Registration tokens

2022-12-19 22:03:08 +11:00 · 2022-12-19 22:03:08 +11:00 · ddd3c86043
commit ddd3c86043
parent 3227933f28
6 changed files with 77 additions and 12 deletions
--- a/src/api/routes/auth/generate-registration-tokens.ts
+++ b/src/api/routes/auth/generate-registration-tokens.ts
@ -0,0 +1,28 @@
+import { route, random } from "@fosscord/api";
+import { Config, ValidRegistrationToken } from "@fosscord/util";
+import { Request, Response, Router } from "express";
+
+const router: Router = Router();
+export default router;
+
+router.get("/", route({ right: "OPERATOR" }), async (req: Request, res: Response) => {
+	const count = req.query.count ? parseInt(req.query.count as string) : 1;
+	const length = req.query.length ? parseInt(req.query.length as string) : 255;
+
+	let tokens: ValidRegistrationToken[] = [];
+
+	for (let i = 0; i < count; i++) {
+		const token = ValidRegistrationToken.create({
+			token: random(length),
+			expires_at: Date.now() + Config.get().security.defaultRegistrationTokenExpiration
+		});
+		tokens.push(token);
+	}
+
+	// Why are these options used, exactly?
+	await ValidRegistrationToken.save(tokens, { chunk: 1000, reload: false, transaction: false });
+
+	if (req.query.plain) return res.send(tokens.map(x => x.token).join("\n"));
+
+	return res.json({ tokens: tokens.map(x => x.token) });
+}); 
--- a/src/api/routes/auth/register.ts
+++ b/src/api/routes/auth/register.ts
@ -7,6 +7,7 @@ import {
 	User,
 	adjustEmail,
 	RegisterSchema,
+	ValidRegistrationToken,
 } from "@fosscord/util";
 import {
 	route,
@ -17,7 +18,7 @@ import {
 } from "@fosscord/api";
 import bcrypt from "bcrypt";
 import { HTTPError } from "lambert-server";
-import { MoreThan } from "typeorm";
+import { LessThan, MoreThan } from "typeorm";

 const router: Router = Router();

@ -199,7 +200,24 @@ router.post(
 			});
 		}

+		// Reg tokens
+		// They're a one time use token that bypasses registration rate limiter
+		let regTokenUsed = false;
+		if (req.get("Referrer")?.includes("token=")) {	// eg theyre on https://staging.fosscord.com/register?token=whatever
+			const token = req.get("Referrer")!.split("token=")[1].split("&")[0];
+			if (token) {
+				const regToken = await ValidRegistrationToken.findOne({ where: { token, expires_at: MoreThan(new Date()), } });
+				await ValidRegistrationToken.delete({ token });
+				regTokenUsed = true;
+				console.log(`[REGISTER] Registration token ${token} used for registration!`);
+			}
+			else {
+				console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
+			}
+		}
+
 		if (
+			!regTokenUsed &&
 			limits.absoluteRate.register.enabled &&
 			(await User.count({ where: { created_at: MoreThan(new Date(Date.now() - limits.absoluteRate.register.window)) } }))
 			>= limits.absoluteRate.register.limit
--- a/src/api/util/utility/RandomInviteID.ts
+++ b/src/api/util/utility/RandomInviteID.ts
@ -1,4 +1,8 @@
 import { Snowflake } from "@fosscord/util";
+import crypto from "crypto";
+
+// TODO: 'random'? seriously? who named this?
+// And why is this even here? Just use cryto.randomBytes?

 export function random(length = 6) {
 	// Declare all characters
@ -8,7 +12,7 @@ export function random(length = 6) {
 	// Pick characers randomly
 	let str = "";
 	for (let i = 0; i < length; i++) {
-		str += chars.charAt(Math.floor(Math.random() * chars.length));
+		str += chars.charAt(Math.floor(crypto.randomInt(chars.length)));
 	}

 	return str;
--- a/src/util/config/types/SecurityConfiguration.ts
+++ b/src/util/config/types/SecurityConfiguration.ts
@ -2,16 +2,17 @@ import crypto from "crypto";
 import { CaptchaConfiguration, TwoFactorConfiguration } from ".";

 export class SecurityConfiguration {
-    captcha: CaptchaConfiguration = new CaptchaConfiguration();
-    twoFactor: TwoFactorConfiguration = new TwoFactorConfiguration();
-    autoUpdate: boolean | number = true;
-    requestSignature: string = crypto.randomBytes(32).toString("base64");
-    jwtSecret: string = crypto.randomBytes(256).toString("base64");
-    // header to get the real user ip address
-    // X-Forwarded-For for nginx/reverse proxies
-    // CF-Connecting-IP for cloudflare
-    forwadedFor: string | null = null;
-    ipdataApiKey: string | null = "eca677b284b3bac29eb72f5e496aa9047f26543605efe99ff2ce35c9";
+	captcha: CaptchaConfiguration = new CaptchaConfiguration();
+	twoFactor: TwoFactorConfiguration = new TwoFactorConfiguration();
+	autoUpdate: boolean | number = true;
+	requestSignature: string = crypto.randomBytes(32).toString("base64");
+	jwtSecret: string = crypto.randomBytes(256).toString("base64");
+	// header to get the real user ip address
+	// X-Forwarded-For for nginx/reverse proxies
+	// CF-Connecting-IP for cloudflare
+	forwadedFor: string | null = null;
+	ipdataApiKey: string | null = "eca677b284b3bac29eb72f5e496aa9047f26543605efe99ff2ce35c9";
 	mfaBackupCodeCount: number = 10;
 	statsWorldReadable: boolean = true;
+	defaultRegistrationTokenExpiration: number = 1000 * 60 * 60 * 24 * 7; //1 week
 }
--- a/src/util/entities/ValidRegistrationTokens.ts
+++ b/src/util/entities/ValidRegistrationTokens.ts
@ -0,0 +1,13 @@
+import { BaseEntity, Column, Entity, PrimaryColumn } from "typeorm";
+
+@Entity("valid_registration_tokens")
+export class ValidRegistrationToken extends BaseEntity {
+	@PrimaryColumn()
+	token: string;
+	
+	@Column()
+	created_at: Date = new Date();
+
+	@Column()
+	expires_at: Date;
+}
--- a/src/util/entities/index.ts
+++ b/src/util/entities/index.ts
@ -32,3 +32,4 @@ export * from "./ClientRelease";
 export * from "./BackupCodes";
 export * from "./Note";
 export * from "./UserSettings";
+export * from "./ValidRegistrationTokens";