/*
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */

6import { type Request, type Response, type NextFunction } from 'express'7import { UserModel } from '../models/user'8import challengeUtils = require('../lib/challengeUtils')9
10import * as utils from '../lib/utils'11const security = require('../lib/insecurity')12const cache = require('../data/datacache')13const challenges = cache.challenges14
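/**
 * Express route factory: stores the caller's IP address as `lastLoginIp` on the
 * authenticated user's record and echoes the updated user back as JSON.
 *
 * The address is read from the `true-client-ip` request header, i.e. from
 * client-controlled input. While `httpHeaderXssChallenge` is enabled the raw
 * header value is stored unchanged (that is the challenge); otherwise it is
 * passed through `security.sanitizeSecure` first. When no header is present
 * the socket's remote address is used instead.
 *
 * Responses: 200 with the updated user; 401 when the request carries no
 * authenticated user; 404 when the authenticated id no longer maps to a user
 * row. Any lookup/persistence error is forwarded to `next`.
 */
module.exports = function saveLoginIp () {
  return async (req: Request, res: Response, next: NextFunction) => {
    try {
      const loggedInUser = security.authenticatedUsers.from(req)
      if (loggedInUser === undefined) {
        res.sendStatus(401)
        return
      }

      // Header values are string | string[] | undefined; a repeated header is
      // folded the same way the former `?.toString()` did (comma-joined).
      const rawHeader = req.headers['true-client-ip']
      let lastLoginIp: string | undefined = Array.isArray(rawHeader) ? rawHeader.join(',') : rawHeader

      if (utils.isChallengeEnabled(challenges.httpHeaderXssChallenge)) {
        // Intentionally vulnerable: the unsanitized header value is what gets stored.
        challengeUtils.solveIf(challenges.httpHeaderXssChallenge, () => { return lastLoginIp === '<iframe src="javascript:alert(`xss`)">' })
      } else if (lastLoginIp !== undefined) {
        // Sanitize only a present value, so an absent header still falls through
        // to the socket address below instead of whatever the sanitizer returns
        // for undefined.
        lastLoginIp = security.sanitizeSecure(lastLoginIp)
      }

      if (lastLoginIp === undefined) {
        // remoteAddress is `string | undefined`; narrowing it here is presumably
        // what the previous `@ts-expect-error FIXME` on this call was papering over.
        const remoteAddress = req.socket.remoteAddress
        if (remoteAddress !== undefined) {
          lastLoginIp = utils.toSimpleIpAddress(remoteAddress)
        }
      }

      const user = await UserModel.findByPk(loggedInUser.data.id)
      if (user === null) {
        // Previously neither a response nor next() was produced on this path,
        // so the request hung until the client timed out.
        res.sendStatus(404)
        return
      }
      const updatedUser = await user.update({ lastLoginIp })
      res.json(updatedUser)
    } catch (error: unknown) {
      next(error)
    }
  }
}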