UNPKG

save-server

Version:

A powerful ShareX image and URL server, with support for multiple users.

github.com/neztore/save-server

neztore/save-server

310 lines (282 loc) 9.46 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
// User handler // While called "id", the "id" actually refers to a user's username, as this is what we use to uniquely identify a user. const express = require("express"); const users = express.Router(); const auth = require("../middleware/auth"); const db = require("../util/db"); const { errorGenerator, errorCatch, generateToken, errors, dest, hashRounds, adminUser, getBase } = require("../util"); const { isLength, isAlphanumeric, isEmpty } = require("validator"); const { compare, hash } = require("bcrypt"); const fs = require("fs"); const path = require("path"); const BIG = 1000000; const validUsername = (str) => str && typeof str === "string" && isLength(str, { min: 3, max: 50 }) && isAlphanumeric(str); const validPassword = (str) => str && typeof str === "string" && isLength(str, { min: 3, max: 100 }); users.post("/login", errorCatch(async function (req, res) { const username = req.body.username; const password = req.body.password; if (validUsername(username)) { if (!validPassword(password)) { return res.status(400).send(errorGenerator(400, "Invalid password: Must be less than 100 characters.")); } // It passes all checks const user = await db.getUser(username); if (user && user.password) { const correct = await compare(password, user.password); if (correct) { if (user.token) { // They have a token. Return it. res.cookie("authorization", user.token, { httpOnly: true, /* A week */ expires: new Date(Date.now() + 604800000), secure: req.secure || false, sameSite: "Lax" }); return res.send({ success: true, message: "Logged in." }); } else { // No token - generate. const token = await generateToken(); await db.setToken(user.username, token); res.cookie("authorization", token, { httpOnly: true, /* A week */ expires: new Date(Date.now() + 604800000), secure: req.secure || false, sameSite: "Lax" }); return res.send({ success: true, message: "Logged in." }); } } else { return res.status(403).send(errorGenerator(403, "Forbidden: Invalid username or password.")); } } else { return res.status(404).send(errorGenerator(404, "User not found.")); } } else { return res.status(400).send(errorGenerator(400, "Invalid username.")); } })); users.use(auth); users.get("/", errorCatch(async function (req, res) { const users = await db.getUsers(); res.send({ users, success: true }); })); // Create is an authenticated route - only the root user can do it. users.post("/create", errorCatch(async function (req, res) { if (!req.user || !req.user.isAdmin) { return res.status(403).send(errors.forbidden); } const username = req.body.username; const password = req.body.password; if (validUsername(username)) { if (!validPassword(password)) { return res.status(400).send(errorGenerator(400, "Invalid password. - Must be > 3 and < 50.")); } // It passes all checks const user = await db.getUser(username); if (user) { return res.status(404).send(errorGenerator(400, "Username is already in use.")); } else { const hashed = await hash(password, hashRounds); await db.addUser(username, hashed); res.send({ success: true, username }); } } else { return res.status(400).send(errorGenerator(400, "Invalid username.")); } })); // Routes for root account or @me. users.use("/:id/", async function (req, res, next) { const { id } = req.params; if (id) { if (id === "@me") { req.target = req.user; return next(); } else { if (!isEmpty(id) && isAlphanumeric(id)) { const user = await db.getUser(id); if (user) { req.target = user; if (user.username === adminUser) { user.isAdmin = true; } if (req.target.username !== req.user.username) { // isAdmin is added by the auth middleware if (req.user.isAdmin) { return next(); } else { // They're not admin, but trying to edit another user. no! return res.status(403).send(errors.forbidden); } } else { return next(); } } else { return res.status(404).send(errorGenerator(404, "User not found.")); } } else { return res.status(400).send(errorGenerator(400, "Invalid username.")); } } } else { throw new Error("No id on user middleware... what?"); } }); users.delete("/:id", errorCatch(async function (req, res, next) { if (req.target.isAdmin) { return res.status(400).send(errorGenerator(400, "The admin user cannot be deleted.")); } const deleteFiles = req.query.deleteFiles && req.query.deleteFiles === "true"; const files = await db.getAllUserFiles(req.target.username); if (deleteFiles) { console.log(`Deleting user ${req.target.username} AND all of their files.