rezidir/GeoShare
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add registration security: bcrypt secret key, length validation, duplicate check, rate limiting

Browse Source
This commit is contained in:
dmit.b
2026-06-25 11:55:55 +03:00
parent efe68ef9a2
commit 6797f3d3c8
6 changed files with 172 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+2 -2
View File
@@ -11,5 +11,5 @@ POSTGRES_USER="user"
POSTGRES_PASSWORD="pwd" POSTGRES_PASSWORD="pwd"
# TOKEN_LIFETIME in minutes # TOKEN_LIFETIME in minutes
TOKEN_LIFETIME=600 TOKEN_LIFETIME=600
# Secret key for registration (MD5 hash of this key must be sent by the user) # Secret key for registration (bcrypt hash, client sends plaintext key)
REGISTRATION_SECRET_KEY=reg REGISTRATION_SECRET_KEY=$2a$10$example.bcrypt.hash.here
api.yaml
+8 -3
View File
@@ -241,16 +241,21 @@ components:
required: required:
- login - login
- password - password
- secret_key
properties: properties:
login: login:
type: string type: string
description: Desired login / username description: Desired login / username (minimum 5 characters)
example: "john_doe" example: "john_doe"
password: password:
type: string type: string
format: password format: password
description: Desired password (will be hashed with bcrypt) description: Desired password (minimum 9 characters, will be hashed with bcrypt)
example: "secret123" example: "securePass123"
secret_key:
type: string
description: Plaintext registration secret key (REGISTRATION_SECRET_KEY from server .env)
example: "FtracKer*1405."
LoginResponse: LoginResponse:
type: object type: object
bin/.env
+2 -2
View File
@@ -11,5 +11,5 @@ POSTGRES_USER="postgres"
POSTGRES_PASSWORD="postgres" POSTGRES_PASSWORD="postgres"
# TOKEN_LIFETIME in minutes # TOKEN_LIFETIME in minutes
TOKEN_LIFETIME=600 TOKEN_LIFETIME=600
# Secret key for registration (MD5 hash of this key must be sent by the user) # Secret key for registration (bcrypt hash, client sends plaintext)
REGISTRATION_SECRET_KEY=FtracKer*1405. REGISTRATION_SECRET_KEY=$2a$10$mSo1MvV6U7GazfxceLFDl.gBNPm6lnjClWYsFQesx0SalObvBLIF6
bin/database/database_provider.dart
+5
View File
@@ -127,6 +127,11 @@ class DatabaseProvider {
} }
Future<User> createUser(String login, String password) async { Future<User> createUser(String login, String password) async {
final existingUser = await findUserByLogin(login);
if (existingUser != null) {
throw Exception('User already exists');
}
final hashedPassword = BCrypt.hashpw(password, BCrypt.gensalt()); final hashedPassword = BCrypt.hashpw(password, BCrypt.gensalt());
final results = await _dbConnection.execute( final results = await _dbConnection.execute(
bin/routes/auth_routes.dart
+66 -3
View File
@@ -1,8 +1,8 @@
import 'package:bcrypt/bcrypt.dart';
import 'package:dotenv/dotenv.dart';
import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';
import 'package:shelf/shelf.dart'; import 'package:shelf/shelf.dart';
import 'package:shelf_router/shelf_router.dart'; import 'package:shelf_router/shelf_router.dart';
import 'package:bcrypt/bcrypt.dart';
import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';
import 'package:dotenv/dotenv.dart';
import '../database/database_provider.dart'; import '../database/database_provider.dart';
import '../middleware/auth_middleware.dart'; import '../middleware/auth_middleware.dart';
import '../middleware/request_logger.dart'; import '../middleware/request_logger.dart';
@@ -11,6 +11,7 @@ import 'dart:io';
class AuthRoutes { class AuthRoutes {
final DatabaseProvider database; final DatabaseProvider database;
final Map<String, DateTime> _lastRequest = {};
AuthRoutes(this.database); AuthRoutes(this.database);
@@ -23,7 +24,34 @@ class AuthRoutes {
return router; return router;
} }
String _getClientIp(Request request) {
final forwarded = request.headers['x-forwarded-for'];
if (forwarded != null) {
return forwarded.split(',').first.trim();
}
final xRealIp = request.headers['x-real-ip'];
if (xRealIp != null) {
return xRealIp;
}
return '127.0.0.1';
}
Future<Response?> _rateLimitCheck(Request request, String key) async {
final ip = _getClientIp(request);
final rateKey = '$key:$ip';
final now = DateTime.now();
final lastRequest = _lastRequest[rateKey];
if (lastRequest != null && now.difference(lastRequest).inSeconds < 10) {
