update api documentation

add authentication

.gitignore

@@ -7,4 +7,5 @@ ignore/*
 avatars/*
 etc/*
 *newrelic*
-user_uploads/*
+user_uploads/*
+swagger-api.json

routes/api/all.js

@@ -10,76 +10,67 @@ export const setup = function (router, con, server) {
     router.use("/*", (req, res, next) => {
         res.set("Access-Control-Allow-Origin", "*"); //we'll allow it for now
         let unsigned;
-        if (req.body.user === undefined || req.body.pass === undefined) {
+        if(typeof req.get("ipost-auth-token") === "string") {
-            if(typeof req.get("ipost-auth-token") === "string") {
+            try{
-                try{
+                req.body.auth = JSON.parse(req.get("ipost-auth-token"))
-                    req.body.auth = JSON.parse(req.get("ipost-auth-token"))
+            } catch(err) {
-                } catch(err) {
+                console.log("error parsing header",err)
-                    console.log("error parsing header",err)
-                }
             }
-            if(req.body.auth !== undefined && req.originalUrl !== "/redeemauthcode") {
-                if(typeof req.body.auth === "string") {
-                    try{
-                        req.body.auth = JSON.parse(req.body.auth)
-                    } catch(err) {
-                        console.log("error parsing",err)
-                    }
-                } else 
-                if(
-                    typeof req.body.auth            !== "object" || 
-                    typeof req.body.auth.secret     !== "string" || 
-                    typeof req.body.auth.appid      !== "number" || 
-                    typeof req.body.auth.auth_token !== "string" || 
-                    req.body.auth.secret.length     !== 200      || 
-                    req.body.auth.auth_token.length !== 200      ||
-                    Buffer.from(req.body.auth.secret,"base64").length !== 150
-                ) {
-                    res.status(420).send("invalid authentication object")
-                    return;
-                } else {
-                    //secret    : string(200 chars)
-                    //appid     : number
-                    //auth_token: string(200 chars)
-                    let sql = "select User_ID,User_Name,User_Bio,User_Avatar,User_Settings from ipost.auth_tokens inner join ipost.application on auth_token_isfrom_application_id=application_id inner join ipost.users on auth_token_u_id=User_ID where auth_token=? and application_secret=? and application_id=?"
-                    con.query(sql,[SHA256(req.body.auth.auth_token,req.body.auth.appid, HASHES_DB),SHA256(req.body.auth.secret,req.body.auth.appid, HASHES_DB),req.body.auth.appid],(err,result) => {
-                        if(err) throw err;
-
-                        if(result.length !== 1) {
-                            res.status(420).send("invalid authentication object (or server error?)")
-                            return;
-                        }
-
-                        res.locals.userid = result[0].User_ID;
-                        res.locals.username = result[0].User_Name;
-                        res.locals.bio = result[0].User_Bio || "";
-                        res.locals.avatar = result[0].User_Avatar || "";
-                        res.locals.settings = result[0].User_Settings || {};
-
-                        res.locals.isbot = true; //only apps/bots use auth tokens
-
-                        next()
-                    })
-                    return;
-                }
-            } else {
-                if(!req.cookies.AUTH_COOKIE) {
-                    next()
-                    return
-                }
-                unsigned = unsign(req.cookies.AUTH_COOKIE, req, res);
-                if (!unsigned){
-                    next()
-                    return
-                }
-            }
-            
         }
-        else {
+        if(req.body.auth !== undefined && req.originalUrl !== "/redeemauthcode") {
-            unsigned = `${req.body.user} ${SHA256(req.body.pass, req.body.user, HASHES_COOKIE)}`;
+            if(typeof req.body.auth === "string") {
-            res.set("message","user+pass authentication is deprecated as of february 2023, consider switching to auth tokens")
+                try{
-            //basically we generate the unsigned cookie
+                    req.body.auth = JSON.parse(req.body.auth)
-            res.locals.isbot = true; //only bots use user+pass
+                } catch(err) {
+                    console.log("error parsing",err)
+                }
+            } else 
+            if(
+                typeof req.body.auth            !== "object" || 
+                typeof req.body.auth.secret     !== "string" || 
+                typeof req.body.auth.appid      !== "number" || 
+                typeof req.body.auth.auth_token !== "string" || 
+                req.body.auth.secret.length     !== 200      || 
+                req.body.auth.auth_token.length !== 200      ||
+                Buffer.from(req.body.auth.secret,"base64").length !== 150
+            ) {
+                res.status(420).send("invalid authentication object")
+                return;
+            } else {
+                //secret    : string(200 chars)
+                //appid     : number
+                //auth_token: string(200 chars)
+                let sql = "select User_ID,User_Name,User_Bio,User_Avatar,User_Settings from ipost.auth_tokens inner join ipost.application on auth_token_isfrom_application_id=application_id inner join ipost.users on auth_token_u_id=User_ID where auth_token=? and application_secret=? and application_id=?"
+                con.query(sql,[SHA256(req.body.auth.auth_token,req.body.auth.appid, HASHES_DB),SHA256(req.body.auth.secret,req.body.auth.appid, HASHES_DB),req.body.auth.appid],(err,result) => {
+                    if(err) throw err;
+
+                    if(result.length !== 1) {
+                        res.status(420).send("invalid authentication object (or server error?)")
+                        return;
+                    }
+
+                    res.locals.userid = result[0].User_ID;
+                    res.locals.username = result[0].User_Name;
+                    res.locals.bio = result[0].User_Bio || "";
+                    res.locals.avatar = result[0].User_Avatar || "";
+                    res.locals.settings = result[0].User_Settings || {};
+
+                    res.locals.isbot = true; //only apps/bots use auth tokens
+
+                    next()
+                })
+                return;
+            }
+        } else {
+            if(!req.cookies.AUTH_COOKIE) {
+                next()
+                return
+            }
+            unsigned = unsign(req.cookies.AUTH_COOKIE, req, res);
+            if (!unsigned){
+                next()
+                return
+            }
         }
         let sql = `select User_ID,User_Name,User_Bio,User_Avatar,User_Settings from ipost.users where User_Name=? and User_PW=?;`;
         let values = unsigned.split(" ");
@@ -118,6 +109,9 @@ export const setup = function (router, con, server) {
             res.status(402);
             res.json({ "error": "you cannot access the api without being logged in" });
         }
+        /* #swagger.security = [{
+               "appTokenAuthHeader": []
+        }] */
     });
 };
 export default {

