Anonymous can read and write to chat despite settings

[ByteAfterlife]

When in the plugin settings someone disables anonymous accounts from sending and receiving messages, anybody can still infact do it. It is hidden in the UI when the settings are chosen but the actual API never questions you twice.
When you run the curl command (or use any other HTTP client):
curl 'http://YOUR_HFS_DOMAIN/~/api/get_notifications?channel=chat' -H 'Accept: text/event-stream' -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,sr;q=0.7' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'Pragma: no-cache' -H 'Referer: http://YOUR_HFS_DOMAIN/' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin'

You are now connected to an EventStream, which shows you any new messages sent. Now, when someone sends a message, it's given straight to you in JSON.

I have not tested the separate list method to list previously sent messages, but I would suggest looking into that method as well.

You can also send messages as anonymous, again, despite settings.

curl 'http://YOUR_HFS_DOMAIN/~/api/chat/add' -H 'Accept: */*' -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,sr;q=0.7' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'Content-Type: text/plain;charset=UTF-8' -H 'Pragma: no-cache' -H 'Referer: http://YOUR_HFS_DOMAIN/' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' --data-raw '{"m":"Oh, you thought settings would save you?"}'

Then, you can check in HFS for the message, or you could check via my found method of just curling it, and you'd see, that the user "[anon]" sent a message saying "Oh, you thought settings would save you?"

As you can see, in both requests there are no cookies, meaning I am not presenting any authentication to the server. Yet it still accepts my message.

[ByteAfterlife]

Also, I could not find a way to properly disclose this as you do not have a SECURITY.md file setup in this repository.

[rejetto]

great find!

[rejetto]

@damienzonly just published a new version fixing this (supposedly)

[ByteAfterlife]

@damienzonly just published a new version fixing this (supposedly)

Thanks for the update! I'll test it as soon as I get back to my computer. Sorry for the late response.

[ByteAfterlife]

Hi!

It seems to be working correctly now, I am getting the Forbidden error when the settings are correct, a small change I think would be good is:

If Anonymous can view messages is on, I connect to the Viewing endpoint (http://(HFS_DOMAIN):8080/~/api/get_notifications?channel=chat) and then people are sending messages and so on, then the admin disables Anonymous can view messages, the anonymous eventstream is not terminated. Meaning any new messages sent will still be visible until I terminate the connection that I created when anonymous was allowed to view.

Steps to reproduce:

1. Enable "Anonymous can view" in plugin config
2. Run this curl command in terminal or equivalent in your preferred API client to establish a connection: curl 'http://(YOUR_HFS_DOMAIN):8080/~/api/get_notifications?channel=chat' -H 'Accept: text/event-stream' -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,sr;q=0.7' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -b 'nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true' -H 'Referer: http://(YOUR_HFS_DOMAIN):8080/'
3. Disable "Anonymous can view" without terminating the eventstream connection you made in step 2
4. Send a message into the chat
5. The anonymous eventstream will see it

My solution idea: When the setting (Anonymous can view) is changed from true to false, terminate all eventstream connections that didnt provide authentication if possible.