import { registerPlugin, loadConfig, rootDir } from './index.js';
import crypto from 'crypto';
import path from 'path';
import fs from 'fs';
import { promises as fsPromises } from 'fs';
import { dirname, join } from 'path';
import { fileURLToPath } from 'url';
import { Level } from 'level';
import cookie from 'cookie';
import { parseDuration } from './utils/time.js';
import { getRealIP } from './utils/network.js';
import ttl from 'level-ttl';
import { Readable } from 'stream';
import {
challengeStore,
generateRequestID as proofGenerateRequestID,
getChallengeParams,
deleteChallenge,
verifyPoW,
verifyPoS,
} from './utils/proof.js';
import express from 'express';
// Import recordEvent dynamically to avoid circular dependency issues
let recordEvent;
let statsLoadPromise = import('./plugins/stats.js')
.then((stats) => {
recordEvent = stats.recordEvent;
})
.catch((err) => {
console.error('Failed to import stats module:', err);
recordEvent = null;
});
function sanitizePath(inputPath) {
let pathOnly = inputPath.replace(/[\x00-\x1F\x7F]/g, '');
pathOnly = pathOnly.replace(/[<>;"'`|]/g, '');
const parts = pathOnly.split('/').filter((seg) => seg && seg !== '.' && seg !== '..');
return '/' + parts.map((seg) => encodeURIComponent(seg)).join('/');
}
const checkpointConfig = {};
let hmacSecret = null;
const usedNonces = new Map();
const ipRateLimit = new Map();
const tokenCache = new Map();
let db;
const tokenExpirations = new Map();
let interstitialTemplate = null;
const __dirname = dirname(fileURLToPath(import.meta.url));
function simpleTemplate(str) {
return function (data) {
return str.replace(/\{\{\s*([^{}]+?)\s*\}\}/g, (_, key) => {
let value = data;
for (const part of key.trim().split('.')) {
value = value?.[part];
if (value == null) break;
}
return value != null ? String(value) : '';
});
};
}
async function initConfig() {
await loadConfig('checkpoint', checkpointConfig);
// Handle new nested configuration structure
// Map nested structure to flat structure for internal use
checkpointConfig.Enabled = checkpointConfig.Core.Enabled;
checkpointConfig.CookieName = checkpointConfig.Core.CookieName;
checkpointConfig.CookieDomain = checkpointConfig.Core.CookieDomain;
checkpointConfig.SanitizeURLs = checkpointConfig.Core.SanitizeURLs;
// Proof of Work settings
checkpointConfig.Difficulty = checkpointConfig.ProofOfWork.Difficulty;
checkpointConfig.SaltLength = checkpointConfig.ProofOfWork.SaltLength;
checkpointConfig.ChallengeExpiration = parseDuration(
checkpointConfig.ProofOfWork.ChallengeExpiration,
);
checkpointConfig.MaxAttemptsPerHour = checkpointConfig.ProofOfWork.MaxAttemptsPerHour;
// Proof of Space-Time settings
checkpointConfig.CheckPoSTimes = checkpointConfig.ProofOfSpaceTime.Enabled;
checkpointConfig.PoSTimeConsistencyRatio = checkpointConfig.ProofOfSpaceTime.ConsistencyRatio;
// Token settings
checkpointConfig.TokenExpiration = parseDuration(checkpointConfig.Token.Expiration);
checkpointConfig.MaxNonceAge = parseDuration(checkpointConfig.Token.MaxNonceAge);
// Storage settings
checkpointConfig.SecretConfigPath = checkpointConfig.Storage.SecretPath;
checkpointConfig.TokenStoreDBPath = checkpointConfig.Storage.TokenDBPath;
checkpointConfig.InterstitialPaths = checkpointConfig.Storage.InterstitialTemplates;
// Process exclusions
