Merge branch 'master' into webseed-merged

author: Chocobozzz <florian.bigard@gmail.com> 2016-10-02 15:39:09 +0200
committer: Chocobozzz <florian.bigard@gmail.com> 2016-10-02 15:39:09 +0200
commit: a6375e69668ea42e19531c6bc68dcd37f3f7cbd7 (patch)
tree: 03204a408d56311692c3528bedcf95d2455e94f2 /server/middlewares
parent: 052937db8a8d282eccdbdf38d487ed8d85d3c0a7 (diff)
parent: c4403b29ad4db097af528a7f04eea07e0ed320d0 (diff)
download: PeerTube-a6375e69668ea42e19531c6bc68dcd37f3f7cbd7.tar.gz
PeerTube-a6375e69668ea42e19531c6bc68dcd37f3f7cbd7.tar.zst
PeerTube-a6375e69668ea42e19531c6bc68dcd37f3f7cbd7.zip
16 files changed, 252 insertions, 60 deletions
diff --git a/server/middlewares/admin.js b/server/middlewares/admin.js
new file mode 100644
index 000000000..e6d9dc887
--- /dev/null
+++ b/server/middlewares/admin.js
@@ -0,0 +1,22 @@
+'use strict'
+const constants = require('../initializers/constants')
+const logger = require('../helpers/logger')
+const adminMiddleware = {
+  ensureIsAdmin
+}
+function ensureIsAdmin (req, res, next) {
+  const user = res.locals.oauth.token.user
+  if (user.role !== constants.USER_ROLES.ADMIN) {
+    logger.info('A non admin user is trying to access to an admin content.')
+    return res.sendStatus(403)
+  }
+  return next()
+}
+// ---------------------------------------------------------------------------
+module.exports = adminMiddleware
diff --git a/server/middlewares/index.js b/server/middlewares/index.js
index 0a233e701..3f253e31b 100644
--- a/server/middlewares/index.js
+++ b/server/middlewares/index.js
@@ -1,19 +1,23 @@
 'use strict'
-const oauth = require('./oauth')
+const adminMiddleware = require('./admin')
-const pagination = require('./pagination')
+const oauthMiddleware = require('./oauth')
+const paginationMiddleware = require('./pagination')
+const podsMiddleware = require('./pods')
 const validatorsMiddleware = require('./validators')
-const search = require('./search')
+const searchMiddleware = require('./search')
-const sort = require('./sort')
+const sortMiddleware = require('./sort')
 const secureMiddleware = require('./secure')
 const middlewares = {
-  oauth: oauth,
+  admin: adminMiddleware,
-  pagination: pagination,
+  oauth: oauthMiddleware,
-  validators: validatorsMiddleware,
+  pagination: paginationMiddleware,
-  search: search,
+  pods: podsMiddleware,
-  sort: sort,
+  search: searchMiddleware,
-  secure: secureMiddleware
+  secure: secureMiddleware,
+  sort: sortMiddleware,
+  validators: validatorsMiddleware
 }
 // ---------------------------------------------------------------------------
diff --git a/server/middlewares/oauth.js b/server/middlewares/oauth.js
index 91a990509..3a02b9b48 100644
--- a/server/middlewares/oauth.js
+++ b/server/middlewares/oauth.js
@@ -12,8 +12,8 @@ const oAuthServer = new OAuthServer({
 })
 const oAuth = {
-  authenticate: authenticate,
+  authenticate,
-  token: token
+  token
 }
 function authenticate (req, res, next) {
@@ -23,7 +23,7 @@ function authenticate (req, res, next) {
      return res.sendStatus(500)
    }
-    if (res.statusCode === 401 || res.statusCode === 400) return res.end()
+    if (res.statusCode === 401 || res.statusCode === 400 || res.statusCode === 503) return res.end()
    return next()
  })
diff --git a/server/middlewares/pagination.js b/server/middlewares/pagination.js
index a571e51f6..a90f60aab 100644
--- a/server/middlewares/pagination.js
+++ b/server/middlewares/pagination.js
@@ -3,7 +3,7 @@
 const constants = require('../initializers/constants')
 const paginationMiddleware = {
-  setPagination: setPagination
+  setPagination
 }
 function setPagination (req, res, next) {
diff --git a/server/middlewares/pods.js b/server/middlewares/pods.js
new file mode 100644
index 000000000..6e0874a76
--- /dev/null
+++ b/server/middlewares/pods.js
@@ -0,0 +1,62 @@
+'use strict'
+const urlModule = require('url')
+const logger = require('../helpers/logger')
+const podsMiddleware = {
+  setBodyUrlsPort,
+  setBodyUrlPort
+}
+function setBodyUrlsPort (req, res, next) {
+  for (let i = 0; i < req.body.urls.length; i++) {
+    const urlWithPort = getUrlWithPort(req.body.urls[i])
+    // Problem with the url parsing?
+    if (urlWithPort === null) {
+      return res.sendStatus(500)
+    }
+    req.body.urls[i] = urlWithPort
+  }
+  return next()
+}
+function setBodyUrlPort (req, res, next) {
+  const urlWithPort = getUrlWithPort(req.body.url)
+  // Problem with the url parsing?
+  if (urlWithPort === null) {
+    return res.sendStatus(500)
+  }
+  req.body.url = urlWithPort
+  return next()
+}
+// ---------------------------------------------------------------------------
+module.exports = podsMiddleware
+// ---------------------------------------------------------------------------
+function getUrlWithPort (url) {
+  const urlObj = urlModule.parse(url)
+  // Add the port if it is not specified
+  if (urlObj.port === null) {
+    if (urlObj.protocol === 'http:') {
+      return url + ':80'
+    } else if (urlObj.protocol === 'https:') {
+      return url + ':443'
+    } else {
+      logger.error('Unknown url protocol: ' + urlObj.protocol)
+      return null
+    }
+  }
+  return url
+}
diff --git a/server/middlewares/search.js b/server/middlewares/search.js
index 89302a564..bb88faf54 100644
--- a/server/middlewares/search.js
+++ b/server/middlewares/search.js
@@ -1,7 +1,7 @@
 'use strict'
 const searchMiddleware = {
-  setVideosSearch: setVideosSearch
+  setVideosSearch
 }
 function setVideosSearch (req, res, next) {
diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js
index 9779c14ac..58f824d14 100644
--- a/server/middlewares/secure.js
