fix(services): restrict GET /uploads/messages/:file to authorized users

2022-01-06 18:13:13 +01:00
parent 03946f26e7
commit 97b1d04261
23 changed files with 1314 additions and 2534 deletions
--- a/src/services/channels/[channelId]/test/get.test.ts
+++ b/src/services/channels/[channelId]/test/get.test.ts
@ -1,7 +1,7 @@
 import { application } from '../../../../application.js'
 import { authenticateUserTest } from '../../../../__test__/utils/authenticateUserTest.js'
 import { prismaMock } from '../../../../__test__/setup.js'
-import { memberExample } from '../../../../models/Member'
+import { memberExample } from '../../../../models/Member.js'
 import { channelExample } from '../../../../models/Channel.js'

 describe('GET /channels/[channelId]', () => {
--- a/src/services/channels/[channelId]/messages/post.ts
+++ b/src/services/channels/[channelId]/messages/post.ts
@ -44,7 +44,6 @@ const postServiceSchema: FastifySchema = {
    401: fastifyErrors[401],
    403: fastifyErrors[403],
    404: fastifyErrors[404],
-    431: fastifyErrors[431],
    500: fastifyErrors[500]
  }
 } as const
--- a/src/services/channels/[channelId]/messages/uploads/post.ts
+++ b/src/services/channels/[channelId]/messages/uploads/post.ts
@ -42,6 +42,7 @@ const postServiceSchema: FastifySchema = {
    401: fastifyErrors[401],
    403: fastifyErrors[403],
    404: fastifyErrors[404],
+    431: fastifyErrors[431],
    500: fastifyErrors[500]
  }
 } as const
--- a/src/services/guilds/[guildId]/channels/test/get.test.ts
+++ b/src/services/guilds/[guildId]/channels/test/get.test.ts
@ -1,8 +1,8 @@
 import { application } from '../../../../../application.js'
 import { authenticateUserTest } from '../../../../../__test__/utils/authenticateUserTest.js'
 import { prismaMock } from '../../../../../__test__/setup.js'
-import { memberExample } from '../../../../../models/Member'
-import { guildExample } from '../../../../../models/Guild'
+import { memberExample } from '../../../../../models/Member.js'
+import { guildExample } from '../../../../../models/Guild.js'
 import { channelExample } from '../../../../../models/Channel.js'

 describe('GET /guilds/[guildId]/channels', () => {
--- a/src/services/guilds/[guildId]/icon/put.ts
+++ b/src/services/guilds/[guildId]/icon/put.ts
@ -1,9 +1,9 @@
 import { Static, Type } from '@sinclair/typebox'
 import { FastifyPluginAsync, FastifySchema } from 'fastify'
+import fastifyMultipart from 'fastify-multipart'

 import authenticateUser from '../../../../tools/plugins/authenticateUser.js'
 import { fastifyErrors } from '../../../../models/utils.js'
-import fastifyMultipart from 'fastify-multipart'
 import prisma from '../../../../tools/database/prisma.js'
 import { uploadFile } from '../../../../tools/utils/uploadFile.js'
 import { guildSchema } from '../../../../models/Guild.js'
--- a/src/services/uploads/guilds/get.ts
+++ b/src/services/uploads/guilds/get.ts
@ -0,0 +1,40 @@
+import path from 'node:path'
+
+import { FastifyPluginAsync, FastifySchema } from 'fastify'
+import { Static, Type } from '@sinclair/typebox'
+
+import { fastifyErrors } from '../../../models/utils.js'
+
+const parameters = Type.Object({
+  file: Type.String()
+})
+
+type Parameters = Static<typeof parameters>
+
+export const getServiceSchema: FastifySchema = {
+  tags: ['uploads'] as string[],
+  params: parameters,
+  response: {
+    200: {
+      type: 'string',
+      format: 'binary'
+    },
+    400: fastifyErrors[400],
+    404: fastifyErrors[404],
+    500: fastifyErrors[500]
+  }
+} as const
+
+export const getGuildsUploadsService: FastifyPluginAsync = async (fastify) => {
+  fastify.route<{
+    Params: Parameters
+  }>({
+    method: 'GET',
+    url: '/uploads/guilds/:file',
+    schema: getServiceSchema,
+    handler: async (request, reply) => {
+      const { file } = request.params
+      return await reply.sendFile(path.join('guilds', file))
+    }
+  })
+}
--- a/src/services/uploads/index.ts
+++ b/src/services/uploads/index.ts
@ -1,58 +1,11 @@
-import path from 'node:path'
+import { FastifyPluginAsync } from 'fastify'

-import { FastifyPluginAsync, FastifySchema } from 'fastify'
-import { Static, Type } from '@sinclair/typebox'
-
-import { fastifyErrors } from '../../models/utils'
-
-const parametersUploadsSchema = Type.Object({
-  image: Type.String()
-})
-
-type ParametersUploadsSchemaType = Static<typeof parametersUploadsSchema>
-
-const getUploadsSchema: FastifySchema = {
-  tags: ['uploads'] as string[],
-  params: parametersUploadsSchema,
-  response: {
-    200: {
-      type: 'string',
-      format: 'binary'
-    },
-    400: fastifyErrors[400],
-    404: fastifyErrors[404],
-    500: fastifyErrors[500]
-  }
-} as const
+import { getGuildsUploadsService } from './guilds/get.js'
+import { getMessagesUploadsService } from './messages/get.js'
+import { getUsersUploadsService } from './users/get.js'

