/ var / www / html / greenpreneurs / api / middleware / [ HOME SHELL ]

Name	Size	Permission
inputValidation.js	6.52 KB	-rw-r--r--
loginAttempts.js	1.73 KB	-rw-r--r--
sessionTimeout.js	862 B	-rw-r--r--

Code Editor : inputValidation.js

import { validationResult } from 'express-validator';
import crypto from 'crypto';

// Define input length limits
const INPUT_LIMITS = {
    username: { min: 3, max: 30 },
    email: { min: 5, max: 100 },
    password: { min: 8, max: 100 },
    title: { min: 1, max: 100 },
    content: { min: 1, max: 10000 },
    comment: { min: 1, max: 500 },
    search: { min: 1, max: 100 },
    bio: { min: 0, max: 500 },
    location: { min: 0, max: 100 },
    website: { min: 0, max: 200 },
    phone: { min: 0, max: 20 },
    otp: { min: 6, max: 6 }
};

// Define SQL injection patterns to block
const SQL_INJECTION_PATTERNS = [
    /['"]/, // Single and double quotes
    /--/, // SQL comments
    /;/, // Statement termination
    /\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE)\b/i, // SQL keywords
    /\/\*.*\*\//, // SQL block comments
    /xp_cmdshell/, // Dangerous SQL commands
    /exec\s*\(/i, // Execution commands
    /sp_/i, // Stored procedures
    /@@/ // System variables
];

// Define allowed characters for different input types
const ALLOWED_PATTERNS = {
    username: /^[a-zA-Z0-9_-]+$/,
    email: /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/,
    password: /^[a-zA-Z0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]+$/,
    title: /^[a-zA-Z0-9\s.,!?-]+$/,
    content: /^[\s\S]+$/, // Allow all characters for content
    comment: /^[a-zA-Z0-9\s.,!?-]+$/,
    search: /^[a-zA-Z0-9\s.,!?-]+$/,
    bio: /^[\s\S]+$/,
    location: /^[a-zA-Z0-9\s.,-]+$/,
    website: /^[a-zA-Z0-9-._~:/?#[\]@!$&'()*+,;=]+$/,
    phone: /^[0-9+\s()-]+$/,
    otp: /^[0-9]+$/
};

// Function to check for SQL injection patterns
const checkForSQLInjection = (value) => {
    return SQL_INJECTION_PATTERNS.some(pattern => pattern.test(value));
};

// Function to validate input length
const validateLength = (value, type) => {
    const limits = INPUT_LIMITS[type];
    if (!limits) return true;
    return value.length >= limits.min && value.length <= limits.max;
};

// Function to validate input pattern
const validatePattern = (value, type) => {
    const pattern = ALLOWED_PATTERNS[type];
    if (!pattern) return true;
    return pattern.test(value);
};

// Function to sanitize input
const sanitizeInput = (value) => {
    if (typeof value !== 'string') return value;
    return value.replace(/[<>]/g, ''); // Remove HTML tags
};

// Main validation middleware
export const validateInput = (req, res, next) => {
    const errors = [];
    const sanitizedBody = {};

// Process each field in the request body
    for (const [field, value] of Object.entries(req.body)) {
        if (value === undefined || value === null) continue;

const sanitizedValue = sanitizeInput(value.toString());
        sanitizedBody[field] = sanitizedValue;

// Check for SQL injection
        if (checkForSQLInjection(sanitizedValue)) {
            errors.push({
                field,
                message: `Invalid characters detected in ${field}`
            });
            continue;
        }

// Validate length
        if (!validateLength(sanitizedValue, field)) {
            const limits = INPUT_LIMITS[field];
            errors.push({
                field,
                message: `${field} must be between ${limits.min} and ${limits.max} characters`
            });
        }

// Validate pattern
        if (!validatePattern(sanitizedValue, field)) {
            errors.push({
                field,
                message: `Invalid format for ${field}`
            });
        }
    }

// If there are errors, return them
    if (errors.length > 0) {
        return res.status(400).json({
            success: false,
            errors
        });
    }

// Replace request body with sanitized values
    req.body = sanitizedBody;
    next();
};

// Function to create parameterized queries
export const createParameterizedQuery = (query, params) => {
    // Replace placeholders with parameterized values
    const parameterizedQuery = query.replace(/\?/g, () => {
        const param = params.shift();
        if (typeof param === 'string') {
            return `'${param.replace(/'/g, "''")}'`; // Escape single quotes
        }
        return param;
    });
    return parameterizedQuery;
};

// Example of predefined queries
export const PREDEFINED_QUERIES = {
    // User queries
    getUserById: 'SELECT * FROM UserData WHERE CID = ?',
    getUserByEmail: 'SELECT * FROM UserData WHERE Email = ?',
    createUser: 'INSERT INTO UserData (CID, Name, Email, password_hash, salt, totp_secret, backup_codes) VALUES (?, ?, ?, ?, ?, ?, ?)',
    updateUser: 'UPDATE UserData SET Name = ?, Email = ? WHERE CID = ?',
    deleteUser: 'DELETE FROM UserData WHERE CID = ?',
    
    // Authentication queries
    incrementFailedAttempts: 'UPDATE UserData SET failed_attempts = failed_attempts + 1 WHERE CID = ?',
    resetFailedAttempts: 'UPDATE UserData SET failed_attempts = 0, last_login = CURRENT_TIMESTAMP WHERE CID = ?',
    lockAccount: 'UPDATE UserData SET locked_until = ? WHERE CID = ?',
    updateBackupCodes: 'UPDATE UserData SET backup_codes = ? WHERE CID = ?',
    
    // 2FA queries
    updateUser2FA: 'UPDATE UserData SET totp_secret = ? WHERE CID = ?',
    updateUser2FAEnabled: 'UPDATE UserData SET is_2fa_enabled = ? WHERE CID = ?',
    
    // Search queries
    searchUsers: 'SELECT CID, Name, Email FROM UserData WHERE Name LIKE ? OR Email LIKE ? LIMIT ? OFFSET ?'
};

// Rate limiting middleware
export const rateLimit = (req, res, next) => {
    const key = `2fa_${req.ip}`;
    const maxAttempts = 5;
    const windowMs = 15 * 60 * 1000; // 15 minutes

if (!req.app.locals.rateLimit) {
        req.app.locals.rateLimit = {};
    }

if (!req.app.locals.rateLimit[key]) {
        req.app.locals.rateLimit[key] = {
            attempts: 0,
            resetTime: Date.now() + windowMs
        };
    }

const rateLimitData = req.app.locals.rateLimit[key];

// Reset if window has passed
    if (Date.now() > rateLimitData.resetTime) {
        rateLimitData.attempts = 0;
        rateLimitData.resetTime = Date.now() + windowMs;
    }

// Check if exceeded max attempts
    if (rateLimitData.attempts >= maxAttempts) {
        const timeLeft = Math.ceil((rateLimitData.resetTime - Date.now()) / 1000 / 60);
        return res.status(429).json({
            message: `Too many attempts. Please try again in ${timeLeft} minutes.`
        });
    }

rateLimitData.attempts++;
    next();
};

Urban Research Lab

The Urban Research Lab (URL) at IIIT-Delhi was established in 2020, during a time when the pandemic brought the complexities of urban life more visible than ever. What started as an initiative by faculty and students has grown into a collaborative space for critically exploring and reimagining the urban questions through research, dialogue, and interdisciplinary engagement.

${this.title}

Code Editor : inputValidation.js

Urban Research Lab