author | gumi <git@gumi.ca> | 2020-03-31 14:36:40 -0400 |
---|---|---|
committer | gumi <git@gumi.ca> | 2020-03-31 14:36:40 -0400 |
commit | 4d6545e66feb0e7ec53c76a3bf0247c1c3629dd4 (patch) | |
tree | 51bac6e432726a472fc5b7163f6f35c2823a565f /src/routers/vault/utils | |
parent | 930485dfe22db16f5b613750eb9518bb64b4fe4f (diff) | |
download | api-4d6545e66feb0e7ec53c76a3bf0247c1c3629dd4.tar.gz api-4d6545e66feb0e7ec53c76a3bf0247c1c3629dd4.tar.bz2 api-4d6545e66feb0e7ec53c76a3bf0247c1c3629dd4.tar.xz api-4d6545e66feb0e7ec53c76a3bf0247c1c3629dd4.zip |
add support for nanoid for session tokens
Diffstat (limited to 'src/routers/vault/utils')
-rw-r--r-- | src/routers/vault/utils/validate.js | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/routers/vault/utils/validate.js b/src/routers/vault/utils/validate.js
index 5f2f2a6..3432d30 100644
--- a/src/routers/vault/utils/validate.js
+++ b/src/routers/vault/utils/validate.js
@@ -1,5 +1,6 @@
 "use strict";
 const Session = require("../types/Session.js");
+const nolookalikes = require("nanoid-dictionary/nolookalikes");
 
 /** thrown when the user attempts to bypass security measures */
 class BypassAttempt extends Error {};
@@ -10,6 +11,10 @@ class ValidationError extends Error {};
 const regexes = {
     /** a Universally Unique Identifier */
     uuid: /^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i,
+    /** nolookalikes nanoid */
+    nano23: new RegExp(`^[${nolookalikes}]{23}$`),
+    /** nanoid */
+    nano36: /^[A-Za-z0-9_-]{36}$/,
     /** tmwa password */
     any23: /^[^\s][^\t\r\n]{2,21}[^\s]$/,
     /** hercules password */
@@ -79,7 +84,7 @@ const get_prop = (req, prop, regex = null) => {
 const get_secret = (req, res) => {
     const token = req.get("X-VAULT-TOKEN") || "";
 
-    if (!token.match(regexes.uuid)) {
+    if (!token.match(regexes.nano36)) {
         res.status(400).json({
             status: "error",
             error: "missing secret key",
@@ -101,7 +106,7 @@ const get_secret = (req, res) => {
 const get_raw_session = (req, res) => {
     const token = String(req.get("X-VAULT-SESSION") || "");
 
-    if (!token.match(regexes.uuid)) {
+    if (!token.match(regexes.nano23)) {
         res.status(400).json({
             status: "error",
             error: "missing session key",
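Review bot: `nano23` builds its character class by interpolating the `nolookalikes` alphabet into the pattern unescaped, so it is correct only while that dictionary string contains none of `]`, `\`, `^` or `-`. The current nolookalikes alphabet is plain alphanumerics, but a changed dictionary version would silently widen or break the class, and this class is what decides which session tokens `get_raw_session` accepts. Escaping at construction removes the dependency: `` nano23: new RegExp(`^[${nolookalikes.replace(/[\]\\^-]/g, "\\$&")}]{23}$`), ``. The two new comments could also say where 23 and 36 come from — presumably the sizes handed to the token generator, which is not visible here — e.g. `/** nanoid over the nolookalikes alphabet; the length must match the session token generator */`. The `regexes` object continues past the hunk.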
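Review bot: Replacing `regexes.uuid` with `regexes.nano36` means a client still sending the old uuid-shaped `X-VAULT-TOKEN` is refused with `error: "missing secret key"`, which reads as an absent header rather than a changed format; the same holds for `X-VAULT-SESSION` and `missing session key` in the following `get_raw_session` hunk. A distinct message for a present-but-malformed value, e.g. `error: "malformed secret key"`, would make the migration diagnosable from the response without loosening the check. As a point of style, `token.match(regex)` builds a match array only to test its truthiness; `regexes.nano36.test(token)` says what is meant, and the same applies to the `nano23` check in the next hunk. `get_secret` continues past the hunk.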