Security hardening for JWT lifecycle and Socket.IO admin operations (#2379)

unocelli · web-flow · commit 4fa47d0a2a85 · 2026-05-25T16:19:50.000+02:00
* security: jwt lifecycle GHSA-rg7m-xwqc-mjw6

* security: SSRF hardening for `device-webapi-request` GHSA-wrg6-49wh-46pw

* security: Unauthenticated Socket.IO read events GHSA-rh5p-m38p-2w75

* security: clean
diff --git a/client/src/app/_services/auth.service.ts b/client/src/app/_services/auth.service.ts
@@ -113,12 +113,24 @@ export class AuthService {
         return false;
     }
 
-	setNewToken(token: string) {
+	setNewToken(token: string, userData?: Partial<UserProfile>) {
 		if (!this.currentUser) {
 			return;
 		}
+		if (userData) {
+			this.currentUser.username = userData.username ?? this.currentUser.username;
+			this.currentUser.fullname = userData.fullname ?? this.currentUser.fullname;
+			this.currentUser.groups = userData.groups ?? this.currentUser.groups;
+			this.currentUser.info = userData.info ?? this.currentUser.info;
+			if (this.currentUser.info) {
+				this.currentUser.infoRoles = JSON.parse(this.currentUser.info)?.roles;
+			} else {
+				this.currentUser.infoRoles = null;
+			}
+		}
 		this.currentUser.token = token;
 		this.saveUserToken(this.currentUser);
+		this.currentUser$.next(this.currentUser);
 	}
 
 	// to check by page refresh
@@ -180,8 +192,8 @@ export class AuthService {
 						...(this.currentUser || {}),
 						username: result.data.username || this.currentUser?.username,
 						fullname: result.data.fullname || this.currentUser?.fullname,
-						groups: result.data.groups || this.currentUser?.groups,
-						info: result.data.info || this.currentUser?.info,
+						groups: result.data.groups ?? this.currentUser?.groups,
+						info: result.data.info ?? this.currentUser?.info,
 						token: result.data.token
 					};
 					if (refreshed.info) {
diff --git a/client/src/app/_services/heartbeat.service.ts b/client/src/app/_services/heartbeat.service.ts
@@ -29,7 +29,7 @@ export class HeartbeatService {
 			this.heartbeatSubscription = interval(this.heartbeatInterval).subscribe(() => {
 				this.server.heartbeat(this.activity).subscribe(res => {
 					if (res?.message === 'tokenRefresh' && res?.token) {
-						this.authService.setNewToken(res.token);
+						this.authService.setNewToken(res.token, res.data);
 					} else if (res?.message === 'guest' && res?.token) {
 						this.authService.signOut();
 					}
diff --git a/server/api/auth/index.js b/server/api/auth/index.js
@@ -52,7 +52,7 @@ function buildAccessToken(user) {
 }
 
 function buildRefreshToken(user) {
-    return jwt.sign({ id: user.username, groups: user.groups, type: 'refresh' }, secretCode, { expiresIn: refreshTokenExpiresIn });
+    return jwt.sign({ id: user.username, type: 'refresh' }, secretCode, { expiresIn: refreshTokenExpiresIn });
 }
 
 function setRefreshCookie(res, token) {
@@ -155,20 +155,18 @@ module.exports = {
                     return res.status(401).json({ status: 'error', message: 'Invalid refresh token' });
                 }
 
-                let userData = null;
-                try {
-                    const users = await runtime.users.getUsers({ username: decoded.id });
-                    if (users && users.length) {
-                        userData = users[0];
-                    }
-                } catch (err) {
-                    runtime.logger.error(`api refresh: user lookup failed ${err}`);
+                const users = await runtime.users.getUsers({ username: decoded.id });
+                if (!users || !users.length) {
+                    clearRefreshCookie(res);
+                    return res.status(401).json({ status: 'error', message: 'Invalid refresh token' });
                 }
 
+                const userData = users[0];
+
                 const user = {
                     username: decoded.id,
                     fullname: userData?.fullname,
-                    groups: userData?.groups || decoded.groups,
+                    groups: userData?.groups,
                     info: userData?.info
                 };
 
diff --git a/server/api/index.js b/server/api/index.js
@@ -185,7 +185,7 @@ function init(_server, _runtime) {
             /**
              * GET Heartbeat to check token
              */
-            apiApp.post('/api/heartbeat', authMiddleware, function (req, res) {
+            apiApp.post('/api/heartbeat', authMiddleware, async function (req, res) {
 
                 if (!runtime.settings.secureEnabled) {
                     return res.end();
@@ -200,10 +200,17 @@ function init(_server, _runtime) {
                         });
                     }
 