checkpointConfig.ExclusionRules = checkpointConfig.Exclusion || [];
// Process bypass keys
checkpointConfig.BypassQueryKeys = [];
checkpointConfig.BypassHeaderKeys = [];
checkpointConfig.BypassKeys.forEach((key) => {
if (key.Type === 'query') {
checkpointConfig.BypassQueryKeys.push({
Key: key.Key,
Value: key.Value,
Domains: key.Hosts || [],
});
} else if (key.Type === 'header') {
checkpointConfig.BypassHeaderKeys.push({
Name: key.Key,
Value: key.Value,
Domains: key.Hosts || [],
});
}
});
// Extension handling
checkpointConfig.HTMLCheckpointIncludedExtensions = checkpointConfig.Extensions?.IncludeOnly || [];
checkpointConfig.HTMLCheckpointExcludedExtensions = checkpointConfig.Extensions?.Exclude || [];
// Remove legacy arrays
checkpointConfig.HTMLCheckpointExclusions = [];
checkpointConfig.UserAgentValidationExclusions = [];
checkpointConfig.UserAgentRequiredPrefixes = {};
checkpointConfig.ReverseProxyMappings = {};
}
function addReadStreamSupport(dbInstance) {
if (!dbInstance.createReadStream) {
dbInstance.createReadStream = (opts) =>
Readable.from(
(async function* () {
for await (const [key, value] of dbInstance.iterator(opts)) {
yield { key, value };
}
})(),
);
}
return dbInstance;
}
function initTokenStore() {
try {
const storePath = join(rootDir, checkpointConfig.TokenStoreDBPath || 'db/tokenstore');
fs.mkdirSync(storePath, { recursive: true });
let rawDB = new Level(storePath, { valueEncoding: 'json' });
addReadStreamSupport(rawDB);
db = ttl(rawDB, { defaultTTL: checkpointConfig.TokenExpiration });
addReadStreamSupport(db);
console.log('Token store initialized with TTL');
} catch (err) {
console.error('Failed to initialize token store:', err);
}
}
function getFullClientIP(request) {
const ip = getRealIP(request) || '';
const h = crypto.createHash('sha256').update(ip).digest();
return h.slice(0, 8).toString('hex');
}
function hashUserAgent(ua) {
if (!ua) return '';
const h = crypto.createHash('sha256').update(ua).digest();
return h.slice(0, 8).toString('hex');
}
function extractBrowserFingerprint(request) {
const headers = [
'sec-ch-ua',
'sec-ch-ua-platform',
'sec-ch-ua-mobile',
'sec-ch-ua-platform-version',
'sec-ch-ua-arch',
'sec-ch-ua-model',
];
const parts = headers.map((h) => request.headers.get(h)).filter(Boolean);
if (!parts.length) return '';
const buf = Buffer.from(parts.join('|'));
const h = crypto.createHash('sha256').update(buf).digest();
return h.slice(0, 12).toString('hex');
}
async function getInterstitialTemplate() {
if (!interstitialTemplate) {
for (const p of checkpointConfig.InterstitialPaths) {
try {
let templatePath = join(__dirname, p);
if (fs.existsSync(templatePath)) {
const raw = await fsPromises.readFile(templatePath, 'utf8');
interstitialTemplate = simpleTemplate(raw);
break;
}
templatePath = join(rootDir, p);
if (fs.existsSync(templatePath)) {
const raw = await fsPromises.readFile(templatePath, 'utf8');
interstitialTemplate = simpleTemplate(raw);
break;
}
} catch (e) {
console.warn(`Failed to load interstitial template from path ${p}:`, e);
}
}
if (!interstitialTemplate) {
// Create a minimal fallback template
console.warn('Could not find interstitial HTML template, using minimal fallback');
interstitialTemplate = simpleTemplate(`
Security Verification
Security Verification Required
Please wait while we verify your request...