+++ b/server/middlewares/secure.js
@@ -7,10 +7,11 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
 const Pod = mongoose.model('Pod')
 const secureMiddleware = {
-  decryptBody: decryptBody
+  checkSignature,
+  decryptBody
 }
-function decryptBody (req, res, next) {
+function checkSignature (req, res, next) {
  const url = req.body.signature.url
  Pod.loadByUrl(url, function (err, pod) {
    if (err) {
@@ -28,21 +29,30 @@ function decryptBody (req, res, next) {
    const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, url, req.body.signature.signature)
    if (signatureOk === true) {
-      peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
+      return next()
-        if (err) {
+    }
-          logger.error('Cannot decrypt data.', { error: err })
-          return res.sendStatus(500)
+    logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
-        }
+    return res.sendStatus(403)
+  })
-        req.body.data = JSON.parse(decrypted)
+}
-        delete req.body.key
+function decryptBody (req, res, next) {
-        next()
+  peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
-      })
+    if (err) {
-    } else {
+      logger.error('Cannot decrypt data.', { error: err })
-      logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
+      return res.sendStatus(500)
-      return res.sendStatus(403)
    }
+    try {
+      req.body.data = JSON.parse(decrypted)
+      delete req.body.key
+    } catch (err) {
+      logger.error('Error in JSON.parse', { error: err })
+      return res.sendStatus(500)
+    }
+    next()
  })
 }
diff --git a/server/middlewares/sort.js b/server/middlewares/sort.js
index 9f52290a6..f0b7274eb 100644
--- a/server/middlewares/sort.js
+++ b/server/middlewares/sort.js
@@ -1,7 +1,14 @@
 'use strict'
 const sortMiddleware = {
-  setVideosSort: setVideosSort
+  setUsersSort,
+  setVideosSort
+}
+function setUsersSort (req, res, next) {
+  if (!req.query.sort) req.query.sort = '-createdDate'
+  return next()
 }
 function setVideosSort (req, res, next) {
diff --git a/server/middlewares/validators/index.js b/server/middlewares/validators/index.js
index 0471b3f92..6c3a9c2b4 100644
--- a/server/middlewares/validators/index.js
+++ b/server/middlewares/validators/index.js
@@ -4,6 +4,7 @@ const paginationValidators = require('./pagination')
 const podsValidators = require('./pods')
 const remoteValidators = require('./remote')
 const sortValidators = require('./sort')
+const usersValidators = require('./users')
 const videosValidators = require('./videos')
 const validators = {
@@ -11,6 +12,7 @@ const validators = {
  pods: podsValidators,
  remote: remoteValidators,
  sort: sortValidators,
+  users: usersValidators,
  videos: videosValidators
 }
diff --git a/server/middlewares/validators/pagination.js b/server/middlewares/validators/pagination.js
index 8e9a01053..16682696e 100644
--- a/server/middlewares/validators/pagination.js
+++ b/server/middlewares/validators/pagination.js
@@ -4,7 +4,7 @@ const checkErrors = require('./utils').checkErrors
 const logger = require('../../helpers/logger')
 const validatorsPagination = {
-  pagination: pagination
+  pagination
 }
 function pagination (req, res, next) {
diff --git a/server/middlewares/validators/pods.js b/server/middlewares/validators/pods.js
index fda2e865f..fd3d1e2f2 100644
--- a/server/middlewares/validators/pods.js
+++ b/server/middlewares/validators/pods.js
@@ -5,23 +5,29 @@ const friends = require('../../lib/friends')
 const logger = require('../../helpers/logger')
 const validatorsPod = {
-  makeFriends: makeFriends,
+  makeFriends,
-  podsAdd: podsAdd
+  podsAdd
 }
 function makeFriends (req, res, next) {
-  friends.hasFriends(function (err, hasFriends) {
+  req.checkBody('urls', 'Should have an array of unique urls').isEachUniqueUrlValid()
-    if (err) {
-      logger.error('Cannot know if we have friends.', { error: err })
+  logger.debug('Checking makeFriends parameters', { parameters: req.body })
-      res.sendStatus(500)
-    }
+  checkErrors(req, res, function () {
+    friends.hasFriends(function (err, hasFriends) {
-    if (hasFriends === true) {
+      if (err) {
-      // We need to quit our friends before make new ones
+        logger.error('Cannot know if we have friends.', { error: err })
-      res.sendStatus(409)
+        res.sendStatus(500)
-    } else {
+      }
-      return next()
-    }
+      if (hasFriends === true) {
+        // We need to quit our friends before make new ones
+        res.sendStatus(409)
+      } else {
+        return next()
+      }
+    })
  })
 }
diff --git a/server/middlewares/validators/remote.js b/server/middlewares/validators/remote.js
index 1be119458..8c29ef8ca 100644
--- a/server/middlewares/validators/remote.js
+++ b/server/middlewares/validators/remote.js
@@ -4,9 +4,9 @@ const checkErrors = require('./utils').checkErrors
 const logger = require('../../helpers/logger')
 const validatorsRemote = {
-  dataToDecrypt: dataToDecrypt,
+  dataToDecrypt,
-  remoteVideos: remoteVideos,
+  remoteVideos,
-  signature: signature
+  signature
 }
 function dataToDecrypt (req, res, next) {
@@ -19,7 +19,6 @@ function dataToDecrypt (req, res, next) {
 }
 function remoteVideos (req, res, next) {
-  req.checkBody('data').isArray()
  req.checkBody('data').isEachRemoteVideosValid()
  logger.debug('Checking remoteVideos parameters', { parameters: req.body })
diff --git a/server/middlewares/validators/sort.js b/server/middlewares/validators/sort.js
index 56b63cc8b..431d3fffd 100644
--- a/server/middlewares/validators/sort.js
+++ b/server/middlewares/validators/sort.js
@@ -5,7 +5,18 @@ const constants = require('../../initializers/constants')
