updated security
This commit is contained in:
parent
91d052a46a
commit
8a8992451a
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -4,4 +4,4 @@ node_modules/
|
|||
|
||||
certs/
|
||||
|
||||
/pass.json
|
||||
json/user.json
|
|
@ -96,6 +96,28 @@
|
|||
return (promise)
|
||||
}
|
||||
let pub = ''
|
||||
function setCookie(name, value, days) {
|
||||
var expires = "";
|
||||
if (days) {
|
||||
var date = new Date();
|
||||
date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
|
||||
expires = "; expires=" + date.toUTCString();
|
||||
}
|
||||
document.cookie = name + "=" + (value || "") + expires + "; path=/";
|
||||
}
|
||||
function getCookie(name) {
|
||||
var nameEQ = name + "=";
|
||||
var ca = document.cookie.split(';');
|
||||
for (var i = 0; i < ca.length; i++) {
|
||||
var c = ca[i];
|
||||
while (c.charAt(0) == ' ') c = c.substring(1, c.length);
|
||||
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
function eraseCookie(name) {
|
||||
document.cookie = name + '=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;';
|
||||
}
|
||||
function submit() {
|
||||
//{body:{json:boolean,enc:boolean,data:string,sid:keyof keyring}}
|
||||
var xhr = new XMLHttpRequest();
|
||||
|
@ -107,6 +129,11 @@
|
|||
if (JSON.parse(xhr.responseText).html) {
|
||||
document.body.innerHTML = dec
|
||||
}
|
||||
if (JSON.parse(xhr.responseText).json && JSON.parse(xhr.responseText).type == 'key') {
|
||||
let decc = new TextDecoder().decode(dec)
|
||||
//console.log(JSON.parse(decc))
|
||||
setCookie('login_key', JSON.parse(decc).login_key, 7)
|
||||
}
|
||||
}
|
||||
}
|
||||
let user = document.getElementById('user').value
|
||||
|
|
|
@ -3,12 +3,45 @@
|
|||
<head>
|
||||
<title>mail</title>
|
||||
<script src="/src/bundle.js"></script>
|
||||
<style>
|
||||
.split {
|
||||
height: 100%;
|
||||
width: 50%;
|
||||
position: fixed;
|
||||
z-index: 1;
|
||||
top: 0;
|
||||
overflow-x: hidden;
|
||||
padding-top: 20px;
|
||||
}
|
||||
</style>
|
||||
</head>
|
||||
|
||||
<body onload="load()">
|
||||
<script>
|
||||
const sid = makeid(20)
|
||||
window.sid = sid
|
||||
function setCookie(name, value, days) {
|
||||
var expires = "";
|
||||
if (days) {
|
||||
var date = new Date();
|
||||
date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
|
||||
expires = "; expires=" + date.toUTCString();
|
||||
}
|
||||
document.cookie = name + "=" + (value || "") + expires + "; path=/";
|
||||
}
|
||||
function getCookie(name) {
|
||||
var nameEQ = name + "=";
|
||||
var ca = document.cookie.split(';');
|
||||
for (var i = 0; i < ca.length; i++) {
|
||||
var c = ca[i];
|
||||
while (c.charAt(0) == ' ') c = c.substring(1, c.length);
|
||||
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
function eraseCookie(name) {
|
||||
document.cookie = name + '=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;';
|
||||
}
|
||||
function makeid(length) {
|
||||
var result = '';
|
||||
var characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
|
||||
|
@ -63,13 +96,18 @@
|
|||
let emails = []
|
||||
function update() {
|
||||
//console.log('hi')
|
||||
sendenc('/get', { 'user': 'root', 'pass': 'password' }).then(res => {
|
||||
sendenc('/get', { 'user': 'root', 'pass': 'password', 'requested': 0, 'login_key': getCookie('login_key') }).then(res => {
