
improve security (#2661)

* disable basic auth when password auth disabled

* clarify otl security
Bernd Storath 3 weeks ago
committed by GitHub
parent
commit
66b292b11b
  1. 9
      src/server/database/repositories/oneTimeLink/service.ts
  2. 7
      src/server/routes/cnf/[oneTimeLink].ts
  3. 7
      src/server/utils/session.ts

9
src/server/database/repositories/oneTimeLink/service.ts

@ -52,6 +52,10 @@ export class OneTimeLinkService {
}
generate(id: ID) {
// SECURITY
// This is known to be vulnerable to brute force attacks
// Mitigations: Small Window, One Time Use
// Making it longer defeats the whole purpose
const key = `${id}-${Math.floor(Math.random() * 1000)}`;
const oneTimeLink = Math.abs(CRC32.str(key)).toString(16);
const expiresAt = new Date(Date.now() + 5 * 60 * 1000).toISOString();
@ -60,6 +64,11 @@ export class OneTimeLinkService {
}
erase(id: ID) {
// SECURITY
// This is known the extend the Window for brute force attacks
// Reason: Set the expiresAt to 10 seconds in the future to allow a second request to get the otl
// some browser apparently make two requests when downloading a file
// cant find the bug report anymore, maybe this can be removed?
const expiresAt = new Date(Date.now() + 10 * 1000).toISOString();
return this.#statements.erase.execute({ id, expiresAt });
}
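Review bot: `generate` draws its only secret from `Math.random()`, which is not a cryptographic generator, and from at most 1000 values per id, so the brute-force exposure the new comment admits is bounded to roughly ten bits no matter how the CRC32 is rendered; if the token must stay short, `crypto.randomInt(1000)` from `node:crypto` is a drop-in replacement for the `Math.random() * 1000` expression, and an attempt counter or rate limit on the consuming route is the mitigation the comment should list next to the small window and one-time use. The comment in `erase` has a typo and would read better as `// This is known to extend the window for brute force attacks`; since the 10-second grace period is acknowledged to widen that window, the note about the missing bug report is a good reason to revisit whether it is still needed. `generate` continues past the end of the first hunk, so the rest of its body was not reviewed.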

7
src/server/routes/cnf/[oneTimeLink].ts

@ -14,6 +14,13 @@ export default defineEventHandler(async (event) => {
});
}
if (new Date() > new Date(otl.expiresAt)) {
throw createError({
statusCode: 410,
statusMessage: 'One Time Link has expired',
});
}
const client = await Database.clients.get(otl.id);
if (!client) {
throw createError({
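Review bot: The expiry check at the top of the hunk fails open on a malformed `expiresAt`: `new Date(otl.expiresAt)` yields an Invalid Date, every comparison against it is false, and the link is then served as if it were still valid; I would fail closed with `const expiry = new Date(otl.expiresAt).getTime();` followed by `if (Number.isNaN(expiry) || Date.now() > expiry) {`. Whether a bad value can reach this row depends on the repository writes, which are outside this hunk, so treat the guard as defence in depth rather than a known hole. The handler begins and ends outside the hunk.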

7
src/server/utils/session.ts

@ -54,6 +54,13 @@ export async function getCurrentUser(event: H3Event) {
// Handle if authenticating using Session
user = await Database.users.get(session.data.userId);
} else if (authorization) {
if (WG_ENV.DISABLE_PASSWORD_AUTH) {
throw createError({
statusCode: 403,
statusMessage: 'Password authentication is disabled',
});
}
// Handle if authenticating using Header
const [method, value] = authorization.split(' ');
// Support Basic Authentication
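Review bot: The guard at the top of the `else if (authorization)` branch rejects every Authorization header when `WG_ENV.DISABLE_PASSWORD_AUTH` is set, not only the Basic scheme the commit title names; the comment below suggests Basic is the only scheme parsed today, so this is probably intended, but it deserves a comment so the check is not moved when another scheme is added: `// Any Authorization header is treated as a password credential here; refuse it while password auth is disabled so the header path cannot bypass that setting`. Returning 403 before `authorization.split(' ')` is the right order, since the header is never parsed on the disabled path. `getCurrentUser` starts and ends outside the hunk.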
