Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/secure.ts | 56 | ||||
-rw-r--r-- | server/middlewares/validators/pods.ts | 44 | ||||
-rw-r--r-- | server/middlewares/validators/users.ts | 52 | ||||
-rw-r--r-- | server/middlewares/validators/videos.ts | 75 |
4 files changed, 113 insertions, 114 deletions
diff --git a/server/middlewares/secure.ts b/server/middlewares/secure.ts index fbfd08c7b..0fa9ee9d2 100644 --- a/server/middlewares/secure.ts +++ b/server/middlewares/secure.ts | |||
@@ -9,41 +9,41 @@ import { | |||
9 | 9 | ||
10 | function checkSignature (req: express.Request, res: express.Response, next: express.NextFunction) { | 10 | function checkSignature (req: express.Request, res: express.Response, next: express.NextFunction) { |
11 | const host = req.body.signature.host | 11 | const host = req.body.signature.host |
12 | db.Pod.loadByHost(host, function (err, pod) { | 12 | db.Pod.loadByHost(host) |
13 | if (err) { | 13 | .then(pod => { |
14 | logger.error('Cannot get signed host in body.', { error: err }) | 14 | if (pod === null) { |
15 | return res.sendStatus(500) | 15 | logger.error('Unknown pod %s.', host) |
16 | } | 16 | return res.sendStatus(403) |
17 | } | ||
17 | 18 | ||
18 | if (pod === null) { | 19 | logger.debug('Checking signature from %s.', host) |
19 | logger.error('Unknown pod %s.', host) | ||
20 | return res.sendStatus(403) | ||
21 | } | ||
22 | 20 | ||
23 | logger.debug('Checking signature from %s.', host) | 21 | let signatureShouldBe |
22 | // If there is data in the body the sender used it for its signature | ||
23 | // If there is no data we just use its host as signature | ||
24 | if (req.body.data) { | ||
25 | signatureShouldBe = req.body.data | ||
26 | } else { | ||
27 | signatureShouldBe = host | ||
28 | } | ||
24 | 29 | ||
25 | let signatureShouldBe | 30 | const signatureOk = peertubeCryptoCheckSignature(pod.publicKey, signatureShouldBe, req.body.signature.signature) |
26 | // If there is data in the body the sender used it for its signature | ||
27 | // If there is no data we just use its host as signature | ||
28 | if (req.body.data) { | ||
29 | signatureShouldBe = req.body.data | ||
30 | } else { | ||
31 | signatureShouldBe = host | ||
32 | } | ||
33 | 31 | ||
34 | const signatureOk = peertubeCryptoCheckSignature(pod.publicKey, signatureShouldBe, req.body.signature.signature) | 32 | if (signatureOk === true) { |
33 | res.locals.secure = { | ||
34 | pod | ||
35 | } | ||
35 | 36 | ||
36 | if (signatureOk === true) { | 37 | return next() |
37 | res.locals.secure = { | ||
38 | pod | ||
39 | } | 38 | } |
40 | 39 | ||
41 | return next() | 40 | logger.error('Signature is not okay in body for %s.', req.body.signature.host) |
42 | } | 41 | return res.sendStatus(403) |
43 | 42 | }) | |
44 | logger.error('Signature is not okay in body for %s.', req.body.signature.host) | 43 | .catch(err => { |
45 | return res.sendStatus(403) | 44 | logger.error('Cannot get signed host in body.', { error: err }) |
46 | }) | 45 | return res.sendStatus(500) |
46 | }) | ||
47 | } | 47 | } |
48 | 48 | ||
49 | // --------------------------------------------------------------------------- | 49 | // --------------------------------------------------------------------------- |
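Review bot: The new `.catch` at new lines 43–46 of checkSignature now also receives any exception thrown inside the `.then` handler — for example if `peertubeCryptoCheckSignature` throws on a malformed `req.body.signature.signature`, or if `next()` throws synchronously from a downstream handler — and logs all of them as 'Cannot get signed host in body.' before sending a 500; the callback version only reached that branch on a `loadByHost` failure. If downstream already started a response, the `res.sendStatus(500)` inside the catch would itself throw and the original error would presumably end up as an unhandled rejection rather than in the log. Consider guarding the handler, `.catch(err => { if (res.headersSent) return next(err); logger.error('Error while checking the signature.', { error: err }); return res.sendStatus(500) })`, or keeping the `next()` call out of the promise chain. The same callback-to-catch shape is used by every validator in pods.ts, users.ts and videos.ts in this commit, where the catch likewise masks errors raised by `next()` as a 500 (or as a 400 'Cannot retrieve metadata of the file.' in videosAddValidator).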
diff --git a/server/middlewares/validators/pods.ts b/server/middlewares/validators/pods.ts index d8eb90168..da7fc2bd6 100644 --- a/server/middlewares/validators/pods.ts +++ b/server/middlewares/validators/pods.ts | |||
@@ -19,19 +19,19 @@ function makeFriendsValidator (req: express.Request, res: express.Response, next | |||
19 | logger.debug('Checking makeFriends parameters', { parameters: req.body }) | 19 | logger.debug('Checking makeFriends parameters', { parameters: req.body }) |
20 | 20 | ||
21 | checkErrors(req, res, function () { | 21 | checkErrors(req, res, function () { |
22 | hasFriends(function (err, heHasFriends) { | 22 | hasFriends() |
23 | if (err) { | 23 | .then(heHasFriends => { |
24 | if (heHasFriends === true) { | ||
25 | // We need to quit our friends before make new ones | ||
26 | return res.sendStatus(409) | ||
27 | } | ||
28 | |||
29 | return next() | ||
30 | }) | ||
31 | .catch(err => { | ||
24 | logger.error('Cannot know if we have friends.', { error: err }) | 32 | logger.error('Cannot know if we have friends.', { error: err }) |
25 | res.sendStatus(500) | 33 | res.sendStatus(500) |
26 | } | 34 | }) |
27 | |||
28 | if (heHasFriends === true) { | ||
29 | // We need to quit our friends before make new ones | ||
30 | return res.sendStatus(409) | ||
31 | } | ||
32 | |||
33 | return next() | ||
34 | }) | ||
35 | }) | 35 | }) |
36 | } | 36 | } |
37 | 37 | ||
@@ -42,19 +42,19 @@ function podsAddValidator (req: express.Request, res: express.Response, next: ex | |||
42 | logger.debug('Checking podsAdd parameters', { parameters: req.body }) | 42 | logger.debug('Checking podsAdd parameters', { parameters: req.body }) |
43 | 43 | ||
44 | checkErrors(req, res, function () { | 44 | checkErrors(req, res, function () { |
45 | db.Pod.loadByHost(req.body.host, function (err, pod) { | 45 | db.Pod.loadByHost(req.body.host) |
46 | if (err) { | 46 | .then(pod => { |
47 | // Pod with this host already exists | ||
48 | if (pod) { | ||
49 | return res.sendStatus(409) | ||
50 | } | ||
51 | |||
52 | return next() | ||
53 | }) | ||
54 | .catch(err => { | ||
47 | logger.error('Cannot load pod by host.', { error: err }) | 55 | logger.error('Cannot load pod by host.', { error: err }) |
48 | res.sendStatus(500) | 56 | res.sendStatus(500) |
49 | } | 57 | }) |
50 | |||
51 | // Pod with this host already exists | ||
52 | if (pod) { | ||
53 | return res.sendStatus(409) | ||
54 | } | ||
55 | |||
56 | return next() | ||
57 | }) | ||
58 | }) | 58 | }) |
59 | } | 59 | } |
60 | 60 | ||
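Review bot: The two new `.catch` handlers (new lines 31–34 and 54–57) end with a bare `res.sendStatus(500)`, while the equivalent handlers added to secure.ts and users.ts in this commit write `return res.sendStatus(500)`; picking one form across the validators keeps the promise chains uniform and makes it obvious nothing is meant to run after the response. The comment at new line 25 also reads awkwardly; `// We need to quit our friends before making new ones` says the same thing.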
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index b7b9ef370..c06735047 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts | |||
@@ -13,16 +13,16 @@ function usersAddValidator (req: express.Request, res: express.Response, next: e | |||
13 | logger.debug('Checking usersAdd parameters', { parameters: req.body }) | 13 | logger.debug('Checking usersAdd parameters', { parameters: req.body }) |
14 | 14 | ||
15 | checkErrors(req, res, function () { | 15 | checkErrors(req, res, function () { |
16 | db.User.loadByUsernameOrEmail(req.body.username, req.body.email, function (err, user) { | 16 | db.User.loadByUsernameOrEmail(req.body.username, req.body.email) |
17 | if (err) { | 17 | .then(user => { |
18 | if (user) return res.status(409).send('User already exists.') | ||
19 | |||
20 | next() | ||
21 | }) | ||
22 | .catch(err => { | ||
18 | logger.error('Error in usersAdd request validator.', { error: err }) | 23 | logger.error('Error in usersAdd request validator.', { error: err }) |
19 | return res.sendStatus(500) | 24 | return res.sendStatus(500) |
20 | } | 25 | }) |
21 | |||
22 | if (user) return res.status(409).send('User already exists.') | ||
23 | |||
24 | next() | ||
25 | }) | ||
26 | }) | 26 | }) |
27 | } | 27 | } |
28 | 28 | ||
@@ -32,18 +32,18 @@ function usersRemoveValidator (req: express.Request, res: express.Response, next | |||
32 | logger.debug('Checking usersRemove parameters', { parameters: req.params }) | 32 | logger.debug('Checking usersRemove parameters', { parameters: req.params }) |
33 | 33 | ||
34 | checkErrors(req, res, function () { | 34 | checkErrors(req, res, function () { |
35 | db.User.loadById(req.params.id, function (err, user) { | 35 | db.User.loadById(req.params.id) |
36 | if (err) { | 36 | .then(user => { |
37 | logger.error('Error in usersRemove request validator.', { error: err }) | 37 | if (!user) return res.status(404).send('User not found') |
38 | return res.sendStatus(500) | ||
39 | } | ||
40 | |||
41 | if (!user) return res.status(404).send('User not found') | ||
42 | 38 | ||
43 | if (user.username === 'root') return res.status(400).send('Cannot remove the root user') | 39 | if (user.username === 'root') return res.status(400).send('Cannot remove the root user') |
44 | 40 | ||
45 | next() | 41 | next() |
46 | }) | 42 | }) |
43 | .catch(err => { | ||
44 | logger.error('Error in usersRemove request validator.', { error: err }) | ||
45 | return res.sendStatus(500) | ||
46 | }) | ||
47 | }) | 47 | }) |
48 | } | 48 | } |
49 | 49 | ||
@@ -64,16 +64,16 @@ function usersVideoRatingValidator (req: express.Request, res: express.Response, | |||
64 | logger.debug('Checking usersVideoRating parameters', { parameters: req.params }) | 64 | logger.debug('Checking usersVideoRating parameters', { parameters: req.params }) |
65 | 65 | ||
66 | checkErrors(req, res, function () { | 66 | checkErrors(req, res, function () { |
67 | db.Video.load(req.params.videoId, function (err, video) { | 67 | db.Video.load(req.params.videoId) |
68 | if (err) { | 68 | .then(video => { |
69 | if (!video) return res.status(404).send('Video not found') | ||
70 | |||
71 | next() | ||
72 | }) | ||
73 | .catch(err => { | ||
69 | logger.error('Error in user request validator.', { error: err }) | 74 | logger.error('Error in user request validator.', { error: err }) |
70 | return res.sendStatus(500) | 75 | return res.sendStatus(500) |
71 | } | 76 | }) |
72 | |||
73 | if (!video) return res.status(404).send('Video not found') | ||
74 | |||
75 | next() | ||
76 | }) | ||
77 | }) | 77 | }) |
78 | } | 78 | } |
79 | 79 | ||
diff --git a/server/middlewares/validators/videos.ts b/server/middlewares/validators/videos.ts index 03742a522..ec452cade 100644 --- a/server/middlewares/validators/videos.ts +++ b/server/middlewares/validators/videos.ts | |||
@@ -1,5 +1,4 @@ | |||
1 | import 'express-validator' | 1 | import 'express-validator' |
2 | import * as multer from 'multer' | ||
3 | import * as express from 'express' | 2 | import * as express from 'express' |
4 | 3 | ||
5 | import { database as db } from '../../initializers/database' | 4 | import { database as db } from '../../initializers/database' |
@@ -24,18 +23,19 @@ function videosAddValidator (req: express.Request, res: express.Response, next: | |||
24 | checkErrors(req, res, function () { | 23 | checkErrors(req, res, function () { |
25 | const videoFile = req.files.videofile[0] | 24 | const videoFile = req.files.videofile[0] |
26 | 25 | ||
27 | db.Video.getDurationFromFile(videoFile.path, function (err, duration) { | 26 | db.Video.getDurationFromFile(videoFile.path) |
28 | if (err) { | 27 | .then(duration => { |
29 | return res.status(400).send('Cannot retrieve metadata of the file.') | 28 | if (!isVideoDurationValid('' + duration)) { |
30 | } | 29 | return res.status(400).send('Duration of the video file is too big (max: ' + CONSTRAINTS_FIELDS.VIDEOS.DURATION.max + 's).') |
31 | 30 | } | |
32 | if (!isVideoDurationValid(duration)) { | ||
33 | return res.status(400).send('Duration of the video file is too big (max: ' + CONSTRAINTS_FIELDS.VIDEOS.DURATION.max + 's).') | ||
34 | } | ||
35 | 31 | ||
36 | videoFile['duration'] = duration | 32 | videoFile['duration'] = duration |
37 | next() | 33 | next() |
38 | }) | 34 | }) |
35 | .catch(err => { | ||
36 | logger.error('Error in getting duration from file.', { error: err }) | ||
37 | res.status(400).send('Cannot retrieve metadata of the file.') | ||
38 | }) | ||
39 | }) | 39 | }) |
40 | } | 40 | } |
41 | 41 | ||
@@ -157,43 +157,42 @@ export { | |||
157 | // --------------------------------------------------------------------------- | 157 | // --------------------------------------------------------------------------- |
158 | 158 | ||
159 | function checkVideoExists (id: string, res: express.Response, callback: () => void) { | 159 | function checkVideoExists (id: string, res: express.Response, callback: () => void) { |
160 | db.Video.loadAndPopulateAuthorAndPodAndTags(id, function (err, video) { | 160 | db.Video.loadAndPopulateAuthorAndPodAndTags(id).then(video => { |
161 | if (err) { | ||
162 | logger.error('Error in video request validator.', { error: err }) | ||
163 | return res.sendStatus(500) | ||
164 | } | ||
165 | |||
166 | if (!video) return res.status(404).send('Video not found') | 161 | if (!video) return res.status(404).send('Video not found') |
167 | 162 | ||
168 | res.locals.video = video | 163 | res.locals.video = video |
169 | callback() | 164 | callback() |
170 | }) | 165 | }) |
166 | .catch(err => { | ||
167 | logger.error('Error in video request validator.', { error: err }) | ||
168 | return res.sendStatus(500) | ||
169 | }) | ||
171 | } | 170 | } |
172 | 171 | ||
173 | function checkUserCanDeleteVideo (userId: number, res: express.Response, callback: () => void) { | 172 | function checkUserCanDeleteVideo (userId: number, res: express.Response, callback: () => void) { |
174 | // Retrieve the user who did the request | 173 | // Retrieve the user who did the request |
175 | db.User.loadById(userId, function (err, user) { | 174 | db.User.loadById(userId) |
176 | if (err) { | 175 | .then(user => { |
177 | logger.error('Error in video request validator.', { error: err }) | 176 | // Check if the user can delete the video |
178 | return res.sendStatus(500) | 177 | // The user can delete it if s/he is an admin |
179 | } | 178 | // Or if s/he is the video's author |
180 | 179 | if (user.isAdmin() === false) { | |
181 | // Check if the user can delete the video | 180 | if (res.locals.video.isOwned() === false) { |
182 | // The user can delete it if s/he is an admin | 181 | return res.status(403).send('Cannot remove video of another pod') |
183 | // Or if s/he is the video's author | 182 | } |
184 | if (user.isAdmin() === false) { | 183 | |
185 | if (res.locals.video.isOwned() === false) { | 184 | if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { |
186 | return res.status(403).send('Cannot remove video of another pod') | 185 | return res.status(403).send('Cannot remove video of another user') |
187 | } | 186 | } |
188 | |||
189 | if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { | ||
190 | return res.status(403).send('Cannot remove video of another user') | ||
191 | } | 187 | } |
192 | } | ||
193 | 188 | ||
194 | // If we reach this comment, we can delete the video | 189 | // If we reach this comment, we can delete the video |
195 | callback() | 190 | callback() |
196 | }) | 191 | }) |
192 | .catch(err => { | ||
193 | logger.error('Error in video request validator.', { error: err }) | ||
194 | return res.sendStatus(500) | ||
195 | }) | ||
197 | } | 196 | } |
198 | 197 | ||
199 | function checkVideoIsBlacklistable (req: express.Request, res: express.Response, callback: () => void) { | 198 | function checkVideoIsBlacklistable (req: express.Request, res: express.Response, callback: () => void) { |
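Review bot: In checkUserCanDeleteVideo the `.then` handler dereferences `user.isAdmin()` at new line 179 without checking that `loadById` resolved to a user, whereas usersRemoveValidator in this same commit guards the same call with `if (!user) return res.status(404)...`, so a falsy result is evidently possible. Today a missing user would surface as a TypeError caught by the new `.catch` at 192–195 and answered with a 500 under the generic 'Error in video request validator.' message — fail-closed, but an accidental path for an authorization check and hard to tell apart from a real database error in the logs. Make the denial explicit before the admin check, `if (!user) return res.sendStatus(403)`, so the permission decision does not depend on the catch handler.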