From af993407b3c7f840eb63dcb837e6be0e8d3d95f4 Mon Sep 17 00:00:00 2001
From: Philip Molares
Date: Mon, 25 Jan 2021 12:05:25 +0100
Subject: [PATCH] auth: Add token limit of 200
This is a very high ceiling unlikely to hinder legitimate usage, but should prevent possible attack vectors
Signed-off-by: Philip Molares
---
 src/auth/auth.service.ts | 15 +++++++++++++--
 src/errors/errors.ts | 4 ++++
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/auth/auth.service.ts b/src/auth/auth.service.ts
index df529ec1e..d921cb4c2 100644
--- a/src/auth/auth.service.ts
+++ b/src/auth/auth.service.ts
@@ -11,7 +11,11 @@ import { AuthToken } from './auth-token.entity';
 import { AuthTokenDto } from './auth-token.dto';
 import { AuthTokenWithSecretDto } from './auth-token-with-secret.dto';
 import { compare, hash } from 'bcrypt';
-import { NotInDBError, TokenNotValidError } from '../errors/errors';
+import {
+  NotInDBError,
+  TokenNotValidError,
+  TooManyTokensError,
+} from '../errors/errors';
 import { randomBytes } from 'crypto';
 import { InjectRepository } from '@nestjs/typeorm';
 import { Repository } from 'typeorm';
@@ -76,7 +80,14 @@ export class AuthService {
     identifier: string,
     validUntil: TimestampMillis,
   ): Promise {
-    const user = await this.usersService.getUserByUsername(userName);
+    const user = await this.usersService.getUserByUsername(userName, true);
+    if (user.authTokens.length >= 200) {
+      // This is a very high ceiling unlikely to hinder legitimate usage,
+      // but should prevent possible attack vectors
+      throw new TooManyTokensError(
+        `User '${user.displayName}' has already 200 tokens and can't have anymore`,
+      );
+    }
     const secret = await this.randomString(64);
     const keyId = this.BufferToBase64Url(await this.randomString(8));
     const accessTokenString = await this.hashPassword(secret.toString());
diff --git a/src/errors/errors.ts b/src/errors/errors.ts
index 1b4821bf7..084a84bb4 100644
--- a/src/errors/errors.ts
+++ b/src/errors/errors.ts
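Review bot: The new `if (user.authTokens.length >= 200)` check is a read-then-insert guard with no transaction or database constraint behind it, so two concurrent token-creation requests for the same user can both observe 199 tokens and both pass; the ceiling is advisory rather than enforced, which may be acceptable for a cap this loose but deserves a comment, or a count query run in the same transaction as the save that presumably follows later in the method. The value 200 is also duplicated in the condition and in the error message; a class constant `private static readonly MAX_TOKENS_PER_USER = 200;` used as `if (user.authTokens.length >= AuthService.MAX_TOKENS_PER_USER) {` and as `${AuthService.MAX_TOKENS_PER_USER}` inside the template string keeps the two in sync. Passing `true` to getUserByUsername presumably loads the whole authTokens relation only to count it — a repository count would avoid fetching every token row, and whether expired tokens are pruned before they count toward the limit is not visible from this hunk. The enclosing method's signature begins before the hunk and its body continues after the `hashPassword` line.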
@@ -19,3 +19,7 @@ export class PermissionError extends Error {
 export class TokenNotValidError extends Error {
   name = 'TokenNotValidError';
 }
+
+export class TooManyTokensError extends Error {
+  name = 'TooManyTokensError';
+}