added jwt user_id verification / removed vulnerable user mgmt

solun-pm · Apr 2, 2024 · 332dcc0 · 332dcc0
1 parent 1209cb5
commit 332dcc0
Show file tree

Hide file tree

Showing 30 changed files with 256 additions and 50 deletions.
diff --git a/src/functions/database/save_temp_token.ts b/src/functions/database/save_temp_token.ts
@@ -1,13 +1,20 @@
 import { Request, Response } from 'express';
 import { dbConnect, temp_token } from 'solun-database-package'
+import { getJWTData } from '../../utils/jwt';
 
 export async function handleSaveTempTokenDatabaseRequest(req: Request, res: Response) {
   try {
     const requestData = await req.body;
 
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
+
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+
     await dbConnect();
 
-    let user_id = requestData.user_id;
+    let user_id = jwt_data.user_id;
     let fqe = requestData.fqe;
     let service = requestData.service;
     let tempToken = requestData.token;

diff --git a/src/functions/two_factor/disable.ts b/src/functions/two_factor/disable.ts
@@ -1,23 +1,26 @@
 import { Request, Response } from 'express';
 import { dbConnect, findOneDocument, updateOneDocument, User } from 'solun-database-package';
+import { getJWTData } from '../../utils/jwt';
 
 export async function handleDisableTwoFactorRequest(req: Request, res: Response) {
   try {
-    const requestData = req.body;
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
 
-    await dbConnect();
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
 
-    let user_id = requestData.user_id;
+    await dbConnect();
 
-    const user = await findOneDocument(User, { user_id: user_id });
+    const user = await findOneDocument(User, { user_id: jwt_data.user_id });
 
     if (!user) {
         return res.status(400).json({ message: 'User doest not exist or password is incorrect' });
     }
 
     await updateOneDocument(
       User,
-      { user_id: user_id },
+      { user_id: jwt_data.user_id },
       { two_fa: false, two_fa_secret: "" }
     );
 

diff --git a/src/functions/two_factor/enable.ts b/src/functions/two_factor/enable.ts
@@ -1,24 +1,30 @@
 import { Request, Response } from 'express';
 import { dbConnect, findOneDocument, updateOneDocument, User } from 'solun-database-package';
+import { getJWTData } from '../../utils/jwt';
 
 export async function handleEnableTwoFactorRequest(req: Request, res: Response) {
   try {
     const requestData = req.body;
 
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
+
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+
     await dbConnect();
 
-    let user_id = requestData.user_id;
     let secret = requestData.secret;
 
-    const user = await findOneDocument(User, { user_id: user_id });
+    const user = await findOneDocument(User, { user_id: jwt_data.user_id });
 
     if (!user) {
         return res.status(400).json({ message: 'User doest not exist or password is incorrect' });
     }
 
     await updateOneDocument(
       User,
-      { user_id: user_id },
+      { user_id: jwt_data.user_id },
       { two_fa: true, two_fa_secret: secret }
     );
 

diff --git a/src/functions/user/alias/add_alias.ts b/src/functions/user/alias/add_alias.ts
@@ -3,9 +3,16 @@ import { dbConnect, findOneDocument, findOneCASEDocument, User, User_Aliases, Us
 import { isValidEmail } from 'solun-general-package';
 const { SolunApiClient } = require("../../../mail/mail");
 import { checkPlanCaps } from '../../../plans/check';
+import { getJWTData } from '../../../utils/jwt';
 
 export async function handleCreateAliasRequest(req: Request, res: Response) {
   try {
+
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
+
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
 
     await dbConnect();
 
@@ -14,7 +21,7 @@ export async function handleCreateAliasRequest(req: Request, res: Response) {
       process.env.MAILSERVER_API_KEY
     );
 
-    let user_id = req.body.user_id;
+    let user_id = jwt_data.user_id;
     let aliasName = req.body.aliasName;
     let domain = req.body.domain;
     let goto = req.body.goto;

diff --git a/src/functions/user/alias/alias_active_switch.ts b/src/functions/user/alias/alias_active_switch.ts
@@ -1,17 +1,25 @@
 import { Request, Response } from 'express';
 import { dbConnect, findOneDocument, updateOneDocument, User, User_Aliases } from 'solun-database-package';
+import { getJWTData } from '../../../utils/jwt';
 const { SolunApiClient } = require("../../../mail/mail");
 
 export async function handleSwitchStateAliasRequest(req: Request, res: Response) {
   try {
+
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
+
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+
     await dbConnect();
 
     const mcc = new SolunApiClient(
         process.env.MAILSERVER_BASEURL,
         process.env.MAILSERVER_API_KEY
       );
 
