mirror of
https://github.com/mollersuite/monofile.git
synced 2024-11-24 22:56:26 -08:00
Merge pull request #11 from nbitzz/bearer-auth
Implement bearer authentication
This commit is contained in:
commit
e54f6a5b8f
|
@ -13,6 +13,7 @@ import * as authRoutes from "./routes/authRoutes";
|
|||
import * as fileApiRoutes from "./routes/fileApiRoutes";
|
||||
import * as adminRoutes from "./routes/adminRoutes";
|
||||
import * as primaryApi from "./routes/primaryApi";
|
||||
import { getAccount } from "./lib/middleware";
|
||||
|
||||
require("dotenv").config()
|
||||
|
||||
|
@ -82,11 +83,14 @@ app.get("/", function(req,res) {
|
|||
|
||||
// serve download page
|
||||
|
||||
app.get("/download/:fileId",(req,res) => {
|
||||
app.get("/download/:fileId", getAccount, (req,res) => {
|
||||
|
||||
let acc = res.locals.acc as Accounts.Account
|
||||
|
||||
if (files.getFilePointer(req.params.fileId)) {
|
||||
let file = files.getFilePointer(req.params.fileId)
|
||||
|
||||
if (file.visibility == "private" && Accounts.getFromToken(req.cookies.auth)?.id != file.owner) {
|
||||
if (file.visibility == "private" && acc?.id != file.owner) {
|
||||
ServeError(res,403,"you do not own this file")
|
||||
return
|
||||
}
|
||||
|
|
|
@ -3,7 +3,11 @@ import express, { type RequestHandler } from "express"
|
|||
import ServeError from "../lib/errors";
|
||||
|
||||
export let getAccount: RequestHandler = function(req, res, next) {
|
||||
res.locals.acc = Accounts.getFromToken(req.cookies.auth)
|
||||
res.locals.acc = Accounts.getFromToken(req.cookies.auth || (
|
||||
req.header("authorization")?.startsWith("Bearer ")
|
||||
? req.header("authorization")?.split(" ")[1]
|
||||
: undefined
|
||||
))
|
||||
next()
|
||||
}
|
||||
|
||||
|
|
|
@ -454,19 +454,7 @@ authRoutes.get("/me", requiresAccount, (req,res) => {
|
|||
})
|
||||
|
||||
authRoutes.get("/customCSS", (req,res) => {
|
||||
if (!auth.validate(req.cookies.auth)) {
|
||||
ServeError(res, 401, "not logged in")
|
||||
return
|
||||
}
|
||||
|
||||
// lazy rn so
|
||||
|
||||
let acc = Accounts.getFromToken(req.cookies.auth)
|
||||
if (acc) {
|
||||
if (acc.customCSS) {
|
||||
res.redirect(`/file/${acc.customCSS}`)
|
||||
} else {
|
||||
res.send("")
|
||||
}
|
||||
} else res.send("")
|
||||
let acc = res.locals.acc
|
||||
if (acc?.customCSS) res.redirect(`/file/${acc.customCSS}`)
|
||||
else res.send("")
|
||||
})
|
||||
|
|
|
@ -7,6 +7,7 @@ import {writeFile} from "fs";
|
|||
|
||||
import ServeError from "../lib/errors";
|
||||
import Files from "../lib/files";
|
||||
import { getAccount, requiresAccount } from "../lib/middleware";
|
||||
|
||||
let parser = bodyParser.json({
|
||||
type: ["text/plain","application/json"]
|
||||
|
@ -21,14 +22,11 @@ export function setFilesObj(newFiles:Files) {
|
|||
|
||||
let config = require(`${process.cwd()}/config.json`)
|
||||
|
||||
fileApiRoutes.get("/list", (req,res) => {
|
||||
fileApiRoutes.use(getAccount);
|
||||
|
||||
if (!auth.validate(req.cookies.auth)) {
|
||||
ServeError(res, 401, "not logged in")
|
||||
return
|
||||
}
|
||||
fileApiRoutes.get("/list", requiresAccount, (req,res) => {
|
||||
|
||||
let acc = Accounts.getFromToken(req.cookies.auth)
|
||||
let acc = res.locals.acc as Accounts.Account
