discord-tickets / bot

The most popular open-source and self-hosted ticket management bot for Discord - a free alternative to the premium and white-label plans of other popular ticketing bots.
https://discordtickets.app
GNU General Public License v3.0
873 stars, 454 forks

Update fastify dependencies #461

Closed Rossebma closed 6 months ago

Rossebma commented 1 year ago

Is there an existing issue for this?

Current Behavior

The bot itself seems to run, however the settings webpanel is not reachable and I get huge Fastify errors during startup.

Expected Behavior

Well, I would expect the webpanel to work. (Sorry, I don't know how to really describe it other than that.)

Steps To Reproduce

1. Environment:
   - Bot running in standalone mode
   - Note that I have an apache2 webserver already running on the server
2. Config:

   ```
   DB_CONNECTION_URL=mysql://ticketbot:sensoredpassword@localhost/tickets
   DB_PROVIDER=mysql
   DISCORD_SECRET=sensoredkey
   DISCORD_TOKEN=sensoredtoken
   ENCRYPTION_KEY=sensoredkey
   HTTP_EXTERNAL=http://00.000.00.00 #(real-ip | censored for security)
   HTTP_HOST=0.0.0.0
   HTTP_PORT=8169
   HTTP_TRUST_PROXY=false
   NODE_ENV=production
   OVERRIDE_ARCHIVE=
   PUBLIC_BOT=false
   PUBLISH_COMMANDS=false
   SUPER=319467558166069248,mysensoreddiscordid
   ```

3. Run: `node .`
4. See error:

   ```
   16/07/23 09:40:10  [SUCCESS] Connected to Discord as "[LoR] Support System#7623"
   16/07/23 09:40:10  [INFO] (PRISMA) quaint::pooled Starting a mysql pool with 17 connections.
   16/07/23 09:40:10  [NOTICE] Discord Tickets v4.0.7 on Node.js v19.6.0 (linux)
   16/07/23 09:40:10  [WARN] Uncaught exception
   16/07/23 09:40:10  [ERROR] FastifyError [Error]: The decorator 'parseCookie' has already been added!
       at decorate (/root/Discord/bots/ticket/node_modules/fastify/lib/decorate.js:23:11)
       at Object.decorateFastify [as decorate] (/root/Discord/bots/ticket/node_modules/fastify/lib/decorate.js:67:3)
       at plugin (/root/Discord/bots/ticket/node_modules/@fastify/cookie/plugin.js:60:11)
       at Plugin.exec (/root/Discord/bots/ticket/node_modules/avvio/plugin.js:130:19)
       at Boot.loadPlugin (/root/Discord/bots/ticket/node_modules/avvio/plugin.js:272:10)
       at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
     code: 'FST_ERR_DEC_ALREADY_PRESENT',
     statusCode: 500
   }
   16/07/23 09:40:10  [INFO] Cached ticket count of 0 categories (0 open tickets)
   16/07/23 09:40:10  [INFO] Loaded 0 active cooldowns
   16/07/23 09:40:10  [INFO] Closed 0 deleted tickets
   16/07/23 09:40:10  [INFO] Checking for updates...
   16/07/23 09:40:10  [INFO] No updates available
   16/07/23 09:40:11  [SUCCESS] Posted client stats
   16/07/23 09:40:20  [ERROR] (HTTP) FastifyError [Error]: fastify-plugin: Plugin did not start in time: 'fastify-cookie'. You may have forgotten to call 'done' function or to resolve a Promise
       at manageErr (/root/Discord/bots/ticket/node_modules/fastify/fastify.js:576:33)
       at /root/Discord/bots/ticket/node_modules/fastify/fastify.js:563:11
       at Object._encapsulateThreeParam (/root/Discord/bots/ticket/node_modules/avvio/boot.js:562:7)
       at Boot.timeoutCall (/root/Discord/bots/ticket/node_modules/avvio/boot.js:458:5)
       at Boot.callWithCbOrNextTick (/root/Discord/bots/ticket/node_modules/avvio/boot.js:440:19)
       at release (/root/Discord/bots/ticket/node_modules/fastq/queue.js:149:16)
       at Object.resume (/root/Discord/bots/ticket/node_modules/fastq/queue.js:82:7)
       at /root/Discord/bots/ticket/node_modules/avvio/boot.js:174:18
       at /root/Discord/bots/ticket/node_modules/avvio/plugin.js:275:7
       at done (/root/Discord/bots/ticket/node_modules/avvio/plugin.js:200:5) {
     code: 'FST_ERR_PLUGIN_TIMEOUT',
     statusCode: 500,
     cause: AvvioError [Error]: Plugin did not start in time: 'fastify-cookie'. You may have forgotten to call 'done' function or to resolve a Promise
         at Timeout._onTimeout (/root/Discord/bots/ticket/node_modules/avvio/plugin.js:122:19)
         at listOnTimeout (node:internal/timers:568:17)
         at process.processTimers (node:internal/timers:511:7) {
       code: 'AVV_ERR_READY_TIMEOUT',
       fn: <ref *1> [Function: plugin] {
         default: [Circular *1],
         fastifyCookie: [Circular *1],
       }
     }
   }
   ```

