Fix api authentication

Alice Gaudon 2020-11-27 15:28:28 +01:00
parent 13abf62368
commit 892cf26628
3 changed files with 37 additions and 13 deletions


@ -1,5 +1,5 @@
import Controller from "swaf/Controller"; import Controller from "swaf/Controller";
import {RequireAuthMiddleware} from "swaf/auth/AuthComponent"; import {RequireAuthMiddleware, RequireRequestAuthMiddleware} from "swaf/auth/AuthComponent";
import {NextFunction, Request, Response} from "express"; import {NextFunction, Request, Response} from "express";
import {BadRequestError, ForbiddenHttpError, ServerError} from "swaf/HttpError"; import {BadRequestError, ForbiddenHttpError, ServerError} from "swaf/HttpError";
import FileModel from "../models/FileModel"; import FileModel from "../models/FileModel";
@ -54,7 +54,12 @@ export default class FileController extends Controller {
); );
} }
public static async handleFileUpload(slug: string, req: Request, res: Response): Promise<void> { public static async handleFileUpload(
slug: string,
req: Request,
res: Response,
requestAuth: boolean = false,
): Promise<void> {
// Check for file upload // Check for file upload
if (Object.keys(req.files).indexOf('upload') < 0) { if (Object.keys(req.files).indexOf('upload') < 0) {
throw new BadRequestError('No file received.', 'You must upload exactly one (1) file.', req.url); throw new BadRequestError('No file received.', 'You must upload exactly one (1) file.', req.url);
@ -68,7 +73,7 @@ export default class FileController extends Controller {
if (req.body.ttl !== undefined) ttl = parseInt(req.body.ttl); if (req.body.ttl !== undefined) ttl = parseInt(req.body.ttl);
else if (req.body.expire_after_days !== undefined) ttl = parseInt(req.body.expire_after_days) * 24 * 3600; else if (req.body.expire_after_days !== undefined) ttl = parseInt(req.body.expire_after_days) * 24 * 3600;
const user = req.as(RequireAuthMiddleware).getUser(); const user = (requestAuth ? req.as(RequireRequestAuthMiddleware) : req.as(RequireAuthMiddleware)).getUser();
const file = FileModel.create({ const file = FileModel.create({
user_id: user.id, user_id: user.id,
@ -97,14 +102,19 @@ export default class FileController extends Controller {
}); });
} }
public static async deleteFileRoute(req: Request, res: Response, next: NextFunction): Promise<void> { public static async deleteFileRoute(
req: Request,
res: Response,
next: NextFunction,
requestAuth: boolean = false,
): Promise<void> {
const slug = req.params.slug; const slug = req.params.slug;
if (!slug) throw new BadRequestError('Cannot delete nothing.', 'Please provide a slug.', req.url); if (!slug) throw new BadRequestError('Cannot delete nothing.', 'Please provide a slug.', req.url);
const file = await FileModel.getBySlug(req.params.slug); const file = await FileModel.getBySlug(req.params.slug);
if (!file) return next(); if (!file) return next();
const user = req.as(RequireAuthMiddleware).getUser(); const user = (requestAuth ? req.as(RequireRequestAuthMiddleware) : req.as(RequireAuthMiddleware)).getUser();
if (!file.canDelete(user.getOrFail('id'))) throw new ForbiddenHttpError('file', req.url); if (!file.canDelete(user.getOrFail('id'))) throw new ForbiddenHttpError('file', req.url);
switch (file.storage_type) { switch (file.storage_type) {
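Review bot: The new `requestAuth` flag makes the caller responsible for knowing which auth middleware the route registered, and if the flag disagrees with the route (e.g. `true` on a route guarded only by `RequireAuthMiddleware`) the outcome depends on what `req.as(...)` returns for a middleware that did not run — please confirm it throws rather than yielding an undefined or unauthenticated user, since the result's `id` is written straight into `user_id` and passed to `canDelete`. The same ternary on the `const user =` line is now duplicated in `handleFileUpload`, `deleteFileRoute` and `URLRedirectController.addURL`; a single helper such as `private static authenticatedUser(req: Request, requestAuth: boolean) { return (requestAuth ? req.as(RequireRequestAuthMiddleware) : req.as(RequireAuthMiddleware)).getUser(); }` would keep the selection in one place. The added parameter also deserves a TSDoc line on both signatures, e.g. `@param requestAuth - true when the route is guarded by RequireRequestAuthMiddleware (request/token auth, presumably) instead of the session-based RequireAuthMiddleware; must match the middleware actually registered on the route.` Both `handleFileUpload` and `deleteFileRoute` continue past the end of their hunks.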


@ -16,14 +16,14 @@ import {log} from "swaf/Logger";
export default class LinkController extends Controller { export default class LinkController extends Controller {
public routes(): void { public routes(): void {
this.post('/', this.postFile, 'post-file', RequireRequestAuthMiddleware, FileUploadFormMiddleware); this.post('/', this.postFile, 'post-file', RequireRequestAuthMiddleware, FileUploadFormMiddleware);
this.delete('/:slug', FileController.deleteFileRoute, 'delete-file', RequireRequestAuthMiddleware); this.delete('/:slug', this.deleteFile, 'delete-file', RequireRequestAuthMiddleware);
this.get('/:slug', this.getFile, 'get-file'); this.get('/:slug', this.getFile, 'get-file');
this.put('/:slug', this.putFile, 'put-file', RequireRequestAuthMiddleware, FileUploadFormMiddleware); this.put('/:slug', this.putFile, 'put-file', RequireRequestAuthMiddleware, FileUploadFormMiddleware);
this.post('/', URLRedirectController.addURL, 'post-url', RequireRequestAuthMiddleware); this.post('/', this.addURL, 'post-url', RequireRequestAuthMiddleware);
this.delete('/:slug', this.deleteURL, 'delete-url', RequireRequestAuthMiddleware); this.delete('/:slug', this.deleteURL, 'delete-url', RequireRequestAuthMiddleware);
this.get('/:slug', this.getURLRedirect, 'get-url'); this.get('/:slug', this.getURLRedirect, 'get-url');
this.put('/:slug', URLRedirectController.addURL, 'put-url', RequireRequestAuthMiddleware); this.put('/:slug', this.addURL, 'put-url', RequireRequestAuthMiddleware);
this.get(/(.*)/, this.domainFilter); this.get(/(.*)/, this.domainFilter);
} }
@ -69,7 +69,7 @@ export default class LinkController extends Controller {
protected async postFile(req: Request, res: Response, next: NextFunction): Promise<void> { protected async postFile(req: Request, res: Response, next: NextFunction): Promise<void> {
if (req.body.type !== 'file') return next(); if (req.body.type !== 'file') return next();
await FileController.handleFileUpload(req.body.slug || await generateSlug(10), req, res); await FileController.handleFileUpload(req.body.slug || await generateSlug(10), req, res, true);
} }
protected async putFile(req: Request, res: Response, next: NextFunction): Promise<void> { protected async putFile(req: Request, res: Response, next: NextFunction): Promise<void> {
@ -77,7 +77,15 @@ export default class LinkController extends Controller {
const slug = req.params.slug; const slug = req.params.slug;
if (!slug) throw new BadRequestError('Cannot put without a slug.', 'Either provide a slug or use POST method instead.', req.url); if (!slug) throw new BadRequestError('Cannot put without a slug.', 'Either provide a slug or use POST method instead.', req.url);
await FileController.handleFileUpload(slug, req, res); await FileController.handleFileUpload(slug, req, res, true);
}
protected async deleteFile(req: Request, res: Response, next: NextFunction): Promise<void> {
return await FileController.deleteFileRoute(req, res, next, true);
}
protected async addURL(req: Request, res: Response, next: NextFunction): Promise<void> {
return await URLRedirectController.addURL(req, res, next, undefined, true);
} }
protected async getURLRedirect(req: Request, res: Response, next: NextFunction): Promise<void> { protected async getURLRedirect(req: Request, res: Response, next: NextFunction): Promise<void> {
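Review bot: In the new `addURL` wrapper, `URLRedirectController.addURL(req, res, next, undefined, true)` reaches the fifth `requestAuth` parameter through a positional `undefined` placeholder, which is easy to misplace the next time the static signature grows; an options object (`{slug?: string; requestAuth?: boolean}`) on the shared handler, or at least a named local like `const fromRequestAuth = true;`, would make the intent readable at the call site. Every wrapper here passes `true`, restating the `RequireRequestAuthMiddleware` already listed on the matching route in `routes()`, so a one-line TSDoc on each wrapper would help a maintainer keep the two in sync, e.g. `/** Route is guarded by RequireRequestAuthMiddleware, so the shared handler must read the user from it. */`. The `putFile` body begins outside this hunk.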


@ -1,7 +1,7 @@
import Controller from "swaf/Controller"; import Controller from "swaf/Controller";
import {NextFunction, Request, Response} from "express"; import {NextFunction, Request, Response} from "express";
import URLRedirect from "../models/URLRedirect"; import URLRedirect from "../models/URLRedirect";
import {RequireAuthMiddleware} from "swaf/auth/AuthComponent"; import {RequireAuthMiddleware, RequireRequestAuthMiddleware} from "swaf/auth/AuthComponent";
import generateSlug from "../SlugGenerator"; import generateSlug from "../SlugGenerator";
import config from "config"; import config from "config";
import AuthToken from "../models/AuthToken"; import AuthToken from "../models/AuthToken";
@ -47,10 +47,16 @@ export default class URLRedirectController extends Controller {
); );
} }
public static async addURL(req: Request, res: Response, next: NextFunction, slug?: string): Promise<void> { public static async addURL(
req: Request,
res: Response,
next: NextFunction,
slug?: string,
requestAuth: boolean = false,
): Promise<void> {
if (req.body.type !== 'url') return next(); if (req.body.type !== 'url') return next();
const user = req.as(RequireAuthMiddleware).getUser(); const user = (requestAuth ? req.as(RequireRequestAuthMiddleware) : req.as(RequireAuthMiddleware)).getUser();
slug = slug || req.params.slug || req.body.slug || await generateSlug(10); slug = slug || req.params.slug || req.body.slug || await generateSlug(10);
const urlRedirect = URLRedirect.create({ const urlRedirect = URLRedirect.create({
user_id: user.id, user_id: user.id,