Thream/api
Archived
2
1
Fork 0
Code Issues Pull Requests Releases Activity

fix(services): restrict GET /uploads/messages/:file to authorized users

Browse Source
This commit is contained in:
Divlo
2022-01-06 18:13:13 +01:00
parent 03946f26e7
commit 97b1d04261
23 changed files with 1314 additions and 2534 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/__test__/setup.ts
View File

@ -1,6 +1,5 @@
import { PrismaClient } from '@prisma/client'
import { mockDeep, mockReset } from 'jest-mock-extended'
import { DeepMockProxy } from 'jest-mock-extended/lib/cjs/Mock'
import { mockDeep, mockReset, DeepMockProxy } from 'jest-mock-extended'
import prisma from '../tools/database/prisma.js'

4
src/__test__/utils/authenticateUserTest.ts
View File

@ -6,8 +6,8 @@ import { userSettingsExample } from '../../models/UserSettings.js'
import {
generateAccessToken,
generateRefreshToken
} from '../../tools/utils/jwtToken'
import { prismaMock } from '../setup'
} from '../../tools/utils/jwtToken.js'
import { prismaMock } from '../setup.js'
export const authenticateUserTest = async (): Promise<{
accessToken: string

2
src/services/channels/[channelId]/__test__/get.test.ts
View File

@ -1,7 +1,7 @@
import { application } from '../../../../application.js'
import { authenticateUserTest } from '../../../../__test__/utils/authenticateUserTest.js'
import { prismaMock } from '../../../../__test__/setup.js'
import { memberExample } from '../../../../models/Member'
import { memberExample } from '../../../../models/Member.js'
import { channelExample } from '../../../../models/Channel.js'
describe('GET /channels/[channelId]', () => {

1
src/services/channels/[channelId]/messages/post.ts
View File

@ -44,7 +44,6 @@ const postServiceSchema: FastifySchema = {
401: fastifyErrors[401],
403: fastifyErrors[403],
404: fastifyErrors[404],
431: fastifyErrors[431],
500: fastifyErrors[500]
}
} as const

1
src/services/channels/[channelId]/messages/uploads/post.ts
View File

@ -42,6 +42,7 @@ const postServiceSchema: FastifySchema = {
401: fastifyErrors[401],
403: fastifyErrors[403],
404: fastifyErrors[404],
431: fastifyErrors[431],
500: fastifyErrors[500]
}
} as const

4
src/services/guilds/[guildId]/channels/__test__/get.test.ts
View File

@ -1,8 +1,8 @@
import { application } from '../../../../../application.js'
import { authenticateUserTest } from '../../../../../__test__/utils/authenticateUserTest.js'
import { prismaMock } from '../../../../../__test__/setup.js'
import { memberExample } from '../../../../../models/Member'
import { guildExample } from '../../../../../models/Guild'
import { memberExample } from '../../../../../models/Member.js'
import { guildExample } from '../../../../../models/Guild.js'
import { channelExample } from '../../../../../models/Channel.js'
describe('GET /guilds/[guildId]/channels', () => {

2
src/services/guilds/[guildId]/icon/put.ts
View File

@ -1,9 +1,9 @@
import { Static, Type } from '@sinclair/typebox'
import { FastifyPluginAsync, FastifySchema } from 'fastify'
import fastifyMultipart from 'fastify-multipart'
import authenticateUser from '../../../../tools/plugins/authenticateUser.js'
import { fastifyErrors } from '../../../../models/utils.js'
import fastifyMultipart from 'fastify-multipart'
import prisma from '../../../../tools/database/prisma.js'
import { uploadFile } from '../../../../tools/utils/uploadFile.js'
import { guildSchema } from '../../../../models/Guild.js'

40
src/services/uploads/guilds/get.ts Normal file
View File

@ -0,0 +1,40 @@
import path from 'node:path'
import { FastifyPluginAsync, FastifySchema } from 'fastify'
import { Static, Type } from '@sinclair/typebox'
import { fastifyErrors } from '../../../models/utils.js'
const parameters = Type.Object({
file: Type.String()
})
type Parameters = Static<typeof parameters>
export const getServiceSchema: FastifySchema = {
tags: ['uploads'] as string[],
params: parameters,
response: {
200: {
type: 'string',
format: 'binary'
},
400: fastifyErrors[400],
404: fastifyErrors[404],
500: fastifyErrors[500]
}
} as const
export const getGuildsUploadsService: FastifyPluginAsync = async (fastify) => {
fastify.route<{
Params: Parameters
}>({
method: 'GET',
url: '/uploads/guilds/:file',
schema: getServiceSchema,
handler: async (request, reply) => {
const { file } = request.params
return await reply.sendFile(path.join('guilds', file))
}
})
}