-      let user_id = req.body.user_id;
+      let user_id = jwt_data.user_id;
       let fqa = req.body.fqa;
       let alias_state = req.body.alias_state;
 

diff --git a/src/functions/user/alias/delete_alias.ts b/src/functions/user/alias/delete_alias.ts
@@ -1,17 +1,25 @@
 import { Request, Response } from 'express';
 import { dbConnect, findOneDocument, deleteOneDocument, User, User_Aliases } from 'solun-database-package';
+import { getJWTData } from '../../../utils/jwt';
 const { SolunApiClient } = require("../../../mail/mail");
 
 export async function handleDeleteAliasRequest(req: Request, res: Response) {
   try {
+
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
+
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+
     await dbConnect();
 
     const mcc = new SolunApiClient(
       process.env.MAILSERVER_BASEURL,
       process.env.MAILSERVER_API_KEY
     );
 
-    let user_id = req.body.user_id;
+    let user_id = jwt_data.user_id;
     let fqa = req.body.fqa;
 
     const user = await findOneDocument(User, { user_id: user_id });

diff --git a/src/functions/user/alias/get_alias.ts b/src/functions/user/alias/get_alias.ts
@@ -1,11 +1,19 @@
 import { Request, Response } from 'express';
 import { dbConnect, findOneDocument, User, User_Aliases } from 'solun-database-package';
+import { getJWTData } from '../../../utils/jwt';
 
 export async function handleGetAliasRequest(req: Request, res: Response) {
   try {
+
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
+
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+
     await dbConnect();
 
-    let user_id = req.body.user_id;
+    let user_id = jwt_data.user_id;
 
     const user = await findOneDocument(User, { user_id: user_id });
 

diff --git a/src/functions/user/alias/get_domains.ts b/src/functions/user/alias/get_domains.ts
@@ -1,11 +1,19 @@
 import { Request, Response } from 'express';
 import { dbConnect, findDocuments, findOneDocument, User, User_Domains } from 'solun-database-package';
+import { getJWTData } from '../../../utils/jwt';
 
 export async function handleGetDomainsAliasRequest(req: Request, res: Response) {
   try {
+
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
+
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+
     await dbConnect();
 
-    let user_id = req.body.user_id;
+    let user_id = jwt_data.user_id;
 
     const user = await findOneDocument(User, { user_id: user_id });
     const user_domains = await findDocuments(User_Domains, { user_id: user_id, verification_status: "active" });

diff --git a/src/functions/user/alias/get_gotos.ts b/src/functions/user/alias/get_gotos.ts
@@ -1,11 +1,19 @@
 import { Request, Response } from 'express';
 import { dbConnect, findDocuments, findOneDocument, User, User_Domains, User_Mailboxes } from 'solun-database-package';
+import { getJWTData } from '../../../utils/jwt';
 
 export async function handleGetGotosAliasRequest(req: Request, res: Response) {
   try {
+
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
+
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+
     await dbConnect();
 
-    let user_id = req.body.user_id;
+    let user_id = jwt_data.user_id;
 
     const user = await findOneDocument(User, { user_id: user_id });
     const user_domains = await findDocuments(User_Domains, { user_id: user_id, verification_status: "active" });

diff --git a/src/functions/user/api_access.ts b/src/functions/user/api_access.ts
@@ -1,25 +1,31 @@
 import { Request, Response } from 'express';
 import { dbConnect, findOneDocument, updateOneDocument, User, api_keys, deleteOneDocument } from 'solun-database-package';
 import { generateToken } from 'solun-general-package';
+import { getJWTData } from '../../utils/jwt';
 
 export async function handleApiAccessUserRequest(req: Request, res: Response) {
   try {
     const requestData = req.body;
 
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
+
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+
     await dbConnect();
 
-    let user_id = requestData.user_id;
     let api_access = requestData.api_access;
 
