dylan.derr/Send
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add optional password to the download url

Browse source
This commit is contained in:
Danny Coates 2017-08-31 09:43:36 -07:00
parent 837747f8f7
commit bc24a069da
No known key found for this signature in database
GPG key ID: 4C442633C62E00CB
28 changed files with 805 additions and 241 deletions
Download patch file Download diff file Expand all files Collapse all files

16
server/routes/download.js
View file

@ -1,6 +1,7 @@
const storage = require('../storage');
const mozlog = require('../log');
const log = mozlog('send.download');
const crypto = require('crypto');
function validateID(route_id) {
return route_id.match(/^[0-9a-fA-F]{10}$/) !== null;
@ -13,13 +14,24 @@ module.exports = async function(req, res) {
}
try {
const auth = req.header('Authorization').split(' ')[1];
const meta = await storage.metadata(id);
const hmac = crypto.createHmac('sha256', Buffer.from(meta.auth, 'base64'));
hmac.update(Buffer.from(meta.nonce, 'base64'));
const verifyHash = hmac.digest();
const nonce = crypto.randomBytes(16).toString('base64');
storage.setField(id, 'nonce', nonce);
if (!verifyHash.equals(Buffer.from(auth, 'base64'))) {
res.set('WWW-Authenticate', `send-v1 ${nonce}`);
return res.sendStatus(401);
}
const contentLength = await storage.length(id);
res.writeHead(200, {
'Content-Disposition': `attachment; filename=${meta.filename}`,
'Content-Disposition': 'attachment',
'Content-Type': 'application/octet-stream',
'Content-Length': contentLength,
'X-File-Metadata': JSON.stringify(meta)
'X-File-Metadata': meta.metadata,
'WWW-Authenticate': `send-v1 ${nonce}`
});
const file_stream = storage.get(id);

4
server/routes/index.js
View file

@ -59,10 +59,12 @@ module.exports = function(app) {
app.get('/download/:id', pages.download);
app.get('/completed', pages.blank);
app.get('/unsupported/:reason', pages.unsupported);
app.post('/api/upload', require('./upload'));
app.get('/api/download/:id', require('./download'));
app.get('/api/exists/:id', require('./exists'));
app.get('/api/metadata/:id', require('./metadata'));
app.post('/api/upload', require('./upload'));
app.post('/api/delete/:id', require('./delete'));
app.post('/api/password/:id', require('./password'));
app.get('/__version__', function(req, res) {
res.sendFile(require.resolve('../../dist/version.json'));

36
server/routes/metadata.js Normal file
View file

@ -0,0 +1,36 @@
const storage = require('../storage');
const crypto = require('crypto');
function validateID(route_id) {
return route_id.match(/^[0-9a-fA-F]{10}$/) !== null;
}
module.exports = async function(req, res) {
const id = req.params.id;
if (!validateID(id)) {
return res.sendStatus(404);
}
try {
const auth = req.header('Authorization').split(' ')[1];
const meta = await storage.metadata(id);
const hmac = crypto.createHmac('sha256', Buffer.from(meta.auth, 'base64'));
hmac.update(Buffer.from(meta.nonce, 'base64'));
const verifyHash = hmac.digest();
const nonce = crypto.randomBytes(16).toString('base64');
storage.setField(id, 'nonce', nonce);
res.set('WWW-Authenticate', `send-v1 ${nonce}`);
if (!verifyHash.equals(Buffer.from(auth, 'base64'))) {
return res.sendStatus(401);
}
const size = await storage.length(id);
const ttl = await storage.ttl(id);
res.send({
metadata: meta.metadata,
size,
ttl
});
} catch (e) {
res.sendStatus(404);
}
};

8
server/routes/pages.js
View file

@ -28,16 +28,14 @@ module.exports = {
}
try {
const efilename = await storage.filename(id);
const name = decodeURIComponent(efilename);
const size = await storage.length(id);
const ttl = await storage.ttl(id);
const { nonce, pwd } = await storage.metadata(id);
res.set('WWW-Authenticate', `send-v1 ${nonce}`);
res.send(
stripEvents(
routes.toString(
`/download/${req.params.id}`,
Object.assign(state(req), {
fileInfo: { name, size, ttl }
fileInfo: { nonce, pwd: +pwd }
})
)
)

