src/middleware/assert.js

'use strict';

/**
 * The middlewares here strictly act to "assert" validity of the incoming
 * payload and throw an error otherwise.
 */

const path = require('path');
const nconf = require('nconf');

const db = require('../database');
const file = require('../file');
const user = require('../user');
const groups = require('../groups');
const topics = require('../topics');
const posts = require('../posts');
const messaging = require('../messaging');
const slugify = require('../slugify');

const helpers = require('./helpers');
const controllerHelpers = require('../controllers/helpers');

const Assert = module.exports;

Assert.user = helpers.try(async (req, res, next) => {
	if (!await user.exists(req.params.uid)) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));
	}

	next();
});

Assert.group = helpers.try(async (req, res, next) => {
	const name = await groups.getGroupNameByGroupSlug(req.params.slug);
	if (!name || !await groups.exists(name)) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-group]]'));
	}

	next();
});

Assert.topic = helpers.try(async (req, res, next) => {
	if (!await topics.exists(req.params.tid)) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
	}

	next();
});

Assert.post = helpers.try(async (req, res, next) => {
	if (!await posts.exists(req.params.pid)) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-post]]'));
	}

	next();
});

Assert.flag = helpers.try(async (req, res, next) => {
	if (!await db.isSortedSetMember('flags:datetime', req.params.flagId)) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-flag]]'));
	}

	next();
});

Assert.path = helpers.try(async (req, res, next) => {
	// file: URL support
	if (req.body.path.startsWith('file:///')) {
		req.body.path = new URL(req.body.path).pathname;
	}

	// Strip upload_url if found
	if (req.body.path.startsWith(nconf.get('upload_url'))) {
		req.body.path = req.body.path.slice(nconf.get('upload_url').length);
	}

	const pathToFile = path.join(nconf.get('upload_path'), req.body.path);
	res.locals.cleanedPath = pathToFile;

	// Guard against path traversal
	if (!pathToFile.startsWith(nconf.get('upload_path'))) {
		return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
	}

	if (!await file.exists(pathToFile)) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));
	}

	next();
});

Assert.folderName = helpers.try(async (req, res, next) => {
	const folderName = slugify(path.basename(req.body.folderName.trim()));
	const folderPath = path.join(res.locals.cleanedPath, folderName);

	// slugify removes invalid characters, folderName may become empty
	if (!folderName) {
		return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
	}
	if (await file.exists(folderPath)) {
		return controllerHelpers.formatApiResponse(403, res, new Error('[[error:folder-exists]]'));
	}

	res.locals.folderPath = folderPath;

	next();
});

Assert.room = helpers.try(async (req, res, next) => {
	if (!isFinite(req.params.roomId)) {
		return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-data]]'));
	}

	const [exists, inRoom] = await Promise.all([
		await messaging.roomExists(req.params.roomId),
		await messaging.isUserInRoom(req.uid, req.params.roomId),
	]);

	if (!exists) {
		return controllerHelpers.formatApiResponse(404, res, new Error('[[error:chat-room-does-not-exist]]'));
	}

	if (!inRoom) {
		return controllerHelpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]'));
	}

	next();
});

Assert.message = helpers.try(async (req, res, next) => {
	if (
		!isFinite(req.params.mid) ||
		!(await messaging.messageExists(req.params.mid)) ||
		!(await messaging.canViewMessage(req.params.mid, req.params.roomId, req.uid))
	) {
		return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-mid]]'));
	}

	next();
});
feat(writeapi): added group joining and deletion 2020-10-01 14:11:59 -04:00			`'use strict';`

			`/**`
			`* The middlewares here strictly act to "assert" validity of the incoming`
			`* payload and throw an error otherwise.`
			`*/`

feat(writeapi): file deletion route 2020-10-08 12:00:06 -04:00			`const path = require('path');`
			`const nconf = require('nconf');`

Flags API (#9666) * feat: new routes for flags API + flag get + flag creation, migration from socket method + flag update, migration from socket method * fixed bug where you could not unassign someone from a flag * feat: tests for new flags API added missing files for schema update * fix: flag tests to use Write API instead of sockets * feat: flag notes API + tests * chore: remove debug line * test: fix breaking test on mongo 2021-07-16 13:44:42 -04:00			`const db = require('../database');`
fix: use file lib instead of directly accessing fs (for Assert.path) 2020-12-03 07:41:14 -05:00			`const file = require('../file');`
fix(writeapi): calls to profile editing routes 200 even if user DNE 2020-10-01 19:37:13 -04:00			`const user = require('../user');`
feat(writeapi): added group joining and deletion 2020-10-01 14:11:59 -04:00			`const groups = require('../groups');`
feat(writeapi): topic posting and replying 2020-10-01 14:26:34 -04:00			`const topics = require('../topics');`
feat(writeapi): post delete/restore/purge 2020-10-06 14:12:02 -04:00			`const posts = require('../posts');`
feat: stub code for v3 chats api 2021-12-10 17:16:54 -05:00			`const messaging = require('../messaging');`
feat: create folders in ACP uploads #9638 (#9750) * feat: create folders in ACP uploads #9638 * fix: openapi * test: missing tests * fix: eslint * fix: tests 2021-08-31 16:27:00 +03:00			`const slugify = require('../slugify');`
feat(writeapi): topic posting and replying 2020-10-01 14:26:34 -04:00
feat(writeapi): file deletion route 2020-10-08 12:00:06 -04:00			`const helpers = require('./helpers');`
			`const controllerHelpers = require('../controllers/helpers');`
feat(writeapi): added group joining and deletion 2020-10-01 14:11:59 -04:00
refactor: middleware.assert.* 2020-10-08 13:56:50 -04:00			`const Assert = module.exports;`