+                    const currentUser = await getCurrentTokenUser(req);
+                    if (!currentUser) {
+                        return res.status(401).json({ error: 'unauthorized_error', message: 'Unauthorized!' });
+                    }
+
+                    req.userGroups = currentUser.groups;
                     const token = authJwt.getNewTokenFromRequest(req);
                     return res.status(200).json({
                         message: 'tokenRefresh',
-                        token
+                        token,
+                        data: currentUser
                     });
                 }
 
@@ -279,6 +286,28 @@ function mergeUserSettings(settings) {
     }
 }
 
+async function getCurrentTokenUser(req) {
+    if (!req.isAuthenticated || authJwt.isGuestUser(req.userId, req.userGroups)) {
+        return null;
+    }
+
+    try {
+        const users = await runtime.users.getUsers({ username: req.userId });
+        if (users && users.length && !utils.isNullOrUndefined(users[0].groups)) {
+            return {
+                username: users[0].username,
+                fullname: users[0].fullname,
+                groups: users[0].groups,
+                info: users[0].info
+            };
+        }
+    } catch (err) {
+        runtime.logger.error(`api heartbeat: user lookup failed ${err}`);
+    }
+
+    return null;
+}
+
 function verifyGroups(req) {
     if (runtime.settings && runtime.settings.secureEnabled) {
         if (req.apiKey) {
@@ -288,6 +317,9 @@ function verifyGroups(req) {
             return (runtime.settings.userRole) ? null : 0;
         }
         const userInfo = runtime.users.getUserCache(req.userId);
+        if (req.isAuthenticated && !authJwt.isGuestUser(req.userId, req.userGroups) && !userInfo) {
+            return null;
+        }
         return (runtime.settings.userRole && req.userId !== 'admin') ? userInfo : userInfo ? userInfo.groups : req.userGroups;
     } else {
         return authJwt.adminGroups[0];
diff --git a/server/api/jwt-helper.js b/server/api/jwt-helper.js
@@ -72,27 +72,6 @@ function verifyToken (req, res, next) {
 }
 
 function requireAuth (req, res, next) {
-    // Allow requests from FUXA interface (iframe embedding)
-    // Check for common FUXA referer patterns
-    const referer = req.headers.referer;
-    if (referer) {
-        // Allow if referer is from the same host (to support IP access without specific paths)
-        const requestHost = req.headers.host;
-        if (referer.startsWith(`http://${requestHost}`) || referer.startsWith(`https://${requestHost}`)) {
-            return next();
-        }
-        // Allow if referer contains common FUXA paths or is from the same server
-        const fuxaPatterns = [
-            '/fuxa', '/editor', '/viewer', '/lab', '/home',
-            'localhost:', '127.0.0.1:', '0.0.0.0:'
-        ];
-        const hasFuxaReferer = fuxaPatterns.some(pattern => referer.includes(pattern));
-        if (hasFuxaReferer) {
-            return next();
-        }
-    }
-
-    // For direct access, require authentication
     let token = req.headers['x-access-token'];
 
     if (!token) {
diff --git a/server/api/users/index.js b/server/api/users/index.js
@@ -8,6 +8,22 @@ var runtime;
 var secureFnc;
 var checkGroupsFnc;
 
+function sanitizeUser(user) {
+    if (!user || typeof user !== 'object') {
+        return user;
+    }
+    const sanitized = Object.assign({}, user);
+    delete sanitized.password;
+    return sanitized;
+}
+
+function sanitizeUsers(users) {
+    if (Array.isArray(users)) {
+        return users.map(sanitizeUser);
+    }
+    return sanitizeUser(users);
+}
+
 module.exports = {
     init: function (_runtime, _secureFnc, _checkGroupsFnc) {
         runtime = _runtime;
@@ -40,7 +56,7 @@ module.exports = {
                     // res.header("Access-Control-Allow-Origin", "*");
                     // res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
                     if (result) {
-                        res.json(result);
+                        res.json(sanitizeUsers(result));
                     } else {
                         res.end();
                     }
@@ -185,4 +201,4 @@ module.exports = {
         });
         return usersApp;
     }
-}
+}
diff --git a/server/runtime/index.js b/server/runtime/index.js
@@ -40,6 +40,13 @@ function isSocketWriteAuthorized(socket) {
     return !!(socket && socket.isAuthenticated);
 }
 
