diff options
Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/pods.js | 1 | ||||
-rw-r--r-- | server/middlewares/secure.js | 19 | ||||
-rw-r--r-- | server/middlewares/sort.js | 11 | ||||
-rw-r--r-- | server/middlewares/validators/remote.js | 30 | ||||
-rw-r--r-- | server/middlewares/validators/remote/index.js | 13 | ||||
-rw-r--r-- | server/middlewares/validators/remote/signature.js | 21 | ||||
-rw-r--r-- | server/middlewares/validators/remote/videos.js | 20 | ||||
-rw-r--r-- | server/middlewares/validators/sort.js | 23 | ||||
-rw-r--r-- | server/middlewares/validators/users.js | 13 | ||||
-rw-r--r-- | server/middlewares/validators/videos.js | 87 |
10 files changed, 163 insertions, 75 deletions
diff --git a/server/middlewares/pods.js b/server/middlewares/pods.js index 487ea1259..e38fb341d 100644 --- a/server/middlewares/pods.js +++ b/server/middlewares/pods.js | |||
@@ -44,7 +44,6 @@ module.exports = podsMiddleware | |||
44 | function getHostWithPort (host) { | 44 | function getHostWithPort (host) { |
45 | const splitted = host.split(':') | 45 | const splitted = host.split(':') |
46 | 46 | ||
47 | console.log(splitted) | ||
48 | // The port was not specified | 47 | // The port was not specified |
49 | if (splitted.length === 1) { | 48 | if (splitted.length === 1) { |
50 | if (constants.REMOTE_SCHEME.HTTP === 'https') return host + ':443' | 49 | if (constants.REMOTE_SCHEME.HTTP === 'https') return host + ':443' |
diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js index ee836beed..b6e6d818b 100644 --- a/server/middlewares/secure.js +++ b/server/middlewares/secure.js | |||
@@ -1,18 +1,16 @@ | |||
1 | 'use strict' | 1 | 'use strict' |
2 | 2 | ||
3 | const db = require('../initializers/database') | ||
3 | const logger = require('../helpers/logger') | 4 | const logger = require('../helpers/logger') |
4 | const mongoose = require('mongoose') | ||
5 | const peertubeCrypto = require('../helpers/peertube-crypto') | 5 | const peertubeCrypto = require('../helpers/peertube-crypto') |
6 | 6 | ||
7 | const Pod = mongoose.model('Pod') | ||
8 | |||
9 | const secureMiddleware = { | 7 | const secureMiddleware = { |
10 | checkSignature | 8 | checkSignature |
11 | } | 9 | } |
12 | 10 | ||
13 | function checkSignature (req, res, next) { | 11 | function checkSignature (req, res, next) { |
14 | const host = req.body.signature.host | 12 | const host = req.body.signature.host |
15 | Pod.loadByHost(host, function (err, pod) { | 13 | db.Pod.loadByHost(host, function (err, pod) { |
16 | if (err) { | 14 | if (err) { |
17 | logger.error('Cannot get signed host in body.', { error: err }) | 15 | logger.error('Cannot get signed host in body.', { error: err }) |
18 | return res.sendStatus(500) | 16 | return res.sendStatus(500) |
@@ -25,9 +23,20 @@ function checkSignature (req, res, next) { | |||
25 | 23 | ||
26 | logger.debug('Checking signature from %s.', host) | 24 | logger.debug('Checking signature from %s.', host) |
27 | 25 | ||
28 | const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature) | 26 | let signatureShouldBe |
27 | if (req.body.data) { | ||
28 | signatureShouldBe = req.body.data | ||
29 | } else { | ||
30 | signatureShouldBe = host | ||
31 | } | ||
32 | |||
33 | const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, signatureShouldBe, req.body.signature.signature) | ||
29 | 34 | ||
30 | if (signatureOk === true) { | 35 | if (signatureOk === true) { |
36 | res.locals.secure = { | ||
37 | pod | ||
38 | } | ||
39 | |||
31 | return next() | 40 | return next() |
32 | } | 41 | } |
33 | 42 | ||
