Merge pull request #1 from LightYagami28/main

Enhances security and code quality

Author: vntcore

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/API"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "deps"
+    labels:
+      - "dependencies"
+      - "npm"

API/server.js

@@ -3,13 +3,15 @@ import { checkIsValid, newSecretKey } from "./totp.js"
 import { hashPassword, checkPassword } from "./hashingPasswd.js"
 
 import express from 'express';
+const helmet = require('helmet');
 import cors from 'cors';
 import { use } from "react";
 
 const app = express();
 const PORT = 3000;
 
 app.use(cors());
+app.use(helmet());
 app.use(express.json());
 
 const pendingLogin = {};
@@ -38,7 +40,7 @@ app.post('/api/login', async (req, res) => {
     let _count = new Database("users", ["username"], [username]);
     let __count = await _count.count();
 
-    if(__count >= 1) {
+    if (__count >= 1) {
         let DB = new Database("users", ["username"], [username]);
         let values = await DB.read();
 
@@ -51,8 +53,8 @@ app.post('/api/login', async (req, res) => {
             const now = new Date();
             const expire = new Date(now.getTime() + 5 * 60 * 1000);
 
-            while(true) {
-                if(Array.isArray(pendingLogin[rndID])) {
+            while (true) {
+                if (Array.isArray(pendingLogin[rndID])) {
                     rndID = Math.floor(Math.random() * 9999999999);
                 }
                 else {
@@ -62,13 +64,13 @@ app.post('/api/login', async (req, res) => {
 
             pendingLogin[rndID] = pendingLogin[rndID] || [];
 
-            pendingLogin[rndID].push({ 
-                USERNAME: username, 
+            pendingLogin[rndID].push({
+                USERNAME: username,
                 TOTP_SECRET_KEY: values[0].totp_secret_key,
                 EXPIRE: expire,
                 ATTEMPTS: 0
             });
-            
+
             const data = {
                 "STATUS": "SUCCESS",
                 "MESSAGE": "ACCEPTED - VALID CREDENTIALS, NOW YOU MUST VALIDATE YOUR ACCESS WITH THE OTP",
@@ -116,8 +118,8 @@ app.post('/api/otp_verification', async (req, res) => {
 
     let _expire = new Date(expire);
     let now = new Date();
-    
-    if(now > _expire) {
+
+    if (now > _expire) {
         // The pending request has expired
         delete pendingLogin[pendingID];
 
@@ -133,8 +135,8 @@ app.post('/api/otp_verification', async (req, res) => {
 
     else {
         let otpIsValid = checkIsValid(otp, totp_secretKey);
-        
-        if(otpIsValid) {
+
+        if (otpIsValid) {
             // Done, the user is authenticated! :)
             // You can now implement token management for user logins, including expiration control, multiple login management, and other related features
 
@@ -159,7 +161,7 @@ app.post('/api/otp_verification', async (req, res) => {
             pendingLogin[pendingID][0].ATTEMPTS = attemps + 1;
 
             // Incorrect OTP entered 5 times in a row, i'm canceling the request for security reasons
-            if(attemps >= 5) {
+            if (attemps >= 5) {
                 delete pendingLogin[pendingID];
 
                 const data = {
@@ -205,7 +207,7 @@ app.post('/api/signup', async (req, res) => {
     }
 
     // Check if the username contains at least 5 characters
-    if (username.length < 5) {
+    if (String(username).length < 5) {
         const data = {
             "STATUS": "ERROR",
             "MESSAGE": "BAD REQUEST - THE USERNAME HAS LESS THAN 5 CHARACTERS",
@@ -219,7 +221,7 @@ app.post('/api/signup', async (req, res) => {
     }
 
     // Check if the username is more than 20 characters
-    if (username.length > 20) {
+    if (String(username).length > 20) {
         const data = {
             "STATUS": "ERROR",
             "MESSAGE": "BAD REQUEST - THE USERNAME HAS MORE THAN 20 CHARACTERS",
@@ -233,7 +235,7 @@ app.post('/api/signup', async (req, res) => {
     }
 
     // Check if the password contains at least 6 characters
-    if (password.length < 6) {
+    if (String(password).length < 6) {
         const data = {
             "STATUS": "ERROR",
             "MESSAGE": "BAD REQUEST - THE PASSWORD HAS LESS THAN 6 CHARACTERS",
@@ -247,7 +249,7 @@ app.post('/api/signup', async (req, res) => {
     }
 
