/*Canopy - The next generation of stoner streaming software Copyright (C) 2024-2025 Rainbownapkin and the TTN Community This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. You should have received a copy of the GNU Affero General Public License along with this program. If not, see .*/ //npm imports const {validationResult, matchedData} = require('express-validator'); //Local Imports const config = require('../../config.json'); const {userModel} = require('../schemas/user/userSchema.js'); const userBanModel = require('../schemas/user/userBanSchema.js'); const rememberMeModel = require('../schemas/user/rememberMeSchema.js'); const altchaUtils = require('../utils/altchaUtils.js'); const loggerUtils = require('../utils/loggerUtils.js'); /** * Create failed sign-in cache since it's easier and more preformant to implement it this way than adding extra burdon to the database * Server restarts are far and few between. It would take multiple during a single bruteforce attempt for this to become an issue. */ const failedAttempts = new Map(); /** * How many failed attempts required to throttle with altcha */ const throttleAttempts = 5; /** * How many attempts to lock user account out for the day */ const maxAttempts = 200; /** * Sole and Singular Session Authentication method. * All logins should happen through here, all other site-wide authentication should happen by sessions authenticated by this model. * This is important, as reducing authentication endpoints reduces attack surface. * * Ended up not splitting this in two/three for remember-me tokens. Kind of fucked up it was actually easier this way... * @param {String} identifier - Identifer used to identify account, either username or token UUID * @param {String} secret - Secret to authenticate session with, either password or token secret * @param {express.Request} req - Express request object w/ session to authenticate * @param {Boolean} useRememberMeToken - Whether or not we're using username/pass or remember-me tokens * @returns Username of authticated user upon success */ module.exports.authenticateSession = async function(identifier, secret, req, useRememberMeToken = false){ //Fuck you yoda try{ //Grab previous attempts const attempt = failedAttempts.get(identifier); //If we're proxied use passthrough IP const ip = config.proxied ? req.headers['x-forwarded-for'] : req.ip; //Look for ban by IP const ipBanDB = await userBanModel.checkBanByIP(ip); //If this ip is randy bobandy if(ipBanDB != null){ //Make the number a little prettier despite the lack of precision since we're not doing calculations here :P const expiration = ipBanDB.getDaysUntilExpiration() < 1 ? 0 : ipBanDB.getDaysUntilExpiration(); //If the ban is permanent if(ipBanDB.permanent){ //tell it to fuck off throw loggerUtils.exceptionSmith(`The IP address you are trying to login from has been permanently banned. Your cleartext IP has been saved to the database. Any associated accounts will be nuked in ${expiration} day(s).`, "unauthorized"); }else{ //tell it to fuck off throw loggerUtils.exceptionSmith(`The IP address you are trying to login from has been temporarily banned. Your cleartext IP has been saved to the database until the ban expires in ${expiration} day(s).`, "unauthorized"); } } //If we have failed attempts if(!useRememberMeToken && attempt != null){ //If we have more failed attempts than allowed if(attempt.count > maxAttempts){ throw loggerUtils.exceptionSmith("This account has been locked for at 24 hours due to a large amount of failed log-in attempts", "unauthorized"); } //If we're throttling logins if(attempt.count > throttleAttempts){ //Verification doesnt get sanatized or checked since that would most likely break the cryptography //Since we've already got access to the request and dont need to import anything, why bother getting it from a parameter? if(req.body.verification == null){ throw loggerUtils.exceptionSmith("Verification failed!", "unauthorized"); }else if(!altchaUtils.verify(req.body.verification, identifier)){ throw loggerUtils.exceptionSmith("Verification failed!", ""); } } } //define/scope empty userDB variable let userDB = null; //If we're using remember me tokens if(useRememberMeToken){ userDB = await rememberMeModel.authenticate(identifier, secret); //Otherwise }else{ //Fallback on to username/password authentication userDB = await userModel.authenticate(identifier, secret); } //Check for user ban const userBanDB = await userBanModel.checkBanByUserDoc(userDB); //If the user is banned if(userBanDB){ //Make the number a little prettier despite the lack of precision since we're not doing calculations here :P const expiration = userBanDB.getDaysUntilExpiration() < 1 ? 