Added instance-unique salt to IP hashes

config.example.json

@@ -7,6 +7,7 @@
     "domain": "localhost",
     "sessionSecret": "CHANGE_ME",
     "altchaSecret": "CHANGE_ME",
+    "ipSecret": "CHANGE_ME",
     "ssl":{
         "cert": "./server.cert",
         "key": "./server.key"

src/server.js

@@ -180,8 +180,6 @@ app.use(errorMiddleware);
 //Basic 404 handler
 app.use(fileNotFoundController);
 
-
-
 //Increment launch counter
 statModel.incrementLaunchCount();
 

src/utils/configCheck.js

@@ -47,6 +47,11 @@ module.exports.securityCheck = function(){
         loggerUtil.consoleWarn("Insecure Altcha Secret! Change Altcha Secret!");
     }
 
+    //check ipHash secret
+    if(!validator.isStrongPassword(config.ipSecret) || config.ipSecret == "CHANGE_ME"){
+        loggerUtil.consoleWarn("Insecure IP Hashing Secret! Change IP Hashing Secret!");
+    }
+
     //check DB pass
     if(!validator.isStrongPassword(config.db.pass) || config.db.pass == "CHANGE_ME" || config.db.pass == config.db.user){
         loggerUtil.consoleWarn("Insecure Database Password! Change Database password!");
@@ -56,5 +61,4 @@ module.exports.securityCheck = function(){
     if(!validator.isStrongPassword(config.mail.pass) || config.mail.pass == "CHANGE_ME"){
         loggerUtil.consoleWarn("Insecure Email Password! Change Email password!");
     }
-
 }

src/utils/hashUtils.js

@@ -14,6 +14,9 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 
+//Config
+const config = require('../../config.json');
+
 //Node Imports
 const crypto = require('node:crypto');
 
@@ -33,8 +36,8 @@ module.exports.hashIP = function(ip){
     //Create hash object
     const hashObj = crypto.createHash('md5');
 
-    //add IP to the hash
-    hashObj.update(ip);
+    //add IP and salt to the hash
+    hashObj.update(`${ip}${config.ipSecret}`);
 
     //return the IP hash as a string
     return hashObj.digest('hex');