From 247f0b7eb130d35cc6d6a214a55c6a8f8afb5dd2 Mon Sep 17 00:00:00 2001
From: fufesou <13586388+fufesou@users.noreply.github.com>
Date: Wed, 23 Jul 2025 15:43:55 +0800
Subject: [PATCH] fix: terminal, check service_id (#12384)

Signed-off-by: fufesou <linlong1266@gmail.com>
---
 src/server/connection.rs       | 25 ++++++++++++++++++++++++-
 src/server/terminal_service.rs | 16 ++++++++++++++--
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/src/server/connection.rs b/src/server/connection.rs
index 7da629508..e02b24918 100644
--- a/src/server/connection.rs
+++ b/src/server/connection.rs
@@ -1989,6 +1989,25 @@ impl Connection {
                         sleep(1.).await;
                         return false;
                     }
+
+                    #[cfg(not(any(target_os = "android", target_os = "ios")))]
+                    if let Some(is_user) =
+                        terminal_service::is_service_specified_user(&self.terminal_service_id)
+                    {
+                        if let Some(user_token) = &self.terminal_user_token {
+                            let has_service_token =
+                                user_token.to_terminal_service_token().is_some();
+                            if is_user != has_service_token {
+                                // This occurs when the service id (in the configuration) is manually changed by the user, causing a mismatch in validation.
+                                log::error!("Terminal service user mismatch detected. The service ID may have been manually changed in the configuration, causing validation to fail.");
+                                // No need to translate the following message, because it is in an abnormal case.
+                                self.send_login_error("Terminal service user mismatch detected.")
+                                    .await;
+                                sleep(1.).await;
+                                return false;
+                            }
+                        }
+                    }
                 }
                 Some(login_request::Union::PortForward(mut pf)) => {
                     if !Connection::permission("enable-tunnel") {
@@ -2944,7 +2963,11 @@ impl Connection {
     }
 
     #[cfg(any(target_os = "linux", target_os = "macos"))]
-    fn fill_terminal_user_token(&mut self, _username: &str, _password: &str) -> Option<&'static str> {
+    fn fill_terminal_user_token(
+        &mut self,
+        _username: &str,
+        _password: &str,
+    ) -> Option<&'static str> {
         self.terminal_user_token = Some(TerminalUserToken::SelfUser);
         None
     }
diff --git a/src/server/terminal_service.rs b/src/server/terminal_service.rs
index 3a3bcdb87..945ae27bd 100644
--- a/src/server/terminal_service.rs
+++ b/src/server/terminal_service.rs
@@ -98,10 +98,15 @@ fn get_default_shell() -> String {
     }
 }
 
+pub fn is_service_specified_user(service_id: &str) -> Option<bool> {
+    get_service(service_id).map(|s| s.lock().unwrap().is_specified_user)
+}
+
 /// Get or create a persistent terminal service
 fn get_or_create_service(
     service_id: String,
     is_persistent: bool,
+    is_specified_user: bool,
 ) -> Result<Arc<Mutex<PersistentTerminalService>>> {
     let mut services = TERMINAL_SERVICES.lock().unwrap();
 
@@ -124,6 +129,7 @@ fn get_or_create_service(
             Arc::new(Mutex::new(PersistentTerminalService::new(
                 service_id.clone(),
                 is_persistent,
+                is_specified_user,
             )))
         })
         .clone();
@@ -306,7 +312,11 @@ pub fn new(
     user_token: Option<UserToken>,
 ) -> GenericService {
     // Create the service with initial persistence setting
-    allow_err!(get_or_create_service(service_id.clone(), is_persistent));
+    allow_err!(get_or_create_service(
+        service_id.clone(),
+        is_persistent,
+        user_token.is_some()
+    ));
     let svc = TerminalService {
         sp: GenericService::new(service_id.clone(), false),
         user_token,
@@ -546,10 +556,11 @@ pub struct PersistentTerminalService {
     last_activity: Instant,
     pub is_persistent: bool,
     needs_session_sync: bool,
+    is_specified_user: bool,
 }
 
 impl PersistentTerminalService {
-    pub fn new(service_id: String, is_persistent: bool) -> Self {
+    pub fn new(service_id: String, is_persistent: bool, is_specified_user: bool) -> Self {
         Self {
             service_id,
             sessions: HashMap::new(),
@@ -557,6 +568,7 @@ impl PersistentTerminalService {
             last_activity: Instant::now(),
             is_persistent,
             needs_session_sync: false,
+            is_specified_user,
         }
     }