nodebb-plugin-anti-account-sharing 1.0.4 → 1.0.5

package/library.js

@@ -1,91 +1,130 @@
 'use strict';
 
-const db = require.main.require('./src/database');
-const user = require.main.require('./src/user');
+const crypto = require('crypto');
+const winston = require.main.require('winston');
+const meta = require.main.require('./src/meta');
 
-const Plugin = {};
+const PLUGIN_ID = 'nodebb-plugin-anti-account-sharing';
 
-// --- AYARLAR ---
-const MAX_DEVICES = 1; // kaç bilgisayar?
+const DEFAULTS = {
+  enabled: true,
 
-function isMobile(req) {
-  const ua = req?.headers?.['user-agent'] || '';
-  return /Mobile|Android|iPhone|iPad|iPod/i.test(ua);
-}
+  // Fingerprint değişince ne yapalım?
+  // "kick" => diğer oturumları kır
+  // "block" => isteği 403 ile engelle (giriş yapanı bile)
+  enforcement: 'kick',
 
-Plugin.init = async function () {
-  console.log(`[Anti-Share] Aktif ✅ (Limit: ${MAX_DEVICES} PC)`);
-};
+  // Aynı kullanıcı için fingerprint değişimini kaç saniye "şüpheli" sayalım?
+  // Örn: 300 => son 5 dakikada farklı fingerprint görürse tetikle
+  windowSeconds: 300,
 
-// Login olduğunda session ekle (req gelmezse bile sorun değil, aşağıda fallback var)
-Plugin.recordSession = async function (data) {
-  const req = data?.req;
-  const uid = data?.uid;
+  // Log seviyesi: "debug" | "info" | "warn" | "error"
+  logLevel: 'info',
 
-  if (!req || !uid || !req.sessionID) return;
-  if (isMobile(req)) return;
+  // Fingerprint: ip + user-agent (+ accept-language opsiyonel)
+  includeAcceptLanguage: false,
 
-  const key = `antishare:sessionsz:${uid}`; // <-- DİKKAT: yeni key (zset)
-  const sid = req.sessionID;
+  // Reverse-proxy arkasında doğru ip için
+  trustProxy: true,
+};
 
-  // Eğer yoksa ekle (varsa score'u güncelleme!)
-  const all = await db.getSortedSetRevRange(key, 0, -1);
-  if (!all.includes(sid)) {
-    await db.sortedSetAdd(key, Date.now(), sid);
-  }
+function toBool(v) {
+  if (typeof v === 'boolean') return v;
+  if (typeof v === 'string') return ['1', 'true', 'yes', 'on'].includes(v.toLowerCase());
+  return !!v;
+}
 
-  // sadece son MAX_DEVICES tut
-  const newest = await db.getSortedSetRevRange(key, 0, -1);
-  const toRemove = newest.slice(MAX_DEVICES);
-  if (toRemove.length) {
-    await db.sortedSetRemove(key, toRemove);
+function toInt(v, dflt) {
+  const n = parseInt(v, 10);
+  return Number.isFinite(n) ? n : dflt;
+}
+
+async function getSettings() {
+  // ACP -> Settings -> Anti Account Sharing (meta settings) varsa buradan okur
+  // Yoksa defaults kullanır.
+  let s = {};
+  try {
+    s = await meta.settings.get(PLUGIN_ID);
+  } catch (e) {
+    s = {};
   }
-};
 
-// Her page + api isteğinde kontrol
-Plugin.checkSession = async function (data) {
-  const req = data?.req;
-  const res = data?.res;
+  const out = {
+    enabled: toBool(s.enabled ?? DEFAULTS.enabled),
+    enforcement: (s.enforcement || DEFAULTS.enforcement).toLowerCase(),
+    windowSeconds: toInt(s.windowSeconds ?? DEFAULTS.windowSeconds, DEFAULTS.windowSeconds),
+    logLevel: (s.logLevel || DEFAULTS.logLevel).toLowerCase(),
+    includeAcceptLanguage: toBool(s.includeAcceptLanguage ?? DEFAULTS.includeAcceptLanguage),
+    trustProxy: toBool(s.trustProxy ?? DEFAULTS.trustProxy),
+  };
 
