From 22952ef928808d4112e0bd3c2a5b867d3e4c4b1a Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Fri, 8 Apr 2022 11:02:11 +0300 Subject: enforce the rights --- api/src/util/handlers/Message.ts | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'api/src/util') diff --git a/api/src/util/handlers/Message.ts b/api/src/util/handlers/Message.ts index 2d9f7032..f0ecf416 100644 --- a/api/src/util/handlers/Message.ts +++ b/api/src/util/handlers/Message.ts @@ -7,6 +7,7 @@ import { MessageCreateEvent, MessageUpdateEvent, getPermission, + getRights, CHANNEL_MENTION, Snowflake, USER_MENTION, @@ -61,17 +62,18 @@ export async function handleMessage(opts: MessageOptions): Promise { throw new HTTPError("Content length over max character limit") } - // TODO: are tts messages allowed in dm channels? should permission be checked? if (opts.author_id) { message.author = await User.getPublicUser(opts.author_id); - } + const rights = await getRights(opts.author_id); + rights.hasThrow("SEND_MESSAGES"); + } if (opts.application_id) { message.application = await Application.findOneOrFail({ id: opts.application_id }); } if (opts.webhook_id) { message.webhook = await Webhook.findOneOrFail({ id: opts.webhook_id }); } - + const permission = await getPermission(opts.author_id, channel.guild_id, opts.channel_id); permission.hasThrow("SEND_MESSAGES"); // TODO: add the rights check if (permission.cache.member) { -- cgit 1.5.1 From be3f796f3462ce925c445d710e848425ac1f9d94 Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Fri, 8 Apr 2022 11:05:19 +0300 Subject: remove todos that are implemented --- api/src/util/handlers/Message.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'api/src/util') diff --git a/api/src/util/handlers/Message.ts b/api/src/util/handlers/Message.ts index f0ecf416..5a5ac666 100644 --- a/api/src/util/handlers/Message.ts +++ b/api/src/util/handlers/Message.ts @@ -75,7 +75,7 @@ export async function handleMessage(opts: MessageOptions): Promise { } const permission = await getPermission(opts.author_id, channel.guild_id, opts.channel_id); - permission.hasThrow("SEND_MESSAGES"); // TODO: add the rights check + permission.hasThrow("SEND_MESSAGES"); if (permission.cache.member) { message.member = permission.cache.member; } @@ -83,7 +83,7 @@ export async function handleMessage(opts: MessageOptions): Promise { if (opts.tts) permission.hasThrow("SEND_TTS_MESSAGES"); if (opts.message_reference) { permission.hasThrow("READ_MESSAGE_HISTORY"); - // code below has to be redone when we add custom message routing and cross-channel replies + // code below has to be redone when we add custom message routing if (message.guild_id !== null) { const guild = await Guild.findOneOrFail({ id: channel.guild_id }); if (!guild.features.includes("CROSS_CHANNEL_REPLIES")) { @@ -91,7 +91,7 @@ export async function handleMessage(opts: MessageOptions): Promise { if (opts.message_reference.channel_id !== opts.channel_id) throw new HTTPError("You can only reference messages from this channel"); } } - // TODO: should be checked if the referenced message exists? + // Q: should be checked if the referenced message exists? ANSWER: NO // @ts-ignore message.type = MessageType.REPLY; } -- cgit 1.5.1 From 2e6599654046291832b7138e452777e75d45f4b3 Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Sat, 9 Apr 2022 21:45:45 +0300 Subject: add an elegant entropy check --- api/src/util/utility/passwordStrength.ts | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) (limited to 'api/src/util') diff --git a/api/src/util/utility/passwordStrength.ts b/api/src/util/utility/passwordStrength.ts index 047df008..81ac2559 100644 --- a/api/src/util/utility/passwordStrength.ts +++ b/api/src/util/utility/passwordStrength.ts @@ -13,6 +13,7 @@ const blocklist: string[] = []; // TODO: update ones passwordblocklist is stored * - min numbers * - min symbols * - min uppercase chars + * - shannon entropy divided by password entropy * * Returns: 0 > pw > 1 */ @@ -22,28 +23,38 @@ export function checkPassword(password: string): number { // checks for total password len if (password.length >= minLength - 1) { - strength += 0.25; + strength += 0.05; } // checks for amount of Numbers if (password.count(reNUMBER) >= minNumbers - 1) { - strength += 0.25; + strength += 0.05; } // checks for amount of Uppercase Letters if (password.count(reUPPERCASELETTER) >= minUpperCase - 1) { - strength += 0.25; + strength += 0.05; } // checks