35
server/routes/password.js Normal file
View file

@ -0,0 +1,35 @@
const storage = require('../storage');
const crypto = require('crypto');
function validateID(route_id) {
return route_id.match(/^[0-9a-fA-F]{10}$/) !== null;
}
module.exports = async function(req, res) {
const id = req.params.id;
if (!validateID(id)) {
return res.sendStatus(404);
}
if (!req.body.auth) {
return res.sendStatus(400);
}
try {
const auth = req.header('Authorization').split(' ')[1];
const meta = await storage.metadata(id);
const hmac = crypto.createHmac('sha256', Buffer.from(meta.auth, 'base64'));
hmac.update(Buffer.from(meta.nonce, 'base64'));
const verifyHash = hmac.digest();
const nonce = crypto.randomBytes(16).toString('base64');
storage.setField(id, 'nonce', nonce);
if (!verifyHash.equals(Buffer.from(auth, 'base64'))) {
res.set('WWW-Authenticate', `send-v1 ${nonce}`);
return res.sendStatus(401);
}
} catch (e) {
res.sendStatus(404);
}
storage.setField(id, 'auth', req.body.auth);
storage.setField(id, 'pwd', 1);
res.sendStatus(200);
};

69
server/routes/upload.js
View file

@ -5,55 +5,42 @@ const mozlog = require('../log');
const log = mozlog('send.upload');
const validateIV = route_id => {
return route_id.match(/^[0-9a-fA-F]{24}$/) !== null;
};
module.exports = function(req, res) {
const newId = crypto.randomBytes(5).toString('hex');
let meta;
try {
meta = JSON.parse(req.header('X-File-Metadata'));
} catch (e) {
res.sendStatus(400);
return;
const metadata = req.header('X-File-Metadata');
const auth = req.header('Authorization');
if (!metadata || !auth) {
return res.sendStatus(400);
}
if (
!meta.hasOwnProperty('id') ||
!meta.hasOwnProperty('filename') ||
!validateIV(meta.id)
) {
res.sendStatus(404);
return;
}
meta.delete = crypto.randomBytes(10).toString('hex');
const meta = {
delete: crypto.randomBytes(10).toString('hex'),
metadata,
pwd: 0,
auth: auth.split(' ')[1],
nonce: crypto.randomBytes(16).toString('base64')
};
req.pipe(req.busboy);
req.busboy.on(
'file',
async (fieldname, file, filename, encoding, mimeType) => {
try {
meta.mimeType = mimeType || 'application/octet-stream';
await storage.set(newId, file, filename, meta);
const protocol = config.env === 'production' ? 'https' : req.protocol;
const url = `${protocol}://${req.get('host')}/download/${newId}/`;
res.json({
url,
delete: meta.delete,
id: newId
});
} catch (e) {
log.error('upload', e);
if (e.message === 'limit') {
return res.sendStatus(413);
}
res.sendStatus(500);
req.busboy.on('file', async (fieldname, file) => {
try {
await storage.set(newId, file, meta);
const protocol = config.env === 'production' ? 'https' : req.protocol;
const url = `${protocol}://${req.get('host')}/download/${newId}/`;
res.set('WWW-Authenticate', `send-v1 ${meta.nonce}`);
res.json({
url,
delete: meta.delete,
id: newId
});
} catch (e) {
log.error('upload', e);
if (e.message === 'limit') {
return res.sendStatus(413);
}
res.sendStatus(500);
}
);
});
req.on('close', async err => {
try {

17
server/storage.js
View file

@ -29,7 +29,6 @@ const fileDir = config.file_dir;
if (config.s3_bucket) {
module.exports = {
filename: filename,
exists: exists,
ttl: ttl,
length: awsLength,
@ -47,7 +46,6 @@ if (config.s3_bucket) {
mkdirp.sync(config.file_dir);
log.info('fileDir', fileDir);
module.exports = {
filename: filename,
exists: exists,
ttl: ttl,
length: localLength,
@ -93,17 +91,6 @@ function ttl(id) {
});
}
function filename(id) {
return new Promise((resolve, reject) => {
redis_client.hget(id, 'filename', (err, reply) => {
if (err || !reply) {
return reject();
}
resolve(reply);
});
});
}
function exists(id) {
return new Promise((resolve, reject) => {
redis_client.exists(id, (rediserr, reply) => {
@ -134,7 +121,7 @@ function localGet(id) {
return fs.createReadStream(path.join(fileDir, id));
}
function localSet(newId, file, filename, meta) {
function localSet(newId, file, meta) {
return new Promise((resolve, reject) => {
const filepath = path.join(fileDir, newId);
const fstream = fs.createWriteStream(filepath);
@ -216,7 +203,7 @@ function awsGet(id) {
}
}
function awsSet(newId, file, filename, meta) {
function awsSet(newId, file, meta) {
const params = {
Bucket: config.s3_bucket,
Key: newId,