diff --git a/src/server/index.ts b/src/server/index.ts
index 05eaeb8..68819e6 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -13,6 +13,7 @@ import * as authRoutes from "./routes/authRoutes"; import * as fileApiRoutes from "./routes/fileApiRoutes"; import * as adminRoutes from "./routes/adminRoutes"; import * as primaryApi from "./routes/primaryApi"; +import { getAccount } from "./lib/middleware"; require("dotenv").config()
@@ -82,11 +83,14 @@ app.get("/", function(req,res) { // serve download page -app.get("/download/:fileId",(req,res) => { +app.get("/download/:fileId", getAccount, (req,res) => { + + let acc = res.locals.acc as Accounts.Account + if (files.getFilePointer(req.params.fileId)) { let file = files.getFilePointer(req.params.fileId) - if (file.visibility == "private" && Accounts.getFromToken(req.cookies.auth)?.id != file.owner) { + if (file.visibility == "private" && acc?.id != file.owner) { ServeError(res,403,"you do not own this file") return }
diff --git a/src/server/lib/middleware.ts b/src/server/lib/middleware.ts
index a56ba95..2f0ed0c 100644
--- a/src/server/lib/middleware.ts
+++ b/src/server/lib/middleware.ts
@@ -3,7 +3,11 @@ import express, { type RequestHandler } from "express" import ServeError from "../lib/errors"; export let getAccount: RequestHandler = function(req, res, next) { - res.locals.acc = Accounts.getFromToken(req.cookies.auth) + res.locals.acc = Accounts.getFromToken(req.cookies.auth || ( req.header("authorization")?.startsWith("Bearer ") ? req.header("authorization")?.split(" ")[1] : undefined )) next() }
diff --git a/src/server/routes/authRoutes.ts b/src/server/routes/authRoutes.ts
index 12e7cf7..72b5863 100644
--- a/src/server/routes/authRoutes.ts
+++ b/src/server/routes/authRoutes.ts
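Review bot: The `as Accounts.Account` assertion on the new `let acc = res.locals.acc as Accounts.Account` line claims the account is always present, but getAccount stores whatever `Accounts.getFromToken` returns and the very next use is `acc?.id`, so the type contradicts the code; declare it `let acc = res.locals.acc as Accounts.Account | undefined` so the checker enforces the guard. The same pattern repeats in primaryApi.ts (the GET handler, /upload and /clone) and fileApiRoutes.ts (/list and /manage). Separately, `acc?.id != file.owner` is false when both sides are undefined, so a private file with no owner would be served to an anonymous requester if that state can exist — presumably uploads with `owner: acc?.id` can create ownerless files, worth confirming; a stricter form is `acc === undefined || acc.id !== file.owner`. The download handler's body continues past the end of the hunk.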
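Review bot: `req.header("authorization")` is read twice in the new bearer branch, and `split(" ")[1]` silently truncates a value such as `"Bearer a b"` to `a`; read the header once and take the remainder of the string instead: `const authHeader = req.header("authorization")`, `const bearer = authHeader?.startsWith("Bearer ") ? authHeader.slice("Bearer ".length) : undefined`, `res.locals.acc = Accounts.getFromToken(req.cookies.auth || bearer)`. Because the cookie is tried first with `||`, a request carrying both credentials is authenticated as the cookie's account and the bearer token is ignored, which deserves a comment since every router that mounts getAccount now accepts either form. A short TSDoc line such as `/** Resolves the caller's account from the auth cookie, else a Bearer token, into res.locals.acc (undefined when neither resolves). */` would document the new contract.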
@@ -454,19 +454,7 @@ authRoutes.get("/me", requiresAccount, (req,res) => { }) authRoutes.get("/customCSS", (req,res) => { - if (!auth.validate(req.cookies.auth)) { - ServeError(res, 401, "not logged in") - return - } - - // lazy rn so - - let acc = Accounts.getFromToken(req.cookies.auth) - if (acc) { - if (acc.customCSS) { - res.redirect(`/file/${acc.customCSS}`) - } else { - res.send("") - } - } else res.send("") + let acc = res.locals.acc + if (acc?.customCSS) res.redirect(`/file/${acc.customCSS}`) + else res.send("") })
diff --git a/src/server/routes/fileApiRoutes.ts b/src/server/routes/fileApiRoutes.ts
index be461c9..8953a84 100644
--- a/src/server/routes/fileApiRoutes.ts
+++ b/src/server/routes/fileApiRoutes.ts
@@ -7,6 +7,7 @@ import {writeFile} from "fs"; import ServeError from "../lib/errors"; import Files from "../lib/files"; +import { getAccount, requiresAccount } from "../lib/middleware"; let parser = bodyParser.json({ type: ["text/plain","application/json"]
@@ -21,14 +22,11 @@ export function setFilesObj(newFiles:Files) { let config = require(`${process.cwd()}/config.json`) -fileApiRoutes.get("/list", (req,res) => { +fileApiRoutes.use(getAccount); - if (!auth.validate(req.cookies.auth)) { - ServeError(res, 401, "not logged in") - return - } +fileApiRoutes.get("/list", requiresAccount, (req,res) => { - let acc = Accounts.getFromToken(req.cookies.auth) + let acc = res.locals.acc as Accounts.Account if (!acc) return let accId = acc.id
@@ -48,12 +46,7 @@ fileApiRoutes.get("/list", (req,res) => { fileApiRoutes.post("/manage", parser, (req,res) => { - if (!auth.validate(req.cookies.auth)) { - ServeError(res, 401, "not logged in") - return - } - - let acc = Accounts.getFromToken(req.cookies.auth) as Accounts.Account + let acc = res.locals.acc as Accounts.Account if (!acc) return if (!req.body.target || !(typeof req.body.target == "object") || req.body.target.length < 1) return
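Review bot: The rewritten `/customCSS` handler reads `res.locals.acc`, but this hunk registers no getAccount on the route or router and the file's import section is not shown; unless `authRoutes.use(getAccount)` already exists earlier in the file, `acc` is always undefined and every caller gets an empty body. `res.locals` is typed `Record<string, any>` in Express, so `let acc = res.locals.acc` is `any` and `acc?.customCSS` is unchecked; prefer `let acc = res.locals.acc as Accounts.Account | undefined`. The removed `auth.validate` branch answered unauthenticated requests with 401 while the new code answers 200 with an empty body — fine if intended, but it is a visible contract change worth a one-line comment such as `// anonymous callers get no custom CSS rather than a 401`.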
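Review bot: `requiresAccount` now guards `/list`, yet the handler keeps `if (!acc) return`, which on the new side is dead code if, as its name suggests, the middleware rejects anonymous callers, and if it is ever reached it ends the request without sending any response. Either drop the guard or make it respond, e.g. `if (!acc) { ServeError(res, 401, "not logged in"); return }`. `fileApiRoutes.use(getAccount)` sits before the first route and so applies to every route on this router; a comment such as `// populate res.locals.acc for all file API routes` would make that intent explicit.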
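Review bot: `/manage` lost its `auth.validate` check and 401 response but, unlike `/list` in the hunk above, did not gain `requiresAccount`, so an unauthenticated POST now reaches `if (!acc) return` and the request is left hanging with no response instead of being rejected. Add the middleware to the route, `fileApiRoutes.post("/manage", requiresAccount, parser, (req,res) => {`, so anonymous callers receive the same 401 as `/list`. The `as Accounts.Account` assertion on the new `let acc` line hides that the value may be undefined, as noted for index.ts. The handler's body continues past the end of the hunk.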
diff --git a/src/server/routes/primaryApi.ts b/src/server/routes/primaryApi.ts
index 5ce01bb..0ff3ed7 100644
--- a/src/server/routes/primaryApi.ts
+++ b/src/server/routes/primaryApi.ts
@@ -8,6 +8,7 @@ import multer, {memoryStorage} from "multer" import ServeError from "../lib/errors"; import Files from "../lib/files"; +import { getAccount } from "../lib/middleware"; let parser = bodyParser.json({ type: ["text/plain","application/json"]
@@ -24,9 +25,12 @@ const multerSetup = multer({storage:memoryStorage()}) let config = require(`${process.cwd()}/config.json`) +primaryApi.use(getAccount); primaryApi.get(["/file/:fileId", "/cpt/:fileId/*", "/:fileId"], async (req:express.Request,res:express.Response) => { + let acc = res.locals.acc as Accounts.Account + let file = files.getFilePointer(req.params.fileId) res.setHeader("Access-Control-Allow-Origin", "*") res.setHeader("Content-Security-Policy","sandbox allow-scripts")
@@ -34,7 +38,7 @@ primaryApi.get(["/file/:fileId", "/cpt/:fileId/*", "/:fileId"], async (req:expre if (file) { - if (file.visibility == "private" && Accounts.getFromToken(req.cookies.auth)?.id != file.owner) { + if (file.visibility == "private" && acc?.id != file.owner) { ServeError(res,403,"you do not own this file") return }
@@ -112,6 +116,9 @@ primaryApi.head(["/file/:fileId", "/cpt/:fileId/*", "/:fileId"], (req: express.R // upload handlers primaryApi.post("/upload",multerSetup.single('file'),async (req,res) => { + + let acc = res.locals.acc as Accounts.Account + if (req.file) { try { let prm = req.header("monofile-params")
@@ -121,7 +128,7 @@ primaryApi.post("/upload",multerSetup.single('file'),async (req,res) => { } files.uploadFile({ - owner: auth.validate(req.cookies.auth), + owner: acc?.id, uploadId:params.uploadId, name:req.file.originalname,
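Review bot: `primaryApi.use(getAccount);` runs the token lookup for every route on this router, including the public GET/HEAD file paths that serve most traffic, so each fetch of a public file now resolves a cookie or bearer token before it is known whether ownership matters. If `Accounts.getFromToken` is cheap this is acceptable, but scoping it per route (`primaryApi.get([...], getAccount, async (req:express.Request,res:express.Response) => {`) would keep public reads credential-free, and the same question applies to `fileApiRoutes.use(getAccount)`. Either way the choice deserves a comment on the `use` line, e.g. `// resolve the caller's account for every primaryApi route; handlers treat undefined as anonymous`. The GET handler's body continues past the end of the hunk.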
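Review bot: `owner: acc?.id` stores the upload without an owner whenever `res.locals.acc` is undefined, which covers both a request with no credential and one whose cookie or bearer token failed to resolve in `Accounts.getFromToken`; a client that sent a credential would presumably expect a rejection rather than an anonymous, unowned file. If that matches what the old `auth.validate(req.cookies.auth)` did on a bad token it is at least worth a comment on the line, `// undefined when anonymous or when the presented token did not resolve`, and the same applies to `/clone` in the following hunk. The upload handler's body continues beyond this hunk.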
@@ -143,11 +150,14 @@ primaryApi.post("/upload",multerSetup.single('file'),async (req,res) => { }) primaryApi.post("/clone", bodyParser.json({type: ["text/plain","application/json"]}) ,(req,res) => { + + let acc = res.locals.acc as Accounts.Account + try { axios.get(req.body.url,{responseType:"arraybuffer"}).then((data:AxiosResponse) => { files.uploadFile({ - owner: auth.validate(req.cookies.auth), + owner: acc?.id, name:req.body.url.split("/")[req.body.url.split("/").length-1] || "generic", mime:data.headers["content-type"],