import crypto from 'node:crypto'; import storage from 'node-persist'; import express from 'express'; import { RateLimiterMemory, RateLimiterRes } from 'rate-limiter-flexible'; import { getIpFromRequest, getRealIpFromHeader } from '../express-common.js'; import { color, Cache, getConfigValue } from '../util.js'; import { KEY_PREFIX, getUserAvatar, toKey, getPasswordHash, getPasswordSalt } from '../users.js'; const DISCREET_LOGIN = getConfigValue('enableDiscreetLogin', false, 'boolean'); const PREFER_REAL_IP_HEADER = getConfigValue('rateLimiting.preferRealIpHeader', false, 'boolean'); const MFA_CACHE = new Cache(5 * 60 * 1000); const getIpAddress = (request) => PREFER_REAL_IP_HEADER ? getRealIpFromHeader(request) : getIpFromRequest(request); export const router = express.Router(); const loginLimiter = new RateLimiterMemory({ points: 5, duration: 60, }); const recoverLimiter = new RateLimiterMemory({ points: 5, duration: 300, }); router.post('/list', async (_request, response) => { try { if (DISCREET_LOGIN) { return response.sendStatus(204); } /** @type {import('../users.js').User[]} */ const users = await storage.values(x => x.key.startsWith(KEY_PREFIX)); /** @type {Promise[]} */ const viewModelPromises = users .filter(x => x.enabled) .map(user => new Promise(async (resolve) => { getUserAvatar(user.handle).then(avatar => resolve({ handle: user.handle, name: user.name, created: user.created, avatar: avatar, password: !!user.password, }), ); })); const viewModels = await Promise.all(viewModelPromises); viewModels.sort((x, y) => (x.created ?? 0) - (y.created ?? 0)); return response.json(viewModels); } catch (error) { console.error('User list failed:', error); return response.sendStatus(500); } }); router.post('/login', async (request, response) => { try { if (!request.body.handle) { console.warn('Login failed: Missing required fields'); return response.status(400).json({ error: 'Missing required fields' }); } const ip = getIpAddress(request); await loginLimiter.consume(ip); /** @type {import('../users.js').User} */ const user = await storage.getItem(toKey(request.body.handle)); if (!user) { console.error('Login failed: User', request.body.handle, 'not found'); return response.status(403).json({ error: 'Incorrect credentials' }); } if (!user.enabled) { console.warn('Login failed: User', user.handle, 'is disabled'); return response.status(403).json({ error: 'User is disabled' }); } if (user.password && user.password !== getPasswordHash(request.body.password, user.salt)) { console.warn('Login failed: Incorrect password for', user.handle); return response.status(403).json({ error: 'Incorrect credentials' }); } if (!request.session) { console.error('Session not available'); return response.sendStatus(500); } await loginLimiter.delete(ip); request.session.handle = user.handle; console.info('Login successful:', user.handle, 'from', ip, 'at', new Date().toLocaleString()); return response.json({ handle: user.handle }); } catch (error) { if (error instanceof RateLimiterRes) { console.error('Login failed: Rate limited from', getIpAddress(request)); return response.status(429).send({ error: 'Too many attempts. Try again later or recover your password.' }); } console.error('Login failed:', error); return response.sendStatus(500); } }); router.post('/recover-step1', async (request, response) => { try { if (!request.body.handle) { console.warn('Recover step 1 failed: Missing required fields'); return response.status(400).json({ error: 'Missing required fields' }); } const ip = getIpAddress(request); await recoverLimiter.consume(ip); /** @type {import('../users.js').User} */ const user = await storage.getItem(toKey(request.body.handle)); if (!user) { console.error('Recover step 1 failed: User', request.body.handle, 'not found'); return response.status(404).json({ error: 'User not found' }); } if (!user.enabled) { console.error('Recover step 1 failed: User', user.handle, 'is disabled'); return response.status(403).json({ error: 'User is disabled' }); } const mfaCode = String(crypto.randomInt(1000, 9999)); console.log(); console.log(color.blue(`${user.name}, your password recovery code is: `) + color.magenta(mfaCode)); console.log(); MFA_CACHE.set(user.handle, mfaCode); return response.sendStatus(204); } catch (error) { if (error instanceof RateLimiterRes) { console.error('Recover step 1 failed: Rate limited from', getIpAddress(request)); return response.status(429).send({ error: 'Too many attempts. Try again later or contact your admin.' }); } console.error('Recover step 1 failed:', error); return response.sendStatus(500); } }); router.post('/recover-step2', async (request, response) => { try { if (!request.body.handle || !request.body.code) { console.warn('Recover step 2 failed: Missing required fields'); return response.status(400).json({ error: 'Missing required fields' }); } /** @type {import('../users.js').User} */ const user = await storage.getItem(toKey(request.body.handle)); const ip = getIpAddress(request); if (!user) { console.error('Recover step 2 failed: User', request.body.handle, 'not found'); return response.status(404).json({ error: 'User not found' }); } if (!user.enabled) { console.warn('Recover step 2 failed: User', user.handle, 'is disabled'); return response.status(403).json({ error: 'User is disabled' }); } const mfaCode = MFA_CACHE.get(user.handle); if (request.body.code !== mfaCode) { await recoverLimiter.consume(ip); console.warn('Recover step 2 failed: Incorrect code'); return response.status(403).json({ error: 'Incorrect code' }); } if (request.body.newPassword) { const salt = getPasswordSalt(); user.password = getPasswordHash(request.body.newPassword, salt); user.salt = salt; await storage.setItem(toKey(user.handle), user); } else { user.password = ''; user.salt = ''; await storage.setItem(toKey(user.handle), user); } await recoverLimiter.delete(ip); MFA_CACHE.remove(user.handle); return response.sendStatus(204); } catch (error) { if (error instanceof RateLimiterRes) { console.error('Recover step 2 failed: Rate limited from', getIpAddress(request)); return response.status(429).send({ error: 'Too many attempts. Try again later or contact your admin.' }); } console.error('Recover step 2 failed:', error); return response.sendStatus(500); } });