npm - lobstakit-cloud - Versions diffs - 1.0.3 → 1.0.5 - Mend

lobstakit-cloud 1.0.3 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "lobstakit-cloud",
-  "version": "1.0.3",
+  "version": "1.0.5",
   "description": "LobstaKit Cloud — Setup wizard and management for LobstaCloud gateways",
   "main": "server.js",
   "bin": {

package/public/js/setup.js CHANGED Viewed

@@ -600,9 +600,9 @@ async function launchBot() {
             return;
         }
-        if (!password || password.length < 6) {
+        if (!password || password.length < 8) {
             if (passwordErrorEl) {
-                passwordErrorEl.textContent = 'Password must be at least 6 characters';
+                passwordErrorEl.textContent = 'Password must be at least 8 characters';
                 passwordErrorEl.classList.remove('hidden');
             }
             return;
@@ -645,10 +645,14 @@ async function launchBot() {
     if (passwordEl && passwordEl.value) {
         try {
             const email = emailEl ? emailEl.value.trim() : '';
+            const setupPayload = { email, password: passwordEl.value };
+            if (provisionData && provisionData.setupToken) {
+                setupPayload.setupToken = provisionData.setupToken;
+            }
             const authRes = await fetch('/api/auth/setup', {
                 method: 'POST',
                 headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ email, password: passwordEl.value })
+                body: JSON.stringify(setupPayload)
             });
             const authData = await authRes.json();
             if (authData.status === 'ok') {

