This commit is contained in:
May 2024-05-23 00:22:32 -07:00
parent 9b68d7a705
commit da4c4d202f
2 changed files with 23 additions and 27 deletions

View file

@ -148,13 +148,13 @@ export const noAPIAccess: RequestHandler = function (ctx, next) {
*/ */
export const assertAPI = function ( export const assertAPI = function (
condition: (acc: Accounts.Account, token: string) => boolean condition: (ctx: Context) => boolean
): RequestHandler { ): RequestHandler {
return function (ctx, next) { return function (ctx, next) {
let reqToken = auth.tokenFor(ctx)! let reqToken = auth.tokenFor(ctx)!
if ( if (
auth.getType(reqToken) == "App" && auth.getType(reqToken) != "User" &&
condition(ctx.get("account"), reqToken) condition(ctx)
) )
return ServeError( return ServeError(
ctx, ctx,

View file

@ -32,6 +32,7 @@ const router = new Hono<{
Variables: { Variables: {
account: Accounts.Account account: Accounts.Account
target: Accounts.Account target: Accounts.Account
parsedScheme: any
} }
}>() }>()
@ -281,37 +282,32 @@ export default function (files: Files) {
router.patch( router.patch(
"/:user", "/:user",
scheme(UserUpdateScheme), scheme(UserUpdateScheme),
assertAPI(
ctx =>
Object.keys(ctx.get("parsedScheme"))
.some(e => validators[e as keyof typeof validators]?.noAPIAccess)
&& ctx.get("account") == ctx.get("target")
),
async (ctx) => { async (ctx) => {
const body = (await ctx.req.json()) as z.infer<typeof UserUpdateScheme> const body = ctx.get("parsedScheme") as z.infer<typeof UserUpdateScheme>
const actor = ctx.get("account")! const actor = ctx.get("account")
const target = ctx.get("target")! const target = ctx.get("target")
const tokenType = auth.getType(auth.tokenFor(ctx)!)
if (body.poi && !verifyPoi(target.id, body.poi)) if (body.poi && !verifyPoi(target.id, body.poi))
return ServeError(ctx, 403, "invalid proof of identity provided") return ServeError(ctx, 403, "invalid proof of identity provided")
let results: Result[] = ( let messages = (
Object.entries(body).filter( Object.entries(body).filter(
(e) => e[0] !== "poi" (e) => e[0] !== "poi"
) )
).map(([x, v]) => { ).map(([x, v]) => {
let validator = validators[x as keyof typeof validators]! let validator = validators[x as keyof typeof validators]!
if (target == actor && tokenType !== "User") {
if (validator.noAPIAccess)
return [400, "no API access to this route"]
}
return [ return [
x, x,
validator.validator(actor, target, body as any, ctx), validator.validator(actor, target, body as any, ctx),
] as [ ] as Result
keyof Accounts.Account, }).map((v) => {
Accounts.Account[keyof Accounts.Account],
]
})
let allMsgs = results.map((v) => {
if (isMessage(v)) return v if (isMessage(v)) return v
target[v[0]] = v[1] as never // lol target[v[0]] = v[1] as never // lol
return [200, "OK"] as Message return [200, "OK"] as Message
@ -319,20 +315,20 @@ export default function (files: Files) {
await Accounts.save() await Accounts.save()
if (allMsgs.length == 1) if (messages.length == 1)
return ctx.text( return ctx.text(
...(allMsgs[0]!.reverse() as [Message[1], Message[0]]) ...(messages[0]!.reverse() as [Message[1], Message[0]])
) // im sorry ) // im sorry
else return ctx.json(allMsgs) else return ctx.json(messages)
} }
) )
router.delete("/:user", noAPIAccess, async (ctx) => { router.delete("/:user", async (ctx) => {
let actor = ctx.get("account") let actor = ctx.get("account")
let target = ctx.get("target") let target = ctx.get("target")
if (actor == target && !verifyPoi(actor.id, ctx.req.query("poi"))) if (actor == target && !verifyPoi(actor.id, ctx.req.query("poi")))
return ServeError(ctx, 403, "no proof of identity provided") return ServeError(ctx, 403, "invalid proof of identity provided")
auth.AuthTokens.filter((e) => e.account == target?.id).forEach((token) => { auth.AuthTokens.filter((e) => e.account == target?.id).forEach((token) => {
auth.invalidate(token.token) auth.invalidate(token.token)