adolforeyna/EMI-Backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: adolforeyna/EMI-Backend:codex/password-security-plan-comments
Branches Tags
adolforeyna/EMI-Backend:master adolforeyna/EMI-Backend:codex/live-captions adolforeyna/EMI-Backend:codex/sessionchecker-json-unauthorized adolforeyna/EMI-Backend:codex/universal-chat-room adolforeyna/EMI-Backend:codex/password-security-plan-comments adolforeyna/EMI-Backend:codex/fix-502-feed-profile
..
compare: adolforeyna/EMI-Backend:822e2bc0d6e2275f0ab29446d1eed3585f686597
Branches Tags
adolforeyna/EMI-Backend:master adolforeyna/EMI-Backend:codex/live-captions adolforeyna/EMI-Backend:codex/sessionchecker-json-unauthorized adolforeyna/EMI-Backend:codex/universal-chat-room adolforeyna/EMI-Backend:codex/password-security-plan-comments adolforeyna/EMI-Backend:codex/fix-502-feed-profile

1 Commits
codex/password-security-plan-comments .. 822e2bc0d6

Author SHA1 Message Date
adolforeyna 822e2bc0d6 Merge pull request 'codex/fix-502-feed-profile' (#1) from codex/fix-502-feed-profile into master 
Reviewed-on: http://192.168.68.119:3000/adolforeyna/EMI-Backend/pulls/1
 2026-02-21 00:46:34 +00:00
4 changed files with 93 additions and 291 deletions
Expand all files Collapse all files
auth/authEmail.js
+85 -105
View File
@@ -9,48 +9,15 @@ const Notifications = require("../notifications");
// Object Definitions // Object Definitions
const Post = require("../def/post.js") const Post = require("../def/post.js")
const Profile = require("../def/profile.js"); const Profile = require("../def/profile.js");
const DUMMY_BCRYPT_HASH = '$2b$10$2zQfAaxK0cN13N7V2Q5hAOL3wxY5E9OQj1YxDCEV4VpWw2X2gYd6C';
const PASSWORD_TOKEN_TTL_MINUTES = parseInt(process.env.PASSWORD_TOKEN_TTL_MINUTES || '20', 10);
const PASSWORD_TOKEN_PATH = process.env.PASSWORD_TOKEN_PATH || '/token-login';
const FRONTEND_URL = (process.env.FRONTEND_URL || 'https://social.emmint.com').replace(/\/+$/, '');
const createPasswordTokenHash = (rawToken) =>
crypto.createHash('sha256').update(rawToken).digest('hex');
const createSessionFromUser = async ({ DB, user, req, res }) => {
const sessionObj = await DB.newSession(user._id);
res.cookie('user_sid', user._id, cookiesOptions);
res.cookie('session_id', sessionObj.insertedId, cookiesOptions);
const latestUpdatedProfile = await DB.latestProfile(user._id);
if (latestUpdatedProfile && latestUpdatedProfile._id) {
res.cookie('profile_id', latestUpdatedProfile._id, cookiesOptions);
}
client_logger.identify({
distinctId: user._id,
properties: {
name: latestUpdatedProfile?.profile?.firstName || '',
}
});
client_logger.capture({
distinctId: user._id,
event: 'server@' + req.method + '@' + req.originalUrl,
});
return {
status: "ok",
user_sid: user._id,
session_id: sessionObj.insertedId,
profile_id: latestUpdatedProfile?._id
};
};
// Function to Singup new users. An user is a combination of a user obj and a profile. // Function to Singup new users. An user is a combination of a user obj and a profile.
// When new users are subscribed, they have a single profile, which is the personal one. // When new users are subscribed, they have a single profile, which is the personal one.
// Other profiles can be link to that user, like groups or courses. // Other profiles can be link to that user, like groups or courses.
const signup = async function (req, res) { const signup = async function (req, res) {
const username = (req.body.username || "").trim().toLowerCase(); const username = req.query.username || req.body.username;
const password = req.body.password; const password = req.query.password || req.body.password;
const email = (req.body.email || "").trim().toLowerCase(); const email = req.query.email || req.body.email;
const profile = req.body.profile; const profile = req.query.profile || req.body.profile;
if (!username || !password || !email) return res.json({ status: "Incomplete information!" }); if (!username || !password || !email) return res.json({ status: "Incomplete information!" });
// Check if the new user has an invitation. // Check if the new user has an invitation.
const DB = await MongoDB.getDB; const DB = await MongoDB.getDB;
@@ -67,10 +34,12 @@ const signup = async function (req, res) {
} }
let isUserAlreadyRegistered = await DB.getUser(email); let isUserAlreadyRegistered = await DB.getUser(email);
if (isUserAlreadyRegistered && isUserAlreadyRegistered._id) return res.json({ status: "This user is already registered" }); if (isUserAlreadyRegistered && isUserAlreadyRegistered._id) return res.json({ status: "This user is already registered" });
// Hash password to be stored on the DB.
