aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/middlewares
diff options
context:
space:
mode:
Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/pods.js1
-rw-r--r--server/middlewares/secure.js19
-rw-r--r--server/middlewares/sort.js11
-rw-r--r--server/middlewares/validators/remote.js30
-rw-r--r--server/middlewares/validators/remote/index.js13
-rw-r--r--server/middlewares/validators/remote/signature.js21
-rw-r--r--server/middlewares/validators/remote/videos.js20
-rw-r--r--server/middlewares/validators/sort.js23
-rw-r--r--server/middlewares/validators/users.js13
-rw-r--r--server/middlewares/validators/videos.js87
10 files changed, 163 insertions, 75 deletions
diff --git a/server/middlewares/pods.js b/server/middlewares/pods.js
index 487ea1259..e38fb341d 100644
--- a/server/middlewares/pods.js
+++ b/server/middlewares/pods.js
@@ -44,7 +44,6 @@ module.exports = podsMiddleware
44function getHostWithPort (host) { 44function getHostWithPort (host) {
45 const splitted = host.split(':') 45 const splitted = host.split(':')
46 46
47 console.log(splitted)
48 // The port was not specified 47 // The port was not specified
49 if (splitted.length === 1) { 48 if (splitted.length === 1) {
50 if (constants.REMOTE_SCHEME.HTTP === 'https') return host + ':443' 49 if (constants.REMOTE_SCHEME.HTTP === 'https') return host + ':443'
diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js
index ee836beed..b6e6d818b 100644
--- a/server/middlewares/secure.js
+++ b/server/middlewares/secure.js
@@ -1,18 +1,16 @@
1'use strict' 1'use strict'
2 2
3const db = require('../initializers/database')
3const logger = require('../helpers/logger') 4const logger = require('../helpers/logger')
4const mongoose = require('mongoose')
5const peertubeCrypto = require('../helpers/peertube-crypto') 5const peertubeCrypto = require('../helpers/peertube-crypto')
6 6
7const Pod = mongoose.model('Pod')
8
9const secureMiddleware = { 7const secureMiddleware = {
10 checkSignature 8 checkSignature
11} 9}
12 10
13function checkSignature (req, res, next) { 11function checkSignature (req, res, next) {
14 const host = req.body.signature.host 12 const host = req.body.signature.host
15 Pod.loadByHost(host, function (err, pod) { 13 db.Pod.loadByHost(host, function (err, pod) {
16 if (err) { 14 if (err) {
17 logger.error('Cannot get signed host in body.', { error: err }) 15 logger.error('Cannot get signed host in body.', { error: err })
18 return res.sendStatus(500) 16 return res.sendStatus(500)
@@ -25,9 +23,20 @@ function checkSignature (req, res, next) {
25 23
26 logger.debug('Checking signature from %s.', host) 24 logger.debug('Checking signature from %s.', host)
27 25
28 const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature) 26 let signatureShouldBe
27 if (req.body.data) {
28 signatureShouldBe = req.body.data
29 } else {
30 signatureShouldBe = host
31 }
32
33 const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, signatureShouldBe, req.body.signature.signature)
29 34
30 if (signatureOk === true) { 35 if (signatureOk === true) {
36 res.locals.secure = {
37 pod
38 }
39
31 return next() 40 return next()
32 } 41 }
33 42
diff --git a/server/middlewares/sort.js b/server/middlewares/sort.js
index f0b7274eb..39e167265 100644
--- a/server/middlewares/sort.js
+++ b/server/middlewares/sort.js
@@ -2,17 +2,24 @@
2 2
3const sortMiddleware = { 3const sortMiddleware = {
4 setUsersSort, 4 setUsersSort,
5 setVideoAbusesSort,
5 setVideosSort 6 setVideosSort
6} 7}
7 8
8function setUsersSort (req, res, next) { 9function setUsersSort (req, res, next) {
9 if (!req.query.sort) req.query.sort = '-createdDate' 10 if (!req.query.sort) req.query.sort = '-createdAt'
11
12 return next()
13}
14
15function setVideoAbusesSort (req, res, next) {
16 if (!req.query.sort) req.query.sort = '-createdAt'
10 17
11 return next() 18 return next()
12} 19}
13 20
14function setVideosSort (req, res, next) { 21function setVideosSort (req, res, next) {
15 if (!req.query.sort) req.query.sort = '-createdDate' 22 if (!req.query.sort) req.query.sort = '-createdAt'
16 23
17 return next() 24 return next()
18} 25}
diff --git a/server/middlewares/validators/remote.js b/server/middlewares/validators/remote.js
deleted file mode 100644
index 858d193cc..000000000
--- a/server/middlewares/validators/remote.js
+++ /dev/null
@@ -1,30 +0,0 @@
1'use strict'
2
3const checkErrors = require('./utils').checkErrors
4const logger = require('../../helpers/logger')
5
6const validatorsRemote = {
7 remoteVideos,
8 signature
9}
10
11function remoteVideos (req, res, next) {
12 req.checkBody('data').isEachRemoteVideosValid()
13
14 logger.debug('Checking remoteVideos parameters', { parameters: req.body })
15
