1
0
mirror of https://github.com/stonith404/pingvin-share.git synced 2024-11-05 15:30:14 +01:00

feat: improve share security

This commit is contained in:
Elias Schneider 2022-10-13 23:23:33 +02:00
parent d9e5c286e3
commit 6358ac3918
15 changed files with 219 additions and 158 deletions

View File

@ -27,6 +27,7 @@ export class AuthController {
} }
@Post("signIn") @Post("signIn")
@HttpCode(200)
signIn(@Body() dto: AuthSignInDTO) { signIn(@Body() dto: AuthSignInDTO) {
return this.authService.signIn(dto); return this.authService.signIn(dto);
} }

View File

@ -100,12 +100,12 @@ export class FileService {
); );
} }
verifyFileDownloadToken(shareId: string, fileId: string, token: string) { verifyFileDownloadToken(shareId: string, token: string) {
try { try {
const claims = this.jwtService.verify(token, { const claims = this.jwtService.verify(token, {
secret: this.config.get("JWT_SECRET"), secret: this.config.get("JWT_SECRET"),
}); });
return claims.shareId == shareId && claims.fileId == fileId; return claims.shareId == shareId;
} catch { } catch {
return false; return false;
} }

View File

@ -1,23 +1,17 @@
import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common"; import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
import { Reflector } from "@nestjs/core";
import { Request } from "express"; import { Request } from "express";
import { FileService } from "src/file/file.service"; import { FileService } from "src/file/file.service";
import { PrismaService } from "src/prisma/prisma.service";
@Injectable() @Injectable()
export class FileDownloadGuard implements CanActivate { export class FileDownloadGuard implements CanActivate {
constructor( constructor(private fileService: FileService) {}
private reflector: Reflector,
private fileService: FileService,
private prisma: PrismaService
) {}
async canActivate(context: ExecutionContext) { async canActivate(context: ExecutionContext) {
const request: Request = context.switchToHttp().getRequest(); const request: Request = context.switchToHttp().getRequest();
const token = request.query.token as string; const token = request.query.token as string;
const { shareId, fileId } = request.params; const { shareId } = request.params;
return this.fileService.verifyFileDownloadToken(shareId, fileId, token); return this.fileService.verifyFileDownloadToken(shareId, token);
} }
} }

View File

@ -1,5 +1,5 @@
import { Type } from "class-transformer"; import { Type } from "class-transformer";
import { IsString, Matches, ValidateNested } from "class-validator"; import { IsString, Length, Matches, ValidateNested } from "class-validator";
import { ShareSecurityDTO } from "./shareSecurity.dto"; import { ShareSecurityDTO } from "./shareSecurity.dto";
export class CreateShareDTO { export class CreateShareDTO {
@ -7,6 +7,7 @@ export class CreateShareDTO {
@Matches("^[a-zA-Z0-9_-]*$", undefined, { @Matches("^[a-zA-Z0-9_-]*$", undefined, {
message: "ID only can contain letters, numbers, underscores and hyphens", message: "ID only can contain letters, numbers, underscores and hyphens",
}) })
@Length(3, 50)
id: string; id: string;
@IsString() @IsString()

View File

@ -1,6 +1,5 @@
import { IsNotEmpty } from "class-validator"; import { IsNotEmpty } from "class-validator";
export class SharePasswordDto { export class SharePasswordDto {
@IsNotEmpty()
password: string; password: string;
} }

View File

@ -1,16 +1,16 @@
import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common"; import {
import { Reflector } from "@nestjs/core"; CanActivate,
ExecutionContext,
Injectable,
NotFoundException,
} from "@nestjs/common";
import { User } from "@prisma/client"; import { User } from "@prisma/client";
import { Request } from "express"; import { Request } from "express";
import { ExtractJwt } from "passport-jwt";
import { PrismaService } from "src/prisma/prisma.service"; import { PrismaService } from "src/prisma/prisma.service";
import { ShareService } from "src/share/share.service";
@Injectable() @Injectable()
export class ShareOwnerGuard implements CanActivate { export class ShareOwnerGuard implements CanActivate {
constructor( constructor(private prisma: PrismaService) {}
private prisma: PrismaService
) {}
async canActivate(context: ExecutionContext) { async canActivate(context: ExecutionContext) {
const request: Request = context.switchToHttp().getRequest(); const request: Request = context.switchToHttp().getRequest();
@ -26,7 +26,7 @@ export class ShareOwnerGuard implements CanActivate {
include: { security: true }, include: { security: true },
}); });
if (!share) throw new NotFoundException("Share not found");
return share.creatorId == (request.user as User).id; return share.creatorId == (request.user as User).id;
} }