### Environment

```markdown
- OS: Debian 10.13
- Node: 19.6.0
- NPM: 9.4.1
- Bot: 4.0.7
- MySql: 8.0.33
```

Anything else?

No response

RooRay commented 1 year ago

This looks like a bigger issue, I'll assign earth to it. In the meantime, is your apache2 webserver proxying the bot panel?

Rossebma commented 1 year ago

So I fixed the issue for me. Sadly not in a way that would be particularly helpful for you. The first problem was that I didn't set up the proxy for the web server (I wanted to run it in secure mode (https)). But before I fixed this I completely reinstalled the bot. And when I did, I did two things differently:

1. I didn't use the newest version, rather one I viewed as stable.
2. I didn't run npm audit fix (I think it was something like that, but I remember the word "force" somewhere in the command...). This was recommended during both installations, and the second time I didn't do it.

I hope this gives you at least clues where to look. If you need any further information, feel free to ask me here or via Discord (name: rossebma).

eartharoid commented 11 months ago

I'm still unable to reproduce this error.

chrisbadley commented 11 months ago

[screenshot]

I think Rossebma is talking about that, which relates to this:

[screenshot]

I think if you do run "npm audit fix --force", it causes the error originally posted.

It can be resolved by taking a backup of the database and env, deleting the entire directory that contains Discord Tickets, installing again from git clone, running "npm i --production", copying back the .env file, running "npm run postinstall" and re-importing the database, then trying "node ." again.

You will then be on the latest Discord Tickets, BUT one of the dependencies will have a high risk vulnerability. This project needs to be made compatible with the safe and updated version of the dependency.

eartharoid commented 11 months ago

Related:

Impact

All versions of @fastify/oauth2 used a statically generated state parameter at startup time, which was used across all requests for all users. The purpose of the OAuth2 state parameter is to prevent Cross-Site Request Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it.

Patches

v7.2.0 changes the default behavior to store the state in a cookie with the http-only and same-site=lax attributes set. The state is now by default generated for every user.

Note that this contains a breaking change in the checkStateFunction function, which now accepts the full Request object.

Workarounds

There are no known workarounds.

eartharoid commented 11 months ago

Thank you for the clarification @chrisbadley. Errors are to be expected as the patched version of @fastify/oauth2 introduces breaking changes, however, the fact that this obvious flaw was in the package from the beginning and the fact that the state parameter is optional makes me question the "high" severity. Anyway, Discord Tickets already uses random state parameters to provide the redirects, so I think this vulnerability and patch can be safely ignored, and the solution is to not force-fix npm audits.

https://github.com/discord-tickets/bot/blob/fb7a11fc78c3f48e01ad2671d9efa59e00f17748/src/http.js#L14-L38

With that said, I will eventually need to upgrade all of the fastify dependencies and update any affected code so the patched version is compatible. This will allow npm audit fix to be used in the future, so I'll keep this issue open for now. Also need to update this to delete used states.

https://github.com/discord-tickets/bot/blob/fb7a11fc78c3f48e01ad2671d9efa59e00f17748/src/http.js#L17-L20