Spaces:
Paused
Paused
| import crypto from 'node:crypto'; | |
| import storage from 'node-persist'; | |
| import express from 'express'; | |
| import { RateLimiterMemory, RateLimiterRes } from 'rate-limiter-flexible'; | |
| import { getIpFromRequest, getRealIpFromHeader } from '../express-common.js'; | |
| import { color, Cache, getConfigValue } from '../util.js'; | |
| import { KEY_PREFIX, getUserAvatar, toKey, getPasswordHash, getPasswordSalt } from '../users.js'; | |
| const DISCREET_LOGIN = getConfigValue('enableDiscreetLogin', false, 'boolean'); | |
| const PREFER_REAL_IP_HEADER = getConfigValue('rateLimiting.preferRealIpHeader', false, 'boolean'); | |
| const MFA_CACHE = new Cache(5 * 60 * 1000); | |
| const getIpAddress = (request) => PREFER_REAL_IP_HEADER ? getRealIpFromHeader(request) : getIpFromRequest(request); | |
| export const router = express.Router(); | |
| const loginLimiter = new RateLimiterMemory({ | |
| points: 5, | |
| duration: 60, | |
| }); | |
| const recoverLimiter = new RateLimiterMemory({ | |
| points: 5, | |
| duration: 300, | |
| }); | |
| router.post('/list', async (_request, response) => { | |
| try { | |
| if (DISCREET_LOGIN) { | |
| return response.sendStatus(204); | |
| } | |
| /** @type {import('../users.js').User[]} */ | |
| const users = await storage.values(x => x.key.startsWith(KEY_PREFIX)); | |
| /** @type {Promise<import('../users.js').UserViewModel>[]} */ | |
| const viewModelPromises = users | |
| .filter(x => x.enabled) | |
| .map(user => new Promise(async (resolve) => { | |
| getUserAvatar(user.handle).then(avatar => | |
| resolve({ | |
| handle: user.handle, | |
| name: user.name, | |
| created: user.created, | |
| avatar: avatar, | |
| password: !!user.password, | |
| }), | |
| ); | |
| })); | |
| const viewModels = await Promise.all(viewModelPromises); | |
| viewModels.sort((x, y) => (x.created ?? 0) - (y.created ?? 0)); | |
| return response.json(viewModels); | |
| } catch (error) { | |
| console.error('User list failed:', error); | |
| return response.sendStatus(500); | |
| } | |
| }); | |
| router.post('/login', async (request, response) => { | |
| try { | |
| if (!request.body.handle) { | |
| console.warn('Login failed: Missing required fields'); | |
| return response.status(400).json({ error: 'Missing required fields' }); | |
| } | |
| const ip = getIpAddress(request); | |
| await loginLimiter.consume(ip); | |
| /** @type {import('../users.js').User} */ | |
| const user = await storage.getItem(toKey(request.body.handle)); | |
| if (!user) { | |
| console.error('Login failed: User', request.body.handle, 'not found'); | |
| return response.status(403).json({ error: 'Incorrect credentials' }); | |
| } | |
| if (!user.enabled) { | |
| console.warn('Login failed: User', user.handle, 'is disabled'); | |
| return response.status(403).json({ error: 'User is disabled' }); | |
| } | |
| if (user.password && user.password !== getPasswordHash(request.body.password, user.salt)) { | |
| console.warn('Login failed: Incorrect password for', user.handle); | |
| return response.status(403).json({ error: 'Incorrect credentials' }); | |
| } | |
| if (!request.session) { | |
| console.error('Session not available'); | |
| return response.sendStatus(500); | |
| } | |
| await loginLimiter.delete(ip); | |
| request.session.handle = user.handle; | |
| console.info('Login successful:', user.handle, 'from', ip, 'at', new Date().toLocaleString()); | |
| return response.json({ handle: user.handle }); | |
| } catch (error) { | |
| if (error instanceof RateLimiterRes) { | |
| console.error('Login failed: Rate limited from', getIpAddress(request)); | |
