RyderTech/nlcc-itinerary
1
0
Fork 0
Code Issues Pull Requests Packages Activity

more security improvements

Browse Source
This commit is contained in:
Joshua Ryder
2025-10-07 13:54:29 -04:00
parent 329becfb08
commit ffb721a12c
2 changed files with 31 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
server/api/auth/login.post.ts
View File

@@ -3,14 +3,24 @@ import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'
import bcrypt from 'bcrypt' import bcrypt from 'bcrypt'
export default defineEventHandler(async (event) => { export default defineEventHandler(async (event) => {
// Get client IP for rate limiting // Get real client IP from proxy headers (prioritize x-real-ip for NPM)
const clientIp = getRequestIP(event) || 'unknown' const xRealIp = getHeader(event, 'x-real-ip')
const xForwardedFor = getHeader(event, 'x-forwarded-for')
const cfConnectingIp = getHeader(event, 'cf-connecting-ip')
// Log IP for verification (helps ensure correct public IP is captured) // Use x-real-ip first (set by NPM), then x-forwarded-for, then cf-connecting-ip, then fallback
const clientIp = xRealIp ||
(xForwardedFor ? xForwardedFor.split(',')[0].trim() : null) ||
cfConnectingIp ||
getRequestIP(event) ||
'unknown'
// Log IP for verification
console.log(`[LOGIN ATTEMPT] IP: ${clientIp}, Headers:`, { console.log(`[LOGIN ATTEMPT] IP: ${clientIp}, Headers:`, {
'x-forwarded-for': getHeader(event, 'x-forwarded-for'), 'x-forwarded-for': xForwardedFor,
'x-real-ip': getHeader(event, 'x-real-ip'), 'x-real-ip': xRealIp,
'cf-connecting-ip': getHeader(event, 'cf-connecting-ip') 'cf-connecting-ip': cfConnectingIp,
'getRequestIP': getRequestIP(event)
}) })
// Check rate limit: 5 attempts per 15 minutes // Check rate limit: 5 attempts per 15 minutes

20
server/api/auth/register.post.ts
View File

@@ -2,14 +2,24 @@ import { createUser, getUserByUsername, getUserByEmail, checkRateLimit, createSe
import { setAuthCookie, generateSessionToken } from '~/server/utils/auth' import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'
export default defineEventHandler(async (event) => { export default defineEventHandler(async (event) => {
// Get client IP for rate limiting // Get real client IP from proxy headers (prioritize x-real-ip for NPM)
const clientIp = getRequestIP(event) || 'unknown' const xRealIp = getHeader(event, 'x-real-ip')
const xForwardedFor = getHeader(event, 'x-forwarded-for')
const cfConnectingIp = getHeader(event, 'cf-connecting-ip')
// Use x-real-ip first (set by NPM), then x-forwarded-for, then cf-connecting-ip, then fallback
const clientIp = xRealIp ||
(xForwardedFor ? xForwardedFor.split(',')[0].trim() : null) ||
cfConnectingIp ||
getRequestIP(event) ||
'unknown'
// Log IP for verification // Log IP for verification
console.log(`[REGISTER ATTEMPT] IP: ${clientIp}, Headers:`, { console.log(`[REGISTER ATTEMPT] IP: ${clientIp}, Headers:`, {
'x-forwarded-for': getHeader(event, 'x-forwarded-for'), 'x-forwarded-for': xForwardedFor,
'x-real-ip': getHeader(event, 'x-real-ip'), 'x-real-ip': xRealIp,
'cf-connecting-ip': getHeader(event, 'cf-connecting-ip') 'cf-connecting-ip': cfConnectingIp,
'getRequestIP': getRequestIP(event)
}) })
// Check rate limit: 3 attempts per hour // Check rate limit: 3 attempts per hour