`);
}
}
return interstitialTemplate;
}
// Helper function for safe stats recording
function safeRecordEvent(metric, data) {
// If recordEvent is not yet loaded, try to wait for it
if (!recordEvent && statsLoadPromise) {
statsLoadPromise.then(() => {
if (recordEvent) {
try {
recordEvent(metric, data);
} catch (err) {
console.error(`Failed to record ${metric} event:`, err);
}
}
});
return;
}
if (typeof recordEvent === 'function') {
try {
recordEvent(metric, data);
} catch (err) {
console.error(`Failed to record ${metric} event:`, err);
}
}
}
async function serveInterstitial(request) {
const ip = getRealIP(request);
const requestPath = new URL(request.url).pathname;
safeRecordEvent('checkpoint.sent', { ip, path: requestPath });
let tpl;
try {
tpl = await getInterstitialTemplate();
} catch (err) {
console.error('Interstitial template error:', err);
return new Response('Security verification required.', {
status: 200,
headers: { 'Content-Type': 'text/plain' },
});
}
const requestID = proofGenerateRequestID(request, checkpointConfig);
const url = new URL(request.url);
const host = request.headers.get('host') || url.hostname;
const targetPath = url.pathname;
const fullURL = request.url;
const html = tpl({
TargetPath: targetPath,
RequestID: requestID,
Host: host,
FullURL: fullURL,
});
return new Response(html, {
status: 200,
headers: { 'Content-Type': 'text/html; charset=utf-8' },
});
}
async function handleGetCheckpointChallenge(request) {
const url = new URL(request.url);
const requestID = url.searchParams.get('id');
if (!requestID) {
return new Response(JSON.stringify({ error: 'Missing request ID' }), {
status: 400,
headers: { 'Content-Type': 'application/json' },
});
}
const ip = getRealIP(request);
const attempts = (ipRateLimit.get(ip) || 0) + 1;
ipRateLimit.set(ip, attempts);
if (attempts > checkpointConfig.MaxAttemptsPerHour) {
return new Response(
JSON.stringify({ error: 'Too many challenge requests. Try again later.' }),
{
status: 429,
headers: { 'Content-Type': 'application/json' },
},
);
}
const params = getChallengeParams(requestID);
if (!params) {
return new Response(JSON.stringify({ error: 'Challenge not found or expired' }), {
status: 404,
headers: { 'Content-Type': 'application/json' },
});
}
if (ip !== params.ClientIP) {
return new Response(JSON.stringify({ error: 'IP address mismatch for challenge' }), {
status: 403,
headers: { 'Content-Type': 'application/json' },
});
}
const payload = {
a: params.Challenge,
b: params.Salt,
c: params.Difficulty,
d: params.PoSSeed,
};
return new Response(JSON.stringify(payload), {
status: 200,
headers: { 'Content-Type': 'application/json' },
});
}
function calculateTokenHash(token) {
const data = `${token.Nonce}:${token.Entropy}:${token.Created.getTime()}`;
return crypto.createHash('sha256').update(data).digest('hex');
}
function computeTokenSignature(token) {
const copy = { ...token, Signature: '' };
const serialized = JSON.stringify(copy);
return crypto.createHmac('sha256', hmacSecret).update(serialized).digest('hex');
}
function verifyTokenSignature(token) {
if (!token.Signature) return false;
const expected = computeTokenSignature(token);
try {
return crypto.timingSafeEqual(
Buffer.from(token.Signature, 'hex'),
Buffer.from(expected, 'hex'),
);
} catch (e) {
return false;
}
}
async function issueToken(request, token) {
const tokenHash = calculateTokenHash(token);
const storedData = {
ClientIPHash: token.ClientIP,
UserAgentHash: token.UserAgent,
BrowserHint: token.BrowserHint,
LastVerified: new Date(token.LastVerified).toISOString(),
ExpiresAt: new Date(token.ExpiresAt).toISOString(),
};
try {
await addToken(tokenHash, storedData);
} catch (err) {
console.error('Failed to store token:', err);
}
token.Signature = computeTokenSignature(token);
const tokenStr = Buffer.from(JSON.stringify(token)).toString('base64');
const url = new URL(request.url);
const cookieDomain = checkpointConfig.CookieDomain || '';
