authorgumi <git@gumi.ca>2020-03-08 15:01:20 -0400
committergumi <git@gumi.ca>2020-03-08 15:01:20 -0400
commit00e707bffa2157df7772e417a5d48e66229e4013 (patch)
tree0e8675a5acdaef6e818a47c15abd733925842460
parentf7eeeccb0811887449149b46cf0592c30b9919a2 (diff)
immediately swap the uuid after login and check the email
-rw-r--r--src/routers/vault/middlewares/session.js42
-rw-r--r--src/routers/vault/types/Session.js2
2 files changed, 42 insertions, 2 deletions
diff --git a/src/routers/vault/middlewares/session.js b/src/routers/vault/middlewares/session.js
index 4451080..d5aa521 100644
--- a/src/routers/vault/middlewares/session.js
+++ b/src/routers/vault/middlewares/session.js
@@ -110,6 +110,37 @@ const auth_session = async (req, res, next) => {
return;
}
+ if (!req.query || !Reflect.has(req.query, "email") ||
+ !req.query.email.match(/^(?:[a-zA-Z0-9.$&+=_~-]{1,255}@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,255}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,255}[a-zA-Z0-9])?){1,9})$/) ||
+ req.query.email.length >= 320) {
+ res.status(400).json({
+ status: "error",
+ error: "invalid email address",
+ });
+ req.app.locals.cooldown(req, 1e3);
+ return;
+ }
+
+ if (req.query.email.toLowerCase() !== session.email) {
+ res.status(410).json({
+ status: "error",
+ error: "session expired",
+ session: {
+ expires: 0,
+ identity: null,
+ }
+ });
+
+ // max 3 attempts per 15 minutes
+ if (req.app.locals.brute.consume(req, 3, 9e5)) {
+ req.app.locals.cooldown(req, 1e3);
+ } else {
+ req.app.locals.logger.warn(`Vault.session: authentication request flood [${req.ip}]`);
+ req.app.locals.cooldown(req, 3.6e6);
+ }
+ return;
+ }
+
if (session.vault === null && session.identity === null) {
// this is a new account
const user = await req.app.locals.vault.login.create({});
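Review bot: The `req.query.email.match(...)` call on the second added line assumes the value is a string, but the `Reflect.has` check before it only proves the key exists; Express's default query parser yields an array for a repeated or bracketed `email` parameter, and `.match` would then throw inside this async handler instead of producing the 400. A type check covers both the missing and the non-string case, and putting the length test first avoids running the regex on over-long input: `if (!req.query || typeof req.query.email !== "string" || req.query.email.length >= 320 || !req.query.email.match(/…same pattern…/))`. On the mismatch branch the reply says `session expired` with `expires: 0`, yet nothing in the hunk removes `session` from `req.app.locals.session`, so the presented token appears to remain usable for further attempts up to the brute limit — confirm that is intended rather than deleting it there. auth_session begins before this hunk.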
@@ -212,9 +243,18 @@ const auth_session = async (req, res, next) => {
}
}
+ // immediately change the session uuid
+ const new_uuid = uuidv4();
+ req.app.locals.session.set(new_uuid, session);
+ req.app.locals.session.delete(token);
+
res.status(200).json({
status: "success",
- session,
+ session: {
+ key: new_uuid,
+ expires: session.expires,
+ identity: session.identity,
+ },
});
};
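Review bot: The comment `// immediately change the session uuid` says what is done but not why, and the why is the part a later maintainer must not undo; I would write it as `// rotate the session key once the client is authenticated, so a token seen before login cannot be replayed as the logged-in session`. `token` and `uuidv4` are both defined outside this hunk, and no import hunk for `uuidv4` is visible in the diff, so confirm it is already required in this file. The function closes at `};` here but its body starts well before the hunk.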
diff --git a/src/routers/vault/types/Session.js b/src/routers/vault/types/Session.js
index ff7e20d..9f0cd95 100644
--- a/src/routers/vault/types/Session.js
+++ b/src/routers/vault/types/Session.js
@@ -29,7 +29,7 @@ module.exports = class Session {
constructor (ip, email) {
this.ip = ip;
- this.email = email;
+ this.email = email.toLowerCase();
}
/**