juice-shop

1
/*
2
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3
 * SPDX-License-Identifier: MIT
4
 */
5

6
import { type Request, type Response, type NextFunction } from 'express'
7
import { ImageCaptchaModel } from '../models/imageCaptcha'
8
import { Op } from 'sequelize'
9

10
const svgCaptcha = require('svg-captcha')
11
const security = require('../lib/insecurity')
12

13
function imageCaptchas () {
14
  return (req: Request, res: Response) => {
15
    const captcha = svgCaptcha.create({ size: 5, noise: 2, color: true })
16

17
    const imageCaptcha = {
18
      image: captcha.data,
19
      answer: captcha.text,
20
      UserId: security.authenticatedUsers.from(req).data.id
21
    }
22
    const imageCaptchaInstance = ImageCaptchaModel.build(imageCaptcha)
23
    imageCaptchaInstance.save().then(() => {
24
      res.json(imageCaptcha)
25
    }).catch(() => {
26
      res.status(400).send(res.__('Unable to create CAPTCHA. Please try again.'))
27
    })
28
  }
29
}
30

31
imageCaptchas.verifyCaptcha = () => (req: Request, res: Response, next: NextFunction) => {
32
  const user = security.authenticatedUsers.from(req)
33
  const UserId = user ? user.data ? user.data.id : undefined : undefined
34
  ImageCaptchaModel.findAll({
35
    limit: 1,
36
    where: {
37
      UserId,
38
      createdAt: {
39
        [Op.gt]: new Date(Date.now() - 300000)
40
      }
41
    },
42
    order: [['createdAt', 'DESC']]
43
  }).then(captchas => {
44
    if (!captchas[0] || req.body.answer === captchas[0].answer) {
45
      next()
46
    } else {
47
      res.status(401).send(res.__('Wrong answer to CAPTCHA. Please try again.'))
48
    }
49
  }).catch(() => {
50
    res.status(401).send(res.__('Something went wrong while submitting CAPTCHA. Please try again.'))
51
  })
52
}
53

54
module.exports = imageCaptchas
55