import { checkStringParam, errorOut, randomElement, reverseString } from '../logic/common.js'; import { Animals } from '../misc/animals.js'; import { reissueToken, generateToken, newTokenExpiry, hashPassword, doesPasswordMatch } from '../logic/security.js'; /** * @param {Object} props * @param {import('fastify').FastifyInstance} props.app * @param {import('sequelize/types').Sequelize} props.db */ function AuthController({app, db}){ const { Users } = db.models; { //validate token header and put .user in every request app.decorateRequest('user', null); app.addHook('preHandler', async (request, reply) => { const unprotectedUrl = (request.url.substring(0, 6) == '/auth/') || (request.url === '/'); if(!unprotectedUrl){ const token = request.headers.authorization; //todo: local cache const user = await Users.findOne({where: {token}}); const tokenNotExpired = user && (new Date() <= user.tokenExpiry); const userNotBanned = true; if(tokenNotExpired && userNotBanned){ request.user = user; }else{ errorOut(reply, 'Unauthorized', 401); return true; //abort } } }); } app.post('/auth/sign-in', async (request) => { const {email, paswd} = request.body || {}; //todo: spam check { //form validation if(!isValidEmail(email)) return errorOut(reply, 'auth.bad_email'); if(!isValidPassword(paswd)) return errorOut(reply, 'auth.bad_paswd'); } const fixedEmail = fixEmail(email); const user = await Users.findOne({where: {email: fixedEmail}}); if(user && doesPasswordMatch(reverseString(paswd), user.paswd)){ let token = user.token; if(new Date() > user.tokenExpiry){ token = await reissueToken(user, Users); } return {token}; }else{ errorOut(reply, 'auth.not_found'); } }); app.post('/auth/sign-up', async (request, reply) => { const {email, username, paswd} = request.body || {}; //todo: spam check { //form validation if(!isValidEmail(email)) return errorOut(reply, 'auth.bad_email'); if(!isValidPassword(paswd)) return errorOut(reply, 'auth.bad_paswd'); if(!isValidUsername(username)) return errorOut(reply, 'auth.bad_username'); } const fixedEmail = fixEmail(email); const fixedUsername = fixUsername(username); { //check if email is already in use const existingUser = await Users.findOne({where: {email: fixedEmail}}); if(existingUser) return errorOut(reply, 'auth.email_taken'); } { //check if username taken const existingUser = await Users.findOne({where: {username: fixedUsername}}); if(existingUser) return errorOut(reply, 'auth.username_taken'); } { //check if this ip already registered a bunch of accounts const countByIp = await Users.count({where: {firstIp: request.ip}}); if(countByIp >= 10) return errorOut(reply, 'error.suspicious'); } const newUser = { email: fixedEmail, username: fixedUsername, token: generateToken(), tokenExpiry: newTokenExpiry(), paswd: hashPassword(reverseString(paswd)), role: 'user', //firstIp: request.ip firstIp: request.hostname }; await Users.create(newUser); return {token: newUser.token}; }); } function fixEmail(email){ const plusPortion = /\+.*@/m; //gmail exploit return email.toLowerCase().replace(plusPortion, ''); } function fixUsername(username){ if(username){ const profanities = /nigger|nigga|faggot/gi; const badSymbols = /[\x00-\x1F\xCC\xCD]/g; return username.replace(profanities, '💩').replace(badSymbols, ''); }else{ const nick = randomElement(Animals); const tag = Date.now().toString(10).slice(-4); return `Little ${nick} #${tag}`; } } function isValidEmail(email){ return checkStringParam(email, 3, 128) && email.match('@'); } function isValidUsername(username){ return (!username) || checkStringParam(username, 3, 64); } function isValidPassword(paswd){ return checkStringParam(paswd, 6, 256); } export default AuthController;