@scrypted/server 0.4.6 → 0.4.9

package/src/plugin/plugin-remote.ts

@@ -1,5 +1,6 @@
-import { Device, DeviceManager, DeviceManifest, DeviceState, EndpointManager, HttpRequest, Logger, MediaManager, ScryptedInterface, ScryptedInterfaceProperty, ScryptedMimeTypes, ScryptedNativeId, ScryptedStatic, SystemDeviceState, SystemManager } from '@scrypted/types';
+import { Device, DeviceManager, DeviceManifest, DeviceState, EndpointManager, Logger, MediaManager, ScryptedInterface, ScryptedInterfaceProperty, ScryptedMimeTypes, ScryptedNativeId, ScryptedStatic, SystemDeviceState, SystemManager } from '@scrypted/types';
 import { RpcPeer, RPCResultError } from '../rpc';
+import { AccessControls } from './acl';
 import { BufferSerializer } from './buffer-serializer';
 import { PluginAPI, PluginLogger, PluginRemote, PluginRemoteLoadZipOptions } from './plugin-api';
 import { createWebSocketClass, WebSocketConnectCallbacks, WebSocketConnection, WebSocketMethods, WebSocketSerializer } from './plugin-remote-websocket';
@@ -121,10 +122,6 @@ class EndpointManagerImpl implements EndpointManager {
         return this.mediaManager.convertMediaObjectToUrl(mo, ScryptedMimeTypes.PushEndpoint);
     }
 
-    async deliverPush(id: string, request: HttpRequest) {
-        return this.api.deliverPush(id, request);
-    }
-
     async getPath(nativeId?: string, options?: { public?: boolean; }): Promise<string> {
         return `/endpoint/${this.getEndpoint(nativeId)}/${options?.public ? 'public/' : ''}`
     }
@@ -133,7 +130,7 @@ class EndpointManagerImpl implements EndpointManager {
         const protocol = options?.insecure ? 'http' : 'https';
         const port = await this.api.getComponent(options?.insecure ? 'SCRYPTED_INSECURE_PORT' : 'SCRYPTED_SECURE_PORT');
         const path = await this.getPath(nativeId, options);
-        const url =  `${protocol}://${await this.getUrlSafeIp()}:${port}${path}`;
+        const url = `${protocol}://${await this.getUrlSafeIp()}:${port}${path}`;
         return url;
     }
 
@@ -368,8 +365,48 @@ export async function setupPluginRemote(peer: RpcPeer, api: PluginAPI, pluginId:
         const getRemote = await peer.getParam('getRemote');
         const remote = await getRemote(api, pluginId) as PluginRemote;
 
-        await remote.setSystemState(getSystemState());
+        const accessControls: AccessControls = peer.tags.acl;
+
+        const getAccessControlDeviceState = (id: string, state?:  { [property: string]: SystemDeviceState } ) => {
+            state = state || getSystemState()[id];
+            if (accessControls && state) {
+                state = Object.assign({}, state);
+                for (const property of Object.keys(state)) {
+                    if (accessControls.shouldRejectProperty(id, property))
+                        delete state[property];
+                }
+                let interfaces: ScryptedInterface[] = state.interfaces?.value;
+                if (interfaces) {
+                    interfaces = interfaces.filter(scryptedInterface => !accessControls.shouldRejectInterface(id, scryptedInterface));
+                    state.interfaces = {
+                        value: interfaces,
+                    }
+                }
+            }
+            return state;
+        }
+
+        const getAccessControlSystemState = () => {
+            let state = getSystemState();
+            if (accessControls) {
+                state = Object.assign({}, state);
+                for (const id of Object.keys(state)) {
+                    if (accessControls.shouldRejectDevice(id)) {
+                        delete state[id];
+                        continue;
+                    }
+                    state[id] = getAccessControlDeviceState(id, state[id]);
+                }
+            }
+
+            return state;
+        }
+
+        await remote.setSystemState(getAccessControlSystemState());
         api.listen((id, eventDetails, eventData) => {
+            if (accessControls?.shouldRejectEvent(eventDetails.property === ScryptedInterfaceProperty.id ? eventData : id, eventDetails))
+                return;
+
             // ScryptedDevice events will be handled specially and repropagated by the remote.
             if (eventDetails.eventInterface === ScryptedInterface.ScryptedDevice) {
                 if (eventDetails.property === ScryptedInterfaceProperty.id) {
@@ -378,7 +415,7 @@ export async function setupPluginRemote(peer: RpcPeer, api: PluginAPI, pluginId:
                 }
                 else {
                     // a change on anything else is a descriptor update
-                    remote.updateDeviceState(id, getSystemState()[id]);
+                    remote.updateDeviceState(id, getAccessControlDeviceState(id));
                 }
                 return;
             }
@@ -429,15 +466,16 @@ export function attachPluginRemote(peer: RpcPeer, options?: PluginRemoteAttachOp
     const retPromise = new Promise<ScryptedStatic>(resolve => done = resolve);
 