16 checkErrors(req, res, next)
17}
18
19function signature (req, res, next) {
20 req.checkBody('signature.host', 'Should have a signature host').isURL()
21 req.checkBody('signature.signature', 'Should have a signature').notEmpty()
22
23 logger.debug('Checking signature parameters', { parameters: { signatureHost: req.body.signature.host } })
24
25 checkErrors(req, res, next)
26}
27
28// ---------------------------------------------------------------------------
29
30module.exports = validatorsRemote
diff --git a/server/middlewares/validators/remote/index.js b/server/middlewares/validators/remote/index.js
new file mode 100644
index 000000000..022a2fe50
--- /dev/null
+++ b/server/middlewares/validators/remote/index.js
@@ -0,0 +1,13 @@
1'use strict'
2
3const remoteSignatureValidators = require('./signature')
4const remoteVideosValidators = require('./videos')
5
6const validators = {
7 signature: remoteSignatureValidators,
8 videos: remoteVideosValidators
9}
10
11// ---------------------------------------------------------------------------
12
13module.exports = validators
diff --git a/server/middlewares/validators/remote/signature.js b/server/middlewares/validators/remote/signature.js
new file mode 100644
index 000000000..002232c05
--- /dev/null
+++ b/server/middlewares/validators/remote/signature.js
@@ -0,0 +1,21 @@
1'use strict'
2
3const checkErrors = require('../utils').checkErrors
4const logger = require('../../../helpers/logger')
5
6const validatorsRemoteSignature = {
7 signature
8}
9
10function signature (req, res, next) {
11 req.checkBody('signature.host', 'Should have a signature host').isURL()
12 req.checkBody('signature.signature', 'Should have a signature').notEmpty()
13
14 logger.debug('Checking signature parameters', { parameters: { signature: req.body.signature } })
15
16 checkErrors(req, res, next)
17}
18
19// ---------------------------------------------------------------------------
20
21module.exports = validatorsRemoteSignature
diff --git a/server/middlewares/validators/remote/videos.js b/server/middlewares/validators/remote/videos.js
new file mode 100644
index 000000000..cf9925b6c
--- /dev/null
+++ b/server/middlewares/validators/remote/videos.js
@@ -0,0 +1,20 @@
1'use strict'
2
3const checkErrors = require('../utils').checkErrors
4const logger = require('../../../helpers/logger')
5
6const validatorsRemoteVideos = {
7 remoteVideos
8}
9
10function remoteVideos (req, res, next) {
11 req.checkBody('data').isEachRemoteRequestVideosValid()
12
13 logger.debug('Checking remoteVideos parameters', { parameters: req.body })
14
15 checkErrors(req, res, next)
16}
17
18// ---------------------------------------------------------------------------
19
20module.exports = validatorsRemoteVideos
diff --git a/server/middlewares/validators/sort.js b/server/middlewares/validators/sort.js
index 431d3fffd..b7eec0316 100644
--- a/server/middlewares/validators/sort.js
+++ b/server/middlewares/validators/sort.js
@@ -6,29 +6,38 @@ const logger = require('../../helpers/logger')
6 6
7const validatorsSort = { 7const validatorsSort = {
8 usersSort, 8 usersSort,
9 videoAbusesSort,
9 videosSort 10 videosSort
10} 11}
11 12
12function usersSort (req, res, next) { 13function usersSort (req, res, next) {
13 const sortableColumns = constants.SORTABLE_COLUMNS.USERS 14 const sortableColumns = constants.SORTABLE_COLUMNS.USERS
14 15
15 req.checkQuery('sort', 'Should have correct sortable column').optional().isIn(sortableColumns) 16 checkSort(req, res, next, sortableColumns)
17}
16 18
17 logger.debug('Checking sort parameters', { parameters: req.query }) 19function videoAbusesSort (req, res, next) {
20 const sortableColumns = constants.SORTABLE_COLUMNS.VIDEO_ABUSES
18 21
19 checkErrors(req, res, next) 22 checkSort(req, res, next, sortableColumns)
20} 23}
21 24
22function videosSort (req, res, next) { 25function videosSort (req, res, next) {
23 const sortableColumns = constants.SORTABLE_COLUMNS.VIDEOS 26 const sortableColumns = constants.SORTABLE_COLUMNS.VIDEOS
24 27
28 checkSort(req, res, next, sortableColumns)
29}
30
31// ---------------------------------------------------------------------------
32
33module.exports = validatorsSort
34
35// ---------------------------------------------------------------------------
36
37function checkSort (req, res, next, sortableColumns) {
25 req.checkQuery('sort', 'Should have correct sortable column').optional().isIn(sortableColumns) 38 req.checkQuery('sort', 'Should have correct sortable column').optional().isIn(sortableColumns)
26 39
27 logger.debug('Checking sort parameters', { parameters: req.query }) 40 logger.debug('Checking sort parameters', { parameters: req.query })
28 41
