From fa39f8a10537982953fd7ee708c621b2d2ead6e0 Mon Sep 17 00:00:00 2001
From: si458
Date: Fri, 16 Aug 2024 16:02:21 +0100
Subject: [PATCH] fix meshctrl with key=xxx and loginkey #6328

Signed-off-by: si458
---
 meshctrl.js | 6 ++++--
 webserver.js | 7 ++++++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/meshctrl.js b/meshctrl.js
index f3186f41..32937d20 100644
--- a/meshctrl.js
+++ b/meshctrl.js
@@ -1270,10 +1270,10 @@ function serverConnect() {
 var domainid = '', username = 'admin';
 if (args.logindomain != null) { domainid = args.logindomain; }
 if (args.loginuser != null) { username = args.loginuser; }
- url += '?auth=' + encodeCookie({ userid: 'user/' + domainid + '/' + username, domainid: domainid }, ckey);
+ url += (url.indexOf('?key=') >= 0 ? '&auth=' : '?auth=') + encodeCookie({ userid: 'user/' + domainid + '/' + username, domainid: domainid }, ckey);
 } else {
 if (args.logindomain != null) { console.log("--logindomain can only be used along with --loginkey."); process.exit(); return; }
- if (loginCookie != null) { url += '?auth=' + loginCookie; }
+ if (loginCookie != null) { url += (url.indexOf('?key=') >= 0 ? '&auth=' : '?auth=') + loginCookie; }
 }
 
 const ws = new WebSocket(url, options);
@@ -2401,6 +2401,8 @@ function serverConnect() {
 if (data.cause == 'noauth') {
 if (data.msg == 'tokenrequired') {
 console.log('Authentication token required, use --token [number].');
+ } else if (data.msg == 'nokey') {
+ console.log('URL key is invalid or missing, please specify ?key=xxx in url');
 } else {
 if ((args.loginkeyfile != null) || (args.loginkey != null)) {
 console.log('Invalid login, check the login key and that this computer has the correct time.');
diff --git a/webserver.js b/webserver.js
index 37bfe53c..4a81e6ba 100644
--- a/webserver.js
+++ b/webserver.js
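Review bot: In the meshctrl.js hunk at -1270, the separator test `url.indexOf('?key=') >= 0` only recognises `key` as the first query parameter, so a server URL that carries any other query string (or `key` in a later position) still gets `?auth=` appended and the server will not see `auth` as a separate parameter. Both changed lines share this; testing for any existing query string is more robust: `url += (url.indexOf('?') >= 0 ? '&auth=' : '?auth=') + loginCookie;`, with the same separator expression on the `encodeCookie(...)` line. Separately, the URL key and the auth cookie both travel in the query string, which reverse proxies and access logs commonly record, so a comment here reminding operators to treat those logs as sensitive would help. serverConnect() starts and ends outside the hunk.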
@@ -6573,12 +6573,17 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
 try { ws.close(); } catch (ex) { }
 return;
 }
- if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { ws.close(); return; } // Check 3FA URL key
+ if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { // Check 3FA URL key
+ try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'nokey' })); } catch (ex) { }
+ try { ws.close(); } catch (ex) { }
+ return;
+ }
 PerformWSSessionAuth(ws, req, true, function (ws1, req1, domain, user, cookie, authData) {
 if (user == null) { // User is not authenticated, perform inner server authentication
 if (req.headers['x-meshauth'] === '*') {
 PerformWSSessionInnerAuth(ws, req, domain, function (ws1, req1, domain, user) { obj.meshUserHandler.CreateMeshUser(obj, obj.db, ws1, req1, obj.args, domain, user, authData); }); // User is authenticated
 } else {
+ try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'noauth' })); } catch (ex) { }
 try { ws.close(); } catch (ex) { } // user is not authenticated and inner authentication was not requested, disconnect now.
 }
 } else {
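Review bot: The new `nokey` reply in the URL-key branch tells a client that has not authenticated yet that the key check, rather than the credential check, is what failed, and nothing in this hunk logs or throttles those rejections. If the key is meant to act as an additional secret factor (the comment calls it a 3FA URL key), I would record each rejection server-side with the client address, apply the same lockout policy as for bad logins, and state the trade-off in a comment such as `// 'nokey' is sent before authentication; failed key attempts should be logged and rate limited`. The retained check `domain.loginkey.indexOf(req.query.key) == -1` is an exact match only when `domain.loginkey` is an array and `req.query.key` is a string; if loginkey can reach this point as a plain string, indexOf becomes a substring test, so it is worth confirming the config is normalised to an array or adding a `typeof req.query.key !== 'string'` guard. The enclosing handler starts and ends outside the hunk.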