Merge pull request #11 from nbitzz/bearer-auth

Implement bearer authentication

src/server/index.ts

@@ -13,6 +13,7 @@ import * as authRoutes from "./routes/authRoutes";
 import * as fileApiRoutes from "./routes/fileApiRoutes";
 import * as adminRoutes from "./routes/adminRoutes";
 import * as primaryApi from "./routes/primaryApi";
+import { getAccount } from "./lib/middleware";
 
 require("dotenv").config()
 
@@ -82,11 +83,14 @@ app.get("/", function(req,res) {
 
 // serve download page
 
-app.get("/download/:fileId",(req,res) => {
+app.get("/download/:fileId", getAccount, (req,res) => {
+    
+    let acc = res.locals.acc as Accounts.Account
+
     if (files.getFilePointer(req.params.fileId)) {
         let file = files.getFilePointer(req.params.fileId)
 
-        if (file.visibility == "private" && Accounts.getFromToken(req.cookies.auth)?.id != file.owner) {
+        if (file.visibility == "private" && acc?.id != file.owner) {
             ServeError(res,403,"you do not own this file")
             return
         }

src/server/lib/middleware.ts

@@ -3,7 +3,11 @@ import express, { type RequestHandler } from "express"
 import ServeError from "../lib/errors";
 
 export let getAccount: RequestHandler = function(req, res, next) {
-    res.locals.acc = Accounts.getFromToken(req.cookies.auth)
+    res.locals.acc = Accounts.getFromToken(req.cookies.auth || (
+        req.header("authorization")?.startsWith("Bearer ")
+        ? req.header("authorization")?.split(" ")[1]
+        : undefined
+    ))
     next()
 }
 

src/server/routes/authRoutes.ts

@@ -454,19 +454,7 @@ authRoutes.get("/me", requiresAccount, (req,res) => {
 })
 
 authRoutes.get("/customCSS", (req,res) => {
-    if (!auth.validate(req.cookies.auth)) {
+    let acc = res.locals.acc
-        ServeError(res, 401, "not logged in")
+    if (acc?.customCSS) res.redirect(`/file/${acc.customCSS}`)
-        return
+    else res.send("")
-    }
-    
-    // lazy rn so
-
-    let acc = Accounts.getFromToken(req.cookies.auth)
-    if (acc) {
-        if (acc.customCSS) {
-            res.redirect(`/file/${acc.customCSS}`)
-        } else {
-            res.send("")
-        }
-    } else res.send("")
 })

src/server/routes/fileApiRoutes.ts

@@ -7,6 +7,7 @@ import {writeFile} from "fs";
 
 import ServeError from "../lib/errors";
 import Files from "../lib/files";
+import { getAccount, requiresAccount } from "../lib/middleware";
 
 let parser = bodyParser.json({
     type: ["text/plain","application/json"]
@@ -21,14 +22,11 @@ export function setFilesObj(newFiles:Files) {
 
 let config = require(`${process.cwd()}/config.json`)
 
-fileApiRoutes.get("/list", (req,res) => {
+fileApiRoutes.use(getAccount);
 
-    if (!auth.validate(req.cookies.auth)) {
+fileApiRoutes.get("/list", requiresAccount, (req,res) => {
-        ServeError(res, 401, "not logged in")
-        return
-    }
 
-    let acc = Accounts.getFromToken(req.cookies.auth)
+    let acc = res.locals.acc as Accounts.Account
     
     if (!acc) return
     let accId = acc.id
@@ -48,12 +46,7 @@ fileApiRoutes.get("/list", (req,res) => {
 
 fileApiRoutes.post("/manage", parser, (req,res) => {
 
-    if (!auth.validate(req.cookies.auth)) {
+    let acc = res.locals.acc as Accounts.Account
-        ServeError(res, 401, "not logged in")
-        return
-    }
-
-    let acc = Accounts.getFromToken(req.cookies.auth) as Accounts.Account
     
     if (!acc) return
     if (!req.body.target || !(typeof req.body.target == "object") || req.body.target.length < 1) return

src/server/routes/primaryApi.ts

@@ -8,6 +8,7 @@ import multer, {memoryStorage} from "multer"
 
 import ServeError from "../lib/errors";
 import Files from "../lib/files";
+import { getAccount } from "../lib/middleware";
 
 let parser = bodyParser.json({
     type: ["text/plain","application/json"]
@@ -24,9 +25,12 @@ const multerSetup = multer({storage:memoryStorage()})
 
 let config = require(`${process.cwd()}/config.json`)
 
+primaryApi.use(getAccount);
 
 primaryApi.get(["/file/:fileId", "/cpt/:fileId/*", "/:fileId"], async (req:express.Request,res:express.Response) => {
     
+    let acc = res.locals.acc as Accounts.Account
+
     let file = files.getFilePointer(req.params.fileId)
     res.setHeader("Access-Control-Allow-Origin", "*")
     res.setHeader("Content-Security-Policy","sandbox allow-scripts")
@@ -34,7 +38,7 @@ primaryApi.get(["/file/:fileId", "/cpt/:fileId/*", "/:fileId"], async (req:expre
     
     if (file) {
         
-        if (file.visibility == "private" && Accounts.getFromToken(req.cookies.auth)?.id != file.owner) {
+        if (file.visibility == "private" && acc?.id != file.owner) {
             ServeError(res,403,"you do not own this file")
             return
         }
@@ -112,6 +116,9 @@ primaryApi.head(["/file/:fileId", "/cpt/:fileId/*", "/:fileId"], (req: express.R
 // upload handlers
 
 primaryApi.post("/upload",multerSetup.single('file'),async (req,res) => {
+    
+    let acc = res.locals.acc as Accounts.Account
+
     if (req.file) {
         try {
             let prm = req.header("monofile-params")
@@ -121,7 +128,7 @@ primaryApi.post("/upload",multerSetup.single('file'),async (req,res) => {
             }
 
             files.uploadFile({
-                owner: auth.validate(req.cookies.auth),
+                owner: acc?.id,
 
                 uploadId:params.uploadId,
                 name:req.file.originalname,
@@ -143,11 +150,14 @@ primaryApi.post("/upload",multerSetup.single('file'),async (req,res) => {
 })
 
 primaryApi.post("/clone", bodyParser.json({type: ["text/plain","application/json"]}) ,(req,res) => {
+    
+    let acc = res.locals.acc as Accounts.Account
+
     try {
         axios.get(req.body.url,{responseType:"arraybuffer"}).then((data:AxiosResponse) => {
 
             files.uploadFile({
-                owner: auth.validate(req.cookies.auth),
+                owner: acc?.id,
 
                 name:req.body.url.split("/")[req.body.url.split("/").length-1] || "generic",
                 mime:data.headers["content-type"],