NFo control panel node.js library

This is used for general discussion that is not necessarily server-related.
Vortire
A semi-regular
Posts: 24
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Sat Mar 21, 2020 3:32 am
Location: United Kingdom

Re: NFo control panel node.js library

Post by Vortire »

I've updated my API to V2. It now supports custom syntax, profiles and instructions to make calling the API quicker and easier to understand.

https://gist.github.com/Vortire/5583ff0 ... 71c833ba5c

Documentation:


##############################################################
#
#  NFO2 API C# - Vortire.com - 2021
#
#   "//" or "#" at the beginning of a line signifies a comment.
#
#   You can create profiles, instructions, send GET and POST
#   requests as shown below.
#
#   By default, this introduction will send a GET request
#   using "profile1" to the current events page of NFO.
#
#
#   To call this API using this test syntax, create a text
#   file called "test.txt" and call the NFO2 API like so:
#
#   string[] x = NFO2.Parse(File.ReadAllText("test.txt"));
#   foreach(string y in x) { Console.WriteLine(y); }
#
##############################################################

// Ensure we let the parser know we are using " -> " instead of "->"
{{spaced-seperators}}

// Create new profile
Create_Profile -> Named:profile1 -> WithEmail:example@example.com -> WithPassword:example -> WithServiceName:exampleservice

// Send GET request
Send_Get -> To:https://www.nfoservers.com/control/events.pl -> WithProfile:profile1 -> SetResultTo:currentserverstatus


# Uncomment below lines to perform POST requests
// Creating the instruction to shutdown a server
// Create_Instruction -> Named:shutd -> WithData:%shutdown%

// Requesting server shutdown
// Send_Post -> To:example.pl -> WithProfile:profile1 -> WithInstruction:shutd

Naleksuh
This is my homepage
Posts: 298
Joined: Thu Jul 25, 2019 12:35 am

Re: NFo control panel node.js library

Post by Naleksuh »

Hi Vortire, unfortunately I will not be able to complete the additions I promised earlier, as in order to do this I required staff assistance which has been denied for internal reasons. However, I only started working on it due to the lack of an API to begin with! Thanks for the help with porting my code to C#.

Re: NFo control panel node.js library

Post by Naleksuh »

knowcretz wrote: Thu Mar 02, 2023 2:46 am I've used the GET methods to create a system that automatically notifies me if my service is experiencing any attacks (thanks to Cloudflare I haven't had any in months). As if anyone else has used it, I'm unsure.
Isn't it against NFO TOS to use Cloudflare with NFO hosting? Also, how is not having attacks "thanks to" a security-through-obscurity tunneling MITM tool?
TimeX
Staff
Posts: 1730
Joined: Thu Jul 22, 2004 12:24 am
Location: Big Bear, CA

Re: NFo control panel node.js library

Post by TimeX »

Naleksuh wrote: Thu Mar 02, 2023 3:40 pm Isn't it against NFO TOS to use Cloudflare with NFO hosting?
It is not against the TOS, however it is not recommended, and Cloudflare services are often incompatible with our systems.

Also, what you were replying to was a spam bot that I have now removed.
TimeX

Re: NFo control panel node.js library

Post by Naleksuh »

TimeX wrote: Fri Mar 03, 2023 6:35 am
Naleksuh wrote: Thu Mar 02, 2023 3:40 pm Isn't it against NFO TOS to use Cloudflare with NFO hosting?
It is not against the TOS, however it is not recommended, and Cloudflare services are often incompatible with our systems.
Hm. I recall one case in which Cloudflare was amplifying an attack because someone had used Cloudflare, their website was being attacked, and Cloudflare literally proxied the attack. I thought after that it was no longer allowed to use Cloudflare but maybe I misremembered.
Also, what you were replying to was a spam bot that I have now removed.
Damn, I did not notice that. I have seen (and ignored) a lot of spam posts here but those bots keep getting smarter D: Like the ones that copy human posts, have disguised links, ones that paraphrase human posts, ones that make legit posts but hide spam in their profile, two bots having a fake conversation with each other, one that was impersonating a staff member (I think the username was "TjmeX"?) and even more stuff that I have forgotten about. Real scary stuff
Edge100x
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: NFo control panel node.js library

Post by Edge100x »

I'm sure we'll be seeing a lot start using ChatGPT, too, for more realistic-sounding content that can't be directly found elsewhere.

Re: NFo control panel node.js library

Post by Edge100x »

The login system was changed today in a way that may break unofficial automation utilities. Specifically, "cookietoken" was renamed to the more-apt "csrftoken". This will impact POSTs that submit with an email and password specified through a cookie (when an email and password are specified through POST variables, they should not need to specify a csrftoken).

Specifying an email and password through a cookie is also now deprecated (it currently still works but will likely be removed in the future). Email and password are now specified as POST variables during the initial login, and the system will then set a token cookie. This token will continue to be used by the same browser.

Please also note that two-step verification will be an option for user accounts shortly. If an account has 2-step verification enabled, only the token system can be used, and specifying an email and password through POST beyond the initial login page submission will not work. After a token is assigned, an appropriate security code must be entered for the login process to be completed and the token fully activated for use.

Re: NFo control panel node.js library

Post by Naleksuh »

Edge100x wrote: Mon Mar 13, 2023 10:01 am The login system was changed today in a way that may break unofficial automation utilities. Specifically, "cookietoken" was renamed to the more-apt "csrftoken". This will impact POSTs that submit with an email and password specified through a cookie (when an email and password are specified through POST variables, they should not need to specify a csrftoken).

Specifying an email and password through a cookie is also now deprecated (it currently still works but will likely be removed in the future). Email and password are now specified as POST variables during the initial login, and the system will then set a token cookie. This token will continue to be used by the same browser.

Please also note that two-step verification will be an option for user accounts shortly. If an account has 2-step verification enabled, only the token system can be used, and specifying an email and password through POST beyond the initial login page submission will not work. After a token is assigned, an appropriate security code must be entered for the login process to be completed and the token fully activated for use.
Cool, these are some neat updates and I appreciate you telling that. Especially because they are unofficial some people would just not mention it and let it break. But, it is cool to let people know especially in lieu of an official API. I am currently using an automation system for federated access to game servers through a website (though this website is hosted on NFO servers).

Though, I do think cookietoken was a better name than csrftoken because CSRF tokens are usually stored server-side, and not client-side via a cookie. But it's better than having email and password stored in a cookie. Are there any plans to move CSRF tokens to server-side, instead of relying on a cookie that can be whatever you want? (For me it's just "a" always)

What I would like to see next, if you are open to customer suggestions, is reducing the reliance on staff and contact-us feature. While it's very cool the amount of work NFO puts into the support system, too many features require contacting staff to set it up. Also the help desk is closed from 1am to 6am, not a big deal right now but I am moving to Europe this year and there it will be closed from 10am to 3pm, restricting what I can do with my own servers until mid-afternoon!

Edit: The new login system is stuck in a redirect with http://www.nfoservers.com/?errorcode=Em ... d%20needed

Re: NFo control panel node.js library

Post by Edge100x »

Having the CSRF token in a cookie is the standard way of handling it -- you may be thinking of a different type of token, such as a PHP session token. A CSRF token doesn't need to be stored server-side.

With CSRF, the idea is that an attacker could trick a user into making a page submission, using GET or POST, that performs some action desired by the attacker. The attacker won't be able to see the page returned by the link, because the attacker doesn't have that level of control of the victim's browser. Requiring a secret code for any submission that performs an action makes it impossible for the attacker to include it in a link; storing the code in a client-side cookie is a great way to do this, because the attacker won't be able to view that cookie, and the server can simply match it up with what was submitted.

Our systems are heavily automated, and I am not sure what you mean about having too many features requiring staff to set up. We intentionally automate anything that regularly comes up, so that clients don't have to contact us. You'll have to be more specific on the time-sensitive automatable task you are referring to, so that we can evaluate whether it is worth prioritizing its implementation over other work.

I'm not seeing the stuck redirect that you're referring to on this end.

Re: NFo control panel node.js library

Post by Naleksuh »

I understand what CSRF tokens are, but I just mean many applications store the CSRF token on the server backend and then put them into a page form rather than having them on a cookie. One possible issue specific to NFO though is that anyone can create their own subdomain of nfoservers.com and set cookies from it. It looks like browsers will reject the cookie if there's already a secure one there, but you can set the csrftoken cookie for anyone who has cleared it.

The redirect is from pushing Login without entering anything, which gets you this:
Image

It looks like logging out (even via normal means) gets you the same error, but at nfoservers.com's root page instead of with the weird URL with spaces.

For the support issue, I normally just think of them as they come up. I mainly meant in reference to things that other companies allow automated use of, but NFO says to Contact Us for. I will let you know the next time I have one of these issues.

Re: NFo control panel node.js library

Post by Edge100x »

Some applications may, but I wouldn't expect that to be widespread, since using the cookie method for CSRF is a cleaner and more maintainable way.

That would be a fairly complicated attack vector (somehow forcing just the user's csrfcookie to be cleared, then have the user visit another link that sets a new one from a different subdomain) and I would have to look at it in more depth. But I'm not immediately familiar with a way to force a user to delete a cookie through a link on a different page.

I'm not seeing a redirect problem in Firefox, Chrome, or Edge using the URL you gave, whether I am logged in or not. It is properly showing the main page with "Email and password needed" as an error on the login form. You may have something going on with plugins.
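
Added example, not part of any post in this thread and not NFO's code: the cookie-matching ("double-submit") CSRF check discussed above, next to a variant whose token is an HMAC bound to the user's session, so a `csrftoken` value that the server did not issue is rejected even when cookie and form field agree. The session identifier, the secret handling and the `nonce.mac` token format are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: a server-only secret (generated per process for this demo).
const SERVER_SECRET = crypto.randomBytes(32);

// Parse a Cookie header; the first occurrence of a name wins.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!(name in jar)) jar[name] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Naive double-submit: any value passes as long as cookie and field agree.
function naiveCheck(cookieHeader, submitted) {
  const token = parseCookies(cookieHeader).csrftoken;
  return Boolean(token) && token === submitted;
}

function mac(sessionId, nonce) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(`${sessionId}!${nonce}`).digest();
}

// Signed variant: token = nonce.HMAC(secret, sessionId!nonce), so only the
// server can mint a value that is valid for a given session.
function issueToken(sessionId) {
  const nonce = crypto.randomBytes(16).toString('hex');
  return `${nonce}.${mac(sessionId, nonce).toString('hex')}`;
}

function signedCheck(cookieHeader, submitted, sessionId) {
  const token = parseCookies(cookieHeader).csrftoken;
  if (!token || token !== submitted) return false;
  const [nonce, sig] = token.split('.');
  if (!nonce || !sig) return false;
  const given = Buffer.from(sig, 'hex');
  const expected = mac(sessionId, nonce);
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed inputs: "a" stands for a cookie value not issued by the server.
const planted = ['csrftoken=a', 'a'];
console.log('naive accepts planted value: ', naiveCheck(...planted));
console.log('signed accepts planted value:', signedCheck(...planted, 'sess-victim'));
const good = issueToken('sess-victim');
console.log('signed accepts issued token: ', signedCheck(`csrftoken=${good}`, good, 'sess-victim'));
```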

Re: NFo control panel node.js library

Post by Naleksuh »

I don't mean clicking on that URL. I mean this:
1) While logged out, go to www.nfoservers.com
2) Without entering any information into email or password, click "login"

You should get an error (I am using Firefox on Linux).

This also happens when logging out.

Re: NFo control panel node.js library

Post by Edge100x »

Yes, I tried that as well. No problems with it in Firefox 102.9.0esr, Chrome 111.0.5563.65, Edge 110.0.1587.69, or Safari on iOS 16.3.1. Correctly shows the error. Seems as though you may either have a plugin issue, identified a bug in your specific combination of browser and platform, or have a configuration problem (as the error says).

Also no issues with logout on these platforms (either through the CP or that page).

Re: NFo control panel node.js library

Post by Edge100x »

It looks like it was redirecting to a http:// URL instead of https://. This shouldn't cause problems, because it would just redirect again upon the http:// page load, but you must have had a plugin or other configuration that interfered. Possibly an old and buggy https-everywhere type of plugin?

(This wasn't new, either. That code's been in there for years!)

Re: NFo control panel node.js library

Post by Naleksuh »

The only extensions that I have are uBlock Origin (which blocks the Facebook and Twitter trackers that NFO has on its homepage) and Tampermonkey (does nothing on NFO, but does some stuff on other sites). I do however have "HTTPS-Only mode" enabled which is a core feature in Firefox. It looks like turning that off fixed it. However, I don't think I am the only one with this enabled, so is it possible to work around this issue, e.g. by not using spaces in the query message? (From the code it looks like it doesn't even directly display the string anyway, just use that to choose a string)

Update with new post: Yes, that may have been it and that's why it was triggering. There are a lot of references to http:// - even the link to the forums is http://www.nfoservers.com/forums even though the forums have been on a different domain entirely for 8 years. With them now going to https://, will that be fixed or do the spaces also cause an issue?