Updated dependencies, bumped patch version

Fixed a logout bug
Fixed a filename typo
2023-06-26 23:05:26 +10:00 · 2023-06-26 22:26:06 +10:00 · 2023-05-27 23:56:22 +10:00 · 2023-05-15 11:33:32 +10:00 · 2023-05-15 11:02:51 +10:00 · 2023-05-15 10:38:10 +10:00
8 changed files with 3133 additions and 90 deletions
@@ -1,6 +1,6 @@
 {
  "name": "auth-server",
-  "version": "1.7.3",
+  "version": "1.7.9",
  "description": "An API centric auth server. Uses Sequelize and mariaDB by default.",
  "main": "server/server.js",
  "scripts": {
@@ -22,16 +22,20 @@
    "bcryptjs": "^2.4.3",
    "cookie-parser": "^1.4.6",
    "cors": "^2.8.5",
-    "dotenv": "^16.0.3",
+    "dotenv": "^16.3.1",
    "express": "^4.18.2",
    "jsonwebtoken": "^9.0.0",
-    "mariadb": "^3.1.1",
+    "mariadb": "^3.2.0",
    "node-cron": "^3.0.2",
-    "node-fetch": "^2.6.9",
-    "nodemailer": "^6.9.1",
-    "sequelize": "^6.31.1"
+    "node-fetch": "^2.6.11",
+    "nodemailer": "^6.9.3",
+    "npm": "^9.7.2",
+    "sequelize": "^6.32.1"
  },
  "devDependencies": {
    "nodemon": "^2.0.22"
+  },
+  "overrides": {
+    "semver": "^7.5.2"
  }
 }
@@ -19,6 +19,13 @@ const route = async (req, res) => {
 		return res.status(401).send(validateErr);
 	}

+	//script throttle
+	const throttle = await checkThrottle(req.body.email);
+	if (throttle) {
+		console.warn(`Spam Throttled\t${req.body.email} (${req.body.username})`);
+		return res.status(401).send(throttle);
+	}
+
 	//generate the password hash
 	const hash = await bcrypt.hash(req.body.password, await bcrypt.genSalt(11));

@@ -83,6 +90,10 @@ const validateDetails = async (body) => {
 		return 'Missing password';
 	}

+	if (typeof body.password != "string") {
+		return 'Invalid password';
+	}
+
 	if (body.password.length < 8) {
 		return 'Password too short';
 	}
@@ -90,8 +101,41 @@ const validateDetails = async (body) => {
 	return null;
 };

+const checkThrottle = async (email) => {
+	//check email delay
+	const prev = await pendingSignups.findOne({
+		where: {
+			email: email,
+		}
+	});
+
+	const DateOffset = ( offset ) => { //Thanks, SO!
+		return new Date( +new Date + offset );
+	}
+
+	if (!!prev && prev.updatedAt > DateOffset( -5000 )) {
+		return "An unknown error occurred";
+	}
+
+	return null;
+}
+
 const registerPendingSignup = async (body, hash, token) => {
-	const record = await pendingSignups.upsert({
+	//BUGFIX: delete existing pending signups that clash
+	await pendingSignups.destroy({
+		where: {
+			email: body.email
+		}
+	});
+
+	await pendingSignups.destroy({
+		where: {
+			username: body.username
+		}
+	});
+
+	//record it
+	const record = await pendingSignups.create({
 		email: body.email,
 		username: body.username,
 		hash: hash,
@@ -0,0 +1,17 @@
+const Sequelize = require('sequelize');
+const sequelize = require('..');
+
+//DOCS: this isn't set by anything - it's a stub for now
+
+module.exports = sequelize.define('bannedIPAddresses', {
+	content: {
+		type: 'varchar(320)',
+		unique: true
+	},
+
+	expiry: {
+		type: 'DATETIME',
+		allowNull: true,
+		defaultValue: null
+	},
+});
@@ -2,5 +2,6 @@ module.exports = {
 	tokens: require('./tokens'),
 	accounts: require('./accounts'),
 	pendingSignups: require('./pending-signups'),
-	recovery: require('./recovery')
+	recovery: require('./recovery'),
+	bannedIPAddresses: require("./banned-ip-addresses"),
 };
@@ -23,6 +23,9 @@ app.use(cookieParser());
 //database connection
 const database = require('./database');

+//ip-based management
+app.use(require('./utilities/banned-ip-addresses-middleware'));
+
 //access the admin
 app.use('/admin', require('./admin'));

@@ -0,0 +1,33 @@
+const { Op } = require("sequelize");
+const { bannedIPAddresses } = require('../database/models');
+
+//middleware to manage banned IP addresses
+module.exports = async (req, res, next) => {
+	const address = req.header('x-forwarded-for') || req.socket.remoteAddress;
+
+	const record = await bannedIPAddresses.findOne({
+		where: {
+			content: address,
+
+			expiry: {
+				[Op.or]: {
+					//future or forever
+					[Op.gt]: Date.now(),
+					[Op.eq]: null,
+				}
+			}
+		}
+	});
+
+	//log the access timestamp
+	const date = new Date();
+
+	if (!!record) {
+		console.log(`IP blocked\t${address}\t\t\t${date.toTimeString()}`);
+		return res.status(403).send("IP address banned");
+	}
+
+	// console.log(`IP allowed\t${address}\t\t\t${date.toTimeString()}`);
+
+	return next();
+};
@@ -31,7 +31,7 @@ const TokenProvider = props => {
 		let bearer = accessToken;

 		//if expired (10 minutes, normally)
-		const expired = new Date(decode(accessToken).exp * 1000) < Date.now();
+		const expired = new Date(decode(accessToken).exp + 600) < Date.now();

 		if (expired) {
 			//BUGFIX: if logging out, just skip over the refresh token
Author	SHA1	Message	Date
Kayne Ruse	d3e90f7d5d	Updated dependencies, bumped patch version	2023-06-26 23:05:26 +10:00
Kayne Ruse	98887eecce	Fixed a logout bug	2023-06-26 22:26:06 +10:00
Kayne Ruse	95e6bd178e	Fixed a filename typo	2023-05-27 23:56:22 +10:00
Kayne Ruse	ac7c8d04ed	Last patch today, I'm happy with this rn	2023-05-15 11:33:32 +10:00
Kayne Ruse	fd44712e37	BUGFIX: clashing pending signups fixed	2023-05-15 11:02:51 +10:00
Kayne Ruse	b3c7f7cb5e	Added ip-banning middleware, under development	2023-05-15 10:38:10 +10:00
Kayne Ruse	db03373892	Spam attack throttling added	2023-05-15 09:13:09 +10:00
Kayne Ruse	267ecaa705	Added a typecheck to password field	2023-05-15 08:03:54 +10:00
Kayne Ruse	3a8cfd39ed	BUGFIX: force a logout if refresh token is too old	2023-05-05 03:56:24 +10:00