Keysat
f540a473ef
Two P3 multi-user hardening fixes from the 2026-06-13 full-eval. Login timing oracle: both login paths (the UI server action and POST /api/auth) returned immediately on an unknown email but ran bcrypt.compare when the email matched a user, so response latency revealed which emails have accounts. New verifyPasswordOrDummy() in lib/auth runs bcrypt against a fixed dummy hash when there is no user, so every attempt spends exactly one bcrypt; the two error branches in each route collapse into one. exerciseId ownership: exercises are per-user, but the workout create / PATCH (set-replace) / add-sets and CSV import-save routes wrote SetLogs from a client-supplied exerciseId with no ownership check — letting a user attach another user's exercise to their own workout, which leaks that exercise's name/notes on fetch and wires up a cross-user onDelete: Cascade link. All four now reject unowned ids with 400 via the shared lib/exerciseOwnership helper; the pre-existing inline checks in both programs routes are refactored onto the same helper. App-code only — no schema, no API contract change, no data migration.
61 lines
1.8 KiB
TypeScript
61 lines
1.8 KiB
TypeScript
'use server';
|
|
|
|
import { redirect } from 'next/navigation';
|
|
import { cookies, headers } from 'next/headers';
|
|
import { verifyPasswordOrDummy, createSession } from '@/lib/auth';
|
|
import { prisma } from '@/lib/prisma';
|
|
import { rateLimit, clientIpFromHeaders } from '@/lib/rateLimit';
|
|
|
|
export async function loginAction(email: string, password: string) {
|
|
try {
|
|
// Per-IP cap: 10 login attempts per 15 minutes. Slows credential
|
|
// stuffing without locking out legitimate typo-prone users.
|
|
const hdrs = await headers();
|
|
const ip = clientIpFromHeaders(hdrs);
|
|
const limit = rateLimit(`login:${ip}`, { limit: 10, windowMs: 15 * 60_000 });
|
|
if (!limit.ok) {
|
|
return {
|
|
error: `Too many login attempts. Try again in ${limit.retryAfterSec}s.`,
|
|
};
|
|
}
|
|
|
|
// Look up user by email
|
|
const user = await prisma.user.findUnique({
|
|
where: { email },
|
|
});
|
|
|
|
// Always run a bcrypt compare (against a dummy hash when the email is
|
|
// unknown) so response time doesn't reveal whether an account exists.
|
|
const isValid = await verifyPasswordOrDummy(
|
|
password,
|
|
user?.passwordHash ?? null,
|
|
);
|
|
|
|
if (!user || !isValid) {
|
|
return { error: 'Invalid email or password' };
|
|
}
|
|
|
|
// Create a session
|
|
const session = await createSession(user.id);
|
|
|
|
// Set the session cookie
|
|
const cookieStore = await cookies();
|
|
cookieStore.set('sessionToken', session.token, {
|
|
httpOnly: true,
|
|
secure: process.env.NODE_ENV === 'production',
|
|
sameSite: 'lax',
|
|
maxAge: 60 * 60 * 24 * 30, // 30 days
|
|
path: '/',
|
|
});
|
|
|
|
return { success: true };
|
|
} catch (error) {
|
|
console.error('Login error:', error);
|
|
return { error: 'An error occurred during login' };
|
|
}
|
|
}
|
|
|
|
export async function redirectToDashboard() {
|
|
redirect('/main/dashboard');
|
|
}
|