return Response(429, body: jsonEncode({'error': 'Too many requests. Please wait 10 seconds.'}), headers: {'Content-Type': 'application/json'});
}
_lastRequest[rateKey] = now;
return null;
}
Future<Response> _login(Request request) async { Future<Response> _login(Request request) async {
final rateLimit = await _rateLimitCheck(request, 'login');
if (rateLimit != null) return rateLimit;
final body = await request.readAsString(); final body = await request.readAsString();
final data = jsonDecode(body); final data = jsonDecode(body);
@@ -58,6 +86,9 @@ class AuthRoutes {
} }
Future<Response> _register(Request request) async { Future<Response> _register(Request request) async {
final rateLimit = await _rateLimitCheck(request, 'reg');
if (rateLimit != null) return rateLimit;
final stopwatch = Stopwatch()..start(); final stopwatch = Stopwatch()..start();
final body = await request.readAsString(); final body = await request.readAsString();
logRequest(method: 'POST', url: '/reg', status: 444, duration: stopwatch.elapsed, body: body); logRequest(method: 'POST', url: '/reg', status: 444, duration: stopwatch.elapsed, body: body);
@@ -65,9 +96,41 @@ class AuthRoutes {
final login = data['login']; final login = data['login'];
final password = data['password']; final password = data['password'];
final secretKey = data['secret_key'];
if (login is! String || login.length <= 4) {
stopwatch.stop();
final response = Response(400, body: jsonEncode({'error': 'Login must be more than 4 characters'}), headers: {'Content-Type': 'application/json'});
logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
return response;
}
if (password is! String || password.length <= 8) {
stopwatch.stop();
final response = Response(400, body: jsonEncode({'error': 'Password must be more than 8 characters'}), headers: {'Content-Type': 'application/json'});
logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
return response;
}
final envDotenv = DotEnv();
final storedHash = envDotenv['REGISTRATION_SECRET_KEY'] ?? '';
if (!BCrypt.checkpw(secretKey, storedHash)) {
stopwatch.stop();
final response = Response(403, body: jsonEncode({'error': 'Invalid registration key'}), headers: {'Content-Type': 'application/json'});
logRequest(method: 'POST', url: '/reg', status: 403, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
return response;
}
try {
await database.createUser(login, password); await database.createUser(login, password);
await database.createLog(login, 'User registration'); await database.createLog(login, 'User registration');
} catch (e) {
stopwatch.stop();
final response = Response(400, body: jsonEncode({'error': e.toString()}), headers: {'Content-Type': 'application/json'});
logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
return response;
}
stopwatch.stop(); stopwatch.stop();
final response = Response(201, body: jsonEncode({'message': 'User registered'}), headers: {'Content-Type': 'application/json'}); final response = Response(201, body: jsonEncode({'message': 'User registered'}), headers: {'Content-Type': 'application/json'});
logRequest(method: 'POST', url: '/reg', status: 201, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers); logRequest(method: 'POST', url: '/reg', status: 201, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
test/server_test.dart
+85 -5
View File
@@ -1,6 +1,7 @@
import 'dart:convert'; import 'dart:convert';
import 'dart:io'; import 'dart:io';
import 'package:dotenv/dotenv.dart';
import 'package:http/http.dart' as http; import 'package:http/http.dart' as http;
import 'package:test/test.dart'; import 'package:test/test.dart';
@@ -9,20 +10,25 @@ void main() {
final host = 'http://localhost:$port'; final host = 'http://localhost:$port';
late Process p; late Process p;
String? authToken; String? authToken;
late String registrationSecretKey;
Future<String?> getAuthToken() async { Future<String?> getAuthToken() async {
if (authToken != null) return authToken; if (authToken != null) return authToken;
final regResponse = await http.post( await Future.delayed(Duration(seconds: 11));
await http.post(