 const logger = require('../../helpers/logger')
 const validatorsSort = {
-  videosSort: videosSort
+  usersSort,
+  videosSort
+}
+function usersSort (req, res, next) {
+  const sortableColumns = constants.SORTABLE_COLUMNS.USERS
+  req.checkQuery('sort', 'Should have correct sortable column').optional().isIn(sortableColumns)
+  logger.debug('Checking sort parameters', { parameters: req.query })
+  checkErrors(req, res, next)
 }
 function videosSort (req, res, next) {
diff --git a/server/middlewares/validators/users.js b/server/middlewares/validators/users.js
new file mode 100644
index 000000000..d541e9124
--- /dev/null
+++ b/server/middlewares/validators/users.js
@@ -0,0 +1,67 @@
+'use strict'
+const mongoose = require('mongoose')
+const checkErrors = require('./utils').checkErrors
+const logger = require('../../helpers/logger')
+const User = mongoose.model('User')
+const validatorsUsers = {
+  usersAdd,
+  usersRemove,
+  usersUpdate
+}
+function usersAdd (req, res, next) {
+  req.checkBody('username', 'Should have a valid username').isUserUsernameValid()
+  req.checkBody('password', 'Should have a valid password').isUserPasswordValid()
+  logger.debug('Checking usersAdd parameters', { parameters: req.body })
+  checkErrors(req, res, function () {
+    User.loadByUsername(req.body.username, function (err, user) {
+      if (err) {
+        logger.error('Error in usersAdd request validator.', { error: err })
+        return res.sendStatus(500)
+      }
+      if (user) return res.status(409).send('User already exists.')
+      next()
+    })
+  })
+}
+function usersRemove (req, res, next) {
+  req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId()
+  logger.debug('Checking usersRemove parameters', { parameters: req.params })
+  checkErrors(req, res, function () {
+    User.loadById(req.params.id, function (err, user) {
+      if (err) {
+        logger.error('Error in usersRemove request validator.', { error: err })
+        return res.sendStatus(500)
+      }
+      if (!user) return res.status(404).send('User not found')
+      next()
+    })
+  })
+}
+function usersUpdate (req, res, next) {
+  req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId()
+  // Add old password verification
+  req.checkBody('password', 'Should have a valid password').isUserPasswordValid()
+  logger.debug('Checking usersUpdate parameters', { parameters: req.body })
+  checkErrors(req, res, next)
+}
+// ---------------------------------------------------------------------------
+module.exports = validatorsUsers
diff --git a/server/middlewares/validators/utils.js b/server/middlewares/validators/utils.js
index f6e5b2b38..3741b84c6 100644
--- a/server/middlewares/validators/utils.js
+++ b/server/middlewares/validators/utils.js
@@ -5,7 +5,7 @@ const util = require('util')
 const logger = require('../../helpers/logger')
 const validatorsUtils = {
-  checkErrors: checkErrors
+  checkErrors
 }
 function checkErrors (req, res, next, statusCode) {
diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index 3e2af06fb..76e943e77 100644
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -4,20 +4,21 @@ const mongoose = require('mongoose')
 const checkErrors = require('./utils').checkErrors
 const constants = require('../../initializers/constants')
-const customValidators = require('../../helpers/custom-validators')
+const customVideosValidators = require('../../helpers/custom-validators').videos
 const logger = require('../../helpers/logger')
 const Video = mongoose.model('Video')
 const validatorsVideos = {
-  videosAdd: videosAdd,
+  videosAdd,
-  videosGet: videosGet,
+  videosGet,
-  videosRemove: videosRemove,
+  videosRemove,
-  videosSearch: videosSearch
+  videosSearch
 }
 function videosAdd (req, res, next) {
  req.checkFiles('videofile[0].originalname', 'Should have an input video').notEmpty()
+  // TODO: move to constants and function
  req.checkFiles('videofile[0].mimetype', 'Should have a correct mime type').matches(/video\/(webm)|(mp4)|(ogg)/i)
  req.checkBody('name', 'Should have a valid name').isVideoNameValid()
  req.checkBody('description', 'Should have a valid description').isVideoDescriptionValid()
@@ -33,8 +34,8 @@ function videosAdd (req, res, next) {
        return res.status(400).send('Cannot retrieve metadata of the file.')
      }
-      if (!customValidators.isVideoDurationValid(duration)) {
+      if (!customVideosValidators.isVideoDurationValid(duration)) {
-        return res.status(400).send('Duration of the video file is too big (max: ' + constants.VIDEOS_CONSTRAINTS_FIELDS.DURATION.max + 's).')
+        return res.status(400).send('Duration of the video file is too big (max: ' + constants.CONSTRAINTS_FIELDS.VIDEOS.DURATION.max + 's).')
      }
      videoFile.duration = duration
@@ -76,6 +77,7 @@ function videosRemove (req, res, next) {
      if (!video) return res.status(404).send('Video not found')
      else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod')
+      else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user')
      next()
    })
author	Chocobozzz <florian.bigard@gmail.com>	2016-10-02 15:39:09 +0200
committer	Chocobozzz <florian.bigard@gmail.com>	2016-10-02 15:39:09 +0200
commit	a6375e69668ea42e19531c6bc68dcd37f3f7cbd7 (patch)
tree	03204a408d56311692c3528bedcf95d2455e94f2 /server/middlewares
parent	052937db8a8d282eccdbdf38d487ed8d85d3c0a7 (diff)
parent	c4403b29ad4db097af528a7f04eea07e0ed320d0 (diff)
download	PeerTube-a6375e69668ea42e19531c6bc68dcd37f3f7cbd7.tar.gz PeerTube-a6375e69668ea42e19531c6bc68dcd37f3f7cbd7.tar.zst PeerTube-a6375e69668ea42e19531c6bc68dcd37f3f7cbd7.zip

