Compare commits
77 Commits
snyk-upgra
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
| 2233b4a44c | |||
|
ecb3a38d9b | ||
|
|
0c9f32bc57 | ||
|
|
04dc6ae7ee | ||
|
fd7877fda9 | ||
|
|
6e2d635fbd | ||
|
a2ef9e0e9f | ||
|
|
503b546470 | ||
|
|
a550cfde7b | ||
|
|
344c117938 | ||
|
|
026aa7ac52 | ||
|
|
24064990f7 | ||
|
|
8446a79a7b | ||
|
|
90cde02e31 | ||
|
|
5c4c1f4690 | ||
|
|
12e2fa914f | ||
|
|
d44d107304 | ||
|
52fa742e48 | ||
|
|
1b1e1ef9fd | ||
|
|
f758517eab | ||
|
|
7fbe2e261f | ||
|
|
bb06358eec | ||
|
|
5b635feb28 | ||
|
|
e571696559 | ||
|
|
c02b95fc79 | ||
|
|
5c37c294fc | ||
|
|
86f54a5652 | ||
|
|
17e4940f6d | ||
|
|
fcf98a8b4f | ||
|
|
03a6a46f55 | ||
|
|
6053317ab1 | ||
|
|
ac89cf2504 | ||
|
|
48e9f7bc31 | ||
|
|
a1d4524624 | ||
|
|
5946ff4d86 | ||
|
|
95d0d093e9 | ||
|
|
322b4cad33 | ||
|
|
6b169dc540 | ||
|
|
0ea07f9ec8 | ||
| 213368d34c | |||
| 375facdab5 | |||
| 5fd6cbcfe5 | |||
|
|
4810769c5f | ||
|
|
1f1211b294 | ||
|
|
1ab0379b64 | ||
|
|
55af81bf02 | ||
|
|
3d4e88f3a6 | ||
|
|
93ab117f13 | ||
|
|
5af19d1b12 | ||
|
|
b56dbd4e77 | ||
|
|
d2420e1fef | ||
|
|
2369cc3d08 | ||
|
|
d33bce970e | ||
|
|
ca192718ac | ||
|
|
7e5af52ae8 | ||
|
|
a25c2e3cfe | ||
|
|
84912c17fc | ||
|
|
a30af5aa9f | ||
|
|
cf249ce113 | ||
|
|
8869090cf2 | ||
|
|
957a499a65 | ||
|
|
3c11984291 | ||
|
|
a85b8dd6f3 | ||
|
|
f595086d53 | ||
|
|
b281869651 | ||
|
|
3b4f609d19 | ||
|
|
0c8a3faaed | ||
|
|
4e558257b8 | ||
|
|
66e5afb74e | ||
|
|
81b7ff8629 | ||
|
|
5342c5904f | ||
|
|
8b15f23ad9 | ||
|
|
644d392f59 | ||
|
|
4ffd5b4038 | ||
| 6ce613c15a | |||
| 0cb28a1bcc | |||
|
|
a7551966b9 |
1
.gitignore
vendored
1
.gitignore
vendored
@ -8,3 +8,4 @@ avatars/*
|
||||
etc/*
|
||||
*newrelic*
|
||||
user_uploads/*
|
||||
swagger-api.json
|
||||
@ -1,3 +1,3 @@
|
||||
# IPost
|
||||
IPost, formerly known as "authwebsite" is a chatting platform that mainly has one thing in mind: privacy.
|
||||
IPost, formerly known as "authwebsite" is a chatting platform that also server as a gateway for me to have authentication for my other projects.
