authorPitu <[email protected]>2020-05-11 00:57:56 +0900
committerPitu <[email protected]>2020-05-11 00:57:56 +0900
commit496477ebda3f6c347a9944e22daae447d15ebc31 (patch)
treec9449d39ec3f15a3a69a790fbe4c6fce60811b1d /src/api
parentchore: cleanup and todo (diff)
downloadhost.fuwn.me-496477ebda3f6c347a9944e22daae447d15ebc31.tar.xz
host.fuwn.me-496477ebda3f6c347a9944e22daae447d15ebc31.zip
Feature: enable apiKey access to uploads and album fetching for the uploader/sharex/3rd party
Diffstat (limited to 'src/api')
-rw-r--r--src/api/databaseMigration.js2
-rw-r--r--src/api/routes/albums/albumsGET.js2
-rw-r--r--src/api/routes/uploads/chunksPOST.js5
-rw-r--r--src/api/routes/uploads/uploadPOST.js5
-rw-r--r--src/api/routes/user/apiKey.js6
-rw-r--r--src/api/structures/Route.js18
6 files changed, 21 insertions, 17 deletions
diff --git a/src/api/databaseMigration.js b/src/api/databaseMigration.js
index 75611f3..5cf4b39 100644
--- a/src/api/databaseMigration.js
+++ b/src/api/databaseMigration.js
@@ -51,7 +51,7 @@ const start = async () => {
password: user.password,
enabled: user.enabled == 1 ? true : false,
isAdmin: false,
- apiKey: user.token, // Is this the best way to do it?
+ apiKey: user.token,
passwordEditedAt: now,
apiKeyEditedAt: now,
createdAt: now,
diff --git a/src/api/routes/albums/albumsGET.js b/src/api/routes/albums/albumsGET.js
index c61ad03..bbd3cae 100644
--- a/src/api/routes/albums/albumsGET.js
+++ b/src/api/routes/albums/albumsGET.js
@@ -69,7 +69,7 @@ class albumsGET extends Route {
class albumsDropdownGET extends Route {
constructor() {
- super('/albums/dropdown', 'get');
+ super('/albums/dropdown', 'get', { canApiKey: true });
}
async run(req, res, db, user) {
diff --git a/src/api/routes/uploads/chunksPOST.js b/src/api/routes/uploads/chunksPOST.js
index 1c02bc7..013c0d6 100644
--- a/src/api/routes/uploads/chunksPOST.js
+++ b/src/api/routes/uploads/chunksPOST.js
@@ -6,7 +6,10 @@ const randomstring = require('randomstring');
class uploadPOST extends Route {
constructor() {
- super('/upload/chunks', 'post', { bypassAuth: true });
+ super('/upload/chunks', 'post', {
+ bypassAuth: true,
+ canApiKey: true
+ });
}
async run(req, res, db) {
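Review bot: `canApiKey: true` has no effect on this route, because `bypassAuth: true` is still set and Route.js returns `this.run(req, res, db)` on the bypass check before the `req.headers.token` branch is ever reached, so the upload handler still runs with no resolved user. The same combination is added to uploadPOST.js in this commit. If the intent is that uploads from the uploader/ShareX be attributed to the key's owner, drop `bypassAuth: true` here and in uploadPOST.js and let `authorizeApiKey` resolve the user; if anonymous uploads must stay allowed, the flag is misleading and deserves a comment such as `// bypassAuth short-circuits before the api key is checked; the key is ignored here`. The `run` method starts on the last line of the hunk and its body is outside it.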
diff --git a/src/api/routes/uploads/uploadPOST.js b/src/api/routes/uploads/uploadPOST.js
index d611175..6c01dd3 100644
--- a/src/api/routes/uploads/uploadPOST.js
+++ b/src/api/routes/uploads/uploadPOST.js
@@ -39,7 +39,10 @@ const upload = multer({
class uploadPOST extends Route {
constructor() {
- super('/upload', 'post', { bypassAuth: true });
+ super('/upload', 'post', {
+ bypassAuth: true,
+ canApiKey: true
+ });
}
async run(req, res, db) {
diff --git a/src/api/routes/user/apiKey.js b/src/api/routes/user/apiKey.js
index f80d563..a87d98d 100644
--- a/src/api/routes/user/apiKey.js
+++ b/src/api/routes/user/apiKey.js
@@ -1,12 +1,11 @@
const Route = require('../../structures/Route');
const randomstring = require('randomstring');
const moment = require('moment');
-const bcrypt = require('bcrypt');
const { dump } = require('dumper.js');
class apiKeyPOST extends Route {
constructor() {
- super('/user/apikey/change', 'post', { noApiKey: true });
+ super('/user/apikey/change', 'post');
}
async run(req, res, db, user) {
@@ -14,11 +13,10 @@ class apiKeyPOST extends Route {
const apiKey = randomstring.generate(64);
try {
- const hash = await bcrypt.hash(apiKey, 10);
await db.table('users')
.where({ id: user.id })
.update({
- apiKey: hash,
+ apiKey,
apiKeyEditedAt: now
});
} catch (error) {
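Review bot: The generated key is now written to `users.apiKey` in plaintext (the `bcrypt.hash` line is removed and the raw `apiKey` is stored), so anyone who can read the table — a backup, a leaked dump, an injection elsewhere — holds every user's working credential. The lookup in Route.js (`db.table('users').where({ apiKey })`) needs an equality-searchable value, which bcrypt's salted output cannot provide, but a deterministic digest keeps that property: store `createHash('sha256').update(apiKey).digest('hex')` here and hash the incoming header the same way before the `where` in `authorizeApiKey`. A key from `randomstring.generate(64)` carries enough entropy that an unsalted digest is not guessable, and the `apiKey: user.token` copy in databaseMigration.js would need the same treatment. The `run` method of apiKeyPOST continues outside the hunk.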
diff --git a/src/api/structures/Route.js b/src/api/structures/Route.js
index 2db9bc6..23a3522 100644
--- a/src/api/structures/Route.js
+++ b/src/api/structures/Route.js
@@ -57,7 +57,9 @@ class Route {
if (banned) return res.status(401).json({ message: 'This IP has been banned from using the service.' });
if (this.options.bypassAuth) return this.run(req, res, db);
- if (req.headers.apiKey) return this.authorizeApiKey(req, res, req.headers.apiKey);
+ // The only reason I call it token here and not Api Key is to be backwards compatible with the uploader and sharex
+ // Small price to pay.
+ if (req.headers.token) return this.authorizeApiKey(req, res, req.headers.token);
if (!req.headers.authorization) return res.status(401).json({ message: 'No authorization header provided' });
const token = req.headers.authorization.split(' ')[1];
@@ -81,15 +83,13 @@ class Route {
});
}
- authorizeApiKey(req, res, apiKey) {
- if (this.options.noApiKey) return res.status(401).json({ message: 'Api Key not allowed for this resource' });
+ async authorizeApiKey(req, res, apiKey) {
+ if (!this.options.canApiKey) return res.status(401).json({ message: 'Api Key not allowed for this resource' });
+ const user = await db.table('users').where({ apiKey }).first();
+ if (!user) return res.status(401).json({ message: 'Invalid authorization' });
+ if (!user.enabled) return res.status(401).json({ message: 'This account has been disabled' });
- /*
- Need to read more into how api keys work before proceeding any further
-
- const comparePassword = await bcrypt.compare(password, user.password);
- if (!comparePassword) return res.status(401).json({ message: 'Invalid authorization.' });
- */
+ return this.run(req, res, db, user);
}
run(req, res, db) { // eslint-disable-line no-unused-vars
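Review bot: `authorizeApiKey` uses `db` on the `db.table('users')` line and passes it to `this.run`, but `db` is not among its parameters (`req, res, apiKey`); the caller in the first hunk does have `db` in scope (it passes it to `this.run`), so unless `db` is also a module-level binding in Route.js every token request will fail with a ReferenceError. Threading it through is a two-line change: `async authorizeApiKey(req, res, db, apiKey) {` and, at the call site, `return this.authorizeApiKey(req, res, db, req.headers.token);`. The method containing the first hunk starts before the hunk, so where its `db` comes from is not visible here.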