From b30b4f652bf0d8a2bfe2eb31ab17cdd0964cefd2 Mon Sep 17 00:00:00 2001
From: timothycarambat
Date: Tue, 13 Aug 2024 17:26:57 -0700
Subject: [PATCH] Encrypt/Decrypt pass in JWT value for verification in single-user password mode
---
 .github/workflows/dev-build.yaml | 2 +-
 server/endpoints/system.js | 5 +++-
 server/utils/middleware/validatedRequest.js | 28 ++++++++++++++-------
 3 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/dev-build.yaml b/.github/workflows/dev-build.yaml
index e3bb1d556e..aef9a6c35c 100644
--- a/.github/workflows/dev-build.yaml
+++ b/.github/workflows/dev-build.yaml
@@ -6,7 +6,7 @@ concurrency:
 on:
 push:
- branches: ['pipertts-support'] # put your current branch to create a build. Core team only.
+ branches: ['encrypt-jwt-value'] # put your current branch to create a build. Core team only.
 paths-ignore:
 - '**.md'
 - 'cloud-deployments/*'
diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index 5406202306..2b5e5c01b1 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -237,7 +237,10 @@ function systemEndpoints(app) {
 });
 response.status(200).json({
 valid: true,
- token: makeJWT({ p: new EncryptionManager().encrypt(password) }, "30d"),
+ token: makeJWT(
+ { p: new EncryptionManager().encrypt(password) },
+ "30d"
+ ),
 message: null,
 });
 }
diff --git a/server/utils/middleware/validatedRequest.js b/server/utils/middleware/validatedRequest.js
index 199645f180..f78709de21 100644
--- a/server/utils/middleware/validatedRequest.js
+++ b/server/utils/middleware/validatedRequest.js
@@ -12,14 +12,14 @@ async function validatedRequest(request, response, next) {
 // When in development passthrough auth token for ease of development.
 // Or if the user simply did not set an Auth token or JWT Secret
- // if (
- // process.env.NODE_ENV === "development" ||
- // !process.env.AUTH_TOKEN ||
- // !process.env.JWT_SECRET
- // ) {
- // next();
- // return;
- // }
+ if (
+ process.env.NODE_ENV === "development" ||
+ !process.env.AUTH_TOKEN ||
+ !process.env.JWT_SECRET
+ ) {
+ next();
+ return;
+ }
 if (!process.env.AUTH_TOKEN) {
 response.status(401).json({
@@ -48,7 +48,17 @@ async function validatedRequest(request, response, next) {
 return;
 }
- if (!bcrypt.compareSync(EncryptionMgr.decrypt(p), bcrypt.hashSync(process.env.AUTH_TOKEN, 10))) {
+ // Since the blame of this comment we have been encrypting the `p` property of JWTs with the persistent
+ // encryptionManager PEM's. This prevents us from storing the `p` unencrypted in the JWT itself, which could
+ // be unsafe. As a consequence, existing JWTs with invalid `p` values that do not match the regex
+ // in ln:44 will be marked invalid so they can be logged out and forced to log back in and obtain an encrypted token.
+ // This kind of methodology only applies to single-user password mode.
+ if (
+ !bcrypt.compareSync(
+ EncryptionMgr.decrypt(p),
+ bcrypt.hashSync(process.env.AUTH_TOKEN, 10)
+ )
+ ) {
 response.status(401).json({
 error: "Invalid auth credentials.",
 });
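Review bot: The `if (!process.env.AUTH_TOKEN)` check that follows the re-enabled guard is now unreachable: the guard already calls `next()` and returns whenever `AUTH_TOKEN` is unset, so the 401 for a missing token below it can never be sent. If passing requests through when no token is configured is the intended behaviour, that later branch is dead and should go; if it is not, the `!process.env.AUTH_TOKEN` clause should be removed from the guard — as written the two blocks encode opposite intents for the same condition. The `NODE_ENV === "development"` clause turns the middleware into a no-op, which deserves to be stated where it is decided, e.g. `// NODE_ENV=development makes this middleware a passthrough; it must never be set on a deployed instance.` validatedRequest's body continues past the end of this hunk.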
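Review bot: `bcrypt.hashSync(process.env.AUTH_TOKEN, 10)` recomputes a cost-10 bcrypt hash of the configured token on every request only so that `compareSync` can match the decrypted `p` against it; since both operands are plaintext at this point, the net effect is a string equality with a bcrypt round added to each request and no added protection for the configured secret. A constant-time comparison of equal-length buffers does the same job without the hashing: `const expected = Buffer.from(process.env.AUTH_TOKEN);`, `const given = Buffer.from(EncryptionMgr.decrypt(p));`, `if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) {` (`crypto` is Node's built-in module and would need to be brought into scope at the top of the file). The new comment points at `ln:44` for the regex check; a line number drifts with the next edit, so refer to the check by what it does (the format validation of `p` above this block) instead. If `EncryptionMgr.decrypt` can throw on a malformed `p` that still passes that regex, nothing in this hunk catches it — worth confirming against EncryptionManager and, if so, wrapping the decrypt so a failure answers 401 rather than escaping the async middleware.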