10 files changed, 99 insertions, 50 deletions

diff --git a/src/api/util/entities/AssetCacheItem.ts b/src/api/util/entities/AssetCacheItem.ts
index 160dece6..958d5a61 100644
--- a/src/api/util/entities/AssetCacheItem.ts
+++ b/src/api/util/entities/AssetCacheItem.ts
@@ -1,3 +1,3 @@
 export class AssetCacheItem {
 	constructor(public Key: string, public FilePath: string = "", public Headers: any = null as any) {}
-}
\ No newline at end of file
+}
diff --git a/src/api/util/handlers/Instance.ts b/src/api/util/handlers/Instance.ts
index 7c337270..e03c9488 100644
--- a/src/api/util/handlers/Instance.ts
+++ b/src/api/util/handlers/Instance.ts
@@ -1,5 +1,4 @@
 import { Config, Guild, Session } from "@fosscord/util";
-import { createQueryBuilder } from "typeorm";
 
 export async function initInstance() {
 	// TODO: clean up database and delete tombstone data
@@ -10,7 +9,7 @@ export async function initInstance() {
 	const { autoJoin } = Config.get().guild;
 
 	if (autoJoin.enabled && !autoJoin.guilds?.length) {
-		let guild = await Guild.findOne({where: {}, order: {id: "ASC"}});
+		let guild = await Guild.findOne({ where: {}, order: { id: "ASC" } });
 		if (guild) {
 			// @ts-ignore
 			await Config.set({ guild: { autoJoin: { guilds: [guild.id] } } });
diff --git a/src/api/util/handlers/Message.ts b/src/api/util/handlers/Message.ts
index ff5ece75..d760d27c 100644
--- a/src/api/util/handlers/Message.ts
+++ b/src/api/util/handlers/Message.ts
@@ -1,32 +1,31 @@
 import {
+	Application,
+	Attachment,
 	Channel,
+	CHANNEL_MENTION,
+	Config,
 	Embed,
 	emitEvent,
+	EVERYONE_MENTION,
+	getPermission,
+	getRights,
 	Guild,
+	HERE_MENTION,
+	HTTPError,
 	Message,
 	MessageCreateEvent,
+	MessageCreateSchema,
+	MessageType,
 	MessageUpdateEvent,
-	getPermission,
-	getRights,
-	CHANNEL_MENTION,
-	Snowflake,
-	USER_MENTION,
-	ROLE_MENTION,
+	OrmUtils,
 	Role,
-	EVERYONE_MENTION,
-	HERE_MENTION,
-	MessageType,
+	ROLE_MENTION,
 	User,
-	Application,
-	Webhook,
-	Attachment,
-	Config,
-	MessageCreateSchema,
+	USER_MENTION,
+	Webhook
 } from "@fosscord/util";
-import { HTTPError } from "@fosscord/util";
-import fetch from "node-fetch";
 import cheerio from "cheerio";
-import { OrmUtils } from "@fosscord/util";
+import fetch from "node-fetch";
 
 const allow_empty = false;
 // TODO: check webhook, application, system author, stickers
@@ -61,21 +60,21 @@ export async function handleMessage(opts: MessageOptions): Promise<Message> {
 	});
 
 	if (message.content && message.content.length > Config.get().limits.message.maxCharacters) {
-		throw new HTTPError("Content length over max character limit")
+		throw new HTTPError("Content length over max character limit");
 	}
 
 	if (opts.author_id) {
 		message.author = await User.getPublicUser(opts.author_id);
 		const rights = await getRights(opts.author_id);
 		rights.hasThrow("SEND_MESSAGES");
-	}	
+	}
 	if (opts.application_id) {
 		message.application = await Application.findOneOrFail({ where: { id: opts.application_id } });
 	}
 	if (opts.webhook_id) {
 		message.webhook = await Webhook.findOneOrFail({ where: { id: opts.webhook_id } });
 	}
-	
+
 	const permission = await getPermission(opts.author_id, channel.guild_id, opts.channel_id);
 	permission.hasThrow("SEND_MESSAGES");
 	if (permission.cache.member) {
@@ -89,8 +88,10 @@ export async function handleMessage(opts: MessageOptions): Promise<Message> {
 		if (message.guild_id !== null) {
 			const guild = await Guild.findOneOrFail({ where: { id: channel.guild_id } });
 			if (!guild.features.includes("CROSS_CHANNEL_REPLIES")) {
-				if (opts.message_reference.guild_id !== channel.guild_id) throw new HTTPError("You can only reference messages from this guild");
-				if (opts.message_reference.channel_id !== opts.channel_id) throw new HTTPError("You can only reference messages from this channel");
+				if (opts.message_reference.guild_id !== channel.guild_id)
+					throw new HTTPError("You can only reference messages from this guild");
+				if (opts.message_reference.channel_id !== opts.channel_id)
+					throw new HTTPError("You can only reference messages from this channel");
 			}
 		}
 		/** Q: should be checked if the referenced message exists? ANSWER: NO
@@ -100,7 +101,7 @@ export async function handleMessage(opts: MessageOptions): Promise<Message> {
 	}
 
