diff --git a/src/api/routes/auth/generate-registration-tokens.ts b/src/api/routes/auth/generate-registration-tokens.ts
new file mode 100644
index 00000000..e328fe5e
--- /dev/null
+++ b/src/api/routes/auth/generate-registration-tokens.ts
@@ -0,0 +1,28 @@
+import { route, random } from "@fosscord/api";
+import { Config, ValidRegistrationToken } from "@fosscord/util";
+import { Request, Response, Router } from "express";
+
+const router: Router = Router();
+export default router;
+
+router.get("/", route({ right: "OPERATOR" }), async (req: Request, res: Response) => {
+ const count = req.query.count ? parseInt(req.query.count as string) : 1;
+ const length = req.query.length ? parseInt(req.query.length as string) : 255;
+
+ let tokens: ValidRegistrationToken[] = [];
+
+ for (let i = 0; i < count; i++) {
+ const token = ValidRegistrationToken.create({
+ token: random(length),
+ expires_at: Date.now() + Config.get().security.defaultRegistrationTokenExpiration
+ });
+ tokens.push(token);
+ }
+
+ // Why are these options used, exactly?
+ await ValidRegistrationToken.save(tokens, { chunk: 1000, reload: false, transaction: false });
+
+ if (req.query.plain) return res.send(tokens.map(x => x.token).join("\n"));
+
+ return res.json({ tokens: tokens.map(x => x.token) });
+});
\ No newline at end of file
diff --git a/src/api/routes/auth/register.ts b/src/api/routes/auth/register.ts
index eba86f77..6ca23158 100644
--- a/src/api/routes/auth/register.ts
+++ b/src/api/routes/auth/register.ts
@@ -7,6 +7,7 @@ import {
User,
adjustEmail,
RegisterSchema,
+ ValidRegistrationToken,
} from "@fosscord/util";
import {
route,
@@ -17,7 +18,7 @@ import {
} from "@fosscord/api";
import bcrypt from "bcrypt";
import { HTTPError } from "lambert-server";
-import { MoreThan } from "typeorm";
+import { LessThan, MoreThan } from "typeorm";
const router: Router = Router();
@@ -199,7 +200,24 @@ router.post(
});
}
+ // Reg tokens
+ // They're a one time use token that bypasses registration rate limiter
+ let regTokenUsed = false;
+ if (req.get("Referrer")?.includes("token=")) { // eg theyre on https://staging.fosscord.com/register?token=whatever
+ const token = req.get("Referrer")!.split("token=")[1].split("&")[0];
+ if (token) {
+ const regToken = await ValidRegistrationToken.findOne({ where: { token, expires_at: MoreThan(new Date()), } });
+ await ValidRegistrationToken.delete({ token });
+ regTokenUsed = true;
+ console.log(`[REGISTER] Registration token ${token} used for registration!`);
+ }
+ else {
+ console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
+ }
+ }
+
if (
+ !regTokenUsed &&
limits.absoluteRate.register.enabled &&
(await User.count({ where: { created_at: MoreThan(new Date(Date.now() - limits.absoluteRate.register.window)) } }))
>= limits.absoluteRate.register.limit
diff --git a/src/api/util/utility/RandomInviteID.ts b/src/api/util/utility/RandomInviteID.ts
index bfed65bb..fa484bd5 100644
--- a/src/api/util/utility/RandomInviteID.ts
+++ b/src/api/util/utility/RandomInviteID.ts
@@ -1,4 +1,8 @@
import { Snowflake } from "@fosscord/util";
+import crypto from "crypto";
+
+// TODO: 'random'? seriously? who named this?
+// And why is this even here? Just use cryto.randomBytes?
export function random(length = 6) {
// Declare all characters
@@ -8,7 +12,7 @@ export function random(length = 6) {
// Pick characers randomly
let str = "";
for (let i = 0; i < length; i++) {
- str += chars.charAt(Math.floor(Math.random() * chars.length));
+ str += chars.charAt(Math.floor(crypto.randomInt(chars.length)));
}
return str;
|
