Compare commits
13 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Ratstail91
|
8ab786b934 | ||
|
Ratstail91
|
72a4b0e101 | ||
|
Ratstail91
|
59c610bdd8 | ||
|
Ratstail91
|
1908413bd2 | ||
|
Kayne Ruse
|
3c790f51c7 | ||
|
Kayne Ruse
|
44e19154ab | ||
|
Kayne Ruse
|
fd0c40d444 | ||
|
Kayne Ruse
|
d3e90f7d5d | ||
|
Kayne Ruse
|
98887eecce | ||
|
Kayne Ruse
|
95e6bd178e | ||
|
Kayne Ruse
|
ac7c8d04ed | ||
|
Kayne Ruse
|
fd44712e37 | ||
|
Kayne Ruse
|
b3c7f7cb5e |
@@ -4,7 +4,7 @@ WEB_RESET_ADDRESS=localhost/reset
|
||||
WEB_PORT=3200
|
||||
WEB_ORIGIN=http://localhost:3001
|
||||
|
||||
DB_HOSTNAME=database
|
||||
DB_HOSTNAME=localhost
|
||||
DB_DATABASE=auth
|
||||
DB_USERNAME=auth
|
||||
DB_PASSWORD=charizard
|
||||
|
||||
+2
-2
@@ -1,7 +1,7 @@
|
||||
|
||||
FROM node:18-bullseye-slim
|
||||
FROM node:21-bookworm-slim
|
||||
WORKDIR "/app"
|
||||
COPY package*.json ./
|
||||
COPY package*.json /app
|
||||
RUN npm install --production
|
||||
COPY . /app
|
||||
EXPOSE 3200
|
||||
|
||||
+3
-4
@@ -55,8 +55,7 @@ const question = (prompt, def = null) => {
|
||||
|
||||
//generate the files
|
||||
const ymlfile = `
|
||||
version: '3'
|
||||
|
||||
version: '3.8'
|
||||
services:
|
||||
${appName}:
|
||||
build:
|
||||
@@ -108,7 +107,7 @@ services:
|
||||
- ./startup.sql:/docker-entrypoint-initdb.d/startup.sql:ro
|
||||
traefik_${appName}:
|
||||
container_name: ${appName}_traefik
|
||||
image: "traefik:v2.4"
|
||||
image: "traefik:v2.10"
|
||||
container_name: "traefik"
|
||||
command:
|
||||
- "--log.level=ERROR"
|
||||
@@ -133,7 +132,7 @@ networks:
|
||||
`;
|
||||
|
||||
const dockerfile = `
|
||||
FROM node:18-bullseye-slim
|
||||
FROM node:21-bookworm-slim
|
||||
WORKDIR "/app"
|
||||
COPY package*.json ./
|
||||
RUN npm install --production
|
||||
|
||||
Generated
+3134
-137
File diff suppressed because it is too large
Load Diff
+10
-9
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "auth-server",
|
||||
"version": "1.7.5",
|
||||
"version": "1.8.2",
|
||||
"description": "An API centric auth server. Uses Sequelize and mariaDB by default.",
|
||||
"main": "server/server.js",
|
||||
"scripts": {
|
||||
@@ -22,16 +22,17 @@
|
||||
"bcryptjs": "^2.4.3",
|
||||
"cookie-parser": "^1.4.6",
|
||||
"cors": "^2.8.5",
|
||||
"dotenv": "^16.0.3",
|
||||
"dotenv": "^16.3.1",
|
||||
"express": "^4.18.2",
|
||||
"jsonwebtoken": "^9.0.0",
|
||||
"mariadb": "^3.1.1",
|
||||
"node-cron": "^3.0.2",
|
||||
"node-fetch": "^2.6.9",
|
||||
"nodemailer": "^6.9.1",
|
||||
"sequelize": "^6.31.1"
|
||||
"jsonwebtoken": "^9.0.2",
|
||||
"mariadb": "^3.2.3",
|
||||
"node-cron": "^3.0.3",
|
||||
"node-fetch": "^2.7.0",
|
||||
"nodemailer": "^6.9.7",
|
||||
"npm": "^9.9.2",
|
||||
"sequelize": "^6.35.2"
|
||||
},
|
||||
"devDependencies": {
|
||||
"nodemon": "^2.0.22"
|
||||
"nodemon": "^3.0.2"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -11,9 +11,6 @@ router.post('/signup', require('./signup'));
|
||||
router.get('/validation', require('./validation'));
|
||||
router.post('/login', require('./login'));
|
||||
|
||||
//refresh token
|
||||
router.post('/token', require('./token'));
|
||||
|
||||
//password recover and reset
|
||||
router.post('/recover', require('./password-recover'));
|
||||
router.get('/reset', require('./password-redirect'));
|
||||
@@ -22,9 +19,10 @@ router.patch('/reset', require('./password-reset'));
|
||||
//logouts allowed when banned, and when the token itself is invalid
|
||||
router.delete('/logout', require('./logout'));
|
||||
|
||||
//middleware
|
||||
//authenticate token
|
||||
router.use(tokenAuth);
|
||||
|
||||
//middleware
|
||||
router.use(async (req, res, next) => {
|
||||
const record = await accounts.findOne({
|
||||
where: {
|
||||
@@ -43,6 +41,9 @@ router.use(async (req, res, next) => {
|
||||
next();
|
||||
});
|
||||
|
||||
//refresh token
|
||||
router.post('/token', require('./token'));
|
||||
|
||||
//basic account management (needs a token)
|
||||
router.get('/account', require('./account-query'));
|
||||
