Security additions

sample-verify2_sms_silent_auth-node.code-workspace

@@ -0,0 +1,8 @@
+{
+	"folders": [
+		{
+			"path": "."
+		}
+	],
+	"settings": {}
+}

src/app.js

@@ -6,7 +6,6 @@ if (!process.env.VONAGE_APPLICATION_ID || !process.env.VONAGE_PRIVATE_KEY_PATH)
   process.exit(1);
 }
 
-
 import Express from 'express';
 const app = Express();
 
@@ -17,7 +16,6 @@ app.set('view engine', 'ejs');
 app.set('views', 'src/views');
 
 app.use(Express.static('public'))
-
 app.use(Express.urlencoded({ extended: true }));
 
 app.get('/', (req, res) => { res.render('index') });
@@ -27,14 +25,12 @@ app.get('/sms', smsIndex);
 app.use('/sms/start', smsStart);
 app.use('/sms/check', smsCheck);
 
-
 import { silentIndex, silentStart, silentCallback, silentCheck } from './routes/silent.js';
 app.get('/silent', silentIndex);
 app.use('/silent/start', silentStart);
 app.use('/silent/callback', silentCallback);
 app.use('/silent/check', silentCheck);
 
-
 app.all('*', (req, res) => {
   res.status(404).json({
     status: 404,

src/routes/silent.js

@@ -8,13 +8,12 @@ dotenv.config();
 
 const privateKeyPath = path.join(process.env.VONAGE_PRIVATE_KEY_PATH);
 const privateKey = fs.readFileSync(privateKeyPath, 'utf8').toString();
-
+const silentAuthChecks = [];
 
 export const silentIndex = async (req, res) => {
   res.render('silent');
 };
 
-
 export const silentStart = async (req, res) => {
   const { number, redirect_url } = req.body;
   if (!number) {
@@ -35,34 +34,50 @@ export const silentStart = async (req, res) => {
       },
     );
 
-    if (data.request_id && data.check_url) {
-      res.redirect(data.check_url);
-    } else {
+    if (!data.request_id || !data.check_url) {
       res.render('silent', { error: 'Something went wrong' });
+      return;
     }
+
+    const randomSilentAuthId = Math.random();
+    silentAuthChecks.push({ 'id' : randomSilentAuthId, 'requestId' : data.request_id })
+    res.cookie('session_data', randomSilentAuthId, {'maxAge' : 6000})
+    res.redirect(data.check_url)
   } catch (error) {
     console.log(error);
     res.render('silent', { error: error.message });
   }
 };
 
-
 export const silentCallback = async (req, res) => {
   res.render('silent_callback');
 };
 
-
 export const silentCheck = async (req, res) => {
   const request_id = req.query.request_id;
+  const sessionId = req.cookies.session_data;
+
+  const { requestId } = silentAuthChecks.find(({ id }) => `${id}` === `${sessionId}`) || {}
+  console.log(requestId, request_id);
+
+  // XSS Check
+  if (request_id !== requestId) {
+    res.render('silent', {
+      error: 'Something went wrong. Please try again. 1'
+    });
+    return;
+  }
+
   const code = req.query.code;
   console.log('silentCheck', request_id, code);
 
-  if (!request_id || !code) {
+  if (!code) {
     res.render('silent', {
       error: 'Something went wrong. Please try again.'
     });
     return;
   }
+
   const jwtToken = tokenGenerate(
     process.env.VONAGE_APPLICATION_ID,
     privateKey

src/views/silent_callback.ejs

@@ -7,9 +7,9 @@
 <div class="p-4 text-green-500" id="notice"></div>
 
 <script>
-document.addEventListener('DOMContentLoaded', () => {
-  console.log('DOM Loaded')
-  const url = new URL(window.location.href);
+  document.addEventListener('DOMContentLoaded', () => {
+    console.log('DOM Loaded')
+    const url = new URL(window.location.href);
   document.getElementById('url').innerHTML = url.toString();
   const params = new URLSearchParams(url.hash.substring(1));
   document.getElementById('notice').innerHTML = params.toString();
@@ -22,7 +22,6 @@ document.addEventListener('DOMContentLoaded', () => {
   } else {
     const request_id = params.get('request_id');
     const code = params.get('code');
-    // document.getElementById('url').innerHTML = window.location.origin + '/silent/check?request_id=' + request_id + '&code=' + code
     window.location.href = window.location.origin + '/silent/check?request_id=' + request_id + '&code=' + code;
   }
 })