improve security (#2661)
* disable basic auth when password auth disabled
* clarify otl security
pull/2664/head
Bernd Storath
3 weeks ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with
23 additions and
0 deletions
-
src/server/database/repositories/oneTimeLink/service.ts
-
src/server/routes/cnf/[oneTimeLink].ts
-
src/server/utils/session.ts
|
|
|
@ -52,6 +52,10 @@ export class OneTimeLinkService { |
|
|
|
} |
|
|
|
|
|
|
|
generate(id: ID) { |
|
|
|
// SECURITY
|
|
|
|
// This is known to be vulnerable to brute force attacks
|
|
|
|
// Mitigations: Small Window, One Time Use
|
|
|
|
// Making it longer defeats the whole purpose
|
|
|
|
const key = `${id}-${Math.floor(Math.random() * 1000)}`; |
|
|
|
const oneTimeLink = Math.abs(CRC32.str(key)).toString(16); |
|
|
|
const expiresAt = new Date(Date.now() + 5 * 60 * 1000).toISOString(); |
|
|
|
@ -60,6 +64,11 @@ export class OneTimeLinkService { |
|
|
|
} |
|
|
|
|
|
|
|
erase(id: ID) { |
|
|
|
// SECURITY
|
|
|
|
// This is known the extend the Window for brute force attacks
|
|
|
|
// Reason: Set the expiresAt to 10 seconds in the future to allow a second request to get the otl
|
|
|
|
// some browser apparently make two requests when downloading a file
|
|
|
|
// cant find the bug report anymore, maybe this can be removed?
|
|
|
|
const expiresAt = new Date(Date.now() + 10 * 1000).toISOString(); |
|
|
|
return this.#statements.erase.execute({ id, expiresAt }); |
|
|
|
} |
|
|
|
|
|
|
|
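Review bot: The new comment in generate() says the link is brute-forceable but does not state why, and the reason is visible two lines below it: the suffix is `Math.floor(Math.random() * 1000)`, so for a given id there are at most 1000 distinct keys, and Math.random() is not a cryptographically secure generator, so the draw is also predictable in principle. Swapping the suffix for `crypto.randomInt(1000)` from node:crypto keeps the link exactly as short as it is now (so "making it longer defeats the whole purpose" still holds) while removing the predictable generator; the import would go at the top of the file, outside this hunk. I would also extend the comment to name the numbers the mitigations rely on, e.g. `// Key space is 1000 values per id; window is 5 minutes (generate) + 10 seconds after first use (erase)`, so a future reader can judge whether the window is still small enough. In erase() the new comment reads "This is known the extend the Window" and presumably means "known to extend the Window"; the question it ends with (whether the 10-second grace can be removed) deserves a tracking issue rather than a comment, since every second of that grace widens the window the generate() comment is worried about. The enclosing class OneTimeLinkService starts outside both hunks.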
@ -14,6 +14,13 @@ export default defineEventHandler(async (event) => { |
|
|
|
}); |
|
|
|
} |
|
|
|
|
|
|
|
if (new Date() > new Date(otl.expiresAt)) { |
|
|
|
throw createError({ |
|
|
|
statusCode: 410, |
|
|
|
statusMessage: 'One Time Link has expired', |
|
|
|
}); |
|
|
|
} |
|
|
|
|
|
|
|
const client = await Database.clients.get(otl.id); |
|
|
|
if (!client) { |
|
|
|
throw createError({ |
|
|
|
|
|
|
|
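Review bot: The new expiry check fails open when otl.expiresAt does not parse: `new Date(otl.expiresAt)` yields an Invalid Date for a missing or malformed value, the `>` comparison against NaN is false, and the link is served as if it never expires. If the column can be null or is ever written in a format Date cannot parse (I cannot see the schema from here), the check should reject that case explicitly: `const expiresAt = new Date(otl.expiresAt).getTime();` followed by `if (Number.isNaN(expiresAt) || Date.now() > expiresAt) {`. Note also that answering 410 here and (presumably) 404 for an unknown link lets a caller tell a recently used link apart from one that never existed; if that distinction is not needed by the client, a single status for both cases gives away less. The enclosing handler starts before and ends after this hunk.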
@ -54,6 +54,13 @@ export async function getCurrentUser(event: H3Event) { |
|
|
|
// Handle if authenticating using Session
|
|
|
|
user = await Database.users.get(session.data.userId); |
|
|
|
} else if (authorization) { |
|
|
|
if (WG_ENV.DISABLE_PASSWORD_AUTH) { |
|
|
|
throw createError({ |
|
|
|
statusCode: 403, |
|
|
|
statusMessage: 'Password authentication is disabled', |
|
|
|
}); |
|
|
|
} |
|
|
|
|
|
|
|
// Handle if authenticating using Header
|
|
|
|
const [method, value] = authorization.split(' '); |
|
|
|
// Support Basic Authentication
|
|
|
|
|
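Review bot: The new `if (WG_ENV.DISABLE_PASSWORD_AUTH)` guard is correct only if that value is a real boolean; if WG_ENV is built from process.env without coercion, the string 'false' is truthy and every Authorization header would be rejected, so confirm where WG_ENV is parsed (outside this hunk). The guard also sits above the `// Handle if authenticating using Header` comment, which now describes code further down; either move the guard below that comment or give it its own, e.g. `// Basic auth is password auth: refuse it whenever password login is disabled`. It rejects any Authorization scheme, not just Basic, which matches the code as long as `// Support Basic Authentication` is the only scheme handled below, but the 403 message would mislead if another scheme is added later. Whether the login route enforces the same flag is not visible here and is worth checking in the same PR. getCurrentUser starts before and continues after this hunk.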