// TODO: I think this is missing a Salt factor to improve security
const hashedPassword = await bcrypt.hash(password, 10); const hashedPassword = await bcrypt.hash(password, 10);
const newUserObject = await DB.newUser({ const newUserObject = await DB.newUser({
username, username: username.toLowerCase(),
email, email: email.toLowerCase(),
password: hashedPassword password: hashedPassword
}); });
// If newUserObject it's an error message, we check by looking toLowerCase function // If newUserObject it's an error message, we check by looking toLowerCase function
@@ -110,23 +79,47 @@ const login = async function (req, res) {
const userInfo = await DB.checkSessionOnDB(session_id, user_sid); const userInfo = await DB.checkSessionOnDB(session_id, user_sid);
if (userInfo) return res.redirect('/'); if (userInfo) return res.redirect('/');
} }
const invalidCredentials = () => res.status(401).json({ status: "Invalid credentials" }); const username = req.body.username || req.query.username;
const username = (req.body.username || req.body.email || "").trim().toLowerCase(); const password = req.body.password || req.query.password || "";
const password = req.body.password || "";
if (!username || !password) return invalidCredentials();
const user = await DB.getUser(username); const user = await DB.getUser(username);
if (!user) { if (!user) {
client_logger.capture({ client_logger.capture({
distinctId: 'app_level', distinctId: 'app_level',
event: 'server@' + req.method + '@' + req.originalUrl + '@invalidCredentials', event: 'server@' + req.method + '@' + req.originalUrl + '@userNotFound',
properties: { username }, properties: {
username: username,
}
}); });
return res.json({ status: "user not founded" });
} }
const isSamePassword = await bcrypt.compare(password, user?.password || DUMMY_BCRYPT_HASH); // TODO: Also add salt parameter here.
if (!user || !isSamePassword) return invalidCredentials(); const isSamePassword = await bcrypt.compare(password, user.password);
if (!isSamePassword) return res.json({ status: "incorrect password" });
try { try {
return res.json(await createSessionFromUser({ DB, user, req, res })); // Store a new session loging on DB, and use ID as session ID
const sessionObj = await DB.newSession(user._id);
// Create coockies with information for Auth
res.cookie('user_sid', user._id, cookiesOptions);
res.cookie('session_id', sessionObj.insertedId, cookiesOptions);
// Chooses the most recent update profile as current active profile
const latestUpdatedProfile = await DB.latestProfile(user._id);
res.cookie('profile_id', latestUpdatedProfile._id, cookiesOptions);
client_logger.identify({
distinctId: user._id,
properties: {
name: latestUpdatedProfile.profile.firstName,
}
});
client_logger.capture({
distinctId: user._id,
event: 'server@' + req.method + '@' + req.originalUrl,
});
return res.json({
status: "ok",
user_sid: user._id,
session_id: sessionObj.insertedId,
profile_id: latestUpdatedProfile._id
});
} catch (error) { } catch (error) {
console.error(error); console.error(error);
client_logger.capture({ client_logger.capture({
@@ -158,43 +151,51 @@ const logout = async function (req, res) {
} }
} }
const resetPassword = async function (req, res) { // Util function for generating new random password for users.
const DB = await MongoDB.getDB; function generatePassword(length = 12) {
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+";
return Array.from(crypto.randomFillSync(new Uint8Array(length)))
.map((x) => charset[x % charset.length])
.join("");
}
const genericResetResponse = { const resetPassword = async function (req, res) {
status: "ok", const session_id = getSessionId(req);
details: "If the account exists, check your email for next steps" const user_sid = getUserId(req);
}; const DB = await MongoDB.getDB;
if (session_id && user_sid) {
// Sadly reusing this endpoint to change password to legged in users.
// TODO: Move change password logic to its own endpoint.
const userInfo = await DB.checkSessionOnDB(session_id, user_sid);
if (userInfo) {
const password = req.body.password;
const hashedPassword = await bcrypt.hash(password, 10);
// TODO: Add salt to password here as well.
