Merge pull request #15 from Newtbot/anti-csrf-token
anti csrf token generated upon login
This commit is contained in:
BIG2EYEZ
GitHub
commit
f2a9facfaf
253
Sean/server.js
253
Sean/server.js
@ -31,6 +31,18 @@ app.use(
|
|||||||
},
|
},
|
||||||
})
|
})
|
||||||
);
|
);
|
||||||
|
|
||||||
|
app.use((req, res, next) => {
|
||||||
|
if (!req.session.csrfToken) {
|
||||||
|
req.session.csrfToken = crypto.randomBytes(32).toString('hex');
|
||||||
|
}
|
||||||
|
|
||||||
|
// Make the CSRF token available in the response context
|
||||||
|
res.locals.csrfToken = req.session.csrfToken;
|
||||||
|
console.log(`Server-side CSRF Token: ${req.session.csrfToken}`);
|
||||||
|
next();
|
||||||
|
});
|
||||||
|
|
||||||
app.set("view engine", "ejs");
|
app.set("view engine", "ejs");
|
||||||
|
|
||||||
function isAuthenticated(req, res, next) {
|
function isAuthenticated(req, res, next) {
|
||||||
@ -129,115 +141,138 @@ const logActivity = async (username, success, message) => {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
app.post('/login', [
|
||||||
// Login route
|
body('username').escape().trim().isLength({ min: 1 }).withMessage('Username must not be empty'),
|
||||||
app.post('/login',[
|
body('password').escape().trim().isLength({ min: 1 }).withMessage('Password must not be empty'),
|
||||||
body('username').escape().trim().isLength({ min: 1 }).withMessage('Username must not be empty'),
|
body('csrf_token').escape().trim().isLength({ min: 1 }).withMessage('CSRF token must not be empty'),
|
||||||
body('password').escape().trim().isLength({ min: 1 }).withMessage('Password must not be empty'),
|
],
|
||||||
],
|
async (req, res) => {
|
||||||
async (req, res) => {
|
try {
|
||||||
try {
|
const errors = validationResult(req);
|
||||||
const errors = validationResult(req);
|
|
||||||
|
// Validate CSRF token
|
||||||
if (!errors.isEmpty()) {
|
if (req.body.csrf_token !== req.session.csrfToken) {
|
||||||
// Handle validation errors, e.g., return an error message to the client
|
return res.status(403).send("Invalid CSRF token");
|
||||||
return res.render('login', { error: 'Invalid input. Please check your credentials.' });
|
}
|
||||||
}
|
|
||||||
|
if (!errors.isEmpty()) {
|
||||||
let { username, password } = req.body;
|
// Handle validation errors, e.g., return an error message to the client
|
||||||
username = username.trim();
|
return res.render('login', { error: 'Invalid input. Please check your credentials.', csrfToken: req.session.csrfToken });
|
||||||
|
}
|
||||||
const loginSql = "SELECT * FROM users WHERE username = ?";
|
|
||||||
|
let { username, password } = req.body;
|
||||||
connection.query(loginSql, [username], async (error, results) => {
|
username = username.trim();
|
||||||
if (error) {
|
|
||||||
console.error("Error executing login query:", error);
|
const loginSql = "SELECT * FROM users WHERE username = ?";
|
||||||
res.status(500).send("Internal Server Error");
|
|
||||||
return;
|
connection.query(loginSql, [username], async (error, results) => {
|
||||||
}
|
if (error) {
|
||||||
|
console.error("Error executing login query:", error);
|
||||||
if (results.length > 0) {
|
res.status(500).send("Internal Server Error");
|
||||||
const isLoginSuccessful = await bcrypt.compare(password, results[0].password);
|
return;
|
||||||
|
}
|
||||||
if (isLoginSuccessful) {
|
|
||||||
// Log successful login attempt
|
if (results.length > 0) {
|
||||||
await logActivity(username, true, "Credentials entered correctly");
|
const isLoginSuccessful = await bcrypt.compare(password, results[0].password);