|
||||
You can visit IPost under https://ipost.rocks
|
||||
@ -4,7 +4,7 @@
|
||||
403: login error (no cookie)
|
||||
404: invalid url / not found
|
||||
410-419: argument/data error
|
||||
420: invalid authetication object
|
||||
420: invalid authentication object
|
||||
429: ratelimit
|
||||
|
||||
500: server error
|
||||
617
package-lock.json
generated
617
package-lock.json
generated
File diff suppressed because it is too large
Load Diff
19
package.json
19
package.json
@ -1,23 +1,26 @@
|
||||
{
|
||||
"dependencies": {
|
||||
"body-parser": "^1.20.1",
|
||||
"body-parser": "^1.20.2",
|
||||
"clean-css": "^5.3.2",
|
||||
"compression": "^1.7.4",
|
||||
"cookie-parser": "^1.4.6",
|
||||
"ejs": "^3.1.8",
|
||||
"ejs": "^3.1.9",
|
||||
"express": "^4.18.2",
|
||||
"express-fileupload": "^1.3.1",
|
||||
"express-useragent": "^1.0.15",
|
||||
"hcaptcha": "^0.1.1",
|
||||
"html-minifier-terser": "^7.1.0",
|
||||
"lru-cache": "^7.14.1",
|
||||
"mysql2": "^3.1.2",
|
||||
"newrelic": "^9.8.1",
|
||||
"sharp": "^0.31.3",
|
||||
"hsts": "^2.2.0",
|
||||
"newrelic": "^9.15.0",
|
||||
"html-minifier-terser": "^7.2.0",
|
||||
"lru-cache": "^9.1.2",
|
||||
"mysql2": "^3.3.5",
|
||||
"newrelic": "^9.11.0",
|
||||
"sharp": "^0.30.7",
|
||||
"spdy": "^4.0.2",
|
||||
"swagger-autogen": "^2.23.1",
|
||||
"uglify-js": "^3.17.4",
|
||||
"unsafe_encrypt": "^1.0.4",
|
||||
"ws": "^8.12.0"
|
||||
"ws": "^8.13.0"
|
||||
},
|
||||
"scripts": {
|
||||
"start": "node server.js",
|
||||
|
||||
@ -10,76 +10,67 @@ export const setup = function (router, con, server) {
|
||||
router.use("/*", (req, res, next) => {
|
||||
res.set("Access-Control-Allow-Origin", "*"); //we'll allow it for now
|
||||
let unsigned;
|
||||
if (req.body.user === undefined || req.body.pass === undefined) {
|
||||
if(typeof req.get("ipost-auth-token") === "string") {
|
||||
try{
|
||||
req.body.auth = JSON.parse(req.get("ipost-auth-token"))
|
||||
} catch(err) {
|
||||
console.log("error parsing header",err)
|
||||
}
|
||||
if(typeof req.get("ipost-auth-token") === "string") {
|
||||
try{
|
||||
req.body.auth = JSON.parse(req.get("ipost-auth-token"))
|
||||
} catch(err) {
|
||||
console.log("error parsing header",err)
|
||||
}
|
||||
if(req.body.auth !== undefined && req.originalUrl !== "/redeemauthcode") {
|
||||
if(typeof req.body.auth === "string") {
|
||||
try{
|
||||
req.body.auth = JSON.parse(req.body.auth)
|
||||
} catch(err) {
|
||||
console.log("error parsing",err)
|
||||
}
|
||||
} else
|
||||
if(
|
||||
typeof req.body.auth !== "object" ||
|
||||
typeof req.body.auth.secret !== "string" ||
|
||||
typeof req.body.auth.appid !== "number" ||
|
||||
typeof req.body.auth.auth_token !== "string" ||
|
||||
req.body.auth.secret.length !== 200 ||
|
||||
req.body.auth.auth_token.length !== 200 ||
|
||||
Buffer.from(req.body.auth.secret,"base64").length !== 150
|
||||
) {
|
||||
res.status(420).send("invalid authentication object")
|
||||
return;
|
||||
} else {
|
||||
//secret : string(200 chars)
|
||||
//appid : number
|
||||
//auth_token: string(200 chars)
|
||||
let sql = "select User_ID,User_Name,User_Bio,User_Avatar,User_Settings from ipost.auth_tokens inner join ipost.application on auth_token_isfrom_application_id=application_id inner join ipost.users on auth_token_u_id=User_ID where auth_token=? and application_secret=? and application_id=?"
|
||||
con.query(sql,[SHA256(req.body.auth.auth_token,req.body.auth.appid, HASHES_DB),SHA256(req.body.auth.secret,req.body.auth.appid, HASHES_DB),req.body.auth.appid],(err,result) => {
|
||||
if(err) throw err;
|
||||
|
||||
if(result.length !== 1) {
|
||||
res.status(420).send("invalid authentication object (or server error?)")
|
||||
return;
|
||||
}
|
||||
|
||||
res.locals.userid = result[0].User_ID;
|
||||
res.locals.username = result[0].User_Name;
|
||||
res.locals.bio = result[0].User_Bio || "";
|
||||
res.locals.avatar = result[0].User_Avatar || "";
|
||||
res.locals.settings = result[0].User_Settings || {};
|
||||
|
||||
res.locals.isbot = true; //only apps/bots use auth tokens
|
||||
|
||||
next()
|
||||
})
|
||||
return;
|
||||
}
|
||||
} else {
|
||||
if(!req.cookies.AUTH_COOKIE) {
|
||||
next()
|
||||
return
|
||||
}
|
||||
unsigned = unsign(req.cookies.AUTH_COOKIE, req, res);
|
||||
if (!unsigned){
|
||||
next()
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
else {
|
||||
unsigned = `${req.body.user} ${SHA256(req.body.pass, req.body.user, HASHES_COOKIE)}`;
|
||||
res.set("message","user+pass authentication is deprecated as of february 2023, consider switching to auth tokens")
|
||||
//basically we generate the unsigned cookie
|
||||
res.locals.isbot = true; //only bots use user+pass
|
||||
if(req.body.auth !== undefined && req.originalUrl !== "/redeemauthcode") {
|
||||
if(typeof req.body.auth === "string") {
|
||||
try{
|
||||
req.body.auth = JSON.parse(req.body.auth)
|
||||
} catch(err) {
|
||||
console.log("error parsing",err)
|
||||
}
|
||||
} else
|
||||
if(
|
||||
typeof req.body.auth !== "object" ||
|
||||
typeof req.body.auth.secret !== "string" ||
|
||||
typeof req.body.auth.appid !== "number" ||
|
||||
typeof req.body.auth.auth_token !== "string" ||
|
||||
req.body.auth.secret.length !== 200 ||
|
||||
req.body.auth.auth_token.length !== 200 ||
|
||||
Buffer.from(req.body.auth.secret,"base64").length !== 150
|
||||
) {
|
||||
res.status(420).send("invalid authentication object")
|
||||
return;
|
||||
} else {
|
||||
//secret : string(200 chars)
|
||||
//appid : number
|
||||
//auth_token: string(200 chars)
|
||||
let sql = "select User_ID,User_Name,User_Bio,User_Avatar,User_Settings from ipost.auth_tokens inner join ipost.application on auth_token_isfrom_application_id=application_id inner join ipost.users on auth_token_u_id=User_ID where auth_token=? and application_secret=? and application_id=?"
