Adding option to log users ips

This commit is contained in:
2026-05-11 07:45:00 +02:00
parent 862b145c77
commit 1221e0580f
16 changed files with 306 additions and 38 deletions

View File

@@ -11,7 +11,7 @@ import cfg from "../config.mjs";
import security from "../security.mjs";
import crypto from "crypto";
import path from "path";
import { getManualApproval, setManualApproval, getMinTags, setMinTags, getRegistrationOpen, setRegistrationOpen, getTrustedUploads, setTrustedUploads, getEnablePdf, setEnablePdf } from "../settings.mjs";
import { getManualApproval, setManualApproval, getMinTags, setMinTags, getRegistrationOpen, setRegistrationOpen, getTrustedUploads, setTrustedUploads, getEnablePdf, setEnablePdf, getLogUserIps, setLogUserIps, getHashUserIps, setHashUserIps } from "../settings.mjs";
export default (router, tpl) => {
router.get(/^\/login(\/)?$/, async (req, res) => {
@@ -102,13 +102,17 @@ export default (router, tpl) => {
created_at: stamp,
last_used: stamp,
last_action: "/login",
kmsi: typeof req.post.kmsi !== 'undefined' ? 1 : 0
kmsi: typeof req.post.kmsi !== 'undefined' ? 1 : 0,
ip: ip
};
await db`
insert into "user_sessions" ${db(blah, 'user_id', 'session', 'csrf_token', 'browser', 'created_at', 'last_used', 'last_action', 'kmsi')
insert into "user_sessions" ${db(blah, 'user_id', 'session', 'csrf_token', 'browser', 'created_at', 'last_used', 'last_action', 'kmsi', 'ip')
}
`;
// Log IP for historical data
await security.logUserIP(user[0].id, ip);
return res.writeHead(301, {
"Cache-Control": "no-cache, public",
@@ -277,6 +281,8 @@ export default (router, tpl) => {
totals: await lib.countf0cks(),
session: req.session,
manual_approval: getManualApproval(),
log_user_ips: getLogUserIps(),
hash_user_ips: getHashUserIps(),
tmp: null
}, req)
});
@@ -303,6 +309,32 @@ export default (router, tpl) => {
activeUsers: activeUsernames.length,
activeUserList: activeUsernames,
totals: await lib.countf0cks(),
log_user_ips: getLogUserIps(),
tmp: null
}, req)
});
});
router.get(/\/admin\/user\/(?<userId>\d+)\/ips(\/)?$/, lib.auth, async (req, res) => {
const userId = +req.params.userId;
const user = await db`select "user", login from "user" where id = ${userId} limit 1`;
if (user.length === 0) return res.reply({ code: 404, body: 'User not found' });
const rows = await db`
select * from user_ips
where user_id = ${userId}
order by last_seen desc
`;
res.reply({
body: tpl.render("admin/user_ips", {
session: req.session,
targetUser: user[0],
ips: rows,
page_meta: {
title: `IP History - ${user[0].user}`
},
totals: await lib.countf0cks(),
tmp: null
}, req)
});
@@ -580,10 +612,14 @@ export default (router, tpl) => {
router.post(/^\/admin\/settings\/?$/, lib.auth, async (req, res) => {
const manual_approval = req.post.manual_approval === 'on' ? 'true' : 'false';
const registration_open = req.post.registration_open === 'on' ? 'true' : 'false';
const log_user_ips = req.post.log_user_ips === 'on' ? 'true' : 'false';
const hash_user_ips = req.post.hash_user_ips === 'on' ? 'true' : 'false';
const min_tags = isNaN(parseInt(req.post.min_tags)) ? 3 : Math.max(0, parseInt(req.post.min_tags));
const trusted_uploads = Math.max(0, parseInt(req.post.trusted_uploads) ?? 3);
await db`INSERT INTO site_settings (key, value) VALUES ('manual_approval', ${manual_approval}) ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value`;
await db`INSERT INTO site_settings (key, value) VALUES ('log_user_ips', ${log_user_ips}) ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value`;
await db`INSERT INTO site_settings (key, value) VALUES ('hash_user_ips', ${hash_user_ips}) ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value`;
if (cfg.websrv.open_registration_web_toggle !== false) {
await db`INSERT INTO site_settings (key, value) VALUES ('registration_open', ${registration_open}) ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value`;
@@ -594,6 +630,8 @@ export default (router, tpl) => {
await db`INSERT INTO site_settings (key, value) VALUES ('trusted_uploads', ${trusted_uploads.toString()}) ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value`;
setManualApproval(manual_approval === 'true');
setLogUserIps(log_user_ips === 'true');
setHashUserIps(hash_user_ips === 'true');
setMinTags(min_tags);
setTrustedUploads(trusted_uploads);
@@ -697,6 +735,7 @@ const page = Math.max(1, parseInt(req.url.qs?.page) || 1);
total,
hasMore: users.length === limit,
totals: await lib.countf0cks(),
log_user_ips: getLogUserIps(),
tmp: null
};

