Added config security check.

src/server.js

@@ -30,6 +30,7 @@ globalThis.crypto = require('node:crypto').webcrypto;
 //Application
 const channelManager = require('./app/channel/channelManager');
 //Util
+const configCheck = require('./utils/configCheck');
 const scheduler = require('./utils/scheduler');
 //DB Model
 const statModel = require('./schemas/statSchema');
@@ -60,6 +61,9 @@ const config = require('../config.json');
 const port = config.port;
 const dbUrl = `mongodb://${config.db.user}:${config.db.pass}@${config.db.address}:${config.db.port}/${config.db.database}`;
 
+//Check for insecure config
+configCheck.securityCheck();
+
 //Define express
 const app = express();
 
@@ -78,10 +82,6 @@ const sessionMiddleware = session({
 const httpServer = createServer(app);
 const io = new Server(httpServer, {});
 
-if(config.protocol == 'http'){
-    console.warn("Starting in HTTP mode. This server should be used for development purposes only!");
-}
-
 //Connect mongoose to the database
 mongoose.set("sanitizeFilter", true).connect(dbUrl).then(() => {
     console.log("Connected to DB");

src/utils/configCheck.js

@@ -0,0 +1,60 @@
+/*Canopy - The next generation of stoner streaming software
+Copyright (C) 2024  Rainbownapkin and the TTN Community
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
+
+//Config
+const config = require('../../config.json');
+
+//Local
+const loggerUtil = require('./loggerUtils');
+
+//NPM Imports
+const validator = require('validator');//We need validators for express-less code too!
+
+
+module.exports.securityCheck = function(){
+    //Check Protocol
+    if(config.protocol == 'http'){
+        //If it's insecure then warn the admin
+        loggerUtil.consoleWarn("Starting in HTTP mode. This server should be used for development purposes only!");
+    }
+
+    //Check mail protocol
+    if(!config.mail.secure){
+        //If it's insecure then warn the admin
+        loggerUtil.consoleWarn("Mail transport security disabled! THis server should be used for development purposes only!");
+    }
+
+    //check session secret
+    if(!validator.isStrongPassword(config.sessionSecret) || config.sessionSecret == "CHANGE_ME"){
+        loggerUtil.consoleWarn("Insecure Session Secret! Change Session Secret!");
+    }
+
+    //check altcha secret
+    if(!validator.isStrongPassword(config.altchaSecret) || config.altchaSecret == "CHANGE_ME"){
+        loggerUtil.consoleWarn("Insecure Altcha Secret! Change Altcha Secret!");
+    }
+
+    //check DB pass
+    if(!validator.isStrongPassword(config.db.pass) || config.db.pass == "CHANGE_ME" || config.db.pass == config.db.user){
+        loggerUtil.consoleWarn("Insecure Database Password! Change Database password!");
+    }
+
+    //check email pass
+    if(!validator.isStrongPassword(config.mail.pass) || config.mail.pass == "CHANGE_ME"){
+        loggerUtil.consoleWarn("Insecure Email Password! Change Email password!");
+    }
+
+}

src/utils/loggerUtils.js

@@ -34,4 +34,8 @@ module.exports.socketCriticalExceptionHandler = function(socket, err){
         //if not yell at the browser for fucking up, and tell it what it did wrong.
         socket.emit("kick", {type: "Disconnected", reason: `Server Error: ${err.message}`});
         return socket.disconnect();
+}
+
+module.exports.consoleWarn = function(string){
+        console.warn('\x1b[31m\x1b[4m%s\x1b[0m',string);
 }