Fixing security warnings. (#163)

* Putting ssl cert auth behind a config flag `DisableSSLCert`

* Removing bad password storing example.

* Handling exceptions on dyanmic method calls

* Adding rate limiting to http requests (60 requests per min)

* Fixing missing csrf security warning.

* Adding warning message to disabled self signed certs

SignallingWebServer/cirrus.js

@@ -31,7 +31,8 @@ const defaultConfig = {
 	HttpsPort: 443,
 	StreamerPort: 8888,
 	SFUPort: 8889,
-	MaxPlayerCount: -1
+	MaxPlayerCount: -1,
+	DisableSSLCert: true
 };
 
 const argv = require('yargs').argv;
@@ -78,8 +79,11 @@ if (config.UseFrontend) {
 	var httpPort = 3000;
 	var httpsPort = 8000;
 
-	//Required for self signed certs otherwise just get an error back when sending request to frontend see https://stackoverflow.com/a/35633993
-	process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"
+	if (config.UseHTTPS && config.DisableSSLCert) {
+		//Required for self signed certs otherwise just get an error back when sending request to frontend see https://stackoverflow.com/a/35633993
+		console.warn('WARNING: config.DisableSSLCert is true. Unauthorized SSL certificates will be allowed! This is convenient for local testing but please DO NOT SHIP THIS IN PRODUCTION. To remove this warning please set DisableSSLCert to false in your config.json.');
+		process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"
+	}
 
 	const httpsClient = require('./modules/httpsClient.js');
 	var webRequest = new httpsClient();
@@ -189,6 +193,16 @@ if (config.UseHTTPS) {
 
 sendGameSessionData();
 
+// set up rate limiter: maximum of five requests per minute
+var RateLimit = require('express-rate-limit');
+var limiter = RateLimit({
+  windowMs: 1*60*1000, // 1 minute
+  max: 60
+});
+
+// apply rate limiter to all requests
+app.use(limiter);
+
 //Setup the login page if we are using authentication
 if(config.UseAuthentication){
 	if(config.EnableWebserver) {
@@ -365,7 +379,6 @@ function logForward(srcName, destName, msg) {
 
 let WebSocket = require('ws');
 
-let streamerMessageHandlers = new Map();
 let sfuMessageHandlers = new Map();
 let playerMessageHandlers = new Map();
 
@@ -449,6 +462,7 @@ function forwardStreamerMessageToPlayer(streamer, msg) {
 	}
 }
 
+let streamerMessageHandlers = new Map();
 streamerMessageHandlers.set('endpointId', onStreamerMessageId);
 streamerMessageHandlers.set('ping', onStreamerMessagePing);
 streamerMessageHandlers.set('offer', forwardStreamerMessageToPlayer);
@@ -475,7 +489,7 @@ streamerServer.on('connection', function (ws, req) {
 		}
 
 		let handler = streamerMessageHandlers.get(msg.type);
-		if (!handler) {
+		if (!handler || (typeof handler != 'function')) {
 			if (config.LogVerbose) {
 				console.logColor(logging.White, "\x1b[37m-> %s\x1b[34m: %s", streamer.id, msgRaw);
 			}
@@ -577,7 +591,7 @@ sfuServer.on('connection', function (ws, req) {
 		}
 
 		let handler = sfuMessageHandlers.get(msg.type);
-		if (!handler) {
+		if (!handler || (typeof handler != 'function')) {
 			if (config.LogVerbose) {
 				console.logColor(logging.White, "\x1b[37m-> %s\x1b[34m: %s", SFUPlayerId, msgRaw);
 			}
@@ -718,7 +732,7 @@ playerServer.on('connection', function (ws, req) {
 		}
 
 		let handler = playerMessageHandlers.get(msg.type);
-		if (!handler) {
+		if (!handler || (typeof handler != 'function')) {
 			if (config.LogVerbose) {
 				console.logColor(logging.White, "\x1b[37m-> %s\x1b[34m: %s", playerId, msgRaw);
 			}

SignallingWebServer/modules/authentication/init.js

@@ -11,6 +11,7 @@ const bcrypt = require('bcryptjs');
 const LocalStrategy = require('passport-local').Strategy;
 const path = require('path');
 const fs = require('fs');
+const csrf = require('lusca').csrf;
 var db = require('./db');
 
 function initPassport (app) {
@@ -33,6 +34,8 @@ function initPassport (app) {
 		fs.writeFileSync(configPath, content);
 	}
 
+	app.use(csrf());
+
 	// Setup session id settings
 	app.use(session({
 		secret: config.sessionSecret,

SignallingWebServer/package.json

@@ -22,8 +22,10 @@
   "dependencies": {
     "bcryptjs": "^2.4.3",
     "express": "^4.18.2",
+    "express-rate-limit": "^6.7.0",
     "express-session": "^1.15.6",
     "helmet": "^3.21.3",
+    "lusca": "^1.7.0",
     "passport": "^0.6.0",
     "passport-local": "^1.0.0",
     "run-script-os": "^1.1.6",