v1.0.59

2025-09-14 00:54:36 +08:00 · 2017-07-28 16:34:22 +03:00 · 2017-07-28 16:34:22 +03:00 · 1b10664e56
commit 1b10664e56
parent b6d01842f8
4 changed files with 35 additions and 19 deletions
--- a/api.js
+++ b/api.js
@ -75,7 +75,7 @@ server.get(
 );

 server.use((req, res, next) => {
-    if (config.api.accessToken && req.query.accessToken !== config.api.accessToken) {
+    if (config.api.accessToken && ![req.query.accessToken, req.headers['x-access-token']].includes(config.api.accessToken)) {
        res.status(403);
        res.charSet('utf-8');
        return res.json({
--- a/lib/translations.js
+++ b/lib/translations.js
@ -0,0 +1,20 @@
+'use strict';
+
+module.exports = {
+    // default
+    en: {
+        '\\Sent': 'Sent Mail',
+        '\\Trash': 'Trash',
+        '\\Junk': 'Junk',
+        '\\Drafts': 'Drafts',
+        '\\Archive': 'Archive'
+    },
+    // estonian
+    et: {
+        '\\Sent': 'Saadetud kirjad',
+        '\\Trash': 'Prügikast',
+        '\\Junk': 'Rämpspost',
+        '\\Drafts': 'Mustandid',
+        '\\Archive': 'Arhiiv'
+    }
+};
--- a/lib/user-handler.js
+++ b/lib/user-handler.js
@ -10,23 +10,8 @@ const consts = require('./consts');
 const ObjectID = require('mongodb').ObjectID;
 const generatePassword = require('generate-password');
 const os = require('os');
-
-const mailboxTranslations = {
-    en: {
-        '\\Sent': 'Sent Mail',
-        '\\Trash': 'Trash',
-        '\\Junk': 'Junk',
-        '\\Drafts': 'Drafts',
-        '\\Archive': 'Archive'
-    },
-    et: {
-        '\\Sent': 'Saadetud kirjad',
-        '\\Trash': 'Prügikast',
-        '\\Junk': 'Rämpspost',
-        '\\Drafts': 'Mustandid',
-        '\\Archive': 'Arhiiv'
-    }
-};
+const crypto = require('crypto');
+const mailboxTranslations = require('./translations');

 class UserHandler {
    constructor(options) {
@ -160,6 +145,8 @@ class UserHandler {
                        return this.logAuthEvent(userData._id, meta, () => callback(null, false));
                    }

+                    let prefix = crypto.createHash('md5').update(password.substr(0, 4)).digest('hex');
+
                    this.users
                        .collection('asps')
                        .find({
@ -186,6 +173,10 @@ class UserHandler {
                                }

                                let asp = asps[pos++];
+                                if (asp.prefix && asp.prefix !== prefix) {
+                                    // no need to check, definitely a wrong one
+                                    return setImmediate(checkNext);
+                                }

                                bcrypt.compare(password, asp.password || '', (err, success) => {
                                    if (err) {
@ -232,6 +223,10 @@ class UserHandler {
            numbers: false,
            symbols: false
        });
+        // We need a quick hash key that can be used to identify the password.
+        // Otherwise, when authenticating, we'd need to check the password against all stored bcrypt
+        // hashes which would make forever if the user has a longer list of application specific passwords
+        let prefix = crypto.createHash('md5').update(password.substr(0, 4)).digest('hex');

        let allowedScopes = ['imap', 'pop3', 'smtp'];
        let hasAllScopes = false;
@ -258,6 +253,7 @@ class UserHandler {
            description: data.description,
            scopes,
            password: bcrypt.hashSync(password, 11),
+            prefix,
            created: new Date()
        };

--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
    "name": "wildduck",
-    "version": "1.0.58",
+    "version": "1.0.59",
    "description": "IMAP server built with Node.js and MongoDB",
    "main": "server.js",
    "scripts": {