const config = require('../../config');
const express = require('Express');
const asyncHandler = require('express-async-handler');
const jwt = require('jsonwebtoken');
const path = require('path');
const resolvePath = require('resolve-path');
const AuthTokens = require('../authtokens');
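/**
 * Authenticate the request with a JWT and run `onVerified` with the active user.
 *
 * The token is taken from `Authorization: Bearer <token>` first and, failing
 * that, from the `token` cookie. Status codes written on failure:
 *   400 - an Authorization header is present but its scheme is not "Bearer",
 *         or the verified token carries no `userId` claim
 *   403 - no credentials at all, token fails verification (bad signature,
 *         expired, malformed), or the user is unknown / inactive
 *   500 - the repository lookup or `onVerified` threw
 *
 * Verification uses the synchronous form of `jwt.verify`, so the promise this
 * function returns only settles after `onVerified` has finished. The previous
 * callback form resolved immediately, which made the callers' `await` a no-op
 * and left any throw inside the callback outside the caller's error handling.
 *
 * @param {import('express').Request} req - incoming request (headers, cookies)
 * @param {import('express').Response} res - response used to report failures
 * @param {object} repository - must expose `users.getUser(userId)`
 * @param {(user: object) => Promise<void>} onVerified - runs with the active user
 * @returns {Promise<void>}
 */
async function checkAuthorization(req, res, repository, onVerified)
{
    let token;

    const authHeader = req.headers.authorization;
    if (authHeader)
    {
        // "Bearer" alone yields value === undefined; jwt.verify rejects that below.
        const [scheme, value] = authHeader.split(' ');
        if (scheme !== 'Bearer')
        {
            res.sendStatus(400);
            return;
        }
        token = value;
    }
    else if (req.cookies && req.cookies.token)
    {
        token = req.cookies.token;
    }
    else
    {
        res.sendStatus(403);
        return;
    }

    let decoded;
    try
    {
        // NOTE(review): no `algorithms` option is pinned here. jsonwebtoken falls
        // back to the HS* family for a string secret, but pinning it explicitly
        // (e.g. ['HS256']) prevents a later change of secret type from silently
        // widening the set of accepted algorithms. Confirm against the token issuer.
        decoded = jwt.verify(token, config.jwtSecret);
    }
    catch (err)
    {
        // Any verification failure is reported as 403, matching the callback form.
        res.sendStatus(403);
        return;
    }

    try
    {
        if (!decoded || !decoded.userId)
        {
            res.sendStatus(400);
            return;
        }

        const user = await repository.users.getUser(decoded.userId);
        // `== null` also covers a repository that signals "not found" with
        // undefined; the former `=== null` check let that reach `.active` and
        // surface as a 500 instead of a 403.
        if (user == null || !user.active)
        {
            res.sendStatus(403);
            return;
        }

        await onVerified(user);
    }
    catch (e)
    {
        console.error(e);
        // Do not attempt a second status line if onVerified already began the response.
        if (!res.headersSent)
        {
            res.sendStatus(500);
        }
    }
}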
/**
 * Build the authenticated API router.
 *
 * Every route runs through `checkAuthorization`, so a handler body only executes
 * with a verified, active `user`. Routes:
 *   GET /whoami                        - the caller's `userId`, `username` and `auth`
 *   GET /codes                         - the caller's codes, or every code when the
 *                                        user holds `AuthTokens.ViewAllCodes`
 *   GET /uploads                       - the caller's uploads, or every upload when
 *                                        the user holds `AuthTokens.ViewAllUploads`
 *   GET /download/:fileid/:displayname - send the stored file `fileid` from
 *                                        `config.fileUpload.path` as `displayname`
 *
 * @param {object} repository - data access object exposing `users`, `codes` and `uploads`
 * @returns {import('express').Router}
 */
module.exports = (repository) =>
{
    const router = express.Router();

    // Stamp each item with its owner's name from the userId -> username map.
    const attachUsernames = (items, usernames) =>
    {
        for (const item of items)
        {
            item.username = usernames[item.userId];
        }
        return items;
    };

    // Gate a handler behind checkAuthorization; `user` is the verified active user.
    const authenticated = (handler) => asyncHandler(async (req, res) =>
    {
        await checkAuthorization(req, res, repository, (user) => handler(req, res, user));
    });

    router.get('/whoami', authenticated(async (req, res, user) =>
    {
        const { userId, username, auth } = user;
        res.send({ userId, username, auth });
    }));

    router.get('/codes', authenticated(async (req, res, user) =>
    {
        // null asks the repository for everyone's codes.
        const scope = user.hasAuth(AuthTokens.ViewAllCodes) ? null : user.userId;
        const codes = await repository.codes.getCodes(scope);
        const usernames = await repository.users.getUserNames();
        res.send(attachUsernames(codes, usernames));
    }));

    router.get('/uploads', authenticated(async (req, res, user) =>
    {
        // null asks the repository for everyone's uploads.
        const scope = user.hasAuth(AuthTokens.ViewAllUploads) ? null : user.userId;
        const files = await repository.uploads.getUploads(scope);
        const usernames = await repository.users.getUserNames();
        res.send(attachUsernames(files, usernames));
    }));

    router.get('/download/:fileid/:displayname', authenticated(async (req, res) =>
    {
        // TODO should we check if the user has access to the file?
        // for now not that important, if you know the file's UID and are logged in
        //
        // NOTE(review): this is an authorization gap, not a traversal one. Any
        // logged-in user who learns a file id can fetch it, while /uploads scopes
        // listing to the owner unless ViewAllUploads is held; the same ownership
        // rule presumably belongs here. resolve-path is documented to reject `..`
        // and absolute segments, so the lookup should stay under
        // config.fileUpload.path -- confirm the installed version still does so.
        // A rejected id throws here and surfaces as a 500 via checkAuthorization.
        const fullpath = resolvePath(config.fileUpload.path, req.params.fileid);
        res.download(fullpath, req.params.displayname);
    }));

    return router;
}