From 7f5592e00ca99861cd2fd61a65f0c8765131ff6f Mon Sep 17 00:00:00 2001 From: Sainan Date: Sun, 23 Mar 2025 09:05:47 -0700 Subject: [PATCH] chore: improve authentication and Dropped logic (#1296) - Dropped is now also unset by getAccountForRequest - Improved how nonce is validated to avoid possible parser mismatch issues to smuggle a 0 - Updated ircDroppedController to perform only a single MongoDB operation Reviewed-on: https://onlyg.it/OpenWF/SpaceNinjaServer/pulls/1296 --- .../custom/ircDroppedController.ts | 23 +++++++++++++++---- src/services/loginService.ts | 17 +++++++------- 2 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/src/controllers/custom/ircDroppedController.ts b/src/controllers/custom/ircDroppedController.ts
index 8927c5bb..1621defc 100644
--- a/src/controllers/custom/ircDroppedController.ts
+++ b/src/controllers/custom/ircDroppedController.ts
@@ -1,9 +1,24 @@
-import { getAccountForRequest } from "@/src/services/loginService";
+import { Account } from "@/src/models/loginModel";
 import { RequestHandler } from "express";
 export const ircDroppedController: RequestHandler = async (req, res) => {
- const account = await getAccountForRequest(req);
- account.Dropped = true;
- await account.save();
+ if (!req.query.accountId) {
+ throw new Error("Request is missing accountId parameter");
+ }
+ const nonce: number = parseInt(req.query.nonce as string);
+ if (!nonce) {
+ throw new Error("Request is missing nonce parameter");
+ }
+
+ await Account.updateOne(
+ {
+ _id: req.query.accountId,
+ Nonce: nonce
+ },
+ {
+ Dropped: true
+ }
+ );
+
 res.end();
 };
diff --git a/src/services/loginService.ts b/src/services/loginService.ts
index 099103be..6509d8be 100644
--- a/src/services/loginService.ts
+++ b/src/services/loginService.ts
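Review bot: The new filter hands `req.query.accountId` to `Account.updateOne` without checking that it is a string, and the update's result is discarded, so a request whose `accountId` arrives as an array or object (Express's query parser produces those for repeated keys and bracket syntax) reaches the query unchecked, and an id/nonce pair that matches no document still answers with a plain 200 where the removed `getAccountForRequest` path would have failed. `parseInt(req.query.nonce as string)` is also still a lenient parse — `"12abc"`, `"0x10"` and a repeated `nonce` parameter (coerced to `"1,2"`) all yield a number — so the nonce accepted here may differ from what the rest of the login path accepts, which appears to be the mismatch the commit is trying to close (assuming nonces are plain positive decimal integers elsewhere; I cannot see that code). I would narrow both query values with `typeof` checks, parse the nonce strictly, and treat a zero-match update as an authentication failure so it is visible in logs rather than silent (the result field is `matchedCount` on Mongoose 6+; older versions expose `n`). The whole `ircDroppedController` body is inside this hunk.
```typescript
export const ircDroppedController: RequestHandler = async (req, res) => {
    const { accountId, nonce: rawNonce } = req.query;
    if (typeof accountId !== "string" || !accountId) {
        throw new Error("Request is missing accountId parameter");
    }
    // Strict decimal parse: rejects "0", "12abc", "0x10" and repeated ?nonce= values,
    // so the value compared against Nonce is exactly what the client sent.
    if (typeof rawNonce !== "string" || !/^[1-9]\d*$/.test(rawNonce)) {
        throw new Error("Request is missing nonce parameter");
    }
    const nonce = Number(rawNonce);

    const result = await Account.updateOne({ _id: accountId, Nonce: nonce }, { Dropped: true });
    if (result.matchedCount === 0) {
        // No account with this id/nonce pair: surface it like a failed authentication
        // instead of returning 200 for a request that changed nothing.
        throw new Error("Invalid accountId or nonce");
    }

    res.end();
};
```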
@@ -69,26 +69,27 @@ export const getAccountForRequest = async (req: Request): Promise => {
- const account = await getAccountForRequest(req);
- if (account.Dropped && req.query.ct) {
- account.Dropped = undefined;
- await account.save();
- }
- return account._id.toString();
+ return (await getAccountForRequest(req))._id.toString();
 };
 export const isAdministrator = (account: TAccountDocument): boolean => {