[Task] #50, reduced token length and improved error handling
Type-Style committed Mar 25, 2024
1 parent 7ee7d6b commit 356fe44
Showing 2 changed files with 7 additions and 11 deletions.
14 changes: 5 additions & 9 deletions src/controller/login.ts
Expand Up @@ -8,7 +8,7 @@ import { createJWT, createCSRF, validateCSRF } from '@src/scripts/token';
const router = express.Router();

router.get("/", baseSlowDown, baseRateLimiter, async function login(req: Request, res: Response, next: NextFunction) {
loginLimiter(req, res, () => {
loginLimiter(req, res, () => {
const csrfToken = createCSRF(res, next);
res.locals = {...res.locals, text: 'start', csrfToken: csrfToken};
res.render("login-form");
Expand All @@ -18,16 +18,12 @@ router.get("/", baseSlowDown, baseRateLimiter, async function login(req: Request
router.post("/", loginSlowDown, async function postLogin(req: Request, res: Response, next: NextFunction) {
loginLimiter(req, res, async () => {
let validLogin = false;
const validCSRF = validateCSRF(req.body.csrfToken);
const token = req.body.csrfToken;
const user = req.body.user;
const password = req.body.password;
let userFound = false;
if (!user || !password) {
return createError(res, 422, "Body does not contain all expected information", next);
}
if (!validCSRF) {
return createError(res, 403, "Invalid CSRF Token", next);
}
if (!user || !password) { return createError(res, 422, "Body does not contain all expected information", next); }
if (!token || !validateCSRF(req.body.csrfToken)) { return createError(res, 403, "Invalid CSRF Token", next); }

// Loop through all environment variables
for (const key in process.env) {
Expand All @@ -53,7 +49,7 @@ router.post("/", loginSlowDown, async function postLogin(req: Request, res: Resp
if (!userFound) {
await crypt(password); // If no matching user is found, perform a dummy password comparison to prevent timing attacks
}
return createError(res, 403, `invalid login credentials`, next);
return createError(res, 403, `Invalid credentials`, next);
}
});
});
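Review bot: The new check `if (!token || !validateCSRF(req.body.csrfToken))` verifies the token only by value, and nothing in this hunk ties it to the client that rendered the form — the GET handler calls `createCSRF(res, next)` with no request or session, and `validateCSRF` receives only the token — so if validateCSRF does no more than look the value up in the shared set (its body is outside this hunk), anyone can mint a valid token with a GET to `/` and embed it in a cross-site login form, which leaves login CSRF unaddressed. Consider binding the token to the requester, for example issuing it in a cookie as well and comparing both on POST, or keying the store by session. Separately, the line re-reads `req.body.csrfToken` after binding it to `token` on the line above and `token` is untyped body input, so validate the local and its type, `if (typeof token !== 'string' || !validateCSRF(token)) { return createError(res, 403, "Invalid CSRF Token", next); }`. The enclosing postLogin handler continues past this hunk (the credential loop and the dummy `crypt` call are in the section's second hunk).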
4 changes: 2 additions & 2 deletions src/scripts/token.ts
@@ -1,5 +1,4 @@
import jwt from 'jsonwebtoken';
import logger from '@src/scripts/logger';
import { NextFunction, Request, Response } from 'express';
import crypto from 'crypto';
import { create as createError } from '@src/middleware/error';
Expand All @@ -13,7 +12,7 @@ export function createCSRF(res: Response, next: NextFunction): string {
createError(res, 503, "Too many tokens", next);
}

const token = crypto.randomBytes(32).toString('hex');
const token = crypto.randomBytes(16).toString('hex');
const expiry = Date.now() + (5 * 60 * 1000); // Token expires in 5 minutes
const csrfToken: CSRFToken = { token, expiry };
csrfTokens.add(csrfToken);
Expand All @@ -22,6 +21,7 @@ export function createCSRF(res: Response, next: NextFunction): string {
}

export function validateCSRF(token: string): boolean {
console.log(csrfTokens, token);
const currentTime = Date.now();
let valid: boolean = false;
for (const entry of csrfTokens) {
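Review bot: The `console.log(csrfTokens, token);` added at the top of validateCSRF prints every currently valid CSRF token plus the submitted one to stdout on each login POST, so anyone with access to process output or aggregated logs can replay a live token; remove the line, or if a trace is wanted log only `csrfTokens.size` and whether the lookup matched. The first hunk drops one import line, apparently `logger`, which suggests (cannot confirm from here) that the project logger rather than console was the intended channel. The change to `crypto.randomBytes(16)` still yields 128 bits of entropy, which is adequate for a CSRF token, but the rationale belongs beside it, e.g. `// 16 bytes = 128 bits of entropy, enough for a CSRF token`. Note also that the 503 branch just above calls createError without returning, so a token is still minted and added after "Too many tokens" — pre-existing, but worth a `return` while this function is being touched. validateCSRF's loop body continues past the hunk.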
