#RI-4454 - Restrict loopback

Author: egor-zalenski

configs/webpack.config.renderer.prod.ts

@@ -23,8 +23,6 @@ const devtoolsConfig =
 const configuration: webpack.Configuration = {
   ...devtoolsConfig,
 
-  devtool: 'source-map',
-
   mode: 'production',
 
   target: ['web', 'electron-renderer'],

configs/webpack.config.renderer.stage.ts

@@ -10,6 +10,8 @@ DeleteSourceMaps();
 export default merge(baseConfig, {
   ...rendererProdConfig,
 
+  devtool: 'source-map',
+
   plugins: [
     ...rendererProdConfig.plugins,
 

redisinsight/api/package.json

@@ -21,7 +21,7 @@
     "format": "prettier --write \"src/**/*.ts\"",
     "lint": "eslint --ext .ts .",
     "start": "nest start",
-    "start:dev": "cross-env NODE_ENV=development SERVER_STATIC_CONTENT=1 nest start --watch",
+    "start:dev": "cross-env NODE_ENV=development BUILD_TYPE=DOCKER_ON_PREMISE SERVER_STATIC_CONTENT=1 nest start --watch",
     "start:debug": "nest start --debug --watch",
     "start:stage": "cross-env NODE_ENV=staging SERVER_STATIC_CONTENT=true node dist/src/main",
     "start:prod": "cross-env NODE_ENV=production node dist/src/main",

redisinsight/api/src/common/constants/api.ts

@@ -1,3 +1,4 @@
 export const API_PARAM_DATABASE_ID = 'dbInstance';
 export const API_HEADER_DATABASE_INDEX = 'ri-db-index';
+export const API_HEADER_WINDOW_ID = 'ri-window-id';
 export const API_PARAM_CLI_CLIENT_ID = 'uuid';

redisinsight/api/src/constants/error-messages.ts

@@ -64,4 +64,6 @@ export default {
   APP_SETTINGS_NOT_FOUND: () => 'Could not find application settings.',
   SERVER_INFO_NOT_FOUND: () => 'Could not find server info.',
   INCREASE_MINIMUM_LIMIT: (count: string) => `Set MAXSEARCHRESULTS to at least ${count}.`,
+  INVALID_WINDOW_ID: 'Invalid window id.',
+  UNDEFINED_WINDOW_ID: 'Undefined window id.',
 };

redisinsight/api/src/core.module.ts

@@ -10,6 +10,7 @@ import { AnalyticsModule } from 'src/modules/analytics/analytics.module';
 import { SshModule } from 'src/modules/ssh/ssh.module';
 import { NestjsFormDataModule } from 'nestjs-form-data';
 import { FeatureModule } from 'src/modules/feature/feature.module';
+import { AuthModule } from 'src/modules/auth/auth.module';
 
 @Global()
 @Module({
@@ -25,6 +26,7 @@ import { FeatureModule } from 'src/modules/feature/feature.module';
     SshModule,
     NestjsFormDataModule,
     FeatureModule.register(),
+    AuthModule.register(),
   ],
   exports: [
     EncryptionModule,

redisinsight/api/src/main.ts

@@ -1,7 +1,7 @@
 import 'dotenv/config';
 import { NestFactory } from '@nestjs/core';
 import { SwaggerModule } from '@nestjs/swagger';
-import { NestApplicationOptions } from '@nestjs/common';
+import { INestApplication, NestApplicationOptions } from '@nestjs/common';
 import * as bodyParser from 'body-parser';
 import { WinstonModule } from 'nest-winston';
 import { GlobalExceptionFilter } from 'src/exceptions/global-exception.filter';
@@ -14,7 +14,12 @@ import LOGGER_CONFIG from '../config/logger';
 
 const serverConfig = get('server');
 
-export default async function bootstrap(): Promise<Function> {
+interface IApp {
+  app: INestApplication
+  gracefulShutdown: Function
+}
+
+export default async function bootstrap(): Promise<IApp> {
   await migrateHomeFolder();
 
   const port = process.env.API_PORT || serverConfig.port;
@@ -67,7 +72,7 @@ export default async function bootstrap(): Promise<Function> {
   process.on('SIGTERM', gracefulShutdown);
   process.on('SIGINT', gracefulShutdown);
 
-  return gracefulShutdown;
+  return { app, gracefulShutdown };
 }
 
 if (process.env.APP_ENV !== 'electron') {

redisinsight/api/src/modules/auth/auth.module.ts

@@ -0,0 +1,22 @@
+import { Module } from '@nestjs/common';
+import config from 'src/utils/config';
+import { WindowAuthModule } from './window-auth/window-auth.module';
+import { BuildType } from '../server/models/server';
+
+const SERVER_CONFIG = config.get('server');
+
+@Module({})
+export class AuthModule {
+  static register() {
+    const imports = [];
+
+    if (SERVER_CONFIG.buildType === BuildType.Electron) {
+      imports.push(WindowAuthModule);
+    }
+
+    return {
+      module: AuthModule,
+      imports,
+    };
+  }
+}

redisinsight/api/src/modules/auth/window-auth/constants/exceptions.ts

@@ -0,0 +1,14 @@
+import { HttpException, HttpStatus } from '@nestjs/common';
+
+export class WindowUnauthorizedException extends HttpException {
+  constructor(message) {
+    super(
+      {
+        statusCode: HttpStatus.UNAUTHORIZED,
+        message,
+        error: 'Unauthorized',
+      },
+      HttpStatus.UNAUTHORIZED,
+    );
+  }
+}

redisinsight/api/src/modules/auth/window-auth/middleware/window.auth.middleware.ts

@@ -0,0 +1,42 @@
+import {
+  Injectable,
+  Logger,
+  NestMiddleware,
+} from '@nestjs/common';
+import { NextFunction, Request, Response } from 'express';
+import ERROR_MESSAGES from 'src/constants/error-messages';
+import { API_HEADER_WINDOW_ID } from 'src/common/constants';
+import { WindowAuthManager } from '../window-auth.manager';
+import { WindowUnauthorizedException } from '../constants/exceptions';
+
+@Injectable()
+export class WindowAuthMiddleware implements NestMiddleware {
+  private logger = new Logger('WindowAuthMiddleware');
+
+  constructor(
+    private windowAuthService: WindowAuthManager,
+  ) {}
+
+  async use(req: Request, res: Response, next: NextFunction): Promise<any> {
+    const { windowId } = WindowAuthMiddleware.getWindowIdFromReq(req);
+    const { isExists: isWindowExists = false } = await this.windowAuthService.getStrategy()?.isWindowExists(windowId)
+      ?? {};
+
+    if (!isWindowExists) {
+      this.throwError(req, ERROR_MESSAGES.UNDEFINED_WINDOW_ID);
+    }
+
+    next();
+  }
+
+  private static getWindowIdFromReq(req: Request) {
+    return { windowId: `${req?.headers?.[API_HEADER_WINDOW_ID]}` };
+  }
+
+  private throwError(req: Request, message: string) {
+    const { method, url } = req;
+    this.logger.error(`${message} ${method} ${url}`);
+
+    throw new WindowUnauthorizedException(message);
+  }
+}