29 checkErrors(req, res, next) 42 checkErrors(req, res, next)
30} 43}
31
32// ---------------------------------------------------------------------------
33
34module.exports = validatorsSort
diff --git a/server/middlewares/validators/users.js b/server/middlewares/validators/users.js
index 02e4f34cb..0629550bc 100644
--- a/server/middlewares/validators/users.js
+++ b/server/middlewares/validators/users.js
@@ -1,12 +1,9 @@
1'use strict' 1'use strict'
2 2
3const mongoose = require('mongoose')
4
5const checkErrors = require('./utils').checkErrors 3const checkErrors = require('./utils').checkErrors
4const db = require('../../initializers/database')
6const logger = require('../../helpers/logger') 5const logger = require('../../helpers/logger')
7 6
8const User = mongoose.model('User')
9
10const validatorsUsers = { 7const validatorsUsers = {
11 usersAdd, 8 usersAdd,
12 usersRemove, 9 usersRemove,
@@ -20,7 +17,7 @@ function usersAdd (req, res, next) {
20 logger.debug('Checking usersAdd parameters', { parameters: req.body }) 17 logger.debug('Checking usersAdd parameters', { parameters: req.body })
21 18
22 checkErrors(req, res, function () { 19 checkErrors(req, res, function () {
23 User.loadByUsername(req.body.username, function (err, user) { 20 db.User.loadByUsername(req.body.username, function (err, user) {
24 if (err) { 21 if (err) {
25 logger.error('Error in usersAdd request validator.', { error: err }) 22 logger.error('Error in usersAdd request validator.', { error: err })
26 return res.sendStatus(500) 23 return res.sendStatus(500)
@@ -34,12 +31,12 @@ function usersAdd (req, res, next) {
34} 31}
35 32
36function usersRemove (req, res, next) { 33function usersRemove (req, res, next) {
37 req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId() 34 req.checkParams('id', 'Should have a valid id').notEmpty().isInt()
38 35
39 logger.debug('Checking usersRemove parameters', { parameters: req.params }) 36 logger.debug('Checking usersRemove parameters', { parameters: req.params })
40 37
41 checkErrors(req, res, function () { 38 checkErrors(req, res, function () {
42 User.loadById(req.params.id, function (err, user) { 39 db.User.loadById(req.params.id, function (err, user) {
43 if (err) { 40 if (err) {
44 logger.error('Error in usersRemove request validator.', { error: err }) 41 logger.error('Error in usersRemove request validator.', { error: err })
45 return res.sendStatus(500) 42 return res.sendStatus(500)
@@ -55,7 +52,7 @@ function usersRemove (req, res, next) {
55} 52}
56 53
57function usersUpdate (req, res, next) { 54function usersUpdate (req, res, next) {
58 req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId() 55 req.checkParams('id', 'Should have a valid id').notEmpty().isInt()
59 // Add old password verification 56 // Add old password verification
60 req.checkBody('password', 'Should have a valid password').isUserPasswordValid() 57 req.checkBody('password', 'Should have a valid password').isUserPasswordValid()
61 58
diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js
index 76e943e77..4fe6dcd8b 100644
--- a/server/middlewares/validators/videos.js
+++ b/server/middlewares/validators/videos.js
@@ -1,19 +1,19 @@
1'use strict' 1'use strict'
2 2
3const mongoose = require('mongoose')
4
5const checkErrors = require('./utils').checkErrors 3const checkErrors = require('./utils').checkErrors
6const constants = require('../../initializers/constants') 4const constants = require('../../initializers/constants')
7const customVideosValidators = require('../../helpers/custom-validators').videos 5const customVideosValidators = require('../../helpers/custom-validators').videos
6const db = require('../../initializers/database')
8const logger = require('../../helpers/logger') 7const logger = require('../../helpers/logger')
9 8
10const Video = mongoose.model('Video')
11
12const validatorsVideos = { 9const validatorsVideos = {
13 videosAdd, 10 videosAdd,
11 videosUpdate,
14 videosGet, 12 videosGet,
15 videosRemove, 13 videosRemove,
16 videosSearch 14 videosSearch,
15
16 videoAbuseReport
17} 17}
18 18
19function videosAdd (req, res, next) { 19function videosAdd (req, res, next) {
@@ -29,7 +29,7 @@ function videosAdd (req, res, next) {
29 checkErrors(req, res, function () { 29 checkErrors(req, res, function () {
30 const videoFile = req.files.videofile[0] 30 const videoFile = req.files.videofile[0]
31 31
32 Video.getDurationFromFile(videoFile.path, function (err, duration) { 32 db.Video.getDurationFromFile(videoFile.path, function (err, duration) {
33 if (err) { 33 if (err) {
34 return res.status(400).send('Cannot retrieve metadata of the file.') 34 return res.status(400).send('Cannot retrieve metadata of the file.')