package/server.js CHANGED Viewed

@@ -50,6 +50,44 @@ function saveLobstaKitConfig(cfg) {
 // Active sessions (in-memory, cleared on restart)
 const activeSessions = new Map();
+// ─── Email Masking ───────────────────────────────────────────────────────────
+function maskEmail(email) {
+  if (!email || !email.includes('@')) return email;
+  const [local, domain] = email.split('@');
+  const maskedLocal = local[0] + '***';
+  const domainParts = domain.split('.');
+  const maskedDomain = domainParts[0][0] + '***.' + domainParts.slice(1).join('.');
+  return maskedLocal + '@' + maskedDomain;
+}
+// ─── Rate Limiting (Login Brute Force Protection) ────────────────────────────
+const loginAttempts = new Map(); // ip -> { count, firstAttempt }
+const RATE_LIMIT_MAX = 5;
+const RATE_LIMIT_WINDOW_MS = 15 * 60 * 1000; // 15 minutes
+// Clean up stale rate limit entries every 5 minutes
+setInterval(() => {
+  const now = Date.now();
+  for (const [ip, data] of loginAttempts.entries()) {
+    if (now - data.firstAttempt > RATE_LIMIT_WINDOW_MS) {
+      loginAttempts.delete(ip);
+    }
+  }
+}, 5 * 60 * 1000);
+// ─── Session Expiration ──────────────────────────────────────────────────────
+const SESSION_MAX_LIFETIME_MS = 24 * 60 * 60 * 1000; // 24 hours
+// Clean up expired sessions every 30 minutes
+setInterval(() => {
+  const now = Date.now();
+  for (const [token, session] of activeSessions.entries()) {
+    if (now - session.created > SESSION_MAX_LIFETIME_MS) {
+      activeSessions.delete(token);
+    }
+  }
+}, 30 * 60 * 1000);
 // Auth middleware — protect API routes (except auth endpoints, health, and static files)
 function requireAuth(req, res, next) {
   const publicPaths = ['/api/auth/login', '/api/auth/setup', '/api/auth/status', '/api/health', '/api/provision'];
@@ -66,6 +104,12 @@ function requireAuth(req, res, next) {
   if (!token || !activeSessions.has(token)) {
     return res.status(401).json({ error: 'Authentication required' });
   }
+  // Check session expiration (24h max lifetime)
+  const session = activeSessions.get(token);
+  if (Date.now() - session.created > SESSION_MAX_LIFETIME_MS) {
+    activeSessions.delete(token);
+    return res.status(401).json({ error: 'Session expired. Please log in again.' });
+  }
   next();
 }
@@ -84,11 +128,18 @@ app.post('/api/auth/setup', (req, res) => {
   if (lobstaConfig.passwordHash) {
     return res.status(403).json({ error: 'Account already set up. Use /api/auth/change to update.' });
   }
-  let { email, password } = req.body;
+  let { email, password, setupToken } = req.body;
+  // Validate setup token if provisioned (prevents setup race condition — MEDIUM-3)
+  const provision = getProvisionData();
+  if (provision && provision.setupToken) {
+    if (!setupToken || setupToken !== provision.setupToken) {
+      return res.status(403).json({ error: 'Invalid setup token. Please use the setup link provided in your welcome email.' });
+    }
+  }
   // Fallback to provision email if not provided
   if (!email) {
-    const provision = getProvisionData();
     if (provision && provision.email) {
       email = provision.email;
     }
@@ -97,8 +148,8 @@ app.post('/api/auth/setup', (req, res) => {
   if (!email || !email.includes('@')) {
     return res.status(400).json({ error: 'A valid email address is required' });
   }
-  if (!password || password.length < 6) {
-    return res.status(400).json({ error: 'Password must be at least 6 characters' });
+  if (!password || password.length < 8) {
+    return res.status(400).json({ error: 'Password must be at least 8 characters' });
   }
   const salt = crypto.randomBytes(16).toString('hex');
   const hash = crypto.scryptSync(password, salt, 64).toString('hex');
@@ -122,21 +173,47 @@ app.post('/api/auth/login', (req, res) => {
   if (!lobstaConfig.passwordHash) {
     return res.status(400).json({ error: 'No account set up. Complete setup first.' });
   }
+  // Rate limiting — check failed attempts for this IP (HIGH-5)
+  const clientIp = req.ip || req.connection.remoteAddress;
+  const attempts = loginAttempts.get(clientIp);
+  if (attempts && attempts.count >= RATE_LIMIT_MAX) {
+    const elapsed = Date.now() - attempts.firstAttempt;
+    if (elapsed < RATE_LIMIT_WINDOW_MS) {
+      const retryAfter = Math.ceil((RATE_LIMIT_WINDOW_MS - elapsed) / 1000);
+      res.set('Retry-After', String(retryAfter));
+      return res.status(429).json({ error: 'Too many login attempts. Please try again later.', retryAfter });
+    }
+    // Window expired, reset
+    loginAttempts.delete(clientIp);
+  }
   const { email, password } = req.body;
   // Verify email matches (case-insensitive)
   const storedEmail = (lobstaConfig.email || '').toLowerCase().trim();
   const providedEmail = (email || '').toLowerCase().trim();
   if (!providedEmail || providedEmail !== storedEmail) {
+    // Track failed attempt
+    const current = loginAttempts.get(clientIp) || { count: 0, firstAttempt: Date.now() };
+    current.count++;
+    loginAttempts.set(clientIp, current);
     return res.status(401).json({ error: 'Incorrect email or password' });
   }
   // Verify password
   const hash = crypto.scryptSync(password || '', lobstaConfig.passwordSalt, 64).toString('hex');
   if (hash !== lobstaConfig.passwordHash) {
+    // Track failed attempt
+    const current = loginAttempts.get(clientIp) || { count: 0, firstAttempt: Date.now() };
+    current.count++;
+    loginAttempts.set(clientIp, current);
     return res.status(401).json({ error: 'Incorrect email or password' });
   }
+  // Successful login — clear rate limit for this IP
+  loginAttempts.delete(clientIp);
   const sessionToken = crypto.randomBytes(32).toString('hex');
   activeSessions.set(sessionToken, { created: Date.now(), ip: req.ip });
@@ -160,15 +237,25 @@ app.post('/api/auth/logout', (req, res) => {
 app.get('/api/auth/status', (req, res) => {
   const lobstaConfig = getLobstaKitConfig();
   const token = req.headers.authorization?.replace('Bearer ', '');
-  const isAuthenticated = token && activeSessions.has(token);
+  let isAuthenticated = !!(token && activeSessions.has(token));
+  // Check session expiration for auth status
+  if (isAuthenticated) {
+    const session = activeSessions.get(token);
+    if (session && Date.now() - session.created > SESSION_MAX_LIFETIME_MS) {
+      activeSessions.delete(token);
+      isAuthenticated = false;
+    }
+  }
   const response = {
     setupComplete: !!lobstaConfig.setupComplete,
     passwordSet: !!lobstaConfig.passwordHash,
     authenticated: isAuthenticated
   };
-  // Include email for login pre-fill (always — it's just an email, not a secret)
+  // Return full email only when authenticated; mask otherwise (HIGH-4)
   if (lobstaConfig.email) {
-    response.email = lobstaConfig.email;
+    response.email = isAuthenticated ? lobstaConfig.email : maskEmail(lobstaConfig.email);
   }
   res.json(response);
 });
@@ -197,7 +284,7 @@ app.post('/api/auth/change', (req, res) => {
   // Update password if provided
   if (newPassword) {
-    if (newPassword.length < 6) return res.status(400).json({ error: 'New password must be at least 6 characters' });
+    if (newPassword.length < 8) return res.status(400).json({ error: 'New password must be at least 8 characters' });
     const salt = crypto.randomBytes(16).toString('hex');
     lobstaConfig.passwordHash = crypto.scryptSync(newPassword, salt, 64).toString('hex');
     lobstaConfig.passwordSalt = salt;
@@ -217,7 +304,15 @@ app.post('/api/auth/change', (req, res) => {
 app.get('/api/provision', (req, res) => {
   const provision = getProvisionData();
   if (provision) {
-    res.json({ provisioned: true, email: provision.email || null, subdomain: provision.subdomain || null, plan: provision.plan || null });
+    const token = req.headers.authorization?.replace('Bearer ', '');
+    const isAuthenticated = token && activeSessions.has(token);
+    res.json({
+      provisioned: true,
+      email: isAuthenticated ? (provision.email || null) : maskEmail(provision.email || ''),
+      subdomain: provision.subdomain || null,
+      plan: provision.plan || null,
+      setupToken: provision.setupToken || null
+    });
   } else {
     res.json({ provisioned: false });
   }
@@ -977,10 +1072,10 @@ app.post('/api/tailscale/connect', (req, res) => {
       return res.status(400).json({ error: 'Auth key is required' });
     }
-    // Validate auth key format (tskey-auth-...)
-    if (!authKey.startsWith('tskey-auth-') && !authKey.startsWith('tskey-')) {
+    // Strict validation: Tailscale auth keys are alphanumeric + hyphens only (CRITICAL-1: prevent command injection)
+    if (!/^tskey-auth-[a-zA-Z0-9-]+$/.test(authKey)) {
       return res.status(400).json({
-        error: 'Invalid auth key format. Tailscale auth keys start with tskey-auth-'
+        error: 'Invalid auth key format. Tailscale auth keys start with tskey-auth- and contain only alphanumeric characters and hyphens.'
       });
     }
@@ -1007,6 +1102,7 @@ app.post('/api/tailscale/connect', (req, res) => {
     // Run tailscale up with the auth key
     try {
+      // SAFE: authKey validated above with /^tskey-auth-[a-zA-Z0-9-]+$/ — no injection possible
       execSync(`tailscale up --authkey=${authKey} --accept-routes --accept-dns`, {
         stdio: 'pipe',
         timeout: 30000