rainbownapkin/canopy
1
0
Fork 0
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity Actions

Basic brute force detection added. Accounts throttle by captcha after 5 failed attempts, and locked out for 24 hours after 200 attempts.

Browse source
This commit is contained in:
rainbow napkin 2024-12-26 17:46:35 -05:00
parent e0f53df176
commit 9c18c23ad5
13 changed files with 463 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/utils/altchaUtils.js
View file

@ -25,7 +25,7 @@ const spent = [];
//Captcha lifetime in minutes
const lifetime = 2;
module.exports.genCaptcha = async function(){
module.exports.genCaptcha = async function(difficulty = 2, uniqueSecret = ''){
//Set altcha expiration date
const expiration = new Date();
@ -34,13 +34,13 @@ module.exports.genCaptcha = async function(){
//Generate Altcha Challenge
return await createChallenge({
hmacKey: config.altchaSecret,
maxNumber: 200000,
hmacKey: [config.altchaSecret, uniqueSecret].join(''),
maxNumber: 100000 * difficulty,
expires: expiration
});
}
module.exports.verify = async function(payload){
module.exports.verify = async function(payload, uniqueSecret = ''){
//If we already checked this payload
if(spent.indexOf(payload) != -1){
//Fuck off and die
@ -57,5 +57,5 @@ module.exports.verify = async function(payload){
setTimeout(() => {spent.splice(payloadIndex,1);}, lifetime * 60 * 1000);
//Return verification results
return await verifySolution(payload, config.altchaSecret);
return await verifySolution(payload, [config.altchaSecret, uniqueSecret].join(''));
}

3
src/utils/scheduler.js
View file

@ -21,6 +21,7 @@ const cron = require('node-cron');
const {userModel} = require('../schemas/userSchema');
const userBanModel = require('../schemas/userBanSchema');
const channelModel = require('../schemas/channel/channelSchema');
const sessionUtils = require('./sessionUtils');
module.exports.schedule = function(){
//Process hashed IP Records that haven't been recorded in a week or more
@ -29,6 +30,8 @@ module.exports.schedule = function(){
cron.schedule('0 0 * * *', ()=>{userBanModel.processExpiredBans()},{scheduled: true, timezone: "UTC"});
//Process expired channel bans every night at midnight
cron.schedule('0 0 * * *', ()=>{channelModel.processExpiredBans()},{scheduled: true, timezone: "UTC"});
//Process expired failed login attempts every night at midnight
cron.schedule('0 0 * * *', ()=>{sessionUtils.processExpiredAttempts()},{scheduled: true, timezone: "UTC"});
}
module.exports.kickoff = function(){

