[GH-ISSUE #1815] Login verification bugs when using fp-multiuser #1432

New issue

Closed

opened 2026-05-05 12:54:28 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented 2026-05-05 12:54:28 -06:00

Owner

Copy link

Originally created by @Erik-37 on GitHub (May 20, 2020).
Original GitHub issue: https://github.com/fatedier/frp/issues/1815

What version of frp are you using (./frpc -v or ./frps -v)?
0.32.1

What operating system and processor architecture are you using (go env)?
linux_amd64
darwin_amd64

Configures you used:
frps:

bind_addr = 0.0.0.0
bind_port = 7100
bind_udp_port = 7001

log_level = trace
enable_prometheus = true
dashboard_addr = 0.0.0.0
dashboard_port = 7300

vhost_http_port = 8080

[plugin.multiuser]
addr = 127.0.0.1:7200
path = /handler
ops = Login

token:

frpc1=123
frpc2=abc 

frpc1

[common]
server_addr = x.x.x.x
server_port = 7100
user = frpc_worker1
meta_token = 123

admin_addr = 0.0.0.0
admin_port = 7400
admin_user = admin
admin_pwd = admin

[test_server]
type = stcp
local_ip = 127.0.0.1
local_port = 22

frpc2:

[common]
server_addr = x.x.x.x
server_port = 7100

[test_visitor]
type = stcp
role = visitor
server_name = test_server
bind_addr = 127.0.0.1
bind_port = 6000

Steps to reproduce the issue:

1. ./fp-multiuser -l 127.0.0.1:7200 -f ./tokens
2. Delete user and meta_token,but it can be successful sign in frps.

Describe the results you expected:
login to server failed: invalid meta token

Originally created by @Erik-37 on GitHub (May 20, 2020). Original GitHub issue: https://github.com/fatedier/frp/issues/1815 **What version of frp are you using (./frpc -v or ./frps -v)?** 0.32.1 **What operating system and processor architecture are you using (`go env`)?** linux_amd64 darwin_amd64 **Configures you used:** frps: ``` [common] bind_addr = 0.0.0.0 bind_port = 7100 bind_udp_port = 7001 log_level = trace enable_prometheus = true dashboard_addr = 0.0.0.0 dashboard_port = 7300 vhost_http_port = 8080 [plugin.multiuser] addr = 127.0.0.1:7200 path = /handler ops = Login ``` token: ``` frpc1=123 frpc2=abc ``` frpc1 ``` [common] server_addr = x.x.x.x server_port = 7100 user = frpc_worker1 meta_token = 123 admin_addr = 0.0.0.0 admin_port = 7400 admin_user = admin admin_pwd = admin [test_server] type = stcp local_ip = 127.0.0.1 local_port = 22 ``` frpc2: ``` [common] server_addr = x.x.x.x server_port = 7100 [test_visitor] type = stcp role = visitor server_name = test_server bind_addr = 127.0.0.1 bind_port = 6000 ``` **Steps to reproduce the issue:** 1. ./fp-multiuser -l 127.0.0.1:7200 -f ./tokens 2. Delete user and meta_token,but it can be successful sign in frps. **Describe the results you expected:** login to server failed: invalid meta token

gitea-mirror closed this issue 2026-05-05 12:54:29 -06:00

gitea-mirror commented 2026-05-05 12:54:31 -06:00

Author

Owner

Copy link

@brvphoenix commented on GitHub (May 20, 2020):

Modify the conditional logic in the this line and recompile it yourself.

From:
if c.tokens[content.User] == token {
to:
if (len(content.User) > 0 && len(token) > 0) && c.tokens[content.User] == token {

This modification will make it reject clients without the keywords "user" and "meta_token", and you can also test the self-compiled binaries of linux-amd64.
fp-multiuser-linux-amd64.zip

<!-- gh-comment-id:631346286 --> @brvphoenix commented on GitHub (May 20, 2020): Modify the conditional logic in the this [line](https://github.com/gofrp/fp-multiuser/blob/65586dc763a20c4f170edbf569333114665428d7/pkg/server/controller/op.go#L37) and recompile it yourself. From: `if c.tokens[content.User] == token {` to: `if (len(content.User) > 0 && len(token) > 0) && c.tokens[content.User] == token {` This modification will make it reject clients without the keywords "user" and "meta_token", and you can also test the self-compiled binaries of linux-amd64. [fp-multiuser-linux-amd64.zip](https://github.com/fatedier/frp/files/4655729/fp-multiuser-linux-amd64.zip)

gitea-mirror commented 2026-05-05 12:54:32 -06:00

Author

Owner

Copy link

@Erik-37 commented on GitHub (May 20, 2020):

Modify the conditional logic in the this line and recompile it yourself.

