@oneuptime/common 8.0.5587 → 9.0.5595

package/Models/DatabaseModels/StatusPage.ts

@@ -30,6 +30,7 @@ import { JSONObject } from "../../Types/JSON";
 import ObjectID from "../../Types/ObjectID";
 import Permission from "../../Types/Permission";
 import Timezone from "../../Types/Timezone";
+import HashedString from "../../Types/HashedString";
 import {
   Column,
   Entity,
@@ -883,6 +884,78 @@ export default class StatusPage extends BaseModel {
   })
   public isPublicStatusPage?: boolean = undefined;
 
+  @ColumnAccessControl({
+    create: [
+      Permission.ProjectOwner,
+      Permission.ProjectAdmin,
+      Permission.ProjectMember,
+      Permission.CreateProjectStatusPage,
+    ],
+    read: [
+      Permission.ProjectOwner,
+      Permission.ProjectAdmin,
+      Permission.ProjectMember,
+      Permission.ReadProjectStatusPage,
+    ],
+    update: [
+      Permission.ProjectOwner,
+      Permission.ProjectAdmin,
+      Permission.ProjectMember,
+      Permission.EditProjectStatusPage,
+    ],
+  })
+  @TableColumn({
+    isDefaultValueColumn: true,
+    type: TableColumnType.Boolean,
+    title: "Enable Master Password",
+    description:
+      "Require visitors to enter a master password before viewing a private status page.",
+    defaultValue: false,
+  })
+  @Column({
+    type: ColumnType.Boolean,
+    default: false,
+  })
+  public enableMasterPassword?: boolean = undefined;
+
+  @ColumnAccessControl({
+    create: [
+      Permission.ProjectOwner,
+      Permission.ProjectAdmin,
+      Permission.ProjectMember,
+      Permission.CreateProjectStatusPage,
+    ],
+
+    // This is a hashed column. So, reading the value is does not affect anything.
+    read: [
+      Permission.ProjectOwner,
+      Permission.ProjectAdmin,
+      Permission.ProjectMember,
+      Permission.ReadProjectStatusPage,
+    ],
+    update: [
+      Permission.ProjectOwner,
+      Permission.ProjectAdmin,
+      Permission.ProjectMember,
+      Permission.EditProjectStatusPage,
+    ],
+  })
+  @TableColumn({
+    title: "Master Password",
+    description:
+      "Password required to unlock a private status page. This value is stored as a secure hash.",
+    hashed: true,
+    type: TableColumnType.HashedString,
+    placeholder: "Enter a new master password",
+  })
+  @Column({
+    type: ColumnType.HashedString,
+    length: ColumnLength.HashedString,
+    nullable: true,
+    transformer: HashedString.getDatabaseTransformer(),
+  })
+  public masterPassword?: HashedString = undefined;
+
   @ColumnAccessControl({
     create: [
       Permission.ProjectOwner,

package/Server/API/StatusPageAPI.ts

@@ -49,6 +49,7 @@ import JSONFunctions from "../../Types/JSONFunctions";
 import ObjectID from "../../Types/ObjectID";
 import Phone from "../../Types/Phone";
 import PositiveNumber from "../../Types/PositiveNumber";
+import HashedString from "../../Types/HashedString";
 import AcmeChallenge from "../../Models/DatabaseModels/AcmeChallenge";
 import Incident from "../../Models/DatabaseModels/Incident";
 import IncidentPublicNote from "../../Models/DatabaseModels/IncidentPublicNote";
@@ -87,10 +88,13 @@ import EmailTemplateType from "../../Types/Email/EmailTemplateType";
 import Hostname from "../../Types/API/Hostname";
 import Protocol from "../../Types/API/Protocol";
 import DatabaseConfig from "../DatabaseConfig";
+import CookieUtil from "../Utils/Cookie";
+import { EncryptionSecret } from "../EnvironmentConfig";
 import { StatusPageApiRoute } from "../../ServiceRoute";
 import ProjectSmtpConfigService from "../Services/ProjectSmtpConfigService";
 import ForbiddenException from "../../Types/Exception/ForbiddenException";
 import SlackUtil from "../Utils/Workspace/Slack/Slack";
+import { MASTER_PASSWORD_INVALID_MESSAGE } from "../../Types/StatusPage/MasterPassword";
 
