feat: improve ux and security
This commit is contained in:
@@ -1,3 +1,4 @@
|
||||
import { timingSafeEqual } from "node:crypto";
|
||||
import { z } from "zod";
|
||||
import { env } from "#server/env";
|
||||
|
||||
@@ -6,10 +7,44 @@ const bodySchema = z.object({
|
||||
password: z.string(),
|
||||
});
|
||||
|
||||
const attempts = new Map<string, { count: number; resetAt: number }>();
|
||||
const MAX_ATTEMPTS = 10;
|
||||
const WINDOW_MS = 60_000;
|
||||
|
||||
const isRateLimited = (ip: string): boolean => {
|
||||
const now = Date.now();
|
||||
const entry = attempts.get(ip);
|
||||
|
||||
if (!entry || now > entry.resetAt) {
|
||||
attempts.set(ip, { count: 1, resetAt: now + WINDOW_MS });
|
||||
return false;
|
||||
}
|
||||
|
||||
if (entry.count >= MAX_ATTEMPTS) return true;
|
||||
entry.count++;
|
||||
return false;
|
||||
};
|
||||
|
||||
const safeEqual = (a: string, b: string): boolean => {
|
||||
const aBuf = Buffer.from(a);
|
||||
const bBuf = Buffer.from(b);
|
||||
if (aBuf.length !== bBuf.length) {
|
||||
timingSafeEqual(aBuf, aBuf);
|
||||
return false;
|
||||
}
|
||||
return timingSafeEqual(aBuf, bBuf);
|
||||
};
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const ip = getRequestIP(event) ?? "unknown";
|
||||
if (isRateLimited(ip)) {
|
||||
throw createError({ statusCode: 429, message: "Too many attempts, try again later" });
|
||||
}
|
||||
|
||||
const body = await readValidatedBody(event, bodySchema.parse);
|
||||
|
||||
if (body.username !== env.ADMIN_USERNAME || body.password !== env.ADMIN_PASSWORD) {
|
||||
const valid = safeEqual(body.username, env.ADMIN_USERNAME) && safeEqual(body.password, env.ADMIN_PASSWORD);
|
||||
if (!valid) {
|
||||
throw createError({ statusCode: 401, message: "Invalid credentials" });
|
||||
}
|
||||
|
||||
|
||||
@@ -7,12 +7,16 @@ const paramsSchema = z.object({
|
||||
id: z.string().transform(Number),
|
||||
});
|
||||
|
||||
const bodySchema = z.object({
|
||||
name: z.string().min(1).optional(),
|
||||
path: z.string().min(1).optional(),
|
||||
url: z.url().optional(),
|
||||
disabled: z.boolean().optional(),
|
||||
});
|
||||
const bodySchema = z
|
||||
.object({
|
||||
name: z.string().min(1).optional(),
|
||||
path: z.string().min(1).startsWith("/").optional(),
|
||||
url: z.url().optional(),
|
||||
disabled: z.boolean().optional(),
|
||||
})
|
||||
.refine((data) => Object.values(data).some((v) => v !== undefined), {
|
||||
message: "At least one field must be provided",
|
||||
});
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const params = await getValidatedRouterParams(event, paramsSchema.parse);
|
||||
|
||||
@@ -4,7 +4,7 @@ import { z } from "zod";
|
||||
|
||||
const bodySchema = z.object({
|
||||
name: z.string().min(1),
|
||||
path: z.string().min(1),
|
||||
path: z.string().min(1).startsWith("/"),
|
||||
url: z.url(),
|
||||
disabled: z.boolean().optional(),
|
||||
});
|
||||
|
||||
@@ -4,6 +4,6 @@ export const links = sqliteTable("links", {
|
||||
id: integer("id").primaryKey({ autoIncrement: true }),
|
||||
name: text("name").notNull().unique(),
|
||||
path: text("path").notNull().unique(),
|
||||
url: text("url").notNull().unique(),
|
||||
url: text("url").notNull(),
|
||||
disabled: integer("disabled", { mode: "boolean" }).notNull().default(false),
|
||||
});
|
||||
|
||||
@@ -2,7 +2,7 @@ import { db } from "#server/db";
|
||||
import * as tables from "#server/db/schema";
|
||||
import { and, eq, ne } from "drizzle-orm";
|
||||
|
||||
const UNIQUE_FIELDS = ["name", "path", "url"] as const;
|
||||
const UNIQUE_FIELDS = ["name", "path"] as const;
|
||||
type UniqueField = (typeof UNIQUE_FIELDS)[number];
|
||||
|
||||
export const joinFields = (fields: string[]): string => {
|
||||
|
||||
Reference in New Issue
Block a user