|
||||
con.query(sql,[SHA256(req.body.auth.auth_token,req.body.auth.appid, HASHES_DB),SHA256(req.body.auth.secret,req.body.auth.appid, HASHES_DB),req.body.auth.appid],(err,result) => {
|
||||
if(err) throw err;
|
||||
|
||||
if(result.length !== 1) {
|
||||
res.status(420).send("invalid authentication object (or server error?)")
|
||||
return;
|
||||
}
|
||||
|
||||
res.locals.userid = result[0].User_ID;
|
||||
res.locals.username = result[0].User_Name;
|
||||
res.locals.bio = result[0].User_Bio || "";
|
||||
res.locals.avatar = result[0].User_Avatar || "";
|
||||
res.locals.settings = result[0].User_Settings || {};
|
||||
|
||||
res.locals.isbot = true; //only apps/bots use auth tokens
|
||||
|
||||
next()
|
||||
})
|
||||
return;
|
||||
}
|
||||
} else {
|
||||
if(!req.cookies.AUTH_COOKIE) {
|
||||
next()
|
||||
return
|
||||
}
|
||||
unsigned = unsign(req.cookies.AUTH_COOKIE, req, res);
|
||||
if (!unsigned){
|
||||
next()
|
||||
return
|
||||
}
|
||||
}
|
||||
let sql = `select User_ID,User_Name,User_Bio,User_Avatar,User_Settings from ipost.users where User_Name=? and User_PW=?;`;
|
||||
let values = unsigned.split(" ");
|
||||
@ -118,6 +109,9 @@ export const setup = function (router, con, server) {
|
||||
res.status(402);
|
||||
res.json({ "error": "you cannot access the api without being logged in" });
|
||||
}
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
};
|
||||
export default {
|
||||
|
||||
@ -20,6 +20,9 @@ export const setup = function (router, con, server) {
|
||||
throw err;
|
||||
res.json(result);
|
||||
});
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
router.get("/api/dms/conversations", function (req, res) {
|
||||
res.set("Access-Control-Allow-Origin", "*");
|
||||
@ -30,10 +33,16 @@ export const setup = function (router, con, server) {
|
||||
throw err;
|
||||
res.json(result);
|
||||
});
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
router.get("/api/dms/encrypt.js", function (req, res) {
|
||||
res.set("Access-Control-Allow-Origin", "*");
|
||||
res.send(web_version());
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
//
|
||||
router.get("/api/dms/getDM", function (req, res) {
|
||||
@ -52,6 +61,9 @@ export const setup = function (router, con, server) {
|
||||
res.json({ "error": "there is no such dm!" });
|
||||
}
|
||||
});
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
};
|
||||
export default {
|
||||
|
||||
@ -19,6 +19,9 @@ export const setup = function (router, con, server) {
|
||||
router.get("/api/dms/pid", function (req, res) {
|
||||
res.set("Access-Control-Allow-Origin", "*");
|
||||
res.json({ "pid": createPID() });
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
router.post("/api/dms/post", function (req, res) {
|
||||
if (!req.body.message) {
|
||||
@ -89,6 +92,10 @@ export const setup = function (router, con, server) {
|
||||
console.log(5, `posted new dm by ${res.locals.username} to ${otherperson} : ${xor(encodeURIComponent(res.locals.username), otherperson)}`);
|
||||
});
|
||||
//TODO: bring dms up-to-date with normal posts
|
||||
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
return createPID
|
||||
};
|
||||
|
||||
@ -31,8 +31,8 @@ async function addTextOnImage(text,buf) {
|
||||
}
|
||||
|
||||
export const setup = function (router, con, server) {
|
||||
router.get("/api/getFileIcon/*",async function(req,res){
|
||||
let path = req.path.split("/api/getFileIcon/")[1]
|
||||
router.get("/api/getFileIcon/:icon",async function(req,res){
|
||||
let path = req.params.icon
|
||||
if(path.length > 4) {
|
||||
res.status(410).json({"error":"file ending is too long"})
|
||||
return;
|
||||
@ -41,5 +41,8 @@ export const setup = function (router, con, server) {
|
||||
res.set("content-type","image/png")
|
||||
res.send(buf)
|
||||
})
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
})
|
||||
}
|
||||
@ -1,8 +1,4 @@
|
||||
export const setup = function (router, con, server) {
|
||||
router.get("/api/getPosts/*", function (_req, res) {
|
||||
res.set("Access-Control-Allow-Origin", "");
|
||||
res.redirect("/api/getPosts");
|
||||
});
|
||||
router.get("/api/getPosts", function (req, res) {
|
||||
res.set("Access-Control-Allow-Origin", "*");
|
||||
if (req.query.channel !== undefined) {
|
||||
@ -21,6 +17,9 @@ export const setup = function (router, con, server) {
|
||||
res.json(result);
|
||||
});
|
||||
}
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
router.get("/api/getPostsLowerThan", function (req, res) {
|
||||
res.set("Access-Control-Allow-Origin", "*");
