
remvoe google safe browsing api and cooldowns

Pouria Ezzati пре 1 година
родитељ
комит
d8eaa4188e

+ 0 - 4
.example.env

@@ -51,10 +51,6 @@ SERVER_IP_ADDRESS=
 # It's on you to generate SSL certificates for those domains manually, at least on this version for now
 CUSTOM_DOMAIN_USE_HTTPS=false
 
-# Optional - Google Cloud API to prevent from users from submitting malware URLs.
-# Get it from https://developers.google.com/safe-browsing/v4/get-started
-GOOGLE_SAFE_BROWSING_KEY=
-
 # Optional - Email is used to verify or change email address, reset password, and send reports.
 # If it's disabled, all the above functionality would be disabled as well.
 # MAIL_FROM example: "Kutt <support@kutt.it>". Leave it empty to use MAIL_USER.

+ 0 - 1
server/env.js

@@ -35,7 +35,6 @@ const env = cleanEnv(process.env, {
   SERVER_IP_ADDRESS: str({ default: "" }),
   CUSTOM_DOMAIN_USE_HTTPS: bool({ default: false }),
   JWT_SECRET: str({ devDefault: "securekey" }),
-  GOOGLE_SAFE_BROWSING_KEY: str({ default: "" }),
   MAIL_ENABLED: bool({ default: false }),
   MAIL_HOST: str({ default: "" }),
   MAIL_PORT: num({ default: 587 }),

+ 6 - 12
server/handlers/links.handler.js

@@ -105,8 +105,6 @@ async function create(req, res) {
   const targetDomain = utils.removeWww(URL.parse(target).hostname);
   
   const tasks = await Promise.all([
-    validators.cooldown(req.user),
-    validators.malware(req.user, target),
     reuse &&
       query.link.find({
         target,
@@ -125,19 +123,19 @@ async function create(req, res) {
   
   // if "reuse" is true, try to return
   // the existent URL without creating one
-  if (tasks[2]) {
-    return res.json(utils.sanitize.link(tasks[2]));
+  if (tasks[0]) {
+    return res.json(utils.sanitize.link(tasks[0]));
   }
   
   // Check if custom link already exists
-  if (tasks[3]) {
+  if (tasks[1]) {
     const error = "Custom URL is already in use.";
     res.locals.errors = { customurl: error };
     throw new CustomError(error);
   }
 
   // Create new link
-  const address = customurl || tasks[4];
+  const address = customurl || tasks[2];
   const link = await query.link.create({
     password,
     address,
@@ -215,8 +213,6 @@ async function edit(req, res) {
   const domain_id = link.domain_id || null;
 
   const tasks = await Promise.all([
-    validators.cooldown(req.user),
-    target && validators.malware(req.user, target),
     address &&
       query.link.find({
         address,
@@ -227,7 +223,7 @@ async function edit(req, res) {
   ]);
 
   // Check if custom link already exists
-  if (tasks[2]) {
+  if (tasks[0]) {
     const error = "Custom URL is already in use.";
     res.locals.errors = { address: error };
     throw new CustomError("Custom URL is already in use.");
@@ -310,8 +306,6 @@ async function editAdmin(req, res) {
   const domain_id = link.domain_id || null;
 
   const tasks = await Promise.all([
-    validators.cooldown(req.user),
-    target && validators.malware(req.user, target),
     address &&
       query.link.find({
         address,
@@ -322,7 +316,7 @@ async function editAdmin(req, res) {
   ]);
 
   // Check if custom link already exists
-  if (tasks[2]) {
+  if (tasks[0]) {
     const error = "Custom URL is already in use.";
     res.locals.errors = { address: error };
     throw new CustomError("Custom URL is already in use.");
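Review bot: In create() the Promise.all results are still read by position (`tasks[0]`, `tasks[1]`, `tasks[2]`), and this hunk shows why that is fragile — dropping two validators forced every index to be renumbered, and the same renumbering had to be repeated in edit() and editAdmin(). Destructuring the result instead, e.g. `const [existingLink, customTaken, generatedAddress] = await Promise.all([` in create() (and `const [addressTaken] = await Promise.all([` in the two edit handlers, since only the first slot is read there), names each slot and survives future insertions or removals. Separately, with validators.malware gone nothing in these hunks inspects `target` against a known-bad list any more, so operators who had configured GOOGLE_SAFE_BROWSING_KEY lose that check silently once env.js stops reading the variable; a release note, or a startup warning when the now-ignored variable is still set, would make that explicit. create(), edit() and editAdmin() all begin before and end after their hunks, so any remaining target validation outside them was not visible here.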

+ 0 - 69
server/handlers/validators.handler.js

@@ -501,73 +501,6 @@ const deleteUserByAdmin = [
     .isNumeric()
 ];
 
-// TODO: if user has posted malware should do something better
-function cooldown(user) {
-
-  if (!user?.cooldown) return;
-
-  // If user has active cooldown then throw error
-  const hasCooldownNow = differenceInHours(new Date(), utils.parseDatetime(user.cooldown)) < 12;
-
-  if (hasCooldownNow) {
-    throw new utils.CustomError("Cooldown because of a malware URL. Wait 12h");
-  }
-}
-
-// TODO: if user or non-user has posted malware should do something better
-async function malware(user, target) {
-  if (!env.GOOGLE_SAFE_BROWSING_KEY) return;
-
-  const isMalware = await fetch(
-    `https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${env.GOOGLE_SAFE_BROWSING_KEY}`,
-    {
-      method: "post",
-      body: JSON.stringify({
-        client: {
-          clientId: env.DEFAULT_DOMAIN.toLowerCase().replace(".", ""),
-          clientVersion: "1.0.0"
-        },
-        threatInfo: {
-          threatTypes: [
-            "THREAT_TYPE_UNSPECIFIED",
-            "MALWARE",
-            "SOCIAL_ENGINEERING",
-            "UNWANTED_SOFTWARE",
-            "POTENTIALLY_HARMFUL_APPLICATION"
-          ],
-          platformTypes: ["ANY_PLATFORM", "PLATFORM_TYPE_UNSPECIFIED"],
-          threatEntryTypes: [
-            "EXECUTABLE",
-            "URL",
-            "THREAT_ENTRY_TYPE_UNSPECIFIED"
-          ],
-          threatEntries: [{ url: target }]
-        }
-      })
-    }
-  ).then(res => res.json());
-
-  if (!isMalware.data || !isMalware.data.matches) return;
-
-  if (user) {
-    const updatedUser = await query.user.update(
-      { id: user.id },
-      { cooldown: utils.dateToUTC(new Date()) },
-      { increments: ["malicious_attempts"] }
-    );
-
-    // Ban if too many cooldowns
-    if (updatedUser.malicious_attempts > 2) {
-      await query.user.update({ id: user.id }, { banned: true });
-      throw new utils.CustomError("Too much malware requests. You are now banned.");
-    }
-  }
-
-  throw new utils.CustomError(
-    user ? "Malware detected! Cooldown for 12h." : "Malware detected!"
-  );
-};
-
 async function bannedDomain(domain) {
   const isBanned = await query.domain.find({
     address: domain,
@@ -611,7 +544,6 @@ module.exports = {
   changeEmail,
   changePassword,
   checkUser,
-  cooldown,
   createAdmin,
   createLink,
   createUser,
@@ -621,7 +553,6 @@ module.exports = {
   editLink,
   getStats,
   login, 
-  malware,
   newPassword,
   redirectProtected,
   removeDomain,

+ 4 - 5
server/migrations/20240911230301_change_cooldown.js → server/migrations/20250106070444_remove_cooldown.js

@@ -1,5 +1,4 @@
 async function up(knex) {
-
   const hasCooldowns = await knex.schema.hasColumn("users", "cooldowns");
   if (hasCooldowns) {
     await knex.schema.alterTable("users", table => {
@@ -8,16 +7,16 @@ async function up(knex) {
   }
 
   const hasCooldown = await knex.schema.hasColumn("users", "cooldown");
-  if (!hasCooldown) {
+  if (hasCooldown) {
     await knex.schema.alterTable("users", table => {
-      table.datetime("cooldown").nullable();
+      table.dropColumn("cooldown");
     });
   }
 
   const hasMaliciousAttempts = await knex.schema.hasColumn("users", "malicious_attempts");
-  if (!hasMaliciousAttempts) {
+  if (hasMaliciousAttempts) {
     await knex.schema.alterTable("users", table => {
-      table.integer("malicious_attempts").notNullable().defaultTo(0);
+      table.dropColumn("malicious_attempts");
     });
   }
 }
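Review bot: Renaming the already-shipped 20240911230301_change_cooldown migration into 20250106070444_remove_cooldown rewrites migration history for any deployment that ran the old file: knex records applied migrations by file name, and its directory-consistency check will, if I recall its default behaviour correctly, refuse to run when a recorded migration is missing from disk. Leaving the 2024 file untouched and adding the new file alongside it, containing only the `cooldowns` cleanup and the two `dropColumn` blocks, avoids that failure mode. Dropping `malicious_attempts` also discards the per-user abuse counter irreversibly; if that data has any forensic value, a comment such as `// Destructive: malicious_attempts counts are not preserved; export first if needed` belongs above the drop. The matching down() is outside this hunk, so I could not check whether it recreates the columns.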

+ 0 - 2
server/models/user.model.js

@@ -24,8 +24,6 @@ async function createUserTable(knex) {
         .notNullable()
         .defaultTo(ROLES.USER);
       table.string("password").notNullable();
-      table.datetime("cooldown").nullable();
-      table.integer("malicious_attempts").notNullable().defaultTo(0);
       table.dateTime("reset_password_expires");
       table.string("reset_password_token");
       table.dateTime("change_email_expires");