Added global salt for hashed ips

2024-11-10 01:02:30 +01:00 · 2019-07-10 22:07:39 -04:00 · 2019-07-10 22:07:39 -04:00 · a2889925e7
commit a2889925e7
parent 05da836384
1 changed files with 10 additions and 6 deletions
--- a/index.js
+++ b/index.js
@ -18,6 +18,10 @@ var db = new sqlite3.Database('./databases/sponsorTimes.db');
 // Create an HTTP service.
 http.createServer(app).listen(80);

+//global salt that is added to every ip before hashing to
+//  make it even harder for someone to decode the ip
+var globalSalt = "49cb0d52-1aec-4b89-85fc-fab2c53062fb";
+
 //setup CORS correctly
 app.use(function(req, res, next) {
    res.header("Access-Control-Allow-Origin", "*");
@ -59,18 +63,18 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
    let endTime = req.query.endTime;
    let userID = req.query.userID;

-    //x-forwarded-for if this server is behind a proxy
-    let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
-
-    //hash the ip so no one can get it from the database
-    let hashedIP = hash.update(ip).digest('hex');
-
    if (typeof videoID != 'string' || startTime == undefined || endTime == undefined || userID == undefined) {
        //invalid request
        res.sendStatus(400);
        return;
    }

+    //x-forwarded-for if this server is behind a proxy
+    let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
+
+    //hash the ip so no one can get it from the database
+    let hashedIP = hash.update(ip + globalSalt).digest('hex');
+
    startTime = parseFloat(startTime);
    endTime = parseFloat(endTime);