챌린지 Reply Attack 방어 구현

2025-12-16 15:08:46 +00:00 · 2024-12-31 03:05:14 +09:00
parent b84d6fd5ad
commit a64e85848c
6 changed files with 24 additions and 3 deletions
--- a/src/lib/server/db/client.ts
+++ b/src/lib/server/db/client.ts
@@ -118,12 +118,21 @@ export const getUserClientChallenge = async (answer: string, ip: string) => {
        eq(userClientChallenge.answer, answer),
        eq(userClientChallenge.allowedIp, ip),
        gt(userClientChallenge.expiresAt, new Date()),
+        eq(userClientChallenge.isUsed, false),
      ),
    )
    .execute();
  return challenges[0] ?? null;
 };

+export const markUserClientChallengeAsUsed = async (id: number) => {
+  await db
+    .update(userClientChallenge)
+    .set({ isUsed: true })
+    .where(eq(userClientChallenge.id, id))
+    .execute();
+};
+
 export const cleanupExpiredUserClientChallenges = async () => {
  await db
    .delete(userClientChallenge)
--- a/src/lib/server/db/schema/client.ts
+++ b/src/lib/server/db/schema/client.ts
@@ -42,4 +42,5 @@ export const userClientChallenge = sqliteTable("user_client_challenge", {
  answer: text("challenge").notNull().unique(), // Base64
  allowedIp: text("allowed_ip").notNull(),
  expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
+  isUsed: integer("is_used", { mode: "boolean" }).notNull().default(false),
 });
--- a/src/lib/server/db/schema/token.ts
+++ b/src/lib/server/db/schema/token.ts
@@ -28,4 +28,5 @@ export const tokenUpgradeChallenge = sqliteTable("token_upgrade_challenge", {
  answer: text("challenge").notNull().unique(), // Base64
  allowedIp: text("allowed_ip").notNull(),
  expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
+  isUsed: integer("is_used", { mode: "boolean" }).notNull().default(false),
 });
--- a/src/lib/server/db/token.ts
+++ b/src/lib/server/db/token.ts
@@ -102,12 +102,21 @@ export const getTokenUpgradeChallenge = async (answer: string, ip: string) => {
        eq(tokenUpgradeChallenge.answer, answer),
        eq(tokenUpgradeChallenge.allowedIp, ip),
        gt(tokenUpgradeChallenge.expiresAt, new Date()),
+        eq(tokenUpgradeChallenge.isUsed, false),
      ),
    )
    .execute();
  return challenges[0] ?? null;
 };

+export const markTokenUpgradeChallengeAsUsed = async (id: number) => {
+  await db
+    .update(tokenUpgradeChallenge)
+    .set({ isUsed: true })
+    .where(eq(tokenUpgradeChallenge.id, id))
+    .execute();
+};
+
 export const cleanupExpiredTokenUpgradeChallenges = async () => {
  await db
    .delete(tokenUpgradeChallenge)