Registration tokens

2022-12-19 22:03:08 +11:00 · 2022-12-19 22:03:08 +11:00 · ddd3c86043
commit ddd3c86043
parent 3227933f28
6 changed files with 77 additions and 12 deletions
--- a/src/api/routes/auth/generate-registration-tokens.ts
+++ b/src/api/routes/auth/generate-registration-tokens.ts
@ -0,0 +1,28 @@
 import { route, random } from "@fosscord/api";
 import { Config, ValidRegistrationToken } from "@fosscord/util";
 import { Request, Response, Router } from "express";
 const router: Router = Router();
 export default router;
 router.get("/", route({ right: "OPERATOR" }), async (req: Request, res: Response) => {
 	const count = req.query.count ? parseInt(req.query.count as string) : 1;
 	const length = req.query.length ? parseInt(req.query.length as string) : 255;
 	let tokens: ValidRegistrationToken[] = [];
 	for (let i = 0; i < count; i++) {
 		const token = ValidRegistrationToken.create({
 			token: random(length),
 			expires_at: Date.now() + Config.get().security.defaultRegistrationTokenExpiration
 		});
 		tokens.push(token);
 	}
 	// Why are these options used, exactly?
 	await ValidRegistrationToken.save(tokens, { chunk: 1000, reload: false, transaction: false });
 	if (req.query.plain) return res.send(tokens.map(x => x.token).join("\n"));
 	return res.json({ tokens: tokens.map(x => x.token) });
 }); 
--- a/src/api/routes/auth/register.ts
+++ b/src/api/routes/auth/register.ts
@ -7,6 +7,7 @@ import {
 	User,
 	adjustEmail,
 	RegisterSchema,
 	ValidRegistrationToken,
 } from "@fosscord/util";
 import {
 	route,
@ -17,7 +18,7 @@ import {
 } from "@fosscord/api";
 import bcrypt from "bcrypt";
 import { HTTPError } from "lambert-server";
-import { MoreThan } from "typeorm";
+import { LessThan, MoreThan } from "typeorm";
 const router: Router = Router();
@ -199,7 +200,24 @@ router.post(
 			});
 		}
 		// Reg tokens
 		// They're a one time use token that bypasses registration rate limiter
 		let regTokenUsed = false;
 		if (req.get("Referrer")?.includes("token=")) {	// eg theyre on https://staging.fosscord.com/register?token=whatever
 			const token = req.get("Referrer")!.split("token=")[1].split("&")[0];
 			if (token) {
 				const regToken = await ValidRegistrationToken.findOne({ where: { token, expires_at: MoreThan(new Date()), } });
 				await ValidRegistrationToken.delete({ token });
 				regTokenUsed = true;
 				console.log(`[REGISTER] Registration token ${token} used for registration!`);
 			}
 			else {
 				console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
 			}
 		}
 		if (
 			!regTokenUsed &&
 			limits.absoluteRate.register.enabled &&
 			(await User.count({ where: { created_at: MoreThan(new Date(Date.now() - limits.absoluteRate.register.window)) } }))
 			>= limits.absoluteRate.register.limit
--- a/src/api/util/utility/RandomInviteID.ts
+++ b/src/api/util/utility/RandomInviteID.ts
@ -1,4 +1,8 @@
 import { Snowflake } from "@fosscord/util";
 import crypto from "crypto";
 // TODO: 'random'? seriously? who named this?
 // And why is this even here? Just use cryto.randomBytes?
 export function random(length = 6) {
 	// Declare all characters
@ -8,7 +12,7 @@ export function random(length = 6) {
 	// Pick characers randomly
 	let str = "";
 	for (let i = 0; i < length; i++) {
-		str += chars.charAt(Math.floor(Math.random() * chars.length));
+		str += chars.charAt(Math.floor(crypto.randomInt(chars.length)));
 	}
 	return str;
--- a/src/util/config/types/SecurityConfiguration.ts
+++ b/src/util/config/types/SecurityConfiguration.ts
@ -2,16 +2,17 @@ import crypto from "crypto";
 import { CaptchaConfiguration, TwoFactorConfiguration } from ".";
 export class SecurityConfiguration {
-    captcha: CaptchaConfiguration = new CaptchaConfiguration();
+	captcha: CaptchaConfiguration = new CaptchaConfiguration();
-    twoFactor: TwoFactorConfiguration = new TwoFactorConfiguration();
+	twoFactor: TwoFactorConfiguration = new TwoFactorConfiguration();
-    autoUpdate: boolean | number = true;
+	autoUpdate: boolean | number = true;
-    requestSignature: string = crypto.randomBytes(32).toString("base64");
+	requestSignature: string = crypto.randomBytes(32).toString("base64");
-    jwtSecret: string = crypto.randomBytes(256).toString("base64");
+	jwtSecret: string = crypto.randomBytes(256).toString("base64");
-    // header to get the real user ip address
+	// header to get the real user ip address
-    // X-Forwarded-For for nginx/reverse proxies
+	// X-Forwarded-For for nginx/reverse proxies
-    // CF-Connecting-IP for cloudflare
+	// CF-Connecting-IP for cloudflare
-    forwadedFor: string | null = null;
+	forwadedFor: string | null = null;
-    ipdataApiKey: string | null = "eca677b284b3bac29eb72f5e496aa9047f26543605efe99ff2ce35c9";
+	ipdataApiKey: string | null = "eca677b284b3bac29eb72f5e496aa9047f26543605efe99ff2ce35c9";
 	mfaBackupCodeCount: number = 10;
 	statsWorldReadable: boolean = true;
 	defaultRegistrationTokenExpiration: number = 1000 * 60 * 60 * 24 * 7; //1 week
 }
--- a/src/util/entities/ValidRegistrationTokens.ts
+++ b/src/util/entities/ValidRegistrationTokens.ts
@ -0,0 +1,13 @@
 import { BaseEntity, Column, Entity, PrimaryColumn } from "typeorm";
@Entity("valid_registration_tokens")
 export class ValidRegistrationToken extends BaseEntity {
 	@PrimaryColumn()
 	token: string;
 	@Column()
 	created_at: Date = new Date();
 	@Column()
 	expires_at: Date;
 }
--- a/src/util/entities/index.ts
+++ b/src/util/entities/index.ts
@ -32,3 +32,4 @@ export * from "./ClientRelease";
 export * from "./BackupCodes";
 export * from "./Note";
 export * from "./UserSettings";
 export * from "./ValidRegistrationTokens";