) {
     [validatedRequest],
     async (request, response) => {
       try {
+        // Cannot update password in multi - user mode.
+        if (multiUserMode(response)) {
+          response.sendStatus(401).end();
+          return;
+        }
+
         const { usePassword, newPassword } = reqBody(request);
-        const { error } = updateENV({
-          AuthToken: usePassword ? newPassword : "",
-          JWTSecret: usePassword ? v4() : "",
-        });
+        const { error } = updateENV(
+          {
+            AuthToken: usePassword ? newPassword : "",
+            JWTSecret: usePassword ? v4() : "",
+          },
+          true
+        );
+        if (process.env.NODE_ENV === "production") await dumpENV();
         response.status(200).json({ success: !error, error });
       } catch (e) {
         console.log(e.message, e);
@@ -293,8 +313,15 @@ function systemEndpoints(app) {
           limit_user_messages: false,
           message_limit: 25,
         });
-        process.env.AUTH_TOKEN = null;
-        process.env.JWT_SECRET = process.env.JWT_SECRET ?? v4(); // Make sure JWT_SECRET is set for JWT issuance.
+
+        updateENV(
+          {
+            AuthToken: null,
+            JWTSecret: process.env.JWT_SECRET ?? v4(),
+          },
+          true
+        );
+        if (process.env.NODE_ENV === "production") await dumpENV();
         await Telemetry.sendTelemetry("enabled_multi_user_mode");
         response.status(200).json({ success: !!user, error });
       } catch (e) {

server/utils/helpers/updateENV.js

@@ -72,11 +72,11 @@ const KEY_MAPPING = {
   // System Settings
   AuthToken: {
     envKey: "AUTH_TOKEN",
-    checks: [],
+    checks: [requiresForceMode],
   },
   JWTSecret: {
     envKey: "JWT_SECRET",
-    checks: [],
+    checks: [requiresForceMode],
   },
   // Not supported yet.
   // 'StorageDir': 'STORAGE_DIR',
@@ -143,11 +143,15 @@ function validAzureURL(input = "") {
   }
 }
 
+function requiresForceMode(_, forceModeEnabled = false) {
+  return forceModeEnabled === true ? null : "Cannot set this setting.";
+}
+
 // This will force update .env variables which for any which reason were not able to be parsed or
 // read from an ENV file as this seems to be a complicating step for many so allowing people to write
 // to the process will at least alleviate that issue. It does not perform comprehensive validity checks or sanity checks
 // and is simply for debugging when the .env not found issue many come across.
-function updateENV(newENVs = {}) {
+function updateENV(newENVs = {}, force = false) {
   let error = "";
   const validKeys = Object.keys(KEY_MAPPING);
   const ENV_KEYS = Object.keys(newENVs).filter(
@@ -159,7 +163,7 @@ function updateENV(newENVs = {}) {
     const { envKey, checks } = KEY_MAPPING[key];
     const value = newENVs[key];
     const errors = checks
-      .map((validityCheck) => validityCheck(value))
+      .map((validityCheck) => validityCheck(value, force))
       .filter((err) => typeof err === "string");
 
     if (errors.length > 0) {

server/utils/prisma/migrateFromSqlite.js

@@ -253,7 +253,7 @@ async function migrateTable(tableName, migrateRowFunc) {
   // Check table exists
   const { count } = await db.get(
     `SELECT COUNT(*) as count FROM sqlite_master WHERE name='${tableName}'`
-  )
+  );
   if (count === 0) {
     console.log(
       `${tableName} does not exist in legacy DB - nothing to migrate - skipping.`