authorMadeline <46743919+MaddyUnderStars@users.noreply.github.com>2022-12-19 22:19:35 +1100
committerMadeline <46743919+MaddyUnderStars@users.noreply.github.com>2022-12-19 22:23:31 +1100
commite6ae9d32e8379c9214b8711fa896fc0e5e32c902 (patch)
tree6537d4561c3bc8a88e4f8fe447ecefca24619bfa /src/api
parentMessage rate limiting (diff)
Reg tokens bypass other restrictions
Diffstat (limited to 'src/api')
-rw-r--r--src/api/routes/auth/register.ts43
1 files changed, 22 insertions, 21 deletions
diff --git a/src/api/routes/auth/register.ts b/src/api/routes/auth/register.ts
index 6ca23158..c8c515e7 100644
--- a/src/api/routes/auth/register.ts
+++ b/src/api/routes/auth/register.ts
@@ -30,11 +30,27 @@ router.post(
 		const { register, security, limits } = Config.get();
 		const ip = getIpAdress(req);
 
+		// Reg tokens
+		// They're a one time use token that bypasses registration limits ( rates, disabled reg, etc )
+		let regTokenUsed = false;
+		if (req.get("Referrer") && req.get("Referrer")?.includes("token=")) {	// eg theyre on https://staging.fosscord.com/register?token=whatever
+			const token = req.get("Referrer")!.split("token=")[1].split("&")[0];
+			if (token) {
+				const regToken = await ValidRegistrationToken.findOne({ where: { token, expires_at: MoreThan(new Date()), } });
+				await ValidRegistrationToken.delete({ token });
+				regTokenUsed = true;
+				console.log(`[REGISTER] Registration token ${token} used for registration!`);
+			}
+			else {
+				console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
+			}
+		}
+
 		// email will be slightly modified version of the user supplied email -> e.g. protection against GMail Trick
 		let email = adjustEmail(body.email);
 
 		// check if registration is allowed
-		if (!register.allowNewRegistration) {
+		if (!regTokenUsed && !register.allowNewRegistration) {
 			throw FieldErrors({
 				email: {
 					code: "REGISTRATION_DISABLED",
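Review bot: The `regToken` returned by `ValidRegistrationToken.findOne` on the seventh added line of this hunk is never inspected, so `regTokenUsed` becomes true and the row is deleted for any non-empty `token=` value in the client-controlled Referrer header, whether or not a matching unexpired token exists. The removed block had the same gap, but it only skipped the rate limiter; after this commit `regTokenUsed` also skips allowNewRegistration, disabled, captcha, allowMultipleAccounts, blockProxies and the invite requirement, so a fabricated Referrer disables every registration control at once. The lookup result should gate both the delete and the flag, with the invalid-token log becoming the else branch, as in the rewrite below. A find-then-delete pair is also not atomic, so two concurrent requests with the same token could both pass; if the project's ORM version supports it, a single conditional delete whose affected-row count drives `regTokenUsed` would make the one-time use guarantee hold. The enclosing `router.post` handler starts and ends outside the hunk.
```typescript
		if (req.get("Referrer") && req.get("Referrer")?.includes("token=")) {	// eg theyre on https://staging.fosscord.com/register?token=whatever
			const token = req.get("Referrer")!.split("token=")[1].split("&")[0];
			// Only an existing, unexpired row may grant the bypass; an unknown
			// token must not flip regTokenUsed or trigger the delete.
			const regToken = token
				? await ValidRegistrationToken.findOne({ where: { token, expires_at: MoreThan(new Date()) } })
				: null;
			if (regToken) {
				await ValidRegistrationToken.delete({ token });
				regTokenUsed = true;
				console.log(`[REGISTER] Registration token ${token} used for registration!`);
			}
			else {
				console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
			}
		}
```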
@@ -53,7 +69,7 @@ router.post(
 			});
 		}
 
-		if (register.disabled) {
+		if (!regTokenUsed && register.disabled) {
 			throw FieldErrors({
 				email: {
 					code: "DISABLED",
@@ -62,7 +78,7 @@ router.post(
 			});
 		}
 
-		if (register.requireCaptcha && security.captcha.enabled) {
+		if (!regTokenUsed && register.requireCaptcha && security.captcha.enabled) {
 			const { sitekey, service } = security.captcha;
 			if (!body.captcha_key) {
 				return res?.status(400).json({
@@ -82,7 +98,7 @@ router.post(
 			}
 		}
 
-		if (!register.allowMultipleAccounts) {
+		if (!regTokenUsed && !register.allowMultipleAccounts) {
 			// TODO: check if fingerprint was eligible generated
 			const exists = await User.findOne({
 				where: { fingerprints: body.fingerprint },
@@ -101,7 +117,7 @@ router.post(
 			}
 		}
 
-		if (register.blockProxies) {
+		if (!regTokenUsed && register.blockProxies) {
 			if (isProxy(await IPAnalysis(ip))) {
 				console.log(`proxy ${ip} blocked from registration`);
 				throw new HTTPError("Your IP is blocked from registration");
@@ -187,6 +203,7 @@ router.post(
 		}
 
 		if (
+			!regTokenUsed &&
 			!body.invite &&
 			(register.requireInvite ||
 				(register.guestsRequireInvite && !register.email))
@@ -200,22 +217,6 @@ router.post(
 			});
 		}
 
-		// Reg tokens
-		// They're a one time use token that bypasses registration rate limiter
-		let regTokenUsed = false;
-		if (req.get("Referrer")?.includes("token=")) {	// eg theyre on https://staging.fosscord.com/register?token=whatever
-			const token = req.get("Referrer")!.split("token=")[1].split("&")[0];
-			if (token) {
-				const regToken = await ValidRegistrationToken.findOne({ where: { token, expires_at: MoreThan(new Date()), } });
-				await ValidRegistrationToken.delete({ token });
-				regTokenUsed = true;
-				console.log(`[REGISTER] Registration token ${token} used for registration!`);
-			}
-			else {
-				console.log(`[REGISTER] Invalid registration token ${token} used for registration by ${ip}!`);
-			}
-		}
-
 		if (
 			!regTokenUsed &&
 			limits.absoluteRate.register.enabled &&