     // Check if the password is more than 80 characters
-    if (password.length > 80) {
+    if (String(password).length > 80) {
         const data = {
             "STATUS": "ERROR",
             "MESSAGE": "BAD REQUEST - THE PASSWORD HAS MORE THAN 80 CHARACTERS",
@@ -276,14 +278,14 @@ app.post('/api/signup', async (req, res) => {
 
         return;
     }
-    
+
     const cryptedPasswd = await hashPassword(password);
 
     let _newSecretKey = newSecretKey();
-    
+
     const columns = ["username", "password", "totp_secret_key"];
     const parameters = [username, cryptedPasswd, _newSecretKey];
-    
+
     let mysqlCMD = new Database("users", columns, parameters);
     mysqlCMD.insert();
 

README.md

@@ -1,31 +1,89 @@
-# Secure auth with NodeJS
-> Login and registration system with TOTP (Time-based One-Time Password), password hashing using bcrypt, and some basic server-side validation.
-
-## Features
-- Hash the password with bcrypt before saving it to the database.
-- Server-side checks: alphanumeric character validation for the username, minimum and maximum length checks for both password and username, check if the username is already registered, and a maximum attempt limit for entering the OTP code.
-- Handling of pending login requests awaiting OTP code verification, with expiration after 5 minutes.
-- Client-side QR code generation to easily add the secret key to your authentication app (e.g. Google Authenticator).
-- Simple use of JSON to send and receive requests, with realistic status codes for responses.
-- Use SQL parameters to prevent SQL injection.
-
-## How to use
-### Install the dependencies
+# Secure Authentication with Node.js
+
+> Un sistema di registrazione e autenticazione professionale con supporto a **TOTP (Time-based One-Time Password)**, hashing sicuro delle password tramite **bcrypt** e solide validazioni lato server.
+
+
+
+Language:
+
+
+![NodeJS](https://img.shields.io/badge/node.js-6DA55F?style=for-the-badge&logo=node.js&logoColor=white)
+
+![Express](https://img.shields.io/badge/express.js-000000?style=for-the-badge&logo=express&logoColor=white)
+
+![Dependabot](https://img.shields.io/badge/dependabot-025E8C?style=for-the-badge&logo=dependabot&logoColor=white)
+
+
+
+
+## Caratteristiche principali
+
+* **Archiviazione sicura delle password**
+  Tutte le password vengono sottoposte ad hashing con **bcrypt** prima di essere salvate nel database.
+
+* **Validazione completa**
+
+  * Controllo alfanumerico per il nome utente
+  * Verifica della lunghezza minima e massima di username e password
+  * Prevenzione della registrazione con username duplicati
+  * Limitazione dei tentativi di inserimento OTP
+
+* **Gestione dei login in sospeso**
+  Supporto per richieste di accesso in attesa di verifica OTP, con scadenza automatica dopo 5 minuti.
+
+* **Configurazione semplice della 2FA**
+  Generazione di QR code lato client per un’integrazione immediata con app di autenticazione (es. Google Authenticator).
+
+* **API moderne e standardizzate**
+  Tutte le interazioni avvengono tramite JSON, con utilizzo di codici di stato HTTP appropriati.
+
+* **Protezione contro SQL Injection**
+  Tutte le query al database utilizzano **parametri preparati**.
+
+---
+
+## Avvio rapido
+
+### 1. Installazione delle dipendenze
+
 ```bash
-# Run the command inside the API/ folder
+# All’interno della directory API/
 npm install
 ```
-### Start the backend server
+
+### 2. Avvio del server backend
+
 ```bash
-# Run the command inside the API/ folder
+# All’interno della directory API/
 node server.js
 ```
-> Make sure the HTML files are served from a server (hosted) and not opened directly as local files, because the login stores the pending login request ID in cookies, which won’t work if you open the file locally.
 
-I hope this helps you learn how a robust login and signup system works. Have fun experimenting and modifying my code by adding extra features, for example, a token-based system after the user logs in.
+> **Nota importante:** i file HTML devono essere serviti tramite un web server. L’apertura diretta in locale impedirà il corretto funzionamento dei cookie utilizzati per la gestione dei login in sospeso.
+
+---
+
+## Azioni rapide
+
+<p align="center">
+    <a href="https://github.com/LightYagami28/secure-auth-nodejs" target="_blank">
+        <img src="https://img.shields.io/badge/Visualizza%20su-GitHub-181717?logo=github&style=for-the-badge" alt="View on GitHub"/>
+    </a>
+    <a href="https://your-demo-link.com" target="_blank">
+        <img src="https://img.shields.io/badge/Demo%20Online-Visita-4CAF50?style=for-the-badge" alt="Live Demo"/>
+    </a>
+    <a href="https://github.com/LightYagami28/secure-auth-nodejs/fork" target="_blank">
+        <img src="https://img.shields.io/badge/Fork%20Repository-Crea%20una%20copia-blue?style=for-the-badge" alt="Fork Repo"/>
+    </a>
+</p>
+
+---
+
+## Dimostrazione
+
+### Registrazione
+
+![Demo Registrazione](signup.gif)
 
