author | Madeline <46743919+MaddyUnderStars@users.noreply.github.com> | 2022-12-19 22:19:35 +1100 |
---|---|---|
committer | Madeline <46743919+MaddyUnderStars@users.noreply.github.com> | 2022-12-19 22:23:31 +1100 |
commit | e6ae9d32e8379c9214b8711fa896fc0e5e32c902 (patch) | |
tree | 6537d4561c3bc8a88e4f8fe447ecefca24619bfa /src/api | |
parent | Message rate limiting (diff) | |
Reg tokens bypass other restrictions
Diffstat (limited to 'src/api')
-rw-r--r-- | src/api/routes/auth/register.ts | 43 |
1 files changed, 22 insertions, 21 deletions
diff --git a/src/api/routes/auth/register.ts b/src/api/routes/auth/register.ts
index 6ca23158..c8c515e7 100644
--- a/src/api/routes/auth/register.ts
+++ b/src/api/routes/auth/register.ts
@@ -30,11 +30,27 @@ router.post(
 const { register, security, limits } = Config.get();
 const ip = getIpAdress(req);
+ // Reg tokens
+ // They're a one time use token that bypasses registration limits ( rates, disabled reg, etc )
+ let regTokenUsed = false;
+ if (req.get("Referrer") && req.get("Referrer")?.includes("token=")) { // eg theyre on https://staging.fosscord.com/register?token=whatever
+ const token = req.get("Referrer")!.split("token=")[1].split("&")[0];
+ if (token) {
+ const regToken = await ValidRegistrationToken.findOne({ where: { token, expires_at: MoreThan(new Date()), } });
+ await ValidRegistrationToken.delete({ token });
+ regTokenUsed = true;
+ console.log(`[REGISTER] Registration token ${token} used for registration!`);
+ }
+ else {
+ console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
+ }
+ }
+
 // email will be slightly modified version of the user supplied email -> e.g. protection against GMail Trick
 let email = adjustEmail(body.email);
 // check if registration is allowed
- if (!register.allowNewRegistration) {
+ if (!regTokenUsed && !register.allowNewRegistration) {
 throw FieldErrors({
 email: {
 code: "REGISTRATION_DISABLED",
@@ -53,7 +69,7 @@ router.post(
 });
 }
- if (register.disabled) {
+ if (!regTokenUsed && register.disabled) {
 throw FieldErrors({
 email: {
 code: "DISABLED",
@@ -62,7 +78,7 @@ router.post(
 });
 }
- if (register.requireCaptcha && security.captcha.enabled) {
+ if (!regTokenUsed && register.requireCaptcha && security.captcha.enabled) {
 const { sitekey, service } = security.captcha;
 if (!body.captcha_key) {
 return res?.status(400).json({
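Review bot: In the first hunk the row returned by `ValidRegistrationToken.findOne(...)` is never examined: `regTokenUsed = true` is set whenever the Referrer header carries any non-empty `token=` value, so a client that sends `Referer: .../register?token=x` skips the disabled-registration, captcha, multi-account, proxy-block, invite and rate-limit checks this commit now gates on that flag. The Referer header is chosen by the client, so nothing upstream makes the value trustworthy; the flag must only be set when a matching unexpired row exists, and doing the expiry-filtered delete as one statement and checking its affected count also closes the window in which two concurrent requests both find the token before either deletes it (TypeORM's `delete()` accepts the same where operators as `findOne()` in the versions I know — confirm against the one in use). The present `else` branch only runs when `token` is the empty string, so its "Invalid registration token" log line never names a real token. The enclosing `router.post(` handler starts before this hunk and continues past it.

```typescript
const token = req.get("Referrer")!.split("token=")[1].split("&")[0];
if (token) {
	// One delete-and-count: an unknown or expired token matches no row, and two
	// concurrent requests cannot both redeem the same row.
	const redeemed = await ValidRegistrationToken.delete({ token, expires_at: MoreThan(new Date()) });
	if (redeemed.affected) {
		regTokenUsed = true;
		console.log(`[REGISTER] Registration token ${token} used for registration!`);
	} else {
		console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
	}
}
```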
@@ -82,7 +98,7 @@ router.post(
 }
 }
- if (!register.allowMultipleAccounts) {
+ if (!regTokenUsed && !register.allowMultipleAccounts) {
 // TODO: check if fingerprint was eligible generated
 const exists = await User.findOne({
 where: { fingerprints: body.fingerprint },
@@ -101,7 +117,7 @@ router.post(
 }
 }
- if (register.blockProxies) {
+ if (!regTokenUsed && register.blockProxies) {
 if (isProxy(await IPAnalysis(ip))) {
 console.log(`proxy ${ip} blocked from registration`);
 throw new HTTPError("Your IP is blocked from registration");
@@ -187,6 +203,7 @@ router.post(
 }
 if (
+ !regTokenUsed &&
 !body.invite &&
 (register.requireInvite ||
 (register.guestsRequireInvite && !register.email))
@@ -200,22 +217,6 @@ router.post(
 });
 }
- // Reg tokens
- // They're a one time use token that bypasses registration rate limiter
- let regTokenUsed = false;
- if (req.get("Referrer")?.includes("token=")) { // eg theyre on https://staging.fosscord.com/register?token=whatever
- const token = req.get("Referrer")!.split("token=")[1].split("&")[0];
- if (token) {
- const regToken = await ValidRegistrationToken.findOne({ where: { token, expires_at: MoreThan(new Date()), } });
- await ValidRegistrationToken.delete({ token });
- regTokenUsed = true;
- console.log(`[REGISTER] Registration token ${token} used for registration!`);
- }
- else {
- console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
- }
- }
-
 if (
-
 !regTokenUsed &&
 limits.absoluteRate.register.enabled && |