Update Apache SSL configuration and enhance security features across multiple files. Changed X-Frame-Options to SAMEORIGIN for better security, added optional Content Security Policy headers for testing, and improved password handling with HaveIBeenPwned checks during user registration and password reset. Implemented passkey login functionality in the authentication flow, including UI updates for user experience. Enhanced image upload processing with size limits and validation, and added rate limiting for various API endpoints to prevent abuse.
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 51s
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 51s
This commit is contained in:
Torsten Schulz (local)
@@ -1,6 +1,8 @@
|
||||
import { readUsers, hashPassword, writeUsers } from '../../utils/auth.js'
|
||||
import nodemailer from 'nodemailer'
|
||||
import crypto from 'crypto'
|
||||
import { assertRateLimit, getClientIp, registerRateLimitFailure, registerRateLimitSuccess } from '../../utils/rate-limit.js'
|
||||
import { writeAuditLog } from '../../utils/audit-log.js'
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
try {
|
||||
@@ -14,12 +16,34 @@ export default defineEventHandler(async (event) => {
|
||||
})
|
||||
}
|
||||
|
||||
const ip = getClientIp(event)
|
||||
const emailKey = String(email || '').trim().toLowerCase()
|
||||
|
||||
// Rate Limiting (IP + Account)
|
||||
assertRateLimit(event, {
|
||||
name: 'auth:reset:ip',
|
||||
keyParts: [ip],
|
||||
windowMs: 60 * 60 * 1000,
|
||||
maxAttempts: 20,
|
||||
lockoutMs: 30 * 60 * 1000
|
||||
})
|
||||
assertRateLimit(event, {
|
||||
name: 'auth:reset:account',
|
||||
keyParts: [emailKey],
|
||||
windowMs: 60 * 60 * 1000,
|
||||
maxAttempts: 5,
|
||||
lockoutMs: 60 * 60 * 1000
|
||||
})
|
||||
|
||||
// Find user
|
||||
const users = await readUsers()
|
||||
const user = users.find(u => u.email.toLowerCase() === email.toLowerCase())
|
||||
|
||||
// Always return success (security: don't reveal if email exists)
|
||||
if (!user) {
|
||||
await registerRateLimitFailure(event, { name: 'auth:reset:ip', keyParts: [ip] })
|
||||
await registerRateLimitFailure(event, { name: 'auth:reset:account', keyParts: [emailKey] })
|
||||
await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: false })
|
||||
return {
|
||||
success: true,
|
||||
message: 'Falls ein Konto mit dieser E-Mail existiert, wurde eine E-Mail gesendet.'
|
||||
@@ -36,6 +60,9 @@ export default defineEventHandler(async (event) => {
|
||||
const updatedUsers = users.map(u => u.id === user.id ? user : u)
|
||||
await writeUsers(updatedUsers)
|
||||
|
||||
registerRateLimitSuccess(event, { name: 'auth:reset:account', keyParts: [emailKey] })
|
||||
await writeAuditLog('auth.reset.request', { ip, email: emailKey, userFound: true, userId: user.id })
|
||||
|
||||
// Send email with temporary password
|
||||
const smtpUser = process.env.SMTP_USER
|
||||
const smtpPass = process.env.SMTP_PASS
|
||||
|
||||
Reference in New Issue
Block a user