Small code quality improvements

- Fix misleading JSDoc comment in cache.ts - Mitigate timing-based username enumeration in Basic auth - Extract duplicated TOTP configuration into private method - Replace manual peer counter with clients.length in Prometheus metrics - Simplify isValidPasswordHash return expression
3 months ago · 6deb2bacbd
5 changed files with 24 additions and 44 deletions
--- a/src/server/database/repositories/user/service.ts
+++ b/src/server/database/repositories/user/service.ts
@ -58,6 +58,17 @@ export class UserService {
    this.#statements = createPreparedStatement(db);
  }

+  #createTotp(user: Pick<UserType, 'username' | 'totpKey'>) {
+    return new TOTP({
+      issuer: 'wg-easy',
+      label: user.username,
+      algorithm: 'SHA1',
+      digits: 6,
+      period: 30,
+      secret: user.totpKey!,
+    });
+  }
+
  async getAll() {
    return this.#statements.findAll.execute();
  }
@ -160,18 +171,8 @@ export class UserService {
            return { success: false, error: 'UNEXPECTED_ERROR' };
          }

-          const totp = new TOTP({
-            issuer: 'wg-easy',
-            label: txUser.username,
-            algorithm: 'SHA1',
-            digits: 6,
-            period: 30,
-            secret: txUser.totpKey,
-          });
-
-          const valid = totp.validate({ token: code, window: 1 });
-
-          if (valid === null) {
+          const totp = this.#createTotp(txUser);
+          if (totp.validate({ token: code, window: 1 }) === null) {
            return { success: false, error: 'INVALID_TOTP_CODE' };
          }
        }
@ -199,18 +200,8 @@ export class UserService {
        throw new Error('TOTP key is not set');
      }

-      const totp = new TOTP({
-        issuer: 'wg-easy',
-        label: txUser.username,
-        algorithm: 'SHA1',
-        digits: 6,
-        period: 30,
-        secret: txUser.totpKey,
-      });
-
-      const valid = totp.validate({ token: code, window: 1 });
-
-      if (valid === null) {
+      const totp = this.#createTotp(txUser);
+      if (totp.validate({ token: code, window: 1 }) === null) {
        throw new Error('Invalid TOTP code');
      }

--- a/src/server/routes/metrics/prometheus.get.ts
+++ b/src/server/routes/metrics/prometheus.get.ts
@ -6,14 +6,12 @@ export default defineMetricsHandler('prometheus', async ({ event }) => {
 async function getPrometheusResponse() {
  const wgInterface = await Database.interfaces.get();
  const clients = await WireGuard.getAllClients();
-  let wireguardPeerCount = 0;
  let wireguardEnabledPeersCount = 0;
  let wireguardConnectedPeersCount = 0;
  const wireguardSentBytes = [];
  const wireguardReceivedBytes = [];
  const wireguardLatestHandshakeSeconds = [];
  for (const client of clients) {
-    wireguardPeerCount++;
    if (client.enabled === true) {
      wireguardEnabledPeersCount++;
    }
@ -41,7 +39,7 @@ async function getPrometheusResponse() {
  const returnText = [
    '# HELP wireguard_configured_peers',
    '# TYPE wireguard_configured_peers gauge',
-    `wireguard_configured_peers{${id}} ${wireguardPeerCount}`,
+    `wireguard_configured_peers{${id}} ${clients.length}`,
    '',
    '# HELP wireguard_enabled_peers',
    '# TYPE wireguard_enabled_peers gauge',
--- a/src/server/utils/cache.ts
+++ b/src/server/utils/cache.ts
@ -6,7 +6,7 @@ type Opts = {
 };

 /**
- * Cache function for 1 hour
+ * Cache the result of a function for the given expiry time
 */
 export function cacheFunction<T>(fn: () => T, { expiry }: Opts): () => T {
  let cache: { value: T; expiry: number } | null = null;
--- a/src/server/utils/password.ts
+++ b/src/server/utils/password.ts
@ -28,11 +28,7 @@ export function isValidPasswordHash(hash: string): boolean {
  try {
    const obj = deserialize(hash);

-    if (obj.id !== 'argon2i' && obj.id !== 'argon2d' && obj.id !== 'argon2id') {
-      return false;
-    }
-
-    return true;
+    return obj.id === 'argon2i' || obj.id === 'argon2d' || obj.id === 'argon2id';
  } catch {
    return false;
  }
--- a/src/server/utils/session.ts
+++ b/src/server/utils/session.ts
@ -70,26 +70,21 @@ export async function getCurrentUser(event: H3Event) {
      });
    }

-    // TODO: timing can be used to enumerate usernames
-
    const foundUser = await Database.users.getByUsername(username);

-    if (!foundUser) {
-      throw createError({
-        statusCode: 401,
-        statusMessage: 'Session failed',
-      });
-    }
-
-    const userHashPassword = foundUser.password;
+    // Always verify password to prevent timing-based username enumeration
+    const userHashPassword =
+      foundUser?.password ??
+      '$argon2id$v=19$m=65536,t=3,p=4$aaaaaaaaaaaaaaaa$bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
    const passwordValid = await isPasswordValid(password, userHashPassword);

-    if (!passwordValid) {
+    if (!foundUser || !passwordValid) {
      throw createError({
        statusCode: 401,
        statusMessage: 'Session failed',
      });
    }
+
    user = foundUser;
  } else {
    throw createError({