Merge pull request #1208 from adrianeastles/feature/setup-token-security

Add setup token security for initial server setup

server/db/pg/schema.ts

@@ -593,6 +593,14 @@ export const webauthnChallenge = pgTable("webauthnChallenge", {
     expiresAt: bigint("expiresAt", { mode: "number" }).notNull() // Unix timestamp
 });
 
+export const setupTokens = pgTable("setupTokens", {
+    tokenId: varchar("tokenId").primaryKey(),
+    token: varchar("token").notNull(),
+    used: boolean("used").notNull().default(false),
+    dateCreated: varchar("dateCreated").notNull(),
+    dateUsed: varchar("dateUsed")
+});
+
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
 export type Site = InferSelectModel<typeof sites>;
@@ -638,3 +646,4 @@ export type OlmSession = InferSelectModel<typeof olmSessions>;
 export type UserClient = InferSelectModel<typeof userClients>;
 export type RoleClient = InferSelectModel<typeof roleClients>;
 export type OrgDomains = InferSelectModel<typeof orgDomains>;
+export type SetupToken = InferSelectModel<typeof setupTokens>;

server/db/sqlite/schema.ts

@@ -187,6 +187,14 @@ export const webauthnChallenge = sqliteTable("webauthnChallenge", {
     expiresAt: integer("expiresAt").notNull() // Unix timestamp
 });
 
+export const setupTokens = sqliteTable("setupTokens", {
+    tokenId: text("tokenId").primaryKey(),
+    token: text("token").notNull(),
+    used: integer("used", { mode: "boolean" }).notNull().default(false),
+    dateCreated: text("dateCreated").notNull(),
+    dateUsed: text("dateUsed")
+});
+
 export const newts = sqliteTable("newt", {
     newtId: text("id").primaryKey(),
     secretHash: text("secretHash").notNull(),
@@ -680,3 +688,4 @@ export type ApiKey = InferSelectModel<typeof apiKeys>;
 export type ApiKeyAction = InferSelectModel<typeof apiKeyActions>;
 export type ApiKeyOrg = InferSelectModel<typeof apiKeyOrg>;
 export type OrgDomains = InferSelectModel<typeof orgDomains>;
+export type SetupToken = InferSelectModel<typeof setupTokens>;

server/routers/auth/index.ts

@@ -10,6 +10,7 @@ export * from "./resetPassword";
 export * from "./requestPasswordReset";
 export * from "./setServerAdmin";
 export * from "./initialSetupComplete";
+export * from "./validateSetupToken";
 export * from "./changePassword";
 export * from "./checkResourceSession";
 export * from "./securityKey";

server/routers/auth/setServerAdmin.ts

@@ -8,14 +8,15 @@ import logger from "@server/logger";
 import { hashPassword } from "@server/auth/password";
 import { passwordSchema } from "@server/auth/passwordSchema";
 import { response } from "@server/lib";
-import { db, users } from "@server/db";
-import { eq } from "drizzle-orm";
+import { db, users, setupTokens } from "@server/db";
+import { eq, and } from "drizzle-orm";
 import { UserType } from "@server/types/UserTypes";
 import moment from "moment";
 
 export const bodySchema = z.object({
     email: z.string().toLowerCase().email(),
-    password: passwordSchema
+    password: passwordSchema,
+    setupToken: z.string().min(1, "Setup token is required")
 });
 
 export type SetServerAdminBody = z.infer<typeof bodySchema>;
@@ -39,7 +40,27 @@ export async function setServerAdmin(
             );
         }
 
-        const { email, password } = parsedBody.data;
+        const { email, password, setupToken } = parsedBody.data;
+
+        // Validate setup token
+        const [validToken] = await db
+            .select()
+            .from(setupTokens)
+            .where(
+                and(
+                    eq(setupTokens.token, setupToken),
+                    eq(setupTokens.used, false)
+                )
+            );
+
+        if (!validToken) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Invalid or expired setup token"
+                )
+            );
+        }
 
         const [existing] = await db
             .select()
@@ -58,15 +79,27 @@ export async function setServerAdmin(
         const passwordHash = await hashPassword(password);
         const userId = generateId(15);
 