View File

@ -21,6 +21,7 @@ export class ShareSecurityGuard implements CanActivate {
async canActivate(context: ExecutionContext) { async canActivate(context: ExecutionContext) {
const request: Request = context.switchToHttp().getRequest(); const request: Request = context.switchToHttp().getRequest();
const shareToken = request.get("X-Share-Token");
const shareId = Object.prototype.hasOwnProperty.call( const shareId = Object.prototype.hasOwnProperty.call(
request.params, request.params,
"shareId" "shareId"
@ -36,19 +37,15 @@ export class ShareSecurityGuard implements CanActivate {
if (!share || moment().isAfter(share.expiration)) if (!share || moment().isAfter(share.expiration))
throw new NotFoundException("Share not found"); throw new NotFoundException("Share not found");
if (!share.security) return true; if (share.security?.password && !shareToken)
if (share.security.maxViews && share.security.maxViews <= share.views)
throw new ForbiddenException(
"Maximum views exceeded",
"share_max_views_exceeded"
);
if (
!this.shareService.verifyShareToken(shareId, request.get("X-Share-Token"))
)
throw new ForbiddenException( throw new ForbiddenException(
"This share is password protected", "This share is password protected",
"share_password_required"
);
if (!this.shareService.verifyShareToken(shareId, shareToken))
throw new ForbiddenException(
"Share token required",
"share_token_required" "share_token_required"
); );

View File

@ -0,0 +1,47 @@
import {
CanActivate,
ExecutionContext,
ForbiddenException,
Injectable,
NotFoundException,
} from "@nestjs/common";
import { Reflector } from "@nestjs/core";
import { Request } from "express";
import * as moment from "moment";
import { PrismaService } from "src/prisma/prisma.service";
import { ShareService } from "src/share/share.service";
@Injectable()
export class ShareTokenSecurity implements CanActivate {
constructor(
private reflector: Reflector,
private shareService: ShareService,
private prisma: PrismaService
) {}
async canActivate(context: ExecutionContext) {
const request: Request = context.switchToHttp().getRequest();
const shareId = Object.prototype.hasOwnProperty.call(
request.params,
"shareId"
)
? request.params.shareId
: request.params.id;
const share = await this.prisma.share.findUnique({
where: { id: shareId },
include: { security: true },
});
if (!share || moment().isAfter(share.expiration))
throw new NotFoundException("Share not found");
if (share.security?.maxViews && share.security.maxViews <= share.views)
throw new ForbiddenException(
"Maximum views exceeded",
"share_max_views_exceeded"
);
return true;
}
}

View File

@ -18,6 +18,7 @@ import { ShareMetaDataDTO } from "./dto/shareMetaData.dto";
import { SharePasswordDto } from "./dto/sharePassword.dto"; import { SharePasswordDto } from "./dto/sharePassword.dto";
import { ShareOwnerGuard } from "./guard/shareOwner.guard"; import { ShareOwnerGuard } from "./guard/shareOwner.guard";
import { ShareSecurityGuard } from "./guard/shareSecurity.guard"; import { ShareSecurityGuard } from "./guard/shareSecurity.guard";
import { ShareTokenSecurity } from "./guard/shareTokenSecurity.guard";
import { ShareService } from "./share.service"; import { ShareService } from "./share.service";
@Controller("shares") @Controller("shares")
@ -68,11 +69,10 @@ export class ShareController {
return this.shareService.isShareIdAvailable(id); return this.shareService.isShareIdAvailable(id);
} }
@Post(":id/password") @HttpCode(200)
async exchangeSharePasswordWithToken( @UseGuards(ShareTokenSecurity)
@Param("id") id: string, @Post(":id/token")
@Body() body: SharePasswordDto async getShareToken(@Param("id") id: string, @Body() body: SharePasswordDto) {
) { return this.shareService.getShareToken(id, body.password);
return this.shareService.exchangeSharePasswordWithToken(id, body.password);
} }
} }