routes/api/dms/PersonalMessages.js

@@ -20,6 +20,9 @@ export const setup = function (router, con, server) {
                 throw err;
             res.json(result);
         });
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     router.get("/api/dms/conversations",  function (req, res) {
         res.set("Access-Control-Allow-Origin", "*");
@@ -30,10 +33,16 @@ export const setup = function (router, con, server) {
                 throw err;
             res.json(result);
         });
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     router.get("/api/dms/encrypt.js",  function (req, res) {
         res.set("Access-Control-Allow-Origin", "*");
         res.send(web_version());
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     //
     router.get("/api/dms/getDM",  function (req, res) {
@@ -52,6 +61,9 @@ export const setup = function (router, con, server) {
                 res.json({ "error": "there is no such dm!" });
             }
         });
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
 };
 export default {

routes/api/dms/post.js

@@ -19,6 +19,9 @@ export const setup = function (router, con, server) {
     router.get("/api/dms/pid",  function (req, res) {
         res.set("Access-Control-Allow-Origin", "*");
         res.json({ "pid": createPID() });
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     router.post("/api/dms/post",  function (req, res) {
         if (!req.body.message) {
@@ -89,6 +92,10 @@ export const setup = function (router, con, server) {
             console.log(5, `posted new dm by ${res.locals.username} to ${otherperson} : ${xor(encodeURIComponent(res.locals.username), otherperson)}`);
         });
         //TODO: bring dms up-to-date with normal posts
+
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     return createPID
 };

routes/api/getFileIcon.js

@@ -31,8 +31,8 @@ async function addTextOnImage(text,buf) {
 }
 
 export const setup = function (router, con, server) {
-    router.get("/api/getFileIcon/*",async function(req,res){
+    router.get("/api/getFileIcon/:icon",async function(req,res){
-        let path = req.path.split("/api/getFileIcon/")[1]
+        let path = req.params.icon
         if(path.length > 4) {
             res.status(410).json({"error":"file ending is too long"})
             return;
@@ -41,5 +41,8 @@ export const setup = function (router, con, server) {
             res.set("content-type","image/png")
             res.send(buf)
         })
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     })
 }

