diff --git a/package-lock.json b/package-lock.json index e9ab808..4da0315 100644 --- a/package-lock.json +++ b/package-lock.json @@ -2738,8 +2738,8 @@ "integrity": "sha512-q0M/9eZHzmr0AulXyPwNfZjtwZ/RBZlbN3K3CErVrk50T2ASYI7Bye0EvekFY3IP1Nt2DHu0re+V2ZHIpMkuWg==" }, "pinski": { - "version": "github:cloudrac3r/pinski#61809e18606265ec47813f3bdab80928c70ae203", - "from": "github:cloudrac3r/pinski#61809e18606265ec47813f3bdab80928c70ae203", + "version": "github:cloudrac3r/pinski#059bfb3c07f36b7e175bce52e4715646b6acfebd", + "from": "github:cloudrac3r/pinski#059bfb3c07f36b7e175bce52e4715646b6acfebd", "requires": { "mime": "^2.4.4", "pug": "^2.0.3", diff --git a/package.json b/package.json index 5cbcfe0..fb68c2c 100644 --- a/package.json +++ b/package.json @@ -19,7 +19,7 @@ "mixin-deep": "^2.0.1", "node-dir": "^0.1.17", "node-fetch": "^2.6.0", - "pinski": "github:cloudrac3r/pinski#61809e18606265ec47813f3bdab80928c70ae203", + "pinski": "github:cloudrac3r/pinski#059bfb3c07f36b7e175bce52e4715646b6acfebd", "pug": "^2.0.4", "semver": "^7.2.1", "sharp": "^0.25.2", diff --git a/src/lib/constants.js b/src/lib/constants.js index a873ef4..43c0c31 100644 --- a/src/lib/constants.js +++ b/src/lib/constants.js @@ -166,6 +166,7 @@ let constants = { instance_list_cache_time: 3*60*1000, updater_cache_time: 2*60*1000, cache_sweep_interval: 3*60*1000, + csrf_time: 60*60*1000, self_blocked_status: { enabled: true, time: 2*60*60*1000, @@ -232,7 +233,7 @@ let constants = { additional_routes: [], - database_version: 6 + database_version: 7 } // Override values from config and export the result diff --git a/src/lib/utils/upgradedb.js b/src/lib/utils/upgradedb.js index 54aa4e3..d512387 100644 --- a/src/lib/utils/upgradedb.js +++ b/src/lib/utils/upgradedb.js @@ -85,6 +85,15 @@ const deltas = new Map([ db.prepare("ALTER TABLE UserSettings ADD COLUMN rewrite_twitter TEXT NOT NULL DEFAULT ''") .run() })() + }], + // version 6 to version 7 + [7, function() { + db.transaction(() => { + db.prepare("DROP TABLE IF EXISTS CSRFTokens") + .run() + db.prepare("CREATE TABLE CSRFTokens (token TEXT NOT NULL, expires INTEGER NOT NULL, PRIMARY KEY (token))") + .run() + })() }] ]) diff --git a/src/site/api/settings.js b/src/site/api/settings.js index d5205a2..ffc32a2 100644 --- a/src/site/api/settings.js +++ b/src/site/api/settings.js @@ -1,6 +1,6 @@ const constants = require("../../lib/constants") const {render, redirect} = require("pinski/plugins") -const {getSettings} = require("./utils/getsettings") +const {getSettings, getToken, generateCSRF, checkCSRF} = require("./utils/getsettings") const crypto = require("crypto") const db = require("../../lib/db") @@ -9,13 +9,22 @@ module.exports = [ route: "/settings", methods: ["GET"], code: async ({req, url}) => { const settings = getSettings(req) // console.log(settings) - const saved = url.searchParams.has("saved") - return render(200, "pug/settings.pug", {saved, constants, settings}) + const csrf = generateCSRF() + const message = url.searchParams.get("message") + const status = url.searchParams.get("status") + return render(200, "pug/settings.pug", {constants, settings, csrf, status, message}) } }, { - route: "/settings", methods: ["POST"], upload: true, code: async ({body}) => { + route: "/settings", methods: ["POST"], upload: true, code: async ({req, body}) => { + const oldToken = getToken(req) const params = new URLSearchParams(body.toString()) + if (!checkCSRF(params.get("csrf"))) { + const returnParams = new URLSearchParams() + returnParams.append("status", "fail") + returnParams.append("message", "Form timed out or reused.\n(Invalid or missing CSRF token.)") + return redirect("/settings?" + returnParams.toString(), 303) + } const prepared = {} for (const setting of constants.user_settings) { let valueOrDefault @@ -42,14 +51,15 @@ module.exports = [ prepared.created = Date.now() const fields = constants.user_settings.map(s => s.name) db.prepare(`INSERT INTO UserSettings (token, created, ${fields.join(", ")}) VALUES (@token, @created, ${fields.map(f => "@"+f).join(", ")})`).run(prepared) + db.prepare("DELETE FROM UserSettings WHERE token = ?").run(oldToken) const expires = new Date(Date.now() + 4000*24*60*60*1000).toUTCString() return { statusCode: 303, headers: { - "Location": "/settings?saved=1", - "Set-Cookie": `settings=${prepared.token}; Path=/; Expires=${expires}; SameSite=Strict` + "Location": "/settings?status=success&message=Saved.", + "Set-Cookie": `settings=${prepared.token}; Path=/; Expires=${expires}; SameSite=Lax` }, - contentType: "text/html", + contentType: "text/html; charset=UTF-8", content: "Redirecting..." } } diff --git a/src/site/api/utils/getsettings.js b/src/site/api/utils/getsettings.js index c61f55b..b6b526b 100644 --- a/src/site/api/utils/getsettings.js +++ b/src/site/api/utils/getsettings.js @@ -1,3 +1,4 @@ +const crypto = require("crypto") const {parse} = require("cookie") const constants = require("../../../lib/constants") @@ -19,14 +20,49 @@ function addDefaults(input = {}) { return result } -function getSettings(req) { - if (!req.headers.cookie) return addDefaults() +function getToken(req) { + if (!req.headers.cookie) return null const cookie = parse(req.headers.cookie) - const settings = cookie.settings - if (!settings) return addDefaults() - const row = db.prepare("SELECT * FROM UserSettings WHERE token = ?").get(settings) - if (!row) return addDefaults() - return addDefaults(row) + const token = cookie.settings + if (token) return token + else return null } +function getSettings(req) { + const token = getToken(req) + if (token) { + const row = db.prepare("SELECT * FROM UserSettings WHERE token = ?").get(token) + if (row) { + return addDefaults(row) + } + } + return addDefaults() +} + +function generateCSRF() { + const token = crypto.randomBytes(16).toString("hex") + const expires = Date.now() + constants.caching.csrf_time + db.prepare("INSERT INTO CSRFTokens (token, expires) VALUES (?, ?)").run(token, expires) + return token +} + +function checkCSRF(token) { + const row = db.prepare("SELECT * FROM CSRFTokens WHERE token = ? AND expires > ?").get(token, Date.now()) + if (row) { + db.prepare("DELETE FROM CSRFTokens WHERE token = ?").run(token) + return true + } else { + return false + } +} + +function cleanCSRF() { + db.prepare("DELETE FROM CSRFTokens WHERE expires <= ?").run(Date.now()) +} +cleanCSRF() +setInterval(cleanCSRF, constants.caching.csrf_time) + +module.exports.getToken = getToken module.exports.getSettings = getSettings +module.exports.generateCSRF = generateCSRF +module.exports.checkCSRF = checkCSRF diff --git a/src/site/pug/home.pug b/src/site/pug/home.pug index fd78450..fdb7bbe 100644 --- a/src/site/pug/home.pug +++ b/src/site/pug/home.pug @@ -9,6 +9,7 @@ html header h1.banner img.banner-image(src="/static/img/banner-min.svg" alt="Bibliogram") + .go-sections-container .go-sections section @@ -21,6 +22,7 @@ html form(method="get" action="/p").pair-entry input(type="text" name="p" placeholder="Shortcode or URL").text input(type="submit" value="Go").button + .about-container section.about h2 About Bibliogram @@ -31,23 +33,25 @@ html p. Bibliogram does #[em not] allow you to anonymously post, like, comment, follow, or view private profiles. It does not preserve deleted posts. + h2 About this instance ul + li: a(href="/settings") Settings if hasPrivacyPolicy li: a(href="/privacy") Privacy policy else li Owner has not written a privacy policy li Instance is #{allUnblocked ? "not blocked" : "blocked"} li RSS feeds are #{rssEnabled ? "enabled" : "disabled"} - li Tor is #{torAvailable ? "enabled" : "not available"} + h2 External links - ul.link-list + ul - const links = [ ["https://github.com/cloudrac3r/bibliogram", "GitHub repository"], ["https://riot.im/app/#/room/#bibliogram:matrix.org", "Discussion room on Matrix"], ["https://github.com/cloudrac3r/bibliogram/wiki/Instances", "Other Bibliogram instances"], - ["https://github.com/cloudrac3r/bibliogram/projects/1?fullscreen=true", "Project board"], + ["https://github.com/cloudrac3r/bibliogram/projects/1?fullscreen=true", "Project roadmap"], ["https://cadence.moe/about/contact", "Contact the developer"] ] each entry in links diff --git a/src/site/pug/settings.pug b/src/site/pug/settings.pug index 11c3bda..e58fc24 100644 --- a/src/site/pug/settings.pug +++ b/src/site/pug/settings.pug @@ -1,4 +1,4 @@ -//- Needs saved, settings +//- Needs constants, settings, csrf, status, message mixin fieldset(name) fieldset @@ -31,12 +31,14 @@ html title Settings | Bibliogram include includes/head body.settings-page - if saved - .status-notice Saved. + if status && message + .status-notice(class=status)= message script. history.replaceState(null, "", "/settings") main.settings form(action="/settings" method="post" enctype="application/x-www-form-urlencoded") + input(type="hidden" name="csrf" value=csrf) + h1 Settings +fieldset("Features") diff --git a/src/site/sass/includes/_main.sass b/src/site/sass/includes/_main.sass index 677530a..56c25b3 100644 --- a/src/site/sass/includes/_main.sass +++ b/src/site/sass/includes/_main.sass @@ -668,10 +668,16 @@ body .status-notice padding: 15px font-size: 24px - line-height: 1 + line-height: 1.36 text-align: center - background-color: map-get($theme, "background-banner-success") color: map-get($theme, "foreground-banner") + white-space: pre-line + + &.success + background-color: map-get($theme, "background-banner-success") + + &.fail + background-color: map-get($theme, "background-banner-fail") .action-container margin-top: 20px diff --git a/src/site/sass/themes/_classic.scss b/src/site/sass/themes/_classic.scss index 7766bc0..b269334 100644 --- a/src/site/sass/themes/_classic.scss +++ b/src/site/sass/themes/_classic.scss @@ -22,6 +22,7 @@ $theme: ( "background-primary-quote": #ccc, "background-error-page": #191919, "background-alert": #282828, + "background-banner-fail": #5f1111, "background-banner-success": #0b420b, "foreground-primary": #111, "foreground-header": #000,