provider: "phone",
user_id,
uid: this.session.uid,
phone,
verified: false,
confirmation_code
});
}
console.log(
'-- /submit_mobile -->',
this.session.uid,
this.session.user,
phone,
mid.id
);
const ip = getRemoteIp(this.req);
// const twilioResult = yield twilioVerify(phone);
// console.log('-- /submit_mobile twilioResult -->', twilioResult);
//
// if (twilioResult === 'block') {
// mid.update({score: 111111});
// this.flash = { error: 'Unable to verify your phone number. Please try a different phone number.' };
// this.redirect(enterMobileUrl);
// return;
// }
const verifyResult = yield teleSignVerify({
mobile: phone,
confirmation_code,
ip,
ignore_score: true //twilioResult === 'pass'
.sha256(crypto.randomBytes(32))
.toString('hex');
yield user.update({ creation_hash: creationHash });
// disable session/multi account for now
// const existing_created_account = yield models.Account.findOne({
// attributes: ['id'],
// where: {user_id, ignored: false, created: true},
// order: 'id DESC'
// });
// if (existing_created_account) {
// throw new Error("Only one Steem account per user is allowed in order to prevent abuse");
// }
const remote_ip = getRemoteIp(this.req);
// rate limit account creation to one per IP every 10 minutes
const same_ip_account = yield models.Account.findOne({
attributes: ['created_at'],
where: { remote_ip: esc(remote_ip), created: true },
order: 'id DESC',
});
if (same_ip_account) {
const minutes =
(Date.now() - same_ip_account.created_at) / 60000;
if (minutes < 10) {
console.log(
`api /accounts: IP rate limit for user ${
this.session.uid
} #${user_id}, IP ${remote_ip}`
);
throw new Error(
.sha256(crypto.randomBytes(32))
.toString('hex');
yield user.update({ creation_hash: creationHash });
// disable session/multi account for now
// const existing_created_account = yield models.Account.findOne({
// attributes: ['id'],
// where: {user_id, ignored: false, created: true},
// order: 'id DESC'
// });
// if (existing_created_account) {
// throw new Error("Only one Steem account per user is allowed in order to prevent abuse");
// }
const remote_ip = getRemoteIp(this.req);
// rate limit account creation to one per IP every 10 minutes
const same_ip_account = yield models.Account.findOne({
attributes: ['created_at'],
where: { remote_ip: esc(remote_ip), created: true },
order: 'id DESC',
});
if (same_ip_account) {
const minutes =
(Date.now() - same_ip_account.created_at) / 60000;
if (minutes < 10) {
console.log(
`api /accounts: IP rate limit for user ${
this.session.uid
} #${user_id}, IP ${remote_ip}`
);
throw new Error(
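// POST /initiate_account_recovery
//
// Opens an account-recovery request for a Steem account and hands the user
// off to the chosen identity provider (`/connect/<provider>`) to prove who
// they are. The body (JSON object, or a JSON string) must carry `csrf`,
// `account_name` and `provider`; any other body fields are stored on the
// AccountRecoveryRequest row as submitted.
//
// Side effects: per-request rate limit and CSRF checks (both short-circuit
// the handler), clears session.recover_account, creates an
// AccountRecoveryRequest row and records its id in session.arec, then
// redirects.
//
// Security notes on the fixes below:
//  - the request body used to be spread AFTER the server-set fields, so a
//    client could override `uid` and `status` (and write any column it
//    liked) on the new row; server-owned fields now win and the csrf token
//    is never written to the record.
//  - `provider` becomes a path segment of the redirect target, so it is
//    restricted to a plain identifier rather than concatenated verbatim.
//  - the full body (including the csrf token) is no longer written to logs.
router.post('/initiate_account_recovery', koaBody, function *() {
    if (rateLimitReq(this, this.req)) return;

    let params = this.request.body;
    params = typeof(params) === 'string' ? JSON.parse(params) : params;
    // A null/non-object body would throw on `params.csrf` and surface as a
    // generic 500; reject it explicitly instead.
    if (!params || typeof params !== 'object') {
        this.status = 400;
        this.body = 'invalid request body';
        return;
    }
    if (!checkCSRF(this, params.csrf)) return;

    // Log only what is needed to trace the request — not the whole body.
    console.log(
        '-- /initiate_account_recovery -->',
        this.session.uid,
        params.account_name,
        params.provider
    );
    this.session.recover_account = null;

    if (!params.account_name) {
        // NOTE(review): 400 is the correct status for a missing field; 500 is
        // kept here because existing clients may already key off it.
        this.status = 500;
        this.body = 'please provide account name';
        return;
    }

    // `provider` is interpolated into the redirect path. Only accept a plain
    // identifier so a crafted value cannot add path segments, a query string
    // or a fragment. NOTE(review): the set of valid providers is not visible
    // from this file — an explicit allow-list would be stricter; confirm
    // against the /connect/:provider routes.
    const provider =
        typeof params.provider === 'string' ? params.provider : '';
    if (!/^[a-z0-9_-]+$/i.test(provider)) {
        this.status = 400;
        this.body = 'please provide a valid provider';
        return;
    }

    // Client-supplied fields first, server-owned fields last, so the body
    // cannot override uid / status / remote_ip. The csrf token is not part
    // of the record.
    const { csrf, ...clientFields } = params;
    const attrs = {
        ...clientFields,
        uid: this.session.uid,
        status: 'open',
        remote_ip: getRemoteIp(this.req),
    };
    const request = yield models.AccountRecoveryRequest.create(escAttrs(attrs));
    console.log(
        '-- /initiate_account_recovery request id -->',
        this.session.uid,
        request.id
    );
    this.session.arec = request.id;
    this.redirect('/connect/' + provider);
});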
},
} = chainAccount;
verify(
'posting',
signatures.posting,
posting_pubkey,
weight,
weight_threshold
);
if (auth.posting) this.session.a = account;
}
}
}
this.body = JSON.stringify({ status: 'ok' });
const remote_ip = getRemoteIp(this.req);
if (mixpanel) {
mixpanel.people.set(this.session.uid, {
ip: remote_ip,
$ip: remote_ip,
});
mixpanel.people.increment(this.session.uid, 'Logins', 1);
}
} catch (error) {
console.error(
'Error in /login_account api call',
this.session.uid,
error.message
);
this.body = JSON.stringify({ error: error.message });
this.status = 500;
}
verify(
'posting',
signatures.posting,
posting_pubkey,
weight,
weight_threshold
);
if (auth.posting) this.session.a = account;
}
}
}
this.body = JSON.stringify({
status: 'ok',
});
const remote_ip = getRemoteIp(this.req);
if (mixpanel) {
mixpanel.people.set(this.session.uid, {
ip: remote_ip,
$ip: remote_ip,
});
mixpanel.people.increment(this.session.uid, 'Logins', 1);
}
} catch (error) {
console.error(
'Error in /login_account api call',
this.session.uid,
error.message
);
this.body = JSON.stringify({
error: error.message,
});
if (!checkCSRF(this, csrf)) return;
console.log('-- /initiate_account_recovery_with_email -->', this.session.uid, contact_email, account_name, owner_key);
if (!account_name || !contact_email || !owner_key) {
this.body = JSON.stringify({status: 'error'});
return;
}
const arec = yield models.AccountRecoveryRequest.findOne({
attributes: ['id'],
where: escAttrs({account_name, contact_email})
});
if (arec) {
this.body = JSON.stringify({status: 'duplicate'});
return;
}
const attrs = {uid: this.session.uid, status: 'open', contact_email, account_name, owner_key, provider: 'email'};
attrs.remote_ip = getRemoteIp(this.req);
const request = yield models.AccountRecoveryRequest.create(escAttrs(attrs));
console.log('-- initiate_account_recovery_with_email -->', this.session.uid, request.id, account_name, owner_key);
this.body = JSON.stringify({status: 'ok'});
});
}
router.post('/accounts_wait', koaBody, function*() {
if (rateLimitReq(this, this.req)) return;
const params = this.request.body;
const account =
typeof params === 'string' ? JSON.parse(params) : params;
const remote_ip = getRemoteIp(this.req);
if (!checkCSRF(this, account.csrf)) return;
logRequest('accounts_wait', this, { account });
const user_id = this.session.user;
try {
models.Account.create(
escAttrs({
user_id,
name: account.name,
owner_key: account.owner_key,
active_key: account.active_key,
posting_key: account.posting_key,
memo_key: account.memo_key,
remote_ip,
referrer: this.session.r,
created: false,
})
function logRequest(path, ctx, extra) {
let d = { ip: getRemoteIp(ctx.req) };
if (ctx.session) {
if (ctx.session.user) {
d.user = ctx.session.user;
}
if (ctx.session.uid) {
d.uid = ctx.session.uid;
}
if (ctx.session.a) {
d.account = ctx.session.a;
}
}
if (extra) {
Object.keys(extra).forEach(k => {
const nk = d[k] ? '_' + k : k;
d[nk] = extra[k];
});
function logRequest(path, ctx, extra) {
let d = { ip: getRemoteIp(ctx.req) };
if (ctx.session) {
if (ctx.session.user) {
d.user = ctx.session.user;
}
if (ctx.session.uid) {
d.uid = ctx.session.uid;
}
if (ctx.session.a) {
d.account = ctx.session.a;
}
}
if (extra) {
Object.keys(extra).forEach(k => {
const nk = d[k] ? '_' + k : k;
d[nk] = extra[k];
});