routes/api/getPosts.js

@@ -1,8 +1,4 @@
 export const setup = function (router, con, server) {
-    router.get("/api/getPosts/*",  function (_req, res) {
-        res.set("Access-Control-Allow-Origin", "");
-        res.redirect("/api/getPosts");
-    });
     router.get("/api/getPosts",  function (req, res) {
         res.set("Access-Control-Allow-Origin", "*");
         if (req.query.channel !== undefined) {
@@ -21,6 +17,9 @@ export const setup = function (router, con, server) {
                 res.json(result);
             });
         }
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     router.get("/api/getPostsLowerThan",  function (req, res) {
         res.set("Access-Control-Allow-Origin", "*");
@@ -40,6 +39,9 @@ export const setup = function (router, con, server) {
                 res.json(result);
             });
         }
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     router.get("/api/getPost",  function (req, res) {
         res.set("Access-Control-Allow-Origin", "*");
@@ -56,5 +58,8 @@ export const setup = function (router, con, server) {
                 res.json({ "error": "there is no such post!" });
             }
         });
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
 }

routes/api/post.js

@@ -32,6 +32,9 @@ export const setup = function (router, con, server) {
     router.get("/api/pid",  function (req, res) {
         res.set("Access-Control-Allow-Origin", "*");
         res.json({ "pid": createPID() });
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
 
     function validateMessage(message) {
@@ -204,6 +207,9 @@ export const setup = function (router, con, server) {
                 res.json({"error":"internal server error", "status": 500})
             }
         }
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     return createPID
 };

routes/api/search.js

@@ -34,5 +34,9 @@ export const setup = function (router, con, server) {
         else {
             res.json({ "error": "invalid type passed along, expected `user` or `post`", "message": "search has been deprecated as of 11/30/2022"});
         }
+
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
 }

routes/api/settingshandler.js

@@ -4,6 +4,10 @@ const allowed_settings = {
 export const setup = function (router, con, server) {
     router.get("/api/settings", function (req, res) {
         res.json(res.locals.settings);
+
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     router.post("/api/settings", function (req, res) {
         if (!req.body.setting) {
@@ -45,6 +49,10 @@ export const setup = function (router, con, server) {
             }
             res.json({ "status": "success" });
         });
+
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
 };
 export default {

routes/api/userRoutes.js

@@ -47,10 +47,16 @@ export const setup = function (router, con, server) {
                     res.json({ "success": "updated avatar" });
                 });
             })
-        });         
+        });
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     router.get("/api/getuser",  function (_req, res) {
         res.json({ "username": res.locals.username, "bio": res.locals.bio, "avatar": res.locals.avatar, "userid": res.locals.userid });
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     router.get("/api/getalluserinformation",  function (req, res) {
         res.set("Access-Control-Allow-Origin", ""); //we don't want that here
@@ -73,6 +79,9 @@ export const setup = function (router, con, server) {
                 res.json({ "error": "you cannot access the api without being logged in" });
             }
         });
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     router.get("/api/getotheruser",  function (req, res) {
         res.set("Access-Control-Allow-Origin", "*");
@@ -109,6 +118,9 @@ export const setup = function (router, con, server) {
                 throw err;
             res.json({ "success": "updated bio" });
         });
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     router.post("/api/changePW", (req, res) => {
         res.set("Access-Control-Allow-Origin", "");
@@ -149,6 +161,9 @@ export const setup = function (router, con, server) {
                 res.json({ "error": "invalid password" });
             }
         });
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
     router.post("/api/changeUsername",  function (req, res) {
         res.set("Access-Control-Allow-Origin", "");
@@ -212,5 +227,8 @@ export const setup = function (router, con, server) {
                 res.json({ "error": "invalid password" });
             }
         });
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     });
 }

routes/authorize.js

@@ -59,6 +59,10 @@ export const setup = function (router, con, server) {
         }
 
         res.redirect(`/authorize?id=${req.body.application_id}`)
+
+        /* #swagger.security = [{
+            "appTokenAuthHeader": []
+        }] */
     })
 
     router.post("/redeemauthcode", (req,res) => {
@@ -124,4 +128,8 @@ export const setup = function (router, con, server) {
 
 
     })
+
+    /* #swagger.security = [{
+        "appTokenAuthHeader": []
+    }] */
 }

routes/serve_static_files.js

@@ -5,43 +5,43 @@ export const setup = function (router, con, server) {
     const __dirname = server.dirname
     const dir = __dirname + "/"
     
