From 4750ab5c9bc1b5019c89299b8494db98b9721784 Mon Sep 17 00:00:00 2001 From: tuanaiseo Date: Sat, 4 Apr 2026 22:49:45 +0700 Subject: [PATCH] fix(security): relay token check executes callback before verific In `serverTokenCheck`, the callback is invoked immediately (`callback()`) and its return value is stored, instead of storing the callback function. This means server startup/authenticated actions can run before token validation response is received, allowing unauthorized relay server registration/usage. Affected files: relay.js Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com> --- server/relay/relay.js | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/server/relay/relay.js b/server/relay/relay.js index 759ab163..c5b2bbe2 100644 --- a/server/relay/relay.js +++ b/server/relay/relay.js @@ -44,8 +44,13 @@ Relay = class Relay { try { data = JSON.parse(msg.data); if (data.name === "check_server_token") { - if (data.valid && (this.token_requests[data.token] != null)) { - this.token_requests[data.token](); + if (this.token_requests[data.token] != null) { + if (data.valid && (typeof this.token_requests[data.token].callback === "function")) { + this.token_requests[data.token].callback(); + } + if (this.token_requests[data.token].timeout != null) { + clearTimeout(this.token_requests[data.token].timeout); + } return delete this.token_requests[data.token]; } } @@ -94,7 +99,14 @@ Relay = class Relay { } serverTokenCheck(token, server_id, callback) { - this.token_requests[token] = callback(); + var request; + request = { + callback: callback + }; + request.timeout = setTimeout((() => { + return delete this.token_requests[token]; + }), 30000); + this.token_requests[token] = request; return this.client.send(JSON.stringify({ name: "check_server_token", server_id: server_id,