View File

@ -76,6 +76,9 @@ export class ShareService {
} }
async complete(id: string) { async complete(id: string) {
if (await this.isShareCompleted(id))
throw new BadRequestException("Share already completed");
const moreThanOneFileInShare = const moreThanOneFileInShare =
(await this.prisma.file.findMany({ where: { shareId: id } })).length != 0; (await this.prisma.file.findMany({ where: { shareId: id } })).length != 0;
@ -117,8 +120,6 @@ export class ShareService {
return file; return file;
}); });
await this.increaseViewCount(share);
return share; return share;
} }
@ -160,27 +161,36 @@ export class ShareService {
}); });
} }
async exchangeSharePasswordWithToken(shareId: string, password: string) { async getShareToken(shareId: string, password: string) {
const sharePassword = ( const share = await this.prisma.share.findFirst({
await this.prisma.shareSecurity.findFirst({ where: { id: shareId },
where: { share: { id: shareId } }, include: {
}) security: true,
).password; },
});
if (!(await argon.verify(sharePassword, password))) if (
share?.security?.password &&
!(await argon.verify(share.security.password, password))
)
throw new ForbiddenException("Wrong password"); throw new ForbiddenException("Wrong password");
const token = this.generateShareToken(shareId); const token = await this.generateShareToken(shareId);
await this.increaseViewCount(share);
return { token }; return { token };
} }
generateShareToken(shareId: string) { async generateShareToken(shareId: string) {
const { expiration } = await this.prisma.share.findUnique({
where: { id: shareId },
});
console.log(moment(expiration).diff(new Date(), "seconds"));
return this.jwtService.sign( return this.jwtService.sign(
{ {
shareId, shareId,
}, },
{ {
expiresIn: "1h", expiresIn: moment(expiration).diff(new Date(), "seconds") + "s",
secret: this.config.get("JWT_SECRET"), secret: this.config.get("JWT_SECRET"),
} }
); );

View File

@ -31,7 +31,7 @@ const CreateUploadModalBody = ({
.string() .string()
.required() .required()
.min(3) .min(3)
.max(100) .max(50)
.matches(new RegExp("^[a-zA-Z0-9_-]*$"), { .matches(new RegExp("^[a-zA-Z0-9_-]*$"), {
message: "Can only contain letters, numbers, underscores and hyphens", message: "Can only contain letters, numbers, underscores and hyphens",
}), }),

View File

@ -25,7 +25,7 @@ const DownloadAllButton = ({ shareId }: { shareId: string }) => {
setIsZipReady(share.isZipReady); setIsZipReady(share.isZipReady);
if (share.isZipReady) clearInterval(timer); if (share.isZipReady) clearInterval(timer);
}) })
.catch(() => {}); .catch(() => clearInterval(timer));
}, 5000); }, 5000);
return () => { return () => {
clearInterval(timer); clearInterval(timer);

