security improvements

2025-10-07 13:39:53 -04:00
parent a4aca9c99d
commit 329becfb08
11 changed files with 287 additions and 35 deletions
--- a/server/api/auth/login.post.ts
+++ b/server/api/auth/login.post.ts
@@ -1,8 +1,26 @@
-import { getUserByUsername } from '~/server/utils/database'
-import { setAuthCookie } from '~/server/utils/auth'
+import { getUserByUsername, checkRateLimit, resetRateLimit, createSession } from '~/server/utils/database'
+import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'
 import bcrypt from 'bcrypt'

 export default defineEventHandler(async (event) => {
+  // Get client IP for rate limiting
+  const clientIp = getRequestIP(event) || 'unknown'
+  
+  // Log IP for verification (helps ensure correct public IP is captured)
+  console.log(`[LOGIN ATTEMPT] IP: ${clientIp}, Headers:`, {
+    'x-forwarded-for': getHeader(event, 'x-forwarded-for'),
+    'x-real-ip': getHeader(event, 'x-real-ip'),
+    'cf-connecting-ip': getHeader(event, 'cf-connecting-ip')
+  })
+  
+  // Check rate limit: 5 attempts per 15 minutes
+  if (!checkRateLimit(clientIp, 'login', 5, 15)) {
+    throw createError({
+      statusCode: 429,
+      message: 'Too many login attempts. Please try again in 15 minutes.'
+    })
+  }
+
  const body = await readBody(event)
  const { username, password } = body

@@ -16,6 +34,7 @@ export default defineEventHandler(async (event) => {
  const user = getUserByUsername(username.toLowerCase())

  if (!user) {
+    console.log(`[LOGIN FAILED] Username not found: ${username.toLowerCase()}, IP: ${clientIp}`)
    throw createError({
      statusCode: 401,
      message: 'Invalid credentials'
@@ -26,13 +45,26 @@ export default defineEventHandler(async (event) => {
  const passwordMatch = await bcrypt.compare(password, user.password)

  if (!passwordMatch) {
+    console.log(`[LOGIN FAILED] Invalid password for user: ${username.toLowerCase()}, IP: ${clientIp}`)
    throw createError({
      statusCode: 401,
      message: 'Invalid credentials'
    })
  }

-  setAuthCookie(event, user.username)
+  // Generate session token and create session
+  const sessionToken = generateSessionToken()
+  const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString() // 24 hours
+  createSession(sessionToken, user.username, expiresAt)
+  
+  // Set session cookie
+  setAuthCookie(event, sessionToken)
+  
+  // Reset rate limit on successful login
+  resetRateLimit(clientIp, 'login')
+  
+  // Log successful login
+  console.log(`[LOGIN SUCCESS] User: ${user.username}, IP: ${clientIp}`)

  return {
    success: true,
--- a/server/api/auth/logout.post.ts
+++ b/server/api/auth/logout.post.ts
@@ -1,6 +1,16 @@
-import { clearAuthCookie } from '~/server/utils/auth'
+import { clearAuthCookie, getAuthCookie } from '~/server/utils/auth'
+import { deleteSession } from '~/server/utils/database'

 export default defineEventHandler(async (event) => {
+  // Get session token from cookie
+  const sessionToken = getAuthCookie(event)
+  
+  // Delete session from database if it exists
+  if (sessionToken) {
+    deleteSession(sessionToken)
+  }
+  
+  // Clear the cookie
  clearAuthCookie(event)
  
  return {
--- a/server/api/auth/register.post.ts
+++ b/server/api/auth/register.post.ts
@@ -1,7 +1,25 @@
-import { createUser, getUserByUsername, getUserByEmail } from '~/server/utils/database'
-import { setAuthCookie } from '~/server/utils/auth'
+import { createUser, getUserByUsername, getUserByEmail, checkRateLimit, createSession } from '~/server/utils/database'
+import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'

 export default defineEventHandler(async (event) => {
+  // Get client IP for rate limiting
+  const clientIp = getRequestIP(event) || 'unknown'
+  
+  // Log IP for verification
+  console.log(`[REGISTER ATTEMPT] IP: ${clientIp}, Headers:`, {
+    'x-forwarded-for': getHeader(event, 'x-forwarded-for'),
+    'x-real-ip': getHeader(event, 'x-real-ip'),
+    'cf-connecting-ip': getHeader(event, 'cf-connecting-ip')
+  })
+  
+  // Check rate limit: 3 attempts per hour
+  if (!checkRateLimit(clientIp, 'register', 3, 60)) {
+    throw createError({
+      statusCode: 429,
+      message: 'Too many registration attempts. Please try again in 1 hour.'
+    })
+  }
+
  const body = await readBody(event)
  const { username, password, email, firstName, lastName } = body

