Security Updates

2026-03-06 12:30:05 +02:00
parent ffbaf0ee1d
commit ec8e8911ce
8 changed files with 277 additions and 78 deletions
--- a/src/state/manager.go
+++ b/src/state/manager.go
@@ -76,6 +76,10 @@ func (m *Manager) CreateRoom(input CreateRoomInput) (CreateRoomResult, error) {
 	adminToken := randomHex(24)
 	creatorID := newUUIDv4()
 	now := nowUTC()
+	allowVoteChange := true
+	if input.AllowVoteChange != nil {
+		allowVoteChange = *input.AllowVoteChange
+	}

 	settings := RoomSettings{
 		RoomName:         roomName,
@@ -84,6 +88,7 @@ func (m *Manager) CreateRoom(input CreateRoomInput) (CreateRoomResult, error) {
 		AllowSpectators:  input.AllowSpectators,
 		AnonymousVoting:  input.AnonymousVoting,
 		AutoReset:        input.AutoReset,
+		AllowVoteChange:  allowVoteChange,
 		RevealMode:       revealMode,
 		VotingTimeoutSec: max(0, input.VotingTimeoutSec),
 	}
@@ -95,7 +100,8 @@ func (m *Manager) CreateRoom(input CreateRoomInput) (CreateRoomResult, error) {
 	}

 	creator := &Participant{
-		ID:        creatorID,
+		ID:           creatorID,
+		SessionToken: randomHex(24),
 		Username:  creatorUsername,
 		Role:      RoleParticipant,
 		IsAdmin:   true,
@@ -139,6 +145,7 @@ func (m *Manager) CreateRoom(input CreateRoomInput) (CreateRoomResult, error) {
 	result := CreateRoomResult{
 		RoomID:               roomID,
 		CreatorParticipantID: creatorID,
+		CreatorSessionToken:  creator.SessionToken,
 		AdminToken:           adminToken,
 		ParticipantLink:      "/room/" + roomID,
 		AdminLink:            "/room/" + roomID + "?adminToken=" + adminToken,
@@ -183,6 +190,9 @@ func (m *Manager) JoinRoom(roomID string, input JoinRoomInput) (JoinRoomResult,
 		if !ok {
 			return JoinRoomResult{}, ErrParticipantNotFound
 		}
+		if !secureTokenMatches(existing.SessionToken, input.SessionToken) {
+			return JoinRoomResult{}, ErrUnauthorized
+		}

 		wasConnected := existing.Connected
 		existing.Username = username
@@ -203,6 +213,7 @@ func (m *Manager) JoinRoom(roomID string, input JoinRoomInput) (JoinRoomResult,
 		go m.broadcastRoom(room.ID)
 		return JoinRoomResult{
 			ParticipantID: existing.ID,
+			SessionToken:  existing.SessionToken,
 			IsAdmin:       existing.IsAdmin,
 			Role:          existing.Role,
 			Username:      existing.Username,
@@ -226,7 +237,8 @@ func (m *Manager) JoinRoom(roomID string, input JoinRoomInput) (JoinRoomResult,
 	}

 	participant := &Participant{
-		ID:        newUUIDv4(),
+		ID:           newUUIDv4(),
+		SessionToken: randomHex(24),
 		Username:  username,
 		Role:      role,
 		IsAdmin:   isAdminByToken,
@@ -247,13 +259,14 @@ func (m *Manager) JoinRoom(roomID string, input JoinRoomInput) (JoinRoomResult,
 	go m.broadcastRoom(room.ID)
 	return JoinRoomResult{
 		ParticipantID: participant.ID,
+		SessionToken:  participant.SessionToken,
 		IsAdmin:       participant.IsAdmin,
 		Role:          participant.Role,
 		Username:      participant.Username,
 	}, nil
 }

-func (m *Manager) LeaveRoom(roomID, participantID string) error {
+func (m *Manager) LeaveRoom(roomID, participantID, sessionToken string) error {
 	room, err := m.getRoom(roomID)
 	if err != nil {
 		return err
@@ -262,9 +275,9 @@ func (m *Manager) LeaveRoom(roomID, participantID string) error {
 	room.mu.Lock()
 	defer room.mu.Unlock()

-	participant, ok := room.Participants[participantID]
-	if !ok {
-		return ErrParticipantNotFound
+	participant, err := m.authorizeParticipantLocked(room, participantID, sessionToken)
+	if err != nil {
+		return err
 	}

 	if !participant.Connected {
@@ -281,7 +294,7 @@ func (m *Manager) LeaveRoom(roomID, participantID string) error {
 	return nil
 }

-func (m *Manager) CastVote(roomID, participantID, card string) error {
+func (m *Manager) CastVote(roomID, participantID, sessionToken, card string) error {
 	room, err := m.getRoom(roomID)
 	if err != nil {
 		return err
@@ -290,9 +303,9 @@ func (m *Manager) CastVote(roomID, participantID, card string) error {
 	room.mu.Lock()
 	defer room.mu.Unlock()