|
||||||
|
|
||||||
const user = results[0];
|
if (isLoginSuccessful) {
|
||||||
const { otp, expirationTime } = generateOTP();
|
// Log successful login attempt
|
||||||
|
await logActivity(username, true, "Credentials entered correctly");
|
||||||
// Store the OTP and expiration time in the session for verification
|
|
||||||
req.session.otp = otp;
|
const user = results[0];
|
||||||
req.session.otpExpiration = expirationTime;
|
const { otp, expirationTime } = generateOTP();
|
||||||
req.session.save();
|
|
||||||
|
// Store the OTP and expiration time in the session for verification
|
||||||
// Send OTP via email
|
req.session.otp = otp;
|
||||||
try {
|
req.session.otpExpiration = expirationTime;
|
||||||
await sendOTPByEmail(user.email, otp);
|
req.session.save();
|
||||||
// Log successful OTP sending
|
|
||||||
await logActivity(username, true, "OTP successfully sent to user");
|
// Send OTP via email
|
||||||
} catch (sendOTPError) {
|
try {
|
||||||
// Log unsuccessful OTP sending
|
await sendOTPByEmail(user.email, otp);
|
||||||
await logActivity(username, false, "OTP failed to send to user");
|
// Log successful OTP sending
|
||||||
console.error("Error sending OTP:", sendOTPError);
|
await logActivity(username, true, "OTP successfully sent to user");
|
||||||
res.status(500).send("Internal Server Error");
|
} catch (sendOTPError) {
|
||||||
return;
|
// Log unsuccessful OTP sending
|
||||||
}
|
await logActivity(username, false, "OTP failed to send to user");
|
||||||
|
console.error("Error sending OTP:", sendOTPError);
|
||||||
// Render OTP input page
|
res.status(500).send("Internal Server Error");
|
||||||
res.render("otp", { error: null, username: user.username });
|
return;
|
||||||
} else {
|
}
|
||||||
// Log unsuccessful login attempt
|
|
||||||
await logActivity(username, false, "Incorrect password");
|
// Render OTP input page
|
||||||
res.render("login", { error: "Invalid username or password" });
|
res.render("otp", { error: null, username: user.username, csrfToken: req.session.csrfToken });
|
||||||
}
|
} else {
|
||||||
} else {
|
// Log unsuccessful login attempt
|
||||||
// Log unsuccessful login attempt
|
await logActivity(username, false, "Incorrect password");
|
||||||
await logActivity(username, false, "User not found");
|
res.render("login", { error: "Invalid username or password", csrfToken: req.session.csrfToken });
|
||||||
res.render("login", { error: "Invalid username or password" });
|
}
|
||||||
}
|
} else {
|
||||||
});
|
// Log unsuccessful login attempt
|
||||||
} catch (error) {
|
await logActivity(username, false, "User not found");
|
||||||
console.error("Error in login route:", error);
|
res.render("login", { error: "Invalid username or password", csrfToken: req.session.csrfToken });
|
||||||
res.status(500).send("Internal Server Error");
|
}
|
||||||
}
|
});
|
||||||
}
|
} catch (error) {
|
||||||
);
|
console.error("Error in login route:", error);
|
||||||
app.post("/verify-otp", async (req, res) => {
|
res.status(500).send("Internal Server Error");
|
||||||
try {
|
}
|
||||||
const enteredOTP = req.body.otp;
|
});
|
||||||
|
|
||||||
if (enteredOTP === req.session.otp) {
|
// OTP verification route
|
||||||
// Log successful OTP entry and login
|
app.post("/verify-otp", [
|
||||||
if (req.body.username) {
|
body('otp').escape().trim().isLength({ min: 1 }).withMessage('OTP must not be empty'),
|
||||||
await logActivity(req.body.username, true, "OTP entered correctly. Successful login");
|
body('csrf_token').escape().trim().isLength({ min: 1 }).withMessage('CSRF token must not be empty'),
