diff --git a/relay/src/index.ts b/relay/src/index.ts
index 316ef0bf..e46931be 100644
--- a/relay/src/index.ts
+++ b/relay/src/index.ts
@@ -171,7 +171,10 @@ async function initializeServer() {
 // Se ha headers, verifica il token
 if (msg && msg.headers && msg.headers.token) {
- const hasValidAuth = msg.headers.token === authConfig.adminPassword;
+ const tokenHash = hashToken(msg.headers.token);
+ const adminHash = hashToken(authConfig.adminPassword || "");
+ const hasValidAuth = secureCompare(tokenHash, adminHash);
+
 if (hasValidAuth) {
 loggers.server.info(`🔍 PUT allowed - valid token: ${msg.headers}`);
 return true;
@@ -372,10 +375,13 @@ async function initializeServer() {
 const authHeader = req.headers["authorization"];
 const bearerToken = authHeader && authHeader.split(" ")[1];
 const customToken = req.headers["token"];
- const formToken = req.query["_auth_token"]; // Token inviato tramite form
+ const formToken = req.query["_auth_token"] as string | undefined; // Token inviato tramite form
 const token = bearerToken || customToken || formToken;
- if (token === authConfig.adminPassword) {
+ const tokenHash = hashToken(token || "");
+ const adminHash = hashToken(authConfig.adminPassword || "");
+
+ if (token && secureCompare(tokenHash, adminHash)) {
 next();
 } else {
 loggers.server.warn(`❌ Accesso negato a ${path} - Token mancante o non valido`);
diff --git a/relay/src/routes/index.ts b/relay/src/routes/index.ts
index 86cc7b07..55e97d77 100644
--- a/relay/src/routes/index.ts
+++ b/relay/src/routes/index.ts
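Review bot: In the -171 hunk `msg.headers.token` arrives in a peer's Gun message and is only truthiness-checked before `hashToken(msg.headers.token)`, so a number, object or array reaches the hash; if `hashToken` ends in crypto's `Hash.update`, that throws inside the PUT validator instead of yielding `false`. This hunk and every other call site in the commit (-372 below, routes/index.ts -395 and -641, upload-directory.ts -24, upload.ts -39, relay-user.ts -282) also fall back to `hashToken(authConfig.adminPassword || "")`, which turns an unconfigured admin password into a comparison against the hash of the empty string rather than a refusal; the check should fail closed when `adminPassword` is empty. Because the same three lines are now copied six times, collecting them in one helper next to `secureCompare`/`hashToken` in utils/security (not part of this diff) keeps the type guard and the fail-closed rule in a single place, and the hunk line becomes `const hasValidAuth = isAdminToken(msg.headers.token);`. initializeServer starts before and continues after the hunk.
```typescript
/** True only when `token` is a non-empty string that matches the configured admin password. */
export function isAdminToken(token: unknown): boolean {
  if (typeof token !== "string" || token.length === 0) return false;
  const expected = authConfig.adminPassword;
  if (!expected) return false; // no admin password configured: never grant admin
  // NOTE(review): both sides are hashed so secureCompare sees equal-length inputs — confirm against utils/security
  return secureCompare(hashToken(token), hashToken(expected));
}
```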
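Review bot: In the -372 hunk `token` can still be a `string[]`, because `req.headers["token"]` is typed `string | string[] | undefined` and the new `as string | undefined` on `req.query["_auth_token"]` only asserts away the array and ParsedQs shapes Express allows there, so `hashToken(token || "")` may be handed a non-string; routes/index.ts -395 and -641 hide the same thing behind `(token as string) || ""`. Narrow instead of casting, e.g. `const token = [bearerToken, customToken, formToken].find((t): t is string => typeof t === "string" && t.length > 0);`, and keep `if (token && secureCompare(tokenHash, adminHash))` as written; upload-directory.ts -24 already does this with `Array.isArray`/`typeof`. The enclosing middleware body starts and ends outside the hunk.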
@@ -395,7 +395,10 @@ export default (app: express.Application) => {
 (req.headers["authorization"] && (req.headers["authorization"] as string).split(" ")[1]) ||
 req.headers["token"];
- if (token === authConfig.adminPassword) {
+ const tokenHash = hashToken((token as string) || "");
+ const adminHash = hashToken(authConfig.adminPassword || "");
+
+ if (token && secureCompare(tokenHash, adminHash)) {
 res.redirect("/api/v1/ipfs/webui/?auth_token=" + encodeURIComponent(token as string));
 return;
 }
@@ -641,7 +644,10 @@ export default (app: express.Application) => {
 const customToken = req.headers["token"];
 const token = bearerToken || customToken;
- if (token === authConfig.adminPassword) {
+ const tokenHash = hashToken((token as string) || "");
+ const adminHash = hashToken(authConfig.adminPassword || "");
+
+ if (token && secureCompare(tokenHash, adminHash)) {
 next();
 } else {
 res.status(401).json({ success: false, error: "Unauthorized" });
diff --git a/relay/src/routes/ipfs/upload-directory.ts b/relay/src/routes/ipfs/upload-directory.ts
index 2c01c3be..43d4a6fc 100644
--- a/relay/src/routes/ipfs/upload-directory.ts
+++ b/relay/src/routes/ipfs/upload-directory.ts
@@ -3,6 +3,7 @@ import multer from "multer";
 import FormData from "form-data";
 import { loggers } from "../../utils/logger";
 import { authConfig, ipfsConfig } from "../../config";
+import { secureCompare, hashToken } from "../../utils/security";
 import { ipfsUpload } from "../../utils/ipfs-client";
 import type { CustomRequest } from "./types";
 import { GUN_PATHS } from "../../utils/gun-paths";
@@ -24,7 +25,14 @@ router.post(
 const bearerToken = authHeader && authHeader.split(" ")[1];
 const customToken = req.headers["token"];
 const adminToken = bearerToken || customToken;
- const isAdmin = adminToken === authConfig.adminPassword;
+ const adminTokenStr = Array.isArray(adminToken) ? adminToken[0] : adminToken;
+
+ let isAdmin = false;
+ if (adminTokenStr && typeof adminTokenStr === "string") {
+ const tokenHash = hashToken(adminTokenStr);
+ const adminHash = hashToken(authConfig.adminPassword || "");
+ isAdmin = secureCompare(tokenHash, adminHash);
+ }
 const userAddressRaw = req.headers["x-user-address"];
 const userAddress = Array.isArray(userAddressRaw) ? userAddressRaw[0] : userAddressRaw;
diff --git a/relay/src/routes/ipfs/upload.ts b/relay/src/routes/ipfs/upload.ts
index 13125652..5eabc971 100644
--- a/relay/src/routes/ipfs/upload.ts
+++ b/relay/src/routes/ipfs/upload.ts
@@ -4,6 +4,7 @@ import multer from "multer";
 import FormData from "form-data";
 import { loggers } from "../../utils/logger";
 import { authConfig, ipfsConfig } from "../../config";
+import { secureCompare, hashToken } from "../../utils/security";
 import { ipfsUpload } from "../../utils/ipfs-client";
 import type { CustomRequest, IpfsRequestOptions } from "./types";
 import { IPFS_API_TOKEN, verifyWalletSignature } from "./utils";
@@ -39,7 +40,10 @@ router.post(
 if (adminTokenStr && typeof adminTokenStr === "string") {
 // Check admin password
- if (adminTokenStr === authConfig.adminPassword) {
+ const tokenHash = hashToken(adminTokenStr);
+ const adminHash = hashToken(authConfig.adminPassword || "");
+
+ if (secureCompare(tokenHash, adminHash)) {
 isAdmin = true;
 } else if (adminTokenStr.startsWith("shogun-api-")) {
 // Check API key
diff --git a/relay/src/utils/relay-user.ts b/relay/src/utils/relay-user.ts
index 2d096a5a..7a7fb421 100644
--- a/relay/src/utils/relay-user.ts
+++ b/relay/src/utils/relay-user.ts
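Review bot: The -24 hunk in upload-directory.ts is the one call site that checks `typeof adminTokenStr === "string"` before hashing, but nothing in it says why both values are hashed before `secureCompare`, and a reader will wonder whether re-hashing the configured password on every request is deliberate. Add a comment above `const tokenHash`, e.g. `// hash both sides so secureCompare receives equal-length inputs whatever the token length — confirm against utils/security`, here and above the same lines in upload.ts -39. `let isAdmin = false` mutated inside the `if` also reads better as a single `const` once the three hashing lines live in a shared helper. The router.post handler begins before and ends after the hunk.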
@@ -12,6 +12,7 @@ import { loggers } from "./logger";
 const log = loggers.relayUser;
 import { authConfig } from "../config/env-config";
+import { secureCompare, hashToken } from "./security";
 import { GUN_PATHS, getGunNode } from "./gun-paths";
 // Module state
@@ -281,7 +282,10 @@ export const adminAuthMiddleware = (req: any, res: any, next: any) => {
 return res.status(401).json({ success: false, error: "Unauthorized - Token required" });
 }
- if (token === authConfig.adminPassword) {
+ const tokenHash = hashToken(token);
+ const adminHash = hashToken(authConfig.adminPassword || "");
+
+ if (secureCompare(tokenHash, adminHash)) {
 next();
 } else {
 return res.status(401).json({ success: false, error: "Unauthorized - Invalid token" });
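Review bot: In the -282 hunk `hashToken(token)` runs with no type check: `token` is derived above the hunk from an `any`-typed `req`, and the guard that precedes the hunk only rejects a missing token, so an array-valued header or any other non-string value would reach the hash. Add `if (typeof token !== "string") return res.status(401).json({ success: false, error: "Unauthorized - Token required" });` ahead of the hashing, or narrow at the point where `token` is extracted. adminAuthMiddleware's body begins before the hunk.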