diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index 5d35ca2a7..445b6f318 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -79,7 +79,10 @@ import logger from "@server/logger";
 import { decrypt } from "@server/lib/crypto";
 import config from "@server/lib/config";
 import { exchangeSession } from "@server/routers/badger";
-import { validateResourceSessionToken } from "@server/auth/sessions/resource";
+import {
+ ResourceSessionValidationResult,
+ validateResourceSessionToken
+} from "@server/auth/sessions/resource";
 import { checkExitNodeOrg, resolveExitNodes } from "#private/lib/exitNodes";
 import { maxmindLookup } from "@server/db/maxmind";
 import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
@@ -1754,11 +1757,34 @@ hybridRouter.post(
 resourceId
 );
+ // this is for backward compatibility with nodes that did not have the policy id checking
+ const modifiedResult: ResourceSessionValidationResult = {
+ ...result,
+ resourceSession: result.resourceSession
+ ? {
+ ...result.resourceSession,
+ // Prefer policy IDs, but keep legacy IDs populated for older nodes.
+ pincodeId:
+ result.resourceSession.policyPincodeId ??
+ result.resourceSession.pincodeId ??
+ null,
+ passwordId:
+ result.resourceSession.policyPasswordId ??
+ result.resourceSession.passwordId ??
+ null,
+ whitelistId:
+ result.resourceSession.policyWhitelistId ??
+ result.resourceSession.whitelistId ??
+ null
+ }
+ : null
+ };
+
 return response(res, {
- data: result,
+ data: modifiedResult,
 success: true,
 error: false,
- message: result.resourceSession
+ message: modifiedResult.resourceSession
 ? "Resource session token is valid"
 : "Resource session token is invalid or expired",
 status: HttpCode.OK
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index 1735ed558..0f1b1c23c 100644
--- a/server/routers/badger/verifySession.ts
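Review bot: In the `modifiedResult` block of the `@@ -1754` hunk, the legacy `pincodeId`, `passwordId` and `whitelistId` fields are overwritten with the policy-level IDs whenever those are set, so an older node receives a policy ID in a field it presumably compares against the resource's own auth-method IDs. If the two ID families come from separate tables or sequences (not visible here), equal numeric values could make an older node treat the session as bound to a different credential than the one that was actually checked. The existing comment should state that assumption, for example `// legacy and policy IDs must never collide: older nodes compare these fields against resource-level auth IDs`, and it is worth confirming that forwarding the `policy*` fields through the spread is intended. The `hybridRouter.post(` handler starts and ends outside the hunk.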
+++ b/server/routers/badger/verifySession.ts
@@ -20,7 +20,8 @@ import {
 ResourcePolicyPincode,
 ResourcePolicyPassword,
 ResourcePolicyHeaderAuth,
- ResourceRule
+ ResourceRule,
+ ResourceSession
 } from "@server/db";
 import config from "@server/lib/config";
 import { isIpInCidr, stripPortFromHost } from "@server/lib/ip";
@@ -536,7 +537,8 @@ export async function verifyResourceSession(
 if (resourceSessionToken) {
 const sessionCacheKey = `session:${resourceSessionToken}`;
- let resourceSession: any = localCache.get(sessionCacheKey);
+ let resourceSession: ResourceSession | null | undefined =
+ localCache.get(sessionCacheKey);
 if (!resourceSession) {
 const result = await validateResourceSessionToken(
@@ -671,7 +673,7 @@ export async function verifyResourceSession(
 orgId: resource.orgId,
 location: ipCC,
 apiKey: {
- name: resourceSession.accessTokenTitle,
+ name: null,
 apiKeyId: resourceSession.accessTokenId
 }
 },
@@ -717,7 +719,7 @@ export async function verifyResourceSession(
 location: ipCC,
 user: {
 username: allowedUserData.username,
- userId: resourceSession.userId
+ userId: allowedUserData.userId
 }
 },
 parsedBody.data
diff --git a/src/app/[orgId]/settings/resources/private/page.tsx b/src/app/[orgId]/settings/resources/private/page.tsx
index f90bc91c7..23ff86296 100644
--- a/src/app/[orgId]/settings/resources/private/page.tsx
+++ b/src/app/[orgId]/settings/resources/private/page.tsx
@@ -108,10 +108,7 @@ export default async function ClientResourcesPage(
 siteNiceId: siteResource.siteNiceIds[idx],
 online: siteResource.siteOnlines[idx]
 })),
- mode:
- siteResource.pamMode && siteResource.mode === "host"
- ? "ssh"
- : siteResource.mode,
+ mode: siteResource.mode,
 scheme: siteResource.scheme,
 ssl: siteResource.ssl,
 siteNames: siteResource.siteNames,
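Review bot: The new annotation on `resourceSession` in the `@@ -536` hunk is only as strong as the return type of `localCache.get`, which is not visible here; if that method returns `any`, the declaration is an unchecked assertion over whatever was stored under `session:${resourceSessionToken}`. If the cache API accepts a type argument, `localCache.get<ResourceSession>(sessionCacheKey)` keeps the read and the declared type together; otherwise a short comment naming the code path that writes this cache key would help the next reader trust the shape. `verifyResourceSession` continues outside the hunk.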
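Review bot: What looks like the request-log entry in the `@@ -671` hunk now records `name: null` for access-token sessions, so the log identifies the token only by `apiKeyId`, and an entry can no longer be attributed by name once the token has been deleted or rotated. Presumably `ResourceSession` has no `accessTokenTitle` field and the old expression was always undefined, in which case a comment such as `// ResourceSession carries no token title; resolve it from accessTokenId if the log needs a name` would record why. The `@@ -717` hunk makes the related change of taking `userId` from `allowedUserData` instead of the session, so the logged identity there depends on `allowedUserData` being derived from this same session, which the hunk does not show. Both edits sit inside `verifyResourceSession`, which starts and ends outside the hunks.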