     peer.params.getRemote = async (api: PluginAPI, pluginId: string) => {
-        websocketSerializer.WebSocket = createWebSocketClass((url: string, callbacks: WebSocketConnectCallbacks) => {
+        websocketSerializer.WebSocket = createWebSocketClass((connection, callbacks) => {
+            const { url } = connection;
             if (url.startsWith('io://') || url.startsWith('ws://')) {
                 const id = url.substring('xx://'.length);
 
                 ioSockets[id] = callbacks;
 
                 callbacks.connect(undefined, {
-                    close: () => api.ioClose(id),
-                    send: (message: string) => api.ioSend(id, message),
+                    close: (message) => connection.close(message),
+                    send: (message) => connection.send(message),
                 });
             }
             else {

package/src/rpc.ts

@@ -4,19 +4,29 @@ type CompileFunction = (code: string, params?: ReadonlyArray<string>, options?:
 export function startPeriodicGarbageCollection() {
     if (!global.gc) {
         console.warn('rpc peer garbage collection not available: global.gc is not exposed.');
-        return;
     }
+    let g: typeof global;
     try {
-        const g = global;
-        if (g.gc) {
-            return setInterval(() => {
-                g.gc!();
-            }, 10000);
-        }
+        g = global;
     }
     catch (e) {
-
     }
+
+    // periodically see if new objects were created or finalized,
+    // and collect gc if so.
+    let lastCollection = 0;
+    return setInterval(() => {
+        const now = Date.now();
+        const sinceLastCollection = now - lastCollection;
+        const remotesCreated = RpcPeer.remotesCreated;
+        RpcPeer.remotesCreated = 0;
+        const remotesCollected = RpcPeer.remotesCollected;
+        RpcPeer.remotesCollected = 0;
+        if (remotesCreated || remotesCollected || sinceLastCollection > 5 * 60 * 1000) {
+            lastCollection = now;
+            g?.gc?.();
+        }
+    }, 10000);
 }
 
 export interface RpcMessage {
@@ -219,8 +229,12 @@ export class RpcPeer {
     transportSafeArgumentTypes = RpcPeer.getDefaultTransportSafeArgumentTypes();
     killed: Promise<void>;
     killedDeferred: Deferred;
+    tags: any = {};
 
     static readonly finalizerIdSymbol = Symbol('rpcFinalizerId');
+    static remotesCollected = 0;
+    static remotesCreated = 0;
+    static activeRpcPeer: RpcPeer;
 
     static isRpcProxy(value: any) {
         return !!value?.[RpcPeer.PROPERTY_PROXY_ID];
@@ -315,6 +329,8 @@ export class RpcPeer {
     }
 
     finalize(entry: LocalProxiedEntry) {
+        RpcPeer.remotesCollected++;
+
         delete this.remoteWeakProxies[entry.id];
         const rpcFinalize: RpcFinalize = {
             __local_proxy_id: entry.id,
@@ -378,6 +394,12 @@ export class RpcPeer {
             if (!proxy)
                 proxy = this.newProxy(__remote_proxy_id, __remote_constructor_name, __remote_proxy_props, __remote_proxy_oneway_methods);
             proxy[RpcPeer.finalizerIdSymbol] = __remote_proxy_finalizer_id;
+
+            const deserializer = this.nameDeserializerMap.get(__remote_constructor_name);
+            if (deserializer) {
+                return deserializer.deserialize(proxy, deserializationContext);
+            }
+
             return proxy;
         }
 
@@ -471,6 +493,8 @@ export class RpcPeer {
     }
 
     newProxy(proxyId: string, proxyConstructorName: string, proxyProps: any, proxyOneWayMethods: string[]) {
+        RpcPeer.remotesCreated++;
+
         const localProxiedEntry: LocalProxiedEntry = {
             id: proxyId,
             finalizerId: undefined,
@@ -484,7 +508,17 @@ export class RpcPeer {
         return proxy;
     }
 