const sameSite = cookieDomain ? 'Lax' : 'Strict';
const secure = url.protocol === 'https:';
const expires = new Date(token.ExpiresAt).toUTCString();
const domainPart = cookieDomain ? `; Domain=${cookieDomain}` : '';
const securePart = secure ? '; Secure' : '';
const cookieStr =
`${checkpointConfig.CookieName}=${tokenStr}; Path=/` +
`${domainPart}; Expires=${expires}; HttpOnly; SameSite=${sameSite}${securePart}`;
return new Response(JSON.stringify({ token: tokenStr, expires_at: token.ExpiresAt }), {
status: 200,
headers: {
'Content-Type': 'application/json',
'Set-Cookie': cookieStr,
},
});
}
async function handleVerifyCheckpoint(request) {
let body;
try {
body = await request.json();
} catch (e) {
safeRecordEvent('checkpoint.failure', { reason: 'invalid_json', ip: getRealIP(request) });
return new Response(JSON.stringify({ error: 'Invalid JSON' }), {
status: 400,
headers: { 'Content-Type': 'application/json' },
});
}
const ip = getRealIP(request);
const params = getChallengeParams(body.request_id);
if (!params) {
safeRecordEvent('checkpoint.failure', { reason: 'invalid_or_expired_request', ip });
return new Response(JSON.stringify({ error: 'Invalid or expired request ID' }), {
status: 400,
headers: { 'Content-Type': 'application/json' },
});
}
if (ip !== params.ClientIP) {
safeRecordEvent('checkpoint.failure', { reason: 'ip_mismatch', ip });
return new Response(JSON.stringify({ error: 'IP address mismatch' }), {
status: 403,
headers: { 'Content-Type': 'application/json' },
});
}
const challenge = params.Challenge;
const salt = params.Salt;
if (!body.g || !verifyPoW(challenge, salt, body.g, params.Difficulty)) {
safeRecordEvent('checkpoint.failure', { reason: 'invalid_pow', ip });
return new Response(JSON.stringify({ error: 'Invalid proof-of-work solution' }), {
status: 400,
headers: { 'Content-Type': 'application/json' },
});
}
const nonceKey = body.g + challenge;
usedNonces.set(nonceKey, Date.now());
if (body.h?.length === 3 && body.i?.length === 3) {
try {
verifyPoS(body.h, body.i, checkpointConfig);
} catch (e) {
safeRecordEvent('checkpoint.failure', { reason: 'invalid_pos', ip });
return new Response(JSON.stringify({ error: e.message }), {
status: 400,
headers: { 'Content-Type': 'application/json' },
});
}
}
deleteChallenge(body.request_id);
safeRecordEvent('checkpoint.success', { ip });
const now = new Date();
const expiresAt = new Date(now.getTime() + checkpointConfig.TokenExpiration);
const token = {
Nonce: body.g,
ExpiresAt: expiresAt,
ClientIP: getFullClientIP(request),
UserAgent: hashUserAgent(request.headers.get('user-agent')),
BrowserHint: extractBrowserFingerprint(request),
Entropy: crypto.randomBytes(8).toString('hex'),
Created: now,
LastVerified: now,
TokenFormat: 2,
};
token.Signature = computeTokenSignature(token);
const tokenStr = Buffer.from(JSON.stringify(token)).toString('base64');
const tokenKey = crypto.createHash('sha256').update(tokenStr).digest('hex');
try {
await db.put(tokenKey, true);
tokenCache.set(tokenKey, true);
tokenExpirations.set(tokenKey, new Date(token.ExpiresAt).getTime());
console.log(`checkpoint: token stored in DB and cache key=${tokenKey}`);
} catch (e) {
console.error('checkpoint: failed to store token in DB:', e);
}
return new Response(JSON.stringify({ token: tokenStr, expires_at: token.ExpiresAt }), {
status: 200,
headers: { 'Content-Type': 'application/json' },
});
}
function generateUpdatedCookie(token, secure) {
token.Signature = computeTokenSignature(token);
const tokenStr = Buffer.from(JSON.stringify(token)).toString('base64');
const cookieDomain = checkpointConfig.CookieDomain || '';
const sameSite = cookieDomain ? 'Lax' : 'Strict';
const expires = new Date(token.ExpiresAt).toUTCString();
const domainPart = cookieDomain ? `; Domain=${cookieDomain}` : '';
const securePart = secure ? '; Secure' : '';
const cookieStr =
`${checkpointConfig.CookieName}=${tokenStr}; Path=/` +
`${domainPart}; Expires=${expires}; HttpOnly; SameSite=${sameSite}${securePart}`;