 type ResolveStatusPageIdOrThrowFunction = (
   statusPageIdOrDomain: string,
@@ -798,6 +802,7 @@ export default class StatusPageAPI extends BaseAPI<
             enableMicrosoftTeamsSubscribers: true,
             enableSmsSubscribers: true,
             isPublicStatusPage: true,
+            enableMasterPassword: true,
             allowSubscribersToChooseResources: true,
             allowSubscribersToChooseEventTypes: true,
             requireSsoForLogin: true,
@@ -910,6 +915,80 @@ export default class StatusPageAPI extends BaseAPI<
       },
     );
 
+    this.router.post(
+      `${new this.entityType()
+        .getCrudApiPath()
+        ?.toString()}/master-password/:statusPageId`,
+      UserMiddleware.getUserMiddleware,
+      async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
+        try {
+          if (!req.params["statusPageId"]) {
+            throw new BadDataException("Status Page ID not found");
+          }
+
+          const statusPageId: ObjectID = new ObjectID(
+            req.params["statusPageId"] as string,
+          );
+
+          const password: string | undefined =
+            req.body && (req.body["password"] as string);
+
+          if (!password) {
+            throw new BadDataException("Master password is required.");
+          }
+
+          const statusPage: StatusPage | null =
+            await StatusPageService.findOneById({
+              id: statusPageId,
+              select: {
+                _id: true,
+                projectId: true,
+                enableMasterPassword: true,
+                masterPassword: true,
+                isPublicStatusPage: true,
+              },
+              props: {
+                isRoot: true,
+              },
+            });
+
+          if (!statusPage) {
+            throw new NotFoundException("Status Page not found");
+          }
+
+          if (statusPage.isPublicStatusPage) {
+            throw new BadDataException(
+              "This status page is already visible to everyone.",
+            );
+          }
+
+          if (!statusPage.enableMasterPassword || !statusPage.masterPassword) {
+            throw new BadDataException(
+              "Master password has not been configured for this status page.",
+            );
+          }
+
+          const hashedInput: string = await HashedString.hashValue(
+            password,
+            EncryptionSecret,
+          );
+
+          if (hashedInput !== statusPage.masterPassword.toString()) {
+            throw new BadDataException(MASTER_PASSWORD_INVALID_MESSAGE);
+          }
+
+          CookieUtil.setStatusPageMasterPasswordCookie({
+            expressResponse: res,
+            statusPageId,
+          });
+
+          return Response.sendEmptySuccessResponse(req, res);
+        } catch (err) {
+          next(err);
+        }
+      },
+    );
+
     this.router.post(
       `${new this.entityType().getCrudApiPath()?.toString()}/sso/:statusPageId`,
       UserMiddleware.getUserMiddleware,

package/Server/Infrastructure/Postgres/SchemaMigrations/1763643080445-MigrationName.ts

@@ -0,0 +1,23 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class MigrationName1763643080445 implements MigrationInterface {
+  public name = "MigrationName1763643080445";
+
+  public async up(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(
+      `ALTER TABLE "StatusPage" ADD "enableMasterPassword" boolean NOT NULL DEFAULT false`,
+    );
+    await queryRunner.query(
+      `ALTER TABLE "StatusPage" ADD "masterPassword" character varying(64)`,
+    );
+  }
+
+  public async down(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(
+      `ALTER TABLE "StatusPage" DROP COLUMN "masterPassword"`,
+    );
+    await queryRunner.query(
+      `ALTER TABLE "StatusPage" DROP COLUMN "enableMasterPassword"`,
+    );
+  }
+}