|
||||||
}
|
],
|
||||||
|
async (req, res) => {
|
||||||
// Correct OTP, generate a session token
|
try {
|
||||||
const sessionToken = crypto.randomBytes(32).toString('hex');
|
const errors = validationResult(req);
|
||||||
|
|
||||||
// Store the session token in the session
|
// Validate CSRF token
|
||||||
req.session.authenticated = true;
|
if (req.body.csrf_token !== req.session.csrfToken) {
|
||||||
req.session.username = req.body.username;
|
return res.status(403).send("Invalid CSRF token");
|
||||||
req.session.sessionToken = sessionToken;
|
}
|
||||||
console.log(`Generated Session Token: ${sessionToken}`);
|
|
||||||
|
if (!errors.isEmpty()) {
|
||||||
// Redirect to home page with session token
|
// Handle validation errors, e.g., return an error message to the client
|
||||||
res.redirect("/home");
|
return res.render('otp', { error: 'Invalid OTP. Please try again.', username: req.body.username, csrfToken: req.session.csrfToken });
|
||||||
} else {
|
}
|
||||||
// Log unsuccessful OTP entry
|
|
||||||
if (req.body.username) {
|
const enteredOTP = req.body.otp;
|
||||||
await logActivity(req.body.username, false, "Incorrect OTP entered");
|
|
||||||
}
|
if (enteredOTP === req.session.otp) {
|
||||||
|
// Log successful OTP entry and login
|
||||||
// Incorrect OTP, render login page with error
|
if (req.body.username) {
|
||||||
res.render("login", { error: "Incorrect OTP. Please try again." });
|
await logActivity(req.body.username, true, "OTP entered correctly. Successful login");
|
||||||
}
|
}
|
||||||
} catch (error) {
|
|
||||||
console.error("Error in OTP verification route:", error);
|
// Correct OTP, generate a session token
|
||||||
res.status(500).send("Internal Server Error");
|
const sessionToken = crypto.randomBytes(32).toString('hex');
|
||||||
}
|
|
||||||
});
|
// Store the session token in the session
|
||||||
|
req.session.authenticated = true;
|
||||||
|
req.session.username = req.body.username;
|
||||||
|
req.session.sessionToken = sessionToken;
|
||||||
|
res.locals.csrfToken = req.session.csrfToken;
|
||||||
|
console.log(`Server-side CSRF Token: ${req.session.csrfToken}`);
|
||||||
|
console.log(`Generated Session Token: ${sessionToken}`);
|
||||||
|
|
||||||
|
// Redirect to home page with session token
|
||||||
|
res.redirect("/home");
|
||||||
|
} else {
|
||||||
|
// Log unsuccessful OTP entry
|
||||||
|
if (req.body.username) {
|
||||||
|
await logActivity(req.body.username, false, "Incorrect OTP entered");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Incorrect OTP, render login page with error
|
||||||
|
res.render("login", { error: "Incorrect OTP. Please try again.", csrfToken: req.session.csrfToken });
|
||||||
|
}
|
||||||
|
} catch (error) {
|
||||||
|
console.error("Error in OTP verification route:", error);
|
||||||
|
res.status(500).send("Internal Server Error");
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
app.get("/logout", (req, res) => {
|
app.get("/logout", (req, res) => {
|
||||||
try {
|
try {
|
||||||
|
|||||||
@ -96,6 +96,7 @@
|
|||||||
</select>
|
</select>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
<input type="hidden" name="csrf_token" value="<%= csrfToken %>">
|
||||||
<div class="button">
|
<div class="button">
|
||||||
<input type="submit" value="Register">
|
<input type="submit" value="Register">
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
@ -86,7 +86,7 @@ button:hover {
|
|||||||
|
|
||||||
<label for="password">Password</label>
|
<label for="password">Password</label>