View File

@ -14,9 +14,11 @@ import { useClipboard } from "@mantine/hooks";
import { useModals } from "@mantine/modals"; import { useModals } from "@mantine/modals";
import { NextLink } from "@mantine/next"; import { NextLink } from "@mantine/next";
import moment from "moment"; import moment from "moment";
import { useEffect, useState } from "react"; import { useRouter } from "next/router";
import { useState } from "react";
import { Link, Trash } from "tabler-icons-react"; import { Link, Trash } from "tabler-icons-react";
import Meta from "../../components/Meta"; import Meta from "../../components/Meta";
import useUser from "../../hooks/user.hook";
import shareService from "../../services/share.service"; import shareService from "../../services/share.service";
import { MyShare } from "../../types/share.type"; import { MyShare } from "../../types/share.type";
import toast from "../../utils/toast.util"; import toast from "../../utils/toast.util";
@ -24,13 +26,18 @@ import toast from "../../utils/toast.util";
const MyShares = () => { const MyShares = () => {
const modals = useModals(); const modals = useModals();
const clipboard = useClipboard(); const clipboard = useClipboard();
const router = useRouter();
const user = useUser();
const [shares, setShares] = useState<MyShare[]>(); const [shares, setShares] = useState<MyShare[]>();
useEffect(() => { // useEffect(() => {
shareService.getMyShares().then((shares) => setShares(shares)); // shareService.getMyShares().then((shares) => setShares(shares));
}, []); // }, []);
if (!user) {
router.replace("/");
} else {
if (!shares) return <LoadingOverlay visible />; if (!shares) return <LoadingOverlay visible />;
return ( return (
<> <>
@ -77,7 +84,9 @@ const MyShares = () => {
clipboard.copy( clipboard.copy(
`${window.location.origin}/share/${share.id}` `${window.location.origin}/share/${share.id}`
); );
toast.success("Your link was copied to the keyboard."); toast.success(
"Your link was copied to the keyboard."
);
}} }}
> >
<Link /> <Link />
@ -118,6 +127,7 @@ const MyShares = () => {
)} )}
</> </>
); );
}
}; };
export default MyShares; export default MyShares;

View File

@ -15,12 +15,21 @@ const Share = () => {
const shareId = router.query.shareId as string; const shareId = router.query.shareId as string;
const [fileList, setFileList] = useState<any[]>([]); const [fileList, setFileList] = useState<any[]>([]);
const submitPassword = async (password: string) => { const getShareToken = async (password?: string) => {
await shareService await shareService
.exchangeSharePasswordWithToken(shareId, password) .getShareToken(shareId, password)
.then(() => { .then(() => {
modals.closeAll(); modals.closeAll();
getFiles(); getFiles();
})
.catch((e) => {
if (e.response.data.error == "share_max_views_exceeded") {
showErrorModal(
modals,
"Visitor limit exceeded",
"The visitor limit from this share has been exceeded."
);
}
}); });
}; };
@ -38,14 +47,10 @@ const Share = () => {
"Not found", "Not found",
"This share can't be found. Please check your link." "This share can't be found. Please check your link."
); );
} else if (error == "share_password_required") {
showEnterPasswordModal(modals, getShareToken);
} else if (error == "share_token_required") { } else if (error == "share_token_required") {
showEnterPasswordModal(modals, submitPassword); getShareToken();
} else if (error == "share_max_views_exceeded") {
showErrorModal(
modals,
"Visitor limit exceeded",
"The visitor limit from this share has been exceeded."
);
} else if (error == "forbidden") { } else if (error == "forbidden") {
showErrorModal( showErrorModal(
modals, modals,
@ -69,9 +74,7 @@ const Share = () => {
description="Look what I've shared with you." description="Look what I've shared with you."
/> />
<Group position="right" mb="lg"> <Group position="right" mb="lg">
<DownloadAllButton <DownloadAllButton shareId={shareId} />
shareId={shareId}
/>
</Group> </Group>
<FileList <FileList
files={fileList} files={fileList}

View File

@ -44,9 +44,8 @@ const getMyShares = async (): Promise<MyShare[]> => {
return (await api.get("shares")).data; return (await api.get("shares")).data;
}; };
const exchangeSharePasswordWithToken = async (id: string, password: string) => { const getShareToken = async (id: string, password?: string) => {
const { token } = (await api.post(`/shares/${id}/password`, { password })) const { token } = (await api.post(`/shares/${id}/token`, { password })).data;
.data;
localStorage.setItem(`share_${id}_token`, token); localStorage.setItem(`share_${id}_token`, token);
}; };
@ -87,7 +86,7 @@ const uploadFile = async (
export default { export default {
create, create,
completeShare, completeShare,
exchangeSharePasswordWithToken, getShareToken,
get, get,
remove, remove,
getMetaData, getMetaData,