author | gumi <git@gumi.ca> | 2020-03-06 15:36:44 -0500 |
---|---|---|
committer | gumi <git@gumi.ca> | 2020-03-06 16:03:34 -0500 |
commit | 86be43f1c0143495abe003654a4e415a154b11d4 (patch) | |
tree | 9ddfd0f8092369ba787ca8f0b49788d8684f4e1c /src/routers/vault/middlewares/account.js | |
parent | 67ee81e912ab26930b3152ab3f35712cc68573e7 (diff) | |
prevent uuid bruteforcing
Diffstat (limited to 'src/routers/vault/middlewares/account.js')
-rw-r--r-- | src/routers/vault/middlewares/account.js | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/src/routers/vault/middlewares/account.js b/src/routers/vault/middlewares/account.js
index 9360728..42a63a4 100644
--- a/src/routers/vault/middlewares/account.js
+++ b/src/routers/vault/middlewares/account.js
@@ -44,6 +44,7 @@ const get_data = async (req, res, next) => { // TODO: make this a method of Session primaryIdentity: session.primaryIdentity, allowNonPrimary: session.allowNonPrimary, + strictIPCheck: session.strictIPCheck, vaultId: session.vault, }, });
@@ -64,7 +65,7 @@ const update_account = async (req, res, next) => { } if (!req.body || !Reflect.has(req.body, "primary") || !Reflect.has(req.body, "allow") || - !Number.isInteger(req.body.primary)) { + !Reflect.has(req.body, "strict") || !Number.isInteger(req.body.primary)) { res.status(400).json({ status: "error", error: "invalid format",
@@ -94,6 +95,17 @@ const update_account = async (req, res, next) => { return; } + if (session.strictIPCheck && session.ip !== req.ip) { // the ip is not the same res.status(401).json({ status: "error", error: "ip address mismatch", }); req.app.locals.logger.warn(`Vault.account: ip address mismatch <${session.vault}@vault> [${req.ip}]`); req.app.locals.cooldown(req, 3e5); return; } + const update_fields = {}; if (session.primaryIdentity !== req.body.primary) {
@@ -122,6 +134,10 @@ const update_account = async (req, res, next) => { // update allow non-primary update_fields.allowNonPrimary = !!req.body.allow; } + if (session.strictIPCheck !== !!req.body.strict) { // update allow non-primary update_fields.strictIPCheck = !!req.body.strict; } // update SQL if (Object.keys(update_fields).length) {
@@ -132,6 +148,7 @@ const update_account = async (req, res, next) => { // now update our cache session.allowNonPrimary = !!req.body.allow; + session.strictIPCheck = !!req.body.strict; session.primaryIdentity = +req.body.primary; for (const ident of session.identities) { |
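Review bot: Making `strict` mandatory in the body (`!Reflect.has(req.body, "strict")`) turns a payload that only carries `primary` and `allow` — valid before this commit — into a 400, so any client built against the old shape stops working. If such clients exist, treat a missing `strict` as "keep the current value" instead of rejecting, e.g. `const strict = Reflect.has(req.body, "strict") ? !!req.body.strict : session.strictIPCheck;` and compare against that below. The type of `strict` is never checked, but every later use coerces it with `!!`, so that is harmless. update_account starts before this hunk and continues past it.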
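Review bot: The new check answers a valid uuid presented from the wrong address with its own 401 `"ip address mismatch"`; if the session lookup above rejects unknown uuids with a different status or message, that difference tells a brute-forcer the guess was correct — the very thing the commit title wants to prevent — and the `cooldown(req, 3e5)` only slows the confirmation down rather than removing it. Return exactly what an unknown session gets and keep the mismatch detail in the `logger.warn` line only, with a comment such as `// NOTE(review): respond like an unknown session so a guessed uuid is not confirmed`. Separately, `req.ip` is only as trustworthy as Express's `trust proxy` setting, which is not visible here: behind a reverse proxy without it every client shares the proxy's address and the check never fires, and with an over-broad setting the address comes from a client-controlled X-Forwarded-For and the check is bypassable — a one-line comment above the `if` should state which deployment is assumed. Where `session.ip` is recorded and what the cooldown is keyed on are outside this hunk, and update_account continues past it.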
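Review bot: The comment on the new block is copy-pasted from the block above it — `// update allow non-primary` now sits over `update_fields.strictIPCheck = !!req.body.strict;`; change it to `// update strict ip check`. update_account continues past this hunk.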