diff --git a/server/middlewares/admin.js b/server/middlewares/admin.js new file mode 100644 index 000000000..e6d9dc887 --- /dev/null +++ b/server/middlewares/admin.js
@@ -0,0 +1,22 @@
		1	'use strict'
		2
		3	const constants = require('../initializers/constants')
		4	const logger = require('../helpers/logger')
		5
		6	const adminMiddleware = {
		7	ensureIsAdmin
		8	}
		9
		10	function ensureIsAdmin (req, res, next) {
		11	const user = res.locals.oauth.token.user
		12	if (user.role !== constants.USER_ROLES.ADMIN) {
		13	logger.info('A non admin user is trying to access to an admin content.')
		14	return res.sendStatus(403)
		15	}
		16
		17	return next()
		18	}
		19
		20	// ---------------------------------------------------------------------------
		21
		22	module.exports = adminMiddleware


diff --git a/server/middlewares/index.js b/server/middlewares/index.js index 0a233e701..3f253e31b 100644 --- a/server/middlewares/index.js +++ b/server/middlewares/index.js
@@ -1,19 +1,23 @@
1	'use strict'	1	'use strict'
2		2
3	const oauth = require('./oauth')	3	const adminMiddleware = require('./admin')
4	const pagination = require('./pagination')	4	const oauthMiddleware = require('./oauth')
		5	const paginationMiddleware = require('./pagination')
		6	const podsMiddleware = require('./pods')
5	const validatorsMiddleware = require('./validators')	7	const validatorsMiddleware = require('./validators')
6	const search = require('./search')	8	const searchMiddleware = require('./search')
7	const sort = require('./sort')	9	const sortMiddleware = require('./sort')
8	const secureMiddleware = require('./secure')	10	const secureMiddleware = require('./secure')
9		11
10	const middlewares = {	12	const middlewares = {
11	oauth: oauth,	13	admin: adminMiddleware,
12	pagination: pagination,	14	oauth: oauthMiddleware,
13	validators: validatorsMiddleware,	15	pagination: paginationMiddleware,
14	search: search,	16	pods: podsMiddleware,
15	sort: sort,	17	search: searchMiddleware,
16	secure: secureMiddleware	18	secure: secureMiddleware,
		19	sort: sortMiddleware,
		20	validators: validatorsMiddleware
17	}	21	}
18		22
19	// ---------------------------------------------------------------------------	23	// ---------------------------------------------------------------------------