 	// TODO: stickers/activity
-	if (!allow_empty && (!opts.content && !opts.embeds?.length && !opts.attachments?.length && !opts.sticker_ids?.length)) {
+	if (!allow_empty && !opts.content && !opts.embeds?.length && !opts.attachments?.length && !opts.sticker_ids?.length) {
 		throw new HTTPError("Empty messages are not allowed", 50006);
 	}
 
@@ -110,7 +111,8 @@ export async function handleMessage(opts: MessageOptions): Promise<Message> {
 	let mention_user_ids = [] as string[];
 	let mention_everyone = false;
 
-	if (content) { // TODO: explicit-only mentions
+	if (content) {
+		// TODO: explicit-only mentions
 		message.content = content.trim();
 		for (const [_, mention] of content.matchAll(CHANNEL_MENTION)) {
 			if (!mention_channel_ids.includes(mention)) mention_channel_ids.push(mention);
@@ -158,7 +160,7 @@ export async function postHandleMessage(message: Message) {
 		try {
 			const request = await fetch(link, {
 				...DEFAULT_FETCH_OPTIONS,
-				size: Config.get().limits.message.maxEmbedDownloadSize,
+				size: Config.get().limits.message.maxEmbedDownloadSize
 			});
 
 			const text = await request.text();
diff --git a/src/api/util/handlers/route.ts b/src/api/util/handlers/route.ts
index 71e14955..d43ae103 100644
--- a/src/api/util/handlers/route.ts
+++ b/src/api/util/handlers/route.ts
@@ -1,8 +1,6 @@
 import {
 	DiscordApiErrors,
 	EVENT,
-	Event,
-	EventData,
 	FieldErrors,
 	FosscordApiErrors,
 	getPermission,
@@ -12,14 +10,14 @@ import {
 	RightResolvable,
 	Rights
 } from "@fosscord/util";
+import Ajv from "ajv";
+import addFormats from "ajv-formats";
+import { AnyValidateFunction } from "ajv/dist/core";
 import { NextFunction, Request, Response } from "express";
 import fs from "fs";
 import path from "path";
-import Ajv from "ajv";
-import { AnyValidateFunction } from "ajv/dist/core";
-import addFormats from "ajv-formats";
 
-const SchemaPath = path.join(__dirname, "..", "..", "..","..", "assets", "schemas.json");
+const SchemaPath = path.join(__dirname, "..", "..", "..", "..", "assets", "schemas.json");
 const schemas = JSON.parse(fs.readFileSync(SchemaPath, { encoding: "utf8" }));
 
 export const ajv = new Ajv({
@@ -117,10 +115,10 @@ export function route(opts: RouteOptions) {
 			const valid = validate(normalizeBody(req.body));
 			if (!valid) {
 				const fields: Record<string, { code?: string; message: string }> = {};
-				if(process.env.LOG_INVALID_BODY) {
-					console.log(`Got invalid request: ${req.method} ${req.originalUrl}`)
-					console.log(req.body)
-					validate.errors?.forEach(x => console.log(x.params))
+				if (process.env.LOG_INVALID_BODY) {
+					console.log(`Got invalid request: ${req.method} ${req.originalUrl}`);
+					console.log(req.body);
+					validate.errors?.forEach((x) => console.log(x.params));
 				}
 				validate.errors?.forEach((x) => (fields[x.instancePath.slice(1)] = { code: x.keyword, message: x.message || "" }));
 				throw FieldErrors(fields);
diff --git a/src/api/util/index.ts b/src/api/util/index.ts
index b3c7559f..31e75325 100644
--- a/src/api/util/index.ts
+++ b/src/api/util/index.ts
@@ -6,4 +6,5 @@ export * from "./utility/Base64";
 export * from "./utility/ipAddress";
 export * from "./utility/passwordStrength";
 export * from "./utility/RandomInviteID";
-export * from "./utility/String";
\ No newline at end of file
+export * from "./utility/String";
+export * from "./utility/captcha";
\ No newline at end of file
diff --git a/src/api/util/utility/RandomInviteID.ts b/src/api/util/utility/RandomInviteID.ts
index 7ea344e0..feebfd3d 100644
--- a/src/api/util/utility/RandomInviteID.ts
+++ b/src/api/util/utility/RandomInviteID.ts
@@ -22,11 +22,10 @@ export function snowflakeBasedInvite() {
 	// snowflakes hold ~10.75 characters worth of entropy;
 	// safe to generate a 8-char invite out of them
 	let str = "";
-	for (let i=0; i < 10; i++) {
-		
+	for (let i = 0; i < 10; i++) {
 		str.concat(chars.charAt(Number(snowflake % base)));
 		snowflake = snowflake / base;
 	}
-	
-	return str.substr(3,8).split("").reverse().join("");
+
+	return str.substr(3, 8).split("").reverse().join("");
 }
diff --git a/src/api/util/utility/String.ts b/src/api/util/utility/String.ts
index 982b7e11..a2e491e4 100644
--- a/src/api/util/utility/String.ts
+++ b/src/api/util/utility/String.ts
@@ -1,6 +1,6 @@
+import { FieldErrors } from "@fosscord/util";
 import { Request } from "express";
 import { ntob } from "./Base64";
-import { FieldErrors } from "@fosscord/util";
 