|
||||
|
||||
if (!acc) return
|
||||
let accId = acc.id
|
||||
|
@ -48,12 +46,7 @@ fileApiRoutes.get("/list", (req,res) => {
|
|||
|
||||
fileApiRoutes.post("/manage", parser, (req,res) => {
|
||||
|
||||
if (!auth.validate(req.cookies.auth)) {
|
||||
ServeError(res, 401, "not logged in")
|
||||
return
|
||||
}
|
||||
|
||||
let acc = Accounts.getFromToken(req.cookies.auth) as Accounts.Account
|
||||
let acc = res.locals.acc as Accounts.Account
|
||||
|
||||
if (!acc) return
|
||||
if (!req.body.target || !(typeof req.body.target == "object") || req.body.target.length < 1) return
|
||||
|
|
|
@ -8,6 +8,7 @@ import multer, {memoryStorage} from "multer"
|
|||
|
||||
import ServeError from "../lib/errors";
|
||||
import Files from "../lib/files";
|
||||
import { getAccount } from "../lib/middleware";
|
||||
|
||||
let parser = bodyParser.json({
|
||||
type: ["text/plain","application/json"]
|
||||
|
@ -24,9 +25,12 @@ const multerSetup = multer({storage:memoryStorage()})
|
|||
|
||||
let config = require(`${process.cwd()}/config.json`)
|
||||
|
||||
primaryApi.use(getAccount);
|
||||
|
||||
primaryApi.get(["/file/:fileId", "/cpt/:fileId/*", "/:fileId"], async (req:express.Request,res:express.Response) => {
|
||||
|
||||
let acc = res.locals.acc as Accounts.Account
|
||||
|
||||
let file = files.getFilePointer(req.params.fileId)
|
||||
res.setHeader("Access-Control-Allow-Origin", "*")
|
||||
res.setHeader("Content-Security-Policy","sandbox allow-scripts")
|
||||
|
@ -34,7 +38,7 @@ primaryApi.get(["/file/:fileId", "/cpt/:fileId/*", "/:fileId"], async (req:expre
|
|||
|
||||
if (file) {
|
||||
|
||||
if (file.visibility == "private" && Accounts.getFromToken(req.cookies.auth)?.id != file.owner) {
|
||||
if (file.visibility == "private" && acc?.id != file.owner) {
|
||||
ServeError(res,403,"you do not own this file")
|
||||
return
|
||||
}
|
||||
|
@ -112,6 +116,9 @@ primaryApi.head(["/file/:fileId", "/cpt/:fileId/*", "/:fileId"], (req: express.R
|
|||
// upload handlers
|
||||
|
||||
primaryApi.post("/upload",multerSetup.single('file'),async (req,res) => {
|
||||
|
||||
let acc = res.locals.acc as Accounts.Account
|
||||
|
||||
if (req.file) {
|
||||
try {
|
||||
let prm = req.header("monofile-params")
|
||||
|
@ -121,7 +128,7 @@ primaryApi.post("/upload",multerSetup.single('file'),async (req,res) => {
|
|||
}
|
||||
|
||||
files.uploadFile({
|
||||
owner: auth.validate(req.cookies.auth),
|
||||
owner: acc?.id,
|
||||
|
||||
uploadId:params.uploadId,
|
||||
name:req.file.originalname,
|
||||
|
@ -143,11 +150,14 @@ primaryApi.post("/upload",multerSetup.single('file'),async (req,res) => {
|
|||
})
|
||||
|
||||
primaryApi.post("/clone", bodyParser.json({type: ["text/plain","application/json"]}) ,(req,res) => {
|
||||
|
||||
let acc = res.locals.acc as Accounts.Account
|
||||
|
||||
try {
|
||||
axios.get(req.body.url,{responseType:"arraybuffer"}).then((data:AxiosResponse) => {
|
||||
|
||||
files.uploadFile({
|
||||
owner: auth.validate(req.cookies.auth),
|
||||
owner: acc?.id,
|
||||
|
||||
name:req.body.url.split("/")[req.body.url.split("/").length-1] || "generic",
|
||||
mime:data.headers["content-type"],
|
||||
|
|
Loading…
Reference in a new issue