Reg tokens bypass other restrictions
This commit is contained in:
parent
bdda215005
commit
e6ae9d32e8
@ -30,11 +30,27 @@ router.post(
|
|||||||
const { register, security, limits } = Config.get();
|
const { register, security, limits } = Config.get();
|
||||||
const ip = getIpAdress(req);
|
const ip = getIpAdress(req);
|
||||||
|
|
||||||
|
// Reg tokens
|
||||||
|
// They're a one time use token that bypasses registration limits ( rates, disabled reg, etc )
|
||||||
|
let regTokenUsed = false;
|
||||||
|
if (req.get("Referrer") && req.get("Referrer")?.includes("token=")) { // eg theyre on https://staging.fosscord.com/register?token=whatever
|
||||||
|
const token = req.get("Referrer")!.split("token=")[1].split("&")[0];
|
||||||
|
if (token) {
|
||||||
|
const regToken = await ValidRegistrationToken.findOne({ where: { token, expires_at: MoreThan(new Date()), } });
|
||||||
|
await ValidRegistrationToken.delete({ token });
|
||||||
|
regTokenUsed = true;
|
||||||
|
console.log(`[REGISTER] Registration token ${token} used for registration!`);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// email will be slightly modified version of the user supplied email -> e.g. protection against GMail Trick
|
// email will be slightly modified version of the user supplied email -> e.g. protection against GMail Trick
|
||||||
let email = adjustEmail(body.email);
|
let email = adjustEmail(body.email);
|
||||||
|
|
||||||
// check if registration is allowed
|
// check if registration is allowed
|
||||||
if (!register.allowNewRegistration) {
|
if (!regTokenUsed && !register.allowNewRegistration) {
|
||||||
throw FieldErrors({
|
throw FieldErrors({
|
||||||
email: {
|
email: {
|
||||||
code: "REGISTRATION_DISABLED",
|
code: "REGISTRATION_DISABLED",
|
||||||
@ -53,7 +69,7 @@ router.post(
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
if (register.disabled) {
|
if (!regTokenUsed && register.disabled) {
|
||||||
throw FieldErrors({
|
throw FieldErrors({
|
||||||
email: {
|
email: {
|
||||||
code: "DISABLED",
|
code: "DISABLED",
|
||||||
@ -62,7 +78,7 @@ router.post(
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
if (register.requireCaptcha && security.captcha.enabled) {
|
if (!regTokenUsed && register.requireCaptcha && security.captcha.enabled) {
|
||||||
const { sitekey, service } = security.captcha;
|
const { sitekey, service } = security.captcha;
|
||||||
if (!body.captcha_key) {
|
if (!body.captcha_key) {
|
||||||
return res?.status(400).json({
|
return res?.status(400).json({
|
||||||
@ -82,7 +98,7 @@ router.post(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!register.allowMultipleAccounts) {
|
if (!regTokenUsed && !register.allowMultipleAccounts) {
|
||||||
// TODO: check if fingerprint was eligible generated
|
// TODO: check if fingerprint was eligible generated
|
||||||
const exists = await User.findOne({
|
const exists = await User.findOne({
|
||||||
where: { fingerprints: body.fingerprint },
|
where: { fingerprints: body.fingerprint },
|
||||||
@ -101,7 +117,7 @@ router.post(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (register.blockProxies) {
|
if (!regTokenUsed && register.blockProxies) {
|
||||||
if (isProxy(await IPAnalysis(ip))) {
|
if (isProxy(await IPAnalysis(ip))) {
|
||||||
console.log(`proxy ${ip} blocked from registration`);
|
console.log(`proxy ${ip} blocked from registration`);
|
||||||
throw new HTTPError("Your IP is blocked from registration");
|
throw new HTTPError("Your IP is blocked from registration");
|
||||||
@ -187,6 +203,7 @@ router.post(
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (
|
if (
|
||||||
|
!regTokenUsed &&
|
||||||
!body.invite &&
|
!body.invite &&
|
||||||
(register.requireInvite ||
|
(register.requireInvite ||
|
||||||
(register.guestsRequireInvite && !register.email))
|
(register.guestsRequireInvite && !register.email))
|
||||||
@ -200,22 +217,6 @@ router.post(
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
// Reg tokens
|
|
||||||
// They're a one time use token that bypasses registration rate limiter
|
|
||||||
let regTokenUsed = false;
|
|
||||||
if (req.get("Referrer")?.includes("token=")) { // eg theyre on https://staging.fosscord.com/register?token=whatever
|
|
||||||
const token = req.get("Referrer")!.split("token=")[1].split("&")[0];
|
|
||||||
if (token) {
|
|
||||||
const regToken = await ValidRegistrationToken.findOne({ where: { token, expires_at: MoreThan(new Date()), } });
|
|
||||||
await ValidRegistrationToken.delete({ token });
|
|
||||||
regTokenUsed = true;
|
|
||||||
console.log(`[REGISTER] Registration token ${token} used for registration!`);
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (
|
if (
|
||||||
!regTokenUsed &&
|
!regTokenUsed &&
|
||||||
limits.absoluteRate.register.enabled &&
|
limits.absoluteRate.register.enabled &&
|
||||||
|
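Review bot: `regToken`, the result of `ValidRegistrationToken.findOne(...)` in the first hunk, is never inspected — the `delete`, `regTokenUsed = true` and the success log run unconditionally, and the `else` branch only covers an empty `token` string, so any request whose client-supplied `Referrer` carries `token=<any non-empty value>` sets `regTokenUsed` and skips every guard this commit now conditions on it (disabled registration, captcha, multiple accounts, proxy block, invite requirement and the rate limit). The removed block at the end of the file had the same gap, but there it only bypassed the rate limiter; widening the flag to all checks turns it into a full registration bypass. The branch should test the lookup result, e.g. `if (regToken) { … } else { /* log invalid token */ }`, and because `findOne` followed by `delete` is not atomic, a delete keyed on token and expiry whose affected-row count decides `regTokenUsed` would also keep the one-time-use property under concurrent requests (inferred from the visible calls; confirm against the entity API). The enclosing `router.post` handler starts and ends outside the hunk.
```typescript
if (token) {
	const regToken = await ValidRegistrationToken.findOne({ where: { token, expires_at: MoreThan(new Date()), } });
	if (regToken) {
		await ValidRegistrationToken.delete({ token });
		regTokenUsed = true;
		console.log(`[REGISTER] Registration token ${token} used for registration!`);
	} else {
		console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
	}
}
// … unchanged: email adjustment and the !regTokenUsed guards …
```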