-    const user = await findOneDocument(User, { user_id: user_id });
+    const user = await findOneDocument(User, { user_id: jwt_data.user_id });
 
     if (!user) {
         return res.status(400).json({ message: "User does not exist or password is incorrect" });
     }
 
     await updateOneDocument(
       User,
-      { user_id: user_id },
+      { user_id: jwt_data.user_id },
       { api_access: api_access }
     );
 
@@ -28,19 +34,19 @@ export async function handleApiAccessUserRequest(req: Request, res: Response) {
     if (api_access) {
       token = generateToken();
 
-      const result = await findOneDocument(api_keys, { user_id: user_id });
+      const result = await findOneDocument(api_keys, { user_id: jwt_data.user_id });
       if (result !== null) {
         return res.status(400).json({ message: "Api access already exists" });
       }
 
       const newToken = new api_keys({
-        user_id: user_id,
+        user_id: jwt_data.user_id,
         token: token,
       });
 
       await newToken.save();
     } else {
-      await deleteOneDocument(api_keys, { user_id: user_id });
+      await deleteOneDocument(api_keys, { user_id: jwt_data.user_id });
     }
 
     return res.status(200).json({ message: "Api access updated successfully", token: token });

diff --git a/src/functions/user/beta_features.ts b/src/functions/user/beta_features.ts
@@ -1,24 +1,30 @@
 import { Request, Response } from 'express';
 import { dbConnect, findOneDocument, updateOneDocument, User } from 'solun-database-package';
+import { getJWTData } from '../../utils/jwt';
 
 export async function handleBetaFeaturesUserRequest(req: Request, res: Response) {
   try {
     const requestData = req.body;
 
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
+
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+
     await dbConnect();
 
-    let user_id = requestData.user_id;
     let beta_features = requestData.beta_features;
 
-    const user = await findOneDocument(User, { user_id: user_id });
+    const user = await findOneDocument(User, { user_id: jwt_data.user_id });
 
     if (!user) {
         return res.status(400).json({ message: "User does not exist or password is incorrect" });
     }
 
     await updateOneDocument(
       User,
-      { user_id: user_id },
+      { user_id: jwt_data.user_id },
       { beta: beta_features }
     );
 

diff --git a/src/functions/user/change_pwd.ts b/src/functions/user/change_pwd.ts
@@ -1,20 +1,27 @@
 import { Request, Response } from 'express';
 import { dbConnect, findOneDocument, updateOneDocument, User } from 'solun-database-package';
 import { comparePassword, hashPassword, encryptAuthPM, decryptAuthPM } from 'solun-general-package';
+import { getJWTData } from '../../utils/jwt';
 const { SolunApiClient } = require("../../mail/mail");
 
 
 export async function handleChangePWDUserRequest(req: Request, res: Response) {
   try {
     const requestData = req.body;
 
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
+
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+
     await dbConnect();
     const mcc = new SolunApiClient(
       process.env.MAILSERVER_BASEURL,
       process.env.MAILSERVER_API_KEY
     );
 
-    let user_id = requestData.user_id;
+    let user_id = jwt_data.user_id;
     let currentPassword = requestData.currentPassword;
     let newPassword = requestData.newPassword;
 

diff --git a/src/functions/user/domain/add_domain.ts b/src/functions/user/domain/add_domain.ts
@@ -2,18 +2,25 @@ import { Request, Response } from 'express';
 import { dbConnect, findOneDocument, findOneCASEDocument, User, User_Domains } from 'solun-database-package';
 const { SolunApiClient } = require("../../../mail/mail");
 import { checkPlanCaps } from '../../../plans/check';
+import { getJWTData } from '../../../utils/jwt';
 
 export async function handleAddDomainRequest(req: Request, res: Response) {
   try {
 
+    const jwt_data = getJWTData(req.body.token) as { user_id: string } | null;
+
+    if (jwt_data == null) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
+
     await dbConnect();
 
     const mcc = new SolunApiClient(
       process.env.MAILSERVER_BASEURL,
       process.env.MAILSERVER_API_KEY
     );
 
-    let user_id = req.body.user_id;
+    let user_id = jwt_data.user_id;
     let domain = req.body.domain;
 
     if (!user_id || !domain) {