-    async handleMessage(message: RpcMessage, deserializationContext?: any) {
+    handleMessage(message: RpcMessage, deserializationContext?: any) {
+        try {
+            RpcPeer.activeRpcPeer = this;
+            this.handleMessageInternal(message, deserializationContext);
+        }
+        finally {
+            RpcPeer.activeRpcPeer = undefined;
+        }
+    }
+
+    private async handleMessageInternal(message: RpcMessage, deserializationContext?: any) {
         if (Object.isFrozen(this.pendingResults))
             return;
 

package/src/runtime.ts

@@ -1,4 +1,4 @@
-import { Device, DeviceInformation, EngineIOHandler, HttpRequest, HttpRequestHandler, OauthClient, PushHandler, ScryptedDevice, ScryptedInterface, ScryptedInterfaceProperty, ScryptedNativeId } from '@scrypted/types';
+import { Device, DeviceInformation, DeviceProvider, EngineIOHandler, HttpRequest, HttpRequestHandler, OauthClient, ScryptedDevice, ScryptedInterface, ScryptedInterfaceMethod, ScryptedInterfaceProperty, ScryptedNativeId, ScryptedUser as SU } from '@scrypted/types';
 import AdmZip from 'adm-zip';
 import axios from 'axios';
 import * as io from 'engine.io';
@@ -14,13 +14,14 @@ import { PassThrough } from 'stream';
 import tar from 'tar';
 import { URL } from "url";
 import WebSocket, { Server as WebSocketServer } from "ws";
-import { Plugin, PluginDevice, ScryptedAlert } from './db-types';
+import { Plugin, PluginDevice, ScryptedAlert, ScryptedUser } from './db-types';
 import { createResponseInterface } from './http-interfaces';
 import { getDisplayName, getDisplayRoom, getDisplayType, getProvidedNameOrDefault, getProvidedRoomOrDefault, getProvidedTypeOrDefault } from './infer-defaults';
 import { IOServer } from './io';
 import { Level } from './level';
 import { LogEntry, Logger, makeAlertId } from './logger';
-import { hasMixinCycle } from './mixin/mixin-cycle';
+import { getMixins, hasMixinCycle } from './mixin/mixin-cycle';
+import { AccessControls } from './plugin/acl';
 import { PluginDebug } from './plugin/plugin-debug';
 import { PluginDeviceProxyHandler } from './plugin/plugin-device';
 import { PluginHost } from './plugin/plugin-host';
@@ -34,6 +35,7 @@ import { CORSControl, CORSServer } from './services/cors';
 import { Info } from './services/info';
 import { PluginComponent } from './services/plugin';
 import { ServiceControl } from './services/service-control';
+import { UsersService } from './services/users';
 import { getState, ScryptedStateManager, setState } from './state';
 
 interface DeviceProxyPair {
@@ -76,6 +78,7 @@ export class ScryptedRuntime extends PluginHttp<HttpPluginData> {
     alerts = new Alerts(this);
     corsControl = new CORSControl(this);
     addressSettings = new AddressSettings(this);
+    usersService = new UsersService(this);
 
     constructor(datastore: Level, insecure: http.Server, secure: https.Server, app: express.Application) {
         super(app);
@@ -91,6 +94,11 @@ export class ScryptedRuntime extends PluginHttp<HttpPluginData> {
         });
 
         app.all('/engine.io/shell', (req, res) => {
+            if (res.locals.aclId) {
+                res.writeHead(401);
+                res.end();
+                return;
+            }
             this.shellHandler(req, res);
         });
 
@@ -251,21 +259,6 @@ export class ScryptedRuntime extends PluginHttp<HttpPluginData> {
         };
     }
 
-    async deliverPush(endpoint: string, request: HttpRequest) {
-        const { pluginHost, pluginDevice } = await this.getPluginForEndpoint(endpoint);
-        if (!pluginDevice) {
-            console.error('plugin device missing for', endpoint);
-            return;
-        }
-
-        if (!pluginDevice?.state.interfaces.value.includes(ScryptedInterface.PushHandler)) {
-            return;
-        }
-
-        const handler = this.getDevice<PushHandler>(pluginDevice._id);
-        return handler.onPush(request);
-    }
-
     async shellHandler(req: Request, res: Response) {
         const isUpgrade = isConnectionUpgrade(req.headers);
 
