From 0bb8d73ba2969bc2c871c5095de19188a75b2b54 Mon Sep 17 00:00:00 2001
From: Richard Hansen
Date: Sat, 12 Sep 2020 23:35:41 -0400
Subject: [PATCH] PadMessageHandler: Always save the author ID in the session info

Before, the author ID was only saved in the session info during the initial CLIENT_READY, not when the client sent a CLIENT_READY due to a reconnect. This caused the handling of subsequent messages to use an undefined author ID.
---
 src/node/handler/PadMessageHandler.js | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index e311e9db..8f354792 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -53,7 +53,7 @@ const rateLimiter = new RateLimiterMemory({
  * readonlyPadId = The readonly pad id of the pad
  * readonly = Wether the client has only read access (true) or read/write access (false)
  * rev = That last revision that was send to this client
- * author = the author name of this session
+ * author = the author ID used for this session
  */
 var sessioninfos = {};
 exports.sessioninfos = sessioninfos;
@@ -219,7 +219,7 @@ exports.handleMessage = async function(client, message)
   }
 
   const {session: {user} = {}} = client.client.request;
-  const {accessStatus} =
+  const {accessStatus, authorID} =
       await securityManager.checkAccess(padId, auth.sessionID, auth.token, auth.password, user);
   if (accessStatus !== "grant") {
@@ -227,6 +227,19 @@ exports.handleMessage = async function(client, message)
     client.json.send({ accessStatus });
     return;
   }
+  if (thisSession.author != null && thisSession.author !== authorID) {
+    messageLogger.warn( 'Rejecting message from client because the author ID changed mid-session.' + ' Bad or missing token or sessionID?' + ` socket:${client.id}` + ` IP:${settings.disableIPlogging ? ANONYMOUS : remoteAddress[client.id]}` + ` originalAuthorID:${thisSession.author}` + ` newAuthorID:${authorID}` + ` message:${message}`);
+    client.json.send({disconnect: 'rejected'});
+    return;
+  }
+  thisSession.author = authorID;
 
   // Allow plugins to bypass the readonly message blocker
   if ((await hooks.aCallAll('handleMessageSecurity', {client, message})).some((w) => w === true)) {
@@ -1124,8 +1137,6 @@ async function handleClientReady(client, message)
   // Save the current revision in sessioninfos, should be the same as in clientVars
   sessionInfo.rev = pad.getHeadRevisionNumber();
 
-  sessionInfo.author = authorID;
-
   // prepare the notification for the other users on the pad, that this user joined
   let messageToTheOtherUsers = {
     "type": "COLLABROOM",
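Review bot: The `message:` field of the new warn call interpolates `message` directly into a template literal, and since `message` is the parsed client object that renders as `[object Object]`, so the rejection log carries none of the detail it was meant to capture. The obvious fix, `JSON.stringify(message)`, should not be used here: the `auth.token` and `auth.password` passed to `checkAccess` in the previous hunk appear to come from the client message, and a CLIENT_READY would then land credentials in the log; logging only the type, `message.type`, keeps the line useful without that exposure. The rejected branch also sends `{disconnect: 'rejected'}` but does not itself close the socket, so whether the peer can keep sending depends on handling outside this hunk. `thisSession`, `settings`, `ANONYMOUS` and `remoteAddress` are defined outside the hunk, and `exports.handleMessage` begins before and continues after it.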