-    router.get("/users/*",  function (req, res) {
+    router.get("/users/:user",  function (req, res) {
         if (!increaseUSERCall(req, res))
             return;
         res.sendFile(dir + "views/otheruser.html");
     });
-    router.get("/css/*", (request, response) => {
+    router.get("/css/:file", (request, response) => {
         if (!increaseUSERCall(request, response))
             return;
-        if (existsSync(__dirname + request.originalUrl)) {
+        if (existsSync(`${__dirname}/css/${request.params.file}`)) {
-            response.sendFile(__dirname + request.originalUrl);
+            response.sendFile(`${__dirname}/css/${request.params.file}`);
         }
         else {
             response.status(404).send("no file with that name found");
         }
         return;
     });
-    router.get("/js/*", (request, response) => {
+    router.get("/js/:file", (request, response) => {
         if (!increaseUSERCall(request, response))
             return;
-        if (existsSync(__dirname + request.originalUrl)) {
+        if (existsSync(`${__dirname}/js/${request.params.file}`)) {
-            response.sendFile(__dirname + request.originalUrl);
+            response.sendFile(`${__dirname}/js/${request.params.file}`);
         }
         else {
             response.status(404).send("no file with that name found");
         }
         return;
     });
-    router.get("/images/*", (request, response) => {
+    router.get("/images/:file", (request, response) => {
         if (!increaseUSERCall(request, response))
             return;
-        if (existsSync(__dirname + request.originalUrl)) {
+        if (existsSync(`${__dirname}/images/${request.params.file}`)) {
             response.set('Cache-Control', 'public, max-age=2592000'); //cache it for one month-ish
-            response.sendFile(__dirname + request.originalUrl);
+            response.sendFile(`${__dirname}/images/${request.params.file}`);
         }
-        else if(existsSync(__dirname + request.originalUrl.toLowerCase())){
+        else if(existsSync(`${__dirname}/images/${request.params.file.toLowerCase()}`)){
             response.set('Cache-Control', 'public, max-age=2592000'); //cache it for one month-ish
-            response.sendFile(__dirname + request.originalUrl.toLowerCase());
+            response.sendFile(`${__dirname}/images/${request.params.file.toLowerCase()}`);
         }
         else {
             response.status(404).send("no file with that name found");
@@ -49,12 +49,12 @@ export const setup = function (router, con, server) {
         return;
     });
     
-    router.get("/user_uploads/*", (request, response) => {
+    router.get("/user_uploads/:file", (request, response) => {
         if (!increaseUSERCall(request, response))
             return;
-        if (existsSync(__dirname + request.originalUrl)) {
+        if (existsSync(`${__dirname}/user_uploads/${request.params.file}`)) {
             response.set('Cache-Control', 'public, max-age=2592000'); //cache it for one month-ish
-            response.sendFile(__dirname + request.originalUrl);
+            response.sendFile(`${__dirname}/user_uploads/${request.params.file}`);
         }
         else {
             response.status(404).send("no file with that name found");
@@ -62,13 +62,12 @@ export const setup = function (router, con, server) {
         return;
     });
     
-    router.get("/avatars/*", (request, response) => {
+    router.get("/avatars/:avatar", (request, response) => {
         if (!increaseUSERCall(request, response))
             return;
         response.set('Cache-Control', 'public, max-age=2592000'); //cache it for one month-ish
-        let originalUrl = request.originalUrl.split("?").shift();
+        if (existsSync(`${__dirname}/avatars/${request.params.avatar}`)) {
-        if (existsSync(dir + originalUrl)) {
+            return response.sendFile(`${__dirname}/avatars/${request.params.avatar}`);
-            return response.sendFile(dir + originalUrl);
         }
         response.status(404).send("No avatar with that name found");
     });

routes/userfiles.js

@@ -70,6 +70,10 @@ export const setup = function (router, con, server) {
     function getAppWithId(appid) {
         appid = Number(appid)
         return new Promise((res,rej) => {
+            if(isNaN(appid)) {
+                res({})
+                return
+            }
             if(appId_Cache.has(appid)) {
                 res(appId_Cache.get(appid) || {})
                 return
@@ -111,7 +115,9 @@ export const setup = function (router, con, server) {
         if (!increaseUSERCall(request, response))return;
         if(typeof overrideurl !== "string")overrideurl = undefined;
     
-        let originalUrl = overrideurl || request.originalUrl.split("?").shift();
+        let originalUrl = overrideurl
+            || request.params.file
+            || request.originalUrl.split("?").shift(); //backup in case anything goes wrong
     
         let path = ""
         if (existsSync(dir + "views" + originalUrl)) {
@@ -136,10 +142,11 @@ export const setup = function (router, con, server) {
             path = dir + "views" + originalUrl + ".html"
         }
     
