From 49ac6e2e6b6f03011b2714c65b6fee092e470ffb Mon Sep 17 00:00:00 2001
From: June Kelly
Date: Fri, 24 Sep 2021 09:32:05 +0100
Subject: [PATCH] Merge pull request #4929 from overleaf/jk-fix-disconnect-users

Fix /disconnectAllUsers endpoint security

GitOrigin-RevId: 57858daa5a076c37332bc575e76ffd6b1a1bd914
---
 .../Features/ServerAdmin/AdminController.js | 13 +++++++-----
 services/web/app/src/router.js | 5 -----
 services/web/scripts/disconnect_all_users.js | 20 +++++++++++++++++++
 3 files changed, 28 insertions(+), 10 deletions(-)
 create mode 100644 services/web/scripts/disconnect_all_users.js

diff --git a/services/web/app/src/Features/ServerAdmin/AdminController.js b/services/web/app/src/Features/ServerAdmin/AdminController.js
index 5c77a5b963..836a594344 100644
--- a/services/web/app/src/Features/ServerAdmin/AdminController.js
+++ b/services/web/app/src/Features/ServerAdmin/AdminController.js
@@ -52,6 +52,13 @@ var updateOpenConnetionsMetrics = function () {
 setTimeout(updateOpenConnetionsMetrics, oneMinInMs)

 const AdminController = {
+ _sendDisconnectAllUsersMessage: delay => {
+ return EditorRealTimeController.emitToAll(
+ 'forceDisconnect',
+ 'Sorry, we are performing a quick update to the editor and need to close it down. Please refresh the page to continue.',
+ delay
+ )
+ },
 index: (req, res, next) => {
 let agents, url
 let agent
@@ -101,11 +108,7 @@ const AdminController = {
 disconnectAllUsers: (req, res) => {
 logger.warn('disconecting everyone')
 const delay = (req.query && req.query.delay) > 0 ? req.query.delay : 10
- EditorRealTimeController.emitToAll(
- 'forceDisconnect',
- 'Sorry, we are performing a quick update to the editor and need to close it down. Please refresh the page to continue.',
- delay
- )
+ this._sendDisconnectAllUsersMessage(delay)
 return res.sendStatus(200)
 },

diff --git a/services/web/app/src/router.js b/services/web/app/src/router.js
index 8fff0b2ef2..75f8ffac25 100644
--- a/services/web/app/src/router.js
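Review bot: `_sendDisconnectAllUsersMessage` is added with no documentation even though it is now the entry point used from outside this module (the new `scripts/disconnect_all_users.js` relies on it returning a promise it can `.then()`), so its contract should be spelled out above the definition, e.g. `/** Broadcast a 'forceDisconnect' to every connected editor client. @param {number} delay - grace period before clients disconnect (the CLI usage text says seconds; confirm against EditorRealTimeController). @returns {Promise} whatever EditorRealTimeController.emitToAll returns */`. The leading underscore signals "private" while the script makes it the public way to trigger a disconnect; an unprefixed name such as `sendDisconnectAllUsersMessage` would match how it is actually used. The `AdminController` object literal continues past the end of this hunk.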
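Review bot: `this._sendDisconnectAllUsersMessage(delay)` in the second AdminController.js hunk will not resolve to the helper, because `disconnectAllUsers` is an arrow function (`disconnectAllUsers: (req, res) => {`) and `this` inside it is the enclosing module scope's `this`, not the `AdminController` object; in a CommonJS module that is the initial `module.exports` object, so the call would throw a TypeError when the handler runs. Reference the object by name instead: `AdminController._sendDisconnectAllUsersMessage(delay)`. Since router.js drops the `/disconnectAllUsers` route in this same commit, the handler appears to be unreachable now, so deleting `disconnectAllUsers` outright (leaving only the helper used by the script) would avoid keeping a latent bug and an unparsed `req.query.delay` path around.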
+++ b/services/web/app/src/router.js
@@ -996,11 +996,6 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
 AdminController.unregisterServiceWorker
 )

- privateApiRouter.post(
- '/disconnectAllUsers',
- AdminController.disconnectAllUsers
- )
-
 privateApiRouter.get('/perfTest', (req, res) => res.send('hello'))

 publicApiRouter.get('/status', (req, res) => {
diff --git a/services/web/scripts/disconnect_all_users.js b/services/web/scripts/disconnect_all_users.js
new file mode 100644
index 0000000000..a50e58b693
--- /dev/null
+++ b/services/web/scripts/disconnect_all_users.js
@@ -0,0 +1,20 @@
+const AdminController = require('../app/src/Features/ServerAdmin/AdminController')
+
+if (require.main === module) {
+ if (['--help', 'help'].includes(process.argv[2])) {
+ console.log('\n usage: node disconnect_all_users.js [delay-in-seconds]\n')
+ process.exit(1)
+ }
+ const delaySecondsString = process.argv[2]
+ const delay = parseInt(delaySecondsString, 10) || 10
+ console.log(`Disconnect all users, with delay ${delay}`)
+ AdminController._sendDisconnectAllUsersMessage(delay)
+ .then(() => {
+ console.error('Done.')
+ process.exit(0)
+ })
+ .catch(err => {
+ console.error('Error', err)
+ process.exit(1)
+ })
+}
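Review bot: `const delay = parseInt(delaySecondsString, 10) || 10` silently turns a typo (`node disconnect_all_users.js 1O`), a negative value, or an explicit `0` into the 10-second default, so an operator who mistyped the grace period still kicks every user without any indication. For a script whose only job is a disruptive broadcast, reject bad input instead: `const delay = delaySecondsString === undefined ? 10 : Number.parseInt(delaySecondsString, 10)` followed by `if (!Number.isInteger(delay) || delay < 0) { console.error(`invalid delay: ${delaySecondsString}`); process.exit(1) }`. Two smaller points in the same hunk: the success path logs `console.error('Done.')` while the start message uses `console.log`, so stdout/stderr are split inconsistently and `console.log('Done.')` would be expected; and `--help` exits with status 1, which is conventionally reserved for failure.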