-  if (!req || !res) return data;
-  if (!req.uid || req.uid <= 0 || isMobile(req)) return data;
+  if (!['kick', 'block'].includes(out.enforcement)) out.enforcement = DEFAULTS.enforcement;
+  if (!['debug', 'info', 'warn', 'error'].includes(out.logLevel)) out.logLevel = DEFAULTS.logLevel;
+  if (out.windowSeconds < 0) out.windowSeconds = DEFAULTS.windowSeconds;
 
-  const isAdmin = await user.isAdministrator(req.uid);
-  if (isAdmin) return data;
+  return out;
+}
 
-  const sid = req.sessionID;
-  if (!sid) return data;
+function sha1(input) {
+  return crypto.createHash('sha1').update(String(input)).digest('hex');
+}
 
-  const key = `antishare:sessionsz:${req.uid}`;
+function getClientIp(req, trustProxy) {
+  // NodeBB/Express: trust proxy açık değilse x-forwarded-for güvenilmez olur.
+  if (trustProxy) {
+    const xff = (req.headers['x-forwarded-for'] || '').toString();
+    if (xff) return xff.split(',')[0].trim();
+  }
+  return (
+    req.ip ||
+    (req.connection && req.connection.remoteAddress) ||
+    (req.socket && req.socket.remoteAddress) ||
+    ''
+  );
+}
 
-  // Sadece en yeni MAX_DEVICES session allowed
-  const allowed = await db.getSortedSetRevRange(key, 0, MAX_DEVICES - 1);
+function getFingerprint(req, settings) {
+  const ip = getClientIp(req, settings.trustProxy);
+  const ua = (req.headers['user-agent'] || '').toString();
+  const al = (req.headers['accept-language'] || '').toString();
+  const raw = settings.includeAcceptLanguage ? `${ip}|${ua}|${al}` : `${ip}|${ua}`;
+  return sha1(raw);
+}
 
-  // Eğer henüz kayıt yoksa (çok nadir) karışma
-  if (!Array.isArray(allowed) || !allowed.length) return data;
+function buildLogger(settings) {
+  // winston ile NodeBB loglarına düşer, ayrıca console’a da basar.
+  const level = settings?.logLevel || 'info';
 
-  // allowed değilse -> kick
-  if (!allowed.includes(sid)) {
-    try { req.logout?.(); } catch (e) {}
-    if (req.session) {
-      try { req.session.destroy(() => {}); } catch (e) {}
-    }
+  function log(lvl, msg, metaObj) {
+    const line = `[AAS] ${msg}${metaObj ? ` ${safeJson(metaObj)}` : ''}`;
+    // NodeBB winston
+    if (winston && typeof winston[lvl] === 'function') winston[lvl](line);
+    else if (winston && typeof winston.info === 'function') winston.info(line);
 
-    const wantsJson =
-      req.xhr ||
-      (req.headers.accept && req.headers.accept.includes('json')) ||
-      req.originalUrl?.startsWith('/api/');
+    // console fallback (docker logs)
+    if (lvl === 'error') console.error(line);
+    else if (lvl === 'warn') console.warn(line);
+    else console.log(line);
+  }
 
-    if (wantsJson) {
-      res.status(401).json({ error: 'session_terminated', message: 'Maksimum cihaz sınırına ulaşıldı.' });
-      return;
-    }
+  return {
+    debug: (msg, metaObj) => (['debug'].includes(level) ? log('info', `DEBUG: ${msg}`, metaObj) : null),
+    info: (msg, metaObj) => (['debug', 'info'].includes(level) ? log('info', msg, metaObj) : null),
+    warn: (msg, metaObj) => (['debug', 'info', 'warn'].includes(level) ? log('warn', msg, metaObj) : null),
+    error: (msg, metaObj) => log('error', msg, metaObj),
+  };
+}
 