-        if(path !== "" && originalUrl !== "/favicon.ico" && originalUrl !== "/api/documentation/") {
+        if(path !== "" && originalUrl !== "favicon.ico" && originalUrl !== "api_documentation" && originalUrl !== "api_documentation.html") {
+            console.log(originalUrl)
             global_page_variables.user = { "username": response.locals.username, "bio": response.locals.bio, "avatar": response.locals.avatar }
             global_page_variables.query = request.query
-            if(originalUrl === "/authorize") {
+            if(originalUrl === "authorize") {
                 global_page_variables.application = await getAppWithId(request.query.id)
             }
             ejs.renderFile(path,global_page_variables,{async: true},async function(err,str){
@@ -176,20 +183,20 @@ export const setup = function (router, con, server) {
             })
             return;
         }
-    
+
-        if(originalUrl === "/favicon.ico") {
+        if(originalUrl === "api_documentation" || originalUrl === "api_documentation.html") {
+            response.set('Cache-Control', 'public, max-age=2592000');
+            response.set('Content-Type', 'text/html')
+            response.send(load_var("./views/api_documentation.html"))
+            return
+        }
+
+        if(originalUrl === "favicon.ico") {
             response.set('Cache-Control', 'public, max-age=2592000');
             response.sendFile(dir + "/views/favicon.ico")
             return
         }
-    
+
-        if(originalUrl === "/api/documentation/") {
-            readFile(path,function(_err,res){
-                response.send(res.toString())
-            })
-            return
-        }
-    
         console.log(5,"no file found",originalUrl);
         try {
             response.status(404).send("No file with that name found");
@@ -197,13 +204,14 @@ export const setup = function (router, con, server) {
             console.error(err)
         }
     }
-    
+
-    /** 
+    /**
     * Handle default URI as /index (interpreted redirect: "localhost" -> "localhost/index" )
     */
     router.get("/", function (req, res) {
+        req.params.file = "index"
         handleUserFiles(req,res,"/index")
     });
-    
+
-    router.get("/*", handleUserFiles);
+    router.get("/:file", handleUserFiles);
 }

server.js

@@ -358,6 +358,9 @@ router.get("/api/getChannels",  function (_req, res) {
             throw err;
         res.json(result);
     });
+    /* #swagger.security = [{
+        "appTokenAuthHeader": []
+    }] */
 });
 /*
 

swagger.cjs

@@ -8,9 +8,18 @@ const doc = {
   },
   host: 'ipost.rocks',
   schemes: ['https'],
+  securityDefinitions: {
+    appTokenAuthHeader: {
+      type: 'apiKey',
+      in: 'header', // can be 'header', 'query' or 'cookie'
+      name: 'ipost-auth-token', // name of the header, query parameter or cookie
+      description: 'authenticate using the authentication object in the header'
+    }
+  }
 };
 
-const outputFile = './swagger-output.json';
+const outputFile = './swagger-api.json';
+const tempFile = './swagger-output.json';
 const endpointsFiles = ['./server.js'];
 
 function pushdirectory(currentpath) {
@@ -27,10 +36,43 @@ function pushdirectory(currentpath) {
 
 pushdirectory("./routes/");
 
-console.log(endpointsFiles)
+swaggerAutogen(tempFile, endpointsFiles, doc);
 
-/* NOTE: if you use the express Router, you must pass in the 
+/*
-   'endpointsFiles' only the root file where the route starts,
+  Replace some error codes with own error codes, as described in error_codes.txt
-   such as index.js, app.js, routes.js, ... */
+*/
+const to_replace = {
+  "401": "login error (invalid cookie)",
+  "402": "login error (bad cookie)",
+  "403": "login error (no cookie)",
+  
+  "410": "argument/data error",
+  "411": "argument/data error",
+  "412": "argument/data error",
+  "413": "argument/data error",
+  "414": "argument/data error",
+  "415": "argument/data error",
+  "416": "argument/data error",
+  "417": "argument/data error",
+  "418": "argument/data error",
+  "419": "argument/data error",
+  "420": "invalid authetication object",
+  
+}
 
-swaggerAutogen(outputFile, endpointsFiles, doc);
+let file = JSON.parse(fs.readFileSync(tempFile, 'utf8'));
+
+for (let path in file.paths) {
+  for (let method in file.paths[path]) {
+    for (let response in file.paths[path][method].responses) {
+      if (to_replace[response]) {
+        file.paths[path][method].responses[response].description = to_replace[response];
+      }
+    }
+  }
+}
+
+file = JSON.stringify(file);
+console.log(file)
+fs.writeFileSync(outputFile, file);
+fs.rmSync(tempFile);