|
||||||
<input type="password" id="password" name="password" placeholder="Enter your password" required>
|
<input type="password" id="password" name="password" placeholder="Enter your password" required>
|
||||||
|
<input type="hidden" name="csrf_token" value="<%= csrfToken %>">
|
||||||
<button type="submit">Login</button>
|
<button type="submit">Login</button>
|
||||||
</form>
|
</form>
|
||||||
|
|
||||||
@ -95,4 +95,5 @@ button:hover {
|
|||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</body>
|
</body>
|
||||||
|
|
||||||
</html>
|
</html>
|
||||||
|
|||||||
@ -69,6 +69,7 @@
|
|||||||
<label for="otp">OTP:</label>
|
<label for="otp">OTP:</label>
|
||||||
<input type="text" id="otp" name="otp" required>
|
<input type="text" id="otp" name="otp" required>
|
||||||
<br>
|
<br>
|
||||||
|
<input type="hidden" name="csrf_token" value="<%= csrfToken %>">
|
||||||
<button type="submit">Submit OTP</button>
|
<button type="submit">Submit OTP</button>
|
||||||
</form>
|
</form>
|
||||||
</body>
|
</body>
|
||||||
|
|||||||
86
package-lock.json
generated
86
package-lock.json
generated
@ -305,11 +305,87 @@
|
|||||||
"resolved": "https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz",
|
"resolved": "https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz",
|
||||||
"integrity": "sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw=="
|
"integrity": "sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw=="
|
||||||
},
|
},
|
||||||
|
"cookie-parser": {
|
||||||
|
"version": "1.4.6",
|
||||||
|
"resolved": "https://registry.npmjs.org/cookie-parser/-/cookie-parser-1.4.6.tgz",
|
||||||
|
"integrity": "sha512-z3IzaNjdwUC2olLIB5/ITd0/setiaFMLYiZJle7xg5Fe9KWAceil7xszYfHHBtDFYLSgJduS2Ty0P1uJdPDJeA==",
|
||||||
|
"requires": {
|
||||||
|
"cookie": "0.4.1",
|
||||||
|
"cookie-signature": "1.0.6"
|
||||||
|
},
|
||||||
|
"dependencies": {
|
||||||
|
"cookie": {
|
||||||
|
"version": "0.4.1",
|
||||||
|
"resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.1.tgz",
|
||||||
|
"integrity": "sha512-ZwrFkGJxUR3EIoXtO+yVE69Eb7KlixbaeAWfBQB9vVsNn/o+Yw69gBWSSDK825hQNdN+wF8zELf3dFNl/kxkUA=="
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
"cookie-signature": {
|
"cookie-signature": {
|
||||||
"version": "1.0.6",
|
"version": "1.0.6",
|
||||||
"resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
|
"resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
|
||||||
"integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ=="
|
"integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ=="
|
||||||
},
|
},
|
||||||
|
"csrf": {
|
||||||
|
"version": "3.1.0",
|
||||||
|
"resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz",
|
||||||
|
"integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==",
|
||||||
|
"requires": {
|
||||||
|
"rndm": "1.2.0",
|
||||||
|
"tsscmp": "1.0.6",
|
||||||
|
"uid-safe": "2.1.5"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"csurf": {
|
||||||
|
"version": "1.11.0",
|
||||||
|
"resolved": "https://registry.npmjs.org/csurf/-/csurf-1.11.0.tgz",
|
||||||
|
"integrity": "sha512-UCtehyEExKTxgiu8UHdGvHj4tnpE/Qctue03Giq5gPgMQ9cg/ciod5blZQ5a4uCEenNQjxyGuzygLdKUmee/bQ==",
|
||||||
|
"requires": {
|
||||||
|
"cookie": "0.4.0",
|
||||||
|
"cookie-signature": "1.0.6",
|
||||||
|
"csrf": "3.1.0",
|
||||||
|
"http-errors": "~1.7.3"
|
||||||
|
},
|
||||||
|
"dependencies": {
|
||||||
|
"cookie": {
|
||||||
|
"version": "0.4.0",
|
||||||
|
"resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz",
|
||||||
|
"integrity": "sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg=="
