From 7d57961ab20dc56c93b97ccd5bc9724ae55730a4 Mon Sep 17 00:00:00 2001
From: zadam
Date: Sun, 7 Jul 2019 13:12:40 +0200
Subject: [PATCH] make clipper api authenticated for server and unauthenticated for local electron

---
 src/routes/api/clipper.js | 20 +++++++++++++++-----
 src/routes/routes.js | 18 +++++++++++-------
 src/services/auth.js | 4 ++--
 3 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/src/routes/api/clipper.js b/src/routes/api/clipper.js
index 38cf6e1d2..5424f00c1 100644
--- a/src/routes/api/clipper.js
+++ b/src/routes/api/clipper.js
@@ -7,6 +7,7 @@ const imageService = require('../../services/image');
 const appInfo = require('../../services/app_info');
 const messagingService = require('../../services/messaging');
 const log = require('../../services/log');
+const utils = require('../../services/utils');
 const path = require('path');
 const Link = require('../../entities/link');
 
@@ -144,12 +145,21 @@ async function createImage(req) {
 }
 
 async function openNote(req) {
- messagingService.sendMessageToAllClients({
- type: 'open-note',
- noteId: req.params.noteId
- });
+ if (utils.isElectron()) {
+ messagingService.sendMessageToAllClients({
+ type: 'open-note',
+ noteId: req.params.noteId
+ });
 
- return {};
+ return {
+ result: 'ok'
+ };
+ }
+ else {
+ return {
+ result: 'open-in-browser'
+ }
+ }
 }
 
 async function handshake() {
diff --git a/src/routes/routes.js b/src/routes/routes.js
index eabb7319c..702dc53d6 100644
--- a/src/routes/routes.js
+++ b/src/routes/routes.js
@@ -1,6 +1,7 @@
 const setupRoute = require('./setup');
 const loginRoute = require('./login');
 const indexRoute = require('./index');
+const utils = require('../services/utils');
 const multer = require('multer')();
 
 // API routes
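Review bot: In the openNote hunk of clipper.js the non-Electron `return { result: 'open-in-browser' }` drops the trailing `;` that the `ok` branch has, and the two branches differ only in the result string plus the broadcast, so `const result = utils.isElectron() ? 'ok' : 'open-in-browser';` with the `sendMessageToAllClients` call under a single `if` would read more simply. The Electron branch forwards `req.params.noteId` to every connected client without checking that such a note exists, and under the routes.js hunk on this page that route is registered with no middleware in the Electron build, so the value reaching `sendMessageToAllClients` is untrusted input; looking the note up first (with whatever note-loading helper the file already requires, if any — none is visible in this hunk) would let the handler return an error instead of broadcasting an arbitrary id. A short comment on the `else` branch would document the contract, e.g. `// server build has no desktop window to drive; the clipper navigates to the note URL itself`.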
@@ -214,8 +215,8 @@ function register(app) {
 
 // no CSRF since this is called from android app
 route(POST, '/api/sender/login', [], loginApiRoute.token, apiResultHandler);
- route(POST, '/api/sender/image', [auth.checkSenderToken, uploadMiddleware], senderRoute.uploadImage, apiResultHandler);
- route(POST, '/api/sender/note', [auth.checkSenderToken], senderRoute.saveNote, apiResultHandler);
+ route(POST, '/api/sender/image', [auth.checkToken, uploadMiddleware], senderRoute.uploadImage, apiResultHandler);
+ route(POST, '/api/sender/note', [auth.checkToken], senderRoute.saveNote, apiResultHandler);
 
 apiRoute(GET, '/api/search/:searchString', searchRoute.searchNotes);
 apiRoute(GET, '/api/search-note/:noteId', searchRoute.searchFromNote);
@@ -225,11 +226,14 @@ function register(app) {
 apiRoute(POST, '/api/login/protected', loginApiRoute.loginToProtectedSession);
 route(POST, '/api/login/token', [], loginApiRoute.token, apiResultHandler);
 
- route(GET, '/api/clipper/handshake', [], clipperRoute.handshake, apiResultHandler);
- route(POST, '/api/clipper/clippings', [], clipperRoute.addClipping, apiResultHandler);
- route(POST, '/api/clipper/notes', [], clipperRoute.createNote, apiResultHandler);
- route(POST, '/api/clipper/image', [], clipperRoute.createImage, apiResultHandler);
- route(POST, '/api/clipper/open/:noteId', [], clipperRoute.openNote, apiResultHandler);
+ // in case of local electron, local calls are allowed unauthenticated, for server they need auth
+ const clipperMiddleware = utils.isElectron() ? [] : [auth.checkToken];
+
+ route(GET, '/api/clipper/handshake', clipperMiddleware, clipperRoute.handshake, apiResultHandler);
+ route(POST, '/api/clipper/clippings', clipperMiddleware, clipperRoute.addClipping, apiResultHandler);
+ route(POST, '/api/clipper/notes', clipperMiddleware, clipperRoute.createNote, apiResultHandler);
+ route(POST, '/api/clipper/image', clipperMiddleware, clipperRoute.createImage, apiResultHandler);
+ route(POST, '/api/clipper/open/:noteId', clipperMiddleware, clipperRoute.openNote, apiResultHandler);
 
 app.use('', router);
 }
diff --git a/src/services/auth.js b/src/services/auth.js
index f9ed65356..6ebd968e3 100644
--- a/src/services/auth.js
+++ b/src/services/auth.js
@@ -56,7 +56,7 @@ async function checkAppNotInitialized(req, res, next) {
 }
 }
 
-async function checkSenderToken(req, res, next) {
+async function checkToken(req, res, next) {
 const token = req.headers.authorization;
 
 if (await sql.getValue("SELECT COUNT(*) FROM api_tokens WHERE isDeleted = 0 AND token = ?", [token]) === 0) {
@@ -89,6 +89,6 @@ module.exports = {
 checkAppInitialized,
 checkAppNotInitialized,
 checkApiAuthOrElectron,
- checkSenderToken,
+ checkToken,
 checkBasicAuth
 };
\ No newline at end of file
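Review bot: The comment above `clipperMiddleware` says "local calls are allowed unauthenticated", but the ternary keys on `utils.isElectron()`, not on where a request comes from: in the Electron build every clipper route is registered with an empty middleware list (and, going by the "no CSRF" remark on the `route`-registered sender routes in the previous hunk, presumably without a CSRF check either), so any client that can reach the listening port — another process on the host, a web page open in a local browser, or a remote host if the socket is not bound to loopback — can create notes, clippings and images without a token. Either the comment should state the real condition, e.g. `// Electron build: clipper routes are open; server build: an API token is required`, or the Electron branch should keep a guard that verifies the request's origin, such as a middleware that rejects non-loopback `req.ip` values. Note also that `utils.isElectron()` is evaluated once at registration time, whereas the existing `checkApiAuthOrElectron` export in auth.js suggests this codebase otherwise makes the Electron-vs-server decision per request inside the middleware; a token-based sibling there would keep that logic in one place (hedged, since that function's body is not in the diff). With the rename in the auth.js hunk, `checkToken` accepts any undeleted row in `api_tokens`, so a token issued for the Android sender now also authorizes the clipper API — acceptable if tokens are meant to be global, but worth saying so in the comment.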