Added a security check when sending an e-mail

front/form.js

@@ -8,6 +8,14 @@ var items = {
 var server  = getServer();
 var xhrSend = new XMLHttpRequest();
 
+var token = "";
+var xhrToken = new XMLHttpRequest();
+xhrToken.onreadystatechange = function() {
+    if(xhrToken.readyState == XMLHttpRequest.DONE) {
+        token = xhrToken.responseText;
+    }
+}
+
 
 // Returns the server's base URI based on the user's script tag
 // return: the SMAM server's base URI
@@ -76,6 +84,10 @@ function generateForm(id) {
             }
         }
     };
+    
+    // Retrieve the token from the server
+    
+    getToken();
 }
 
 
@@ -170,6 +182,9 @@ function sendForm() {
     xhrSend.open('POST', server + '/send');
     xhrSend.setRequestHeader('Content-Type', 'application/json');
     xhrSend.send(JSON.stringify(getFormData()));
+    
+    // Get a new token
+    getToken();
 }
 
 
@@ -180,7 +195,8 @@ function getFormData() {
         name: document.getElementById(items.name + '_input').value,
         addr: document.getElementById(items.addr + '_input').value,
         subj: document.getElementById(items.subj + '_input').value,
-        text: document.getElementById(items.text + '_textarea').value
+        text: document.getElementById(items.text + '_textarea').value,
+        token: token
     }
 }
 
@@ -192,4 +208,12 @@ function cleanForm() {
     document.getElementById(items.addr + '_input').value = '';
     document.getElementById(items.subj + '_input').value = '';
     document.getElementById(items.text + '_textarea').value = '';
+}
+
+
+// Ask the server for a token
+// return: nothing
+function getToken() {
+    xhrToken.open('GET', server + '/register');
+    xhrToken.send();
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "smam",
-  "version": "0.0.1",
+  "version": "1.1.0",
   "description": "SMAM (short for Send Me A Mail) is an free (as in freedom) contact form embedding software.",
   "contributors": [
     {

server.js

@@ -1,5 +1,6 @@
 var pug         = require('pug');
 var nodemailer  = require('nodemailer');
+var crypto      = require('crypto');
 var settings    = require('./settings');
 
 // Web server
@@ -19,6 +20,10 @@ var log = printit({
 var transporter = nodemailer.createTransport(settings.mailserver);
 
 
+// Verification tokens
+var tokens = {};
+
+
 // Serve static (JS + HTML) files
 app.use(express.static('front'));
 // Body parsing
@@ -26,8 +31,40 @@ app.use(bodyParser.urlencoded({ extended: true }));
 app.use(bodyParser.json());
 
 
+// A request on /register generates a token and store it, along the user's
+// address, on the tokens object
+app.get('/register', function(req, res, next) {
+    // Get IP from express
+    let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
+    if(tokens[ip] === undefined) {
+        tokens[ip] = [];
+    }
+    // Generate token
+    crypto.randomBytes(10, (err, buf) => { 
+        let token = buf.toString('hex');
+        // Store and send the token
+        tokens[ip].push({
+            token: token,
+            // A token expires after 12h
+            expire: new Date().getTime() + 12 * 3600 * 1000
+        });
+        res.status(200).send(token);
+    });
+});
+
+
 // A request on /send with user input = mail to be sent
 app.post('/send', function(req, res, next) {
+    if(!checkBody(req.body)) {
+        return res.status(400).send();
+    }
+    
+    let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
+    
+    if(!checkToken(ip, req.body.token)) {
+        return res.status(403).send();
+    }
+    
     // Count the failures
     let status = {
         failed: 0,
@@ -53,13 +90,12 @@ app.post('/send', function(req, res, next) {
     // Send the email to all users
     sendMails(params, function(err, infos) {
         if(err) {
-            log.error(err)
+            log.error(err);
         }
         logStatus(infos);
     }, function() {
-        res.header('Access-Control-Allow-Origin', '*');
         if(status.failed === status.total) {
-            res.status(500).send()
+            res.status(500).send();
         } else {
             res.status(200).send();
         }
@@ -75,6 +111,10 @@ app.listen(port, function() {
 });
 
 
+// Run the clean every hour
+var tokensChecks = setTimeout(cleanTokens, 3600 * 1000);
+
+
 // Send mails to the recipients specified in the JSON settings file
 // content: object containing mail params
 //  {
@@ -117,4 +157,72 @@ function logStatus(infos) {
         status.failed++;
         log.info('Message failed to send to ' + infos.rejected[0]);
     }
+}
+
+
+// Checks if the request's sender has been registered (and unregister it if not)
+// ip: sender's IP address
+// token: token used by the sender
+// return: true if the user was registered, false else
+function checkToken(ip, token) {
+    let verified = false;
+    
+    // Check if there's at least one token for this IP
+    if(tokens[ip] !== undefined) {
+        if(tokens[ip].length !== 0) {
+            // There's at least one element for this IP, let's check the tokens
+            for(var i = 0; i < tokens[ip].length; i++) {
+                if(!tokens[ip][i].token.localeCompare(token)) {
+                    // We found the right token
+                    verified = true;
+                    // Removing the token
+                    tokens[ip].pop(tokens[ip][i]);
+                    break;
+                }
+            }
+        } 
+    }
+    
+    if(!verified) {
+        log.warn(ip + ' just tried to send a message with an invalid token');
+    }
+    
+    return verified;
+}
+
+
+// Checks if all the required fields are in the request body
+// body: body taken from express's request object
+// return: true if the body is valid, false else
+function checkBody(body) {
+    let valid = false;
+    
+    if(body.token !== undefined && body.subj !== undefined 
+        && body.name !== undefined && body.addr !== undefined 
+        && body.text !== undefined) {
+        valid = true;
+    }
+    
+    return valid;
+}
+
+
+// Checks the tokens object to see if no token has expired
+// return: nothing
+function cleanTokens() {
+    // Get current time for comparison
+    let now = new Date().getTime();
+    
+    for(let ip in tokens) { // Check for each IP in the object
+        for(let token of tokens[ip]) { // Check for each token of an IP
+            if(token.expire < now) { // Token has expired
+                tokens[ip].pop(token);
+            }
+        }
+        if(tokens[ip].length === 0) { // No more element for this IP
+            delete tokens[ip];
+        }
+    }
+    
+    log.info('Cleared expired tokens');
 }