return cookieStr;
}
async function validateToken(tokenStr, request) {
if (!tokenStr) return false;
let token;
try {
token = JSON.parse(Buffer.from(tokenStr, 'base64').toString());
} catch {
console.log('checkpoint: invalid token format');
return false;
}
if (Date.now() > new Date(token.ExpiresAt).getTime()) {
console.log('checkpoint: token expired');
return false;
}
if (!verifyTokenSignature(token)) {
console.log('checkpoint: invalid token signature');
return false;
}
const tokenKey = crypto.createHash('sha256').update(tokenStr).digest('hex');
if (tokenCache.has(tokenKey)) return true;
try {
await db.get(tokenKey);
tokenCache.set(tokenKey, true);
tokenExpirations.set(tokenKey, new Date(token.ExpiresAt).getTime());
return true;
} catch {
console.log('checkpoint: token not found in DB');
return false;
}
}
async function handleTokenRedirect(request) {
const url = new URL(request.url);
const tokenStr = url.searchParams.get('token');
if (!tokenStr) return undefined;
let token;
try {
token = JSON.parse(Buffer.from(tokenStr, 'base64').toString());
if (Date.now() > new Date(token.ExpiresAt).getTime()) {
console.log('checkpoint: token in URL parameter expired');
return undefined;
}
if (!verifyTokenSignature(token)) {
console.log('checkpoint: invalid token signature in URL parameter');
return undefined;
}
const tokenKey = crypto.createHash('sha256').update(tokenStr).digest('hex');
try {
await db.get(tokenKey);
} catch {
console.log('checkpoint: token in URL parameter not found in DB');
return undefined;
}
} catch (e) {
console.log('checkpoint: invalid token format in URL parameter', e);
return undefined;
}
const expires = new Date(token.ExpiresAt).toUTCString();
const cookieDomain = checkpointConfig.CookieDomain || '';
const sameSite = cookieDomain ? 'Lax' : 'Strict';
const securePart = url.protocol === 'https:' ? '; Secure' : '';
const domainPart = cookieDomain ? `; Domain=${cookieDomain}` : '';
const cookieStr =
`${checkpointConfig.CookieName}=${tokenStr}; Path=/` +
`${domainPart}; Expires=${expires}; HttpOnly; SameSite=${sameSite}${securePart}`;
url.searchParams.delete('token');
const cleanUrl = url.pathname + (url.search || '');
return new Response(null, {
status: 302,
headers: {
'Set-Cookie': cookieStr,
Location: cleanUrl,
},
});
}
function CheckpointMiddleware() {
// Return Express-compatible middleware
return {
middleware: [
// Add body parser middleware for JSON
express.json({ limit: '10mb' }),
// Main checkpoint middleware
async (req, res, next) => {
// Check if checkpoint is enabled
if (checkpointConfig.Enabled === false) {
return next();
}
// Convert Express request to the format expected by checkpoint logic
const request = {
url: `${req.protocol}://${req.get('host')}${req.originalUrl}`,
method: req.method,
headers: {
get: (name) => req.get(name),
entries: () => Object.entries(req.headers).map(([k, v]) => [k, Array.isArray(v) ? v.join(', ') : v])
},
json: () => Promise.resolve(req.body)
};
const urlObj = new URL(request.url);
const host = request.headers.get('host')?.split(':')[0];
const userAgent = request.headers.get('user-agent') || '';
// 1) Bypass via query keys
for (const { Key, Value, Domains } of checkpointConfig.BypassQueryKeys) {
if (urlObj.searchParams.get(Key) === Value) {
if (!Array.isArray(Domains) || Domains.length === 0 || Domains.includes(host)) {
return next();
}
}
}
// 2) Bypass via header keys
for (const { Name, Value, Domains } of checkpointConfig.BypassHeaderKeys) {
// Get header value case-insensitively by checking all headers
let headerVal = null;
const headersMap = Object.fromEntries([...request.headers.entries()].map(([k, v]) => [k.toLowerCase(), v]));
headerVal = headersMap[Name.toLowerCase()] || request.headers.get(Name);
console.log(`DEBUG - Checking header ${Name}: received="${headerVal}", expected="${Value}", domains=${JSON.stringify(Domains)}`);
if (headerVal === Value) {
console.log(`DEBUG - Header value matched for ${Name}`);