package/Server/Infrastructure/Postgres/SchemaMigrations/Index.ts

@@ -185,6 +185,7 @@ import { MigrationName1762890441920 } from "./1762890441920-MigrationName";
 import { MigrationName1763471659817 } from "./1763471659817-MigrationName";
 import { MigrationName1763477560906 } from "./1763477560906-MigrationName";
 import { MigrationName1763480947474 } from "./1763480947474-MigrationName";
+import { MigrationName1763643080445 } from "./1763643080445-MigrationName";
 
 export default [
   InitialMigration,
@@ -374,4 +375,5 @@ export default [
   MigrationName1763471659817,
   MigrationName1763477560906,
   MigrationName1763480947474,
+  MigrationName1763643080445,
 ];

package/Server/Services/StatusPageService.ts

@@ -47,6 +47,7 @@ import ProjectSMTPConfigService from "./ProjectSmtpConfigService";
 import StatusPageResource from "../../Models/DatabaseModels/StatusPageResource";
 import StatusPageResourceService from "./StatusPageResourceService";
 import Dictionary from "../../Types/Dictionary";
+import { JSONObject } from "../../Types/JSON";
 import MonitorGroupResource from "../../Models/DatabaseModels/MonitorGroupResource";
 import MonitorGroupResourceService from "./MonitorGroupResourceService";
 import QueryHelper from "../Types/Database/QueryHelper";
@@ -61,6 +62,11 @@ import IP from "../../Types/IP/IP";
 import NotAuthenticatedException from "../../Types/Exception/NotAuthenticatedException";
 import ForbiddenException from "../../Types/Exception/ForbiddenException";
 import CommonAPI from "../API/CommonAPI";
+import MasterPasswordRequiredException from "../../Types/Exception/MasterPasswordRequiredException";
+import {
+  MASTER_PASSWORD_COOKIE_IDENTIFIER,
+  MASTER_PASSWORD_REQUIRED_MESSAGE,
+} from "../../Types/StatusPage/MasterPassword";
 
 export interface StatusPageReportItem {
   resourceName: string;
@@ -389,6 +395,8 @@ export class Service extends DatabaseService<StatusPage> {
           _id: true,
           isPublicStatusPage: true,
           ipWhitelist: true,
+          enableMasterPassword: true,
+          masterPassword: true,
         },
       });
 
@@ -462,6 +470,34 @@ export class Service extends DatabaseService<StatusPage> {
         }
       }
 
+      const shouldEnforceMasterPassword: boolean = Boolean(
+        statusPage &&
+          statusPage.enableMasterPassword &&
+          statusPage.masterPassword &&
+          !statusPage.isPublicStatusPage,
+      );
+
+      if (shouldEnforceMasterPassword) {
+        const hasValidMasterPassword: boolean =
+          this.hasValidMasterPasswordCookie({
+            req,
+            statusPageId,
+          });
+
+        if (hasValidMasterPassword) {
+          return {
+            hasReadAccess: true,
+          };
+        }
+
+        return {
+          hasReadAccess: false,
+          error: new MasterPasswordRequiredException(
+            MASTER_PASSWORD_REQUIRED_MESSAGE,
+          ),
+        };
+      }
+
       // if it does not have public access, check if this user has access.
 
       const items: Array<StatusPage> = await this.findBy({
@@ -493,6 +529,33 @@ export class Service extends DatabaseService<StatusPage> {
     };
   }
 
+  private hasValidMasterPasswordCookie(data: {
+    req: ExpressRequest;
+    statusPageId: ObjectID;
+  }): boolean {
+    const token: string | undefined = CookieUtil.getCookieFromExpressRequest(
+      data.req,
+      CookieUtil.getStatusPageMasterPasswordKey(data.statusPageId),
+    );
+
+    if (!token) {
+      return false;
+    }
+
+    try {
+      const payload: JSONObject = JSONWebToken.decodeJsonPayload(token);
+
+      return (
+        payload["statusPageId"] === data.statusPageId.toString() &&
+        payload["type"] === MASTER_PASSWORD_COOKIE_IDENTIFIER
+      );
+    } catch (err) {
+      logger.error(err);
+    }
+
+    return false;
+  }
+
   @CaptureSpan()
   public async getMonitorStatusTimelineForStatusPage(data: {
     monitorIds: Array<ObjectID>;