|
||||
@ -40,6 +39,9 @@ export const setup = function (router, con, server) {
|
||||
res.json(result);
|
||||
});
|
||||
}
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
router.get("/api/getPost", function (req, res) {
|
||||
res.set("Access-Control-Allow-Origin", "*");
|
||||
@ -56,5 +58,8 @@ export const setup = function (router, con, server) {
|
||||
res.json({ "error": "there is no such post!" });
|
||||
}
|
||||
});
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
}
|
||||
@ -32,6 +32,9 @@ export const setup = function (router, con, server) {
|
||||
router.get("/api/pid", function (req, res) {
|
||||
res.set("Access-Control-Allow-Origin", "*");
|
||||
res.json({ "pid": createPID() });
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
|
||||
function validateMessage(message) {
|
||||
@ -204,6 +207,9 @@ export const setup = function (router, con, server) {
|
||||
res.json({"error":"internal server error", "status": 500})
|
||||
}
|
||||
}
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
return createPID
|
||||
};
|
||||
|
||||
@ -34,5 +34,9 @@ export const setup = function (router, con, server) {
|
||||
else {
|
||||
res.json({ "error": "invalid type passed along, expected `user` or `post`", "message": "search has been deprecated as of 11/30/2022"});
|
||||
}
|
||||
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
}
|
||||
@ -4,6 +4,10 @@ const allowed_settings = {
|
||||
export const setup = function (router, con, server) {
|
||||
router.get("/api/settings", function (req, res) {
|
||||
res.json(res.locals.settings);
|
||||
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
router.post("/api/settings", function (req, res) {
|
||||
if (!req.body.setting) {
|
||||
@ -45,6 +49,10 @@ export const setup = function (router, con, server) {
|
||||
}
|
||||
res.json({ "status": "success" });
|
||||
});
|
||||
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
};
|
||||
export default {
|
||||
|
||||
@ -48,9 +48,15 @@ export const setup = function (router, con, server) {
|
||||
});
|
||||
})
|
||||
});
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
router.get("/api/getuser", function (_req, res) {
|
||||
res.json({ "username": res.locals.username, "bio": res.locals.bio, "avatar": res.locals.avatar, "userid": res.locals.userid });
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
router.get("/api/getalluserinformation", function (req, res) {
|
||||
res.set("Access-Control-Allow-Origin", ""); //we don't want that here
|
||||
@ -73,6 +79,9 @@ export const setup = function (router, con, server) {
|
||||
res.json({ "error": "you cannot access the api without being logged in" });
|
||||
}
|
||||
});
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
router.get("/api/getotheruser", function (req, res) {
|
||||
res.set("Access-Control-Allow-Origin", "*");
|
||||
@ -109,6 +118,9 @@ export const setup = function (router, con, server) {
|
||||
throw err;
|
||||
res.json({ "success": "updated bio" });
|
||||
});
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
router.post("/api/changePW", (req, res) => {
|
||||
res.set("Access-Control-Allow-Origin", "");
|
||||
@ -149,6 +161,9 @@ export const setup = function (router, con, server) {
|
||||
res.json({ "error": "invalid password" });
|
||||
}
|
||||
});
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
router.post("/api/changeUsername", function (req, res) {
|
||||
res.set("Access-Control-Allow-Origin", "");
|
||||
@ -212,5 +227,8 @@ export const setup = function (router, con, server) {
|
||||
res.json({ "error": "invalid password" });
|
||||
}
|
||||
});
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
}
|
||||
@ -23,7 +23,7 @@ export const setup = function (router, con, server) {
|
||||
|
||||
let tokencode;
|
||||
while(tokencode===undefined || temp_code_to_token[tokencode]!==undefined) {
|
||||
tokencode = randomBytes(15).toString("base64")
|
||||
tokencode = randomBytes(15).toString("base64").replaceAll("/","f").replaceAll("+","A") //"/" and "+" may break some apps
|
||||
}
|
||||
temp_code_to_token[tokencode]={
|
||||
"userid":res.locals.userid,
|
||||
@ -35,7 +35,7 @@ export const setup = function (router, con, server) {
|
||||
if(data !== undefined && data.token===token && data.appid === appid && data.userid === res.locals.userid) {
|
||||
temp_code_to_token[tokencode]=undefined
|
||||
}
|
||||
}, 300000); //wait for 5 minutes
|
||||
}, 1000*60*5);
|
||||
|
||||
const sql = "SELECT application_auth_url FROM ipost.application where application_id=?"