router.patch('/account', require('./account-update'));
|
||||
|
||||
@@ -49,7 +49,7 @@ const route = async (req, res) => {
|
||||
}
|
||||
|
||||
//generate the JWTs
|
||||
const { accessToken, refreshToken } = tokenGenerateRefresh(account.index, account.email, account.username, account.type, account.admin, account.mod);
|
||||
const { accessToken, refreshToken } = await tokenGenerateRefresh(account.index, account.email, account.username, account.type, account.admin, account.mod);
|
||||
|
||||
//set the cookie
|
||||
res.cookie('refreshToken', refreshToken, { path: '/', httpOnly: true, secure: true, sameSite: 'none', maxAge: 60 * 60 * 24 * 30 * 1000 }); //30 days
|
||||
|
||||
+16
-2
@@ -22,7 +22,7 @@ const route = async (req, res) => {
|
||||
//script throttle
|
||||
const throttle = await checkThrottle(req.body.email);
|
||||
if (throttle) {
|
||||
console.warn(`Spam attack detected: ${req.body.email} (${req.body.username})`);
|
||||
console.warn(`Spam Throttled\t${req.body.email} (${req.body.username})`);
|
||||
return res.status(401).send(throttle);
|
||||
}
|
||||
|
||||
@@ -121,7 +121,21 @@ const checkThrottle = async (email) => {
|
||||
}
|
||||
|
||||
const registerPendingSignup = async (body, hash, token) => {
|
||||
const record = await pendingSignups.upsert({
|
||||
//BUGFIX: delete existing pending signups that clash
|
||||
await pendingSignups.destroy({
|
||||
where: {
|
||||
email: body.email
|
||||
}
|
||||
});
|
||||
|
||||
await pendingSignups.destroy({
|
||||
where: {
|
||||
username: body.username
|
||||
}
|
||||
});
|
||||
|
||||
//record it
|
||||
const record = await pendingSignups.create({
|
||||
email: body.email,
|
||||
username: body.username,
|
||||
hash: hash,
|
||||
|
||||
@@ -1,10 +1,8 @@
|
||||
const jwt = require('jsonwebtoken');
|
||||
|
||||
const tokenRefresh = require('../utilities/token-refresh');
|
||||
|
||||
//auth/token
|
||||
module.exports = async (req, res) => {
|
||||
return tokenRefresh(req.cookies.refreshToken || '', (err, accessToken, refreshToken) => {
|
||||
return await tokenRefresh(req.cookies.refreshToken || '', (err, accessToken, refreshToken) => {
|
||||
if (err) {
|
||||
return res.status(err).end();
|
||||
}
|
||||
|
||||
@@ -44,7 +44,7 @@ const route = async (req, res) => {
|
||||
hooks = JSON.parse(process.env.HOOK_POST_VALIDATION_ARRAY);
|
||||
|
||||
if (!Array.isArray(hooks)) {
|
||||
throw 'isArray() check failed';
|
||||
throw 'post validation hook isArray() check failed';
|
||||
}
|
||||
|
||||
//authenticate the hooks
|
||||
|
||||
@@ -0,0 +1,17 @@
|
||||
const Sequelize = require('sequelize');
|
||||
const sequelize = require('..');
|
||||
|
||||
//DOCS: this isn't set by anything - it's a stub for now
|
||||
|
||||
module.exports = sequelize.define('bannedIPAddresses', {
|
||||
content: {
|
||||
type: 'varchar(320)',
|
||||
unique: true
|
||||
},
|
||||
|
||||
expiry: {
|
||||
type: 'DATETIME',
|
||||
allowNull: true,
|
||||
defaultValue: null
|
||||
},
|
||||
});
|
||||
@@ -2,5 +2,6 @@ module.exports = {
|
||||
tokens: require('./tokens'),
|
||||
accounts: require('./accounts'),
|
||||
pendingSignups: require('./pending-signups'),
|
||||
recovery: require('./recovery')
|
||||
recovery: require('./recovery'),
|
||||
bannedIPAddresses: require("./banned-ip-addresses"),
|
||||
};
|
||||
@@ -23,6 +23,9 @@ app.use(cookieParser());
|
||||
//database connection
|
||||
const database = require('./database');
|
||||
|
||||
//ip-based management
|
||||
app.use(require('./utilities/banned-ip-addresses-middleware'));
|
||||
|
||||
//access the admin
|
||||
app.use('/admin', require('./admin'));
|
||||
|
||||
|
||||
@@ -0,0 +1,33 @@
|
||||
const { Op } = require("sequelize");
|
||||
const { bannedIPAddresses } = require('../database/models');
|
||||
|
||||
//middleware to manage banned IP addresses
|
||||
module.exports = async (req, res, next) => {
|
||||
const address = req.header('x-forwarded-for') || req.socket.remoteAddress;
|
||||
|
||||
const record = await bannedIPAddresses.findOne({
|
||||
where: {
|
||||