-        await db.insert(users).values({
-            userId: userId,
-            email: email,
-            type: UserType.Internal,
-            username: email,
-            passwordHash,
-            dateCreated: moment().toISOString(),
-            serverAdmin: true,
-            emailVerified: true
+        await db.transaction(async (trx) => {
+            // Mark the token as used
+            await trx
+                .update(setupTokens)
+                .set({
+                    used: true,
+                    dateUsed: moment().toISOString()
+                })
+                .where(eq(setupTokens.tokenId, validToken.tokenId));
+
+            // Create the server admin user
+            await trx.insert(users).values({
+                userId: userId,
+                email: email,
+                type: UserType.Internal,
+                username: email,
+                passwordHash,
+                dateCreated: moment().toISOString(),
+                serverAdmin: true,
+                emailVerified: true
+            });
         });
 
         return response<SetServerAdminResponse>(res, {

server/routers/auth/validateSetupToken.ts

@@ -0,0 +1,84 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db, setupTokens } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+
+const validateSetupTokenSchema = z
+    .object({
+        token: z.string().min(1, "Token is required")
+    })
+    .strict();
+
+export type ValidateSetupTokenResponse = {
+    valid: boolean;
+    message: string;
+};
+
+export async function validateSetupToken(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedBody = validateSetupTokenSchema.safeParse(req.body);
+
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { token } = parsedBody.data;
+
+        // Find the token in the database
+        const [setupToken] = await db
+            .select()
+            .from(setupTokens)
+            .where(
+                and(
+                    eq(setupTokens.token, token),
+                    eq(setupTokens.used, false)
+                )
+            );
+
+        if (!setupToken) {
+            return response<ValidateSetupTokenResponse>(res, {
+                data: {
+                    valid: false,
+                    message: "Invalid or expired setup token"
+                },
+                success: true,
+                error: false,
+                message: "Token validation completed",
+                status: HttpCode.OK
+            });
+        }
+
+        return response<ValidateSetupTokenResponse>(res, {
+            data: {
+                valid: true,
+                message: "Setup token is valid"
+            },
+            success: true,
+            error: false,
+            message: "Token validation completed",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to validate setup token"
+            )
+        );
+    }
+} 

server/routers/external.ts

@@ -1033,6 +1033,7 @@ authRouter.post("/idp/:idpId/oidc/validate-callback", idp.validateOidcCallback);
 
 authRouter.put("/set-server-admin", auth.setServerAdmin);
 authRouter.get("/initial-setup-complete", auth.initialSetupComplete);
+authRouter.post("/validate-setup-token", auth.validateSetupToken);
 
 // Security Key routes
 authRouter.post(

server/setup/ensureSetupToken.ts

@@ -0,0 +1,73 @@
+import { db, setupTokens, users } from "@server/db";
+import { eq } from "drizzle-orm";
+import { generateRandomString, RandomReader } from "@oslojs/crypto/random";
+import moment from "moment";
+import logger from "@server/logger";
+
+const random: RandomReader = {
+    read(bytes: Uint8Array): void {
+        crypto.getRandomValues(bytes);
+    }
+};
+
+function generateToken(): string {
+    // Generate a 32-character alphanumeric token
+    const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";
+    return generateRandomString(random, alphabet, 32);
+}
+
+function generateId(length: number): string {
+    const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";
+    return generateRandomString(random, alphabet, length);
+}
+
+export async function ensureSetupToken() {
+    try {
+        // Check if a server admin already exists
+        const [existingAdmin] = await db
+            .select()
+            .from(users)
+            .where(eq(users.serverAdmin, true));
+
+        // If admin exists, no need for setup token
+        if (existingAdmin) {
+            logger.warn("Server admin exists. Setup token generation skipped.");
+            return;
+        }
+
+        // Check if a setup token already exists
+        const existingTokens = await db
+            .select()
+            .from(setupTokens)
+            .where(eq(setupTokens.used, false));
+
+        // If unused token exists, display it instead of creating a new one
+        if (existingTokens.length > 0) {
+            console.log("=== SETUP TOKEN EXISTS ===");
+            console.log("Token:", existingTokens[0].token);
+            console.log("Use this token on the initial setup page");
+            console.log("================================");
+            return;
+        }
+
+        // Generate a new setup token
+        const token = generateToken();
+        const tokenId = generateId(15);
+
+        await db.insert(setupTokens).values({
+            tokenId: tokenId,
+            token: token,
+            used: false,
+            dateCreated: moment().toISOString(),
+            dateUsed: null
+        });
+
+        console.log("=== SETUP TOKEN GENERATED ===");
+        console.log("Token:", token);
+        console.log("Use this token on the initial setup page");
+        console.log("================================");
+    } catch (error) {
+        console.error("Failed to ensure setup token:", error);
+        throw error;
+    }
+} 