 export function checkLength(str: string, min: number, max: number, key: string, req: Request) {
 	if (str.length < min || str.length > max) {
diff --git a/src/api/util/utility/captcha.ts b/src/api/util/utility/captcha.ts
new file mode 100644
index 00000000..739647d2
--- /dev/null
+++ b/src/api/util/utility/captcha.ts
@@ -0,0 +1,46 @@
+import { Config } from "@fosscord/util";
+import fetch from "node-fetch";
+
+export interface hcaptchaResponse {
+	success: boolean;
+	challenge_ts: string;
+	hostname: string;
+	credit: boolean;
+	"error-codes": string[];
+	score: number;	// enterprise only
+	score_reason: string[];	// enterprise only
+}
+
+export interface recaptchaResponse {
+	success: boolean;
+	score: number; // between 0 - 1
+	action: string;
+	challenge_ts: string;
+	hostname: string;
+	"error-codes"?: string[];
+}
+
+const verifyEndpoints = {
+	hcaptcha: "https://hcaptcha.com/siteverify",
+	recaptcha: "https://www.google.com/recaptcha/api/siteverify",
+}
+
+export async function verifyCaptcha(response: string, ip?: string) {
+	const { security } = Config.get();
+	const { service, secret, sitekey } = security.captcha;
+
+	if (!service) throw new Error("Cannot verify captcha without service");
+
+	const res = await fetch(verifyEndpoints[service], {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/x-www-form-urlencoded",
+		},
+		body: `response=${encodeURIComponent(response)}`
+			+ `&secret=${encodeURIComponent(secret!)}`
+			+ `&sitekey=${encodeURIComponent(sitekey!)}`
+			+ (ip ? `&remoteip=${encodeURIComponent(ip!)}` : ""),
+	});
+
+	return await res.json() as hcaptchaResponse | recaptchaResponse;
+}
\ No newline at end of file
diff --git a/src/api/util/utility/ipAddress.ts b/src/api/util/utility/ipAddress.ts
index 8d986b26..c96feb9e 100644
--- a/src/api/util/utility/ipAddress.ts
+++ b/src/api/util/utility/ipAddress.ts
@@ -78,7 +78,11 @@ export function isProxy(data: typeof exampleData) {
 
 export function getIpAdress(req: Request): string {
 	// @ts-ignore
-	return req.headers[Config.get().security.forwadedFor] || req.socket.remoteAddress;
+	return (
+		req.headers[Config.get().security.forwadedFor as string] ||
+		req.headers[Config.get().security.forwadedFor?.toLowerCase() as string] ||
+		req.socket.remoteAddress
+	);
 }
 
 export function distanceBetweenLocations(loc1: any, loc2: any): number {
diff --git a/src/api/util/utility/passwordStrength.ts b/src/api/util/utility/passwordStrength.ts
index 8eca63b8..ff83d3df 100644
--- a/src/api/util/utility/passwordStrength.ts
+++ b/src/api/util/utility/passwordStrength.ts
@@ -44,16 +44,16 @@ export function checkPassword(password: string): number {
 	if (password.length == password.count(reNUMBER) || password.length === password.count(reUPPERCASELETTER)) {
 		strength = 0;
 	}
-	
+
 	let entropyMap: { [key: string]: number } = {};
 	for (let i = 0; i < password.length; i++) {
 		if (entropyMap[password[i]]) entropyMap[password[i]]++;
 		else entropyMap[password[i]] = 1;
 	}
-	
+
 	let entropies = Object.values(entropyMap);
-	
-	entropies.map(x => (x / entropyMap.length));
-	strength += entropies.reduceRight((a: number, x: number) => a - (x * Math.log2(x))) / Math.log2(password.length);	
+
+	entropies.map((x) => x / entropyMap.length);
+	strength += entropies.reduceRight((a: number, x: number) => a - x * Math.log2(x)) / Math.log2(password.length);
 	return strength;
 }