CSRF and various enhancements

2025-12-16 11:08:49 +00:00 · 2020-05-10 03:20:13 +12:00
parent 270a662c75
commit 47cc40bc5a
10 changed files with 95 additions and 26 deletions
--- a/src/site/api/settings.js
+++ b/src/site/api/settings.js
@@ -1,6 +1,6 @@
 const constants = require("../../lib/constants")
 const {render, redirect} = require("pinski/plugins")
-const {getSettings} = require("./utils/getsettings")
+const {getSettings, getToken, generateCSRF, checkCSRF} = require("./utils/getsettings")
 const crypto = require("crypto")
 const db = require("../../lib/db")

@@ -9,13 +9,22 @@ module.exports = [
 		route: "/settings", methods: ["GET"], code: async ({req, url}) => {
 			const settings = getSettings(req)
 			// console.log(settings)
-			const saved = url.searchParams.has("saved")
-			return render(200, "pug/settings.pug", {saved, constants, settings})
+			const csrf = generateCSRF()
+			const message = url.searchParams.get("message")
+			const status = url.searchParams.get("status")
+			return render(200, "pug/settings.pug", {constants, settings, csrf, status, message})
 		}
 	},
 	{
-		route: "/settings", methods: ["POST"], upload: true, code: async ({body}) => {
+		route: "/settings", methods: ["POST"], upload: true, code: async ({req, body}) => {
+			const oldToken = getToken(req)
 			const params = new URLSearchParams(body.toString())
+			if (!checkCSRF(params.get("csrf"))) {
+				const returnParams = new URLSearchParams()
+				returnParams.append("status", "fail")
+				returnParams.append("message", "Form timed out or reused.\n(Invalid or missing CSRF token.)")
+				return redirect("/settings?" + returnParams.toString(), 303)
+			}
 			const prepared = {}
 			for (const setting of constants.user_settings) {
 				let valueOrDefault
@@ -42,14 +51,15 @@ module.exports = [
 			prepared.created = Date.now()
 			const fields = constants.user_settings.map(s => s.name)
 			db.prepare(`INSERT INTO UserSettings (token, created, ${fields.join(", ")}) VALUES (@token, @created, ${fields.map(f => "@"+f).join(", ")})`).run(prepared)
+			db.prepare("DELETE FROM UserSettings WHERE token = ?").run(oldToken)
 			const expires = new Date(Date.now() + 4000*24*60*60*1000).toUTCString()
 			return {
 				statusCode: 303,
 				headers: {
-					"Location": "/settings?saved=1",
-					"Set-Cookie": `settings=${prepared.token}; Path=/; Expires=${expires}; SameSite=Strict`
+					"Location": "/settings?status=success&message=Saved.",
+					"Set-Cookie": `settings=${prepared.token}; Path=/; Expires=${expires}; SameSite=Lax`
 				},
-				contentType: "text/html",
+				contentType: "text/html; charset=UTF-8",
 				content: "Redirecting..."
 			}
 		}
--- a/src/site/api/utils/getsettings.js
+++ b/src/site/api/utils/getsettings.js
@@ -1,3 +1,4 @@
+const crypto = require("crypto")
 const {parse} = require("cookie")

 const constants = require("../../../lib/constants")
@@ -19,14 +20,49 @@ function addDefaults(input = {}) {
 	return result
 }

-function getSettings(req) {
-	if (!req.headers.cookie) return addDefaults()
+function getToken(req) {
+	if (!req.headers.cookie) return null
 	const cookie = parse(req.headers.cookie)
-	const settings = cookie.settings
-	if (!settings) return addDefaults()
-	const row = db.prepare("SELECT * FROM UserSettings WHERE token = ?").get(settings)
-	if (!row) return addDefaults()
-	return addDefaults(row)
+	const token = cookie.settings
+	if (token) return token
+	else return null
 }

+function getSettings(req) {
+	const token = getToken(req)
+	if (token) {
+		const row = db.prepare("SELECT * FROM UserSettings WHERE token = ?").get(token)
+		if (row) {
+			return addDefaults(row)
+		}
+	}
+	return addDefaults()
+}
+
+function generateCSRF() {
+	const token = crypto.randomBytes(16).toString("hex")
+	const expires = Date.now() + constants.caching.csrf_time
+	db.prepare("INSERT INTO CSRFTokens (token, expires) VALUES (?, ?)").run(token, expires)
+	return token
+}
+
+function checkCSRF(token) {
+	const row = db.prepare("SELECT * FROM CSRFTokens WHERE token = ? AND expires > ?").get(token, Date.now())
+	if (row) {
+		db.prepare("DELETE FROM CSRFTokens WHERE token = ?").run(token)
+		return true
+	} else {
+		return false
+	}
+}
+
+function cleanCSRF() {
+	db.prepare("DELETE FROM CSRFTokens WHERE expires <= ?").run(Date.now())
+}
+cleanCSRF()
+setInterval(cleanCSRF, constants.caching.csrf_time)
+
+module.exports.getToken = getToken
 module.exports.getSettings = getSettings
+module.exports.generateCSRF = generateCSRF
+module.exports.checkCSRF = checkCSRF