split/monofile
1
0
Fork 0
mirror of https://github.com/mollersuite/monofile.git synced 2024-10-06 12:06:26 -07:00
Code Issues Actions Packages Projects Releases 1 Wiki Activity

bearer-auth: move /download route to middleware

Browse source
This commit is contained in:
split / May 2023-10-01 16:28:15 -07:00
parent a5d3131180
commit c8e486630e
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/server/index.ts
View file

@ -13,6 +13,7 @@ import * as authRoutes from "./routes/authRoutes";
import * as fileApiRoutes from "./routes/fileApiRoutes";
import * as adminRoutes from "./routes/adminRoutes";
import * as primaryApi from "./routes/primaryApi";
import { getAccount } from "./lib/middleware";
require("dotenv").config()
@ -82,11 +83,14 @@ app.get("/", function(req,res) {
// serve download page
app.get("/download/:fileId",(req,res) => {
app.get("/download/:fileId", getAccount, (req,res) => {
let acc = res.locals.acc as Accounts.Account
if (files.getFilePointer(req.params.fileId)) {
let file = files.getFilePointer(req.params.fileId)
if (file.visibility == "private" && Accounts.getFromToken(req.cookies.auth)?.id != file.owner) {
if (file.visibility == "private" && acc?.id != file.owner) {
ServeError(res,403,"you do not own this file")
return
}