From 96f22b6a82db502bf91df4b624d148803f480e98 Mon Sep 17 00:00:00 2001 From: posimai Date: Sun, 19 Apr 2026 13:06:14 +0900 Subject: [PATCH] fix(together): close JWT legacy-fallback impersonation hole When JWT is present but strict member check fails, verify the body username belongs to the JWT user before allowing legacy access. JWT-less clients (no Authorization header) are unaffected. Co-Authored-By: Claude Sonnet 4.6 --- server.js | 180 +++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 137 insertions(+), 43 deletions(-) diff --git a/server.js b/server.js index fcf61d62..6976a052 100644 --- a/server.js +++ b/server.js @@ -715,6 +715,13 @@ async function initDB() { `ALTER TABLE users ADD COLUMN IF NOT EXISTS plan VARCHAR(20) NOT NULL DEFAULT 'free'`, `ALTER TABLE users ADD COLUMN IF NOT EXISTS stripe_customer_id TEXT`, `ALTER TABLE users ADD COLUMN IF NOT EXISTS stripe_subscription_id TEXT`, + + // Together: メンバーと Posimai ログインユーザーの紐付け(JWT 強化用・既存 PK は維持) + `ALTER TABLE together_members ADD COLUMN IF NOT EXISTS user_id VARCHAR(50)`, + `CREATE INDEX IF NOT EXISTS idx_together_members_user_id ON together_members(user_id) WHERE user_id IS NOT NULL`, + // username = users.user_id または users.name と一致する行のみ自動紐付け(冪等) + `UPDATE together_members tm SET user_id = u.user_id FROM users u + WHERE tm.user_id IS NULL AND (tm.username = u.user_id OR tm.username = u.name)`, ]; for (const sql of migrations) { await pool.query(sql).catch(e => console.warn('[DB] Migration warning:', e.message)); @@ -730,6 +737,117 @@ async function initDB() { console.log('[DB] Schema ready. Users:', Object.values(KEY_MAP).join(', ')); } +// ── Together: 任意 JWT(Authorization のみ。GET の query key は使わない)──────── +function getOptionalJwtUserIdFromHeader(req) { + const auth = req.headers.authorization || ''; + if (!auth.toLowerCase().startsWith('bearer ')) return null; + const token = auth.substring(7).trim(); + if (!token || token.startsWith('pk_') || !token.includes('.')) return null; + try { + const payload = jwt.verify(token, JWT_SECRET); + return payload.userId || null; + } catch (_) { + return null; + } +} + +function getTogetherJwtUserId(req) { + if (process.env.TOGETHER_DISABLE_JWT === '1' || /^true$/i.test(process.env.TOGETHER_DISABLE_JWT || '')) { + return null; + } + return getOptionalJwtUserIdFromHeader(req); +} + +/** + * Together メンバー確認。JWT なしのときは従来どおり username のみ(完全互換)。 + * JWT ありのときは user_id 一致、または未紐付けメンバーで username が JWT ユーザーの user_id/name と一致する場合は厳格一致。 + * それ以外の未紐付けニックネームは従来クエリで許可し warn ログ(運用互換)。 + */ +async function togetherEnsureMember(pool, res, groupId, username, jwtUserId) { + if (!username || typeof username !== 'string') { + res.status(400).json({ error: 'username が不正です' }); + return false; + } + const gidNum = parseInt(String(groupId), 10); + if (Number.isNaN(gidNum)) { + res.status(400).json({ error: 'invalid groupId' }); + return false; + } + try { + if (jwtUserId) { + const strict = await pool.query( + `SELECT 1 FROM together_members m + WHERE m.group_id = $1 AND ( + m.user_id = $2 + OR ( + (m.user_id IS NULL OR btrim(COALESCE(m.user_id, '')) = '') + AND m.username = $3 + AND EXISTS ( + SELECT 1 FROM users u + WHERE u.user_id = $2 AND (u.user_id = $3 OR u.name = $3) + ) + ) + )`, + [gidNum, jwtUserId, username] + ); + if (strict.rows.length > 0) return true; + + const legacy = await pool.query( + 'SELECT 1 FROM together_members WHERE group_id=$1 AND username=$2', + [gidNum, username] + ); + if (legacy.rows.length > 0) { + // JWT ユーザーが送信した username の本人であることを確認(なりすまし防止) + const userCheck = await pool.query( + 'SELECT 1 FROM users WHERE user_id=$1 AND (user_id=$2 OR name=$2)', + [jwtUserId, username] + ); + if (userCheck.rows.length === 0) { + res.status(403).json({ error: 'グループのメンバーではありません' }); + return false; + } + console.warn('[Together] legacy path used user=%s username=%s group=%s', jwtUserId, username, gidNum); + return true; + } + res.status(403).json({ error: 'グループのメンバーではありません' }); + return false; + } + const