From 1be82b45d8f4c6aa63eefc470627ec555ac16d7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A5var=20Aamb=C3=B8=20Fosstveit?=
Date: Thu, 24 Oct 2019 00:01:24 +0200
Subject: [PATCH] Fixed server security issues.
---
 server/package.json | 3 +++
 server/server.js | 47 +++++++++++++++++++++++++++++++--------------
 2 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/server/package.json b/server/package.json
index 4a80107..67da924 100644
--- a/server/package.json
+++ b/server/package.json
@@ -9,12 +9,15 @@
 "dependencies": {
 "awaitqueue": "^1.0.0",
 "base-64": "^0.1.0",
+ "body-parser": "^1.19.0",
 "colors": "^1.4.0",
 "compression": "^1.7.4",
+ "cookie-parser": "^1.4.4",
 "debug": "^4.1.1",
 "express": "^4.17.1",
 "express-session": "^1.17.0",
 "express-socket.io-session": "^1.3.5",
+ "helmet": "^3.21.2",
 "mediasoup": "^3.0.12",
 "openid-client": "^3.7.3",
 "passport": "^0.4.0",
diff --git a/server/server.js b/server/server.js
index 32d953d..8d6ccdb 100755
--- a/server/server.js
+++ b/server/server.js
@@ -7,12 +7,15 @@ const fs = require('fs');
 const http = require('http');
 const spdy = require('spdy');
 const express = require('express');
+const bodyParser = require('body-parser');
+const cookieParser = require('cookie-parser');
 const compression = require('compression');
 const mediasoup = require('mediasoup');
 const AwaitQueue = require('awaitqueue');
 const Logger = require('./lib/Logger');
 const Room = require('./lib/Room');
 const base64 = require('base-64');
+const helmet = require('helmet');
 // auth
 const passport = require('passport');
 const { Issuer, Strategy } = require('openid-client');
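Review bot: The new `"body-parser": "^1.19.0"` dependency is redundant: `express` is already at `^4.17.1`, which ships the same parsers as `express.json()` and `express.urlencoded()`, so the extra package only widens the supply-chain surface without adding capability. Dropping the `body-parser` line here and the matching `const bodyParser = require('body-parser');` in the server.js hunk below, then calling the Express built-ins where the middleware is mounted, keeps the dependency set minimal. `cookie-parser` and `helmet` are genuine additions and are fine as pinned.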
@@ -49,20 +52,24 @@ const tls =
 const app = express();
+app.use(helmet.hsts());
+
+app.use(cookieParser());
+app.use(bodyParser.json());
+app.use(bodyParser.urlencoded({ extended: true }));
+
 const session = expressSession({
 secret : config.cookieSecret,
 resave : true,
 saveUninitialized : true,
- cookie : { secure: true }
+ cookie : {
+ secure : true,
+ httpOnly : true
+ }
 });
 app.use(session);
-let httpsServer;
-let io;
-let oidcClient;
-let oidcStrategy;
-
 passport.serializeUser((user, done) =>
 {
 done(null, user);
@@ -73,6 +80,11 @@ passport.deserializeUser((user, done) =>
 done(null, user);
 });
+let httpsServer;
+let io;
+let oidcClient;
+let oidcStrategy;
+
 const auth = config.auth;
 async function run()
@@ -261,15 +273,20 @@ async function setupAuth(oidcIssuer)
 room.peerAuthenticated(state.peerId);
- io.sockets.socket(state.id).emit('notification',
- {
- method : 'auth',
- data :
+ const socket = io.sockets.socket(state.id);
+
+ if (socket)
+ {
+ socket.emit('notification',
 {
- displayName : displayName,
- picture : photo
- }
- });
+ method : 'auth',
+ data :
+ {
+ displayName : displayName,
+ picture : photo
+ }
+ });
+ }
 res.send('');
 }
@@ -335,6 +352,8 @@ async function runWebSocketServer()
 {
 const { roomId, peerId } = socket.handshake.query;
+ logger.info('socket.io "connection" | [session:"%o"]', socket.handshake.session);
+
 if (!roomId || !peerId)
 {
 logger.warn('connection request without roomId and/or peerId');
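Review bot: `app.use(helmet.hsts());` enables only the Strict-Transport-Security header, so the other headers helmet is normally brought in for (X-Content-Type-Options, X-Frame-Options, X-Powered-By removal, …) are still absent; unless they are set elsewhere, `app.use(helmet());` is the call that matches the commit's stated purpose. The session cookie gains `httpOnly : true` but no `sameSite`, which express-session ^1.17.0 accepts as `cookie.sameSite`; `sameSite : 'lax'` would cut CSRF exposure for the cookie-backed socket.io session, while `'strict'` would likely break the OIDC redirect back from the identity provider, since that arrives as a cross-site navigation. `bodyParser.json()` and `bodyParser.urlencoded()` are mounted without an explicit `limit`, so the library's default body cap applies — acceptable if intended, but worth a one-line comment saying so.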
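Review bot: The new `if (socket)` guard in setupAuth silently drops the auth notification when no socket is registered for `state.id`, yet `room.peerAuthenticated(state.peerId)` has already run just above it, so the server can mark a peer authenticated while the client never learns of it and nothing is logged; add an `else` branch such as `logger.warn('auth notification dropped, no socket for id "%s"', state.id);` so the mismatch is visible. The guard also only helps if `io.sockets.socket(state.id)` returns a falsy value for an unknown id rather than throwing — that cannot be confirmed from this hunk, since the socket lookup API differs between socket.io major versions, so check it against the installed version. The body of setupAuth begins before this hunk.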
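Review bot: The added `logger.info('socket.io "connection" | [session:"%o"]', socket.handshake.session);` dumps the whole session object at info level on every connection, and since `passport.serializeUser` in the earlier hunk stores the complete user object with `done(null, user)`, that writes each user's identity claims (display name, picture, and whatever else the OIDC profile carries) into the server log per socket. Log only what diagnosis needs, for example `logger.debug('socket.io "connection" [hasSession:%s]', Boolean(socket.handshake.session));`, and keep per-user detail out of the info log. The enclosing connection handler continues outside the hunk.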