security improvements
This commit is contained in:
@@ -1,8 +1,26 @@
|
||||
import { getUserByUsername } from '~/server/utils/database'
|
||||
import { setAuthCookie } from '~/server/utils/auth'
|
||||
import { getUserByUsername, checkRateLimit, resetRateLimit, createSession } from '~/server/utils/database'
|
||||
import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'
|
||||
import bcrypt from 'bcrypt'
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
// Get client IP for rate limiting
|
||||
const clientIp = getRequestIP(event) || 'unknown'
|
||||
|
||||
// Log IP for verification (helps ensure correct public IP is captured)
|
||||
console.log(`[LOGIN ATTEMPT] IP: ${clientIp}, Headers:`, {
|
||||
'x-forwarded-for': getHeader(event, 'x-forwarded-for'),
|
||||
'x-real-ip': getHeader(event, 'x-real-ip'),
|
||||
'cf-connecting-ip': getHeader(event, 'cf-connecting-ip')
|
||||
})
|
||||
|
||||
// Check rate limit: 5 attempts per 15 minutes
|
||||
if (!checkRateLimit(clientIp, 'login', 5, 15)) {
|
||||
throw createError({
|
||||
statusCode: 429,
|
||||
message: 'Too many login attempts. Please try again in 15 minutes.'
|
||||
})
|
||||
}
|
||||
|
||||
const body = await readBody(event)
|
||||
const { username, password } = body
|
||||
|
||||
@@ -16,6 +34,7 @@ export default defineEventHandler(async (event) => {
|
||||
const user = getUserByUsername(username.toLowerCase())
|
||||
|
||||
if (!user) {
|
||||
console.log(`[LOGIN FAILED] Username not found: ${username.toLowerCase()}, IP: ${clientIp}`)
|
||||
throw createError({
|
||||
statusCode: 401,
|
||||
message: 'Invalid credentials'
|
||||
@@ -26,13 +45,26 @@ export default defineEventHandler(async (event) => {
|
||||
const passwordMatch = await bcrypt.compare(password, user.password)
|
||||
|
||||
if (!passwordMatch) {
|
||||
console.log(`[LOGIN FAILED] Invalid password for user: ${username.toLowerCase()}, IP: ${clientIp}`)
|
||||
throw createError({
|
||||
statusCode: 401,
|
||||
message: 'Invalid credentials'
|
||||
})
|
||||
}
|
||||
|
||||
setAuthCookie(event, user.username)
|
||||
// Generate session token and create session
|
||||
const sessionToken = generateSessionToken()
|
||||
const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString() // 24 hours
|
||||
createSession(sessionToken, user.username, expiresAt)
|
||||
|
||||
// Set session cookie
|
||||
setAuthCookie(event, sessionToken)
|
||||
|
||||
// Reset rate limit on successful login
|
||||
resetRateLimit(clientIp, 'login')
|
||||
|
||||
// Log successful login
|
||||
console.log(`[LOGIN SUCCESS] User: ${user.username}, IP: ${clientIp}`)
|
||||
|
||||
return {
|
||||
success: true,
|
||||
|
||||
Reference in New Issue
Block a user