if (!Array.isArray(Domains) || Domains.length === 0 || Domains.includes(host)) {
console.log(`DEBUG - Domain check passed for ${host}`);
return next();
} else {
console.log(`DEBUG - Domain check failed: ${host} not in ${JSON.stringify(Domains)}`);
}
} else {
console.log(`DEBUG - Header value mismatch for ${Name}`);
}
}
// Handle token redirect for URL-token login
const tokenResponse = await handleTokenRedirect(request);
if (tokenResponse) {
// Convert Response to Express response
res.status(tokenResponse.status);
tokenResponse.headers.forEach((value, key) => {
res.setHeader(key, value);
});
const body = await tokenResponse.text();
return res.send(body);
}
// Setup request context
const url = new URL(request.url);
let path = url.pathname;
if (checkpointConfig.SanitizeURLs) {
path = sanitizePath(path);
}
const method = request.method;
// Always allow challenge & verify endpoints
if (method === 'GET' && path === '/api/challenge') {
const response = await handleGetCheckpointChallenge(request);
res.status(response.status);
response.headers.forEach((value, key) => {
res.setHeader(key, value);
});
const body = await response.text();
return res.send(body);
}
if (method === 'POST' && path === '/api/verify') {
const response = await handleVerifyCheckpoint(request);
res.status(response.status);
response.headers.forEach((value, key) => {
res.setHeader(key, value);
});
const body = await response.text();
return res.send(body);
}
// Check new exclusion rules
if (checkpointConfig.ExclusionRules && checkpointConfig.ExclusionRules.length > 0) {
for (const rule of checkpointConfig.ExclusionRules) {
// Check if path matches
if (!rule.Path || !path.startsWith(rule.Path)) {
continue;
}
// Check if host matches (if specified)
if (rule.Hosts && rule.Hosts.length > 0 && !rule.Hosts.includes(host)) {
continue;
}
// Check if user agent matches (if specified)
if (rule.UserAgents && rule.UserAgents.length > 0) {
const matchesUA = rule.UserAgents.some((ua) => userAgent.includes(ua));
if (!matchesUA) {
continue;
}
}
// All conditions match - exclude this request
return next();
}
}
// Skip checkpoint for requests that don't accept HTML or are for audio/video
if (!req.accepts('html')) {
return next();
}
// Validate session token
const cookies = cookie.parse(request.headers.get('cookie') || '');
const tokenCookie = cookies[checkpointConfig.CookieName];
const validation = await validateToken(tokenCookie, request);
if (validation) {
// Active session: bypass checkpoint
return next();
}
// Log new checkpoint flow
console.log(`checkpoint: incoming ${method} ${request.url}`);
console.log(`checkpoint: tokenCookie=${tokenCookie}`);
console.log(`checkpoint: validateToken => ${validation}`);
// Serve interstitial challenge
const response = await serveInterstitial(request);
res.status(response.status);
response.headers.forEach((value, key) => {
res.setHeader(key, value);
});
const body = await response.text();
return res.send(body);
}
]
};
}
async function addToken(tokenHash, data) {
if (!db) return;
try {
const ttlMs = checkpointConfig.TokenExpiration;
await db.put(tokenHash, data);
tokenExpirations.set(tokenHash, Date.now() + ttlMs);
} catch (err) {
console.error('Error adding token:', err);
}
}
async function updateTokenVerification(tokenHash) {
if (!db) return;
try {
const data = await db.get(tokenHash);
data.LastVerified = new Date().toISOString();
await db.put(tokenHash, data);
} catch (err) {
console.error('Error updating token verification:', err);
}
}
async function lookupTokenData(tokenHash) {
if (!db) return { data: null, found: false };
try {
const expireTime = tokenExpirations.get(tokenHash);
if (!expireTime || expireTime <= Date.now()) {
if (expireTime) {
tokenExpirations.delete(tokenHash);
try {
await db.del(tokenHash);
} catch (e) {}
}
return { data: null, found: false };
}
const data = await db.get(tokenHash);
return { data, found: true };
} catch (err) {