for amount of symbols if (password.replace(reSYMBOLS, "").length >= minSymbols - 1) { - strength += 0.25; + strength += 0.05; } // checks if password only consists of numbers or only consists of chars if (password.length == password.count(reNUMBER) || password.length === password.count(reUPPERCASELETTER)) { strength = 0; } - + + var entropyMap; + for (let i = 0; i < password.length; i++) { + if (entropyMap[password[i]]) entropyMap[password[i]]++; + else entropyMap[password[i]] = 1; + } + + let entropies = Array(entropyMap); + + entropies.map(x => (x / entropyMap.length)); + strength += entropies.reduceRight((a, x), a - (x * Math.log2(x))) / Math.log2(password.length); return strength; } -- cgit 1.5.1 From fd702100ea5a9a88131b387f8ea573a601a1b3ec Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Sat, 9 Apr 2022 21:48:25 +0300 Subject: Update passwordStrength.ts --- api/src/util/utility/passwordStrength.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'api/src/util') diff --git a/api/src/util/utility/passwordStrength.ts b/api/src/util/utility/passwordStrength.ts index 81ac2559..e75e48f6 100644 --- a/api/src/util/utility/passwordStrength.ts +++ b/api/src/util/utility/passwordStrength.ts @@ -46,7 +46,7 @@ export function checkPassword(password: string): number { strength = 0; } - var entropyMap; + let entropyMap; for (let i = 0; i < password.length; i++) { if (entropyMap[password[i]]) entropyMap[password[i]]++; else entropyMap[password[i]] = 1; -- cgit 1.5.1 From 977861ad4e6eff025f0c0a1b4731f0efd283886d Mon Sep 17 00:00:00 2001 From: Madeline <46743919+MaddyUnderStars@users.noreply.github.com> Date: Mon, 11 Apr 2022 00:36:12 +1000 Subject: Fix compile errors in checkPassword's entropy check --- api/src/util/utility/passwordStrength.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'api/src/util') diff --git a/api/src/util/utility/passwordStrength.ts b/api/src/util/utility/passwordStrength.ts index e75e48f6..f3960e48 100644 --- a/api/src/util/utility/passwordStrength.ts +++ b/api/src/util/utility/passwordStrength.ts @@ -46,15 +46,15 @@ export function checkPassword(password: string): number { strength = 0; } - let entropyMap; + let entropyMap: { [key: string]: number } = {}; for (let i = 0; i < password.length; i++) { if (entropyMap[password[i]]) entropyMap[password[i]]++; else entropyMap[password[i]] = 1; } - let entropies = Array(entropyMap); - + let entropies = Object.values(entropyMap); + entropies.map(x => (x / entropyMap.length)); - strength += entropies.reduceRight((a, x), a - (x * Math.log2(x))) / Math.log2(password.length); + strength += entropies.reduceRight((a: number, x: number) => a - (x * Math.log2(x))) / Math.log2(password.length); return strength; } -- cgit 1.5.1 From 0aa100c8e079c60dfee2524ba70775ef276d930f Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Tue, 12 Apr 2022 20:10:30 +0300 Subject: Update passwordStrength.ts --- api/src/util/utility/passwordStrength.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'api/src/util') diff --git a/api/src/util/utility/passwordStrength.ts b/api/src/util/utility/passwordStrength.ts index f3960e48..439700d0 100644 --- a/api/src/util/utility/passwordStrength.ts +++ b/api/src/util/utility/passwordStrength.ts @@ -13,7 +13,7 @@ const blocklist: string[] = []; // TODO: update ones passwordblocklist is stored * - min numbers * - min symbols * - min uppercase chars - * - shannon entropy divided by password entropy + * - shannon entropy folded into [0, 1) interval * * Returns: 0 > pw > 1 */ -- cgit 1.5.1 From 3061c24780a2dcf46dc4960d50c3636cab6b918f Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Mon, 18 Apr 2022 22:02:32 +0300 Subject: general rights enforcement stuff --- api/src/util/handlers/route.ts | 3 +++ 1 file changed, 3 insertions(+) (limited to 'api/src/util') diff --git a/api/src/util/handlers/route.ts b/api/src/util/handlers/route.ts index 0048c4dd..3d3bbc37 100644 --- a/api/src/util/handlers/route.ts +++ b/api/src/util/handlers/route.ts @@ -6,6 +6,7 @@ import { FieldErrors, FosscordApiErrors, getPermission, + getRights, PermissionResolvable, Permissions, RightResolvable, @@ -105,6 +106,8 @@ export function route(opts: RouteOptions) { if (opts.right) { const required = new Rights(opts.right); + req.rights = await getRights(req.user_id); + if (!req.rights || !req.rights.has(required)) { throw FosscordApiErrors.MISSING_RIGHTS.withParams(opts.right as string); } -- cgit 1.5.1