-	participant, ok := room.Participants[participantID]
-	if !ok {
-		return ErrParticipantNotFound
+	participant, err := m.authorizeParticipantLocked(room, participantID, sessionToken)
+	if err != nil {
+		return err
 	}
 	if participant.Role != RoleParticipant {
 		return ErrUnauthorized
@@ -303,19 +316,26 @@ func (m *Manager) CastVote(roomID, participantID, card string) error {
 		return ErrInvalidCard
 	}

-	if room.Round.Revealed {
-		if room.Settings.AutoReset {
-			m.resetVotesLocked(room)
-		} else {
-			return ErrUnauthorized
+	if participant.HasVoted {
+		if participant.VoteValue == normalizedCard {
+			return nil
+		}
+		if !room.Settings.AllowVoteChange {
+			return ErrVoteChangeLocked
 		}
 	}

+	previousVote := participant.VoteValue
+	hadVoted := participant.HasVoted
 	participant.HasVoted = true
 	participant.VoteValue = normalizedCard
 	participant.UpdatedAt = nowUTC()
 	room.UpdatedAt = nowUTC()
-	m.appendActivityLogLocked(room, "%s voted %s.", participant.Username, normalizedCard)
+	if hadVoted {
+		m.appendActivityLogLocked(room, "%s changed vote from %s to %s.", participant.Username, previousVote, normalizedCard)
+	} else {
+		m.appendActivityLogLocked(room, "%s voted %s.", participant.Username, normalizedCard)
+	}

 	if room.Settings.RevealMode == RevealModeAutoAll && allActiveParticipantsVoted(room) {
 		room.Round.Revealed = true
@@ -330,7 +350,7 @@ func (m *Manager) CastVote(roomID, participantID, card string) error {
 	return nil
 }

-func (m *Manager) RevealVotes(roomID, participantID string) error {
+func (m *Manager) RevealVotes(roomID, participantID, sessionToken string) error {
 	room, err := m.getRoom(roomID)
 	if err != nil {
 		return err
@@ -339,9 +359,9 @@ func (m *Manager) RevealVotes(roomID, participantID string) error {
 	room.mu.Lock()
 	defer room.mu.Unlock()

-	participant, ok := room.Participants[participantID]
-	if !ok {
-		return ErrParticipantNotFound
+	participant, err := m.authorizeParticipantLocked(room, participantID, sessionToken)
+	if err != nil {
+		return err
 	}
 	if !participant.IsAdmin {
 		return ErrUnauthorized
@@ -359,7 +379,7 @@ func (m *Manager) RevealVotes(roomID, participantID string) error {
 	return nil
 }

-func (m *Manager) ResetVotes(roomID, participantID string) error {
+func (m *Manager) ResetVotes(roomID, participantID, sessionToken string) error {
 	room, err := m.getRoom(roomID)
 	if err != nil {
 		return err
@@ -368,9 +388,9 @@ func (m *Manager) ResetVotes(roomID, participantID string) error {
 	room.mu.Lock()
 	defer room.mu.Unlock()

-	participant, ok := room.Participants[participantID]
-	if !ok {
-		return ErrParticipantNotFound
+	participant, err := m.authorizeParticipantLocked(room, participantID, sessionToken)
+	if err != nil {
+		return err
 	}
 	if !participant.IsAdmin {
 		return ErrUnauthorized
@@ -388,17 +408,17 @@ func (m *Manager) ResetVotes(roomID, participantID string) error {
 	return nil
 }

-func (m *Manager) Subscribe(roomID, participantID string) (<-chan []byte, []byte, func(), error) {
+func (m *Manager) Subscribe(roomID, participantID, sessionToken string) (<-chan []byte, []byte, func(), error) {
 	room, err := m.getRoom(roomID)
 	if err != nil {
 		return nil, nil, nil, err
 	}

 	room.mu.Lock()
-	participant, ok := room.Participants[participantID]
-	if !ok {
+	participant, authErr := m.authorizeParticipantLocked(room, participantID, sessionToken)
+	if authErr != nil {
 		room.mu.Unlock()
-		return nil, nil, nil, ErrParticipantNotFound
+		return nil, nil, nil, authErr
 	}

 	participant.Connected = true
@@ -466,6 +486,17 @@ func (m *Manager) getRoom(roomID string) (*Room, error) {
 	return room, nil
 }