package/Server/Utils/Cookie.ts

@@ -8,6 +8,10 @@ import StatusPagePrivateUser from "../../Models/DatabaseModels/StatusPagePrivate
 import OneUptimeDate from "../../Types/Date";
 import PositiveNumber from "../../Types/PositiveNumber";
 import CookieName from "../../Types/CookieName";
+import {
+  MASTER_PASSWORD_COOKIE_IDENTIFIER,
+  MASTER_PASSWORD_COOKIE_MAX_AGE_IN_DAYS,
+} from "../../Types/StatusPage/MasterPassword";
 import CaptureSpan from "./Telemetry/CaptureSpan";
 
 export default class CookieUtil {
@@ -233,6 +237,34 @@ export default class CookieUtil {
     return token;
   }
 
+  @CaptureSpan()
+  public static setStatusPageMasterPasswordCookie(data: {
+    expressResponse: ExpressResponse;
+    statusPageId: ObjectID;
+  }): void {
+    const expiresInDays: PositiveNumber = new PositiveNumber(
+      MASTER_PASSWORD_COOKIE_MAX_AGE_IN_DAYS,
+    );
+
+    const token: string = JSONWebToken.signJsonPayload(
+      {
+        statusPageId: data.statusPageId.toString(),
+        type: MASTER_PASSWORD_COOKIE_IDENTIFIER,
+      },
+      OneUptimeDate.getSecondsInDays(expiresInDays),
+    );
+
+    CookieUtil.setCookie(
+      data.expressResponse,
+      CookieUtil.getStatusPageMasterPasswordKey(data.statusPageId),
+      token,
+      {
+        maxAge: OneUptimeDate.getMillisecondsInDays(expiresInDays),
+        httpOnly: true,
+      },
+    );
+  }
+
   @CaptureSpan()
   public static setCookie(
     res: ExpressResponse,
@@ -280,6 +312,17 @@ export default class CookieUtil {
     });
   }
 
+  @CaptureSpan()
+  public static removeStatusPageMasterPasswordCookie(
+    res: ExpressResponse,
+    statusPageId: ObjectID,
+  ): void {
+    CookieUtil.removeCookie(
+      res,
+      CookieUtil.getStatusPageMasterPasswordKey(statusPageId),
+    );
+  }
+
   // get all cookies with express request
   @CaptureSpan()
   public static getAllCookies(req: ExpressRequest): Dictionary<string> {
@@ -304,6 +347,11 @@ export default class CookieUtil {
     return `${CookieName.RefreshToken}-${id.toString()}`;
   }
 
+  @CaptureSpan()
+  public static getStatusPageMasterPasswordKey(id: ObjectID): string {
+    return `${CookieName.StatusPageMasterPassword}-${id.toString()}`;
+  }
+
   @CaptureSpan()
   public static getUserSSOKey(id: ObjectID): string {
     return `${this.getSSOKey()}${id.toString()}`;

package/Types/CookieName.ts

@@ -7,6 +7,7 @@ enum CookieName {
   Timezone = "user-timezone",
   IsMasterAdmin = "user-is-master-admin",
   ProfilePicID = "user-profile-pic-id",
+  StatusPageMasterPassword = "status-page-master-password",
 }
 
 export default CookieName;

package/Types/Exception/MasterPasswordRequiredException.ts

@@ -0,0 +1,7 @@
+import NotAuthenticatedException from "./NotAuthenticatedException";
+
+export default class MasterPasswordRequiredException extends NotAuthenticatedException {
+  public constructor(message: string) {
+    super(message);
+  }
+}