			`Assert.user = helpers.try(async (req, res, next) => {`
			`if (!await user.exists(req.params.uid)) {`
			`return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));`
			`}`

			`next();`
			`});`

			`Assert.group = helpers.try(async (req, res, next) => {`
			`const name = await groups.getGroupNameByGroupSlug(req.params.slug);`
			`if (!name \|\| !await groups.exists(name)) {`
			`return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-group]]'));`
			`}`

			`next();`
			`});`

			`Assert.topic = helpers.try(async (req, res, next) => {`
			`if (!await topics.exists(req.params.tid)) {`
			`return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));`
			`}`

			`next();`
			`});`

			`Assert.post = helpers.try(async (req, res, next) => {`
			`if (!await posts.exists(req.params.pid)) {`
refactor(api): post move to write API 2021-01-18 15:31:14 -05:00			`return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-post]]'));`
refactor: middleware.assert.* 2020-10-08 13:56:50 -04:00			`}`

			`next();`
			`});`

Flags API (#9666) * feat: new routes for flags API + flag get + flag creation, migration from socket method + flag update, migration from socket method * fixed bug where you could not unassign someone from a flag * feat: tests for new flags API added missing files for schema update * fix: flag tests to use Write API instead of sockets * feat: flag notes API + tests * chore: remove debug line * test: fix breaking test on mongo 2021-07-16 13:44:42 -04:00			`Assert.flag = helpers.try(async (req, res, next) => {`
			`if (!await db.isSortedSetMember('flags:datetime', req.params.flagId)) {`
			`return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-flag]]'));`
			`}`

			`next();`
			`});`

refactor: middleware.assert.* 2020-10-08 13:56:50 -04:00			`Assert.path = helpers.try(async (req, res, next) => {`
			`// file: URL support`
			`if (req.body.path.startsWith('file:///')) {`
			`req.body.path = new URL(req.body.path).pathname;`
			`}`

feat: more work on topic thumbs refactor - addThumb and deleteThumb are now protected routes (duh) - new getThumbs route GET /api/v3/topics/<tid>/thumbs - Updated `assert.path` middleware to better handle if relative paths are received with upload_url - Slight refactor of thumbs lib to use validator to differentiate between tid and UUID 2020-12-03 15:04:23 -05:00			`// Strip upload_url if found`
			`if (req.body.path.startsWith(nconf.get('upload_url'))) {`
			`req.body.path = req.body.path.slice(nconf.get('upload_url').length);`
			`}`

refactor: middleware.assert.* 2020-10-08 13:56:50 -04:00			`const pathToFile = path.join(nconf.get('upload_path'), req.body.path);`
			`res.locals.cleanedPath = pathToFile;`

fix: use file lib instead of directly accessing fs (for Assert.path) 2020-12-03 07:41:14 -05:00			`// Guard against path traversal`
refactor: middleware.assert.* 2020-10-08 13:56:50 -04:00			`if (!pathToFile.startsWith(nconf.get('upload_path'))) {`
			`return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));`
			`}`

fix: use file lib instead of directly accessing fs (for Assert.path) 2020-12-03 07:41:14 -05:00			`if (!await file.exists(pathToFile)) {`
refactor: middleware.assert.* 2020-10-08 13:56:50 -04:00			`return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));`
			`}`

			`next();`
			`});`
feat: create folders in ACP uploads #9638 (#9750) * feat: create folders in ACP uploads #9638 * fix: openapi * test: missing tests * fix: eslint * fix: tests 2021-08-31 16:27:00 +03:00
			`Assert.folderName = helpers.try(async (req, res, next) => {`
			`const folderName = slugify(path.basename(req.body.folderName.trim()));`
			`const folderPath = path.join(res.locals.cleanedPath, folderName);`

			`// slugify removes invalid characters, folderName may become empty`
			`if (!folderName) {`
			`return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));`
			`}`
			`if (await file.exists(folderPath)) {`
			`return controllerHelpers.formatApiResponse(403, res, new Error('[[error:folder-exists]]'));`
			`}`

			`res.locals.folderPath = folderPath;`

			`next();`
			`});`
feat: stub code for v3 chats api 2021-12-10 17:16:54 -05:00
			`Assert.room = helpers.try(async (req, res, next) => {`
fix: isFinite check for room assertion, more test migrating 2021-12-16 10:46:58 -05:00			`if (!isFinite(req.params.roomId)) {`
			`return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-data]]'));`
			`}`

feat: stub code for v3 chats api 2021-12-10 17:16:54 -05:00			`const [exists, inRoom] = await Promise.all([`
			`await messaging.roomExists(req.params.roomId),`
			`await messaging.isUserInRoom(req.uid, req.params.roomId),`
			`]);`

			`if (!exists) {`
			`return controllerHelpers.formatApiResponse(404, res, new Error('[[error:chat-room-does-not-exist]]'));`
			`}`

			`if (!inRoom) {`
			`return controllerHelpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]'));`
			`}`

			`next();`
			`});`
feat: middleware.assert.message 2021-12-20 14:32:45 -05:00
			`Assert.message = helpers.try(async (req, res, next) => {`
fix: assertion check to ensure messages are in the room when editing/deleting, etc 2021-12-22 14:58:42 -05:00			`if (`
			`!isFinite(req.params.mid) \|\|`
			`!(await messaging.messageExists(req.params.mid)) \|\|`
			`!(await messaging.canViewMessage(req.params.mid, req.params.roomId, req.uid))`
			`) {`
feat: middleware.assert.message 2021-12-20 14:32:45 -05:00			`return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-mid]]'));`
			`}`

			`next();`
			`});`