authorFlam3rboy <34555296+Flam3rboy@users.noreply.github.com>2021-02-03 17:42:49 +0100
committerFlam3rboy <34555296+Flam3rboy@users.noreply.github.com>2021-02-03 17:42:49 +0100
commit54e5b61095f4c99bb90f6695982074cbfa425423 (patch)
tree6687e7a89096bd8d21042582cd68c24b81019682 /src/routes
parent:bug: fix register date of birth (diff)
:lock: prevent passwort denial of server
Diffstat (limited to 'src/routes')
-rw-r--r--src/routes/api/v8/auth/login.ts6
-rw-r--r--src/routes/api/v8/auth/register.ts20
-rw-r--r--src/routes/api/v8/channels/#CHANNELID/followers.ts (renamed from src/routes/api/v8/channel/#CHANNELID/followers.ts)0
-rw-r--r--src/routes/api/v8/channels/#CHANNELID/index.ts (renamed from src/routes/api/v8/channel/#CHANNELID/index.ts)0
-rw-r--r--src/routes/api/v8/channels/#CHANNELID/invites.ts (renamed from src/routes/api/v8/channel/#CHANNELID/invites.ts)0
-rw-r--r--src/routes/api/v8/channels/#CHANNELID/messages.ts (renamed from src/routes/api/v8/channel/#CHANNELID/messages.ts)0
-rw-r--r--src/routes/api/v8/channels/#CHANNELID/permissions.ts (renamed from src/routes/api/v8/channel/#CHANNELID/permissions.ts)0
-rw-r--r--src/routes/api/v8/channels/#CHANNELID/pins.ts (renamed from src/routes/api/v8/channel/#CHANNELID/pins.ts)0
-rw-r--r--src/routes/api/v8/channels/#CHANNELID/recipients.ts (renamed from src/routes/api/v8/channel/#CHANNELID/recipients.ts)0
-rw-r--r--src/routes/api/v8/channels/#CHANNELID/typing.ts (renamed from src/routes/api/v8/channel/#CHANNELID/typing.ts)0
-rw-r--r--src/routes/api/v8/invites/index.ts (renamed from src/routes/api/v8/invite/index.ts)0
11 files changed, 14 insertions, 12 deletions
diff --git a/src/routes/api/v8/auth/login.ts b/src/routes/api/v8/auth/login.ts
index 92676971..d8cab00a 100644
--- a/src/routes/api/v8/auth/login.ts
+++ b/src/routes/api/v8/auth/login.ts
@@ -1,6 +1,6 @@
 import { Request, Response, Router } from "express";
 import db from "../../../../util/Database";
-import { check, FieldErrors } from "../../../../util/instanceOf";
+import { check, FieldErrors, Length } from "../../../../util/instanceOf";
 import bcrypt from "bcrypt";
 import jwt from "jsonwebtoken";
 import Config from "../../../../util/Config";
@@ -11,8 +11,8 @@ const router: Router = Router();
 router.post(
 	"/",
 	check({
-		login: String, // email or telephone
-		password: String,
+		login: new Length(String, 2, 100), // email or telephone
+		password: new Length(String, 8, 64),
 		$undelete: Boolean,
 		$captcha_key: String,
 		$login_source: String,
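Review bot: The new bound `password: new Length(String, 8, 64)` locks existing accounts out of login: until this commit register.ts accepted passwords of up to 100 characters (the removed `checkLength(password, 8, 100, "password", req)` in the register.ts hunk below), so a user who registered with a 65–100 character password now fails schema validation before the stored bcrypt hash is ever compared. A login-side cap should not be tighter than the registration limit that was in force when the hashes were created, and since bcrypt only hashes the first 72 bytes of its input, a cap of 64 gives no protection that the old limit would not, so `password: new Length(String, 8, 100)` on this route (or a migration path for affected users) is the safer choice. The `router.post(` handler starts at line 11 of the file and its body continues outside the hunk.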
diff --git a/src/routes/api/v8/auth/register.ts b/src/routes/api/v8/auth/register.ts
index 410c7f50..5c163890 100644
--- a/src/routes/api/v8/auth/register.ts
+++ b/src/routes/api/v8/auth/register.ts
@@ -2,22 +2,24 @@ import { NextFunction, Request, Response, Router } from "express";
 import Config from "../../../../util/Config";
 import db from "../../../../util/Database";
 import bcrypt from "bcrypt";
-import { check, Email, EMAIL_REGEX, FieldErrors } from "../../../../util/instanceOf";
+import { check, Email, EMAIL_REGEX, FieldErrors, Length } from "../../../../util/instanceOf";
 import { Snowflake } from "../../../../util/Snowflake";
 import "missing-native-js-functions";
 import { User } from "../../../../models/User";
 import { generateToken } from "./login";
-import { checkLength, trimSpecial } from "../../../../util/String";
+import { trimSpecial } from "../../../../util/String";
 
 const router: Router = Router();
 
 router.post(
 	"/",
 	check({
-		username: String,
-		password: String,
+		username: new Length(String, 2, 32),
+		// TODO: check min password length in config
+		// prevent Denial of Service with max length of 64 chars
+		password: new Length(String, 8, 64),
 		consent: Boolean,
-		$email: Email,
+		$email: new Length(Email, 5, 100),
 		$fingerprint: String,
 		$invite: String,
 		$date_of_birth: Date, // "2000-04-03"
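Review bot: The username bound `username: new Length(String, 2, 32)` is applied to the raw field, whereas the check it replaces (the removed `checkLength(adjusted_username, 2, 32, "username", req)` in the next hunk) ran on `adjusted_username`, the value produced by `trimSpecial` and later stored via `db.data.users({ discriminator, username: adjusted_username })`. Unless `check`/`Length` trims the same characters, a raw name of 2–32 characters made up mostly of trimmed characters passes validation and is stored shorter than two characters, possibly empty. Keep the schema bound as a cheap first filter, but re-check the trimmed value with the same 2–32 range where it is computed; the `checkLength` helper this commit stops importing would do. The `router.post(` handler continues outside the hunk.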
@@ -52,9 +54,6 @@ router.post(
 		// discriminator will be randomly generated
 		let discriminator = "";
 
-		checkLength(adjusted_username, 2, 32, "username", req);
-		checkLength(password, 8, 100, "password", req);
-
 		const { register } = Config.get();
 
 		// check if registration is allowed
@@ -146,7 +145,10 @@ router.post(
 		adjusted_password = await bcrypt.hash(password, 12);
 
 		let exists;
-		// TODO: is there any better way to generate a random discriminator only once, without checking if it already exists in the database?
+		// randomly generates a discriminator between 1 and 9999 and checks max five times if it already exists
+		// if it all five times already exists, abort with USERNAME_TOO_MANY_USERS error
+		// else just continue
+		// TODO: is there any better way to generate a random discriminator only once, without checking if it already exists in the mongodb database?
 		for (let tries = 0; tries < 5; tries++) {
 			discriminator = Math.randomIntBetween(1, 9999).toString().padStart(4, "0");
 			exists = await db.data.users({ discriminator, username: adjusted_username }).get({ id: true });
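Review bot: The rewritten comment above the discriminator loop is awkward (`if it all five times already exists`) and names an abort whose code is not in this hunk, so a reader cannot tell where USERNAME_TOO_MANY_USERS is raised. Suggest replacing the three lines with `// Pick a random 4-digit discriminator (0001-9999) and check it is free for this username; retry up to five times, then fail with USERNAME_TOO_MANY_USERS (handled after the loop, not shown here).` and keeping the TODO as is. The enclosing `router.post(` handler starts and ends outside the hunk.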
diff --git a/src/routes/api/v8/channel/#CHANNELID/followers.ts b/src/routes/api/v8/channels/#CHANNELID/followers.ts
index 9a4e81fa..9a4e81fa 100644
--- a/src/routes/api/v8/channel/#CHANNELID/followers.ts
+++ b/src/routes/api/v8/channels/#CHANNELID/followers.ts
diff --git a/src/routes/api/v8/channel/#CHANNELID/index.ts b/src/routes/api/v8/channels/#CHANNELID/index.ts
index 9a4e81fa..9a4e81fa 100644
--- a/src/routes/api/v8/channel/#CHANNELID/index.ts
+++ b/src/routes/api/v8/channels/#CHANNELID/index.ts
diff --git a/src/routes/api/v8/channel/#CHANNELID/invites.ts b/src/routes/api/v8/channels/#CHANNELID/invites.ts
index 9a4e81fa..9a4e81fa 100644
--- a/src/routes/api/v8/channel/#CHANNELID/invites.ts
+++ b/src/routes/api/v8/channels/#CHANNELID/invites.ts
diff --git a/src/routes/api/v8/channel/#CHANNELID/messages.ts b/src/routes/api/v8/channels/#CHANNELID/messages.ts
index 9a4e81fa..9a4e81fa 100644
--- a/src/routes/api/v8/channel/#CHANNELID/messages.ts
+++ b/src/routes/api/v8/channels/#CHANNELID/messages.ts
diff --git a/src/routes/api/v8/channel/#CHANNELID/permissions.ts b/src/routes/api/v8/channels/#CHANNELID/permissions.ts
index 9a4e81fa..9a4e81fa 100644
--- a/src/routes/api/v8/channel/#CHANNELID/permissions.ts
+++ b/src/routes/api/v8/channels/#CHANNELID/permissions.ts
diff --git a/src/routes/api/v8/channel/#CHANNELID/pins.ts b/src/routes/api/v8/channels/#CHANNELID/pins.ts
index 9a4e81fa..9a4e81fa 100644
--- a/src/routes/api/v8/channel/#CHANNELID/pins.ts
+++ b/src/routes/api/v8/channels/#CHANNELID/pins.ts
diff --git a/src/routes/api/v8/channel/#CHANNELID/recipients.ts b/src/routes/api/v8/channels/#CHANNELID/recipients.ts
index 9a4e81fa..9a4e81fa 100644
--- a/src/routes/api/v8/channel/#CHANNELID/recipients.ts
+++ b/src/routes/api/v8/channels/#CHANNELID/recipients.ts
diff --git a/src/routes/api/v8/channel/#CHANNELID/typing.ts b/src/routes/api/v8/channels/#CHANNELID/typing.ts
index 9a4e81fa..9a4e81fa 100644
--- a/src/routes/api/v8/channel/#CHANNELID/typing.ts
+++ b/src/routes/api/v8/channels/#CHANNELID/typing.ts
diff --git a/src/routes/api/v8/invite/index.ts b/src/routes/api/v8/invites/index.ts
index 9a4e81fa..9a4e81fa 100644
--- a/src/routes/api/v8/invite/index.ts
+++ b/src/routes/api/v8/invites/index.ts