diff --git a/server/middlewares/sort.js b/server/middlewares/sort.js index f0b7274eb..39e167265 100644 --- a/server/middlewares/sort.js +++ b/server/middlewares/sort.js | |||
@@ -2,17 +2,24 @@ | |||
2 | 2 | ||
3 | const sortMiddleware = { | 3 | const sortMiddleware = { |
4 | setUsersSort, | 4 | setUsersSort, |
5 | setVideoAbusesSort, | ||
5 | setVideosSort | 6 | setVideosSort |
6 | } | 7 | } |
7 | 8 | ||
8 | function setUsersSort (req, res, next) { | 9 | function setUsersSort (req, res, next) { |
9 | if (!req.query.sort) req.query.sort = '-createdDate' | 10 | if (!req.query.sort) req.query.sort = '-createdAt' |
11 | |||
12 | return next() | ||
13 | } | ||
14 | |||
15 | function setVideoAbusesSort (req, res, next) { | ||
16 | if (!req.query.sort) req.query.sort = '-createdAt' | ||
10 | 17 | ||
11 | return next() | 18 | return next() |
12 | } | 19 | } |
13 | 20 | ||
14 | function setVideosSort (req, res, next) { | 21 | function setVideosSort (req, res, next) { |
15 | if (!req.query.sort) req.query.sort = '-createdDate' | 22 | if (!req.query.sort) req.query.sort = '-createdAt' |
16 | 23 | ||
17 | return next() | 24 | return next() |
18 | } | 25 | } |
diff --git a/server/middlewares/validators/remote.js b/server/middlewares/validators/remote.js deleted file mode 100644 index 858d193cc..000000000 --- a/server/middlewares/validators/remote.js +++ /dev/null | |||
@@ -1,30 +0,0 @@ | |||
1 | 'use strict' | ||
2 | |||
3 | const checkErrors = require('./utils').checkErrors | ||
4 | const logger = require('../../helpers/logger') | ||
5 | |||
6 | const validatorsRemote = { | ||
7 | remoteVideos, | ||
8 | signature | ||
9 | } | ||
10 | |||
11 | function remoteVideos (req, res, next) { | ||
12 | req.checkBody('data').isEachRemoteVideosValid() | ||
13 | |||
14 | logger.debug('Checking remoteVideos parameters', { parameters: req.body }) | ||
15 | |||
16 | checkErrors(req, res, next) | ||
17 | } | ||
18 | |||
19 | function signature (req, res, next) { | ||
20 | req.checkBody('signature.host', 'Should have a signature host').isURL() | ||
21 | req.checkBody('signature.signature', 'Should have a signature').notEmpty() | ||
22 | |||
23 | logger.debug('Checking signature parameters', { parameters: { signatureHost: req.body.signature.host } }) | ||
24 | |||
25 | checkErrors(req, res, next) | ||
26 | } | ||
27 | |||
28 | // --------------------------------------------------------------------------- | ||
29 | |||
30 | module.exports = validatorsRemote | ||
diff --git a/server/middlewares/validators/remote/index.js b/server/middlewares/validators/remote/index.js new file mode 100644 index 000000000..022a2fe50 --- /dev/null +++ b/server/middlewares/validators/remote/index.js | |||
@@ -0,0 +1,13 @@ | |||
1 | 'use strict' | ||
2 | |||
3 | const remoteSignatureValidators = require('./signature') | ||
4 | const remoteVideosValidators = require('./videos') | ||
5 | |||
6 | const validators = { | ||
7 | signature: remoteSignatureValidators, | ||
8 | videos: remoteVideosValidators | ||
9 | } | ||
10 | |||
11 | // --------------------------------------------------------------------------- | ||
12 | |||
13 | module.exports = validators | ||
diff --git a/server/middlewares/validators/remote/signature.js b/server/middlewares/validators/remote/signature.js new file mode 100644 index 000000000..002232c05 --- /dev/null +++ b/server/middlewares/validators/remote/signature.js | |||
@@ -0,0 +1,21 @@ | |||
1 | 'use strict' | ||
2 | |||
3 | const checkErrors = require('../utils').checkErrors | ||
4 | const logger = require('../../../helpers/logger') | ||