View File

@@ -26,7 +26,10 @@ export default new class {
* @returns {string}
*/
getRealIP(req) {
let ip = req.headers['x-real-ip'] ||
let ip = req.headers['cf-connecting-ip'] ||
req.headers['true-client-ip'] ||
req.headers['x-client-ip'] ||
req.headers['x-real-ip'] ||
(req.headers['x-forwarded-for'] ? req.headers['x-forwarded-for'].split(',')[0].trim() : null) ||
req.socket.remoteAddress;
@@ -34,11 +37,14 @@ export default new class {
// Handle IPv6 loopback and mapped IPv4
if (ip === "::1") ip = "127.0.0.1";
if (ip.startsWith("::ffff:")) ip = ip.substring(7);
if (ip && ip.startsWith("::ffff:")) ip = ip.substring(7);
// Basic IPv6 normalization (ensure consistent case and representation if possible)
// Note: Simple hex strings for IP are fine for hashing as long as Nginx is consistent.
if (ip.includes(":")) ip = ip.toLowerCase();
if (ip && ip.includes(":")) ip = ip.toLowerCase();
if (cfg.main.development && ip === "127.0.0.1" && req.headers) {
console.debug('[SECURITY] Local IP detected. Headers:', req.headers);
}
return ip;
}
@@ -163,4 +169,22 @@ export default new class {
return false;
}
/**
* Log user IP for historical tracking if enabled.
* @param {number} userId
* @param {string} ip
*/
async logUserIP(userId, ip) {
if (!cfg.websrv.log_user_ips || !userId || !ip) return;
const { getHashUserIps } = await import("./settings.mjs");
const finalIp = getHashUserIps() ? this.hashIP(ip) : ip;
await db`
insert into user_ips (user_id, ip)
values (${userId}, ${finalIp})
on conflict (user_id, ip) do update set last_seen = now()
`.catch(err => console.error(`[SECURITY] Failed to log user IP:`, err));
}
};

View File

@@ -44,3 +44,18 @@ export const setPrivateMessages = (val) => private_messages = !!val;
export const getDefaultLayout = () => default_layout;
export const setDefaultLayout = (val) => default_layout = (val === 'legacy' ? 'legacy' : 'modern');
let log_user_ips = false;
export const getLogUserIps = () => log_user_ips;
export const setLogUserIps = (val) => {
log_user_ips = !!val;
// Also update the config object for components that read from it directly
cfg.websrv.log_user_ips = log_user_ips;
};
let hash_user_ips = false;
export const getHashUserIps = () => hash_user_ips;
export const setHashUserIps = (val) => {
hash_user_ips = !!val;
cfg.websrv.hash_user_ips = hash_user_ips;
};

View File

@@ -19,6 +19,7 @@ import { handleMetaStrip } from "./meta_strip_handler.mjs";
import { getManualApproval, setManualApproval, getMinTags, setMinTags, getRegistrationOpen, setRegistrationOpen, getTrustedUploads, setTrustedUploads, getBypassDuplicateCheck, setBypassDuplicateCheck, getProtectFiles, setProtectFiles, getPrivateMessages, setPrivateMessages, getDefaultLayout, setDefaultLayout, getEnablePdf, setEnablePdf } from "./inc/settings.mjs";
import { updateHallsCache, getHalls } from "./inc/halls_cache.mjs";
import { createI18n } from "./inc/i18n.mjs";
import security from "./inc/security.mjs";
const nginx502 = `<html>
<head><title>502 Bad Gateway</title></head>
@@ -297,12 +298,17 @@ process.on('uncaughtException', err => {
// log last action (Fire-and-Forget)
if (!req.url.pathname.startsWith('/api/notifications')) {
const { getLogUserIps, getHashUserIps } = await import("./inc/settings.mjs");
const currentIp = security.getRealIP(req);
const finalIp = getHashUserIps() ? security.hashIP(currentIp) : currentIp;
db`
update "user_sessions" set ${db({
last_used: ~~(Date.now() / 1e3),
last_action: req.url.pathname,
browser: req.headers['user-agent']
}, 'last_used', 'last_action', 'browser')
browser: req.headers['user-agent'],
...(getLogUserIps() ? { ip: finalIp } : {})
}, 'last_used', 'last_action', 'browser', ...(getLogUserIps() ? ['ip'] : []))
}
where id = ${+user[0].sess_id}
`.catch(e => console.error('[MIDDLEWARE] Session update failed:', e));
@@ -310,6 +316,9 @@ process.on('uncaughtException', err => {
// Update last_seen on user table (Fire-and-Forget) — feeds the 30-day orakel pool
db`update "user" set last_seen = ${~~(Date.now() / 1e3)} where id = ${+user[0].id}`
.catch(e => console.error('[MIDDLEWARE] last_seen update failed:', e));
// Log IP for historical data
security.logUserIP(user[0].id, currentIp);
}
if (req.session.admin) {
@@ -655,6 +664,30 @@ process.on('uncaughtException', err => {
setEnablePdf(!!cfg.enable_pdf);
console.log(`[BOOT] Enable PDF setting: ${getEnablePdf()}`);
// Fetch log_user_ips and hash_user_ips setting
const { getLogUserIps, setLogUserIps, getHashUserIps, setHashUserIps } = await import("./inc/settings.mjs");
try {
const lipSetting = await db`SELECT value FROM site_settings WHERE key = 'log_user_ips' LIMIT 1`;
if (lipSetting.length > 0) {
setLogUserIps(lipSetting[0].value === 'true');
} else {
setLogUserIps(!!cfg.websrv.log_user_ips);
}
console.log(`[BOOT] Log User IPs: ${getLogUserIps()}`);
const hipSetting = await db`SELECT value FROM site_settings WHERE key = 'hash_user_ips' LIMIT 1`;
if (hipSetting.length > 0) {
setHashUserIps(hipSetting[0].value === 'true');
} else {
setHashUserIps(!!cfg.websrv.hash_user_ips);
}
console.log(`[BOOT] Hash User IPs: ${getHashUserIps()}`);
} catch (e) {
console.warn(`[BOOT] IP logging settings fetch failed:`, e.message);
setLogUserIps(!!cfg.websrv.log_user_ips);
setHashUserIps(!!cfg.websrv.hash_user_ips);
}
// Load bypass_duplicate_check from config.json (static — not a DB setting)
if (cfg.websrv.bypass_duplicate_check === true) {
setBypassDuplicateCheck(true);