|
||||
res = JSON.parse(res)
|
||||
console.log('parsed')
|
||||
emails = res.reverse()
|
||||
})
|
||||
}
|
||||
let mypriv, mypub, pub, kekw
|
||||
let preview = -1
|
||||
async function lm(index) {
|
||||
console.log()
|
||||
document.getElementById('view').innerHTML = emails[index]['body[1]']
|
||||
}
|
||||
async function load() {
|
||||
|
||||
kekw = await nodersa({ b: 512 })
|
||||
|
@ -87,7 +125,7 @@
|
|||
c = '#395B64'
|
||||
}
|
||||
evo = !evo
|
||||
ret += '<div style="color:#A5C9CA;border-radius:10px;max-width:50%;min-width:400px;padding:20px;background-color:' + c + ';">'
|
||||
ret += '<div onclick="lm(' + emails.indexOf(email) + ')" style="color:#A5C9CA;border-radius:10px;max-width:40%;min-width:400px;padding:20px;background-color:' + c + ';">'
|
||||
ret += '<tt><b><font size="4">sub:' + email.envelope.subject + '</font></b></br>frm:' + email.envelope.from[0].address + '</br><sub style="color:#E7F6F2;">' + email.envelope.date + '</sub></tt></br></div><div style="height:2px;"></div>'
|
||||
}
|
||||
|
||||
|
@ -97,6 +135,11 @@
|
|||
//<button onclick="update()">update mail</button>
|
||||
</script>
|
||||
<div id="emails"></div>
|
||||
<div id="box" class="split" style="background-color:red;right:0;margin:40px;">
|
||||
<div id="view">
|
||||
fneoutvbnoruitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>uitnvorntvo</br>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
||||
|
||||
|
|
91
index.ts
91
index.ts
|
@ -1,4 +1,4 @@
|
|||
import { readFileSync } from "fs"
|
||||
import { readFileSync, writeFileSync } from "fs"
|
||||
var privateKey = readFileSync('certs/selfsigned.key', 'utf8');
|
||||
var certificate = readFileSync('certs/selfsigned.crt', 'utf8');
|
||||
var http = require('http');
|
||||
|
@ -12,10 +12,35 @@ app.use(bodyParser.urlencoded({ extended: false }));
|
|||
app.use(bodyParser.json());
|
||||
const NodeRSA = require('node-rsa');
|
||||
var ip = require("ip")
|
||||
var crypt = require('crypto');
|
||||
|
||||
const IV = "5183666c72eec9e4"; //!not really sure what this is lol
|
||||
//TODO: learn what IV is
|
||||
var encrypt = ((val:any,ENC_KEY:any) => {
|
||||
let cipher = crypt.createCipheriv('aes-256-cbc', ENC_KEY, IV);
|
||||
let encrypted = cipher.update(val, 'utf8', 'base64');
|
||||
encrypted += cipher.final('base64');
|
||||
return encrypted;
|
||||
});
|
||||
var decrypt = ((encrypted:any,ENC_KEY:any) => {
|
||||
try{
|
||||
let decipher = crypt.createDecipheriv('aes-256-cbc', ENC_KEY, IV);
|
||||
let decrypted = decipher.update(encrypted, 'base64', 'utf8');
|
||||
return (decrypted + decipher.final('utf8'));
|
||||
} catch(err){
|
||||
return('false')
|
||||
}
|
||||
});
|
||||
//
|
||||
function log(m:any){
|
||||
var date = new Date;
|
||||
console.log('['+date.getHours()+':'+date.getMinutes()+':'+date.getSeconds()+'] ' + m.toString())
|
||||
}
|
||||
function d(){
|
||||
var date = new Date;
|
||||
return(date.getHours()+''+date.getMinutes()+''+date.getSeconds())
|
||||
|
||||
}
|
||||
interface keyring{
|
||||
[sid: string]: {
|
||||
mypub:string,
|
||||
|
@ -26,24 +51,37 @@ interface keyring{
|
|||
let keyring = {} as keyring
|
||||
let key:any;
|
||||
var ImapClient = require('emailjs-imap-client').default
|
||||