@@ -80,8 +98,16 @@ export default defineEventHandler(async (event) => {
    // Create the new user with all fields
    createUser(username.toLowerCase(), password, email.toLowerCase(), firstName, lastName)
    
-    // Log them in automatically
-    setAuthCookie(event, username.toLowerCase())
+    // Generate session token and create session for auto-login
+    const sessionToken = generateSessionToken()
+    const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString() // 24 hours
+    createSession(sessionToken, username.toLowerCase(), expiresAt)
+    
+    // Set session cookie
+    setAuthCookie(event, sessionToken)
+    
+    // Log successful registration
+    console.log(`[REGISTER SUCCESS] User: ${username.toLowerCase()}, IP: ${clientIp}`)

    return {
      success: true,
--- a/server/api/auth/verify.get.ts
+++ b/server/api/auth/verify.get.ts
@@ -1,8 +1,8 @@
-import { getAuthCookie, clearAuthCookie } from '~/server/utils/auth'
+import { getSessionUsername, clearAuthCookie } from '~/server/utils/auth'
 import { getUserByUsername } from '~/server/utils/database'

 export default defineEventHandler(async (event) => {
-  const username = getAuthCookie(event)
+  const username = await getSessionUsername(event)
  
  if (!username) {
    return {
--- a/server/api/sermons/archive/[id].post.ts
+++ b/server/api/sermons/archive/[id].post.ts
@@ -1,15 +1,27 @@
-import { isAuthenticated } from '~/server/utils/auth'
-import { archiveSermon } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+import { archiveSermon, getUserByUsername } from '~/server/utils/database'

 export default defineEventHandler(async (event) => {
  // Check authentication
-  if (!isAuthenticated(event)) {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
    throw createError({
      statusCode: 401,
      message: 'Unauthorized'
    })
  }

+  // Check admin role
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
  const id = getRouterParam(event, 'id')
  
  if (!id) {
--- a/server/api/sermons/delete/[id].delete.ts
+++ b/server/api/sermons/delete/[id].delete.ts
@@ -1,15 +1,27 @@
-import { isAuthenticated } from '~/server/utils/auth'
-import { getDatabase } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+import { getDatabase, getUserByUsername } from '~/server/utils/database'

 export default defineEventHandler(async (event) => {
  // Check authentication
-  if (!isAuthenticated(event)) {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
    throw createError({
      statusCode: 401,
      message: 'Unauthorized'
    })
  }

+  // Check admin role
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
  const id = getRouterParam(event, 'id')
  
  if (!id) {
--- a/server/api/sermons/index.post.ts
+++ b/server/api/sermons/index.post.ts
@@ -1,15 +1,27 @@
-import { createSermon } from '~/server/utils/database'
-import { isAuthenticated } from '~/server/utils/auth'
+import { createSermon, getUserByUsername } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'

 export default defineEventHandler(async (event) => {
  // Check authentication
-  if (!isAuthenticated(event)) {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
    throw createError({
      statusCode: 401,
      message: 'Unauthorized'
    })
  }

+  // Check admin role
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
  const body = await readBody(event)
  const { slug, title, date, dates, bible_references, personal_appliance, pastors_challenge, worship_songs } = body

--- a/server/api/sermons/unarchive/[id].post.ts
+++ b/server/api/sermons/unarchive/[id].post.ts
@@ -1,15 +1,27 @@
-import { isAuthenticated } from '~/server/utils/auth'
-import { getDatabase } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+import { getDatabase, getUserByUsername } from '~/server/utils/database'

 export default defineEventHandler(async (event) => {
  // Check authentication
-  if (!isAuthenticated(event)) {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
    throw createError({
      statusCode: 401,
      message: 'Unauthorized'
    })
  }

+  // Check admin role
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
  const id = getRouterParam(event, 'id')
  
  if (!id) {
--- a/server/api/sermons/update/[id].put.ts
+++ b/server/api/sermons/update/[id].put.ts
@@ -1,15 +1,27 @@
-import { isAuthenticated } from '~/server/utils/auth'
-import { getDatabase } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+import { getDatabase, getUserByUsername } from '~/server/utils/database'

 export default defineEventHandler(async (event) => {
  // Check authentication
-  if (!isAuthenticated(event)) {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
    throw createError({
      statusCode: 401,
      message: 'Unauthorized'
    })
  }

+  // Check admin role
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
  const id = getRouterParam(event, 'id')
  
  if (!id) {