Prevent updates of specific keys via API (#256)

prevent non-admin from updating settings prevent password updates in multi-user mdoe
2024-10-04 01:40:12 +02:00 · 2023-09-29 19:44:40 +02:00 · 2023-09-29 19:44:40 +02:00 · d5b1f84a4c
commit d5b1f84a4c
parent 61777c837b
3 changed files with 42 additions and 11 deletions
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@ -239,6 +239,16 @@ function systemEndpoints(app) {
    async (request, response) => {
      try {
        const body = reqBody(request);
        // Only admins can update the ENV settings.
        if (multiUserMode(response)) {
          const user = await userFromSession(request, response);
          if (!user || user?.role !== "admin") {
            response.sendStatus(401).end();
            return;
          }
        }
        const { newValues, error } = updateENV(body);
        if (process.env.NODE_ENV === "production") await dumpENV();
        response.status(200).json({ newValues, error });
@ -254,11 +264,21 @@ function systemEndpoints(app) {
    [validatedRequest],
    async (request, response) => {
      try {
        // Cannot update password in multi - user mode.
        if (multiUserMode(response)) {
          response.sendStatus(401).end();
          return;
        }
        const { usePassword, newPassword } = reqBody(request);
-        const { error } = updateENV({
+        const { error } = updateENV(
          {
            AuthToken: usePassword ? newPassword : "",
            JWTSecret: usePassword ? v4() : "",
-        });
+          },
          true
        );
        if (process.env.NODE_ENV === "production") await dumpENV();
        response.status(200).json({ success: !error, error });
      } catch (e) {
        console.log(e.message, e);
@ -293,8 +313,15 @@ function systemEndpoints(app) {
          limit_user_messages: false,
          message_limit: 25,
        });
-        process.env.AUTH_TOKEN = null;
+
-        process.env.JWT_SECRET = process.env.JWT_SECRET ?? v4(); // Make sure JWT_SECRET is set for JWT issuance.
+        updateENV(
          {
            AuthToken: null,
            JWTSecret: process.env.JWT_SECRET ?? v4(),
          },
          true
        );
        if (process.env.NODE_ENV === "production") await dumpENV();
        await Telemetry.sendTelemetry("enabled_multi_user_mode");
        response.status(200).json({ success: !!user, error });
      } catch (e) {
--- a/server/utils/helpers/updateENV.js
+++ b/server/utils/helpers/updateENV.js
@ -72,11 +72,11 @@ const KEY_MAPPING = {
  // System Settings
  AuthToken: {
    envKey: "AUTH_TOKEN",
-    checks: [],
+    checks: [requiresForceMode],
  },
  JWTSecret: {
    envKey: "JWT_SECRET",
-    checks: [],
+    checks: [requiresForceMode],
  },
  // Not supported yet.
  // 'StorageDir': 'STORAGE_DIR',
@ -143,11 +143,15 @@ function validAzureURL(input = "") {
  }
 }
 function requiresForceMode(_, forceModeEnabled = false) {
  return forceModeEnabled === true ? null : "Cannot set this setting.";
 }
 // This will force update .env variables which for any which reason were not able to be parsed or
 // read from an ENV file as this seems to be a complicating step for many so allowing people to write
 // to the process will at least alleviate that issue. It does not perform comprehensive validity checks or sanity checks
 // and is simply for debugging when the .env not found issue many come across.
-function updateENV(newENVs = {}) {
+function updateENV(newENVs = {}, force = false) {
  let error = "";
  const validKeys = Object.keys(KEY_MAPPING);
  const ENV_KEYS = Object.keys(newENVs).filter(
@ -159,7 +163,7 @@ function updateENV(newENVs = {}) {
    const { envKey, checks } = KEY_MAPPING[key];
    const value = newENVs[key];
    const errors = checks
-      .map((validityCheck) => validityCheck(value))
+      .map((validityCheck) => validityCheck(value, force))
      .filter((err) => typeof err === "string");
    if (errors.length > 0) {
--- a/server/utils/prisma/migrateFromSqlite.js
+++ b/server/utils/prisma/migrateFromSqlite.js
@ -253,7 +253,7 @@ async function migrateTable(tableName, migrateRowFunc) {
  // Check table exists
  const { count } = await db.get(
    `SELECT COUNT(*) as count FROM sqlite_master WHERE name='${tableName}'`
-  )
+  );
  if (count === 0) {
    console.log(
      `${tableName} does not exist in legacy DB - nothing to migrate - skipping.`