|
||||||
|
},
|
||||||
|
"depd": {
|
||||||
|
"version": "1.1.2",
|
||||||
|
"resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz",
|
||||||
|
"integrity": "sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ=="
|
||||||
|
},
|
||||||
|
"http-errors": {
|
||||||
|
"version": "1.7.3",
|
||||||
|
"resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.3.tgz",
|
||||||
|
"integrity": "sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw==",
|
||||||
|
"requires": {
|
||||||
|
"depd": "~1.1.2",
|
||||||
|
"inherits": "2.0.4",
|
||||||
|
"setprototypeof": "1.1.1",
|
||||||
|
"statuses": ">= 1.5.0 < 2",
|
||||||
|
"toidentifier": "1.0.0"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"setprototypeof": {
|
||||||
|
"version": "1.1.1",
|
||||||
|
"resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.1.tgz",
|
||||||
|
"integrity": "sha512-JvdAWfbXeIGaZ9cILp38HntZSFSo3mWg6xGcJJsd+d4aRMOqauag1C63dJfDw7OaMYwEbHMOxEZ1lqVRYP2OAw=="
|
||||||
|
},
|
||||||
|
"statuses": {
|
||||||
|
"version": "1.5.0",
|
||||||
|
"resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz",
|
||||||
|
"integrity": "sha512-OpZ3zP+jT1PI7I8nemJX4AKmAX070ZkYPVWV/AaKTJl+tXCTGyVdC1a4SL8RUQYEwk/f34ZX8UTykN68FwrqAA=="
|
||||||
|
},
|
||||||
|
"toidentifier": {
|
||||||
|
"version": "1.0.0",
|
||||||
|
"resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.0.tgz",
|
||||||
|
"integrity": "sha512-yaOH/Pk/VEhBWWTlhI+qXxDFXlejDGcQipMlyxda9nthulaxLZUNcUqFxokp0vcYnvteJln5FNQDRrxj3YcbVw=="
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
"debug": {
|
"debug": {
|
||||||
"version": "4.3.4",
|
"version": "4.3.4",
|
||||||
"resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
|
"resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
|
||||||
@ -1288,6 +1364,11 @@
|
|||||||
"glob": "^7.1.3"
|
"glob": "^7.1.3"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"rndm": {
|
||||||
|
"version": "1.2.0",
|
||||||
|
"resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz",
|
||||||
|
"integrity": "sha512-fJhQQI5tLrQvYIYFpOnFinzv9dwmR7hRnUz1XqP3OJ1jIweTNOd6aTO4jwQSgcBSFUB+/KHJxuGneime+FdzOw=="
|
||||||
|
},
|
||||||
"safe-buffer": {
|
"safe-buffer": {
|
||||||
"version": "5.2.1",
|
"version": "5.2.1",
|
||||||
"resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
|
"resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
|
||||||
@ -1530,6 +1611,11 @@
|
|||||||
"resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
|
"resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
|
||||||
"integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
|
"integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
|
||||||
},
|
},
|
||||||
|
"tsscmp": {
|
||||||
|
"version": "1.0.6",
|
||||||
|
"resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz",
|
||||||
|
"integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA=="
|
||||||
|
},
|
||||||
"type-is": {
|
"type-is": {
|
||||||
"version": "1.6.18",
|
"version": "1.6.18",
|
||||||
"resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
|
"resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
|
||||||
|
|||||||
@ -19,6 +19,8 @@
|
|||||||
"dependencies": {
|
"dependencies": {
|
||||||
"bcrypt": "^5.1.1",
|
"bcrypt": "^5.1.1",
|
||||||
"body-parser": "^1.20.2",
|
"body-parser": "^1.20.2",
|
||||||
|
"cookie-parser": "^1.4.6",
|
||||||
|
"csurf": "^1.11.0",
|
||||||
"dotenv": "^16.3.1",
|
"dotenv": "^16.3.1",
|
||||||
"ejs": "^3.1.9",
|
"ejs": "^3.1.9",
|
||||||
"express": "^4.18.2",
|
"express": "^4.18.2",
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user