diff --git a/server/middlewares/oauth.js b/server/middlewares/oauth.js index 91a990509..3a02b9b48 100644 --- a/server/middlewares/oauth.js +++ b/server/middlewares/oauth.js
@@ -12,8 +12,8 @@ const oAuthServer = new OAuthServer({
12	})	12	})
13		13
14	const oAuth = {	14	const oAuth = {
15	authenticate: authenticate,	15	authenticate,
16	token: token	16	token
17	}	17	}
18		18
19	function authenticate (req, res, next) {	19	function authenticate (req, res, next) {
@@ -23,7 +23,7 @@ function authenticate (req, res, next) {
23	return res.sendStatus(500)	23	return res.sendStatus(500)
24	}	24	}
25		25
26	if (res.statusCode === 401 \|\| res.statusCode === 400) return res.end()	26	if (res.statusCode === 401 \|\| res.statusCode === 400 \|\| res.statusCode === 503) return res.end()
27		27
28	return next()	28	return next()
29	})	29	})


diff --git a/server/middlewares/pagination.js b/server/middlewares/pagination.js index a571e51f6..a90f60aab 100644 --- a/server/middlewares/pagination.js +++ b/server/middlewares/pagination.js
@@ -3,7 +3,7 @@
3	const constants = require('../initializers/constants')	3	const constants = require('../initializers/constants')
4		4
5	const paginationMiddleware = {	5	const paginationMiddleware = {
6	setPagination: setPagination	6	setPagination
7	}	7	}
8		8
9	function setPagination (req, res, next) {	9	function setPagination (req, res, next) {


diff --git a/server/middlewares/pods.js b/server/middlewares/pods.js new file mode 100644 index 000000000..6e0874a76 --- /dev/null +++ b/server/middlewares/pods.js
@@ -0,0 +1,62 @@
		1	'use strict'
		2
		3	const urlModule = require('url')
		4
		5	const logger = require('../helpers/logger')
		6
		7	const podsMiddleware = {
		8	setBodyUrlsPort,
		9	setBodyUrlPort
		10	}
		11
		12	function setBodyUrlsPort (req, res, next) {
		13	for (let i = 0; i < req.body.urls.length; i++) {
		14	const urlWithPort = getUrlWithPort(req.body.urls[i])
		15
		16	// Problem with the url parsing?
		17	if (urlWithPort === null) {
		18	return res.sendStatus(500)
		19	}
		20
		21	req.body.urls[i] = urlWithPort
		22	}
		23
		24	return next()
		25	}
		26
		27	function setBodyUrlPort (req, res, next) {
		28	const urlWithPort = getUrlWithPort(req.body.url)
		29
		30	// Problem with the url parsing?
		31	if (urlWithPort === null) {
		32	return res.sendStatus(500)
		33	}
		34
		35	req.body.url = urlWithPort
		36
		37	return next()
		38	}
		39
		40	// ---------------------------------------------------------------------------
		41
		42	module.exports = podsMiddleware
		43
		44	// ---------------------------------------------------------------------------
		45
		46	function getUrlWithPort (url) {
		47	const urlObj = urlModule.parse(url)
		48
		49	// Add the port if it is not specified
		50	if (urlObj.port === null) {
		51	if (urlObj.protocol === 'http:') {
		52	return url + ':80'
		53	} else if (urlObj.protocol === 'https:') {
		54	return url + ':443'
		55	} else {
		56	logger.error('Unknown url protocol: ' + urlObj.protocol)
		57	return null
		58	}
		59	}
		60
		61	return url
		62	}


diff --git a/server/middlewares/search.js b/server/middlewares/search.js index 89302a564..bb88faf54 100644 --- a/server/middlewares/search.js +++ b/server/middlewares/search.js
@@ -1,7 +1,7 @@
1	'use strict'	1	'use strict'
2		2
3	const searchMiddleware = {	3	const searchMiddleware = {
4	setVideosSearch: setVideosSearch	4	setVideosSearch
5	}	5	}
6		6
7	function setVideosSearch (req, res, next) {	7	function setVideosSearch (req, res, next) {


diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js index 9779c14ac..58f824d14 100644 --- a/server/middlewares/secure.js +++ b/server/middlewares/secure.js
@@ -7,10 +7,11 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
7	const Pod = mongoose.model('Pod')	7	const Pod = mongoose.model('Pod')
8		8
9	const secureMiddleware = {	9	const secureMiddleware = {
10	decryptBody: decryptBody	10	checkSignature,
		11	decryptBody
11	}	12	}
12		13
13	function decryptBody (req, res, next) {	14	function checkSignature (req, res, next) {
14	const url = req.body.signature.url	15	const url = req.body.signature.url
15	Pod.loadByUrl(url, function (err, pod) {	16	Pod.loadByUrl(url, function (err, pod) {
16	if (err) {	17	if (err) {
@@ -28,21 +29,30 @@ function decryptBody (req, res, next) {
28	const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, url, req.body.signature.signature)	29	const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, url, req.body.signature.signature)
29		30
30	if (signatureOk === true) {	31	if (signatureOk === true) {
31	peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {	32	return next()
32	if (err) {	33	}
33	logger.error('Cannot decrypt data.', { error: err })	34
34	return res.sendStatus(500)	35	logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)
35	}	36	return res.sendStatus(403)
36		37	})
37	req.body.data = JSON.parse(decrypted)	38	}
38	delete req.body.key	39
39		40	function decryptBody (req, res, next) {
40	next()	41	peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
41	})	42	if (err) {
42	} else {	43	logger.error('Cannot decrypt data.', { error: err })
43	logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.url)	44	return res.sendStatus(500)
44	return res.sendStatus(403)
45	}	45	}
		46
		47	try {
		48	req.body.data = JSON.parse(decrypted)
		49	delete req.body.key
		50	} catch (err) {
		51	logger.error('Error in JSON.parse', { error: err })
		52	return res.sendStatus(500)
		53	}
		54
		55	next()
46	})	56	})
47	}	57	}
48		58


diff --git a/server/middlewares/sort.js b/server/middlewares/sort.js index 9f52290a6..f0b7274eb 100644 --- a/server/middlewares/sort.js +++ b/server/middlewares/sort.js
@@ -1,7 +1,14 @@
1	'use strict'	1	'use strict'
2		2
3	const sortMiddleware = {	3	const sortMiddleware = {
4	setVideosSort: setVideosSort	4	setUsersSort,
		5	setVideosSort
		6	}
		7
		8	function setUsersSort (req, res, next) {
		9	if (!req.query.sort) req.query.sort = '-createdDate'
		10
		11	return next()
5	}	12	}
6		13
7	function setVideosSort (req, res, next) {	14	function setVideosSort (req, res, next) {


diff --git a/server/middlewares/validators/index.js b/server/middlewares/validators/index.js index 0471b3f92..6c3a9c2b4 100644 --- a/server/middlewares/validators/index.js +++ b/server/middlewares/validators/index.js
@@ -4,6 +4,7 @@ const paginationValidators = require('./pagination')
4	const podsValidators = require('./pods')	4	const podsValidators = require('./pods')
5	const remoteValidators = require('./remote')	5	const remoteValidators = require('./remote')
6	const sortValidators = require('./sort')	6	const sortValidators = require('./sort')
		7	const usersValidators = require('./users')
7	const videosValidators = require('./videos')	8	const videosValidators = require('./videos')
8		9
9	const validators = {	10	const validators = {
@@ -11,6 +12,7 @@ const validators = {
11	pods: podsValidators,	12	pods: podsValidators,
12	remote: remoteValidators,	13	remote: remoteValidators,
13	sort: sortValidators,	14	sort: sortValidators,
		15	users: usersValidators,
14	videos: videosValidators	16	videos: videosValidators
15	}	17	}
16		18


diff --git a/server/middlewares/validators/pagination.js b/server/middlewares/validators/pagination.js index 8e9a01053..16682696e 100644 --- a/server/middlewares/validators/pagination.js +++ b/server/middlewares/validators/pagination.js
@@ -4,7 +4,7 @@ const checkErrors = require('./utils').checkErrors
4	const logger = require('../../helpers/logger')	4	const logger = require('../../helpers/logger')
5		5
6	const validatorsPagination = {	6	const validatorsPagination = {
7	pagination: pagination	7	pagination
8	}	8	}
9		9
10	function pagination (req, res, next) {	10	function pagination (req, res, next) {


