From db8fae4362d62007a634919a8e905ae920254db4 Mon Sep 17 00:00:00 2001
From: Thilo Billerbeck
Date: Wed, 27 Nov 2024 01:25:07 +0100
Subject: [PATCH] fix: add more domain validation to login page
---
 lib/utils.ts | 4 ++++
 routes/user.ts | 11 +++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/utils.ts b/lib/utils.ts
index 3328164..a9a4e61 100644
--- a/lib/utils.ts
+++ b/lib/utils.ts
@@ -32,6 +32,10 @@ export function domainToUrl(domain: string) {
 return `https://${domain}`
 }
+export function validateDomain(domain: string) {
+ return domain.match(/(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]/g)
+}
+
 export function genCallBackUrl(instanceDomain: string) {
 if (process.env.NODE_ENV == 'development') {
 const { ADDRESS = 'localhost', PORT = '3000' } = process.env;
diff --git a/routes/user.ts b/routes/user.ts
index 05b7e4c..fc2a830 100644
--- a/routes/user.ts
+++ b/routes/user.ts
@@ -1,6 +1,6 @@
 import { FastifyInstance } from "fastify";
 import { Mastodon } from 'megalodon'
-import { authenticateJWT, domainToUrl, genCallBackUrl } from './../lib/utils'
+import { authenticateJWT, domainToUrl, genCallBackUrl, validateDomain } from './../lib/utils'
 import { db, getInstanceByDomain, getUserByMastodonUid } from './../lib/db'
 import { AtpSessionData } from "@atproto/api";
@@ -70,7 +70,14 @@ export const routesUser = async (app: FastifyInstance, options: Object) => {
 }
 }>('/auth', async (req, res) => {
 let instanceDomain: string = req.query.instance || "mastodon.social"
- instanceDomain = instanceDomain.toLowerCase().replace(/https?:\/\//, "")
+ instanceDomain = instanceDomain.toLowerCase().replace(/https?:\/\//, "").replace("/", "")
+
+ if(!validateDomain(instanceDomain)) {
+ return res.status(400).view("login", {
+ err: 'Invalid instance domain'
+ })
+ }
+
 const url = domainToUrl(instanceDomain)
 let client = new Mastodon(url)
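Review bot: validateDomain in lib/utils.ts is unanchored and returns the match array rather than a boolean, so any string that merely contains a domain-like substring passes, and characters outside the allowed set (for example `@`, `:`, `?` or `#`) are never rejected even though the route hands the value straight to domainToUrl's `https://${domain}` template. Anchoring the pattern and using `test` turns it into a real accept/reject check: `export function validateDomain(domain: string): boolean {` / `return /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$/.test(domain)`. The `g` flag serves no purpose for a single yes/no check and can be dropped. A one-line TSDoc comment stating that only lowercase hostnames containing at least one dot are accepted would help callers, since the character classes have no uppercase range and the caller must lowercase first.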
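Review bot: `.replace("/", "")` on the new instanceDomain line in routes/user.ts removes only the first slash character and glues whatever followed it onto the host, so an input like `mastodon.social/foo` becomes `mastodon.socialfoo`, which still satisfies validateDomain and is then used to build the Mastodon client. Dropping everything from the first slash onward keeps just the host part: `instanceDomain = instanceDomain.toLowerCase().replace(/^https?:\/\//, "").replace(/\/.*$/, "")`. Calling `.trim()` before the check would also avoid a spurious 400 for values pasted with surrounding whitespace. The /auth handler continues outside the hunk.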