From 42bf27fe5a7492d62308557c40b6b54c230238eb Mon Sep 17 00:00:00 2001
From: Andreas Brett
Date: Wed, 11 Oct 2023 13:28:06 +0200
Subject: [PATCH] push monitor: increase token security (#912)
* increased pushToken security
* Merge manually
---------
Co-authored-by: Andreas Brett
Co-authored-by: Louis Lam
---
 .../2023-10-11-1915-push-token-to-32.js | 14 ++++++++++++++
 src/lang/en.json | 1 +
 src/pages/EditMonitor.vue | 13 ++++++++++++-
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 db/knex_migrations/2023-10-11-1915-push-token-to-32.js
diff --git a/db/knex_migrations/2023-10-11-1915-push-token-to-32.js b/db/knex_migrations/2023-10-11-1915-push-token-to-32.js
new file mode 100644
index 00000000..47e5ac0b
--- /dev/null
+++ b/db/knex_migrations/2023-10-11-1915-push-token-to-32.js
@@ -0,0 +1,14 @@
+exports.up = function (knex) {
+ // update monitor.push_token to 32 length
+ return knex.schema
+ .alterTable("monitor", function (table) {
+ table.string("push_token", 32).alter();
+ });
+};
+
+exports.down = function (knex) {
+ return knex.schema
+ .alterTable("monitor", function (table) {
+ table.string("push_token", 20).alter();
+ });
+};
diff --git a/src/lang/en.json b/src/lang/en.json
index c75dd7c8..5600254a 100644
--- a/src/lang/en.json
+++ b/src/lang/en.json
@@ -244,6 +244,7 @@
 "successMessage": "Success Message",
 "successMessageExplanation": "MQTT message that will be considered as success",
 "recent": "Recent",
+ "Reset Token": "Reset Token",
 "Done": "Done",
 "Info": "Info",
 "Security": "Security",
diff --git a/src/pages/EditMonitor.vue b/src/pages/EditMonitor.vue
index b8e6b713..cab85fe9 100644
--- a/src/pages/EditMonitor.vue
+++ b/src/pages/EditMonitor.vue
@@ -119,6 +119,9 @@ {{ $t("needPushEvery", [monitor.interval]) }}
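Review bot: `exports.down` in db/knex_migrations/2023-10-11-1915-push-token-to-32.js shrinks `push_token` back to 20 characters, but by then monitors may hold 32-character tokens written by the new UI; depending on the database engine the rollback would presumably either fail or truncate them, and a truncated token silently breaks that monitor's push URL. Either state the consequence in the migration, e.g. `// NOTE: rolling back invalidates tokens longer than 20 chars; regenerate them afterwards`, or leave the column at 32 in `down`. Note also that `up` only widens the column: monitors created before this change keep their 10-character tokens until someone presses Reset Token, so operators should be told to rotate existing tokens. It is worth confirming that `.alter()` keeps the column's original nullability and default, since neither is restated here.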
{{ $t("pushOptionalParams", ["status, msg, ping"]) }} +
@@ -847,6 +850,8 @@ import { sleep } from "../util";
 const toast = useToast();
+const pushTokenLength = 32;
+
 const monitorDefaults = {
 type: "http",
 name: "",
@@ -1145,7 +1150,9 @@ message HealthCheckResponse {
 "monitor.type"() {
 if (this.monitor.type === "push") {
 if (! this.monitor.pushToken) {
- this.monitor.pushToken = genSecret(10);
+ // ideally this would require checking if the generated token is already used
+ // it's very unlikely to get a collision though (62^32 ~ 2.27265788 * 10^57 unique tokens)
+ this.monitor.pushToken = genSecret(pushTokenLength);
 }
 }
@@ -1348,6 +1355,10 @@ message HealthCheckResponse {
 return true;
 },
+ resetToken() {
+ this.monitor.pushToken = genSecret(pushTokenLength);
+ },
+
 /**
 * Submit the form data for processing
 * @returns {void}
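Review bot: In the `"monitor.type"` watcher the token is still minted in the browser, so the 62^32 figure in the new comment holds only if `genSecret` (defined outside this patch) draws uniformly from a cryptographically secure source; that should be confirmed and stated in the comment. The save handler is not part of this patch, so this is inferred, but if the server stores whatever `pushToken` the client submits, a modified client can still register a short or guessable token; a server-side check on length and character set, or generating the token on the server, would close that gap. The comment also concedes that uniqueness is not checked; if the schema allows it, a unique index on `monitor.push_token` would turn the unlikely collision into an explicit error instead of two monitors sharing one push URL. The watcher's body starts and ends outside the hunk.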
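Review bot: `resetToken()` has no JSDoc although the method that follows it is documented; add `/** Replace the current push token with a newly generated one. @returns {void} */` above it. As far as this hunk shows, the method only mutates `this.monitor.pushToken` in the form state, so the old push URL presumably stays valid until the monitor is saved and stops working afterwards; the doc comment should say so. A confirmation step before overwriting would protect existing senders from an accidental click, since every integration using the old URL has to be updated after a reset.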