settings site changes

settings-site/server.js

@@ -20,6 +20,7 @@ const PORT = parseInt(process.env.SETTINGS_PORT) || 12752;
 const INTERNAL_URL = process.env.INTERNAL_API_URL || `http://127.0.0.1:${process.env.INTERNAL_API_PORT || 12753}/internal`;
 const SECRET = process.env.INTERNAL_API_SECRET;
 const ADMIN_PASSWORD = process.env.SETTINGS_ADMIN_PASSWORD;
+const ADMIN_PASSWORD_2 = process.env.SETTINGS_ADMIN_PASSWORD_2;
 const SESSION_SECRET = process.env.SESSION_SECRET;
 const IS_PROD = process.env.NODE_ENV === 'production';
 
@@ -65,7 +66,11 @@ app.use(express.urlencoded({ extended: true, limit: '64kb' }));
 app.use(session({
   secret: SESSION_SECRET,
   resave: false,
-  saveUninitialized: false,
+  // Required true: csrf-csrf binds its token signature to req.sessionID. With
+  // `false`, the session cookie isn't sent until the session is modified, so
+  // each pre-login request gets a fresh sessionID and CSRF validation always
+  // fails. See the "audit" commit (33b1f27) which inadvertently flipped this.
+  saveUninitialized: true,
   cookie: {
     httpOnly: true,
     secure: IS_PROD,
@@ -175,7 +180,9 @@ app.get('/login', (req, res) => {
 });
 
 app.post('/login', loginLimiter, (req, res) => {
-  if (safeEqual(req.body.password, ADMIN_PASSWORD)) {
+  const matchesPrimary = safeEqual(req.body.password, ADMIN_PASSWORD);
+  const matchesSecondary = ADMIN_PASSWORD_2 && safeEqual(req.body.password, ADMIN_PASSWORD_2);
+  if (matchesPrimary || matchesSecondary) {
     req.session.authed = true;
     return res.json({ ok: true });
   }