move origins to env; add next.js ecosystem to gitignore; fix SMS bombing & SSRF in-auth possibilities

This commit is contained in:
merelendor 2024-09-08 21:03:46 +00:00
parent f5bb389c85
commit f75709f4a1
23 changed files with 151 additions and 179 deletions

.gitignore vendored

@ -37,3 +37,4 @@ yarn-error.log*
/.vscode/
start.sh
dev.sh
ecosystem.config.js


@ -32,9 +32,6 @@ export const sendLoginFormEmail = ({ email, password, dispatch }) =>
axios.post(`${ process.env.NEXT_PUBLIC_API_HOST }/api/account/auth/email/`, { email, password })
.then((response) =>
{
//console.log("sendLoginFormEmail RESPONSE");
//console.log(response.data);
if(response.data.status === "success")
{
const cookies = new Cookies();
@ -48,14 +45,12 @@ export const sendLoginFormEmail = ({ email, password, dispatch }) =>
dispatch({ type: actionTypes.COMPANIES, data: { list: response.data.companies } });
resolve();
//Router.push('/');
window.location = "/";
})
.catch(() =>
{
reject();
});
//dispatch({ type: actionTypes.COMPANY, data: response.data.company });
}
else
{
@ -64,8 +59,6 @@ export const sendLoginFormEmail = ({ email, password, dispatch }) =>
})
.catch((error) =>
{
//console.log("error");
console.error(error);
reject();
@ -80,21 +73,12 @@ export const sendLoginFormPhone = ({ phone }) =>
axios.post(`${ process.env.NEXT_PUBLIC_SELF_API_HOST }/api/auth/phone/check`, { phone })
.then((response) =>
{
//console.log("sendLoginFormPhone RESPONSE");
//console.log(response.data);
if(response.data)
{
//console.log("DATA? ");
resolve();
}
else
{
//console.log("DATA ! ");
reject();
}
})
@ -115,9 +99,6 @@ export const sendSmsCode = ({ dispatch, phone, code }) =>
axios.post(`${ process.env.NEXT_PUBLIC_SELF_API_HOST }/api/auth/phone/code`, { phone, code })
.then((response) =>
{
//console.log("sendSmsCode RESPONSE");
//console.log(response.data);
if(response.data.status === "success")
{
const cookies = new Cookies();
@ -130,7 +111,6 @@ export const sendSmsCode = ({ dispatch, phone, code }) =>
dispatch({ type: actionTypes.USER, data: response.data.user });
resolve();
//Router.push('/');
window.location = "/";
})
.catch(() =>
@ -177,7 +157,6 @@ export const logout = ({ dispatch, redirect = true }) =>
resolve();
if(redirect)
{
//Router.push('/');
window.location = "/";
}
});
@ -185,19 +164,11 @@ export const logout = ({ dispatch, redirect = true }) =>
export const sendOffstageToken = ({ token, dispatch }) =>
{
//console.log("ACTION", "sendOffstageToken()", `${ process.env.NEXT_PUBLIC_SELF_API_HOST }/api/auth/offstage/`);
return new Promise((resolve, reject) =>
{
axios.post(`${ process.env.NEXT_PUBLIC_SELF_API_HOST }/api/auth/offstage/`, { token })
.then((response) =>
{
//console.log("sendOffstageToken RESPONSE");
//console.log(response.data);
if(response.data.status === "success")
{
const cookies = new Cookies();


@ -82,7 +82,7 @@ export default async function CRMRequest(req, res, path, method, data, log = fal
}
else
{
res.status(403);
res.status(403).send();
}
}
}


@ -101,7 +101,7 @@ export default async function CRMRequestGet({ req, res, path, params, data = und
}
else
{
res.status(403);
res.status(403).send();
}
}
}


@ -86,7 +86,7 @@ export default async function CRMRequestPost({ req, res, path, params, headers =
}
else
{
res.status(403);
res.status(403).send();
}
}
}


@ -7,9 +7,6 @@ class SmsCenter
{
static send(phoneNumber, code)
{
//console.log("SmsCenter", "propagateUser");
return new Promise((resolve, reject) =>
{
const packet = qs.stringify({
@ -22,16 +19,11 @@ class SmsCenter
fmt: 3,
});
//console.log(packet);
axios.post(SMS_API_HOST, packet, {
"Content-Type": "application/x-www-form-urlencoded"
})
.then((smsSendResponse) =>
{
//console.log(smsSendResponse.data);
resolve();
})
.catch((smsSendError) =>
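Review bot: In `axios.post(SMS_API_HOST, packet, { "Content-Type": ... })` the third argument is the axios request config, and a header key placed at its top level is ignored; it needs to be `{ headers: { "Content-Type": "application/x-www-form-urlencoded" } }`. In practice the request probably still goes out form-encoded, because axios defaults to that content type for string bodies, so this is a fix of intent rather than of a visible break. The `.then` also calls `resolve()` without looking at `smsSendResponse.data`, so a provider-side failure reported inside a 200 body would count as a sent SMS — if the gateway signals errors that way, check for them before resolving. `send` continues past the end of the hunk.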


@ -2,9 +2,6 @@ import Cors from 'cors';
function initMiddleware(middleware)
{
//console.log("CORS initMiddleware !!!!");
return (req, res) =>
new Promise((resolve, reject) =>
{
@ -20,12 +17,9 @@ function initMiddleware(middleware)
});
}
// Initialize the cors middleware
const cors = initMiddleware(
// You can read more about the available options here: https://github.com/expressjs/cors#configuration-options
Cors({
origin: ["https://localhost:3000", "http://localhost:3000", "localhost", "localhost:3000", "http://localhost", "https://lk-evo.quickcode.ru"],
// Only allow requests with GET, POST and OPTIONS
origin: JSON.parse(process.env.ORIGINS),
methods: ['GET', 'POST', 'OPTIONS'],
})
)
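Review bot: `JSON.parse(process.env.ORIGINS)` at the new `origin:` line is given three different meanings across this commit, and one value cannot satisfy all of them: the `cors` `origin` option is compared exactly against the request's `Origin` header, which carries a scheme (`https://host`), while `images.domains` in next.config.js and the `origins.indexOf(url_parser.host)` check in the bitrix file handler compare bare hosts (`host[:port]`). Whichever form ORIGINS takes, either CORS rejects every cross-origin request or the image and download allowlists match nothing. Suggest two variables, e.g. `ORIGINS` for full origins and `ALLOWED_HOSTS` for hostnames, or derive the host form with `new URL(o).host` where hostnames are needed. `JSON.parse(undefined)` also throws at module load when the variable is unset, so a clear failure such as `if(!process.env.ORIGINS) throw new Error("ORIGINS env is required");` above the `Cors({` call would help. The same applies to the next.config.js and bitrix file-handler sections below.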


@ -3,31 +3,13 @@ const withFonts = require('next-fonts');
const withLess = require("next-with-less");
const { withSentryConfig } = require("@sentry/nextjs");
console.log({ "ORIGINS": JSON.parse(process.env.ORIGINS) });
module.exports = withSentryConfig(withImages(withFonts(withLess({
images: {
domains: [ 'lk-evo.quickcode.ru', 'wow.evoleasing.ru', 'www.evoleasing.ru', 'lk.evoleasing.ru', 'evoleasing.ru', 'localhost', 'localhost:3000'],
domains: JSON.parse(process.env.ORIGINS),
},
reactStrictMode: false,
/*
async headers()
{
return [
{
source: '/api/:path*',
headers: [
{
key: 'Access-Control-Allow-Origin',
value: '*',
},
{
key: 'Access-Control-Allow-Methods',
value: 'POST, GET, OPTIONS',
}
],
},
]
},
*/
async redirects()
{
return [
@ -37,11 +19,6 @@ module.exports = withSentryConfig(withImages(withFonts(withLess({
destination: '/support/faq',
permanent: false,
},
//{
//source: '/special',
//destination: '/special/with_producer',
//permanent: true,
//},
]
},
async rewrites()
@ -88,16 +65,10 @@ module.exports = withSentryConfig(withImages(withFonts(withLess({
source: "/support/faq",
destination: "/support",
},
//{
//source: "/about/reviews/:page(\\d{1,})",
//destination: "/about/reviews",
//},
],
}
},
sentry: {
hideSourceMaps: true,
//tunnelRoute: "/errors",
// silent: true,
},
}))));
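Review bot: The `console.log({ "ORIGINS": JSON.parse(process.env.ORIGINS) })` added at the top of next.config.js runs on every config load (build, dev and start) and looks like leftover debugging; drop it, or guard it behind an explicit flag if the allowlist should be printed on purpose.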


@ -17,57 +17,72 @@ export default async function handler(req, res)
let { phone } = req.body;
phone = phone.replace(/[^0-9.]/g, '');
const response = await new Promise((resolve, reject) =>
const key = md5(`sms_code_${ phone }`);
const key_block = md5(`phone_change_sms_block_${ phone }`);
const existed_phone = await RedisClient.get(key_block);
if(existed_phone === null)
{
console.log("POST", `${ process.env.NEXT_PUBLIC_API_HOST }/api/account/auth/phone/`);
axios.post(`${ process.env.NEXT_PUBLIC_API_HOST }/api/account/auth/phone/`, {
phone: phone,
})
.then((api_response) =>
const response = await new Promise((resolve, reject) =>
{
console.log("RESPONSE");
console.log(api_response.data);
console.log("POST", `${ process.env.NEXT_PUBLIC_API_HOST }/api/account/auth/phone/`);
axios.post(`${ process.env.NEXT_PUBLIC_API_HOST }/api/account/auth/phone/`, {
phone: phone,
})
.then((api_response) =>
{
console.log("RESPONSE");
console.log(api_response.data);
resolve(api_response.data);
})
.catch((error) =>
{
console.log("error");
console.error(error);
resolve(api_response.data);
})
.catch((error) =>
{
console.log("error");
console.error(error);
reject();
});
});
console.log("CHECK response");
console.log(response);
console.log("-".repeat(50));
if(response.status === "success")
{
let code = ``;
for(let i = 0; i < 6; i++) { code = `${code}${Math.floor(Math.random()*10)}`; }
response.code = code;
const key = md5(`sms_code_${ phone }`);
await RedisClient.set(key, JSON.stringify(response), 'EX', 300);
const smsResult = await SmsCenter.send(phone, code)
.then(() =>
{
res.status(200).json({
status: "success",
reject();
});
})
.catch((error) =>
{
console.error("SmsCenter.send", "catch");
res.status(404).json();
});
console.log("CHECK response");
console.log(response);
console.log("-".repeat(50));
if(response.status === "success")
{
await RedisClient.set(key_block, key_block, 'EX', 60);
let code = ``;
for(let i = 0; i < 6; i++) { code = `${ code }${ Math.floor(Math.random() * 10) }`; }
response.code = code;
await RedisClient.set(key, JSON.stringify(response), 'EX', 300);
await SmsCenter.send(phone, code)
.then(() =>
{
res.status(200).json({
status: "success",
});
})
.catch((error) =>
{
console.error("SmsCenter.send", "catch");
res.status(404).json();
});
}
else
{
res.status(404).json();
}
}
else
{
res.status(404).json();
res.status(200).json({
status: "await",
});
}
}
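Review bot: The new throttle at `existed_phone === null` followed later by `RedisClient.set(key_block, key_block, 'EX', 60)` is a read-then-write, so concurrent requests for the same number can all observe `null` and each send an SMS before any of them sets the block; make the reservation atomic with a NX set, e.g. `const acquired = await RedisClient.set(key_block, key_block, 'EX', 60, 'NX');` and proceed only when it returns `'OK'` (ioredis signature — adjust if the client differs). The block is also written only after `response.status === "success"`, so the upstream `/api/account/auth/phone/` call is still made once per request; reserving the key before the `axios.post` protects that quota too. The value built at `Math.floor(Math.random() * 10)` is a login OTP, so it should come from a CSPRNG: `crypto.randomInt(0, 1000000).toString().padStart(6, '0')` with `import crypto from 'crypto';`. A per-phone window only protects recipients, not the SMS budget across distinct numbers, so a per-client limit is still needed, and the same get-then-set and `Math.random` pattern appears in the phone-change handler further down. handler's body starts outside the hunk.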


@ -34,18 +34,18 @@ export default async function handler(req, res)
.catch((error) =>
{
console.error(error);
res.status(500);
res.status(500).send();
});
}
catch(e)
{
console.error(e);
res.status(500);
res.status(500).send();
}
}
else
{
res.status(403);
res.status(403).send();
}
}
}


@ -18,24 +18,39 @@ export default async function handler(req, res)
let { email, phone } = req.body;
phone = phone.replace(/[^0-9.]/g, '');
let code = ``;
for(let i = 0; i < 6; i++) { code = `${code}${Math.floor(Math.random()*10)}`; }
const key = md5(`phone_change_sms_code_${ phone }`);
await RedisClient.set(key, JSON.stringify({
email, phone, code
}), 'EX', 300);
const key_block = md5(`phone_change_sms_block_${ phone }`);
const smsResult = await SmsCenter.send(phone, code)
.then(() =>
const existed_phone = await RedisClient.get(key_block);
if(existed_phone === null)
{
await RedisClient.set(key_block, key_block, 'EX', 60);
let code = ``;
for(let i = 0; i < 6; i++) { code = `${ code }${ Math.floor(Math.random() * 10) }`; }
await RedisClient.set(key, JSON.stringify({
email, phone, code
}), 'EX', 300);
await SmsCenter.send(phone, code)
.then(() =>
{
res.status(200).json({
status: "success",
});
})
.catch((error) =>
{
console.error("SmsCenter.send", "catch");
res.status(404).json();
});
}
else
{
res.status(200).json({
status: "success",
status: "await",
});
})
.catch((error) =>
{
console.error("SmsCenter.send", "catch");
res.status(404).json();
});
}
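Review bot: The block key `md5(\`phone_change_sms_block_${ phone }\`)` here is the same key the login phone-check handler in this commit now uses, so the two flows share one 60-second window per number: a login SMS request makes a phone-change request for that number answer `status: "await"`, and vice versa. If that coupling is not intended, give the login handler its own prefix (e.g. `login_sms_block_`). handler's body starts outside the hunk.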
}


@ -51,18 +51,18 @@ export default async function handler(req, res)
.catch((error) =>
{
console.error(error);
res.status(500);
res.status(500).send();
});
}
catch(e)
{
console.error(e);
res.status(500);
res.status(500).send();
}
}
else
{
res.status(403);
res.status(403).send();
}
}
}


@ -20,30 +20,43 @@ export default async function handler(req, res)
try
{
console.log("API", "file", "bitrix", "url", req.query.url);
const url = req.query.url;
axios.get(url, {
responseType: 'arraybuffer',
})
.then((bitrix_response) =>
const url_parser = new URL(url);
const origins = JSON.parse(process.env.ORIGINS);
if(origins.indexOf(url_parser.host) > -1)
{
res.status(200).send(bitrix_response.data);
})
.catch((error) =>
axios.get(url, {
responseType: 'arraybuffer',
})
.then((bitrix_response) =>
{
res.status(200).send(bitrix_response.data);
})
.catch((error) =>
{
console.error(error);
res.status(500).send();
});
}
else
{
console.error(error);
res.status(500);
});
console.error("API", "file", "bitrix", "url", "wrong URL for file downloading", url);
res.status(403).send();
}
}
catch(e)
{
console.error(e);
res.status(500);
res.status(403).send();
}
}
}
else
{
res.status(403);
res.status(403).send();
}
}
}
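Review bot: The new allowlist check at `origins.indexOf(url_parser.host) > -1` validates only the host of the initial request, but axios follows redirects by default (`maxRedirects` is 5), so an allowlisted host that answers with a redirect is followed to wherever it points and the check is bypassed; pass `maxRedirects: 0` in the axios config, and restrict `url_parser.protocol` to `'https:'` so the scheme is not left to the caller either. The comparison uses `host` (`hostname[:port]`), so ORIGINS entries must be written in exactly that form to match (see the note on the CORS section). The `catch(e)` at the bottom now returns 403 for every exception, including a failing `JSON.parse(process.env.ORIGINS)`, which presents a server misconfiguration as a client error; keep `res.status(500).send()` there and return 403 only from a dedicated `try { new URL(url) }` around the parse. handler's body starts outside the hunk.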


@ -36,18 +36,18 @@ export default async function handler(req, res)
.catch((error) =>
{
console.error(error);
res.status(500);
res.status(500).send();
});
}
catch(e)
{
console.error(e);
res.status(500);
res.status(500).send();
}
}
else
{
res.status(403);
res.status(403).send();
}
}
}


@ -40,18 +40,18 @@ export default async function handler(req, res)
.catch((error) =>
{
console.error(error);
res.status(500);
res.status(500).send();
});
}
catch(e)
{
console.error(e);
res.status(500);
res.status(500).send();
}
}
else
{
res.status(403);
res.status(403).send();
}
}
}


@ -36,18 +36,18 @@ export default async function handler(req, res)
.catch((error) =>
{
console.error(error);
res.status(500);
res.status(500).send();
});
}
catch(e)
{
console.error(e);
res.status(500);
res.status(500).send();
}
}
else
{
res.status(403);
res.status(403).send();
}
}
}


@ -34,18 +34,18 @@ export default async function handler(req, res)
.catch((error) =>
{
console.error(error);
res.status(500);
res.status(500).send();
});
}
catch(e)
{
console.error(e);
res.status(500);
res.status(500).send();
}
}
else
{
res.status(403);
res.status(403).send();
}
}
}


@ -34,18 +34,18 @@ export default async function handler(req, res)
.catch((error) =>
{
console.error(error);
res.status(500);
res.status(500).send();
});
}
catch(e)
{
console.error(e);
res.status(500);
res.status(500).send();
}
}
else
{
res.status(403);
res.status(403).send();
}
}
}


@ -36,22 +36,22 @@ export default async function handler(req, res)
catch(e)
{
//console.error(e);
res.status(500);
res.status(500).send();
}
})
.catch((error) =>
{
//console.error(error);
res.status(500);
res.status(500).send();
});
}
else
{
res.status(403);
res.status(403).send();
}
}
else
{
res.status(403);
res.status(403).send();
}
}


@ -10,5 +10,5 @@ export default async function handler(req, res)
{
//await cors(req, res);
res.status(200);
res.status(200).send();
}


@ -113,13 +113,13 @@ export default async function handler(req, res)
}
else
{
res.status(403);
res.status(403).send();
resolve();
}
}
else
{
res.status(403);
res.status(403).send();
resolve();
}
});


@ -54,7 +54,7 @@ export default async function handler(req, res)
}
else
{
res.status(403);
res.status(403).send();
}
}
}


@ -63,7 +63,7 @@ export default async function handler(req, res)
}
else
{
res.status(403);
res.status(403).send();
}
}
}