feat: record signup metadata for abuse prevention

HeyPuter · Nov 24, 2024 · 66016b9 · 66016b9
1 parent e0df542
commit 66016b9
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/src/backend/src/routers/signup.js b/src/backend/src/routers/signup.js
@@ -207,7 +207,14 @@ module.exports = eggspress(['/signup'], {
     if(pseudo_user === undefined){
         insert_res = await db.write(
             `INSERT INTO user
-            (username, email, clean_email, password, uuid, referrer, email_confirm_code, email_confirm_token, free_storage, referred_by, audit_metadata) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+            (
+                username, email, clean_email, password, uuid, referrer, 
+                email_confirm_code, email_confirm_token, free_storage, 
+                referred_by, audit_metadata, signup_ip, signup_ip_forwarded, 
+                signup_user_agent, signup_origin, signup_server
+            ) 
+            VALUES 
+            (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
             [
                 // username
                 req.body.username,
@@ -231,7 +238,18 @@ module.exports = eggspress(['/signup'], {
                 referred_by_user ? referred_by_user.id : null,
                 // audit_metadata
                 JSON.stringify(audit_metadata),
-            ]);
+                // signup_ip
+                req.connection.remoteAddress,
+                // signup_ip_fwd
+                req.headers['x-forwarded-for'],
+                // signup_user_agent
+                req.headers['user-agent'],
+                // signup_origin
+                req.headers['origin'],
+                // signup_server
+                config.server_id,
+            ]
+        );
 
         // record activity
         db.write(

diff --git a/src/backend/src/services/database/SqliteDatabaseAccessService.js b/src/backend/src/services/database/SqliteDatabaseAccessService.js
@@ -138,6 +138,9 @@ class SqliteDatabaseAccessService extends BaseDatabaseAccessService {
             [28, [
                 '0031_audit-meta.sql',
             ]],
+            [29, [
+                '0032_signup_metadata.sql',
+            ]],
         ];
 
         // Database upgrade logic

diff --git a/src/backend/src/services/database/sqlite_setup/0032_signup_metadata.sql b/src/backend/src/services/database/sqlite_setup/0032_signup_metadata.sql
@@ -0,0 +1,13 @@
+-- Store IP and request data as TEXT (for JSON strings)
+ALTER TABLE `user` ADD COLUMN `signup_ip` TEXT DEFAULT NULL;
+ALTER TABLE `user` ADD COLUMN `signup_ip_forwarded` TEXT DEFAULT NULL;
+ALTER TABLE `user` ADD COLUMN `signup_user_agent` TEXT DEFAULT NULL;
+ALTER TABLE `user` ADD COLUMN `signup_origin` TEXT DEFAULT NULL;
+ALTER TABLE `user` ADD COLUMN `signup_server` TEXT DEFAULT NULL;
+
+-- Add indexes for columns likely to be searched
+CREATE INDEX idx_user_signup_ip ON user(signup_ip);
+CREATE INDEX idx_user_signup_ip_forwarded ON user(signup_ip_forwarded);
+CREATE INDEX idx_user_signup_user_agent ON user(signup_user_agent);
+CREATE INDEX idx_user_signup_origin ON user(signup_origin);
+CREATE INDEX idx_user_signup_server ON user(signup_server);
-Original file line number
+Diff line change
@@ Expand Up @@
                 [28, [
                     '0031_audit-meta.sql',
                 ]],
+                [29, [
+                    '0032_signup_metadata.sql',
+                ]],
             ];
             // Database upgrade logic
@@ Expand Down @@