DB.resetUserPassword(userInfo.username, hashedPassword);
return res.json({
status: "ok",
details: 'password changed!' // This should be an enum that syncs with clients.
});
}
}
// Logic for non-logged in users. // Logic for non-logged in users.
const username = (req.body.username || req.body.email || "").trim().toLowerCase(); const username = req.body.username;
if (!username) return res.json(genericResetResponse);
const user = await DB.getUser(username); const user = await DB.getUser(username);
if (!user) { if (!user) return res.json({ status: "user not founded" });
client_logger.capture({ const password = generatePassword();
distinctId: 'app_level', const hashedPassword = await bcrypt.hash(password, 10);
event: 'server@' + req.method + '@' + req.originalUrl + '@resetRequestedUnknownUser', // TODO: Add salt to password here as well.
properties: { username } // TODO: We need to limit this to every 2 hours or something like this.
}); // TODO: Move this template to the Notif file.
return res.json(genericResetResponse); DB.resetUserPassword(username, hashedPassword);
} Notifications.sendEmail(username, "Your new credentials",
const rawToken = crypto.randomBytes(32).toString('hex');
const tokenHash = createPasswordTokenHash(rawToken);
const expiresAt = new Date(Date.now() + PASSWORD_TOKEN_TTL_MINUTES * 60 * 1000);
const tokenStored = await DB.createPasswordLoginToken(user._id, tokenHash, expiresAt);
if (!tokenStored) {
return res.json(genericResetResponse);
}
const loginUrl = `${FRONTEND_URL}${PASSWORD_TOKEN_PATH}?token=${rawToken}`;
Notifications.sendEmail(username, "Your secure sign-in link",
` `
<p>Hello,</p> <p> Hello,</p>
<p>Use this one-time sign-in link to access your account:</p> <p> This is your new password: ${password}</p>
<p><a href="${loginUrl}">${loginUrl}</a></p> <p><a href="https://social.emmint.com/">Log in</a></p>
<p>This link expires in ${PASSWORD_TOKEN_TTL_MINUTES} minutes and can only be used once.</p>
<p>If you did not request this, you can ignore this email.</p>
<p>Blessings</p> <p>Blessings</p>
<p>Emmanuel International Ministries</p> <p>Emmanuel International Ministries</p>
`); `)
client_logger.capture({ client_logger.capture({
distinctId: user._id, distinctId: user._id,
event: 'server@' + req.method + '@' + req.originalUrl, event: 'server@' + req.method + '@' + req.originalUrl,
@@ -202,30 +203,10 @@ const resetPassword = async function (req, res) {
username: username, username: username,
} }
}); });
return res.json(genericResetResponse); return res.json({
} status: "ok",
details: 'Check your email for new password' // Enum of details?
const loginWithPasswordToken = async function (req, res) { });
const DB = await MongoDB.getDB;
const token = (req.body.token || "").trim();
if (!token || token.length < 32) {
return res.status(401).json({ status: "Invalid or expired token" });
}
const tokenHash = createPasswordTokenHash(token);
const tokenDoc = await DB.consumePasswordLoginToken(tokenHash);
if (!tokenDoc || !tokenDoc.userId) {
return res.status(401).json({ status: "Invalid or expired token" });
}
const user = await DB.getUserById(tokenDoc.userId);
if (!user || !user._id) {
return res.status(401).json({ status: "Invalid or expired token" });
}
try {
return res.json(await createSessionFromUser({ DB, user, req, res }));
} catch (error) {
console.error("Token login error", error);
return res.status(500).json({ status: "Internal server error" });
}
} }
@@ -234,5 +215,4 @@ module.exports = {
login, login,
logout, logout,
resetPassword, resetPassword,
loginWithPasswordToken,
} }
index.js
+6 -29
View File
@@ -9,7 +9,6 @@ require('dotenv').config();
const express = require('express'); const express = require('express');
const app = express(); const app = express();
const port = process.env.PORT || 3000; const port = process.env.PORT || 3000;
app.set('trust proxy', true);
// -- Accept request from other origins // -- Accept request from other origins
const cors = require('cors'); const cors = require('cors');
const { corsOptions } = require('./config/corsOptions'); const { corsOptions } = require('./config/corsOptions');
@@ -35,11 +34,11 @@ const limiter = rateLimit({
return ip.includes(":") ? ip.split(":")[0] : ip; // Remove port if present return ip.includes(":") ? ip.split(":")[0] : ip; // Remove port if present
} }
}); });
app.set('trust proxy', true);
app.use(limiter); app.use(limiter);
// Authentication // Authentication
const { signup, login, logout, resetPassword, loginWithPasswordToken } = require('./auth/authEmail.js'); const { signup, login, logout, resetPassword } = require('./auth/authEmail.js');
const { authRateLimiter } = require('./middleware/authRateLimiter');
/** /**
* @swagger * @swagger
* /signup: * /signup:
@@ -72,7 +71,7 @@ const { authRateLimiter } = require('./middleware/authRateLimiter');
* 400: * 400:
* description: Bad request. * description: Bad request.