35 } 35 }
@@ -44,40 +44,56 @@ function videosAdd (req, res, next) {
44 }) 44 })
45} 45}
46 46
47function videosGet (req, res, next) { 47function videosUpdate (req, res, next) {
48 req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId() 48 req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
49 req.checkBody('name', 'Should have a valid name').optional().isVideoNameValid()
50 req.checkBody('description', 'Should have a valid description').optional().isVideoDescriptionValid()
51 req.checkBody('tags', 'Should have correct tags').optional().isVideoTagsValid()
49 52
50 logger.debug('Checking videosGet parameters', { parameters: req.params }) 53 logger.debug('Checking videosUpdate parameters', { parameters: req.body })
51 54
52 checkErrors(req, res, function () { 55 checkErrors(req, res, function () {
53 Video.load(req.params.id, function (err, video) { 56 checkVideoExists(req.params.id, res, function () {
54 if (err) { 57 // We need to make additional checks
55 logger.error('Error in videosGet request validator.', { error: err }) 58 if (res.locals.video.isOwned() === false) {
56 return res.sendStatus(500) 59 return res.status(403).send('Cannot update video of another pod')
57 } 60 }
58 61
59 if (!video) return res.status(404).send('Video not found') 62 if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
63 return res.status(403).send('Cannot update video of another user')
64 }
60 65
61 next() 66 next()
62 }) 67 })
63 }) 68 })
64} 69}
65 70
71function videosGet (req, res, next) {
72 req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
73
74 logger.debug('Checking videosGet parameters', { parameters: req.params })
75
76 checkErrors(req, res, function () {
77 checkVideoExists(req.params.id, res, next)
78 })
79}
80
66function videosRemove (req, res, next) { 81function videosRemove (req, res, next) {
67 req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId() 82 req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
68 83
69 logger.debug('Checking videosRemove parameters', { parameters: req.params }) 84 logger.debug('Checking videosRemove parameters', { parameters: req.params })
70 85
71 checkErrors(req, res, function () { 86 checkErrors(req, res, function () {
72 Video.load(req.params.id, function (err, video) { 87 checkVideoExists(req.params.id, res, function () {
73 if (err) { 88 // We need to make additional checks
74 logger.error('Error in videosRemove request validator.', { error: err }) 89
75 return res.sendStatus(500) 90 if (res.locals.video.isOwned() === false) {
91 return res.status(403).send('Cannot remove video of another pod')
76 } 92 }
77 93
78 if (!video) return res.status(404).send('Video not found') 94 if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
79 else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod') 95 return res.status(403).send('Cannot remove video of another user')
80 else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user') 96 }
81 97
82 next() 98 next()
83 }) 99 })
@@ -94,6 +110,33 @@ function videosSearch (req, res, next) {
94 checkErrors(req, res, next) 110 checkErrors(req, res, next)
95} 111}
96 112
113function videoAbuseReport (req, res, next) {
114 req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4)
115 req.checkBody('reason', 'Should have a valid reason').isVideoAbuseReasonValid()
116
117 logger.debug('Checking videoAbuseReport parameters', { parameters: req.body })
118
119 checkErrors(req, res, function () {
120 checkVideoExists(req.params.id, res, next)
121 })
122}
123
97// --------------------------------------------------------------------------- 124// ---------------------------------------------------------------------------
98 125
99module.exports = validatorsVideos 126module.exports = validatorsVideos
127
128// ---------------------------------------------------------------------------
129
130function checkVideoExists (id, res, callback) {
131 db.Video.loadAndPopulateAuthorAndPodAndTags(id, function (err, video) {
132 if (err) {
133 logger.error('Error in video request validator.', { error: err })
134 return res.sendStatus(500)
135 }
136
137 if (!video) return res.status(404).send('Video not found')
138
139 res.locals.video = video
140 callback()
141 })
142}