@@ -345,7 +338,14 @@ export class ScryptedRuntime extends PluginHttp<HttpPluginData> {
         });
 
         // @ts-expect-error
-        await handler.onConnection(httpRequest, new WebSocketConnection(`ws://${id}`));
+        await handler.onConnection(httpRequest, new WebSocketConnection(`ws://${id}`, {
+            send(message) {
+                ws.send(message);
+            },
+            close(message) {
+                ws.close();
+            },
+        }));
     }
 
     async getComponent(componentId: string): Promise<any> {
@@ -370,6 +370,8 @@ export class ScryptedRuntime extends PluginHttp<HttpPluginData> {
                 return this.corsControl;
             case 'addresses':
                 return this.addressSettings;
+            case "users":
+                return this.usersService;
         }
     }
 
@@ -385,9 +387,31 @@ export class ScryptedRuntime extends PluginHttp<HttpPluginData> {
         return packageJson;
     }
 
-    handleEngineIOEndpoint(req: Request, res: ServerResponse, endpointRequest: HttpRequest, pluginData: HttpPluginData) {
+    async handleEngineIOEndpoint(req: Request, res: ServerResponse & { locals: any }, endpointRequest: HttpRequest, pluginData: HttpPluginData) {
         const { pluginHost, pluginDevice } = pluginData;
 
+        const { username } = res.locals;
+        let accessControls: AccessControls;
+        if (username) {
+            const user = await this.datastore.tryGet(ScryptedUser, username);
+            if (user.aclId) {
+                const accessControl = this.getDevice<SU>(user.aclId);
+                try {
+                    const acls = await accessControl.getScryptedUserAccessControl();
+                    if (acls) {
+                        accessControls = new AccessControls(acls);
+                        if (accessControls.shouldRejectMethod(pluginDevice._id, ScryptedInterfaceMethod.onConnection))
+                            accessControls.deny();
+                    }
+                }
+                catch (e) {
+                    res.writeHead(401);
+                    res.end();
+                    return;
+                }
+            }
+        }
+
         if (!pluginHost || !pluginDevice) {
             console.error('plugin does not exist or is still starting up.');
             res.writeHead(500);
@@ -398,6 +422,7 @@ export class ScryptedRuntime extends PluginHttp<HttpPluginData> {
         (req as any).scrypted = {
             endpointRequest,
             pluginDevice,
+            accessControls,
         };
         if ((req as any).upgradeHead)
             pluginHost.io.handleUpgrade(req, res.socket, (req as any).upgradeHead)
@@ -627,8 +652,23 @@ export class ScryptedRuntime extends PluginHttp<HttpPluginData> {
         this.setupPluginHostAutoRestart(pluginHost);
         this.plugins[pluginId] = pluginHost;
 
+        const pluginDeviceSet = new Set<string>();
         for (const pluginDevice of pluginDevices) {
-            this.getDevice(pluginDevice._id)?.probe().catch(() => {});
+            if (pluginDeviceSet.has(pluginDevice._id))
+                continue;
+            pluginDeviceSet.add(pluginDevice._id);
+            this.getDevice(pluginDevice._id)?.probe().catch(() => { });
+        }
+
+        for (const pluginDevice of Object.values(this.pluginDevices)) {
+            const { _id } = pluginDevice;
+            if (pluginDeviceSet.has(_id))
+                continue;
+            for (const mixinId of getMixins(this, _id)) {
+                if (pluginDeviceSet.has(mixinId)) {
+                    this.getDevice(_id)?.probe().catch(() => { });
+                }
+            }
         }
 
         return pluginHost;
@@ -684,6 +724,7 @@ export class ScryptedRuntime extends PluginHttp<HttpPluginData> {
                 continue;
             await this.removeDevice(provided);
         }
+        const providerId = device.state?.providerId?.value;
         device.state = undefined;
 
         this.invalidatePluginDevice(device._id);
@@ -706,6 +747,8 @@ export class ScryptedRuntime extends PluginHttp<HttpPluginData> {
                 // notify the plugin that a device was removed.
                 const plugin = this.plugins[device.pluginId];
                 await plugin.remote.setNativeId(device.nativeId, undefined, undefined);
+                const provider = this.getDevice<DeviceProvider>(providerId);
+                await provider?.releaseDevice(device._id, device.nativeId);
             }
             catch (e) {
                 // may throw if the plugin is killed, etc.