From:
if c.tokens[content.User] == token {
to:
if (len(content.User) > 0 && len(token) > 0) && c.tokens[content.User] == token {

This modification will make it reject clients without the keywords "user" and "meta_token", and you can also test the self-compiled binaries of linux-amd64.
fp-multiuser-linux-amd64.zip

Great solution!!! thanks

<!-- gh-comment-id:631369919 --> @Erik-37 commented on GitHub (May 20, 2020): > Modify the conditional logic in the this [line](https://github.com/gofrp/fp-multiuser/blob/65586dc763a20c4f170edbf569333114665428d7/pkg/server/controller/op.go#L37) and recompile it yourself. > > From: > `if c.tokens[content.User] == token {` > to: > `if (len(content.User) > 0 && len(token) > 0) && c.tokens[content.User] == token {` > > This modification will make it reject clients without the keywords "user" and "meta_token", and you can also test the self-compiled binaries of linux-amd64. > [fp-multiuser-linux-amd64.zip](https://github.com/fatedier/frp/files/4655729/fp-multiuser-linux-amd64.zip) Great solution!!! thanks

gitea-mirror commented 2026-05-05 12:54:33 -06:00

Author

Owner

Copy link

@fatedier commented on GitHub (May 21, 2020):

@brvphoenix Can you send a PR with your modification to fp-multiuser.

<!-- gh-comment-id:631851528 --> @fatedier commented on GitHub (May 21, 2020): @brvphoenix Can you send a PR with your modification to [fp-multiuser](https://github.com/gofrp/fp-multiuser).

gitea-mirror commented 2026-05-05 12:54:34 -06:00

Author

Owner

Copy link

@brvphoenix commented on GitHub (May 21, 2020):

@fatedier
https://github.com/gofrp/fp-multiuser/pull/2

<!-- gh-comment-id:631859701 --> @brvphoenix commented on GitHub (May 21, 2020): @fatedier https://github.com/gofrp/fp-multiuser/pull/2

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

new

master

copilot/review-pull-request-5198

v0.68.1

v0.68.0

v0.67.0

v0.66.0

v0.65.0

v0.64.0

v0.63.0

v0.62.1

v0.62.0

v0.61.2

v0.61.1

v0.61.0

v0.60.0

v0.59.0

v0.58.1

v0.58.0

v0.57.0

v0.56.0

v0.55.1

v0.55.0

v0.54.0

v0.53.2

v0.53.1

v0.53.0

v0.52.3

v0.52.2

v0.52.1

v0.52.0

v0.51.3

v0.51.2

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.1

v0.46.0

v0.45.0

v0.44.0

v0.43.0

v0.42.0

v0.41.0

v0.40.0

v0.39.1

v0.39.0

v0.38.0

v0.37.1

v0.37.0

v0.36.2

v0.36.1

v0.36.0

v0.35.1

v0.35.0

v0.34.3

v0.34.2

v0.34.1

v0.34.0

v0.33.0

v0.32.1

v0.32.0

v0.31.2

v0.31.1

v0.31.0

v0.30.0

v0.29.1

v0.29.0

v0.28.2

v0.28.1

v0.28.0

v0.27.1

v0.27.0

v0.26.0

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.3

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.0

v0.19.1

v0.19.0

v0.18.0

v0.17.0

v0.16.1

v0.16.0

v0.15.1

v0.15.0

v0.14.1

v0.14.0

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.1

v0.8.0

v0.7.0

v0.6.0

v0.5.0

v0.3.0

v0.2.0

v0.1.0

Labels

Clear labels   

In Progress

  

WIP

  

WaitingForInfo

  

bug

  

doc

  

duplicate

  

easy

  

enhancement

  

future

  

help wanted

  

invalid

  

lifecycle/stale

  

need-issue-template

  

need-usage-help

  

no plan

  

proposal

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

todo

No labels

In Progress

WIP

WaitingForInfo

bug

doc

duplicate

easy

enhancement

future

help wanted

invalid

lifecycle/stale

need-issue-template

need-usage-help

no plan

proposal

pull-request

question

todo

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#1432

No description provided.