if (err.code === 'LEVEL_NOT_FOUND') return { data: null, found: false };
console.error('Error looking up token:', err);
throw err;
}
}
async function closeTokenStore() {
if (db) await db.close();
}
function startCleanupTimer() {
// Cleanup expired data hourly
setInterval(() => {
cleanupExpiredData();
}, 3600000);
// Cleanup expired challenges at the challenge expiration interval
const challengeInterval = checkpointConfig.ChallengeExpiration || 60000;
setInterval(() => {
cleanupExpiredChallenges();
}, challengeInterval);
}
function cleanupExpiredData() {
const now = Date.now();
let count = 0;
try {
for (const [nonce, ts] of usedNonces.entries()) {
if (now - ts > checkpointConfig.MaxNonceAge) {
usedNonces.delete(nonce);
count++;
}
}
if (count) console.log(`Checkpoint: cleaned up ${count} expired nonces.`);
} catch (err) {
console.error('Error cleaning up nonces:', err);
}
// Clean up expired tokens from cache
let tokenCacheCount = 0;
try {
for (const [tokenKey, _] of tokenCache.entries()) {
const expireTime = tokenExpirations.get(tokenKey);
if (!expireTime || expireTime <= now) {
tokenCache.delete(tokenKey);
tokenExpirations.delete(tokenKey);
tokenCacheCount++;
}
}
if (tokenCacheCount)
console.log(`Checkpoint: cleaned up ${tokenCacheCount} expired tokens from cache.`);
} catch (err) {
console.error('Error cleaning up token cache:', err);
}
try {
ipRateLimit.clear();
console.log('Checkpoint: IP rate limits reset.');
} catch (err) {
console.error('Error resetting IP rate limits:', err);
}
}
function cleanupExpiredChallenges() {
const now = Date.now();
let count = 0;
for (const [id, params] of challengeStore.entries()) {
if (params.ExpiresAt && params.ExpiresAt < now) {
// Record failure for expired challenges that were never completed
safeRecordEvent('checkpoint.failure', {
reason: 'challenge_expired',
ip: params.ClientIP,
challenge_id: id.substring(0, 8), // Include partial ID for debugging
age_ms: now - params.CreatedAt, // How long the challenge existed
expiry_ms: checkpointConfig.ChallengeExpiration, // Configured expiry time
});
challengeStore.delete(id);
count++;
}
}
if (count) console.log(`Checkpoint: cleaned up ${count} expired challenges.`);
}
async function initSecret() {
try {
if (!checkpointConfig.SecretConfigPath) {
checkpointConfig.SecretConfigPath = join(rootDir, 'data', 'checkpoint_secret.json');
}
const secretPath = checkpointConfig.SecretConfigPath;
const exists = fs.existsSync(secretPath);
if (exists) {
const loaded = loadSecretFromFile();
if (loaded) {
hmacSecret = loaded;
console.log(`Loaded existing HMAC secret from ${secretPath}`);
return;
}
}
hmacSecret = crypto.randomBytes(32);
fs.mkdirSync(path.dirname(secretPath), { recursive: true });
const secretCfg = {
hmac_secret: hmacSecret.toString('base64'),
created_at: new Date().toISOString(),
updated_at: new Date().toISOString(),
};
fs.writeFileSync(secretPath, JSON.stringify(secretCfg), { mode: 0o600 });
console.log(`Created and saved new HMAC secret to ${secretPath}`);
} catch (err) {
console.error('Error initializing secret:', err);
hmacSecret = crypto.randomBytes(32);
}
}
function loadSecretFromFile() {
try {
const data = fs.readFileSync(checkpointConfig.SecretConfigPath, 'utf8');
const cfg = JSON.parse(data);
const buf = Buffer.from(cfg.hmac_secret, 'base64');
if (buf.length < 16) return null;
cfg.updated_at = new Date().toISOString();
fs.writeFileSync(checkpointConfig.SecretConfigPath, JSON.stringify(cfg), { mode: 0o600 });
return buf;
} catch (e) {
console.warn('Could not load HMAC secret from file:', e);
return null;
}
}
(async function initialize() {
await initConfig();
await initSecret();
initTokenStore();
startCleanupTimer();
// Only register plugin if enabled
if (checkpointConfig.Enabled !== false) {
registerPlugin('checkpoint', CheckpointMiddleware());
} else {
console.log('Checkpoint plugin disabled via configuration');
}
})();
export { checkpointConfig, addToken, updateTokenVerification, lookupTokenData, closeTokenStore };