let pass = JSON.parse(readFileSync('pass.json').toString()).pass
|
||||
//let pass = JSON.parse(readFileSync('pass.json').toString()).pass
|
||||
|
||||
app.post('/mail/get',(req:any,res:any)=>{
|
||||
var client = new ImapClient('disroot.org', 993, {
|
||||
const key = new NodeRSA({b: 1024})
|
||||
|
||||
key.importKey(keyring[req.body.sid].mypriv,'pkcs1-private')
|
||||
let dec:any = JSON.parse((atob(key.decrypt(req.body.data,'base64','base64'))))
|
||||
//console.log(key)
|
||||
//console.log(dec.data.login_key)
|
||||
let users = JSON.parse(readFileSync('json/user.json').toString())
|
||||
let logkey,mail
|
||||
for(let user of users){
|
||||
//console.log(user,dec)
|
||||
if(user.name==dec.data.user){
|
||||
logkey = (decrypt(user.login_key,dec.data.login_key))
|
||||
mail =JSON.parse(decrypt(user.mail,logkey)).emails[parseInt(dec.data.requested)]
|
||||
}
|
||||
}
|
||||
//console.log(JSON.parse(decrypt(users[0].mail,logkey)).emails)
|
||||
var client = new ImapClient(mail.host, parseInt(mail.port), {
|
||||
auth: {
|
||||
user: 'grantsquires',
|
||||
pass: pass
|
||||
user: mail.address,
|
||||
pass: mail.creds
|
||||
}
|
||||
});
|
||||
client.connect().then(()=>{
|
||||
//['uid', 'flags','envelope'] for just header stuff
|
||||
//['uid', 'flags','envelope','body']
|
||||
//body 0 is plani, 1 is html
|
||||
client.listMessages('INBOX', '1:*', ['uid', 'flags','envelope','bodystructure'/*,'body[1]'*/]).then((messages:any) => {
|
||||
//console.log(messages[2]['body[]'])
|
||||
client.listMessages('INBOX', '1:*', ['uid', 'flags','envelope','bodystructure','body[1]' ]).then((messages:any) => {
|
||||
const skey = new NodeRSA()
|
||||
console.log(keyring[req.body.sid])
|
||||
//res.send(JSON.stringify({'data':'hello'}))
|
||||
skey.importKey(keyring[req.body.sid].theirpub,'pkcs8-public')
|
||||
res.send(JSON.stringify({data:skey.encrypt(JSON.stringify(messages),'base64'),enc:true,html:true}))
|
||||
client.close()
|
||||
|
@ -58,10 +96,13 @@ app.get('/mail', (req:any, res:any) => {
|
|||
var httpServer = http.createServer(app);
|
||||
var credentials = {key: privateKey, cert: certificate};
|
||||
var httpsServer = https.createServer(credentials, app);
|
||||
httpServer.listen(80,'0.0.0.0', () => {
|
||||
app.listen(8080,()=>{
|
||||
log(`kanna is local http://${ip.address()}:8080`)
|
||||
})
|
||||
httpServer.listen(80, () => {
|
||||
log(`kanna is on http://${ip.address()} click on me click on me! :3`)
|
||||
})
|
||||
httpsServer.listen(443,'0.0.0.0', () => {
|
||||
httpsServer.listen(443, () => {
|
||||
log(`kanna is secure now too!! https://${ip.address()}`)
|
||||
})
|
||||
//end
|
||||
|
@ -89,7 +130,7 @@ app.post('/pub.key', async (req:{body:{json:boolean,sid:keyof keyring,pub:string
|
|||
mypub:key.exportKey('pkcs8-public'),
|
||||
theirpub:req.body.pub}
|
||||
res.send(key.exportKey('pkcs8-public'))
|
||||
console.log(keyring)
|
||||
//console.log(keyring)
|
||||
}
|
||||
})
|
||||
|
||||
|
@ -102,12 +143,34 @@ app.post('/login/submit', async (req:{body:{json:boolean,enc:boolean,data:string
|
|||
let users = JSON.parse(readFileSync('json/user.json').toString())
|
||||
for(let user of users){
|
||||
let use=user as typeof users
|
||||
if(user.name==dec.user&&user.pass==dec.pass){
|
||||
let hash = crypt.createHash('md5').update(dec.pass).digest('hex');