5 | |||
6 | const validatorsRemoteSignature = { | ||
7 | signature | ||
8 | } | ||
9 | |||
10 | function signature (req, res, next) { | ||
11 | req.checkBody('signature.host', 'Should have a signature host').isURL() | ||
12 | req.checkBody('signature.signature', 'Should have a signature').notEmpty() | ||
13 | |||
14 | logger.debug('Checking signature parameters', { parameters: { signature: req.body.signature } }) | ||
15 | |||
16 | checkErrors(req, res, next) | ||
17 | } | ||
18 | |||
19 | // --------------------------------------------------------------------------- | ||
20 | |||
21 | module.exports = validatorsRemoteSignature | ||
diff --git a/server/middlewares/validators/remote/videos.js b/server/middlewares/validators/remote/videos.js new file mode 100644 index 000000000..cf9925b6c --- /dev/null +++ b/server/middlewares/validators/remote/videos.js | |||
@@ -0,0 +1,20 @@ | |||
1 | 'use strict' | ||
2 | |||
3 | const checkErrors = require('../utils').checkErrors | ||
4 | const logger = require('../../../helpers/logger') | ||
5 | |||
6 | const validatorsRemoteVideos = { | ||
7 | remoteVideos | ||
8 | } | ||
9 | |||
10 | function remoteVideos (req, res, next) { | ||
11 | req.checkBody('data').isEachRemoteRequestVideosValid() | ||
12 | |||
13 | logger.debug('Checking remoteVideos parameters', { parameters: req.body }) | ||
14 | |||
15 | checkErrors(req, res, next) | ||
16 | } | ||
17 | |||
18 | // --------------------------------------------------------------------------- | ||
19 | |||
20 | module.exports = validatorsRemoteVideos | ||
diff --git a/server/middlewares/validators/sort.js b/server/middlewares/validators/sort.js index 431d3fffd..b7eec0316 100644 --- a/server/middlewares/validators/sort.js +++ b/server/middlewares/validators/sort.js | |||
@@ -6,29 +6,38 @@ const logger = require('../../helpers/logger') | |||
6 | 6 | ||
7 | const validatorsSort = { | 7 | const validatorsSort = { |
8 | usersSort, | 8 | usersSort, |
9 | videoAbusesSort, | ||
9 | videosSort | 10 | videosSort |
10 | } | 11 | } |
11 | 12 | ||
12 | function usersSort (req, res, next) { | 13 | function usersSort (req, res, next) { |
13 | const sortableColumns = constants.SORTABLE_COLUMNS.USERS | 14 | const sortableColumns = constants.SORTABLE_COLUMNS.USERS |
14 | 15 | ||
15 | req.checkQuery('sort', 'Should have correct sortable column').optional().isIn(sortableColumns) | 16 | checkSort(req, res, next, sortableColumns) |
17 | } | ||
16 | 18 | ||
17 | logger.debug('Checking sort parameters', { parameters: req.query }) | 19 | function videoAbusesSort (req, res, next) { |
20 | const sortableColumns = constants.SORTABLE_COLUMNS.VIDEO_ABUSES | ||
18 | 21 | ||
19 | checkErrors(req, res, next) | 22 | checkSort(req, res, next, sortableColumns) |
20 | } | 23 | } |
21 | 24 | ||
22 | function videosSort (req, res, next) { | 25 | function videosSort (req, res, next) { |
23 | const sortableColumns = constants.SORTABLE_COLUMNS.VIDEOS | 26 | const sortableColumns = constants.SORTABLE_COLUMNS.VIDEOS |
24 | 27 | ||
28 | checkSort(req, res, next, sortableColumns) | ||
29 | } | ||
30 | |||
31 | // --------------------------------------------------------------------------- | ||
32 | |||
33 | module.exports = validatorsSort | ||
34 | |||
35 | // --------------------------------------------------------------------------- | ||
36 | |||
37 | function checkSort (req, res, next, sortableColumns) { | ||
25 | req.checkQuery('sort', 'Should have correct sortable column').optional().isIn(sortableColumns) | 38 | req.checkQuery('sort', 'Should have correct sortable column').optional().isIn(sortableColumns) |