-    res.redirect('/login?error=session-conflict');
-    return;
-  }
-  
-  return data;
-};
+function safeJson(x) {
+  try { return JSON.stringify(x); } catch (e) { return '[unjsonable]'; }
+}
 
-module.exports = Plugin;
+module.exports = {
+  PLUGIN_ID,
+  DEFAULTS,
+  getSettings,
+  getFingerprint,
+  getClientIp,
+  sha1,
+  buildLogger,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-anti-account-sharing",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "Prevents account sharing by enforcing a single active session policy for desktop devices.",
   "main": "library.js",
   "keywords": [

package/static/security.js

@@ -1,97 +1,206 @@
 'use strict';
 
-(function () {
-  function showSecurityModal() {
-    // Varsa eski modalları temizle
-    $('#antishare-modal').remove();
-
-    const modalHtml = `
-      <div id="antishare-modal" style="
-        position: fixed; top: 0; left: 0; width: 100%; height: 100%;
-        background: rgba(0,0,0,0.92); z-index: 999999;
-        display: flex; flex-direction: column; align-items: center; justify-content: center;
-        text-align: center; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-        animation: fadeIn 0.3s ease;
-      ">
-        <div style="
-          background: #ffffff; padding: 40px; border-radius: 16px; 
-          max-width: 90%; width: 400px; box-shadow: 0 10px 40px rgba(0,0,0,0.5);
-          position: relative; overflow: hidden;
-        ">
-          <div style="position: absolute; top:0; left:0; width:100%; height:6px; background:#d9534f;"></div>
-
-          <div style="
-            width: 70px; height: 70px; background: #fdf2f2; border-radius: 50%; 
-            display: flex; align-items: center; justify-content: center; margin: 0 auto 20px;
-          ">
-            <i class="fa fa-shield" style="font-size: 32px; color: #d9534f;"></i>
-          </div>
-
-          <h2 style="color: #333; margin: 0 0 10px; font-size: 22px; font-weight: 700;">Oturum Sonlandırıldı</h2>
-
-          <p style="color: #666; font-size: 14px; line-height: 1.6; margin: 0 0 30px;">
-            Hesabınıza <strong>başka bir bilgisayardan</strong> giriş yapıldığı tespit edildi.<br><br>
-            Hesap güvenliğiniz için önceki cihazdaki oturum otomatik olarak kapatılmıştır.
-          </p>
-
-          <a href="/login" style="
-            display: block; width: 100%; padding: 14px 0;
-            background: #d9534f; color: #fff; text-decoration: none;
-            font-weight: 600; border-radius: 8px; font-size: 15px;
-            transition: background 0.2s;
-          " onmouseover="this.style.background='#c9302c'" onmouseout="this.style.background='#d9534f'">
-            TEKRAR GİRİŞ YAP
-          </a>
-
-          <div style="margin-top: 20px; font-size: 12px; color: #999;">
-            Mobil cihazlarınız bu durumdan etkilenmez.
-          </div>
-        </div>
-      </div>
-      <style>@keyframes fadeIn { from { opacity:0; transform:scale(0.95); } to { opacity:1; transform:scale(1); } }</style>
-    `;
-
-    $('body').append(modalHtml);
-    $('body').css('overflow', 'hidden');
+const db = require.main.require('./src/database');
+const user = require.main.require('./src/user');
+
+const {
+  getSettings,
+  getFingerprint,
+  buildLogger,
+  PLUGIN_ID,
+} = require('./library');
+
+const KEY_LAST_FP = (uid) => `uid:${uid}:aas:lastfp`;
+const KEY_LAST_SEEN = (uid) => `uid:${uid}:aas:lastseen`; // epoch seconds
+const KEY_LAST_IP = (uid) => `uid:${uid}:aas:lastip`;
+const KEY_LAST_UA = (uid) => `uid:${uid}:aas:lastua`;
+
+const SESS_SET = (uid) => `uid:${uid}:sessions`;
+
+// NodeBB’de yaygın session obj key isimleri (kuruluma göre değişebiliyor)
+function sessionObjectKeys(sid) {
+  return [
+    `sess:${sid}`,
+    `session:${sid}`,
+    `sessions:${sid}`,
+  ];
+}
+
+async function getUserSessionIds(uid) {
+  // NodeBB genelde sorted set tutar
+  try {
+    const sids = await db.getSortedSetRange(SESS_SET(uid), 0, -1);
+    return Array.isArray(sids) ? sids : [];
+  } catch (e) {
+    return [];
   }
+}
 