|
||||
if(user.name==dec.user&&hash==decrypt(user.hash,hash)){
|
||||
|
||||
const skey = new NodeRSA()
|
||||
skey.importKey(keyring[req.body.sid].theirpub,'pkcs8-public')
|
||||
res.send(JSON.stringify({data:skey.encrypt('<h1>hello!</h1>','base64'),enc:true,html:true}))
|
||||
let logkey = crypt.createHash('md5').update(crypt.randomBytes(64).toString('hex')).digest('hex')
|
||||
res.send(JSON.stringify({data:skey.encrypt(JSON.stringify({login_key:logkey}),'base64'),enc:true,html:false,json:true,type:'key'}))
|
||||
users[users.indexOf(user)].login_key = encrypt(hash,logkey)
|
||||
console.log(users[users.indexOf(user)].login_key,logkey,hash)
|
||||
//console.log(users)
|
||||
writeFileSync('./json/user.json',JSON.stringify(users))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
/*let l = (encrypt(JSON.stringify({
|
||||
'emails':[{
|
||||
'address':'grantsquires@disroot.org',
|
||||
'host':'disroot.org',
|
||||
'port':'993',
|
||||
'creds':pass,
|
||||
'salt':crypt.randomBytes(64).toString('hex')
|
||||
}], //how much salt do you want? 'all of it'
|
||||
'salt':[
|
||||
d(),crypt.randomBytes(64).toString('hex'),crypt.randomBytes(64).toString('base64'),d()
|
||||
],
|
||||
'storage':'./storage/'+user.name,
|
||||
|
||||
}),hash))
|
||||
*/
|
||||
|
||||
|
|
11
json/user.example.json
Normal file
11
json/user.example.json
Normal file
|
@ -0,0 +1,11 @@
|
|||
[
|
||||
{
|
||||
"name": "root",
|
||||
"hash": "OTVYg/fHYeVbtyrusPl8fV+zQcp1ImjzbP+3Cy+3lk14fl2icYhzlULKtbTpOx4E",
|
||||
"sudo": true,
|
||||
"last_login": "",
|
||||
"alias": "root",
|
||||
"login_key": "",
|
||||
"mail": ""
|
||||
}
|
||||
]
|
|
@ -1,8 +1 @@
|
|||
[{
|
||||
"name":"root",
|
||||
"pass":"password",
|
||||
"sudo":true,
|
||||
"last_login":"",
|
||||
"alias":"root",
|
||||
"login_key":""
|
||||
}]
|
||||
[{"name":"root","hash":"OTVYg/fHYeVbtyrusPl8fV+zQcp1ImjzbP+3Cy+3lk14fl2icYhzlULKtbTpOx4E","sudo":true,"last_login":"","alias":"root","login_key":"Q67f8ylkefiCao2ykXV/wDJvgeNLuVK+7FzRdiWK/Ap4gPZzV8L3hndX3PgU3YeW","mail":"X2vLkGESm6Q8owhEH5RR99g9Fb5ukZ5f0+ZbjF/oFLhF+uoAnRRjXxrzUYwFR8b688xG2zKWUx30xEoRkvB24HkDLXf6BW3kB+dWtIltdROnyNlZIyZIfPaZJ6z+XNz53xPFj6MwIwfbexQFLVz8sVzdRaKr27qvYQrI+ubrwK8nRvrErbTTMzjjsVwiqvvNWGs5L4i8VThvQ9iyVfH+ZLpeabd/CfesbntqWtzt86dBU5Z7ZS2Is5klHqnjk1zUUTXEfegqsQYXFXkb0EykfP1adfLrxmd5s/4QIGIRDBPIGYAqzSvXC1wyRkDKZwL/qmde/0rSqeSZej1JazAYQXwLxez/c80buTHaJGvlGT8dt3IpSYHGBbKG8SYAixqSChiJOodT1hcc00YVLWu+pFSWsCgCBkTjteVbI0OEOQG4O9hr+7ccTA465TYpsFRoN1WyB+s5psTADmYahuFV+OIq6etCNh4qi/Y7cN9rk3sbBZeLQr7LrROXwpeAx7aUiT/m7O1yjuNgsdjYexk/6tr54qLmE8H1+qFPq3kj4j0VjKiC+8SLaW7QkCjnra7ZXuFlYmZ8+uH0cSZLz4/Ok79gaXIeYhfqMl4J8fSElMnLurbF22fVE2NcVUyL1H6ixwpcJJ/qXrCxchBR9OdjfVhbrhD9bwbJ5jE1di9mz0grwa28E9hiKN4Wbw2QPQmU"}]
|
|
@ -18,11 +18,15 @@
|
|||
},
|
||||
"homepage": "https://github.com/squiresgrant/kanna-site#readme",
|
||||
"dependencies": {
|
||||
"bcrypt": "^5.1.0",
|
||||
"bcryptjs": "^2.4.3",
|
||||
"body-parser": "^1.20.0",
|
||||
"express": "^4.18.1",
|
||||
"fs": "^0.0.1-security",
|
||||
"ip": "^1.1.8",
|
||||
"node-rsa": "^1.1.1"
|
||||
"md5": "^2.3.0",
|
||||
"node-rsa": "^1.1.1",
|
||||
"openpgp": "^5.5.0"
|
||||
},
|
||||
"devDependencies": {
|
||||
"emailjs-imap-client": "^3.1.0"
|
||||
|
|
Loading…
Reference in a new issue