mirror of https://gitgud.io/fatchan/jschan.git
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
102 lines
3.3 KiB
102 lines
3.3 KiB
'use strict';
|
|
|
|
const { Bypass } = require(__dirname+'/../../../db/')
|
|
, { ObjectId } = require(__dirname+'/../../../db/db.js')
|
|
, config = require(__dirname+'/../../misc/config.js')
|
|
, deleteTempFiles = require(__dirname+'/../../file/deletetempfiles.js')
|
|
, dynamicResponse = require(__dirname+'/../../misc/dynamic.js')
|
|
, production = process.env.NODE_ENV === 'production'
|
|
, Permissions = require(__dirname+'/../../permission/permissions.js');
|
|
|
|
module.exports = {
|
|
|
|
check: async (req, res, next) => {
|
|
|
|
const { secureCookies, blockBypass } = config.get;
|
|
|
|
//bypass captcha permission
|
|
if (res.locals.permissions &&
|
|
res.locals.permissions.get(Permissions.BYPASS_CAPTCHA)) {
|
|
res.locals.solvedCaptcha = true;
|
|
}
|
|
|
|
//check if blockbypass exists and right length
|
|
const bypassId = req.signedCookies.bypassid;
|
|
if (!res.locals.solvedCaptcha && (!bypassId || bypassId.length !== 24)) {
|
|
deleteTempFiles(req).catch(console.error);
|
|
return dynamicResponse(req, res, 403, 'message', {
|
|
'title': 'Forbidden',
|
|
'message': 'Please complete a block bypass to continue',
|
|
'frame': '/bypass_minimal.html',
|
|
'link': {
|
|
'href': '/bypass.html',
|
|
'text': 'Get block bypass',
|
|
},
|
|
});
|
|
}
|
|
|
|
//try to get bypass from db
|
|
let bypass;
|
|
if (bypassId && bypassId.length === 24) {
|
|
try {
|
|
const bypassMongoId = ObjectId(bypassId);
|
|
bypass = await Bypass.checkBypass(bypassMongoId, res.locals.anonymizer);
|
|
} catch (err) {
|
|
return next(err);
|
|
}
|
|
}
|
|
|
|
//next if they have a valid bypass
|
|
if (bypass != null) {
|
|
res.locals.blockBypass = true;
|
|
return next();
|
|
}
|
|
|
|
if (res.locals.solvedCaptcha) {
|
|
//they dont have a valid bypass, but just solved board captcha, so give them a new one
|
|
const newBypass = await Bypass.getBypass(res.locals.anonymizer, res.locals.pseudoIp, blockBypass.expireAfterUses);
|
|
const newBypassId = newBypass.upsertedId || newBypass.insertedId || res.locals.pseudoIp;
|
|
res.locals.blockBypass = true;
|
|
res.cookie('bypassid', newBypassId.toString(), {
|
|
'maxAge': blockBypass.expireAfterTime,
|
|
'secure': production && secureCookies && (req.headers['x-forwarded-proto'] === 'https'),
|
|
'sameSite': 'strict',
|
|
'signed': true
|
|
});
|
|
return next();
|
|
}
|
|
|
|
deleteTempFiles(req).catch(console.error);
|
|
res.clearCookie('bypassid');
|
|
return dynamicResponse(req, res, 403, 'message', {
|
|
'title': 'Forbidden',
|
|
'message': 'Block bypass expired or exceeded max uses',
|
|
'frame': '/bypass_minimal.html',
|
|
'link': {
|
|
'href': '/bypass.html',
|
|
'text': 'Get block bypass',
|
|
},
|
|
});
|
|
|
|
},
|
|
|
|
middleware: async (req, res, next) => {
|
|
const { blockBypass, secureCookies } = config.get;
|
|
//skip bypass check if not enabled, and not forced for anonymizer or we arent an anonymizer
|
|
if (!blockBypass.enabled &&
|
|
(!blockBypass.forceAnonymizers || !res.locals.anonymizer)) {
|
|
if (res.locals.anonymizer) {
|
|
//dummy for anonymizers, wont work once bypasses are enabled. just allows them to keep same ip/userId for session
|
|
res.cookie('bypassid', res.locals.pseudoIp, {
|
|
'maxAge': blockBypass.expireAfterTime,
|
|
'secure': production && secureCookies && (req.headers['x-forwarded-proto'] === 'https'),
|
|
'sameSite': 'strict',
|
|
'signed': true
|
|
});
|
|
}
|
|
return next();
|
|
}
|
|
return module.exports.check(req, res, next);
|
|
},
|
|
|
|
};
|
|
|