From c320822ee5916bdbd9cbdea9fe2996bdd413a7c3 Mon Sep 17 00:00:00 2001
From: Dobromir Popov
Date: Mon, 3 Jun 2024 18:44:13 +0300
Subject: [PATCH 1/3] tightening local accounts security. added logging
---
 .env | 1 +
 _deploy/deoloy.azure.production.yml | 1 +
 _deploy/deoloy.azure.staging.yml | 1 +
 _doc/ToDo.md | 2 ++
 components/PwaManager.tsx | 3 ++-
 components/PwaManagerNotifications.tsx | 3 ++-
 pages/api/auth/[...nextauth].ts | 10 +++++++---
 7 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/.env b/.env
index c608057..04278f6 100644
--- a/.env
+++ b/.env
@@ -11,6 +11,7 @@ NODE_ENV=development
 DATABASE=mysql://cart:cartpw@localhost:3306/cart
 # DATABASE=mysql://cart:cartpw@192.168.0.10:3306/cart_dev
 NEXT_PUBLIC_PUBLIC_URL=https://localhost:3003
+ADMIN_PASSWORD=123456
 # // owner: dobromir.popov@gmail.com | Специално Свидетелстване София
 # // https://console.cloud.google.com/apis/credentials/oauthclient/926212607479-d3m8hm8f8esp3rf1639prskn445sa01v.apps.googleusercontent.com?project=grand-forge-108716
diff --git a/_deploy/deoloy.azure.production.yml b/_deploy/deoloy.azure.production.yml
index 025a825..55a11d4 100644
--- a/_deploy/deoloy.azure.production.yml
+++ b/_deploy/deoloy.azure.production.yml
@@ -18,6 +18,7 @@ services:
 - GIT_BRANCH=production
 - GIT_USERNAME=deploy
 - GIT_PASSWORD=L3Kr2R438u4F7
+ - ADMIN_PASSWORD=changeme
 command: sh -c " cd /app && npm install && npm run prod; tail -f /dev/null"
 #command: sh -c " cd /app && tail -f /dev/null"
 tty: true
diff --git a/_deploy/deoloy.azure.staging.yml b/_deploy/deoloy.azure.staging.yml
index d7a5af1..2fad3a5 100644
--- a/_deploy/deoloy.azure.staging.yml
+++ b/_deploy/deoloy.azure.staging.yml
@@ -15,6 +15,7 @@ services:
 - GIT_BRANCH=main
 - GIT_USERNAME=deploy
 - GIT_PASSWORD=L3Kr2R438u4F7
+ - ADMIN_PASSWORD=kolichkisofia2024
 command: sh -c " cd /app && npm install && npx next build && npm run start-env; tail -f /dev/null"
 tty: true
 stdin_open: true
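Review bot: The `ADMIN_PASSWORD=` line added to `.env` commits the built-in admin's password to the repository, and the `_deploy/deoloy.azure.production.yml` and `_deploy/deoloy.azure.staging.yml` hunks do the same with their own values, right next to the `GIT_PASSWORD` that is already tracked there. Reading the password from an environment variable in `pages/api/auth/[...nextauth].ts` is the right direction, but the variable should be populated from the deployment's secret store or an untracked file such as `.env.local`, not from a tracked one, and the values that have already been pushed should be treated as disclosed and rotated, since rewriting history does not recall existing clones. The development default is also short enough to be guessed and the same `authorize` path serves it, so the tracked `.env` should carry only an empty `ADMIN_PASSWORD=` preceded by `# ADMIN_PASSWORD is set in .env.local or the deployment secret store; never commit a real value`.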
diff --git a/_doc/ToDo.md b/_doc/ToDo.md
index 4a49898..fa13d7e 100644
--- a/_doc/ToDo.md
+++ b/_doc/ToDo.md
@@ -250,6 +250,7 @@ in schedule admin - if a publisher is always pair & family is not in the shift -
 [] invalidate one/all user sessions
 [] log deletions
 [] add user permissions [with logging when used]
+[] ? store sessions in DB ?
 [] improve reports page(s)
@@ -261,3 +262,4 @@ in schedule admin - if a publisher is always pair & family is not in the shift -
 [] allow blocking of inputs (different from publishing)
 [] user - add createdAt field
+[] FIX insecure logins
\ No newline at end of file
diff --git a/components/PwaManager.tsx b/components/PwaManager.tsx
index fd4c86d..5fe808f 100644
--- a/components/PwaManager.tsx
+++ b/components/PwaManager.tsx
@@ -141,7 +141,8 @@ function PwaManager({ subs }) {
 body: JSON.stringify({ subscription: sub, id: session.user.id })
 }).then(async response => {
 if (!response.ok) {
- throw new Error('Failed to save subscription data on server.');
+ //throw new Error('Failed to save subscription data on server.');
+ console.log('Failed to save subscription data on server.');
 } else {
 console.log('Subscription data saved on server.');
diff --git a/components/PwaManagerNotifications.tsx b/components/PwaManagerNotifications.tsx
index 653f66e..8459061 100644
--- a/components/PwaManagerNotifications.tsx
+++ b/components/PwaManagerNotifications.tsx
@@ -102,7 +102,8 @@ function PwaManagerNotifications() {
 body: JSON.stringify({ subscription: sub, id: session.user.id })
 }).then(async response => {
 if (!response.ok) {
- throw new Error('Failed to save subscription data on server.');
+ // throw new Error('Failed to save subscription data on server.');
+ console.log('Failed to save subscription data on server.');
 } else {
 console.log('Subscription data saved on server.');
diff --git a/pages/api/auth/[...nextauth].ts b/pages/api/auth/[...nextauth].ts
index 428f78e..2162848 100644
--- a/pages/api/auth/[...nextauth].ts
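Review bot: Replacing the `throw` with `console.log` makes a rejected save indistinguishable from success: the `.then` callback now resolves normally, so whatever `.catch` or caller follows it (outside the hunk) never learns that the server did not store this subscription, and the browser keeps a subscription the server will never send to. The same substitution is made in `components/PwaManagerNotifications.tsx`. If the throw was removed because it surfaced as an unhandled rejection, the fix belongs in a `.catch` on the chain rather than in dropping the error; at minimum log at error level with the status, `console.error('Failed to save subscription data on server.', response.status);`, and return something the caller can test. The enclosing `.then` handler and `PwaManager` continue past the end of the hunk.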
+++ b/pages/api/auth/[...nextauth].ts
@@ -72,10 +72,9 @@ export const authOptions: NextAuthOptions = {
 password: { label: "Парола", type: "password" }
 },
 async authorize(credentials, req) {
+
 const users = [
- { id: "1", name: "admin", email: "admin@example.com", password: "admin123", role: "ADMIN", static: true },
- { id: "2", name: "krasi", email: "krasi@example.com", password: "krasi123", role: "ADMIN", static: true },
- { id: "3", name: "popov", email: "popov@example.com", password: "popov123", role: "ADMIN", static: true }
+ { id: "1", name: "admin", email: "admin@example.com", password: process.env.ADMIN_PASSWORD, role: "ADMIN", static: true }
 ];
 const user = users.find(user =>
@@ -83,6 +82,11 @@ export const authOptions: NextAuthOptions = {
 );
 if (user) {
+ const remoteIP = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
+ const userAgent = req.headers['user-agent'];
+ const message = "login form built-in admin account from ip:" + remoteIP + " user-agent:" + userAgent;
+ console.log(message);
+ logger.info(message);
 return user;
 } else {
From 6bb1b988a1c22b8a8a4c7a8bd031ff4473cbf74e Mon Sep 17 00:00:00 2001
From: Dobromir Popov
Date: Mon, 3 Jun 2024 19:21:02 +0300
Subject: [PATCH 2/3] fix error message if undexisting user login
---
 pages/api/auth/[...nextauth].ts | 52 +++++++++++++++++----------------
 1 file changed, 27 insertions(+), 25 deletions(-)
diff --git a/pages/api/auth/[...nextauth].ts b/pages/api/auth/[...nextauth].ts
index 2162848..6d5aeab 100644
--- a/pages/api/auth/[...nextauth].ts
+++ b/pages/api/auth/[...nextauth].ts
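Review bot: If `ADMIN_PASSWORD` is not set, the static admin entry is built with `password: undefined`, and whether the `users.find` comparison (its body lies outside the hunk) then rejects or accepts a submitted value is not visible here; the account should be absent rather than present with an undefined password, e.g. `const adminPassword = process.env.ADMIN_PASSWORD;` followed by `const users = adminPassword ? [{ id: "1", name: "admin", email: "admin@example.com", password: adminPassword, role: "ADMIN", static: true }] : [];`. The password is still held and compared in clear text; since this file already uses `bcrypt` (see the `@@ -122,35 +122,37 @@` hunk of the second patch), the variable could carry a bcrypt hash checked with `bcrypt.compare`, so the plain value never lives in the process environment. `authorize` starts and ends outside the hunk.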
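Review bot: `req.connection.remoteAddress` is evaluated whenever the `x-forwarded-for` header is absent, and in next-auth v4 the `req` handed to `authorize` exposes only `body`, `query`, `headers` and `method`, so `req.connection` is undefined and a successful admin login over a direct, non-proxied connection becomes a TypeError instead of a session (on a full Node request `connection` is also deprecated in favour of `socket`); if that is the version in use, the fallback should be optional, e.g. `const remoteIP = req.headers['x-forwarded-for'] ?? 'unknown';`. Both values are client-supplied — `x-forwarded-for` unless the proxy overwrites it, `user-agent` always — so they belong in structured fields rather than in a concatenated message, in whatever form `logger` accepts, e.g. `logger.info("built-in admin login", { ip: remoteIP, userAgent });`, which also keeps a header containing line breaks from forging extra log lines. Only successful logins are recorded; the `else` branch (outside the hunk) should log failed attempts against the built-in account as well, since that is the signal password guessing leaves.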
@@ -122,35 +122,37 @@ export const authOptions: NextAuthOptions = {
 }
 } else {
- const pub = await prisma.publisher.findUnique({ where: { email: credentials.username } });
- if (pub) {
- const passHash = await bcrypt.hash(credentials.password, 10);
- const mailVerifyToken = await bcrypt.hash(pub.email, 10);
- const date = new Date().getTime();
- const emailVerifyToken = date + "_" + mailVerifyToken;
- const newUser = await prisma.user.create({
- data: {
- name: credentials.username,
- email: credentials.username,
- passwordHashLocalAccount: passHash,
- emailVerifyToken: emailVerifyToken
- }
- });
- console.log("New local credential user created for publisher ", pub.firstName, " ", pub.lastName, " (", pub.email, ")");
- logger.info("New local credential user created for publisher ", pub.firstName, " ", pub.lastName, " (", pub.email, ")");
- emailHelper.SendEmail_ValidateTemplate(pub.email, emailVerifyToken, pub.firstName, pub.lastName);
- //return newUser;
- throw new Error("Моля проверете вашия имейл '" + credentials?.username + "' за да потвърдите регистрацията си.");
- }
- else {
-
+ try {
+ const pub = await prisma.publisher.findUnique({ where: { email: credentials.username } });
+ if (pub) {
+ const passHash = await bcrypt.hash(credentials.password, 10);
+ const mailVerifyToken = await bcrypt.hash(pub.email, 10);
+ const date = new Date().getTime();
+ const emailVerifyToken = date + "_" + mailVerifyToken;
+ const newUser = await prisma.user.create({
+ data: {
+ name: credentials.username,
+ email: credentials.username,
+ passwordHashLocalAccount: passHash,
+ emailVerifyToken: emailVerifyToken
+ }
+ });
+ console.log("New local credential user created for publisher ", pub.firstName, " ", pub.lastName, " (", pub.email, ")");
+ logger.info("New local credential user created for publisher ", pub.firstName, " ", pub.lastName, " (", pub.email, ")");
+ emailHelper.SendEmail_ValidateTemplate(pub.email, emailVerifyToken, pub.firstName, pub.lastName);
+ //return newUser;
+ throw new Error("Моля проверете вашия имейл '" + credentials?.username + "' за да потвърдите регистрацията си.");
+ }
+ else {
+ throw new Error("Не можем да намерим твоя имейл '" + credentials?.username + "' в участниците в ССОМ. Моля свържи се с нас за да те регистрираме ако искаш да ползваш този имейл.");
+ }
+ } catch (err) {
+ console.log("Error in credentials authorize:", err);
 throw new Error("Не можем да намерим твоя имейл '" + credentials?.username + "' в участниците в ССОМ. Моля свържи се с нас за да те регистрираме ако искаш да ползваш този имейл.");
 }
- }
 }
- }
- })
+ })
 /*
 EmailProvider({
 server: {
From 8ca0884acda8febcd015d33782c46859de7f6fc9 Mon Sep 17 00:00:00 2001
From: Dobromir Popov
Date: Mon, 3 Jun 2024 19:22:26 +0300
Subject: [PATCH 3/3] fix
---
 pages/api/auth/[...nextauth].ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pages/api/auth/[...nextauth].ts b/pages/api/auth/[...nextauth].ts
index 6d5aeab..26490d2 100644
--- a/pages/api/auth/[...nextauth].ts
+++ b/pages/api/auth/[...nextauth].ts
@@ -144,6 +144,7 @@ export const authOptions: NextAuthOptions = {
 throw new Error("Моля проверете вашия имейл '" + credentials?.username + "' за да потвърдите регистрацията си.");
 }
 else {
+ throw new Error("Не можем да намерим твоя имейл '" + credentials?.username + "' в участниците в ССОМ. Моля свържи се с нас за да те регистрираме ако искаш да ползваш този имейл.");
 }
 } catch (err) {
@@ -152,7 +153,8 @@ export const authOptions: NextAuthOptions = {
 }
 }
 }
- }
+ }
+ })
 /*
 EmailProvider({
 server: {
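Review bot: The new `try` encloses the two intentional `throw new Error(...)` calls, so the `catch (err)` directly below logs them as `Error in credentials authorize:` and replaces both with the `Не можем да намерим твоя имейл` message — a publisher whose local account was just created and emailed is told that their address is unknown; the `@@ -144,6 +144,7 @@` hunk of patch 3 re-adds the else-branch throw inside the same `try` and is affected identically. The catch also turns a failure of `prisma.user.create` or `SendEmail_ValidateTemplate` (for instance a unique-constraint rejection on a repeated attempt, if the schema has one) into that same user-facing text, and records it with `console.log` even though the file has `logger`. Limit the `try` to the database and mail work, log the failure with `logger.error`, and throw the user-facing messages after it; the enclosing `authorize` starts and ends outside the hunk.
```typescript
} else {
  let pub;
  try {
    pub = await prisma.publisher.findUnique({ where: { email: credentials.username } });
    if (pub) {
      // … unchanged: bcrypt hashes, prisma.user.create, console/logger lines, emailHelper.SendEmail_ValidateTemplate …
    }
  } catch (err) {
    logger.error("Error in credentials authorize:", err);
    throw new Error("Не можем да намерим твоя имейл '" + credentials?.username + "' в участниците в ССОМ. Моля свържи се с нас за да те регистрираме ако искаш да ползваш този имейл.");
  }
  if (pub) {
    throw new Error("Моля проверете вашия имейл '" + credentials?.username + "' за да потвърдите регистрацията си.");
  }
  throw new Error("Не можем да намерим твоя имейл '" + credentials?.username + "' в участниците в ССОМ. Моля свържи се с нас за да те регистрираме ако искаш да ползваш този имейл.");
}
```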