-  function checkUrlParam() {
-    const urlParams = new URLSearchParams(window.location.search);
-    if (urlParams.get('error') === 'session-conflict') {
-      showSecurityModal();
+async function deleteSession(sid, logger) {
+  // session obj key’leri silmeyi dener
+  for (const k of sessionObjectKeys(sid)) {
+    try {
+      await db.delete(k);
+      logger.debug('Deleted session object', { key: k });
+    } catch (e) {
+      // ignore
     }
   }
+}
+
+async function kickOtherSessions(uid, keepSid, logger) {
+  const all = await getUserSessionIds(uid);
+  if (!all.length) return { total: 0, removed: 0 };
 
-  // --- 1) İlk yükleme + SPA geçişleri ---
-  $(document).ready(checkUrlParam);
-  $(window).on('action:ajaxify.end', checkUrlParam);
+  let removed = 0;
+  for (const sid of all) {
+    if (!sid) continue;
+    if (keepSid && sid === keepSid) continue;
 
-  // --- 2) jQuery AJAX 401 yakala ---
-  $(document).ajaxError(function (event, jqxhr) {
-    if (jqxhr && jqxhr.status === 401 && jqxhr.responseJSON && jqxhr.responseJSON.error === 'session_terminated') {
-      showSecurityModal();
+    try {
+      await db.sortedSetRemove(SESS_SET(uid), sid);
+      removed += 1;
+      logger.info('Removed session from uid sessions set', { uid, sid });
+    } catch (e) {
+      logger.warn('Failed removing session from sessions set', { uid, sid, err: e.message });
     }
-  });
 
-  // --- 3) FETCH 401 yakala (asıl eksik buydu) ---
-  const _fetch = window.fetch;
-  window.fetch = async function (...args) {
-    const res = await _fetch.apply(this, args);
+    await deleteSession(sid, logger);
+  }
+  return { total: all.length, removed };
+}
+
+function getCurrentSessionId(req) {
+  // Express-session genelde req.sessionID verir
+  if (req && req.sessionID) return req.sessionID;
+
+  // Cookie’den yakalamayı dene (connect.sid vb.)
+  const cookie = (req.headers && req.headers.cookie) ? String(req.headers.cookie) : '';
+  // connect.sid=s%3Axxxxx.yyyyy
+  const m = cookie.match(/connect\.sid=([^;]+)/i);
+  if (m && m[1]) return decodeURIComponent(m[1]).replace(/^s:/, '').split('.')[0];
+  return null;
+}
+
+async function shouldTrigger(uid, fp, nowSec, settings) {
+  const [lastfp, lastseen] = await Promise.all([
+    db.getObjectField(KEY_LAST_FP(uid), 'v'),
+    db.getObjectField(KEY_LAST_SEEN(uid), 'v'),
+  ]);
+
+  const lastSeenNum = parseInt(lastseen, 10);
+  const lastFpStr = lastfp ? String(lastfp) : '';
+
+  if (!lastFpStr) return { trigger: false, reason: 'no_last_fp' };
+  if (lastFpStr === fp) return { trigger: false, reason: 'same_fp' };
+
+  if (!Number.isFinite(lastSeenNum)) return { trigger: true, reason: 'fp_changed_no_lastseen' };
+
+  const diff = nowSec - lastSeenNum;
+  if (diff <= settings.windowSeconds) {
+    return { trigger: true, reason: `fp_changed_within_${settings.windowSeconds}s` };
+  }
+  return { trigger: false, reason: `fp_changed_outside_window(${diff}s)` };
+}
+
+async function updateLast(uid, fp, req, nowSec) {
+  const ip = (req.headers && (req.headers['x-forwarded-for'] || req.ip || '')) || '';
+  const ua = (req.headers && req.headers['user-agent']) || '';
 
