mirror of https://gitgud.io/fatchan/jschan.git
fix conditions for when to render bypass vs message page on failed captchas; use crypto timingSafeEqual for comparing input to answer
merge-requests/208/head
parent
6d7c8d5989
commit
28fdb8af81
5 changed files with 57 additions and 61 deletions
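--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,31 @@
+'use strict';
+
+const { Captchas } = require(__dirname+'/../../db/')
+, { ObjectId } = require(__dirname+'/../../db/db.js')
+, { timingSafeEqual } = require('crypto')
+
+module.exports = async (captchaInput, captchaId) => {
+
+//check if captcha field in form is valid
+if (!captchaInput || captchaInput.length !== 6) {
+throw 'Incorrect captcha answer';
+}
+
+//make sure they have captcha cookie and its 24 chars
+if (!captchaId || captchaId.length !== 24) {
+throw 'Captcha expired';
+}
+
+// try to get the captcha from the DB
+const captchaMongoId = ObjectId(captchaId);
+let captcha = await Captchas.findOneAndDelete(captchaMongoId, captchaInput);
+
+//check that it exists and matches captcha in DB
+if (!captcha || !captcha.value
+|| !timingSafeEqual(Buffer.from(captcha.value.text), Buffer.from(captchaInput))) {
+throw 'Incorrect captcha answer';
+}
+
+return true;
+
+}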
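Review bot: `timingSafeEqual` throws a `RangeError` when its two buffers differ in byte length, and the new comparison never checks that; the earlier `captchaInput.length !== 6` guard counts UTF-16 code units, so an input whose `Buffer.from` byte length is not the stored answer's length escapes as an exception instead of the `'Incorrect captcha answer'` string the callers presumably branch on. Compare lengths first, `const expected = Buffer.from(captcha.value.text); const given = Buffer.from(captchaInput);` and then `if (expected.length !== given.length || !timingSafeEqual(expected, given)) {`; the length check leaks nothing useful since the answer length is fixed at 6 by the guard above. The same guard should also confirm `typeof captchaInput === 'string'`, because `.length` and `Buffer.from` accept non-string values that reach this point. Since `findOneAndDelete` already removed the document, a failed compare correctly burns the captcha, so this is purely an error-path fix. The exported function is entirely within the hunk.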