From da4c4d202f5b9cb17fe59941fce75fa07d74962f Mon Sep 17 00:00:00 2001 From: stringsplit <77242831+nbitzz@users.noreply.github.com> Date: Thu, 23 May 2024 00:22:32 -0700 Subject: [PATCH] Kms --- src/server/lib/middleware.ts | 8 ++--- src/server/routes/api/v1/account/index.ts | 42 ++++++++++------------- 2 files changed, 23 insertions(+), 27 deletions(-) diff --git a/src/server/lib/middleware.ts b/src/server/lib/middleware.ts index 1180dc1..f02ce9f 100644 --- a/src/server/lib/middleware.ts +++ b/src/server/lib/middleware.ts @@ -148,13 +148,13 @@ export const noAPIAccess: RequestHandler = function (ctx, next) { */ export const assertAPI = function ( - condition: (acc: Accounts.Account, token: string) => boolean + condition: (ctx: Context) => boolean ): RequestHandler { return function (ctx, next) { let reqToken = auth.tokenFor(ctx)! if ( - auth.getType(reqToken) == "App" && - condition(ctx.get("account"), reqToken) + auth.getType(reqToken) != "User" && + condition(ctx) ) return ServeError( ctx, @@ -197,7 +197,7 @@ export const login = (ctx: Context, account: string) => { export const verifyPoi = (user: string, poi?: string, wantsMfaPoi: boolean = false) => { if (!poi) return false - + let poiCode = codes.identityProof.byId.get(poi) if (!poiCode || poiCode.for !== user || poiCode.data == wantsMfaPoi) diff --git a/src/server/routes/api/v1/account/index.ts b/src/server/routes/api/v1/account/index.ts index 0ee25d4..3cace2a 100644 --- a/src/server/routes/api/v1/account/index.ts +++ b/src/server/routes/api/v1/account/index.ts @@ -32,6 +32,7 @@ const router = new Hono<{ Variables: { account: Accounts.Account target: Accounts.Account + parsedScheme: any } }>() 
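Review bot: The token-type test in `assertAPI` now refuses by default (`!= "User"` instead of `== "App"`) and `condition` changed from `(acc, token)` to `(ctx)`, but nothing in the hunk documents either change. The doc comment that closes just above the function is outside the hunk and presumably still describes the old callback; it should say that `condition` receives the request context and must run after any middleware that sets the variables it reads. A line above the `if`, such as `// every token type except "User" counts as API access; condition(ctx) decides whether it is refused`, would keep a later edit from narrowing the comparison back to a single type. The function body continues past the end of the hunk.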
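Review bot: `parsedScheme: any` in the router's `Variables` turns off type checking for every read of the validated request body, including the `Object.keys(ctx.get("parsedScheme"))` call and the `as z.infer` cast added to the PATCH route later in this file. `parsedScheme: Record<string, unknown>` would still allow both uses while making handlers narrow the value before touching individual fields. Where the variable is set is not visible here; presumably the `scheme(...)` middleware does it.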
@@ -281,37 +282,32 @@ export default function (files: Files) { router.patch( "/:user", scheme(UserUpdateScheme), + assertAPI( + ctx => + Object.keys(ctx.get("parsedScheme")) + .some(e => validators[e as keyof typeof validators]?.noAPIAccess) + && ctx.get("account") == ctx.get("target") + ), async (ctx) => { - const body = (await ctx.req.json()) as z.infer - const actor = ctx.get("account")! - const target = ctx.get("target")! - const tokenType = auth.getType(auth.tokenFor(ctx)!) + const body = ctx.get("parsedScheme") as z.infer + const actor = ctx.get("account") + const target = ctx.get("target") if (body.poi && !verifyPoi(target.id, body.poi)) return ServeError(ctx, 403, "invalid proof of identity provided") - let results: Result[] = ( + let messages = ( Object.entries(body).filter( (e) => e[0] !== "poi" ) ).map(([x, v]) => { let validator = validators[x as keyof typeof validators]! - - if (target == actor && tokenType !== "User") { - if (validator.noAPIAccess) - return [400, "no API access to this route"] - } - + return [ x, validator.validator(actor, target, body as any, ctx), - ] as [ - keyof Accounts.Account, - Accounts.Account[keyof Accounts.Account], - ] - }) - - let allMsgs = results.map((v) => { + ] as Result + }).map((v) => { if (isMessage(v)) return v target[v[0]] = v[1] as never // lol return [200, "OK"] as Message 
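Review bot: The new `assertAPI` guard is the only thing keeping non-User tokens away from `noAPIAccess` fields, and it depends on `ctx.get("account") == ctx.get("target")`, which compares object references. If the two variables can ever hold separate objects for the same account (how they are resolved is outside the hunk), the condition is false and the restricted fields pass through to the validators; comparing ids is sturdier: `&& ctx.get("account").id == ctx.get("target").id`. The same reference comparison gates the proof-of-identity check in the `router.delete` handler in the following hunk. The guard also reads `parsedScheme`, so it has to stay registered after `scheme(UserUpdateScheme)`; a one-line comment saying so would protect that ordering.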
@@ -319,20 +315,20 @@ export default function (files: Files) { await Accounts.save() - if (allMsgs.length == 1) + if (messages.length == 1) return ctx.text( - ...(allMsgs[0]!.reverse() as [Message[1], Message[0]]) + ...(messages[0]!.reverse() as [Message[1], Message[0]]) ) // im sorry - else return ctx.json(allMsgs) + else return ctx.json(messages) } ) - router.delete("/:user", noAPIAccess, async (ctx) => { + router.delete("/:user", async (ctx) => { let actor = ctx.get("account") let target = ctx.get("target") if (actor == target && !verifyPoi(actor.id, ctx.req.query("poi"))) - return ServeError(ctx, 403, "no proof of identity provided") + return ServeError(ctx, 403, "invalid proof of identity provided") auth.AuthTokens.filter((e) => e.account == target?.id).forEach((token) => { auth.invalidate(token.token)
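Review bot: Dropping `noAPIAccess` from `router.delete("/:user", ...)` leaves proof of identity as the only check in this handler, and that check runs only when `actor == target`. A non-User token acting on a different account therefore reaches the token invalidation below with no check visible in this hunk; whether route-level middleware elsewhere restricts who may target another account cannot be seen from here. If the intent is to allow self-deletion through the API with a proof of identity, the other case can stay closed with `router.delete("/:user", assertAPI(ctx => ctx.get("account") != ctx.get("target")), async (ctx) => {`. The handler continues past the end of the hunk.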