chore: improve authentication and Dropped logic (#1296)

- Dropped is now also unset by getAccountForRequest - Improved how nonce is validated to avoid possible parser mismatch issues to smuggle a 0 - Updated ircDroppedController to perform only a single MongoDB operation Reviewed-on: OpenWF/SpaceNinjaServer#1296
2025-03-23 09:05:47 -07:00 · 2025-03-23 09:05:47 -07:00 · 7f5592e00c
commit 7f5592e00c
parent c3d7ae33c2
2 changed files with 28 additions and 12 deletions
--- a/src/controllers/custom/ircDroppedController.ts
+++ b/src/controllers/custom/ircDroppedController.ts
@ -1,9 +1,24 @@
-import { getAccountForRequest } from "@/src/services/loginService";
+import { Account } from "@/src/models/loginModel";
 import { RequestHandler } from "express";

 export const ircDroppedController: RequestHandler = async (req, res) => {
-    const account = await getAccountForRequest(req);
-    account.Dropped = true;
-    await account.save();
+    if (!req.query.accountId) {
+        throw new Error("Request is missing accountId parameter");
+    }
+    const nonce: number = parseInt(req.query.nonce as string);
+    if (!nonce) {
+        throw new Error("Request is missing nonce parameter");
+    }
+
+    await Account.updateOne(
+        {
+            _id: req.query.accountId,
+            Nonce: nonce
+        },
+        {
+            Dropped: true
+        }
+    );
+
    res.end();
 };
--- a/src/services/loginService.ts
+++ b/src/services/loginService.ts
@ -69,26 +69,27 @@ export const getAccountForRequest = async (req: Request): Promise<TAccountDocume
    if (!req.query.accountId) {
        throw new Error("Request is missing accountId parameter");
    }
-    if (!req.query.nonce || parseInt(req.query.nonce as string) === 0) {
+    const nonce: number = parseInt(req.query.nonce as string);
+    if (!nonce) {
        throw new Error("Request is missing nonce parameter");
    }
+
    const account = await Account.findOne({
        _id: req.query.accountId,
-        Nonce: req.query.nonce
+        Nonce: nonce
    });
    if (!account) {
        throw new Error("Invalid accountId-nonce pair");
    }
+    if (account.Dropped && req.query.ct) {
+        account.Dropped = undefined;
+        await account.save();
+    }
    return account;
 };

 export const getAccountIdForRequest = async (req: Request): Promise<string> => {
-    const account = await getAccountForRequest(req);
-    if (account.Dropped && req.query.ct) {
-        account.Dropped = undefined;
-        await account.save();
-    }
-    return account._id.toString();
+    return (await getAccountForRequest(req))._id.toString();
 };

 export const isAdministrator = (account: TAccountDocument): boolean => {