Uri.parse('$host/reg'), Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'}, headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'testuser', 'password': 'testpass'}), body: jsonEncode({'login': 'testuser', 'password': 'testpassword', 'secret_key': registrationSecretKey}),
); );
await Future.delayed(Duration(seconds: 11));
final loginResponse = await http.post( final loginResponse = await http.post(
Uri.parse('$host/login'), Uri.parse('$host/login'),
headers: {'Content-Type': 'application/json'}, headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'testuser', 'password': 'testpass'}), body: jsonEncode({'login': 'testuser', 'password': 'testpassword'}),
); );
if (loginResponse.statusCode == 200) { if (loginResponse.statusCode == 200) {
@@ -33,6 +39,10 @@ void main() {
} }
setUpAll(() async { setUpAll(() async {
final env = DotEnv();
env.load(['bin/.env']);
registrationSecretKey = 'FtracKer*1405.';
stdout.writeln("Starting server..."); stdout.writeln("Starting server...");
p = await Process.start( p = await Process.start(
'dart', 'dart',
@@ -75,11 +85,59 @@ void main() {
final response = await http.post( final response = await http.post(
Uri.parse('$host/reg'), Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'}, headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'newuser', 'password': 'newpass'}), body: jsonEncode({'login': 'newuser', 'password': 'newpassword', 'secret_key': registrationSecretKey}),
); );
expect(response.statusCode, 201); expect(response.statusCode, 201);
final data = jsonDecode(response.body); final data = jsonDecode(response.body);
expect(data['login'], 'newuser'); expect(data['message'], 'User registered');
});
test('POST /reg - Invalid secret key', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'baduser', 'password': 'badpassword', 'secret_key': 'wrong_key'}),
);
expect(response.statusCode, 403);
});
test('POST /reg - Login too short', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'abc', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response.statusCode, 400);
});
test('POST /reg - Password too short', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'validuser', 'password': 'short', 'secret_key': registrationSecretKey}),
);
expect(response.statusCode, 400);
});
test('POST /reg - Duplicate user', () async {
await Future.delayed(Duration(seconds: 11));
final response1 = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'dupuser', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response1.statusCode, 201);
await Future.delayed(Duration(seconds: 11));
final response2 = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'dupuser', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response2.statusCode, 400);
}); });
}); });
@@ -90,6 +148,7 @@ void main() {
}); });
test('POST /login - Invalid credentials', () async { test('POST /login - Invalid credentials', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post( final response = await http.post(
Uri.parse('$host/login'), Uri.parse('$host/login'),
headers: {'Content-Type': 'application/json'}, headers: {'Content-Type': 'application/json'},
@@ -99,9 +158,29 @@ void main() {
}); });
}); });
group('Rate limiting', () {
test('POST /reg - Too many requests', () async {
await Future.delayed(Duration(seconds: 11));
final response1 = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'ratetest1', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response1.statusCode, 201);
final response2 = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'ratetest2', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response2.statusCode, 429);
});
});
group('Geo operations', () { group('Geo operations', () {
test('POST /share - Create share link', () async { test('POST /share - Create share link', () async {
await getAuthToken(); await getAuthToken();
await Future.delayed(Duration(seconds: 11));
final response = await http.post( final response = await http.post(
Uri.parse('$host/share'), Uri.parse('$host/share'),
headers: { headers: {
@@ -116,6 +195,7 @@ void main() {
}); });
test('POST /share - No auth token', () async { test('POST /share - No auth token', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post( final response = await http.post(
Uri.parse('$host/share'), Uri.parse('$host/share'),
headers: {'Content-Type': 'application/json'}, headers: {'Content-Type': 'application/json'},