docs(server): add some comments and correct value

mmtftr · mmtftr · commit cc22efdd90e4 · 2020-08-08T14:07:35.000+03:00
Change wrong value in README
Describe server code in server.ts
Add one line in postAction.ts
diff --git a/README.md b/README.md
@@ -20,7 +20,7 @@ This project is just a hobby project with potential bugs and security flaws. Do
 
 The server assumes that the communication is over HTTP and is insecure, thus it uses JWT HS256-signed tokens to communicate and a session counter so that a request can't be copied by an attacker.
 
-There is a built-in session counter that provides basic security. The session counter has a session limit of 10 and blocks new sessions after 10 sessions but you can increase this limit in the code. This is to protect against memory attacks.
+There is a built-in session counter that provides basic security. The session counter has a session limit of 20 and blocks new sessions after 10 sessions but you can increase this limit in the code. This is to protect against memory attacks.
 
 The counter is incremented with each request and the counter value is included in the JWT which makes request forging impossible without the secret.
 
diff --git a/server/routes/postAction.ts b/server/routes/postAction.ts
@@ -4,17 +4,21 @@ import jwt from "jwt-simple"
 
 export function postAction(req: Request, res: Response) {
   let result = false
+  // assume request is verified
   const request = jwt.decode(req.body.request, "", true)
   const keycode = request.keycode
   if (keycode) {
+    // parseInt makes it impossible to inject code here.
     exec(
       `osascript -l JavaScript -e "Application('System Events').keyCode(${parseInt(
         keycode
       )})"`
     )
     res.json({ message: "Your keycode has been sent" })
     result = true
+    // debug
     console.log(req.body.keycode)
   }
+  // to make sure a response is sent back
   if (!result) res.json({ message: "noop" })
 }
diff --git a/server/server.ts b/server/server.ts
@@ -13,27 +13,34 @@ const sessionCounter: { [key: string]: number } = {}
 app.use(bodyParser.json())
 app.use(bodyParser.urlencoded({ extended: true }))
 
+// sessionId middleware
 app.use((req, res, next) => {
+  // sessionId is in the body?
   if (req.body && req.body.sessionId) {
     if (req.body.sessionId.length > 300)
+      // we don't want overflow issues
       return res.status(403).send({
         message: "SessionId length is too long",
         code: Errors.SessionIdTooLong,
       })
+    // if the sessionId is already being tracked
     if (req.body.sessionId in sessionCounter) next()
     else {
       if (Object.keys(sessionCounter).length > 20)
+        // too many sessions, abort
         res.status(500).send({
           message:
             "Session limit exceeded, please restart server or manually purge sessions",
           code: Errors.SessionLimitExceeded,
         })
+      // if not, start tracking with counter 0
       else {
         sessionCounter[req.body.sessionId] = 0
         next()
       }
     }
   } else {
+    // cant do anything without a sessionId, sorry
     res.status(403).send({
       message: "You are missing the sessionId in the body",
       code: Errors.MissingSessionId,
@@ -44,11 +51,14 @@ app.use((req, res, next) => {
 app.use((req, res, next) => {
   if (req.body && req.body.request) {
     try {
+      // verify JWT
       let payload = jwt.decode(req.body.request, secret, false, "HS256")
       if (payload.counter === sessionCounter[req.body.sessionId]) {
+        // increment session counter and go on, everything is fine
         sessionCounter[req.body.sessionId]++
         next()
       } else {
+        // the counter value is unsynchronized, or somebody is trying to forge requests, in any case reject
         res.status(403).send({
           message:
             "Sorry, you sent the wrong counter value, your current session counter is at " +
@@ -58,12 +68,14 @@ app.use((req, res, next) => {
         })
       }
     } catch (e) {
+      // hmm, wrong token
       res.status(403).send({
         message: "Could not verify the token.",
         code: Errors.FailedTokenVerify,
       })
     }
   } else {
+    // no request JWT was sent?
     res.status(403).send({
       message:
         "You need to send a request in the body as a JWT verified with the agreed secret with HS256.",