legacyOnly = await pool.query( + 'SELECT 1 FROM together_members WHERE group_id=$1 AND username=$2', + [gidNum, username] + ); + if (legacyOnly.rows.length === 0) { + res.status(403).json({ error: 'グループのメンバーではありません' }); + return false; + } + return true; + } catch (e) { + console.error('[Together] togetherEnsureMember', e.message); + res.status(500).json({ error: 'Internal server error' }); + return false; + } +} + +/** share_id 経由で group を解決し、username がそのグループのメンバーか(JWT 強化込み) */ +async function togetherEnsureMemberForShare(pool, res, shareId, username, jwtUserId) { + if (!username || typeof username !== 'string') { + res.status(400).json({ error: 'username が不正です' }); + return false; + } + try { + const g = await pool.query('SELECT group_id FROM together_shares WHERE id=$1', [shareId]); + if (g.rows.length === 0) { + res.status(404).json({ error: '見つかりません' }); + return false; + } + return togetherEnsureMember(pool, res, g.rows[0].group_id, username, jwtUserId); + } catch (e) { + console.error('[Together] togetherEnsureMemberForShare', e.message); + res.status(500).json({ error: 'Internal server error' }); + return false; + } +} + // ── ルーター ────────────────────────────── function buildRouter() { const r = express.Router(); @@ -2485,12 +2603,9 @@ ${excerpt} r.get('/together/members/:groupId', async (req, res) => { const username = req.query.u; if (!username) return res.status(400).json({ error: 'u (username) は必須です' }); + const jwtUserId = getTogetherJwtUserId(req); try { - const memberCheck = await pool.query( - 'SELECT 1 FROM together_members WHERE group_id=$1 AND username=$2', - [req.params.groupId, username] - ); - if (memberCheck.rows.length === 0) return res.status(403).json({ error: 'グループのメンバーではありません' }); + if (!(await togetherEnsureMember(pool, res, req.params.groupId, username, jwtUserId))) return; const result = await pool.query( 'SELECT username, joined_at FROM together_members WHERE group_id=$1 ORDER BY joined_at', @@ -2509,16 +2624,12 @@ ${excerpt} if (url) { if (!isSsrfSafe(url)) return res.status(400).json({ error: 'url は http/https のみ有効です' }); } + const jwtUserId = getTogetherJwtUserId(req); try { const grpCheck = await pool.query('SELECT id FROM together_groups WHERE id=$1', [group_id]); if (grpCheck.rows.length === 0) return res.status(404).json({ error: 'グループが見つかりません' }); - // グループメンバーであることを確認(非メンバーの投稿を防止) - const memberCheck = await pool.query( - 'SELECT 1 FROM together_members WHERE group_id=$1 AND username=$2', - [group_id, shared_by] - ); - if (memberCheck.rows.length === 0) return res.status(403).json({ error: 'グループのメンバーではありません' }); + if (!(await togetherEnsureMember(pool, res, group_id, shared_by, jwtUserId))) return; const result = await pool.query( `INSERT INTO together_shares (group_id, shared_by, url, title, message, tags) @@ -2540,7 +2651,10 @@ ${excerpt} r.delete('/together/share/:id', async (req, res) => { const { username } = req.body || {}; if (!username) return res.status(400).json({ error: 'username は必須です' }); + const jwtUserId = getTogetherJwtUserId(req); try { + if (!(await togetherEnsureMemberForShare(pool, res, req.params.id, username, jwtUserId))) return; + // shared_by が一致する行のみ削除(なければ 403) const result = await pool.query( 'DELETE FROM together_shares WHERE id=$1 AND shared_by=$2 RETURNING id', @@ -2559,12 +2673,9 @@ ${excerpt} r.get('/together/feed/:groupId', async (req, res) => { const username = req.query.u; if (!username) return res.status(400).json({ error: 'u (username) は必須です' }); + const jwtUserId = getTogetherJwtUserId(req); try { - const memberCheck = await pool.query( - 'SELECT 1 FROM together_members WHERE group_id=$1 AND username=$2', - [req.params.groupId, username] - ); - if (memberCheck.rows.length === 0) return res.status(403).json({ error: 'グループのメンバーではありません' }); + if (!