|
||||
|
||||
@ -45,7 +45,11 @@ export const setup = function (router, con, server) {
|
||||
res.redirect(`/authorize?id=${req.body.application_id}`)
|
||||
return
|
||||
}
|
||||
res.redirect(`${result[0].application_auth_url}?code=${tokencode}`)
|
||||
let extra = ""
|
||||
if(req.body.application_extra !== "") {
|
||||
extra = "&extra="+String(req.body.application_extra)
|
||||
}
|
||||
res.redirect(`${result[0].application_auth_url}?code=${tokencode}${extra}`)
|
||||
})
|
||||
|
||||
|
||||
@ -55,6 +59,10 @@ export const setup = function (router, con, server) {
|
||||
}
|
||||
|
||||
res.redirect(`/authorize?id=${req.body.application_id}`)
|
||||
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
})
|
||||
|
||||
router.post("/redeemauthcode", (req,res) => {
|
||||
@ -120,4 +128,8 @@ export const setup = function (router, con, server) {
|
||||
|
||||
|
||||
})
|
||||
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
}
|
||||
@ -5,43 +5,43 @@ export const setup = function (router, con, server) {
|
||||
const __dirname = server.dirname
|
||||
const dir = __dirname + "/"
|
||||
|
||||
router.get("/users/*", function (req, res) {
|
||||
router.get("/users/:user", function (req, res) {
|
||||
if (!increaseUSERCall(req, res))
|
||||
return;
|
||||
res.sendFile(dir + "views/otheruser.html");
|
||||
});
|
||||
router.get("/css/*", (request, response) => {
|
||||
router.get("/css/:file", (request, response) => {
|
||||
if (!increaseUSERCall(request, response))
|
||||
return;
|
||||
if (existsSync(__dirname + request.originalUrl)) {
|
||||
response.sendFile(__dirname + request.originalUrl);
|
||||
if (existsSync(`${__dirname}/css/${request.params.file}`)) {
|
||||
response.sendFile(`${__dirname}/css/${request.params.file}`);
|
||||
}
|
||||
else {
|
||||
response.status(404).send("no file with that name found");
|
||||
}
|
||||
return;
|
||||
});
|
||||
router.get("/js/*", (request, response) => {
|
||||
router.get("/js/:file", (request, response) => {
|
||||
if (!increaseUSERCall(request, response))
|
||||
return;
|
||||
if (existsSync(__dirname + request.originalUrl)) {
|
||||
response.sendFile(__dirname + request.originalUrl);
|
||||
if (existsSync(`${__dirname}/js/${request.params.file}`)) {
|
||||
response.sendFile(`${__dirname}/js/${request.params.file}`);
|
||||
}
|
||||
else {
|
||||
response.status(404).send("no file with that name found");
|
||||
}
|
||||
return;
|
||||
});
|
||||
router.get("/images/*", (request, response) => {
|
||||
router.get("/images/:file", (request, response) => {
|
||||
if (!increaseUSERCall(request, response))
|
||||
return;
|
||||
if (existsSync(__dirname + request.originalUrl)) {
|
||||
if (existsSync(`${__dirname}/images/${request.params.file}`)) {
|
||||
response.set('Cache-Control', 'public, max-age=2592000'); //cache it for one month-ish
|
||||
response.sendFile(__dirname + request.originalUrl);
|
||||
response.sendFile(`${__dirname}/images/${request.params.file}`);
|
||||
}
|
||||
else if(existsSync(__dirname + request.originalUrl.toLowerCase())){
|
||||
else if(existsSync(`${__dirname}/images/${request.params.file.toLowerCase()}`)){
|
||||
response.set('Cache-Control', 'public, max-age=2592000'); //cache it for one month-ish
|
||||
response.sendFile(__dirname + request.originalUrl.toLowerCase());
|
||||
response.sendFile(`${__dirname}/images/${request.params.file.toLowerCase()}`);
|
||||
}
|
||||
else {
|
||||
response.status(404).send("no file with that name found");
|
||||
@ -49,12 +49,12 @@ export const setup = function (router, con, server) {
|
||||
return;
|
||||
});
|
||||
|
||||
router.get("/user_uploads/*", (request, response) => {
|
||||
router.get("/user_uploads/:file", (request, response) => {
|
||||
if (!increaseUSERCall(request, response))
|
||||
return;
|
||||
if (existsSync(__dirname + request.originalUrl)) {
|
||||
if (existsSync(`${__dirname}/user_uploads/${request.params.file}`)) {
|
||||
