added hmac auth to report route

2025-10-05 10:29:26 +02:00 · 2020-07-25 15:36:09 -07:00 · 2020-07-25 15:36:09 -07:00 · d9cbe058ab
commit d9cbe058ab
parent 2f6119e2f1
7 changed files with 39 additions and 50 deletions
--- a/server/routes/index.js
+++ b/server/routes/index.js
@ -127,7 +127,7 @@ module.exports = function(app) {
    require('./params')
  );
  app.post(`/api/info/:id${ID_REGEX}`, auth.owner, require('./info'));
-  app.post(`/api/report/:id${ID_REGEX}`, require('./report'));
+  app.post(`/api/report/:id${ID_REGEX}`, auth.hmac, require('./report'));
  app.post('/api/metrics', require('./metrics'));
  app.get('/__version__', function(req, res) {
    // eslint-disable-next-line node/no-missing-require
--- a/server/routes/report.js
+++ b/server/routes/report.js
@ -1,38 +1,21 @@
 const storage = require('../storage');
-const Keychain = require('../keychain');
 const { statReportEvent } = require('../amplitude');

 module.exports = async function(req, res) {
  try {
    const id = req.params.id;
    const meta = await storage.metadata(id);
-    if (meta.flagged) {
-      return res.sendStatus(200);
-    }
-    try {
-      const key = req.body.key;
-      const keychain = new Keychain(key);
-      const metadata = await keychain.decryptMetadata(
-        Buffer.from(meta.metadata, 'base64')
-      );
-      if (metadata.manifest) {
-        storage.flag(id, key);
-        statReportEvent({
-          id,
-          ip: req.ip,
-          owner: meta.owner,
-          reason: req.body.reason,
-          download_limit: meta.dlimit,
-          download_count: meta.dl,
-          agent: req.ua.browser.name || req.ua.ua.substring(0, 6)
-        });
-        return res.sendStatus(200);
-      }
-      res.sendStatus(400);
-    } catch (e) {
-      console.error(e);
-      res.sendStatus(400);
-    }
+    storage.flag(id);
+    statReportEvent({
+      id,
+      ip: req.ip,
+      owner: meta.owner,
+      reason: req.body.reason,
+      download_limit: meta.dlimit,
+      download_count: meta.dl,
+      agent: req.ua.browser.name || req.ua.ua.substring(0, 6)
+    });
+    res.sendStatus(200);
  } catch (e) {
    res.sendStatus(404);
  }
--- a/server/storage/index.js
+++ b/server/storage/index.js
@ -80,14 +80,16 @@ class DB {
  }

  async kill(id) {
-    const { filePath } = await this.getPrefixedInfo(id);
-    this.storage.del(filePath);
-    this.redis.hset(id, 'dead', 1);
+    const { filePath, dead } = await this.getPrefixedInfo(id);
+    if (!dead) {
+      this.storage.del(filePath);
+      this.redis.hset(id, 'dead', 1);
+    }
  }

-  async flag(id, key) {
+  async flag(id) {
    await this.kill(id);
-    this.redis.hmset(id, { flagged: 1, key });
+    this.redis.hset(id, 'flagged', 1);
  }

  async del(id) {