package/src/scrypted-server-main.ts

@@ -25,6 +25,7 @@ import { PluginError } from './plugin/plugin-error';
 import { getScryptedVolume } from './plugin/plugin-volume';
 import { ONE_DAY_MILLISECONDS, UserToken } from './usertoken';
 import os from 'os';
+import { setScryptedUserPassword } from './services/users';
 
 if (!semver.gte(process.version, '16.0.0')) {
     throw new Error('"node" version out of date. Please update node to v16 or higher.')
@@ -123,7 +124,8 @@ async function start() {
         realm: 'Scrypted',
     }, async (username, password, callback) => {
         const user = await db.tryGet(ScryptedUser, username);
-        if (!user) {
+        // disallow basic auth for non-admin as it can deploy plugins, etc.
+        if (!user || user.aclId) {
             callback(false);
             return;
         }
@@ -159,13 +161,6 @@ async function start() {
         next();
     })
 
-    app.options('*', (req, res) => {
-        // add more?
-        res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-        res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Content-Length, X-Requested-With');
-        res.send(200);
-    });
-
     const authSalt = crypto.randomBytes(16);
     const createAuthorizationToken = (login_user_token: string) => {
         const salted = login_user_token + authSalt;
@@ -188,7 +183,7 @@ async function start() {
 
         const userToken = getSignedLoginUserToken(req);
         if (userToken) {
-            const { username } = userToken;
+            const { username, aclId } = userToken;
 
             // this database lookup on every web request is not necessary, the cookie
             // itself is the auth, and is signed. furthermore, this is currently
@@ -202,6 +197,7 @@ async function start() {
             // }
 
             res.locals.username = username;
+            res.locals.aclId = aclId;
         }
         else if (req.headers.authorization?.startsWith('Bearer ')) {
             const [checkHash, ...tokenParts] = req.headers.authorization.substring('Bearer '.length).split('#');
@@ -216,6 +212,7 @@ async function start() {
                     const userToken = validateToken(tokenPart);
                     if (userToken)
                         res.locals.username = userToken.username;
+                    res.locals.aclId = userToken.aclId;
                 }
             }
         }
@@ -240,7 +237,7 @@ async function start() {
 
     // verify all plugin related requests have some sort of auth
     app.all('/web/component/*', (req, res, next) => {
-        if (!res.locals.username) {
+        if (!res.locals.username || res.locals.aclId) {
             res.status(401);
             res.send('Not Authorized');
             return;
@@ -466,7 +463,7 @@ async function start() {
                 return;
             }
 
-            const userToken = new UserToken(username, timestamp, maxAge);
+            const userToken = new UserToken(username, user.aclId, timestamp, maxAge);
             const login_user_token = userToken.toString();
             res.cookie(getLoginUserToken(req.secure), login_user_token, {
                 maxAge,
@@ -476,9 +473,7 @@ async function start() {
             });
 
             if (change_password) {
-                user.salt = crypto.randomBytes(64).toString('base64');
-                user.passwordHash = crypto.createHash('sha256').update(user.salt + change_password).digest().toString('hex');
-                user.passwordDate = timestamp;
+                setScryptedUserPassword(user, change_password, timestamp);
                 await db.upsert(user);
             }
 
@@ -502,14 +497,12 @@ async function start() {
 
         const user = new ScryptedUser();
         user._id = username;
-        user.salt = crypto.randomBytes(64).toString('base64');
-        user.passwordHash = crypto.createHash('sha256').update(user.salt + password).digest().toString('hex');
-        user.passwordDate = timestamp;
+        setScryptedUserPassword(user, password, timestamp);
         user.token = crypto.randomBytes(16).toString('hex');
         await db.upsert(user);
         hasLogin = true;
 
-        const userToken = new UserToken(username, timestamp);
+        const userToken = new UserToken(username, user.aclId, timestamp);
         const login_user_token = userToken.toString();
         res.cookie(getLoginUserToken(req.secure), login_user_token, {
             maxAge,

package/src/services/plugin.ts

@@ -29,12 +29,10 @@ export class PluginComponent {
         await this.reload(pluginDevice.pluginId);
     }
 
