juice-shop

1
/*
2
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3
 * SPDX-License-Identifier: MIT
4
 */
5

6
import { type Request, type Response, type NextFunction } from 'express'
7
import { UserModel } from '../models/user'
8
import challengeUtils = require('../lib/challengeUtils')
9

10
import * as utils from '../lib/utils'
11
const security = require('../lib/insecurity')
12
const cache = require('../data/datacache')
13
const challenges = cache.challenges
14

15
module.exports = function saveLoginIp () {
16
  return (req: Request, res: Response, next: NextFunction) => {
17
    const loggedInUser = security.authenticatedUsers.from(req)
18
    if (loggedInUser !== undefined) {
19
      let lastLoginIp = req.headers['true-client-ip']
20
      if (utils.isChallengeEnabled(challenges.httpHeaderXssChallenge)) {
21
        challengeUtils.solveIf(challenges.httpHeaderXssChallenge, () => { return lastLoginIp === '<iframe src="javascript:alert(`xss`)">' })
22
      } else {
23
        lastLoginIp = security.sanitizeSecure(lastLoginIp)
24
      }
25
      if (lastLoginIp === undefined) {
26
        // @ts-expect-error FIXME types not matching
27
        lastLoginIp = utils.toSimpleIpAddress(req.socket.remoteAddress)
28
      }
29
      UserModel.findByPk(loggedInUser.data.id).then((user: UserModel | null) => {
30
        user?.update({ lastLoginIp: lastLoginIp?.toString() }).then((user: UserModel) => {
31
          res.json(user)
32
        }).catch((error: Error) => {
33
          next(error)
34
        })
35
      }).catch((error: Error) => {
36
        next(error)
37
      })
38
    } else {
39
      res.sendStatus(401)
40
    }
41
  }
42
}
43