server/setup/index.ts

@@ -1,9 +1,11 @@
 import { ensureActions } from "./ensureActions";
 import { copyInConfig } from "./copyInConfig";
 import { clearStaleData } from "./clearStaleData";
+import { ensureSetupToken } from "./ensureSetupToken";
 
 export async function runSetupFunctions() {
     await copyInConfig(); // copy in the config to the db as needed
     await ensureActions(); // make sure all of the actions are in the db and the roles
     await clearStaleData();
+    await ensureSetupToken(); // ensure setup token exists for initial setup
 }

server/setup/migrationsPg.ts

@@ -8,6 +8,7 @@ import path from "path";
 import m1 from "./scriptsPg/1.6.0";
 import m2 from "./scriptsPg/1.7.0";
 import m3 from "./scriptsPg/1.8.0";
+import m4 from "./scriptsPg/1.9.0";
 
 // THIS CANNOT IMPORT ANYTHING FROM THE SERVER
 // EXCEPT FOR THE DATABASE AND THE SCHEMA
@@ -16,7 +17,8 @@ import m3 from "./scriptsPg/1.8.0";
 const migrations = [
     { version: "1.6.0", run: m1 },
     { version: "1.7.0", run: m2 },
-    { version: "1.8.0", run: m3 }
+    { version: "1.8.0", run: m3 },
+    { version: "1.9.0", run: m4 }
     // Add new migrations here as they are created
 ] as {
     version: string;

server/setup/migrationsSqlite.ts

@@ -25,6 +25,7 @@ import m20 from "./scriptsSqlite/1.5.0";
 import m21 from "./scriptsSqlite/1.6.0";
 import m22 from "./scriptsSqlite/1.7.0";
 import m23 from "./scriptsSqlite/1.8.0";
+import m24 from "./scriptsSqlite/1.9.0";
 
 // THIS CANNOT IMPORT ANYTHING FROM THE SERVER
 // EXCEPT FOR THE DATABASE AND THE SCHEMA
@@ -49,6 +50,7 @@ const migrations = [
     { version: "1.6.0", run: m21 },
     { version: "1.7.0", run: m22 },
     { version: "1.8.0", run: m23 },
+    { version: "1.9.0", run: m24 },
     // Add new migrations here as they are created
 ] as const;
 

server/setup/scriptsPg/1.9.0.ts

@@ -0,0 +1,25 @@
+import { db } from "@server/db/pg/driver";
+import { sql } from "drizzle-orm";
+
+const version = "1.9.0";
+
+export default async function migration() {
+    console.log(`Running setup script ${version}...`);
+
+    try {
+        await db.execute(sql`
+            CREATE TABLE "setupTokens" (
+                "tokenId" varchar PRIMARY KEY NOT NULL,
+                "token" varchar NOT NULL,
+                "used" boolean DEFAULT false NOT NULL,
+                "dateCreated" varchar NOT NULL,
+                "dateUsed" varchar
+            );
+        `);
+
+        console.log(`Added setupTokens table`);
+    } catch (e) {
+        console.log("Unable to add setupTokens table:", e);
+        throw e;
+    }
+} 

server/setup/scriptsSqlite/1.9.0.ts

@@ -0,0 +1,35 @@
+import { APP_PATH } from "@server/lib/consts";
+import Database from "better-sqlite3";
+import path from "path";
+
+const version = "1.9.0";
+
+export default async function migration() {
+    console.log(`Running setup script ${version}...`);
+
+    const location = path.join(APP_PATH, "db", "db.sqlite");
+    const db = new Database(location);
+
+    try {
+        db.pragma("foreign_keys = OFF");
+
+        db.transaction(() => {
+            db.exec(`
+                CREATE TABLE 'setupTokens' (
+                    'tokenId' text PRIMARY KEY NOT NULL,
+                    'token' text NOT NULL,
+                    'used' integer DEFAULT 0 NOT NULL,
+                    'dateCreated' text NOT NULL,
+                    'dateUsed' text
+                );
+            `);
+        })();
+
+        db.pragma("foreign_keys = ON");
+
+        console.log(`Added setupTokens table`);
+    } catch (e) {
+        console.log("Unable to add setupTokens table:", e);
+        throw e;
+    }
+}