+func (m *Manager) authorizeParticipantLocked(room *Room, participantID, sessionToken string) (*Participant, error) {
+	participant, ok := room.Participants[participantID]
+	if !ok {
+		return nil, ErrParticipantNotFound
+	}
+	if !secureTokenMatches(participant.SessionToken, sessionToken) {
+		return nil, ErrUnauthorized
+	}
+	return participant, nil
+}
+
 func (m *Manager) loadFromDisk() error {
 	persistedRooms, err := m.store.LoadAll()
 	if err != nil {
@@ -473,20 +504,52 @@ func (m *Manager) loadFromDisk() error {
 	}

 	for _, persisted := range persistedRooms {
+		allowVoteChange := true
+		if persisted.Settings.AllowVoteChange != nil {
+			allowVoteChange = *persisted.Settings.AllowVoteChange
+		}
+		settings := RoomSettings{
+			RoomName:         persisted.Settings.RoomName,
+			MaxPeople:        persisted.Settings.MaxPeople,
+			Cards:            append([]string(nil), persisted.Settings.Cards...),
+			AllowSpectators:  persisted.Settings.AllowSpectators,
+			AnonymousVoting:  persisted.Settings.AnonymousVoting,
+			AutoReset:        persisted.Settings.AutoReset,
+			AllowVoteChange:  allowVoteChange,
+			RevealMode:       persisted.Settings.RevealMode,
+			VotingTimeoutSec: persisted.Settings.VotingTimeoutSec,
+			PasswordSalt:     persisted.Settings.PasswordSalt,
+			PasswordHash:     persisted.Settings.PasswordHash,
+		}
+
 		room := &Room{
 			ID:           persisted.ID,
 			AdminToken:   persisted.AdminToken,
 			CreatedAt:    persisted.CreatedAt,
 			UpdatedAt:    persisted.UpdatedAt,
-			Settings:     persisted.Settings,
+			Settings:     settings,
 			Round:        persisted.Round,
 			Participants: make(map[string]*Participant, len(persisted.Participants)),
 			ActivityLog:  append([]ActivityLogEntry(nil), persisted.ActivityLog...),
 			subscribers:  map[string]*subscriber{},
 		}
 		for _, participant := range persisted.Participants {
-			participant.Connected = false
-			room.Participants[participant.ID] = participant
+			sessionToken := participant.SessionToken
+			if sessionToken == "" {
+				sessionToken = randomHex(24)
+			}
+			room.Participants[participant.ID] = &Participant{
+				ID:           participant.ID,
+				SessionToken: sessionToken,
+				Username:     participant.Username,
+				Role:         participant.Role,
+				IsAdmin:      participant.IsAdmin,
+				Connected:    false,
+				HasVoted:     participant.HasVoted,
+				VoteValue:    participant.VoteValue,
+				JoinedAt:     participant.JoinedAt,
+				UpdatedAt:    participant.UpdatedAt,
+			}
 		}

 		m.rooms[room.ID] = room
@@ -496,10 +559,21 @@ func (m *Manager) loadFromDisk() error {
 }

 func (room *Room) toPersisted() persistedRoom {
-	participants := make([]*Participant, 0, len(room.Participants))
+	allowVoteChange := room.Settings.AllowVoteChange
+	participants := make([]*persistedParticipant, 0, len(room.Participants))
 	for _, participant := range sortParticipants(room.Participants) {
-		clone := *participant
-		participants = append(participants, &clone)
+		participants = append(participants, &persistedParticipant{
+			ID:           participant.ID,
+			SessionToken: participant.SessionToken,
+			Username:     participant.Username,
+			Role:         participant.Role,
+			IsAdmin:      participant.IsAdmin,
+			Connected:    participant.Connected,
+			HasVoted:     participant.HasVoted,
+			VoteValue:    participant.VoteValue,
+			JoinedAt:     participant.JoinedAt,
+			UpdatedAt:    participant.UpdatedAt,
+		})
 	}

 	return persistedRoom{
@@ -507,7 +581,19 @@ func (room *Room) toPersisted() persistedRoom {
 		AdminToken:   room.AdminToken,
 		CreatedAt:    room.CreatedAt,
 		UpdatedAt:    room.UpdatedAt,
-		Settings:     room.Settings,
+		Settings: persistedRoomSettings{
+			RoomName:         room.Settings.RoomName,
+			MaxPeople:        room.Settings.MaxPeople,
+			Cards:            append([]string(nil), room.Settings.Cards...),
+			AllowSpectators:  room.Settings.AllowSpectators,
+			AnonymousVoting:  room.Settings.AnonymousVoting,
+			AutoReset:        room.Settings.AutoReset,
+			AllowVoteChange:  &allowVoteChange,
+			RevealMode:       room.Settings.RevealMode,
+			VotingTimeoutSec: room.Settings.VotingTimeoutSec,
+			PasswordSalt:     room.Settings.PasswordSalt,
+			PasswordHash:     room.Settings.PasswordHash,
+		},
 		Round:        room.Round,
 		Participants: participants,
 		ActivityLog:  append([]ActivityLogEntry(nil), room.ActivityLog...),
@@ -583,6 +669,7 @@ func (m *Manager) marshalRoomState(room *Room, viewerParticipantID string) ([]by
 		AllowSpectators:   room.Settings.AllowSpectators,
 		AnonymousVoting:   room.Settings.AnonymousVoting,
 		AutoReset:         room.Settings.AutoReset,
+		AllowVoteChange:   room.Settings.AllowVoteChange,
 		VotingTimeoutSec:  room.Settings.VotingTimeoutSec,
 		Participants:      participants,
 		SelfParticipantID: viewerParticipantID,