-### Sign up phase
-![tuto-gif](signup.gif)
+### Accesso
 
-### Log in phase
-![tuto-gif](login.gif)
+![Demo Login](login.gif)

login.html

@@ -1,12 +1,13 @@
 <!DOCTYPE html>
 <html lang="it">
+
 <head>
-<meta charset="UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>Log in</title>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Log in</title>
 
-<link href="assets/css/bootstrap.min.css" rel="stylesheet">
-<link href="assets/css/style.css" rel="stylesheet">
+    <link href="assets/css/bootstrap.min.css" rel="stylesheet">
+    <link href="assets/css/style.css" rel="stylesheet">
 </head>
 
 <body>
@@ -31,12 +32,12 @@ <h2>Log In</h2>
         const otp_txt = document.getElementById("otp_txt");
         const checkOtpBtn = document.getElementById("checkOtpBtn");
 
-        loginBtn.addEventListener('click', function() {
+        loginBtn.addEventListener('click', function () {
             const data = {
                 "username": username_txt.value,
                 "password": password_txt.value
             };
-            
+
             fetch("http://localhost:3000/api/login",
                 {
                     method: "POST",
@@ -46,33 +47,33 @@ <h2>Log In</h2>
                     body: JSON.stringify(data)
                 }
             )
-            .then(response => response.json())
-            .then(data => {
-                if(data["STATUS_CODE"] == 202) {
-                    username_txt.style.display = "none";
-                    loginBtn.style.display = "none";
-                    password_txt.style.display = "none";
-
-                    otp_txt.style.display = "block";
-                    checkOtpBtn.style.display = "block";
-
-                    setCookie("pendingID", data["PENDING_ID"], 10);
-                }
-
-                else {
-                    alert("An error occurred:\nSTATUS CODE: " + data["STATUS_CODE"] + "\n\n" + data["MESSAGE"]);
-                }
-            });
+                .then(response => response.json())
+                .then(data => {
+                    if (data["STATUS_CODE"] == 202) {
+                        username_txt.style.display = "none";
+                        loginBtn.style.display = "none";
+                        password_txt.style.display = "none";
+
+                        otp_txt.style.display = "block";
+                        checkOtpBtn.style.display = "block";
+
+                        setCookie("pendingID", data["PENDING_ID"], 10);
+                    }
+
+                    else {
+                        alert("An error occurred:\nSTATUS CODE: " + data["STATUS_CODE"] + "\n\n" + data["MESSAGE"]);
+                    }
+                });
         });
 
-        checkOtpBtn.addEventListener('click', function() {
+        checkOtpBtn.addEventListener('click', function () {
             let pendingID = getCookie("pendingID");
 
             const data = {
                 "pendingID": pendingID,
                 "otp": otp_txt.value
             };
-            
+
             fetch("http://localhost:3000/api/otp_verification",
                 {
                     method: "POST",
@@ -82,16 +83,16 @@ <h2>Log In</h2>
                     body: JSON.stringify(data)
                 }
             )
-            .then(response => response.json())
-            .then(data => {
-                if(data["STATUS_CODE"] == 200) {
-                    alert("Login successful:\nSTATUS CODE: " + data["STATUS_CODE"] + "\n\n" + data["MESSAGE"] + "\n\n\nI hope this repository has been helpful in understanding and learning how to manage a secure login!\n\nFeel free to experiment you can modify and improve my code, add extra checks, or implement new actions to execute after login.");
-                }
-
-                else {
-                    alert("An error occurred:\nSTATUS CODE: " + data["STATUS_CODE"] + "\n\n" + data["MESSAGE"]);
-                }
-            });
+                .then(response => response.json())
+                .then(data => {
+                    if (data["STATUS_CODE"] == 200) {
+                        alert("Login successful:\nSTATUS CODE: " + data["STATUS_CODE"] + "\n\n" + data["MESSAGE"] + "\n\n\nI hope this repository has been helpful in understanding and learning how to manage a secure login!\n\nFeel free to experiment you can modify and improve my code, add extra checks, or implement new actions to execute after login.");
+                    }
+
+                    else {
+                        alert("An error occurred:\nSTATUS CODE: " + data["STATUS_CODE"] + "\n\n" + data["MESSAGE"]);
+                    }
+                });
         });
 
         function setCookie(name, value, minutes) {
@@ -101,7 +102,7 @@ <h2>Log In</h2>
                 date.setTime(date.getTime() + (minutes * 60 * 1000));
                 expires = "; expires=" + date.toUTCString();
             }
-            document.cookie = name + "=" + encodeURIComponent(value) + expires + "; path=/";
+            document.cookie = name + "=" + encodeURIComponent(value) + expires + "; path=/; secure";
         }
 
         function getCookie(name) {
@@ -118,4 +119,5 @@ <h2>Log In</h2>
 
     <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"></script>
 </body>
+
 </html>