diff --git a/server/middlewares/validators/pods.js b/server/middlewares/validators/pods.js index fda2e865f..fd3d1e2f2 100644 --- a/server/middlewares/validators/pods.js +++ b/server/middlewares/validators/pods.js
@@ -5,23 +5,29 @@ const friends = require('../../lib/friends')
5	const logger = require('../../helpers/logger')	5	const logger = require('../../helpers/logger')
6		6
7	const validatorsPod = {	7	const validatorsPod = {
8	makeFriends: makeFriends,	8	makeFriends,
9	podsAdd: podsAdd	9	podsAdd
10	}	10	}
11		11
12	function makeFriends (req, res, next) {	12	function makeFriends (req, res, next) {
13	friends.hasFriends(function (err, hasFriends) {	13	req.checkBody('urls', 'Should have an array of unique urls').isEachUniqueUrlValid()
14	if (err) {	14
15	logger.error('Cannot know if we have friends.', { error: err })	15	logger.debug('Checking makeFriends parameters', { parameters: req.body })
16	res.sendStatus(500)	16
17	}	17	checkErrors(req, res, function () {
18		18	friends.hasFriends(function (err, hasFriends) {
19	if (hasFriends === true) {	19	if (err) {
20	// We need to quit our friends before make new ones	20	logger.error('Cannot know if we have friends.', { error: err })
21	res.sendStatus(409)	21	res.sendStatus(500)
22	} else {	22	}
23	return next()	23
24	}	24	if (hasFriends === true) {
		25	// We need to quit our friends before make new ones
		26	res.sendStatus(409)
		27	} else {
		28	return next()
		29	}
		30	})
25	})	31	})
26	}	32	}
27		33


diff --git a/server/middlewares/validators/remote.js b/server/middlewares/validators/remote.js index 1be119458..8c29ef8ca 100644 --- a/server/middlewares/validators/remote.js +++ b/server/middlewares/validators/remote.js
@@ -4,9 +4,9 @@ const checkErrors = require('./utils').checkErrors
4	const logger = require('../../helpers/logger')	4	const logger = require('../../helpers/logger')
5		5
6	const validatorsRemote = {	6	const validatorsRemote = {
7	dataToDecrypt: dataToDecrypt,	7	dataToDecrypt,
8	remoteVideos: remoteVideos,	8	remoteVideos,
9	signature: signature	9	signature
10	}	10	}
11		11
12	function dataToDecrypt (req, res, next) {	12	function dataToDecrypt (req, res, next) {
@@ -19,7 +19,6 @@ function dataToDecrypt (req, res, next) {
19	}	19	}
20		20
21	function remoteVideos (req, res, next) {	21	function remoteVideos (req, res, next) {
22	req.checkBody('data').isArray()
23	req.checkBody('data').isEachRemoteVideosValid()	22	req.checkBody('data').isEachRemoteVideosValid()
24		23
25	logger.debug('Checking remoteVideos parameters', { parameters: req.body })	24	logger.debug('Checking remoteVideos parameters', { parameters: req.body })


diff --git a/server/middlewares/validators/sort.js b/server/middlewares/validators/sort.js index 56b63cc8b..431d3fffd 100644 --- a/server/middlewares/validators/sort.js +++ b/server/middlewares/validators/sort.js
@@ -5,7 +5,18 @@ const constants = require('../../initializers/constants')
5	const logger = require('../../helpers/logger')	5	const logger = require('../../helpers/logger')
6		6
7	const validatorsSort = {	7	const validatorsSort = {
8	videosSort: videosSort	8	usersSort,
		9	videosSort
		10	}
		11
		12	function usersSort (req, res, next) {
		13	const sortableColumns = constants.SORTABLE_COLUMNS.USERS
		14
		15	req.checkQuery('sort', 'Should have correct sortable column').optional().isIn(sortableColumns)
		16
		17	logger.debug('Checking sort parameters', { parameters: req.query })
		18
		19	checkErrors(req, res, next)
9	}	20	}
10		21
11	function videosSort (req, res, next) {	22	function videosSort (req, res, next) {


