diff --git a/src/api/routes/auth/generate-registration-tokens.ts b/src/api/routes/auth/generate-registration-tokens.ts
new file mode 100644
index 00000000..e328fe5e
--- /dev/null
+++ b/src/api/routes/auth/generate-registration-tokens.ts
@@ -0,0 +1,28 @@
+import { route, random } from "@fosscord/api";
+import { Config, ValidRegistrationToken } from "@fosscord/util";
+import { Request, Response, Router } from "express";
+
+const router: Router = Router();
+export default router;
+
+router.get("/", route({ right: "OPERATOR" }), async (req: Request, res: Response) => {
+ const count = req.query.count ? parseInt(req.query.count as string) : 1;
+ const length = req.query.length ? parseInt(req.query.length as string) : 255;
+
+ let tokens: ValidRegistrationToken[] = [];
+
+ for (let i = 0; i < count; i++) {
+ const token = ValidRegistrationToken.create({
+ token: random(length),
+ expires_at: Date.now() + Config.get().security.defaultRegistrationTokenExpiration
+ });
+ tokens.push(token);
+ }
+
+ // Why are these options used, exactly?
+ await ValidRegistrationToken.save(tokens, { chunk: 1000, reload: false, transaction: false });
+
+ if (req.query.plain) return res.send(tokens.map(x => x.token).join("\n"));
+
+ return res.json({ tokens: tokens.map(x => x.token) });
+});
\ No newline at end of file
diff --git a/src/api/routes/auth/register.ts b/src/api/routes/auth/register.ts
index eba86f77..6ca23158 100644
--- a/src/api/routes/auth/register.ts
+++ b/src/api/routes/auth/register.ts
@@ -7,6 +7,7 @@ import {
User,
adjustEmail,
RegisterSchema,
+ ValidRegistrationToken,
} from "@fosscord/util";
import {
route,
@@ -17,7 +18,7 @@ import {
} from "@fosscord/api";
import bcrypt from "bcrypt";
import { HTTPError } from "lambert-server";
-import { MoreThan } from "typeorm";
+import { LessThan, MoreThan } from "typeorm";
const router: Router = Router();
@@ -199,7 +200,24 @@ router.post(
});
}
+ // Reg tokens
+ // They're a one time use token that bypasses registration rate limiter
+ let regTokenUsed = false;
+ if (req.get("Referrer")?.includes("token=")) { // eg theyre on https://staging.fosscord.com/register?token=whatever
+ const token = req.get("Referrer")!.split("token=")[1].split("&")[0];
+ if (token) {
+ const regToken = await ValidRegistrationToken.findOne({ where: { token, expires_at: MoreThan(new Date()), } });
+ await ValidRegistrationToken.delete({ token });
+ regTokenUsed = true;
+ console.log(`[REGISTER] Registration token ${token} used for registration!`);
+ }
+ else {
+ console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
+ }
+ }
+
if (
+ !regTokenUsed &&
limits.absoluteRate.register.enabled &&
(await User.count({ where: { created_at: MoreThan(new Date(Date.now() - limits.absoluteRate.register.window)) } }))
>= limits.absoluteRate.register.limit
diff --git a/src/api/util/utility/RandomInviteID.ts b/src/api/util/utility/RandomInviteID.ts
index bfed65bb..fa484bd5 100644
--- a/src/api/util/utility/RandomInviteID.ts
+++ b/src/api/util/utility/RandomInviteID.ts
@@ -1,4 +1,8 @@
import { Snowflake } from "@fosscord/util";
+import crypto from "crypto";
+
+// TODO: 'random'? seriously? who named this?
+// And why is this even here? Just use cryto.randomBytes?
export function random(length = 6) {
// Declare all characters
@@ -8,7 +12,7 @@ export function random(length = 6) {
// Pick characers randomly
let str = "";
for (let i = 0; i < length; i++) {
- str += chars.charAt(Math.floor(Math.random() * chars.length));
+ str += chars.charAt(Math.floor(crypto.randomInt(chars.length)));
}
return str;
diff --git a/src/util/config/types/SecurityConfiguration.ts b/src/util/config/types/SecurityConfiguration.ts
index ca610216..0fa396c9 100644
--- a/src/util/config/types/SecurityConfiguration.ts
+++ b/src/util/config/types/SecurityConfiguration.ts
@@ -2,16 +2,17 @@ import crypto from "crypto";
import { CaptchaConfiguration, TwoFactorConfiguration } from ".";
export class SecurityConfiguration {
- captcha: CaptchaConfiguration = new CaptchaConfiguration();
- twoFactor: TwoFactorConfiguration = new TwoFactorConfiguration();
- autoUpdate: boolean | number = true;
- requestSignature: string = crypto.randomBytes(32).toString("base64");
- jwtSecret: string = crypto.randomBytes(256).toString("base64");
- // header to get the real user ip address
- // X-Forwarded-For for nginx/reverse proxies
- // CF-Connecting-IP for cloudflare
- forwadedFor: string | null = null;
- ipdataApiKey: string | null = "eca677b284b3bac29eb72f5e496aa9047f26543605efe99ff2ce35c9";
+ captcha: CaptchaConfiguration = new CaptchaConfiguration();
+ twoFactor: TwoFactorConfiguration = new TwoFactorConfiguration();
+ autoUpdate: boolean | number = true;
+ requestSignature: string = crypto.randomBytes(32).toString("base64");
+ jwtSecret: string = crypto.randomBytes(256).toString("base64");
+ // header to get the real user ip address
+ // X-Forwarded-For for nginx/reverse proxies
+ // CF-Connecting-IP for cloudflare
+ forwadedFor: string | null = null;
+ ipdataApiKey: string | null = "eca677b284b3bac29eb72f5e496aa9047f26543605efe99ff2ce35c9";
mfaBackupCodeCount: number = 10;
statsWorldReadable: boolean = true;
+ defaultRegistrationTokenExpiration: number = 1000 * 60 * 60 * 24 * 7; //1 week
}
diff --git a/src/util/entities/ValidRegistrationTokens.ts b/src/util/entities/ValidRegistrationTokens.ts
new file mode 100644
index 00000000..00839324
--- /dev/null
+++ b/src/util/entities/ValidRegistrationTokens.ts
@@ -0,0 +1,13 @@
+import { BaseEntity, Column, Entity, PrimaryColumn } from "typeorm";
+
+@Entity("valid_registration_tokens")
+export class ValidRegistrationToken extends BaseEntity {
+ @PrimaryColumn()
+ token: string;
+
+ @Column()
+ created_at: Date = new Date();
+
+ @Column()
+ expires_at: Date;
+}
\ No newline at end of file
diff --git a/src/util/entities/index.ts b/src/util/entities/index.ts
index 7b24e21c..40260ba4 100644
--- a/src/util/entities/index.ts
+++ b/src/util/entities/index.ts
@@ -32,3 +32,4 @@ export * from "./ClientRelease";
export * from "./BackupCodes";
export * from "./Note";
export * from "./UserSettings";
+export * from "./ValidRegistrationTokens";
\ No newline at end of file
|
