split/monofile
1
0
Fork 0
mirror of https://github.com/mollersuite/monofile.git synced 2024-11-21 21:36:26 -08:00
Code Issues Actions Packages Projects Releases 1 Wiki Activity

Kms

Browse source
This commit is contained in:
May 2024-05-23 00:22:32 -07:00
parent 9b68d7a705
commit da4c4d202f
2 changed files with 23 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/server/lib/middleware.ts
View file

@ -148,13 +148,13 @@ export const noAPIAccess: RequestHandler = function (ctx, next) {
*/
export const assertAPI = function (
condition: (acc: Accounts.Account, token: string) => boolean
condition: (ctx: Context) => boolean
): RequestHandler {
return function (ctx, next) {
let reqToken = auth.tokenFor(ctx)!
if (
auth.getType(reqToken) == "App" &&
condition(ctx.get("account"), reqToken)
auth.getType(reqToken) != "User" &&
condition(ctx)
)
return ServeError(
ctx,
@ -197,7 +197,7 @@ export const login = (ctx: Context, account: string) => {
export const verifyPoi = (user: string, poi?: string, wantsMfaPoi: boolean = false) => {
if (!poi) return false
let poiCode = codes.identityProof.byId.get(poi)
if (!poiCode || poiCode.for !== user || poiCode.data == wantsMfaPoi)

42
src/server/routes/api/v1/account/index.ts
View file

@ -32,6 +32,7 @@ const router = new Hono<{
Variables: {
account: Accounts.Account
target: Accounts.Account
parsedScheme: any
}
}>()
@ -281,37 +282,32 @@ export default function (files: Files) {
router.patch(
"/:user",
scheme(UserUpdateScheme),
assertAPI(
ctx =>
Object.keys(ctx.get("parsedScheme"))
.some(e => validators[e as keyof typeof validators]?.noAPIAccess)
&& ctx.get("account") == ctx.get("target")
),
async (ctx) => {
const body = (await ctx.req.json()) as z.infer<typeof UserUpdateScheme>
const actor = ctx.get("account")!
const target = ctx.get("target")!
const tokenType = auth.getType(auth.tokenFor(ctx)!)
const body = ctx.get("parsedScheme") as z.infer<typeof UserUpdateScheme>
const actor = ctx.get("account")
const target = ctx.get("target")
if (body.poi && !verifyPoi(target.id, body.poi))
return ServeError(ctx, 403, "invalid proof of identity provided")
let results: Result[] = (
let messages = (
Object.entries(body).filter(
(e) => e[0] !== "poi"
)
).map(([x, v]) => {
let validator = validators[x as keyof typeof validators]!
if (target == actor && tokenType !== "User") {
if (validator.noAPIAccess)
return [400, "no API access to this route"]
}
return [
x,
validator.validator(actor, target, body as any, ctx),
] as [
keyof Accounts.Account,
Accounts.Account[keyof Accounts.Account],
]
})
let allMsgs = results.map((v) => {
] as Result
}).map((v) => {
if (isMessage(v)) return v
target[v[0]] = v[1] as never // lol
return [200, "OK"] as Message
@ -319,20 +315,20 @@ export default function (files: Files) {
await Accounts.save()
if (allMsgs.length == 1)
if (messages.length == 1)
return ctx.text(
...(allMsgs[0]!.reverse() as [Message[1], Message[0]])
...(messages[0]!.reverse() as [Message[1], Message[0]])
) // im sorry
else return ctx.json(allMsgs)
else return ctx.json(messages)
}
)
router.delete("/:user", noAPIAccess, async (ctx) => {
router.delete("/:user", async (ctx) => {
let actor = ctx.get("account")
let target = ctx.get("target")
if (actor == target && !verifyPoi(actor.id, ctx.req.query("poi")))
return ServeError(ctx, 403, "no proof of identity provided")
return ServeError(ctx, 403, "invalid proof of identity provided")
auth.AuthTokens.filter((e) => e.account == target?.id).forEach((token) => {
auth.invalidate(token.token)