*/ */
app.post('/signup', signup); app.route('/signup').get(signup).post(signup);
/** /**
* @swagger * @swagger
* /login: * /login:
@@ -105,7 +104,7 @@ app.post('/signup', signup);
* 401: * 401:
* description: Invalid credentials. * description: Invalid credentials.
*/ */
app.post('/login', authRateLimiter('login'), login); app.route('/login').get(login).post(login);
/** /**
* @swagger * @swagger
* /logout: * /logout:
@@ -128,7 +127,7 @@ app.get('/logout', logout);
* @swagger * @swagger
* /resetPassword: * /resetPassword:
* post: * post:
* summary: Sends a one-time sign-in link if the account exists * summary: Resets a user's password
* tags: [Auth] * tags: [Auth]
* requestBody: * requestBody:
* required: true * required: true
@@ -153,29 +152,7 @@ app.get('/logout', logout);
* 400: * 400:
* description: Bad request. * description: Bad request.
*/ */
app.route('/resetPassword').post(authRateLimiter('reset'), resetPassword); app.route('/resetPassword').post(resetPassword);
/**
* @swagger
* /password/token-login:
* post:
* summary: Consumes a one-time password token and starts a session
* tags: [Auth]
* requestBody:
* required: true
* content:
* application/json:
* schema:
* type: object
* properties:
* token:
* type: string
* responses:
* 200:
* description: Logged in with one-time token
* 401:
* description: Invalid or expired token
*/
app.post('/password/token-login', authRateLimiter('token'), loginWithPasswordToken);
// Routes // Routes
const profileRoute = require('./routes/profile.js'); const profileRoute = require('./routes/profile.js');
middleware/authRateLimiter.js
-116
View File
@@ -1,116 +0,0 @@
const crypto = require('crypto');
const { client_logger } = require('../utils/analyticsLogger');
const AUTH_ATTEMPT_WINDOW_MS = Math.max(60 * 1000, parseInt(process.env.AUTH_ATTEMPT_WINDOW_MS || `${15 * 60 * 1000}`, 10));
const AUTH_ATTEMPT_MAX = Math.max(1, parseInt(process.env.AUTH_ATTEMPT_MAX || '5', 10));
const AUTH_BLOCK_BASE_MS = Math.max(30 * 1000, parseInt(process.env.AUTH_BLOCK_BASE_MS || `${5 * 60 * 1000}`, 10));
const AUTH_BLOCK_MAX_MS = Math.max(AUTH_BLOCK_BASE_MS, parseInt(process.env.AUTH_BLOCK_MAX_MS || `${60 * 60 * 1000}`, 10));
const limiterStore = new Map();
let lastPruneAt = 0;
const getClientIp = (req) => {
const forwarded = req.headers['x-forwarded-for']?.split(',')[0]?.trim();
const rawIp = forwarded || req.ip || req.connection?.remoteAddress || 'unknown';
return rawIp.replace('::ffff:', '');
};
const hashValue = (value) =>
crypto.createHash('sha256').update(String(value)).digest('hex').slice(0, 16);
const getIdentity = (req, mode) => {
if (mode === 'token') {
const token = (req.body?.token || '').trim();
return token ? `token:${hashValue(token)}` : 'token:anonymous';
}
const username = (req.body?.username || req.body?.email || '').trim().toLowerCase();
return username ? `acct:${hashValue(username)}` : 'acct:anonymous';
};
const getLimiterKey = (req, mode) => `${mode}:${getIdentity(req, mode)}:ip:${getClientIp(req)}`;
const getOrInitRecord = (key, now) => {
const existing = limiterStore.get(key);
if (existing) {
return existing;
}
const record = {
count: 0,
windowStartedAt: now,
blockedUntil: 0,
blockLevel: 0,
};
limiterStore.set(key, record);
return record;
};
const computeBlockMs = (blockLevel) =>
Math.min(AUTH_BLOCK_BASE_MS * (2 ** Math.max(0, blockLevel - 1)), AUTH_BLOCK_MAX_MS);
const authRateLimiter = (mode) => (req, res, next) => {
const now = Date.now();
if (now - lastPruneAt > 5 * 60 * 1000) {
for (const [storeKey, storeValue] of limiterStore.entries()) {
