Fix session and login vulnerabilities

.gitignore

@@ -38,3 +38,6 @@ jspm_packages
 
 # Optional REPL history
 .node_repl_history
+
+# Environment files
+.env

README.md

@@ -20,7 +20,7 @@ YES, indeed it is powered by `Node.js v6` on `Raspberry PI 3`.
 
 
 
-## 2. Reuqirements
+## 2. Requirements
 ### 2.1 Equipment
 * [**Raspberry PI 3 Model B**](https://www.raspberrypi.org/products/raspberry-pi-3-model-b/) with the latest **Raspbian OS** installed
 * **Node.js v6.0**

create_env.js

@@ -0,0 +1,31 @@
+const fs = require('fs');
+const crypto = require('crypto');
+const bcrypt = require('bcrypt');
+const prompt = require('prompt');
+
+prompt.start();
+
+
+prompt.get({
+    properties: {
+      username: {
+        pattern: /^[a-zA-Z\s\-]+$/,
+        message: 'Username must be only letters, spaces, or dashes',
+        required: true
+      },
+      password: {
+        hidden: true
+      }
+    }
+  }, function (err, result) {
+    if (err) console.error('Failed to create a .env file');
+
+    const password = bcrypt.hashSync(result.password, 10)
+
+    fs.writeFile(
+        '.env',
+        'COOKIE_SECRET=' + crypto.randomBytes(40).toString('hex') + '\n' +
+        'USERNAME=' + result.username + '\n' +
+        'PASSWORD=' + password + '\n'
+    );
+});

lib/app.js

@@ -4,13 +4,15 @@ const express = require("express");
 const path = require("path");
 const session = require("express-session");
 const FileStore = require('session-file-store')(session);
-
+const dotenv = require('dotenv');
+var crypto = require("crypto");
 
 /**
  * Setup express app
  */
 const app = express();
 const passport = require("./passport");
+dotenv.config();
 
 /**
  * Parsers
@@ -19,7 +21,8 @@ app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: false }));
 app.use(cookieParser());
 app.use(session({
-    secret: "aedf1829f7",
+    secret: (process.env.COOKIE_SECRET && process.env.COOKIE_SECRET !== '') ?
+        process.env.COOKIE_SECRET : crypto.randomBytes(40).toString('hex'),
     resave: false,
     saveUninitialized: true,
     cookie: { secure: false, maxAge: 1000 * 60 * 60 * 24 * 100 },

lib/passport.js

@@ -1,13 +1,22 @@
 const LocalStrategy = require("passport-local").Strategy;
 const md5 = require("md5");
+const bcrypt = require('bcrypt');
 const passport = require("passport");
+const dotenv = require('dotenv');
+dotenv.config();
 
 passport.use("local", new LocalStrategy({
         usernameField: 'username',
         passwordField: 'password'
     },
     (username, password, done) => {
-        if (username === "admin" && md5(password) === "a99e2bc0efaa6c17888f2946aedc6be8")
+        const serverUsername = (process.env.USERNAME && process.env.USERNAME !== '') ?
+            process.env.USERNAME : 'admin';
+        const serverPassword = (process.env.PASSWORD && process.env.PASSWORD !== '') ?
+            process.env.PASSWORD : '$2y$10$BiQ8hbUWvjnu4Yi59i4e/u0LKMcoOzAn/5oeZjh5JrzekAeVn4oX.';
+
+        if (!process.env.PASSWORD) password = md5(password)
+        if (username === serverUsername && bcrypt.compareSync(password, serverPassword))
         {
             return done(null, {
                 id: "admin"

package.json

@@ -17,15 +17,18 @@
   },
   "homepage": "https://github.com/MagicCube/rpi-man#readme",
   "dependencies": {
+    "bcrypt": "3.0.6",
     "body-parser": "^1.15.2",
     "cookie-parser": "^1.4.3",
+    "dotenv": "8.0.0",
     "express": "^4.14.0",
     "express-session": "^1.14.0",
     "md5": "^2.1.0",
     "os-utils": "0.0.14",
     "passport": "^0.3.2",
     "passport-local": "^1.0.0",
     "pty.js": "^0.3.1",
+    "prompt": "1.0.0",
     "session-file-store": "^0.2.0",
     "socket.io": "^1.4.8"
   },

rpi-man-get

@@ -9,6 +9,8 @@ install()
 {
     echo "Installing rpi-man..."
     install_dependencies
+    echo "Generating .env file"
+    node create_env.js
     echo "Make rpi-man-server as global command..."
     ln -s $path/bin/rpi-man-server $bin_path
     echo "Make rpi-man-server run at startup..."