package/Types/StatusPage/MasterPassword.ts

@@ -0,0 +1,10 @@
+export const MASTER_PASSWORD_REQUIRED_MESSAGE: string =
+  "Master password required";
+
+export const MASTER_PASSWORD_INVALID_MESSAGE: string =
+  "Invalid master password. Please try again.";
+
+export const MASTER_PASSWORD_COOKIE_IDENTIFIER: string =
+  "status-page-master-password";
+
+export const MASTER_PASSWORD_COOKIE_MAX_AGE_IN_DAYS: number = 7;

package/build/dist/Models/DatabaseModels/StatusPage.js

@@ -37,6 +37,7 @@ import Recurring from "../../Types/Events/Recurring";
 import IconProp from "../../Types/Icon/IconProp";
 import ObjectID from "../../Types/ObjectID";
 import Permission from "../../Types/Permission";
+import HashedString from "../../Types/HashedString";
 import { Column, Entity, Index, JoinColumn, JoinTable, ManyToMany, ManyToOne, } from "typeorm";
 import UptimePrecision from "../../Types/StatusPage/UptimePrecision";
 let StatusPage = class StatusPage extends BaseModel {
@@ -66,6 +67,8 @@ let StatusPage = class StatusPage extends BaseModel {
         this.customCSS = undefined;
         this.customJavaScript = undefined;
         this.isPublicStatusPage = undefined;
+        this.enableMasterPassword = undefined;
+        this.masterPassword = undefined;
         this.showIncidentLabelsOnStatusPage = undefined;
         this.showScheduledEventLabelsOnStatusPage = undefined;
         // This column is Deprectaed.
@@ -899,6 +902,77 @@ __decorate([
     }),
     __metadata("design:type", Boolean)
 ], StatusPage.prototype, "isPublicStatusPage", void 0);
+__decorate([
+    ColumnAccessControl({
+        create: [
+            Permission.ProjectOwner,
+            Permission.ProjectAdmin,
+            Permission.ProjectMember,
+            Permission.CreateProjectStatusPage,
+        ],
+        read: [
+            Permission.ProjectOwner,
+            Permission.ProjectAdmin,
+            Permission.ProjectMember,
+            Permission.ReadProjectStatusPage,
+        ],
+        update: [
+            Permission.ProjectOwner,
+            Permission.ProjectAdmin,
+            Permission.ProjectMember,
+            Permission.EditProjectStatusPage,
+        ],
+    }),
+    TableColumn({
+        isDefaultValueColumn: true,
+        type: TableColumnType.Boolean,
+        title: "Enable Master Password",
+        description: "Require visitors to enter a master password before viewing a private status page.",
+        defaultValue: false,
+    }),
+    Column({
+        type: ColumnType.Boolean,
+        default: false,
+    }),
+    __metadata("design:type", Boolean)
+], StatusPage.prototype, "enableMasterPassword", void 0);
+__decorate([
+    ColumnAccessControl({
+        create: [
+            Permission.ProjectOwner,
+            Permission.ProjectAdmin,
+            Permission.ProjectMember,
+            Permission.CreateProjectStatusPage,
+        ],
+        // This is a hashed column. So, reading the value is does not affect anything.
+        read: [
+            Permission.ProjectOwner,
+            Permission.ProjectAdmin,
+            Permission.ProjectMember,
+            Permission.ReadProjectStatusPage,
+        ],
+        update: [
+            Permission.ProjectOwner,
+            Permission.ProjectAdmin,
+            Permission.ProjectMember,
+            Permission.EditProjectStatusPage,
+        ],
+    }),
+    TableColumn({
+        title: "Master Password",
+        description: "Password required to unlock a private status page. This value is stored as a secure hash.",
+        hashed: true,
+        type: TableColumnType.HashedString,
+        placeholder: "Enter a new master password",
+    }),
+    Column({
+        type: ColumnType.HashedString,
+        length: ColumnLength.HashedString,
+        nullable: true,
+        transformer: HashedString.getDatabaseTransformer(),
+    }),
+    __metadata("design:type", HashedString)
+], StatusPage.prototype, "masterPassword", void 0);
 __decorate([
     ColumnAccessControl({
         create: [