+  await Promise.allSettled([
+    db.setObjectField(KEY_LAST_FP(uid), 'v', fp),
+    db.setObjectField(KEY_LAST_SEEN(uid), 'v', String(nowSec)),
+    db.setObjectField(KEY_LAST_IP(uid), 'v', String(ip).slice(0, 200)),
+    db.setObjectField(KEY_LAST_UA(uid), 'v', String(ua).slice(0, 300)),
+  ]);
+}
+
+function createSecurityMiddleware(settings, logger) {
+  return async function antiAccountSharingMiddleware(req, res, next) {
     try {
-      if (res && res.status === 401) {
-        // response body json olabilir; klonlayıp okuyalım
-        const clone = res.clone();
-        const data = await clone.json().catch(() => null);
+      if (!settings.enabled) return next();
+
+      // NodeBB: req.uid login olmuş kullanıcı
+      const uid = parseInt(req.uid, 10);
+      if (!Number.isFinite(uid) || uid <= 0) return next();
+
+      // Bazı route’larda user obj yoksa da problem değil
+      // (Bunu loglamak istersen aç)
+      // const u = await user.getUserFields(uid, ['username']);
+      // const username = u?.username;
+
+      const fp = getFingerprint(req, settings);
+      const nowSec = Math.floor(Date.now() / 1000);
+
+      const check = await shouldTrigger(uid, fp, nowSec, settings);
+
+      if (check.trigger) {
+        const keepSid = getCurrentSessionId(req);
 
-        if (data && data.error === 'session_terminated') {
-          showSecurityModal();
+        logger.warn('Account sharing suspected (fingerprint changed)', {
+          uid,
+          reason: check.reason,
+          keepSid: keepSid || '',
+          path: req.originalUrl || req.url,
+        });
+
+        if (settings.enforcement === 'block') {
+          // current request’i de engelle
+          await updateLast(uid, fp, req, nowSec);
+          res.status(403).json({
+            error: 'account-sharing-detected',
+            message: 'Bu hesap farklı cihaz/ağ üzerinden aynı anda kullanılıyor olabilir.',
+          });
+          return;
         }
+
+        // kick mode: diğer session’ları kır
+        const result = await kickOtherSessions(uid, keepSid, logger);
+        logger.info('Kick result', { uid, ...result });
+
+        // (İsteğe bağlı) burada kullanıcıya bildirim de basılabilir
       }
+
+      // her request sonunda last’i güncelle
+      await updateLast(uid, fp, req, nowSec);
+      return next();
     } catch (e) {
-      // sessiz geç
+      logger.error('Middleware error', { err: e.message });
+      return next();
     }
-
-    return res;
   };
-})();
+}
+
+const Security = {};
+
+Security.init = async function (params) {
+  // NodeBB hook: static:app.load (en yaygın)
+  // params: { app, router, middleware, controllers }
+  const { app } = params;
+  const settings = await getSettings();
+  const logger = buildLogger(settings);
+
+  logger.info('Loading security middleware', {
+    enabled: settings.enabled,
+    enforcement: settings.enforcement,
+    windowSeconds: settings.windowSeconds,
+    trustProxy: settings.trustProxy,
+  });
+
+  if (!app) {
+    logger.warn('No express app passed to security.init (static:app.load?)');
+    return;
+  }
+
+  // trust proxy opsiyonel (reverse proxy varsa doğru ip için)
+  try {
+    app.set('trust proxy', !!settings.trustProxy);
+  } catch (e) {}
+
+  // NodeBB’nin auth middleware’inden sonra çalışması için genelde app.use yeterli
+  app.use(createSecurityMiddleware(settings, logger));
+
+  logger.info('Security middleware attached', { plugin: PLUGIN_ID });
+};
+
+module.exports = Security;