const isWindowExpired = now - storeValue.windowStartedAt > AUTH_ATTEMPT_WINDOW_MS;
const isNotBlocked = storeValue.blockedUntil <= now;
if (isWindowExpired && isNotBlocked) {
limiterStore.delete(storeKey);
}
}
lastPruneAt = now;
}
const key = getLimiterKey(req, mode);
const record = getOrInitRecord(key, now);
if (now - record.windowStartedAt > AUTH_ATTEMPT_WINDOW_MS) {
record.count = 0;
record.windowStartedAt = now;
}
if (record.blockedUntil > now) {
const retryAfterSec = Math.ceil((record.blockedUntil - now) / 1000);
res.set('Retry-After', retryAfterSec.toString());
client_logger.capture({
distinctId: 'app_level',
event: 'security@auth@rate_limited',
properties: {
route: req.originalUrl,
method: req.method,
mode,
keyHash: hashValue(key),
retryAfterSec,
blockLevel: record.blockLevel,
}
});
return res.status(429).json({ status: 'Too many attempts. Please try again later.' });
}
record.count += 1;
if (record.count > AUTH_ATTEMPT_MAX) {
record.blockLevel += 1;
const blockMs = computeBlockMs(record.blockLevel);
record.blockedUntil = now + blockMs;
record.count = 0;
record.windowStartedAt = now;
res.set('Retry-After', Math.ceil(blockMs / 1000).toString());
client_logger.capture({
distinctId: 'app_level',
event: 'security@auth@rate_limited',
properties: {
route: req.originalUrl,
method: req.method,
mode,
keyHash: hashValue(key),
retryAfterSec: Math.ceil(blockMs / 1000),
blockLevel: record.blockLevel,
}
});
return res.status(429).json({ status: 'Too many attempts. Please try again later.' });
}
return next();
};
module.exports = {
authRateLimiter,
};
mongoDB.js
-39
View File
@@ -41,9 +41,6 @@ const getDB = new Promise((resolve, reject) => {
DB.usersCol = db.db(DBName).collection("users"); DB.usersCol = db.db(DBName).collection("users");
DB.tokensCol = db.db(DBName).collection("tokens"); DB.tokensCol = db.db(DBName).collection("tokens");
DB.invitationCol = db.db(DBName).collection("invitation"); DB.invitationCol = db.db(DBName).collection("invitation");
DB.passwordLoginTokensCol = db.db(DBName).collection("password_login_tokens");
DB.passwordLoginTokensCol.createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 }).catch(console.error);
DB.passwordLoginTokensCol.createIndex({ tokenHash: 1 }, { unique: true }).catch(console.error);
DB.checkSessionOnDB = async (session_id, user_sid)=>{ DB.checkSessionOnDB = async (session_id, user_sid)=>{
const temp_id = new mongo.ObjectID(session_id); const temp_id = new mongo.ObjectID(session_id);
@@ -81,42 +78,6 @@ const getDB = new Promise((resolve, reject) => {
return DB.usersCol.findOne({ _id }); return DB.usersCol.findOne({ _id });
} }
DB.createPasswordLoginToken = async (userId, tokenHash, expiresAt) => {
const userObjectId = mongo.ObjectID.isValid(userId) ? new mongo.ObjectID(userId) : userId;
const tokenDoc = {
userId: userObjectId,
tokenHash,
createdAt: new Date(),
expiresAt,
usedAt: null,
};
return DB.passwordLoginTokensCol.insertOne(tokenDoc).catch((err) => {
console.log(err);
return false;
});
};
DB.consumePasswordLoginToken = async (tokenHash) => {
const now = new Date();
const result = await DB.passwordLoginTokensCol.findOneAndUpdate(
{
tokenHash,
usedAt: null,
expiresAt: { $gt: now }
},
{
$set: { usedAt: now }
},
{
returnOriginal: false
}
).catch((err) => {
console.log(err);
return false;
});
return result?.value || null;
};
let usernamesCache = {} let usernamesCache = {}
DB.getUsernameByIdCache = async (userid)=>{ DB.getUsernameByIdCache = async (userid)=>{
if(!userid) return {}; if(!userid) return {};