26 | 39 | ||
27 | logger.debug('Checking sort parameters', { parameters: req.query }) | 40 | logger.debug('Checking sort parameters', { parameters: req.query }) |
28 | 41 | ||
29 | checkErrors(req, res, next) | 42 | checkErrors(req, res, next) |
30 | } | 43 | } |
31 | |||
32 | // --------------------------------------------------------------------------- | ||
33 | |||
34 | module.exports = validatorsSort | ||
diff --git a/server/middlewares/validators/users.js b/server/middlewares/validators/users.js index 02e4f34cb..0629550bc 100644 --- a/server/middlewares/validators/users.js +++ b/server/middlewares/validators/users.js | |||
@@ -1,12 +1,9 @@ | |||
1 | 'use strict' | 1 | 'use strict' |
2 | 2 | ||
3 | const mongoose = require('mongoose') | ||
4 | |||
5 | const checkErrors = require('./utils').checkErrors | 3 | const checkErrors = require('./utils').checkErrors |
4 | const db = require('../../initializers/database') | ||
6 | const logger = require('../../helpers/logger') | 5 | const logger = require('../../helpers/logger') |
7 | 6 | ||
8 | const User = mongoose.model('User') | ||
9 | |||
10 | const validatorsUsers = { | 7 | const validatorsUsers = { |
11 | usersAdd, | 8 | usersAdd, |
12 | usersRemove, | 9 | usersRemove, |
@@ -20,7 +17,7 @@ function usersAdd (req, res, next) { | |||
20 | logger.debug('Checking usersAdd parameters', { parameters: req.body }) | 17 | logger.debug('Checking usersAdd parameters', { parameters: req.body }) |
21 | 18 | ||
22 | checkErrors(req, res, function () { | 19 | checkErrors(req, res, function () { |
23 | User.loadByUsername(req.body.username, function (err, user) { | 20 | db.User.loadByUsername(req.body.username, function (err, user) { |
24 | if (err) { | 21 | if (err) { |
25 | logger.error('Error in usersAdd request validator.', { error: err }) | 22 | logger.error('Error in usersAdd request validator.', { error: err }) |
26 | return res.sendStatus(500) | 23 | return res.sendStatus(500) |
@@ -34,12 +31,12 @@ function usersAdd (req, res, next) { | |||
34 | } | 31 | } |
35 | 32 | ||
36 | function usersRemove (req, res, next) { | 33 | function usersRemove (req, res, next) { |
37 | req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId() | 34 | req.checkParams('id', 'Should have a valid id').notEmpty().isInt() |
38 | 35 | ||
39 | logger.debug('Checking usersRemove parameters', { parameters: req.params }) | 36 | logger.debug('Checking usersRemove parameters', { parameters: req.params }) |
40 | 37 | ||
41 | checkErrors(req, res, function () { | 38 | checkErrors(req, res, function () { |
42 | User.loadById(req.params.id, function (err, user) { | 39 | db.User.loadById(req.params.id, function (err, user) { |
43 | if (err) { | 40 | if (err) { |
44 | logger.error('Error in usersRemove request validator.', { error: err }) | 41 | logger.error('Error in usersRemove request validator.', { error: err }) |
45 | return res.sendStatus(500) | 42 | return res.sendStatus(500) |
@@ -55,7 +52,7 @@ function usersRemove (req, res, next) { | |||
55 | } | 52 | } |
56 | 53 | ||
57 | function usersUpdate (req, res, next) { | 54 | function usersUpdate (req, res, next) { |
58 | req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId() | 55 | req.checkParams('id', 'Should have a valid id').notEmpty().isInt() |
59 | // Add old password verification | 56 | // Add old password verification |
60 | req.checkBody('password', 'Should have a valid password').isUserPasswordValid() | 57 | req.checkBody('password', 'Should have a valid password').isUserPasswordValid() |