(await togetherEnsureMember(pool, res, req.params.groupId, username, jwtUserId))) return; const limit = Math.min(parseInt(req.query.limit) || 20, 50); const cursor = req.query.cursor; @@ -2603,12 +2714,9 @@ ${excerpt} r.get('/together/article/:shareId', async (req, res) => { const username = req.query.u; if (!username) return res.status(400).json({ error: 'u (username) は必須です' }); + const jwtUserId = getTogetherJwtUserId(req); try { - const memberCheck = await pool.query( - 'SELECT 1 FROM together_members m JOIN together_shares s ON s.group_id=m.group_id WHERE s.id=$1 AND m.username=$2', - [req.params.shareId, username] - ); - if (memberCheck.rows.length === 0) return res.status(403).json({ error: 'グループのメンバーではありません' }); + if (!(await togetherEnsureMemberForShare(pool, res, req.params.shareId, username, jwtUserId))) return; const result = await pool.query( 'SELECT id, title, url, full_content, summary, archive_status, shared_at FROM together_shares WHERE id=$1', @@ -2626,13 +2734,9 @@ ${excerpt} const { share_id, username, type = 'like' } = req.body || {}; if (!share_id || !username) return res.status(400).json({ error: 'share_id と username は必須です' }); if (!['like', 'star', 'fire', 'read'].includes(type)) return res.status(400).json({ error: 'type は like/star/fire/read のみ有効です' }); + const jwtUserId = getTogetherJwtUserId(req); try { - // share の group に対してメンバーであることを確認 - const memberCheck = await pool.query( - 'SELECT 1 FROM together_members m JOIN together_shares s ON s.group_id=m.group_id WHERE s.id=$1 AND m.username=$2', - [share_id, username] - ); - if (memberCheck.rows.length === 0) return res.status(403).json({ error: 'グループのメンバーではありません' }); + if (!(await togetherEnsureMemberForShare(pool, res, share_id, username, jwtUserId))) return; const existing = await pool.query( 'SELECT 1 FROM together_reactions WHERE share_id=$1 AND username=$2 AND type=$3', @@ -2661,12 +2765,9 @@ ${excerpt} r.get('/together/comments/:shareId', async (req, res) => { const username = req.query.u; if (!username) return res.status(400).json({ error: 'u (username) は必須です' }); + const jwtUserId = getTogetherJwtUserId(req); try { - const memberCheck = await pool.query( - 'SELECT 1 FROM together_members m JOIN together_shares s ON s.group_id=m.group_id WHERE s.id=$1 AND m.username=$2', - [req.params.shareId, username] - ); - if (memberCheck.rows.length === 0) return res.status(403).json({ error: 'グループのメンバーではありません' }); + if (!(await togetherEnsureMemberForShare(pool, res, req.params.shareId, username, jwtUserId))) return; const result = await pool.query( 'SELECT * FROM together_comments WHERE share_id=$1 ORDER BY created_at', @@ -2684,13 +2785,9 @@ ${excerpt} if (!share_id || !username || !body?.trim()) { return res.status(400).json({ error: 'share_id, username, body は必須です' }); } + const jwtUserId = getTogetherJwtUserId(req); try { - // share の group に対してメンバーであることを確認 - const memberCheck = await pool.query( - 'SELECT 1 FROM together_members m JOIN together_shares s ON s.group_id=m.group_id WHERE s.id=$1 AND m.username=$2', - [share_id, username] - ); - if (memberCheck.rows.length === 0) return res.status(403).json({ error: 'グループのメンバーではありません' }); + if (!(await togetherEnsureMemberForShare(pool, res, share_id, username, jwtUserId))) return; const result = await pool.query( 'INSERT INTO together_comments (share_id, username, body) VALUES ($1, $2, $3) RETURNING *', @@ -2707,11 +2804,8 @@ ${excerpt} r.get('/together/search/:groupId', async (req, res) => { const { q = '', tag = '', u: username = '' } = req.query; if (!username) return res.status(400).json({ error: 'u (username) は必須です' }); - const memberOk = await pool.query( - 'SELECT 1 FROM together_members WHERE group_id=$1 AND username=$2', - [req.params.groupId, username] - ).then(r => r.rows.length > 0).catch(() => false); - if (!memberOk) return res.status(403).json({ error: 'グループのメンバーではありません' }); + const jwtUserId = getTogetherJwtUserId(req); + if (!(await togetherEnsureMember(pool, res, req.params.groupId, username, jwtUserId))) return; if (!q && !tag) return res.status(400).json({ error: 'q または tag が必要です' }); try { const keyword = q ? `%${q}%` : '';