Add optional password to the download url

2017-08-31 09:43:36 -07:00 · 2017-08-31 09:43:36 -07:00 · bc24a069da
commit bc24a069da
parent 837747f8f7
28 changed files with 805 additions and 241 deletions
--- a/server/routes/upload.js
+++ b/server/routes/upload.js
@ -5,55 +5,42 @@ const mozlog = require('../log');

 const log = mozlog('send.upload');

-const validateIV = route_id => {
-  return route_id.match(/^[0-9a-fA-F]{24}$/) !== null;
-};
-
 module.exports = function(req, res) {
  const newId = crypto.randomBytes(5).toString('hex');
-  let meta;
-
-  try {
-    meta = JSON.parse(req.header('X-File-Metadata'));
-  } catch (e) {
-    res.sendStatus(400);
-    return;
+  const metadata = req.header('X-File-Metadata');
+  const auth = req.header('Authorization');
+  if (!metadata || !auth) {
+    return res.sendStatus(400);
  }

-  if (
-    !meta.hasOwnProperty('id') ||
-    !meta.hasOwnProperty('filename') ||
-    !validateIV(meta.id)
-  ) {
-    res.sendStatus(404);
-    return;
-  }
-
-  meta.delete = crypto.randomBytes(10).toString('hex');
+  const meta = {
+    delete: crypto.randomBytes(10).toString('hex'),
+    metadata,
+    pwd: 0,
+    auth: auth.split(' ')[1],
+    nonce: crypto.randomBytes(16).toString('base64')
+  };
  req.pipe(req.busboy);

-  req.busboy.on(
-    'file',
-    async (fieldname, file, filename, encoding, mimeType) => {
-      try {
-        meta.mimeType = mimeType || 'application/octet-stream';
-        await storage.set(newId, file, filename, meta);
-        const protocol = config.env === 'production' ? 'https' : req.protocol;
-        const url = `${protocol}://${req.get('host')}/download/${newId}/`;
-        res.json({
-          url,
-          delete: meta.delete,
-          id: newId
-        });
-      } catch (e) {
-        log.error('upload', e);
-        if (e.message === 'limit') {
-          return res.sendStatus(413);
-        }
-        res.sendStatus(500);
+  req.busboy.on('file', async (fieldname, file) => {
+    try {
+      await storage.set(newId, file, meta);
+      const protocol = config.env === 'production' ? 'https' : req.protocol;
+      const url = `${protocol}://${req.get('host')}/download/${newId}/`;
+      res.set('WWW-Authenticate', `send-v1 ${meta.nonce}`);
+      res.json({
+        url,
+        delete: meta.delete,
+        id: newId
+      });
+    } catch (e) {
+      log.error('upload', e);
+      if (e.message === 'limit') {
+        return res.sendStatus(413);
      }
+      res.sendStatus(500);
    }
-  );
+  });

  req.on('close', async err => {
    try {