response.set('Cache-Control', 'public, max-age=2592000'); //cache it for one month-ish
|
||||
response.sendFile(__dirname + request.originalUrl);
|
||||
response.sendFile(`${__dirname}/user_uploads/${request.params.file}`);
|
||||
}
|
||||
else {
|
||||
response.status(404).send("no file with that name found");
|
||||
@ -62,13 +62,12 @@ export const setup = function (router, con, server) {
|
||||
return;
|
||||
});
|
||||
|
||||
router.get("/avatars/*", (request, response) => {
|
||||
router.get("/avatars/:avatar", (request, response) => {
|
||||
if (!increaseUSERCall(request, response))
|
||||
return;
|
||||
response.set('Cache-Control', 'public, max-age=2592000'); //cache it for one month-ish
|
||||
let originalUrl = request.originalUrl.split("?").shift();
|
||||
if (existsSync(dir + originalUrl)) {
|
||||
return response.sendFile(dir + originalUrl);
|
||||
if (existsSync(`${__dirname}/avatars/${request.params.avatar}`)) {
|
||||
return response.sendFile(`${__dirname}/avatars/${request.params.avatar}`);
|
||||
}
|
||||
response.status(404).send("No avatar with that name found");
|
||||
});
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
import ejs from "ejs"
|
||||
import LRU from "lru-cache"
|
||||
import { LRUCache as LRU} from "lru-cache"
|
||||
import {minify as min_js} from "uglify-js"
|
||||
import Clean from 'clean-css';
|
||||
import Minifier from 'html-minifier-terser';
|
||||
@ -25,27 +25,27 @@ export const setup = function (router, con, server) {
|
||||
updateAgeOnHas: true
|
||||
})
|
||||
|
||||
function load_var(fina) {
|
||||
if(load_var_cache.get(fina))return load_var_cache.get(fina)
|
||||
if(!existsSync(fina)) {
|
||||
console.log(1,"tried loading non-existent file",fina)
|
||||
load_var_cache.set(fina,"")
|
||||
return "";
|
||||
}
|
||||
let out = readFileSync(fina)
|
||||
if(fina.endsWith(".js")) {
|
||||
out = min_js(out.toString()).code
|
||||
}
|
||||
else if(fina.endsWith(".css")) {
|
||||
const {
|
||||
styles,
|
||||
} = new Clean({}).minify(out.toString());
|
||||
out = styles
|
||||
function load_var(filePath) {
|
||||
if (load_var_cache.has(filePath)) {
|
||||
return load_var_cache.get(filePath);
|
||||
}
|
||||
|
||||
load_var_cache.set(fina,out)
|
||||
if (!existsSync(filePath)) {
|
||||
console.log(1,'Tried loading non-existent file', filePath);
|
||||
load_var_cache.set(filePath, '');
|
||||
return '';
|
||||
}
|
||||
|
||||
return out
|
||||
let output = readFileSync(filePath);
|
||||
|
||||
if (filePath.endsWith('.js')) {
|
||||
output = min_js(output.toString()).code;
|
||||
} else if (filePath.endsWith('.css')) {
|
||||
const { styles } = new Clean({}).minify(output.toString());
|
||||
output = styles;
|
||||
}
|
||||
load_var_cache.set(filePath, output);
|
||||
return output;
|
||||
}
|
||||
|
||||
function get_channels(){
|
||||
@ -70,6 +70,10 @@ export const setup = function (router, con, server) {
|
||||
function getAppWithId(appid) {
|
||||
appid = Number(appid)
|
||||
return new Promise((res,rej) => {
|
||||
if(isNaN(appid)) {
|
||||
res({})
|
||||
return
|
||||
}
|
||||
if(appId_Cache.has(appid)) {
|
||||
res(appId_Cache.get(appid) || {})
|
||||
return
|
||||
@ -111,11 +115,13 @@ export const setup = function (router, con, server) {
|
||||
if (!increaseUSERCall(request, response))return;
|
||||
if(typeof overrideurl !== "string")overrideurl = undefined;
|
||||
|
||||
let originalUrl = overrideurl || request.originalUrl.split("?").shift();
|
||||
let originalUrl = overrideurl
|
||||
|| request.params.file
|
||||
|| request.originalUrl.split("?").shift(); //backup in case anything goes wrong
|
||||
|
||||
let path = ""
|
||||
if (existsSync(dir + "views" + originalUrl)) {
|
||||
path = dir + "views" + originalUrl
|
||||
if (existsSync(dir + "views/" + originalUrl)) {
|
||||
path = dir + "views/" + originalUrl
|
||||
//send .txt files as plaintext to help browsers interpret it correctly
|
||||
