v3: fixed authorization bug with stale tokens, fixed private dump access bug, various small fixes across the app
Some checks failed
Build and Publish Docker Image / build-and-push (push) Failing after 20s
Some checks failed
Build and Publish Docker Image / build-and-push (push) Failing after 20s
This commit is contained in:
@@ -2,6 +2,7 @@ import { Router } from "@oak/oak";
|
||||
import { APIErrorCode, APIException } from "../model/interfaces.ts";
|
||||
import { getDump } from "../services/dump-service.ts";
|
||||
import { DUMPS_DIR } from "../lib/upload.ts";
|
||||
import { verifyJWT } from "../lib/jwt.ts";
|
||||
|
||||
const router = new Router({ prefix: "/api/files" });
|
||||
|
||||
@@ -30,7 +31,12 @@ router.get("/:dumpId", async (ctx) => {
|
||||
throw new APIException(APIErrorCode.BAD_REQUEST, 400, "Invalid dump ID");
|
||||
}
|
||||
|
||||
const dump = getDump(dumpId);
|
||||
// Media elements can't send an Authorization header, so the viewer's token
|
||||
// arrives as a query param (same as the WebSocket route). Needed to authorize
|
||||
// access to private dumps the requester owns.
|
||||
const token = ctx.request.url.searchParams.get("token");
|
||||
const payload = token ? await verifyJWT(token) : null;
|
||||
const dump = getDump(dumpId, payload?.userId);
|
||||
|
||||
if (dump.kind !== "file" || !dump.fileMime || !dump.fileName) {
|
||||
throw new APIException(
|
||||
|
||||
Reference in New Issue
Block a user