mbkauthe 3.0.0 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +98 -16
- package/docs/api.md +212 -117
- package/docs/db.md +71 -16
- package/docs/env.md +91 -8
- package/index.d.ts +59 -21
- package/lib/config/index.js +48 -1
- package/lib/main.js +27 -1
- package/lib/middleware/index.js +4 -2
- package/lib/routes/auth.js +25 -3
- package/lib/routes/misc.js +29 -17
- package/lib/routes/oauth.js +379 -264
- package/lib/utils/response.js +2 -2
- package/package.json +30 -10
- package/test.spec.js +196 -0
- package/views/2fa.handlebars +2 -2
- package/views/loginmbkauthe.handlebars +35 -5
- package/views/sharedStyles.handlebars +5 -0
- package/views/showmessage.handlebars +27 -1
- package/.env.example +0 -3
- package/.github/PACKAGE.md +0 -17
- package/.github/workflows/codeql.yml +0 -98
- package/.github/workflows/publish.yml +0 -87
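--- a/package/lib/routes/misc.js
+++ b/package/lib/routes/misc.js
@@ -1,19 +1,20 @@
 import express from "express";
 import fetch from 'node-fetch';
 import rateLimit from 'express-rate-limit';
-import { fileURLToPath } from "url";
-import fs from "fs";
-import path from "path";
 import { mbkautheVar, packageJson, appVersion } from "../config/index.js";
 import { renderError } from "../utils/response.js";
 import { authenticate, validateSession } from "../middleware/auth.js";
 import { ErrorCodes, ErrorMessages } from "../utils/errors.js";
 import { dblogin } from "../database/pool.js";
 import { clearSessionCookies } from "../config/cookies.js";
+import { fileURLToPath } from "url";
+import path from "path";
+import fs from "fs";
 
-const router = express.Router();
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
+
+const router = express.Router();
 // Rate limiter for info/test routes
 const LoginLimit = rateLimit({
 windowMs: 1 * 60 * 1000,
@@ -21,6 +22,21 @@ const LoginLimit = rateLimit({
 message: { success: false, message: "Too many attempts, please try again later" },
 skip: (req) => {
 return !!req.session.user;
+},
+validate: {
+trustProxy: false,
+xForwardedForHeader: false
+}
+});
+
+// Rate limiter for admin operations
+const AdminOperationLimit = rateLimit({
+windowMs: 5 * 60 * 1000,
+max: 3,
+message: { success: false, message: "Too many admin operations, please try again later" },
+validate: {
+trustProxy: false,
+xForwardedForHeader: false
 }
 });
 
@@ -30,16 +46,6 @@ router.get('/main.js', (req, res) => {
 res.sendFile(path.join(__dirname, '..', '..', 'public', 'main.js'));
 });
 
-router.get('/icon.svg', (req, res) => {
-res.setHeader('Cache-Control', 'public, max-age=31536000');
-res.sendFile(path.join(__dirname, '..', '..', 'public', 'icon.svg'));
-});
-
-router.get(['/favicon.ico', '/icon.ico'], (req, res) => {
-res.setHeader('Cache-Control', 'public, max-age=31536000');
-res.sendFile(path.join(__dirname, '..', '..', 'public', 'icon.ico'));
-});
-
 router.get("/bg.webp", (req, res) => {
 const imgPath = path.join(__dirname, "..", "..", "public", "bg.webp");
 res.setHeader('Content-Type', 'image/webp');
@@ -241,12 +247,18 @@ router.get(["/info", "/i"], LoginLimit, async (req, res) => {
 });
 
 // Terminate all sessions (admin endpoint)
-router.post("/api/terminateAllSessions", authenticate(mbkautheVar.Main_SECRET_TOKEN), async (req, res) => {
+router.post("/api/terminateAllSessions", AdminOperationLimit, authenticate(mbkautheVar.Main_SECRET_TOKEN), async (req, res) => {
 try {
 // Run both operations in parallel for better performance
 await Promise.all([
-dblogin.query({
-
+dblogin.query({
+name: 'terminate-all-user-sessions',
+text: 'UPDATE "Users" SET "SessionId" = NULL WHERE "SessionId" IS NOT NULL'
+}),
+dblogin.query({
+name: 'terminate-all-db-sessions',
+text: 'DELETE FROM "session" WHERE expire > NOW()'
+})
 ]);
 
 req.session.destroy((err) => {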
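Review bot: The `validate: { trustProxy: false, xForwardedForHeader: false }` blocks added to LoginLimit and AdminOperationLimit in hunk `@@ -21,6 +22,21 @@` only mute express-rate-limit's proxy-configuration checks; they do not change how requests are keyed, which still defaults to req.ip, and the LoginLimit object itself begins before this hunk. If the app sits behind a reverse proxy without a matching `trust proxy` setting, every client shares the proxy's address and one caller can exhaust the 3-per-5-minute AdminOperationLimit for everyone, while an over-broad `trust proxy` lets the forwarded header decide the bucket — the suppressed warnings are exactly what would have surfaced either misconfiguration. If muting is deliberate, say so above each block, e.g. `// validate.* only silences express-rate-limit's trust-proxy warnings; the app's 'trust proxy' setting must still be correct for req.ip keying to be meaningful`, otherwise drop the flags and configure the app. This matters more now that AdminOperationLimit runs before `authenticate(...)` on `/api/terminateAllSessions` in hunk `@@ -241,12 +247,18 @@`, since the limiter's keying decides whether unauthenticated requests can lock out the admin endpoint.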