if(originalUrl.endsWith(".txt")) {
|
||||
response.set('Content-Type', 'text/plain');
|
||||
@ -136,10 +142,11 @@ export const setup = function (router, con, server) {
|
||||
path = dir + "views" + originalUrl + ".html"
|
||||
}
|
||||
|
||||
if(path !== "" && originalUrl !== "/favicon.ico" && originalUrl !== "/api/documentation/") {
|
||||
if(path !== "" && originalUrl !== "favicon.ico" && originalUrl !== "api_documentation" && originalUrl !== "api_documentation.html") {
|
||||
console.log(originalUrl)
|
||||
global_page_variables.user = { "username": response.locals.username, "bio": response.locals.bio, "avatar": response.locals.avatar }
|
||||
global_page_variables.query = request.query
|
||||
if(originalUrl === "/authorize") {
|
||||
if(originalUrl === "authorize") {
|
||||
global_page_variables.application = await getAppWithId(request.query.id)
|
||||
}
|
||||
ejs.renderFile(path,global_page_variables,{async: true},async function(err,str){
|
||||
@ -177,16 +184,16 @@ export const setup = function (router, con, server) {
|
||||
return;
|
||||
}
|
||||
|
||||
if(originalUrl === "/favicon.ico") {
|
||||
if(originalUrl === "api_documentation" || originalUrl === "api_documentation.html") {
|
||||
response.set('Cache-Control', 'public, max-age=2592000');
|
||||
response.sendFile(dir + "/views/favicon.ico")
|
||||
response.set('Content-Type', 'text/html')
|
||||
response.send(load_var("./views/api_documentation.html"))
|
||||
return
|
||||
}
|
||||
|
||||
if(originalUrl === "/api/documentation/") {
|
||||
readFile(path,function(_err,res){
|
||||
response.send(res.toString())
|
||||
})
|
||||
if(originalUrl === "favicon.ico") {
|
||||
response.set('Cache-Control', 'public, max-age=2592000');
|
||||
response.sendFile(dir + "/views/favicon.ico")
|
||||
return
|
||||
}
|
||||
|
||||
@ -201,9 +208,14 @@ export const setup = function (router, con, server) {
|
||||
/**
|
||||
* Handle default URI as /index (interpreted redirect: "localhost" -> "localhost/index" )
|
||||
*/
|
||||
router.get("/", function (req, res) {
|
||||
router.get("/", (req, res) => {
|
||||
req.params.file = "index"
|
||||
handleUserFiles(req,res,"/index")
|
||||
});
|
||||
|
||||
router.get("/*", handleUserFiles);
|
||||
router.get("/:file", handleUserFiles);
|
||||
router.get("/:folder/:file", (req, res) => {
|
||||
req.params.file = req.params.folder+"/"+req.params.file
|
||||
handleUserFiles(req,res)
|
||||
});
|
||||
}
|
||||
25
server.js
25
server.js
@ -14,6 +14,7 @@ import { readFileSync, appendFile } from "fs";
|
||||
import { format } from "util";
|
||||
import { setup as SETUP_ROUTES} from "./routes/setup_all_routes.js"
|
||||
import { verify as verifyHCaptcha_int } from "hcaptcha"
|
||||
import hsts from "hsts"
|
||||
|
||||
import { ensureExists } from "./extra_modules/ensureExists.js"
|
||||
|
||||
@ -262,6 +263,26 @@ app.use(fileUpload({
|
||||
}
|
||||
}));
|
||||
|
||||
const hstsMiddleware = hsts({
|
||||
maxAge: 31536000,
|
||||
includeSubDomains: true,
|
||||
preload: true
|
||||
})
|
||||
|
||||
app.use((req, res, next) => {
|
||||
res.set("x-powered-by", "ipost");
|
||||
res.set("X-Frame-Options","DENY");
|
||||
res.set("X-XSS-Protection","1; mode=block");
|
||||
res.set("X-Content-Type-Options","nosniff");
|
||||
res.set("Referrer-Policy","no-referrer");
|
||||
|
||||
if (req.secure) {
|
||||
hstsMiddleware(req, res, next)
|
||||
} else {
|
||||
next()
|
||||
}
|
||||
})
|
||||
|
||||
app.use(bodyParser.default.json({ limit: "100mb" }));
|
||||
app.use(bodyParser.default.urlencoded({ limit: "100mb", extended: true }));
|
||||
app.use(cookieParser(cookiesecret));
|
||||
@ -304,7 +325,6 @@ app.use((req, res, next) => {
|
||||
});
|
||||
|
||||
app.use("/*", function (req, res, next) {
|
||||
res.set("x-powered-by", "ipost");
|
||||
for (let i = 0; i < blocked_headers.length; i++) {
|
||||
if (req.header(blocked_headers[i]) !== undefined) {
|
||||
