kamp/anything-llm
1
0
Fork 0
mirror of https://github.com/Mintplex-Labs/anything-llm.git synced 2024-07-07 09:30:07 +02:00
Code Issues Packages Projects Releases Wiki Activity
88e809e40c
anything-llm/server/utils/middleware/validatedRequest.js
Timothy Carambat 3c859ba303
Change pwd check to O(1) check to prevent timing attacks - single user mode (#575) 
Change pwd check to O(1) check to prevent timing attacks
2024-01-11 10:54:55 -08:00

92 lines
2.1 KiB
JavaScript
Raw Blame History

const { SystemSettings } = require("../../models/systemSettings");
const { User } = require("../../models/user");
const { decodeJWT } = require("../http");
async function validatedRequest(request, response, next) {
const multiUserMode = await SystemSettings.isMultiUserMode();
response.locals.multiUserMode = multiUserMode;
if (multiUserMode)
return await validateMultiUserRequest(request, response, next);
// When in development passthrough auth token for ease of development.
// Or if the user simply did not set an Auth token or JWT Secret
if (
process.env.NODE_ENV === "development" ||
!process.env.AUTH_TOKEN ||
!process.env.JWT_SECRET
) {
next();
return;
}
if (!process.env.AUTH_TOKEN) {
response.status(401).json({
error: "You need to set an AUTH_TOKEN environment variable.",
});
return;
}
const auth = request.header("Authorization");
const token = auth ? auth.split(" ")[1] : null;
if (!token) {
response.status(401).json({
error: "No auth token found.",
});
return;
}
const bcrypt = require("bcrypt");
const { p } = decodeJWT(token);
if (!bcrypt.compareSync(p, bcrypt.hashSync(process.env.AUTH_TOKEN, 10))) {
response.status(401).json({
error: "Invalid auth token found.",
});
return;
}
next();
}
async function validateMultiUserRequest(request, response, next) {
const auth = request.header("Authorization");
const token = auth ? auth.split(" ")[1] : null;
if (!token) {
response.status(401).json({
error: "No auth token found.",
});
return;
}
const valid = decodeJWT(token);
if (!valid || !valid.id) {
response.status(401).json({
error: "Invalid auth token.",
});
return;
}
const user = await User.get({ id: valid.id });
if (!user) {
response.status(401).json({
error: "Invalid auth for user.",
});
return;
}
if (user.suspended) {
response.status(401).json({
error: "User is suspended from system",
});
return;
}
response.locals.user = user;
next();
}
module.exports = {
validatedRequest,
};
Reference in New Issue View Git Blame Copy Permalink