loginKey does not work in MeshCtrl.js

[geekasso]

Describe the bug
Hello. I am having an issue when using a loginKey in config.json and performing a remote MeshCtrl.js command, the MC server does not provide a valid response. Browsing via the URL and adding the key works as expected.

Not sure if it's for specific actions in MeshCtrl.js, but ListDevices is not working in my test. If the ?key=[key] is not used, the response is immediate, however when the ?key=[key] is used, the response takes a long time. Neither produce a valid response, but the timing implies that the ?key parameter is causing MC to not handle it properly.

To Reproduce
Steps to reproduce the behavior:

1. Add 'loginKey': 'bob' to the config.json
2. Restart MC service
3. Call this command from remote MeshCtrl.js:
4. node ./node_modules/meshcentral/meshctrl.js ListDevices --url wss://mydomain.com:443?key=bob --loginkey [encrypted token] --json
5. Hangs

Expected behavior
?key param should return the devices in json, as it does before enabling the loginKey in config.json.

Server Software (please complete the following information):

• OS: Ubuntu
• Network: WAN

Client Device (please complete the following information):

• Remote machine (Windows and/or Linux)

Your config.json file

{
	"$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
	"__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
	"__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
	"settings": {
	  "MaxInvalidLogin": {
		"time": 5,
		"count": 5,
		"coolofftime": 30
	  },
	  "plugins": {
		"enabled": true
	  },
	  "cert": [domain],
	  "port": 443,
	  "redirPort": 80,
	  "wanonly": true,
	  "minify": true,
	  "clickonce": true,
	  "webrtc": true,
	  "allowLoginToken": true,
	  "allowFraming": true,
	  "selfupdate": true,
	  "sessionSameSite": "none",
	  "allowHighQualityDesktop": true,
	  "desktopMultiple": true
	},
	"domains": {
	  "": {
		"allowaccountreset": false,
		"welcomePictureFullScreen": false,
		"siteStyle": 2,
		"title": "Remote Access",
		"title2": "",
		"loginKey": "bob",
		"minify": true,
		"userNameIsEmail": true,
		"allowedOrigin": true,
		"httpHeaders": {
			"Strict-Transport-Security": "max-age=3600",
			"Content-Security-Policy": "frame-src * data: blob:; connect-src * wss:;",
			"Access-Control-Allow-Origin": "*",
			"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
			"Access-Control-Allow-Headers": "Origin, Content-Type, Accept, Authorization"
		},
		"agentConfig": [ 
		 {
			 "skipmaccheck": true
		 }
		],
		"mstsc": true,
		"geoLocation": true,
		"lockAgentDownload": false,
		"userConsentFlags": {
			 "desktopnotify": false,
			 "terminalnotify": false,
			 "filenotify": false,
			 "desktopprompt": false,
			 "terminalprompt": false,
			 "fileprompt": false,
			 "desktopprivacybar": true
		},
		"ipBlockedUserRedirect": "https://somedomain.com",
		"newAccounts": false,
		"allowSavingDeviceCredentials": false
	  }
	},
	"letsencrypt": {
		 "__comment": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
		 "email": [email],
		 "names": [domains],
		 "skipChallengeVerification": true,
		 "production": true
	}
}

[si458]

I will check tomorrow, but i think you are setting the url incorrectly?
I think it's wss://meshserver.com/?key=bob
But I could be mistaken

[si458]

ok ive just checked and it works correctly here?

node meshctrl.js --url wss://mc.myserver.com:443?key=a1b2c3d4 --loginuser simon --loginpass mysecretpassword --token 123456 ListDevices

are you sure you are hexing the loginkey correctly in your url?
how did you generate it/where did you get it from?

[si458]

ok ive just looked, are you sure you are sending all the values that you need?
from the looks of the code
if you use --loginkey,
you need to also specify --loginuser USERNAME otherwise it defaults to admin as the user
ALSO
you need to specify --logindomain MESHDOMAIN if you have multiple domains in meshcentral,
otherwise its the default "" one
you need to also specify --loginuser USERNAME

[si458]

OOO just spotted a bug too can you spot it?
Connecting to wss://mc.myserver.com:443/control.ashx?key=a1b2c3d4?auth=abc123

[si458]

ok ive fixed the meshctrl passing loginkey and key=xxx incorrect at the same time
ive also added some more info in webserver.js so it should return if something is wrong!
fa39f8a

[geekasso]

Loginkey is an encoded cookie. This command works flawlessly without the key parameter when the key is not required in MC.

…

On Fri, Aug 16, 2024, 10:41 AM Simon Smith ***@***.***> wrote: ok ive just checked and it works correctly here? node meshctrl.js --url wss://mc.myserver.com:443?key=a1b2c3d4 --loginuser simon --loginpass mysecretpassword --token 123456 ListDevices are you sure you are hexing the loginkey correctly in your url? how did you generate it/where did you get it from? — Reply to this email directly, view it on GitHub <#6328 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABXXKRCMZEEXJ37LALPOCQLZRYFS7AVCNFSM6AAAAABMS7NJ2KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEOJTGYZTQNZQGU> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[si458]

@geekasso ah right ok no worries! in that case its the bug i mensioned above!
#6328 (comment)
download and replace meshctrl.js with the master one then and it should work now!
https://github.com/Ylianst/MeshCentral/raw/master/meshctrl.js