feat: blocklist table with registration check endpoint

- is_blocked BOOLEAN (default true), INET type for IP validation
- Indexes on email/username/phone/ip for fast registration checks
- POST /api/blocklist/check — checks all fields in one request, returns 403 if blocked
- Auto-timestamps on block/unblock, email stored lowercase

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-05-21 10:29:53 +02:00
parent 9eac7b47fc
commit 5f79e76b67
3 changed files with 141 additions and 0 deletions

View File

@@ -307,6 +307,34 @@ async function migrate() {
) )
`); `);
// blocklist
await query(`
CREATE TABLE IF NOT EXISTS blocklist (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
is_blocked BOOLEAN NOT NULL DEFAULT true,
username TEXT,
email TEXT,
phone TEXT,
ip INET,
blocked_at TIMESTAMPTZ,
unblocked_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)
`);
await query(`
DROP TRIGGER IF EXISTS blocklist_updated_at ON blocklist;
CREATE TRIGGER blocklist_updated_at
BEFORE UPDATE ON blocklist
FOR EACH ROW EXECUTE FUNCTION update_updated_at()
`);
await query(`CREATE INDEX IF NOT EXISTS blocklist_email_idx ON blocklist (lower(email)) WHERE email IS NOT NULL`);
await query(`CREATE INDEX IF NOT EXISTS blocklist_username_idx ON blocklist (lower(username)) WHERE username IS NOT NULL`);
await query(`CREATE INDEX IF NOT EXISTS blocklist_phone_idx ON blocklist (phone) WHERE phone IS NOT NULL`);
await query(`CREATE INDEX IF NOT EXISTS blocklist_ip_idx ON blocklist (ip) WHERE ip IS NOT NULL`);
console.log('Migration complete'); console.log('Migration complete');
} }

View File

@@ -31,6 +31,7 @@ app.use('/api/objects', auth, require('./routes/objects'));
app.use('/api/pairs', auth, require('./routes/pairs')); app.use('/api/pairs', auth, require('./routes/pairs'));
app.use('/api/questions', auth, require('./routes/questions')); app.use('/api/questions', auth, require('./routes/questions'));
app.use('/api/statements', auth, require('./routes/statements')); app.use('/api/statements', auth, require('./routes/statements'));
app.use('/api/blocklist', auth, require('./routes/blocklist'));
// 404 // 404
app.use((req, res) => { app.use((req, res) => {

112
src/routes/blocklist.js Normal file
View File

@@ -0,0 +1,112 @@
const router = require('express').Router();
const { query } = require('../db');
// GET /api/blocklist
router.get('/', async (req, res, next) => {
try {
const { is_blocked, limit = 50, offset = 0 } = req.query;
const params = [Math.min(parseInt(limit), 500), parseInt(offset)];
const where = is_blocked !== undefined ? `WHERE is_blocked = $3` : '';
if (is_blocked !== undefined) params.push(is_blocked === 'true');
const result = await query(
`SELECT * FROM blocklist ${where} ORDER BY created_at DESC LIMIT $1 OFFSET $2`,
params
);
res.json(result.rows);
} catch (err) { next(err); }
});
// GET /api/blocklist/:id
router.get('/:id', async (req, res, next) => {
try {
const result = await query('SELECT * FROM blocklist WHERE id = $1', [req.params.id]);
if (!result.rows.length) return res.status(404).json({ error: 'Not found' });
res.json(result.rows[0]);
} catch (err) { next(err); }
});
// POST /api/blocklist/check — Registrierungs-Check
router.post('/check', async (req, res, next) => {
try {
const { username, email, phone, ip } = req.body;
if (!username && !email && !phone && !ip)
return res.status(400).json({ error: 'Provide at least one field to check' });
const conditions = [];
const params = [];
if (email) { params.push(email.toLowerCase()); conditions.push(`lower(email) = $${params.length}`); }
if (username) { params.push(username.toLowerCase()); conditions.push(`lower(username) = $${params.length}`); }
if (phone) { params.push(phone); conditions.push(`phone = $${params.length}`); }
if (ip) { params.push(ip); conditions.push(`ip = $${params.length}`); }
const result = await query(
`SELECT id, is_blocked, username, email, phone, ip FROM blocklist
WHERE is_blocked = true AND (${conditions.join(' OR ')})
LIMIT 1`,
params
);
if (result.rows.length) {
return res.status(403).json({ blocked: true, matched: result.rows[0] });
}
res.json({ blocked: false });
} catch (err) { next(err); }
});
// POST /api/blocklist — Eintrag anlegen
router.post('/', async (req, res, next) => {
try {
const { username, email, phone, ip } = req.body;
if (!username && !email && !phone && !ip)
return res.status(400).json({ error: 'Provide at least one of: username, email, phone, ip' });
const result = await query(
`INSERT INTO blocklist (username, email, phone, ip, blocked_at)
VALUES ($1, $2, $3, $4, NOW()) RETURNING *`,
[username || null, email ? email.toLowerCase() : null, phone || null, ip || null]
);
res.status(201).json(result.rows[0]);
} catch (err) { next(err); }
});
// PATCH /api/blocklist/:id — blockieren / entsperren
router.patch('/:id', async (req, res, next) => {
try {
const allowed = ['is_blocked', 'username', 'email', 'phone', 'ip', 'blocked_at', 'unblocked_at'];
const fields = Object.keys(req.body).filter(k => allowed.includes(k));
if (!fields.length) return res.status(400).json({ error: 'No valid fields provided' });
// Auto-timestamps bei is_blocked Wechsel
if (req.body.is_blocked === true && !req.body.blocked_at) {
fields.push('blocked_at');
req.body.blocked_at = new Date().toISOString();
}
if (req.body.is_blocked === false && !req.body.unblocked_at) {
fields.push('unblocked_at');
req.body.unblocked_at = new Date().toISOString();
}
// Email normalisieren
if (req.body.email) req.body.email = req.body.email.toLowerCase();
const setClauses = fields.map((f, i) => `${f} = $${i + 1}`).join(', ');
const values = [...fields.map(f => req.body[f]), req.params.id];
const result = await query(
`UPDATE blocklist SET ${setClauses} WHERE id = $${fields.length + 1} RETURNING *`,
values
);
if (!result.rows.length) return res.status(404).json({ error: 'Not found' });
res.json(result.rows[0]);
} catch (err) { next(err); }
});
// DELETE /api/blocklist/:id
router.delete('/:id', async (req, res, next) => {
try {
const result = await query('DELETE FROM blocklist WHERE id = $1 RETURNING id', [req.params.id]);
if (!result.rows.length) return res.status(404).json({ error: 'Not found' });
res.status(204).end();
} catch (err) { next(err); }
});
module.exports = router;