`); } for (const file of files) { const loc = `${file.id}${file.extension ? `.${file.extension}` : ""}`; if (deleteFiles) { fs.unlink(path.join(dest, loc), (err) => { if (err) { if (err.code === "ENOENT") { console.log(`Tried to delete file ${loc} but it was already removed.`); } else { return next(err); } } }); } else { await db.setFilesOwner(req.target.username, adminUser); } } await db.removeUser(req.target.username); res.send({ success: true, message: "User deleted." }); })); users.get("/:id/config", errorCatch(async function (req, res) { // Generate config const isLink = req.query.link && req.query.link === "true"; const urlBase = `${getBase(req)}/api`; let token = req.target.token; if (!token) { token = await generateToken(); await db.setToken(req.target.username, token); } const config = { Version: "12.4.1", Headers: { Authorization: token }, RequestMethod: "POST", URL: "$json:url$", }; if (isLink) { config.Name = `${req.hostname} ${req.target.username} URL service`; config.DestinationType = "URLShortener, URLSharingService"; config.RequestURL = `${urlBase}/links`; config.Headers["shorten-url"] = "$input$"; } else { config.Name = `${req.hostname} ${req.target.username} Upload`; config.DestinationType = "ImageUploader, TextUploader, FileUploader"; config.RequestURL = `${urlBase}/files`; config.Body = "MultipartFormData"; config.FileFormName = "files"; config.URL = "$json:url$"; config.ThumbnailURL = "$json:url$"; config.DeletionURL = "$json:deletionUrl$"; } res.set({ "Content-Disposition": `attachment; filename="${req.target.username} ${isLink ? "Link shorten" : "Upload"}.sxcu"` }); res.setHeader("content-type", "application/sxcu"); const stringified = JSON.stringify(config, null, "\t"); res.send(stringified); })); users.patch("/:id/password", errorCatch(async function (req, res) { // ID being @me or an ID. // Allows the user to change password by providing current password, or if root by force. const { newPassword, oldPassword } = req.body; if (validPassword(newPassword)) { if (!req.user.isAdmin) { // They are not admin, so we need to make sure they supplied correct current password if (validPassword(oldPassword)) { if (!req.target.password) { throw new Error("Target user password is not set. This should not be possible."); } const correct = await compare(oldPassword, req.target.password); if (!correct) { return res.status(403).send(errorGenerator(403, "Incorrect current password!")); } } else { return res.status(400).send(errorGenerator(400, "Invalid old password.")); } } // they are good - either admin or provided correct pass. const hashed = await hash(newPassword, hashRounds); await db.setPassword(req.target.username, hashed); return res.send({ success: true, updatedUser: req.target.username }); } else { return res.status(400).send(errorGenerator(400, "Invalid or no new password provided.")); } })); users.patch("/:id/token", errorCatch(async function (req, res) { // ID being @me or an ID. // Allows the user to generate a new token const newToken = await generateToken(); await db.setToken(req.target.username, newToken); if (req.user.username === req.target.username) { res.cookie("authorization", newToken, { httpOnly: true, /* A week */ expires: new Date(Date.now() + 604800000), secure: req.secure || false, sameSite: "Lax" }); } return res.send({ success: true, token: newToken }); })); users.post("/:id/logout", errorCatch(async function (req, res) { if (req.user.username === req.target.username) { res.cookie("authorization", "", { httpOnly: true, /* Expired */ expires: new Date(Date.now() - 604800000), secure: req.secure || false, sameSite: "Lax" }); } return res.send({ success: true }); })); users.get("/:id/files", errorCatch(async function (req, res) { let pageNo = 0; if (req.query.page && !isNaN(req.query.page)) { try { const no = parseInt(req.query.page, 10); if (typeof no === "number" && no >= 0 && no < BIG) { pageNo = no; } else { return res.status(400).send(errorGenerator(400, "Invalid page number.")); } } catch (err) { return res.status(400).send(errorGenerator(400, "Invalid page number.")); } } const files = await db.getUserFiles(req.target.username, pageNo); res.send({ success: true, files }); })); users.get("/:id/links", errorCatch(async function (req, res) { const links = await db.getLinks(req.target.username); res.send({ success: true, links: links || [] }); })); module.exports = users;