nyaoouo/SpaceNinjaServer
1
0
Fork 0
forked from OpenWF/SpaceNinjaServer
Code Pull Requests Activity

chore: improve authentication and Dropped logic (#1296)

Browse Source 
- Dropped is now also unset by getAccountForRequest
- Improved how nonce is validated to avoid possible parser mismatch issues to smuggle a 0
- Updated ircDroppedController to perform only a single MongoDB operation

Reviewed-on: OpenWF/SpaceNinjaServer#1296
This commit is contained in:
Sainan 2025-03-23 09:05:47 -07:00
parent c3d7ae33c2
commit 7f5592e00c
2 changed files with 28 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/controllers/custom/ircDroppedController.ts
View File

@ -1,9 +1,24 @@
import { getAccountForRequest } from "@/src/services/loginService"; import { Account } from "@/src/models/loginModel";
import { RequestHandler } from "express"; import { RequestHandler } from "express";
export const ircDroppedController: RequestHandler = async (req, res) => { export const ircDroppedController: RequestHandler = async (req, res) => {
const account = await getAccountForRequest(req); if (!req.query.accountId) {
account.Dropped = true; throw new Error("Request is missing accountId parameter");
await account.save(); }
const nonce: number = parseInt(req.query.nonce as string);
if (!nonce) {
throw new Error("Request is missing nonce parameter");
}
await Account.updateOne(
{
_id: req.query.accountId,
Nonce: nonce
},
{
Dropped: true
}
);
res.end(); res.end();
}; };

17
src/services/loginService.ts
View File

@ -69,26 +69,27 @@ export const getAccountForRequest = async (req: Request): Promise<TAccountDocume
if (!req.query.accountId) { if (!req.query.accountId) {
throw new Error("Request is missing accountId parameter"); throw new Error("Request is missing accountId parameter");
} }
if (!req.query.nonce || parseInt(req.query.nonce as string) === 0) { const nonce: number = parseInt(req.query.nonce as string);
if (!nonce) {
throw new Error("Request is missing nonce parameter"); throw new Error("Request is missing nonce parameter");
} }
const account = await Account.findOne({ const account = await Account.findOne({
_id: req.query.accountId, _id: req.query.accountId,
Nonce: req.query.nonce Nonce: nonce
}); });
if (!account) { if (!account) {
throw new Error("Invalid accountId-nonce pair"); throw new Error("Invalid accountId-nonce pair");
} }
if (account.Dropped && req.query.ct) {
account.Dropped = undefined;
await account.save();
}
return account; return account;
}; };
export const getAccountIdForRequest = async (req: Request): Promise<string> => { export const getAccountIdForRequest = async (req: Request): Promise<string> => {
const account = await getAccountForRequest(req); return (await getAccountForRequest(req))._id.toString();
if (account.Dropped && req.query.ct) {
account.Dropped = undefined;
await account.save();
}
return account._id.toString();
}; };
export const isAdministrator = (account: TAccountDocument): boolean => { export const isAdministrator = (account: TAccountDocument): boolean => {