61
src/services/uploads/index.ts
View File

@ -1,58 +1,11 @@
import path from 'node:path'
import { FastifyPluginAsync } from 'fastify'
import { FastifyPluginAsync, FastifySchema } from 'fastify'
import { Static, Type } from '@sinclair/typebox'
import { fastifyErrors } from '../../models/utils'
const parametersUploadsSchema = Type.Object({
image: Type.String()
})
type ParametersUploadsSchemaType = Static<typeof parametersUploadsSchema>
const getUploadsSchema: FastifySchema = {
tags: ['uploads'] as string[],
params: parametersUploadsSchema,
response: {
200: {
type: 'string',
format: 'binary'
},
400: fastifyErrors[400],
404: fastifyErrors[404],
500: fastifyErrors[500]
}
} as const
import { getGuildsUploadsService } from './guilds/get.js'
import { getMessagesUploadsService } from './messages/get.js'
import { getUsersUploadsService } from './users/get.js'
export const uploadsService: FastifyPluginAsync = async (fastify) => {
fastify.route<{ Params: ParametersUploadsSchemaType }>({
method: 'GET',
url: '/uploads/users/:image',
schema: getUploadsSchema,
handler: async (request, reply) => {
const { image } = request.params
return await reply.sendFile(path.join('users', image))
}
})
fastify.route<{ Params: ParametersUploadsSchemaType }>({
method: 'GET',
url: '/uploads/guilds/:image',
schema: getUploadsSchema,
handler: async (request, reply) => {
const { image } = request.params
return await reply.sendFile(path.join('guilds', image))
}
})
fastify.route<{ Params: ParametersUploadsSchemaType }>({
method: 'GET',
url: '/uploads/messages/:image',
schema: getUploadsSchema,
handler: async (request, reply) => {
const { image } = request.params
return await reply.sendFile(path.join('messages', image))
}
})
await fastify.register(getGuildsUploadsService)
await fastify.register(getMessagesUploadsService)
await fastify.register(getUsersUploadsService)
}

76
src/services/uploads/messages/get.ts Normal file
View File

@ -0,0 +1,76 @@
import path from 'node:path'
import { FastifyPluginAsync, FastifySchema } from 'fastify'
import { Static, Type } from '@sinclair/typebox'
import { fastifyErrors } from '../../../models/utils.js'
import authenticateUser from '../../../tools/plugins/authenticateUser.js'
import prisma from '../../../tools/database/prisma.js'
const parameters = Type.Object({
file: Type.String()
})
type Parameters = Static<typeof parameters>
export const getServiceSchema: FastifySchema = {
tags: ['uploads'] as string[],
security: [
{
bearerAuth: []
}
] as Array<{ [key: string]: [] }>,
params: parameters,
response: {
200: {
type: 'string',
format: 'binary'
},
400: fastifyErrors[400],
401: fastifyErrors[401],
403: fastifyErrors[403],
404: fastifyErrors[404],
500: fastifyErrors[500]
}
} as const
export const getMessagesUploadsService: FastifyPluginAsync = async (
fastify
) => {
await fastify.register(authenticateUser)
fastify.route<{
Params: Parameters
}>({
method: 'GET',
url: '/uploads/messages/:file',
schema: getServiceSchema,
handler: async (request, reply) => {
if (request.user == null) {
throw fastify.httpErrors.forbidden()
}
const { file } = request.params
const message = await prisma.message.findFirst({
where: { value: `/uploads/messages/${file}` },
include: {
member: {
select: { guildId: true }
}
}
})
if (message == null) {
throw fastify.httpErrors.notFound('Message not found')
}
const member = await prisma.member.findFirst({
where: {
guildId: message.member?.guildId,
userId: request.user.current.id
}
})
if (member == null) {
throw fastify.httpErrors.notFound('Member not found')
}
return await reply.sendFile(path.join('messages', file))
}
})
}

40
src/services/uploads/users/get.ts Normal file
View File

@ -0,0 +1,40 @@
import path from 'node:path'
import { FastifyPluginAsync, FastifySchema } from 'fastify'
import { Static, Type } from '@sinclair/typebox'
import { fastifyErrors } from '../../../models/utils.js'
const parameters = Type.Object({
file: Type.String()
})
type Parameters = Static<typeof parameters>
export const getServiceSchema: FastifySchema = {
tags: ['uploads'] as string[],
params: parameters,
response: {
200: {
type: 'string',
format: 'binary'
},
400: fastifyErrors[400],
404: fastifyErrors[404],
500: fastifyErrors[500]
}
} as const
export const getUsersUploadsService: FastifyPluginAsync = async (fastify) => {
fastify.route<{
Params: Parameters
}>({
method: 'GET',
url: '/uploads/users/:file',
schema: getServiceSchema,
handler: async (request, reply) => {
const { file } = request.params
return await reply.sendFile(path.join('users', file))
}
})
}

2
src/services/users/current/logo/put.ts
View File

@ -1,9 +1,9 @@
import { Type } from '@sinclair/typebox'
import { FastifyPluginAsync, FastifySchema } from 'fastify'
import fastifyMultipart from 'fastify-multipart'
import authenticateUser from '../../../../tools/plugins/authenticateUser.js'
import { fastifyErrors } from '../../../../models/utils.js'
import fastifyMultipart from 'fastify-multipart'
import prisma from '../../../../tools/database/prisma.js'
import { uploadFile } from '../../../../tools/utils/uploadFile.js'
import {

2
src/tools/email/emailTransporter.ts
View File

@ -1,6 +1,6 @@
import dotenv from 'dotenv'
import nodemailer from 'nodemailer'
import SMTPTransport from 'nodemailer/lib/smtp-transport'
import type SMTPTransport from 'nodemailer/lib/smtp-transport.js'
dotenv.config()
const EMAIL_PORT = parseInt(process.env.EMAIL_PORT ?? '465', 10)

2
src/tools/utils/__test__/parseStringNullish.test.ts
View File

@ -1,4 +1,4 @@
import { parseStringNullish } from '../parseStringNullish'
import { parseStringNullish } from '../parseStringNullish.js'
const defaultString = 'defaultString'