141
src/utils/sessionUtils.js
View file

@ -17,44 +17,125 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.*/
//local imports
const {userModel} = require('../schemas/userSchema');
const userBanModel = require('../schemas/userBanSchema')
const altchaUtils = require('../utils/altchaUtils');
//Create failed sign-in cache since it's easier and more preformant to implement it this way than adding extra burdon to the database
//Server restarts are far and few between. It would take multiple during a single bruteforce attempt for this to become an issue.
const failedAttempts = new Map();
const throttleAttempts = 5;
const maxAttempts = 200;
//this module is good for keeping wrappers for userModel and other shit in that does more session handling than database access/modification.
module.exports.authenticateSession = async function(user, pass, req){
//Fuck you yoda
try{
//Grab previous attempts
const attempt = failedAttempts.get(user);
//Authenticate the session
const userDB = await userModel.authenticate(user, pass);
const banDB = await userBanModel.checkBanByUserDoc(userDB);
//If we have failed attempts
if(attempt != null){
//If we have more failed attempts than allowed
if(attempt.count > maxAttempts){
throw new Error("This account has been locked for at 24 hours due to a large amount of failed log-in attempts");
}
if(banDB){
//Make the number a little prettier despite the lack of precision since we're not doing calculations here :P
const expiration = banDB.getDaysUntilExpiration() < 1 ? 0 : banDB.getDaysUntilExpiration();
if(banDB.permanent){
throw new Error(`Your account has been permanently banned, and will be nuked from the database in: ${expiration} day(s)`);
}else{
throw new Error(`Your account has been temporarily banned, and will be reinstated in: ${expiration} day(s)`);
//If we're throttling logins
if(attempt.count > throttleAttempts){
//Verification doesnt get sanatized or checked since that would most likely break the cryptography
//Since we've already got access to the request and dont need to import anything, why bother getting it from a parameter?
if(req.body.verification == null){
throw new Error("Verification failed!");
}else if(!altchaUtils.verify(req.body.verification, user)){
throw new Error("Verification failed!");
}
}
}
//Authenticate the session
const userDB = await userModel.authenticate(user, pass);
const banDB = await userBanModel.checkBanByUserDoc(userDB);
//If the user is banned
if(banDB){
//Make the number a little prettier despite the lack of precision since we're not doing calculations here :P
const expiration = banDB.getDaysUntilExpiration() < 1 ? 0 : banDB.getDaysUntilExpiration();
if(banDB.permanent){
throw new Error(`Your account has been permanently banned, and will be nuked from the database in: ${expiration} day(s)`);
}else{
throw new Error(`Your account has been temporarily banned, and will be reinstated in: ${expiration} day(s)`);
}
}
//Tattoo the session with user and metadata
//unfortunately store.all() does not return sessions w/ their ID so we had to improvise...
//Not sure if this is just how connect-mongo is implemented or if it's an express issue, but connect-mongodb-session seems to not implement the all() function what so ever...
req.session.seshid = req.session.id;
req.session.authdate = new Date();
req.session.authip = req.ip;
req.session.user = {
user: userDB.user,
id: userDB.id,
rank: userDB.rank
}
//Tattoo hashed IP address to user account for seven days
userDB.tattooIPRecord(req.ip);
//If we got to here then the log-in was successful. We should clear-out any failed attempts.
failedAttempts.delete(user);
//return user
return userDB.user;
}catch(err){
//Look for previous failed attempts
var attempt = failedAttempts.get(user);
//If this is the first attempt
if(attempt == null){
//Create new attempt object
attempt = {
count: 1,
lastAttempt: new Date()
}
}else{
//Create updated attempt object
attempt = {
count: attempt.count + 1,
lastAttempt: new Date()
}
}
//Commit the failed attempt to the failed sign-in cache
failedAttempts.set(user, attempt);
//y33t
throw err;
}
//Tattoo the session with user and metadata
//unfortunately store.all() does not return sessions w/ their ID so we had to improvise...
//Not sure if this is just how connect-mongo is implemented or if it's an express issue, but connect-mongodb-session seems to not implement the all() function what so ever...
req.session.seshid = req.session.id;
req.session.authdate = new Date();
req.session.authip = req.ip;
req.session.user = {
user: userDB.user,
id: userDB.id,
rank: userDB.rank
}
//Tattoo hashed IP address to user account for seven days
userDB.tattooIPRecord(req.ip);
//return user
return userDB.user;
}
module.exports.killSession = async function(session){
session.destroy();
}
}
module.exports.getLoginAttempts = function(user){
//Read the code, i'm not explaining this
return failedAttempts.get(user);
}
module.exports.processExpiredAttempts = function(){
for(user of failedAttempts.keys()){
//Get attempt by user
const attempt = failedAttempts.get(user);
//Check how long its been
const daysSinceLastAttempt = ((new Date() - attempt.lastAttempt) / (1000 * 60 * 60 * 24)).toFixed(1);
//If it's been more than a day since anyones tried to log in as this user
if(daysSinceLastAttempt >= 1){
//Clear out the attempts so that they don't need to fuck with a captcha anymore
failedAttempts.delete(user);
}
}
}
module.exports.throttleAttempts = throttleAttempts;
module.exports.maxAttempts = maxAttempts;