+function isSocketAdminAuthorized(socket) {
+    if (!settings || !settings.secureEnabled) {
+        return true;
+    }
+    return !!(socket && socket.isAuthenticated && api?.authJwt?.haveAdminPermission(socket.userGroups));
+}
+
 function init(_io, _api, _settings, _log, eventsMain) {
     io = _io;
     settings = _settings;
@@ -197,6 +204,10 @@ function init(_io, _api, _settings, _log, eventsMain) {
         // client ask device browse
         socket.on(Events.IoEventTypes.DEVICE_BROWSE, (message) => {
             try {
+                if (!isSocketAdminAuthorized(socket)) {
+                    logger.warn(`${Events.IoEventTypes.DEVICE_BROWSE}: unauthorized request from ${socket.userId || 'guest'}`);
+                    return;
+                }
                 if (message) {
                     if (message.device) {
                         devices.browseDevice(message.device, message.node, function (nodes) {
@@ -218,6 +229,10 @@ function init(_io, _api, _settings, _log, eventsMain) {
         // client ask device node attribute
         socket.on(Events.IoEventTypes.DEVICE_NODE_ATTRIBUTE, (message) => {
             try {
+                if (!isSocketAdminAuthorized(socket)) {
+                    logger.warn(`${Events.IoEventTypes.DEVICE_NODE_ATTRIBUTE}: unauthorized request from ${socket.userId || 'guest'}`);
+                    return;
+                }
                 if (message) {
                     if (message.device) {
                         devices.readNodeAttribute(message.device, message.node).then(result => {
@@ -278,6 +293,10 @@ function init(_io, _api, _settings, _log, eventsMain) {
         // client ask host interfaces
         socket.on(Events.IoEventTypes.HOST_INTERFACES, (message) => {
             try {
+                if (!isSocketAdminAuthorized(socket)) {
+                    logger.warn(`${Events.IoEventTypes.HOST_INTERFACES}: unauthorized request from ${socket.userId || 'guest'}`);
+                    return;
+                }
                 if (message === 'get') {
                     message = {};
                     utils.getHostInterfaces().then(result => {
@@ -300,7 +319,7 @@ function init(_io, _api, _settings, _log, eventsMain) {
         // client ask device webapi request and return result
         socket.on(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, (message) => {
             try {
-                if (!isSocketWriteAuthorized(socket)) {
+                if (!isSocketAdminAuthorized(socket)) {
                     logger.warn(`${Events.IoEventTypes.DEVICE_WEBAPI_REQUEST}: unauthorized request from ${socket.userId || 'guest'}`);
                     return;
                 }
@@ -326,6 +345,10 @@ function init(_io, _api, _settings, _log, eventsMain) {
         // client ask device tags configurtions, used for connections that load tags dinamically (webapi)
         socket.on(Events.IoEventTypes.DEVICE_TAGS_REQUEST, (message) => {
             try {
+                if (!isSocketAdminAuthorized(socket)) {
+                    logger.warn(`${Events.IoEventTypes.DEVICE_TAGS_REQUEST}: unauthorized request from ${socket.userId || 'guest'}`);
+                    return;
+                }
                 if (message && message.deviceId) {
                     devices.getDeviceTagsResult(message.deviceId).then(result => {
                         message.result = result;
diff --git a/server/runtime/users/index.js b/server/runtime/users/index.js
@@ -90,6 +90,7 @@ function removeUsers(username) {
     return new Promise(function (resolve, reject) {
         if (username) {
             usrstorage.removeUser(username).then(() => {
+                usersMap.delete(username);
                 resolve();
             }).catch(function (err) {
                 logger.error(`users.usrstorage-remove-users failed! ${err}`);
@@ -207,4 +208,4 @@ module.exports = {
     removeRoles: removeRoles,
     findOne: findOne,
     getUserCache: getUserCache
-};
+};
diff --git a/server/test/authorization/jwtLifecycleSecurity.test.js b/server/test/authorization/jwtLifecycleSecurity.test.js

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ export class HeartbeatService {`
`29`	`29`	`this.heartbeatSubscription = interval(this.heartbeatInterval).subscribe(() => {`
`30`	`30`	`this.server.heartbeat(this.activity).subscribe(res => {`
`31`	`31`	`if (res?.message === 'tokenRefresh' && res?.token) {`
`32`		`- this.authService.setNewToken(res.token);`
	`32`	`+ this.authService.setNewToken(res.token, res.data);`
`33`	`33`	`} else if (res?.message === 'guest' && res?.token) {`
`34`	`34`	`this.authService.signOut();`
`35`	`35`	`}`