-    getNativeId(id: string) {
-        return this.scrypted.findPluginDeviceById(id)?.nativeId;
-    }
     getStorage(id: string) {
         return this.scrypted.findPluginDeviceById(id)?.storage || {};
     }
+
     async setStorage(id: string, storage: { [key: string]: string }) {
         const pluginDevice = this.scrypted.findPluginDeviceById(id);
         pluginDevice.storage = storage;
@@ -65,17 +63,9 @@ export class PluginComponent {
     async getIdForNativeId(pluginId: string, nativeId: ScryptedNativeId) {
         return this.scrypted.findPluginDevice(pluginId, nativeId)?._id;
     }
-    /**
-     * @deprecated available as device.pluginId now.
-     * Remove at some point after core/ui rolls out 6/20/2022.
-     */
-    async getPluginId(id: string) {
-        const pluginDevice = this.scrypted.findPluginDeviceById(id);
-        return pluginDevice.pluginId;
-    }
     async reload(pluginId: string) {
         const plugin = await this.scrypted.datastore.tryGet(Plugin, pluginId);
-        await this.scrypted.runPlugin(plugin);
+        this.scrypted.runPlugin(plugin);
     }
     async kill(pluginId: string) {
         return this.scrypted.plugins[pluginId]?.kill();

package/src/services/users.ts

@@ -0,0 +1,43 @@
+import { ScryptedUser } from "../db-types";
+import { ScryptedRuntime } from "../runtime";
+import crypto from 'crypto';
+
+export class UsersService {
+    constructor(public scrypted: ScryptedRuntime) {
+    }
+
+    async getAllUsers() {
+        const users: ScryptedUser[] = [];
+        for await (const user of this.scrypted.datastore.getAll(ScryptedUser)) {
+            users.push(user);
+        }
+
+        return users.map(user => ({
+            username: user._id,
+            admin: !user.aclId,
+        }));
+    }
+
+    async removeUser(username: string) {
+        await this.scrypted.datastore.removeId(ScryptedUser, username);
+    }
+
+    async removeAllUsers() {
+        await this.scrypted.datastore.removeAll(ScryptedUser);
+    }
+
+    async addUser(username: string, password: string, aclId: string) {
+        const user = new ScryptedUser();
+        user._id = username;
+        user.aclId = aclId;
+        setScryptedUserPassword(user, password, Date.now());
+        await this.scrypted.datastore.upsert(user);
+    }
+}
+
+export function setScryptedUserPassword(user: ScryptedUser, password: string, timestamp: number) {
+    user.salt = crypto.randomBytes(64).toString('base64');
+    user.passwordHash = crypto.createHash('sha256').update(user.salt + password).digest().toString('hex');
+    user.passwordDate = timestamp;
+    user.token = crypto.randomBytes(16).toString('hex');
+}

package/src/usertoken.ts

@@ -2,21 +2,27 @@ export const ONE_DAY_MILLISECONDS = 86400000;
 export const ONE_YEAR_MILLISECONDS = ONE_DAY_MILLISECONDS * 365;
 
 export class UserToken {
-    constructor(public username: string, public timestamp = Date.now(), public duration = ONE_DAY_MILLISECONDS) {
+    constructor(public username: string, public aclId: string, public timestamp = Date.now(), public duration = ONE_DAY_MILLISECONDS) {
     }
 
     static validateToken(token: string): UserToken {
-        let json: any;
+        let json: {
+            u: string,
+            a: string,
+            t: number,
+            d: number,
+        };
         try {
             json = JSON.parse(token);
         }
         catch (e) {
             throw new Error('Token malformed, unparseable.');
         }
-        let { u, t, d } = json;
+        let { u, a, t, d } = json;
         u = u?.toString();
-        t = parseInt(t);
-        d = parseInt(d);
+        t = parseInt(t?.toString());
+        d = parseInt(d?.toString());
+        a = a?.toString();
         if (!u || !t || !d)
             throw new Error('Token malformed, missing properties.');
         if (d > ONE_YEAR_MILLISECONDS)
@@ -25,12 +31,13 @@ export class UserToken {
             throw new Error('Token from the future.');
         if (t + d < Date.now())
             throw new Error('Token expired.');
-        return new UserToken(u, t, d);
+        return new UserToken(u, a, t, d);
     }
 
     toString(): string {
         return JSON.stringify({
             u: this.username,
+            a: this.aclId,
             t: this.timestamp,
             d: this.duration,
         })