From b81cf72ac41f61e48a86d699e12fcfc327cefb14 Mon Sep 17 00:00:00 2001 From: kanadeko Date: Sat, 14 Jan 2017 18:13:58 -0300 Subject: [PATCH] Changed from ip whitelist to token based auth --- .gitignore | 3 ++- README.md | 13 +++++++++---- config.sample.js | 32 ++++++++++++-------------------- controllers/galleryController.js | 10 ++++++---- controllers/uploadController.js | 9 +++++---- lolisafe.js | 5 ++++- package.json | 3 +-- public/js/upload.js | 5 +---- routes/routes.js | 9 +++++---- 9 files changed, 45 insertions(+), 44 deletions(-) diff --git a/.gitignore b/.gitignore index 286b366..dacd765 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ node_modules/ uploads/ logs/ +database/db config.js -db \ No newline at end of file +start.json \ No newline at end of file diff --git a/README.md b/README.md index 4ed8b7a..183b188 100644 --- a/README.md +++ b/README.md @@ -5,9 +5,14 @@ Pomf-like image uploading service, written in NodeJS --- 1. Clone 2. Rename `config.sample.js` to `config.js` -3. Modify port and privacy options if desired -4. run `npm install` to install all dependencies -5. run `node lolisafe.js` to start the service +4. Modify port and token options if desired +3. run `npm install` to install all dependencies +5. run `pm2 start lolisafe.js` or `node lolisafe.js` to start the service + +### Token +This service supports running both as public and private. The only difference is that one needs a token and the other one doesn't. If you want it to be public so anyone can upload files either from the website or API, just leave the token empty on the config file. + +But if you want to run it privately, you need to specify a random string, which you'll need to provide in every API call as a header called `auth`. --- ## Using it 
@@ -18,4 +23,4 @@ A chrome extension to be able to right click images -> send to safe is in the wo If you are using nginx, you should set inside your location block the following directive, replacing the number with the one you want set up `client_max_body_size 512M;` -If using apache, you should change the following directives on your config `memory_limit = 512M` +If using apache, you should change the following directives on your config `RLimitMEM 512M` diff --git a/config.sample.js b/config.sample.js index 3d5a98f..721a065 100644 --- a/config.sample.js +++ b/config.sample.js @@ -2,31 +2,27 @@ module.exports = { /* NOTES: - All folders specified on this file will be created automagically. - Most options shouldn't be touched, and the service should run straight up. - + Ideally the only options you should change are port and basedomain. */ + // Token to use on the api. Leave blank for public + TOKEN: 'YOURSUPERSECRETTOKEN', + // Port on which to run the server port: 9999, - // Upload restrictions - privacy: { - - // Is the service public? If so, anyone with the URL can upload files - public: false, - - // If not, which IP's should be able to access? - IPs: [ - '::1', - '127.0.0.1' - ] - }, - // Uploads config uploads: { + // Where to serve the uploaded files. + basedomain: 'https://i.kanacchi.moe/', + + // If prefix is set, it will be appended at the end of basedomain. + // Ex: https://i.kanacchi.moe/prefix/k4n4.png + // Leave blank to use the basedomain + prefix: '', + // Folder where images should be stored folder: 'uploads', @@ -35,10 +31,6 @@ module.exports = { // The length of the random generated name for the uploaded files fileLength: 4, - - // Prefix before linking an uploaded file. Ex: your-domain.com/prefix/k4n4.png - // Leave blank for no prefix - prefix: '' }, // Folder where to store logs diff --git a/controllers/galleryController.js b/controllers/galleryController.js index a74dde5..39826dd 100644 --- a/controllers/galleryController.js 
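Review bot: The sample config ships a non-empty `TOKEN: 'YOURSUPERSECRETTOKEN'`, so a `config.js` copied from it without edits runs in private mode behind a string that is public in this repository, and anyone who has read the sample passes the check. Ship the sample as `TOKEN: '',` and make the comment say how a real value is produced, e.g. `// Token required in the 'auth' header of every API call. Leave blank for a public instance; otherwise set a long random string (e.g. from crypto.randomBytes), never the sample value.` The README wording ("leave the token empty") should match the code, which treats only the empty string as public.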
+++ b/controllers/galleryController.js @@ -5,8 +5,9 @@ let galleryController = {} galleryController.list = function(req, res, next){ - if(!config.privacy.public) - if(!config.privacy.IPs.includes(req.ip)) return res.status(401).send('not-authorized') + if(config.TOKEN !== '') + if(req.headers.auth !== config.TOKEN) + return res.status(401).send('not-authorized') db.table('gallery').select('id', 'name').then((data) => { res.json({ data }) @@ -15,8 +16,9 @@ galleryController.list = function(req, res, next){ galleryController.test = function(req, res, next){ - if(!config.privacy.public) - if(!config.privacy.IPs.includes(req.ip)) return res.status(401).send('not-authorized') + if(config.TOKEN !== '') + if(req.headers.auth !== config.TOKEN) + return res.status(401).send('not-authorized') let testdata = [ {name: 'Test 1'}, diff --git a/controllers/uploadController.js b/controllers/uploadController.js index 259e824..7754261 100644 --- a/controllers/uploadController.js +++ b/controllers/uploadController.js @@ -22,10 +22,11 @@ const upload = multer({ uploadsController.upload = function(req, res, next){ - let gallery = req.headers.gallery + if(config.TOKEN !== '') + if(req.headers.auth !== config.TOKEN) + return res.status(401).send('not-authorized') - if(!config.privacy.public) - if(!config.privacy.IPs.includes(req.ip)) return res.status(401).send('not-authorized') + let gallery = req.headers.gallery upload(req, res, function (err) { if (err) { @@ -38,7 +39,7 @@ uploadsController.upload = function(req, res, next){ galleryid: gallery }).then(() => { return res.json({ - 'filename': req.file.filename + 'url': config.uploads.basedomain + req.file.filename }) }) diff --git a/lolisafe.js b/lolisafe.js index fdc7769..2e9135d 100644 --- a/lolisafe.js +++ b/lolisafe.js 
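Review bot: The new guard `if(config.TOKEN !== '')` treats only the empty string as "public", so a `config.js` without a `TOKEN` key (undefined) enters the check and `req.headers.auth !== config.TOKEN` then passes for every request that simply omits the header, while requests that send one are rejected. Use `if(config.TOKEN)` here, or validate the config once at startup and refuse to run when `TOKEN` is neither a string nor absent. The same three-line check is pasted into `galleryController.test` below, into `uploadsController.upload`, and into the `/info` route in routes.js; an Express middleware on the API router would keep the comparison in one place and make it easy to replace `!==` with `crypto.timingSafeEqual` over equal-length buffers so the comparison does not leak the token's length or prefix through timing. `galleryController.list`'s body continues past the hunk.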
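Review bot: The response at the end of this hunk replaces the `filename` key with `url`, but `public/js/upload.js` in this same commit still renders `response.filename` (its hunk changes only `a.href`), so the link text will read `undefined` after every upload; return both, `'filename': req.file.filename, 'url': config.uploads.basedomain + req.file.filename`. The URL also concatenates only `basedomain` and the filename, while the new config comment says `prefix` is appended to `basedomain` when set — unless prefix is folded in somewhere this diff does not show, it is never used. `uploadsController.upload` starts before the hunk and continues after it.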
@@ -30,4 +30,7 @@ safe.use(function (err, req, res, next) { res.status(500).end() }) -safe.listen(config.port, () => console.log(`loli-safe started on port ${config.port}`)) \ No newline at end of file +safe.listen(config.port, () => console.log(`loli-safe started on port ${config.port}`)) + +if(config.TOKEN !== '') console.log('Use the following token as the \'auth\' header in your requests to the API: ' + config.TOKEN) +else console.log('Running lolisafe in public mode. No token required.') \ No newline at end of file diff --git a/package.json b/package.json index f4ce9e4..4a8ce8b 100644 --- a/package.json +++ b/package.json @@ -1,9 +1,8 @@ { "name": "loli-safe", "version": "1.0.0", - "description": "Pomf-like uploading service, written in NodeJS", + "description": "Pomf-like uploading service, written in node", "author": "kanadeko", - "main": "lolibank.js", "repository": { "type": "git", "url": "https://github.com/kanadeko/loli-safe" diff --git a/public/js/upload.js b/public/js/upload.js index 4795679..0696af6 100644 --- a/public/js/upload.js +++ b/public/js/upload.js @@ -1,5 +1,4 @@ var maxSize = '512'; -var urlPrefix = ''; var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { @@ -10,8 +9,6 @@ xhr.onreadystatechange = function() { } if(xhr.responseText.maxFileSize) maxSize = xhr.responseText.maxFileSize; - if(xhr.responseText.urlPrefix) - urlPrefix = xhr.responseText.urlPrefix + '/'; } } xhr.open('GET', '/api/info', true); @@ -45,7 +42,7 @@ window.onload = function () { dropzone.on("success", function(file, response) { // Handle the responseText here. For example, add the text to the preview element: a = document.createElement('a'); - a.href = window.location.origin + '/' + urlPrefix + response.filename; + a.href = response.url; a.target = '_blank'; a.innerHTML = response.filename; diff --git a/routes/routes.js b/routes/routes.js index e81b733..23a1a60 100644 --- a/routes/routes.js +++ b/routes/routes.js 
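Review bot: The added startup line prints the token itself to stdout, and the README now recommends `pm2 start`, whose log files retain stdout, so the secret lands in plaintext logs and in anything that ships them elsewhere. Print only the mode, `if(config.TOKEN !== '') console.log('Running lolisafe in private mode. Send the configured token in the \'auth\' header.')`, and let the operator read the value from config.js. The `!== ''` test here has the same gap as in the controllers: an undefined `TOKEN` prints the private-mode message with `undefined` as the token.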
@@ -4,12 +4,13 @@ const uploadController = require('../controllers/uploadController') const galleryController = require('../controllers/galleryController') routes.get ('/info', (req, res, next) => { - if(!config.privacy.public) - if(!config.privacy.IPs.includes(req.ip)) return res.status(401).send('not-authorized') + if(config.TOKEN !== '') + if(req.headers.auth !== config.TOKEN) + return res.status(401).send('not-authorized') + return res.json({ - maxFileSize: config.uploads.maxsize.slice(0, -2), - urlPrefix: config.uploads.prefix + maxFileSize: config.uploads.maxsize.slice(0, -2) }) })