| return response.status(429).send({ error: 'Too many attempts. Try again later or recover your password.' }); | |
| } | |
| console.error('Login failed:', error); | |
| return response.sendStatus(500); | |
| } | |
| }); | |
| router.post('/recover-step1', async (request, response) => { | |
| try { | |
| if (!request.body.handle) { | |
| console.warn('Recover step 1 failed: Missing required fields'); | |
| return response.status(400).json({ error: 'Missing required fields' }); | |
| } | |
| const ip = getIpAddress(request); | |
| await recoverLimiter.consume(ip); | |
| /** @type {import('../users.js').User} */ | |
| const user = await storage.getItem(toKey(request.body.handle)); | |
| if (!user) { | |
| console.error('Recover step 1 failed: User', request.body.handle, 'not found'); | |
| return response.status(404).json({ error: 'User not found' }); | |
| } | |
| if (!user.enabled) { | |
| console.error('Recover step 1 failed: User', user.handle, 'is disabled'); | |
| return response.status(403).json({ error: 'User is disabled' }); | |
| } | |
| const mfaCode = String(crypto.randomInt(1000, 9999)); | |
| console.log(); | |
| console.log(color.blue(`${user.name}, your password recovery code is: `) + color.magenta(mfaCode)); | |
| console.log(); | |
| MFA_CACHE.set(user.handle, mfaCode); | |
| return response.sendStatus(204); | |
| } catch (error) { | |
| if (error instanceof RateLimiterRes) { | |
| console.error('Recover step 1 failed: Rate limited from', getIpAddress(request)); | |
| return response.status(429).send({ error: 'Too many attempts. Try again later or contact your admin.' }); | |
| } | |
| console.error('Recover step 1 failed:', error); | |
| return response.sendStatus(500); | |
| } | |
| }); | |
| router.post('/recover-step2', async (request, response) => { | |
| try { | |
| if (!request.body.handle || !request.body.code) { | |
| console.warn('Recover step 2 failed: Missing required fields'); | |
| return response.status(400).json({ error: 'Missing required fields' }); | |
| } | |
| /** @type {import('../users.js').User} */ | |
| const user = await storage.getItem(toKey(request.body.handle)); | |
| const ip = getIpAddress(request); | |
| if (!user) { | |
| console.error('Recover step 2 failed: User', request.body.handle, 'not found'); | |
| return response.status(404).json({ error: 'User not found' }); | |
| } | |
| if (!user.enabled) { | |
| console.warn('Recover step 2 failed: User', user.handle, 'is disabled'); | |
| return response.status(403).json({ error: 'User is disabled' }); | |
| } | |
| const mfaCode = MFA_CACHE.get(user.handle); | |
| if (request.body.code !== mfaCode) { | |
| await recoverLimiter.consume(ip); | |
| console.warn('Recover step 2 failed: Incorrect code'); | |
| return response.status(403).json({ error: 'Incorrect code' }); | |
| } | |
| if (request.body.newPassword) { | |
| const salt = getPasswordSalt(); | |
| user.password = getPasswordHash(request.body.newPassword, salt); | |
| user.salt = salt; | |
| await storage.setItem(toKey(user.handle), user); | |
| } else { | |
| user.password = ''; | |
| user.salt = ''; | |
| await storage.setItem(toKey(user.handle), user); | |
| } | |
| await recoverLimiter.delete(ip); | |
| MFA_CACHE.remove(user.handle); | |
| return response.sendStatus(204); | |
| } catch (error) { | |
| if (error instanceof RateLimiterRes) { | |
| console.error('Recover step 2 failed: Rate limited from', getIpAddress(request)); | |
| return response.status(429).send({ error: 'Too many attempts. Try again later or contact your admin.' }); | |
| } | |
| console.error('Recover step 2 failed:', error); | |
| return response.sendStatus(500); | |
| } | |
| }); | |