 export const uploadsService: FastifyPluginAsync = async (fastify) => {
-  fastify.route<{ Params: ParametersUploadsSchemaType }>({
-    method: 'GET',
-    url: '/uploads/users/:image',
-    schema: getUploadsSchema,
-    handler: async (request, reply) => {
-      const { image } = request.params
-      return await reply.sendFile(path.join('users', image))
-    }
-  })
-
-  fastify.route<{ Params: ParametersUploadsSchemaType }>({
-    method: 'GET',
-    url: '/uploads/guilds/:image',
-    schema: getUploadsSchema,
-    handler: async (request, reply) => {
-      const { image } = request.params
-      return await reply.sendFile(path.join('guilds', image))
-    }
-  })
-
-  fastify.route<{ Params: ParametersUploadsSchemaType }>({
-    method: 'GET',
-    url: '/uploads/messages/:image',
-    schema: getUploadsSchema,
-    handler: async (request, reply) => {
-      const { image } = request.params
-      return await reply.sendFile(path.join('messages', image))
-    }
-  })
+  await fastify.register(getGuildsUploadsService)
+  await fastify.register(getMessagesUploadsService)
+  await fastify.register(getUsersUploadsService)
 }
--- a/src/services/uploads/messages/get.ts
+++ b/src/services/uploads/messages/get.ts
@ -0,0 +1,76 @@
+import path from 'node:path'
+
+import { FastifyPluginAsync, FastifySchema } from 'fastify'
+import { Static, Type } from '@sinclair/typebox'
+
+import { fastifyErrors } from '../../../models/utils.js'
+import authenticateUser from '../../../tools/plugins/authenticateUser.js'
+import prisma from '../../../tools/database/prisma.js'
+
+const parameters = Type.Object({
+  file: Type.String()
+})
+
+type Parameters = Static<typeof parameters>
+
+export const getServiceSchema: FastifySchema = {
+  tags: ['uploads'] as string[],
+  security: [
+    {
+      bearerAuth: []
+    }
+  ] as Array<{ [key: string]: [] }>,
+  params: parameters,
+  response: {
+    200: {
+      type: 'string',
+      format: 'binary'
+    },
+    400: fastifyErrors[400],
+    401: fastifyErrors[401],
+    403: fastifyErrors[403],
+    404: fastifyErrors[404],
+    500: fastifyErrors[500]
+  }
+} as const
+
+export const getMessagesUploadsService: FastifyPluginAsync = async (
+  fastify
+) => {
+  await fastify.register(authenticateUser)
+
+  fastify.route<{
+    Params: Parameters
+  }>({
+    method: 'GET',
+    url: '/uploads/messages/:file',
+    schema: getServiceSchema,
+    handler: async (request, reply) => {
+      if (request.user == null) {
+        throw fastify.httpErrors.forbidden()
+      }
+      const { file } = request.params
+      const message = await prisma.message.findFirst({
+        where: { value: `/uploads/messages/${file}` },
+        include: {
+          member: {
+            select: { guildId: true }
+          }
+        }
+      })
+      if (message == null) {
+        throw fastify.httpErrors.notFound('Message not found')
+      }
+      const member = await prisma.member.findFirst({
+        where: {
+          guildId: message.member?.guildId,
+          userId: request.user.current.id
+        }
+      })
+      if (member == null) {
+        throw fastify.httpErrors.notFound('Member not found')
+      }
+      return await reply.sendFile(path.join('messages', file))
+    }
+  })
+}
--- a/src/services/uploads/users/get.ts
+++ b/src/services/uploads/users/get.ts
@ -0,0 +1,40 @@
+import path from 'node:path'
+
+import { FastifyPluginAsync, FastifySchema } from 'fastify'
+import { Static, Type } from '@sinclair/typebox'
+
+import { fastifyErrors } from '../../../models/utils.js'
+
+const parameters = Type.Object({
+  file: Type.String()
+})
+
+type Parameters = Static<typeof parameters>
+
+export const getServiceSchema: FastifySchema = {
+  tags: ['uploads'] as string[],
+  params: parameters,
+  response: {
+    200: {
+      type: 'string',
+      format: 'binary'
+    },
+    400: fastifyErrors[400],
+    404: fastifyErrors[404],
+    500: fastifyErrors[500]
+  }
+} as const
+
+export const getUsersUploadsService: FastifyPluginAsync = async (fastify) => {
+  fastify.route<{
+    Params: Parameters
+  }>({
+    method: 'GET',
+    url: '/uploads/users/:file',
+    schema: getServiceSchema,
+    handler: async (request, reply) => {
+      const { file } = request.params
+      return await reply.sendFile(path.join('users', file))
+    }
+  })
+}
--- a/src/services/users/current/logo/put.ts
+++ b/src/services/users/current/logo/put.ts
@ -1,9 +1,9 @@
 import { Type } from '@sinclair/typebox'
 import { FastifyPluginAsync, FastifySchema } from 'fastify'

+import fastifyMultipart from 'fastify-multipart'
 import authenticateUser from '../../../../tools/plugins/authenticateUser.js'
 import { fastifyErrors } from '../../../../models/utils.js'
-import fastifyMultipart from 'fastify-multipart'
 import prisma from '../../../../tools/database/prisma.js'
 import { uploadFile } from '../../../../tools/utils/uploadFile.js'
 import {