Add in registration token requirement to prevent unauthorised registrations.

2025-04-25 23:54:55 +01:00 · 2025-04-25 23:54:55 +01:00 · 0d277e3035
commit 0d277e3035
parent 5268d6aecd
4 changed files with 50 additions and 8 deletions
--- a/src-server/routes/auth.js
+++ b/src-server/routes/auth.js
@ -9,6 +9,7 @@ import {
 import { isoBase64URL } from '@simplewebauthn/server/helpers'; // Ensure this is imported if not already
 import prisma from '../database.js';
 import { rpID, rpName, origin, challengeStore } from '../server.js'; // Import RP details and challenge store
+import { getSetting } from '../utils/settings.js';

 const router = express.Router();

@ -49,13 +50,21 @@ async function getAuthenticatorByCredentialID(credentialID)
 router.post('/generate-registration-options', async(req, res) =>
 {
  // Destructure username, email, and fullName from the request body
-  const { username, email, fullName } = req.body;
+  const { username, email, fullName, registrationToken } = req.body;

  if (!username)
  {
    return res.status(400).json({ error: 'Username is required' });
  }

+  //Check if the registrationToken matches the setting
+  const registrationTokenSetting = await getSetting('REGISTRATION_TOKEN');
+
+  if (registrationTokenSetting !== registrationToken)
+  {
+    return res.status(403).json({ error: 'Invalid registration token' });
+  }
+
  try
  {
    let user = await getUserByUsername(username);
@ -71,7 +80,6 @@ router.post('/generate-registration-options', async(req, res) =>
        data: userData,
      });
    }
-    // ... rest of the existing logic ...

    const userAuthenticators = await getUserAuthenticators(user.id);