Switch to a system where you can use either a verifyCode or a captcha token for any endpoint with one or the other

2026-02-01 16:09:35 -07:00
parent 3f3d6325d6
commit b4309294e6
8 changed files with 130 additions and 177 deletions
--- a/src/routes/berrydash/icon-marketplace/upload/post.ts
+++ b/src/routes/berrydash/icon-marketplace/upload/post.ts
@@ -4,18 +4,17 @@ import {
  getDatabaseConnection,
  hash,
  jsonResponse,
-  validateTurnstile
+  verifyTurstileOrVerifyCode
 } from '../../../../lib/util'
 import { checkAuthorization } from '../../../../lib/auth'
-import { berryDashMarketplaceIcons, verifyCodes } from '../../../../lib/tables'
-import { and, desc, eq, sql } from 'drizzle-orm'
+import { berryDashMarketplaceIcons } from '../../../../lib/tables'
 import { Buffer } from 'buffer'
 import sizeOf from 'image-size'
 import { Connection } from 'mysql2/typings/mysql/lib/Connection'

 type Body = {
-  verifyCode: string
-  token: string
+  token: string | null
+  verifyCode: string | null
  price: string
  name: string
  fileContent: string
@@ -136,55 +135,17 @@ export async function handler (context: Context) {
    )

  const time = Math.floor(Date.now() / 1000)
-  if (body.verifyCode) {
-    const codeExists = await db0
-      .select({ id: verifyCodes.id })
-      .from(verifyCodes)
-      .where(
-        and(
-          eq(verifyCodes.ip, ip),
-          eq(verifyCodes.usedTimestamp, 0),
-          eq(verifyCodes.code, body.verifyCode),
-          sql`${verifyCodes.timestamp} >= UNIX_TIMESTAMP() - 600`
-        )
-      )
-      .orderBy(desc(verifyCodes.id))
-      .limit(1)
-      .execute()
-    if (codeExists[0]) {
-      await db0
-        .update(verifyCodes)
-        .set({ usedTimestamp: time })
-        .where(
-          and(
-            eq(verifyCodes.id, codeExists[0].id),
-            eq(verifyCodes.ip, ip),
-            eq(verifyCodes.usedTimestamp, 0),
-            eq(verifyCodes.code, body.verifyCode)
-          )
-        )
-        .execute()
-    } else
-      return jsonResponse(
-        {
-          success: false,
-          message: 'Invalid verify code (codes can only be used once)'
-        },
-        400
-      )
-  } else {
-    const result = await validateTurnstile(body.token, ip)
-    if (!result.success) {
-      connection0.end()
-      return jsonResponse(
-        {
-          success: false,
-          message: 'Unable to verify captcha key'
-        },
-        400
-      )
-    }
-  }
+  if (!(await verifyTurstileOrVerifyCode(body.token, body.verifyCode, ip, db0)))
+    return jsonResponse(
+      {
+        success: false,
+        message:
+          body.token != null
+            ? 'Invalid captcha token'
+            : 'Invalid verify code (codes can only be used once)'
+      },
+      400
+    )

  const hashResult = hash(atob(body.fileContent), 'sha512')
  const id = crypto.randomUUID()