supernets/hardlounge
supernets/hardlounge
4
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

vapid: keep the file secret

Browse Source 
Contains a secret key, so we probably should keep it, well, secret.
Warn if the file is world readable.
This commit is contained in:
Reto Brunner 2021-11-23 17:53:00 +01:00
parent 212212fe70
commit dc3a387120
1 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/plugins/webpush.js
View File

@ -11,7 +11,28 @@ class WebPush {
constructor() { constructor() {
const vapidPath = path.join(Helper.getHomePath(), "vapid.json"); const vapidPath = path.join(Helper.getHomePath(), "vapid.json");
if (fs.existsSync(vapidPath)) { let vapidStat = undefined;
try {
vapidStat = fs.statSync(vapidPath);
} catch {
// ignored on purpose, node v14.17.0 will give us {throwIfNoEntry: false}
}
if (vapidStat) {
const isWorldReadable = (vapidStat.mode & 0o004) !== 0;
if (isWorldReadable) {
log.warn(
vapidPath,
"is world readable. The file contains secrets. Please fix the permissions"
);
if (require("os").platform() !== "win32") {
log.warn(`run \`chmod o= ${vapidPath}\` to correct it`);
}
}
const data = fs.readFileSync(vapidPath, "utf-8"); const data = fs.readFileSync(vapidPath, "utf-8");
const parsedData = JSON.parse(data); const parsedData = JSON.parse(data);
@ -29,7 +50,9 @@ class WebPush {
if (!this.vapidKeys) { if (!this.vapidKeys) {
this.vapidKeys = WebPushAPI.generateVAPIDKeys(); this.vapidKeys = WebPushAPI.generateVAPIDKeys();
fs.writeFileSync(vapidPath, JSON.stringify(this.vapidKeys, null, "\t")); fs.writeFileSync(vapidPath, JSON.stringify(this.vapidKeys, null, "\t"), {
mode: 0o600,
});
log.info("New VAPID key pair has been generated for use with push subscription."); log.info("New VAPID key pair has been generated for use with push subscription.");
} }