Merge pull request #4929 from overleaf/jk-fix-disconnect-users

Fix /disconnectAllUsers endpoint security

GitOrigin-RevId: 57858daa5a076c37332bc575e76ffd6b1a1bd914

services/web/app/src/Features/ServerAdmin/AdminController.js

@@ -52,6 +52,13 @@ var updateOpenConnetionsMetrics = function () {
 setTimeout(updateOpenConnetionsMetrics, oneMinInMs)
 
 const AdminController = {
+  _sendDisconnectAllUsersMessage: delay => {
+    return EditorRealTimeController.emitToAll(
+      'forceDisconnect',
+      'Sorry, we are performing a quick update to the editor and need to close it down. Please refresh the page to continue.',
+      delay
+    )
+  },
   index: (req, res, next) => {
     let agents, url
     let agent
@@ -101,11 +108,7 @@ const AdminController = {
   disconnectAllUsers: (req, res) => {
     logger.warn('disconecting everyone')
     const delay = (req.query && req.query.delay) > 0 ? req.query.delay : 10
-    EditorRealTimeController.emitToAll(
-      'forceDisconnect',
-      'Sorry, we are performing a quick update to the editor and need to close it down. Please refresh the page to continue.',
-      delay
-    )
+    this._sendDisconnectAllUsersMessage(delay)
     return res.sendStatus(200)
   },
 

services/web/app/src/router.js

@@ -996,11 +996,6 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
     AdminController.unregisterServiceWorker
   )
 
-  privateApiRouter.post(
-    '/disconnectAllUsers',
-    AdminController.disconnectAllUsers
-  )
-
   privateApiRouter.get('/perfTest', (req, res) => res.send('hello'))
 
   publicApiRouter.get('/status', (req, res) => {

services/web/scripts/disconnect_all_users.js

@@ -0,0 +1,20 @@
+const AdminController = require('../app/src/Features/ServerAdmin/AdminController')
+
+if (require.main === module) {
+  if (['--help', 'help'].includes(process.argv[2])) {
+    console.log('\n  usage: node disconnect_all_users.js [delay-in-seconds]\n')
+    process.exit(1)
+  }
+  const delaySecondsString = process.argv[2]
+  const delay = parseInt(delaySecondsString, 10) || 10
+  console.log(`Disconnect all users, with delay ${delay}`)
+  AdminController._sendDisconnectAllUsersMessage(delay)
+    .then(() => {
+      console.error('Done.')
+      process.exit(0)
+    })
+    .catch(err => {
+      console.error('Error', err)
+      process.exit(1)
+    })
+}