61 | 58 | ||
diff --git a/server/middlewares/validators/videos.js b/server/middlewares/validators/videos.js index 76e943e77..4fe6dcd8b 100644 --- a/server/middlewares/validators/videos.js +++ b/server/middlewares/validators/videos.js | |||
@@ -1,19 +1,19 @@ | |||
1 | 'use strict' | 1 | 'use strict' |
2 | 2 | ||
3 | const mongoose = require('mongoose') | ||
4 | |||
5 | const checkErrors = require('./utils').checkErrors | 3 | const checkErrors = require('./utils').checkErrors |
6 | const constants = require('../../initializers/constants') | 4 | const constants = require('../../initializers/constants') |
7 | const customVideosValidators = require('../../helpers/custom-validators').videos | 5 | const customVideosValidators = require('../../helpers/custom-validators').videos |
6 | const db = require('../../initializers/database') | ||
8 | const logger = require('../../helpers/logger') | 7 | const logger = require('../../helpers/logger') |
9 | 8 | ||
10 | const Video = mongoose.model('Video') | ||
11 | |||
12 | const validatorsVideos = { | 9 | const validatorsVideos = { |
13 | videosAdd, | 10 | videosAdd, |
11 | videosUpdate, | ||
14 | videosGet, | 12 | videosGet, |
15 | videosRemove, | 13 | videosRemove, |
16 | videosSearch | 14 | videosSearch, |
15 | |||
16 | videoAbuseReport | ||
17 | } | 17 | } |
18 | 18 | ||
19 | function videosAdd (req, res, next) { | 19 | function videosAdd (req, res, next) { |
@@ -29,7 +29,7 @@ function videosAdd (req, res, next) { | |||
29 | checkErrors(req, res, function () { | 29 | checkErrors(req, res, function () { |
30 | const videoFile = req.files.videofile[0] | 30 | const videoFile = req.files.videofile[0] |
31 | 31 | ||
32 | Video.getDurationFromFile(videoFile.path, function (err, duration) { | 32 | db.Video.getDurationFromFile(videoFile.path, function (err, duration) { |
33 | if (err) { | 33 | if (err) { |
34 | return res.status(400).send('Cannot retrieve metadata of the file.') | 34 | return res.status(400).send('Cannot retrieve metadata of the file.') |
35 | } | 35 | } |
@@ -44,40 +44,56 @@ function videosAdd (req, res, next) { | |||
44 | }) | 44 | }) |
45 | } | 45 | } |
46 | 46 | ||
47 | function videosGet (req, res, next) { | 47 | function videosUpdate (req, res, next) { |
48 | req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId() | 48 | req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4) |
49 | req.checkBody('name', 'Should have a valid name').optional().isVideoNameValid() | ||
50 | req.checkBody('description', 'Should have a valid description').optional().isVideoDescriptionValid() | ||
51 | req.checkBody('tags', 'Should have correct tags').optional().isVideoTagsValid() | ||
49 | 52 | ||
50 | logger.debug('Checking videosGet parameters', { parameters: req.params }) | 53 | logger.debug('Checking videosUpdate parameters', { parameters: req.body }) |
51 | 54 | ||
52 | checkErrors(req, res, function () { | 55 | checkErrors(req, res, function () { |
53 | Video.load(req.params.id, function (err, video) { | 56 | checkVideoExists(req.params.id, res, function () { |
54 | if (err) { | 57 | // We need to make additional checks |
55 | logger.error('Error in videosGet request validator.', { error: err }) | 58 | if (res.locals.video.isOwned() === false) { |
56 | return res.sendStatus(500) | 59 | return res.status(403).send('Cannot update video of another pod') |
57 | } | 60 | } |
58 | 61 | ||
59 | if (!video) return res.status(404).send('Video not found') | 62 | if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { |
63 | return res.status(403).send('Cannot update video of another user') | ||
64 | } | ||
60 | 65 | ||
61 | next() | 66 | next() |
62 | }) | 67 | }) |
63 | }) | 68 | }) |
64 | } | 69 | } |
65 | 70 | ||
71 | function videosGet (req, res, next) { | ||
72 | req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4) | ||
73 | |||
74 | logger.debug('Checking videosGet parameters', { parameters: req.params }) | ||
75 | |||
76 | checkErrors(req, res, function () { | ||
77 | checkVideoExists(req.params.id, res, next) | ||
78 | }) | ||
79 | } | ||
80 | |||
66 | function videosRemove (req, res, next) { | 81 | function videosRemove (req, res, next) { |
67 | req.checkParams('id', 'Should have a valid id').notEmpty().isMongoId() | 82 | req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4) |
68 | 83 | ||
69 | logger.debug('Checking videosRemove parameters', { parameters: req.params }) | 84 | logger.debug('Checking videosRemove parameters', { parameters: req.params }) |
70 | 85 | ||
71 | checkErrors(req, res, function () { | 86 | checkErrors(req, res, function () { |
72 | Video.load(req.params.id, function (err, video) { | 87 | checkVideoExists(req.params.id, res, function () { |
73 | if (err) { | 88 | // We need to make additional checks |
74 | logger.error('Error in videosRemove request validator.', { error: err }) | 89 | |
75 | return res.sendStatus(500) | 90 | if (res.locals.video.isOwned() === false) { |
91 | return res.status(403).send('Cannot remove video of another pod') | ||
76 | } | 92 | } |
77 | 93 | ||
78 | if (!video) return res.status(404).send('Video not found') | 94 | if (res.locals.video.Author.userId !== res.locals.oauth.token.User.id) { |
79 | else if (video.isOwned() === false) return res.status(403).send('Cannot remove video of another pod') | 95 | return res.status(403).send('Cannot remove video of another user') |
80 | else if (video.author !== res.locals.oauth.token.user.username) return res.status(403).send('Cannot remove video of another user') | 96 | } |
81 | 97 | ||
82 | next() | 98 | next() |
83 | }) | 99 | }) |
@@ -94,6 +110,33 @@ function videosSearch (req, res, next) { | |||
94 | checkErrors(req, res, next) | 110 | checkErrors(req, res, next) |
95 | } | 111 | } |
96 | 112 | ||
113 | function videoAbuseReport (req, res, next) { | ||
114 | req.checkParams('id', 'Should have a valid id').notEmpty().isUUID(4) | ||
115 | req.checkBody('reason', 'Should have a valid reason').isVideoAbuseReasonValid() | ||
116 | |||
117 | logger.debug('Checking videoAbuseReport parameters', { parameters: req.body }) | ||
118 | |||
119 | checkErrors(req, res, function () { | ||
120 | checkVideoExists(req.params.id, res, next) | ||
121 | }) | ||
122 | } | ||
123 | |||
97 | // --------------------------------------------------------------------------- | 124 | // --------------------------------------------------------------------------- |
98 | 125 | ||
99 | module.exports = validatorsVideos | 126 | module.exports = validatorsVideos |
127 | |||
128 | // --------------------------------------------------------------------------- | ||
129 | |||
130 | function checkVideoExists (id, res, callback) { | ||
131 | db.Video.loadAndPopulateAuthorAndPodAndTags(id, function (err, video) { | ||
132 | if (err) { | ||
133 | logger.error('Error in video request validator.', { error: err }) | ||
134 | return res.sendStatus(500) | ||
135 | } | ||
136 | |||
137 | if (!video) return res.status(404).send('Video not found') | ||
138 | |||
139 | res.locals.video = video | ||
140 | callback() | ||
141 | }) | ||
142 | } | ||