content: address,
|
||||
|
||||
expiry: {
|
||||
[Op.or]: {
|
||||
//future or forever
|
||||
[Op.gt]: Date.now(),
|
||||
[Op.eq]: null,
|
||||
}
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
//log the access timestamp
|
||||
const date = new Date();
|
||||
|
||||
if (!!record) {
|
||||
console.log(`IP blocked\t${address}\t\t\t${date.toTimeString()}`);
|
||||
return res.status(403).send("IP address banned");
|
||||
}
|
||||
|
||||
// console.log(`IP allowed\t${address}\t\t\t${date.toTimeString()}`);
|
||||
|
||||
return next();
|
||||
};
|
||||
@@ -1,7 +1,7 @@
|
||||
const { tokens } = require('../database/models');
|
||||
|
||||
module.exports = (refreshToken) => {
|
||||
tokens.destroy({
|
||||
module.exports = async (refreshToken) => {
|
||||
await tokens.destroy({
|
||||
where: {
|
||||
token: refreshToken || ''
|
||||
}
|
||||
|
||||
@@ -2,7 +2,7 @@ const jwt = require('jsonwebtoken');
|
||||
const { tokens } = require('../database/models');
|
||||
|
||||
//generates a JWT token based on the given arguments
|
||||
module.exports = (index, email, username, type, admin, mod) => {
|
||||
module.exports = async (index, email, username, type, admin, mod) => {
|
||||
const content = {
|
||||
index,
|
||||
email,
|
||||
@@ -16,7 +16,7 @@ module.exports = (index, email, username, type, admin, mod) => {
|
||||
const accessToken = jwt.sign(content, process.env.SECRET_ACCESS, { expiresIn: '10m', issuer: 'auth' });
|
||||
const refreshToken = jwt.sign(content, process.env.SECRET_REFRESH, { expiresIn: '30d', issuer: 'auth' });
|
||||
|
||||
tokens.create({ token: refreshToken, email: email });
|
||||
await tokens.create({ token: refreshToken, email: email });
|
||||
|
||||
return { accessToken, refreshToken };
|
||||
};
|
||||
@@ -19,15 +19,15 @@ module.exports = async (oldRefreshToken, callback) => {
|
||||
return callback(403);
|
||||
}
|
||||
|
||||
jwt.verify(oldRefreshToken, process.env.SECRET_REFRESH, (err, user) => {
|
||||
jwt.verify(oldRefreshToken, process.env.SECRET_REFRESH, async (err, user) => {
|
||||
if (err) {
|
||||
return callback(403);
|
||||
}
|
||||
|
||||
const { accessToken, refreshToken } = generate(user.index, user.email, user.username, user.type, user.admin, user.mod);
|
||||
await destroy(oldRefreshToken);
|
||||
|
||||
destroy(oldRefreshToken);
|
||||
const { accessToken, refreshToken } = await generate(user.index, user.email, user.username, user.type, user.admin, user.mod);
|
||||
|
||||
return callback(null, accessToken, refreshToken);
|
||||
return await callback(null, accessToken, refreshToken);
|
||||
});
|
||||
};
|
||||
@@ -1 +0,0 @@
|
||||
ALTER TABLE `accounts` CHANGE `id` `index` INT( 11 ) NOT NULL AUTO_INCREMENT;
|
||||
@@ -1 +0,0 @@
|
||||
DROP TABLE tokens;
|
||||
@@ -25,18 +25,13 @@ const TokenProvider = props => {
|
||||
localStorage.setItem("accessToken", accessToken);
|
||||
}, [accessToken]);
|
||||
|
||||
//force a logout if refresh token is too old
|
||||
if (accessToken && (new Date(Date.now() - 60 * 60 * 24 * 30 * 1000).getTime() > decode(accessToken).exp * 1000)) {
|
||||
forceLogout();
|
||||
}
|
||||
|
||||
//wrap the default fetch function
|
||||
const tokenFetch = async (url, options) => {
|
||||
//use this?
|
||||
let bearer = accessToken;
|
||||
|
||||
//if expired (10 minutes, normally)
|
||||
const expired = new Date(decode(accessToken).exp * 1000) < Date.now();
|
||||
const expired = new Date(decode(accessToken).exp) < Date.now() / 1000;
|
||||
|
||||
if (expired) {
|
||||
//BUGFIX: if logging out, just skip over the refresh token
|
||||
@@ -85,7 +80,7 @@ const TokenProvider = props => {
|
||||
//access the refreshed token via callback
|
||||
const tokenCallback = async (cb) => {
|
||||
//if expired (10 minutes, normally)
|
||||
const expired = new Date(decode(accessToken).exp * 1000) < Date.now();
|
||||
const expired = new Date(decode(accessToken).exp) < Date.now() / 1000;
|
||||
|
||||
if (expired) {
|
||||
//ping the auth server for a new token
|
||||
|
||||
Reference in New Issue
Block a user