diff --git a/server/middlewares/validators/users.js b/server/middlewares/validators/users.js new file mode 100644 index 000000000..d541e9124 --- /dev/null +++ b/server/middlewares/validators/users.js
@@ -0,0 +1,67 @@
		1	'use strict'
		2
		3	const mongoose = require('mongoose')
		4
		5	const checkErrors = require('./utils').checkErrors
		6	const logger = require('../../helpers/logger')
		7
		8	const User = mongoose.model('User')
		9
		10	const validatorsUsers = {
		11	usersAdd,
		12	usersRemove,
		13	usersUpdate
		14	}
		15
		16	function usersAdd (req, res, next) {
		17	req.checkBody('username', 'Should have a valid username').isUserUsernameValid()
		18	req.checkBody('password', 'Should have a valid password').isUserPasswordValid()
		19
		20	logger.debug('Checking usersAdd parameters', { parameters: req.body })
		21
		22	checkErrors(req, res, function () {
		23	User.loadByUsername(req.body.username, function (err, user) {
		24	if (err) {
		25	logger.error('Error in usersAdd request validator.', { error: err })
		26	return res.sendStatus(500)
		27	}
		28
		29	if (user) return res.status(409).send('User already exists.')
		30
		31	next()
		32	})
		33	})
		34	}
		35
		36	function usersRemove (req, res, next) {
		37	req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId()
		38
		39	logger.debug('Checking usersRemove parameters', { parameters: req.params })
		40
		41	checkErrors(req, res, function () {
		42	User.loadById(req.params.id, function (err, user) {
		43	if (err) {
		44	logger.error('Error in usersRemove request validator.', { error: err })
		45	return res.sendStatus(500)
		46	}
		47
		48	if (!user) return res.status(404).send('User not found')
		49
		50	next()
		51	})
		52	})
		53	}
		54
		55	function usersUpdate (req, res, next) {
		56	req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId()
		57	// Add old password verification
		58	req.checkBody('password', 'Should have a valid password').isUserPasswordValid()
		59
		60	logger.debug('Checking usersUpdate parameters', { parameters: req.body })
		61
		62	checkErrors(req, res, next)
		63	}
		64
		65	// ---------------------------------------------------------------------------
		66
		67	module.exports = validatorsUsers


diff --git a/server/middlewares/validators/utils.js b/server/middlewares/validators/utils.js index f6e5b2b38..3741b84c6 100644 --- a/server/middlewares/validators/utils.js +++ b/server/middlewares/validators/utils.js
@@ -5,7 +5,7 @@ const util = require('util')
5	const logger = require('../../helpers/logger')	5	const logger = require('../../helpers/logger')
6		6
7	const validatorsUtils = {	7	const validatorsUtils = {
8	checkErrors: checkErrors	8	checkErrors
9	}	9	}
10		10
11	function checkErrors (req, res, next, statusCode) {	11	function checkErrors (req, res, next, statusCode) {


diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index 3e2af06fb..76e943e77 100644 --- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js
@@ -4,20 +4,21 @@ const mongoose = require('mongoose')
4		4
5	const checkErrors = require('./utils').checkErrors	5	const checkErrors = require('./utils').checkErrors
6	const constants = require('../../initializers/constants')	6	const constants = require('../../initializers/constants')
7	const customValidators = require('../../helpers/custom-validators')	7	const customVideosValidators = require('../../helpers/custom-validators').videos
8	const logger = require('../../helpers/logger')	8	const logger = require('../../helpers/logger')
9		9
10	const Video = mongoose.model('Video')	10	const Video = mongoose.model('Video')
11		11
12	const validatorsVideos = {	12	const validatorsVideos = {
13	videosAdd: videosAdd,	13	videosAdd,
14	videosGet: videosGet,	14	videosGet,
15	videosRemove: videosRemove,	15	videosRemove,
16	videosSearch: videosSearch	16	videosSearch
17	}	17	}
18		18
19	function videosAdd (req, res, next) {	19	function videosAdd (req, res, next) {
20	req.checkFiles('videofile[0].originalname', 'Should have an input video').notEmpty()	20	req.checkFiles('videofile[0].originalname', 'Should have an input video').notEmpty()
		21	// TODO: move to constants and function
21	req.checkFiles('videofile[0].mimetype', 'Should have a correct mime type').matches(/video\/(webm)\|(mp4)\|(ogg)/i)	22	req.checkFiles('videofile[0].mimetype', 'Should have a correct mime type').matches(/video\/(webm)\|(mp4)\|(ogg)/i)
22	req.checkBody('name', 'Should have a valid name').isVideoNameValid()	23	req.checkBody('name', 'Should have a valid name').isVideoNameValid()
23	req.checkBody('description', 'Should have a valid description').isVideoDescriptionValid()	24	req.checkBody('description', 'Should have a valid description').isVideoDescriptionValid()
@@ -33,8 +34,8 @@ function videosAdd (req, res, next) {
33	return res.status(400).send('Cannot retrieve metadata of the file.')	34	return res.status(400).send('Cannot retrieve metadata of the file.')
34	}	35	}
35		36
36	if (!customValidators.isVideoDurationValid(duration)) {	37	if (!customVideosValidators.isVideoDurationValid(duration)) {
37	return res.status(400).send('Duration of the video file is too big (max: ' + constants.VIDEOS_CONSTRAINTS_FIELDS.DURATION.max + 's).')	38	return res.status(400).send('Duration of the video file is too big (max: ' + constants.CONSTRAINTS_FIELDS.VIDEOS.DURATION.max + 's).')
38	}	39	}
39		40
40	videoFile.duration = duration	41	videoFile.duration = duration
@@ -76,6 +77,7 @@ function videosRemove (req, res, next) {
76		77
77	if (!video) return res.status(404).send('Video not found')	78	if (!video) return res.status(404).send('Video not found')
78	else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod')	79	else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod')
		80	else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user')
79		81
80	next()	82	next()
81	})	83	})