res.json({ "error": "we don't allow proxies on our website." });
|
||||
@ -358,6 +378,9 @@ router.get("/api/getChannels", function (_req, res) {
|
||||
throw err;
|
||||
res.json(result);
|
||||
});
|
||||
/* #swagger.security = [{
|
||||
"appTokenAuthHeader": []
|
||||
}] */
|
||||
});
|
||||
/*
|
||||
|
||||
|
||||
@ -155,8 +155,8 @@
|
||||
"level": 5
|
||||
},
|
||||
"ssl": {
|
||||
"privateKey": "./etc/letsencrypt/live/ipost.rocks/privkey.pem",
|
||||
"certificate" : "./etc/letsencrypt/live/ipost.rocks/fullchain.pem"
|
||||
"privateKey": "/etc/letsencrypt/live/ipost.rocks-0002/privkey.pem",
|
||||
"certificate" : "/etc/letsencrypt/live/ipost.rocks-0002/fullchain.pem"
|
||||
},
|
||||
"ports": {
|
||||
"http": 9999,
|
||||
|
||||
78
swagger.cjs
Normal file
78
swagger.cjs
Normal file
@ -0,0 +1,78 @@
|
||||
const fs = require('fs');
|
||||
const swaggerAutogen = require('swagger-autogen')();
|
||||
|
||||
const doc = {
|
||||
info: {
|
||||
title: 'IPost API',
|
||||
description: 'the official IPost.rocks API documentation',
|
||||
},
|
||||
host: 'ipost.rocks',
|
||||
schemes: ['https'],
|
||||
securityDefinitions: {
|
||||
appTokenAuthHeader: {
|
||||
type: 'apiKey',
|
||||
in: 'header', // can be 'header', 'query' or 'cookie'
|
||||
name: 'ipost-auth-token', // name of the header, query parameter or cookie
|
||||
description: 'authenticate using the authentication object in the header'
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
const outputFile = './swagger-api.json';
|
||||
const tempFile = './swagger-output.json';
|
||||
const endpointsFiles = ['./server.js'];
|
||||
|
||||
function pushdirectory(currentpath) {
|
||||
fs.readdirSync(currentpath, {
|
||||
withFileTypes: true
|
||||
}).forEach(dirent => {
|
||||
if (dirent.isFile()) {
|
||||
endpointsFiles.push(currentpath + dirent.name);
|
||||
} else {
|
||||
pushdirectory(currentpath + dirent.name + "/");
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
pushdirectory("./routes/");
|
||||
|
||||
swaggerAutogen(tempFile, endpointsFiles, doc);
|
||||
|
||||
/*
|
||||
Replace some error codes with own error codes, as described in error_codes.txt
|
||||
*/
|
||||
const to_replace = {
|
||||
"401": "login error (invalid cookie)",
|
||||
"402": "login error (bad cookie)",
|
||||
"403": "login error (no cookie)",
|
||||
|
||||
"410": "argument/data error",
|
||||
"411": "argument/data error",
|
||||
"412": "argument/data error",
|
||||
"413": "argument/data error",
|
||||
"414": "argument/data error",
|
||||
"415": "argument/data error",
|
||||
"416": "argument/data error",
|
||||
"417": "argument/data error",
|
||||
"418": "argument/data error",
|
||||
"419": "argument/data error",
|
||||
"420": "invalid authetication object",
|
||||
|
||||
}
|
||||
|
||||
let file = JSON.parse(fs.readFileSync(tempFile, 'utf8'));
|
||||
|
||||
for (let path in file.paths) {
|
||||
for (let method in file.paths[path]) {
|
||||
for (let response in file.paths[path][method].responses) {
|
||||
if (to_replace[response]) {
|
||||
file.paths[path][method].responses[response].description = to_replace[response];
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
file = JSON.stringify(file);
|
||||
console.log(file)
|
||||
fs.writeFileSync(outputFile, file);
|
||||
fs.rmSync(tempFile);
|
||||
File diff suppressed because it is too large
Load Diff
@ -27,6 +27,7 @@
|
||||
<p>Please authorize the app "<%= application.application_name %>" to access your information:</p>
|
||||
<form action="/authorize" method="post">
|
||||
<input type="number" value=<%= query.id %> class="hidden" name="application_id" id="application_id">
|
||||
<input type="number" value=<%= query.extra || "" %> class="hidden" name="application_extra" id="application_extra">
|
||||
<div class="h-captcha" data-sitekey="<%- hcaptcha_sitekey %>"></div>
|
||||
<input type="submit" value="Authorize">
|
||||
</form>
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user