0 : userBanDB.getDaysUntilExpiration(); if(userBanDB.permanent){ throw loggerUtils.exceptionSmith(`Your account has been permanently banned, and will be nuked from the database in: ${expiration} day(s)`, "unauthorized"); }else{ throw loggerUtils.exceptionSmith(`Your account has been temporarily banned, and will be reinstated in: ${expiration} day(s)`, "unauthorized"); } } //Tattoo the session with user and metadata //unfortunately store.all() does not return sessions w/ their ID so we had to improvise... //Not sure if this is just how connect-mongo is implemented or if it's an express issue, but connect-mongodb-session seems to not implement the all() function what so ever... req.session.seshid = req.session.id; req.session.authdate = new Date(); req.session.user = { user: userDB.user, id: userDB.id, rank: userDB.rank } //Tattoo hashed IP address to user account for seven days userDB.tattooIPRecord(ip); if(!useRememberMeToken){ //If we got to here then the log-in was successful. We should clear-out any failed attempts. failedAttempts.delete(identifier); } //return user return userDB; }catch(err){ //Failed attempts at good tokens are handled by the token schema by dropping the users effected tokens and screaming bloody murder //Failed attempts with bad tokens don't need to be handled as it's not like attacking a bad UUID is going to get you anywhere anywho //This also makes it way easier to re-use parts of this function if(!useRememberMeToken){ //Look for previous failed attempts var attempt = failedAttempts.get(identifier); //If this is the first attempt if(attempt == null){ //Create new attempt object attempt = { count: 1, lastAttempt: new Date() } }else{ //Create updated attempt object attempt = { count: attempt.count + 1, lastAttempt: new Date() } } //Commit the failed attempt to the failed sign-in cache failedAttempts.set(identifier, attempt); } //y33t throw err; } } /** * Logs user out and destroys all server-side traces of a given session * @param {express-session.session} session */ module.exports.killSession = async function(session){ session.destroy(); } /** * Returns how many failed login attempts within the past day or so since the last login has occured for a given user * @param {String} user - User to check map against * @returns {Number} of failed login attempts */ module.exports.getLoginAttempts = function(user){ //Read the code, i'm not explaining this return failedAttempts.get(user); } /** * Nightly Function Call which iterates through the failed login attempts map, removing any which haven't been attempted in over a da yeahy */ module.exports.processExpiredAttempts = function(){ for(user of failedAttempts.keys()){ //Get attempt by user const attempt = failedAttempts.get(user); //Check how long its been const daysSinceLastAttempt = ((new Date() - attempt.lastAttempt) / (1000 * 60 * 60 * 24)).toFixed(1); //If it's been more than a day since anyones tried to log in as this user if(daysSinceLastAttempt >= 1){ //Clear out the attempts so that they don't need to fuck with a captcha anymore failedAttempts.delete(user); } } } /** * Express Middleware for handling remember-me authentication tokens * @param {express.Request} req - Express Request Object * @param {express.Response} res - Express Response Object * @param {function} next - Function to call upon next middleware */ module.exports.rememberMeMiddleware = function(req, res, next){ //if we have an un-authenticated user if(req.session.user == null || req.session.user == ""){ //Check validation result const validResult = validationResult(req); //if we don't have errors if(validResult.isEmpty()){ //Pull verified data from request const data = matchedData(req); //If we have a valid remember me id and token if(data.rememberme != null && data.rememberme.id != null && data.rememberme.token != null){ //Authenticate against standard auth function in remember me mode module.exports.authenticateSession(data.rememberme.id, data.rememberme.token, req, true).then((userDB)=>{ //Jump to next middleware next(); }).catch((err)=>{ //Clear out remember me fields res.clearCookie('rememberme.id'); res.clearCookie('rememberme.token'); //Quietly handle exceptions without pestering the user loggerUtils.localExceptionHandler(err); //Go on with life next(); }); }else{ //Jump to next middleware, this looks gross but it's only because they made me use .then like a bunch of fucking dicks next(); } }else{ //Jump to next middleware next(); } }else{ //Jump to next middleware next(); } } module.exports.throttleAttempts = throttleAttempts; module.exports.maxAttempts = maxAttempts;