Bugfix for repeated getting new bypass when tor user didnt need one. not necessarily a big problem but it means they would keep getting new ids. this could actually be leveraged for a scuffed auto-refresh system in future

configs/main.js.example

@@ -19,7 +19,7 @@ module.exports = {
 	ipHashSecret: 'long random string',
 	postPasswordSecret: 'long random string',
 
-	//enable secure cookies, only use with https
+	//enable secure cookies, only use with https/not tor
 	secureCookies: true,
 
 	//check referrer to prevent some CSRF attack
@@ -31,7 +31,7 @@ module.exports = {
 	//header for country codes, for cloudflare, use 'Cf-Ipcountry'
 	countryCodeHeader: 'x-country-code',
 	//header for visitor IP, for cloudflare use 'CF-Connecting-IP'
-	ipHeader: 'X-Real-IP',
+	ipHeader: 'x-real-ip',
 
 	//data used in opengraph meta tags. used to generate link previews in e.g. discord, twitter, etc
 	meta: {
@@ -108,7 +108,7 @@ module.exports = {
 	thumbExtension: '.jpg',
 
 	//max thumb dimensions (square) in px. images smaller than this are not thumbnailed
-	thumbSize: 220,
+	thumbSize: 250,
 
 	/* extra mime types for files to be uploaded as attachments (no thumbnails) e.g. text files/archives
 		NOTE: appropriate extensions will need to be added to nginx configuration, and uncommend the provided

controllers/forms.js

@@ -79,12 +79,12 @@ router.post('/global/editaccounts', useSession, sessionRefresh, csrf, calcPerms,
 router.post('/global/settings', useSession, sessionRefresh, csrf, calcPerms, isLoggedIn, hasPerms(0), paramConverter, globalSettingsController); //global settings
 
 //create board
-router.post('/create', /*geoAndTor, torPreBypassCheck, processIp,*/ useSession, sessionRefresh, isLoggedIn, verifyCaptcha, calcPerms, hasPerms(4), createBoardController);
+router.post('/create', geoAndTor, torPreBypassCheck, processIp, useSession, sessionRefresh, isLoggedIn, verifyCaptcha, calcPerms, hasPerms(4), createBoardController);
 //accounts
 router.post('/login', useSession, loginController);
 router.post('/logout', useSession, logout);
-router.post('/register', /*geoAndTor, torPreBypassCheck, processIp,*/ useSession, sessionRefresh, verifyCaptcha, calcPerms, registerController);
+router.post('/register', geoAndTor, torPreBypassCheck, processIp, useSession, sessionRefresh, verifyCaptcha, calcPerms, registerController);
-router.post('/changepassword', /*geoAndTor, torPreBypassCheck, processIp,*/ useSession, sessionRefresh, verifyCaptcha, changePasswordController);
+router.post('/changepassword', geoAndTor, torPreBypassCheck, processIp, useSession, sessionRefresh, verifyCaptcha, changePasswordController);
 
 //removes captcha cookie, for refreshing for noscript users
 router.post('/newcaptcha', newCaptcha);

gulp/res/css/style.css

@@ -2,7 +2,7 @@
 	--attachment-img: url('/file/attachment.png');
 	--spoiler-img: url('/file/spoiler.png');
 	--audio-img: url('/file/audio.png');
-	--thumbnail-size: 220px;
+	--thumbnail-size: 250px;
 }
 
 body {

helpers/checks/blockbypass.js

@@ -9,7 +9,7 @@ const { Bypass } = require(__dirname+'/../../db/')
 
 module.exports = async (req, res, next) => {
 
-	if (!blockBypass.enabled && !res.locals.tor) { //for now, tor MUST solve a bypass
+	if (res.locals.preFetchedBypassId || !blockBypass.enabled && !res.locals.tor) { //for now, tor MUST solve a bypass
 		return next();
 	}
 

helpers/checks/torprebypass.js

@@ -10,7 +10,6 @@ const { Bypass, Captchas } = require(__dirname+'/../../db/')
 
 module.exports = async (req, res, next) => {
 
-console.log('TOR PRE BYPASS')
 	//early byapss is only needed for tor users
 	if (!res.locals.tor) {
 		return next();
@@ -26,7 +25,8 @@ console.log('TOR PRE BYPASS')
 		});
 	}
 	const captchaId = req.cookies.captchaid;
-	if (input) {
+	let bypassId = req.signedCookies.bypassid;
+	if (input && !bypassId) {
 		// try to get the captcha from the DB
 		let captcha;
 		try {
@@ -52,6 +52,8 @@ console.log('TOR PRE BYPASS')
 		//they dont have a valid bypass, but just solved a captcha, so give them a new one
 		const newBypass = await Bypass.getBypass();
 		const newBypassId = newBypass.insertedId;
+		bypassId = newBypassId.toString();
+		res.locals.preFetchedBypassId = bypassId;
 		res.locals.blockBypass = newBypass.ops[0];
 		res.cookie('bypassid', newBypassId.toString(), {
 			'maxAge': blockBypass.expireAfterTime,
@@ -63,7 +65,6 @@ console.log('TOR PRE BYPASS')
 	}
 
 	//check if blockbypass exists and right length
-	const bypassId = req.signedCookies.bypassid;
 	if (!bypassId || bypassId.length !== 24) {
 		return dynamicResponse(req, res, 403, 'message', {
 			'title': 'Forbidden',
@@ -76,7 +77,6 @@ console.log('TOR PRE BYPASS')
 		});
 	}
 
-console.log('in tor pre bypass', bypassId)
 	return next();
 
 }

helpers/filemiddlewares.js

@@ -46,8 +46,6 @@ module.exports = {
 	}),
 
 	handlePostFilesEarlyTor:  (req, res, next) => {
-console.log('handlePostFilesEarlyTor')
-console.log(res.locals.tor, postFiles)
 		if (res.locals.tor) {
 			return postFiles(req, res, next);
 		}
@@ -55,7 +53,6 @@ console.log(res.locals.tor, postFiles)
 	},
 
 	handlePostFiles: (req, res, next) => {
-console.log('handlePostFiles')
 		if (res.locals.tor) {
 			return next();
 		}

helpers/processip.js

@@ -8,14 +8,14 @@ const { ipHeader, ipHashPermLevel } = require(__dirname+'/../configs/main.js')
 
 module.exports = (req, res, next) => {
 
-	//tor user ip uses bypassid, if they dont have one send to blockbypass
+	//tor user ip uses bypass id, if they dont have one send to blockbypass
 	if (res.locals.tor) {
-		const bypassId = req.signedCookies.bypassid;
+		const pseudoIp = res.locals.preFetchedBypassId || req.signedCookies.bypassid;
 		res.locals.ip = {
-			raw: bypassId,
+			raw: pseudoIp,
-			single: bypassId,
+			single: pseudoIp,
-			qrange: bypassId,
+			qrange: pseudoIp,
-			hrange: bypassId,
+			hrange: pseudoIp,
 		};
 		return next();
 	}