diff --git a/jest.global-setup.js b/jest.global-setup.js
index 075fc38bc..3694e8947 100644
--- a/jest.global-setup.js
+++ b/jest.global-setup.js
@@ -41,7 +41,7 @@ const setSessionUser = (userId, token = 'valid-token') => {
 try {
 const db = getAccountDb();
- const session = db.get('SELECT token FROM sessions WHERE token = ?', [
+ const session = db.first('SELECT token FROM sessions WHERE token = ?', [
 token,
 ]);
 if (!session) {
diff --git a/src/app-admin.js b/src/app-admin.js
index 27589d096..34891200a 100644
--- a/src/app-admin.js
+++ b/src/app-admin.js
@@ -37,7 +37,7 @@ app.get('/users/', validateSessionMiddleware, (req, res) => {
 });
 app.post('/users', validateSessionMiddleware, async (req, res) => {
- if (!isAdmin(res.locals.session.user_id)) {
+ if (!isAdmin(res.locals.user_id)) {
 res.status(403).send({
 status: 'error',
 reason: 'forbidden',
@@ -89,7 +89,7 @@ app.post('/users', validateSessionMiddleware, async (req, res) => {
 });
 app.patch('/users', validateSessionMiddleware, async (req, res) => {
- if (!isAdmin(res.locals.session.user_id)) {
+ if (!isAdmin(res.locals.user_id)) {
 res.status(403).send({
 status: 'error',
 reason: 'forbidden',
@@ -141,7 +141,7 @@ app.patch('/users', validateSessionMiddleware, async (req, res) => {
 });
 app.delete('/users', validateSessionMiddleware, async (req, res) => {
- if (!isAdmin(res.locals.session.user_id)) {
+ if (!isAdmin(res.locals.user_id)) {
 res.status(403).send({
 status: 'error',
 reason: 'forbidden',
@@ -191,8 +191,8 @@ app.get('/access', validateSessionMiddleware, (req, res) => {
 const accesses = UserService.getUserAccess(
 fileId,
- res.locals.session.user_id,
- isAdmin(res.locals.session.user_id),
+ res.locals.user_id,
+ isAdmin(res.locals.user_id),
 );
 res.json(accesses);
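Review bot: The `isAdmin(res.locals.user_id)` check at the top of the `/users` handler now reads a property that is simply `undefined` whenever `validateSessionMiddleware` did not run or did not populate it, whereas the old `res.locals.session.user_id` threw a TypeError and so could not quietly hand a bad value downstream. The same substitution is made at @@ -89, @@ -141 and @@ -191 in this file, in the `checkFilePermission` calls at @@ -305 and @@ -341, and in app-openid.js and app-secrets.js, so on an unauthenticated request the authorization outcome rests entirely on `isAdmin(undefined)` and `checkFilePermission(fileId, undefined)` denying access; that should be confirmed rather than assumed. A cheap fail-closed guard at the start of each admin handler removes the dependency: `if (!res.locals.user_id) { res.status(401).json({ status: 'error', reason: 'invalid-session' }); return; }`. The handler bodies continue outside the hunk.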
@@ -305,12 +305,12 @@ app.get('/access/users', validateSessionMiddleware, async (req, res) => {
 const { granted } = UserService.checkFilePermission(
 fileId,
- res.locals.session.user_id,
+ res.locals.user_id,
 ) || {
 granted: 0,
 };
- if (granted === 0 && !isAdmin(res.locals.session.user_id)) {
+ if (granted === 0 && !isAdmin(res.locals.user_id)) {
 res.status(400).send({
 status: 'error',
 reason: 'file-denied',
@@ -341,12 +341,12 @@ app.post(
 const { granted } = UserService.checkFilePermission(
 newUserOwner.fileId,
- res.locals.session.user_id,
+ res.locals.user_id,
 ) || {
 granted: 0,
 };
- if (granted === 0 && !isAdmin(res.locals.session.user_id)) {
+ if (granted === 0 && !isAdmin(res.locals.user_id)) {
 res.status(400).send({
 status: 'error',
 reason: 'file-denied',
diff --git a/src/app-openid.js b/src/app-openid.js
index a4c9ce78c..045824190 100644
--- a/src/app-openid.js
+++ b/src/app-openid.js
@@ -18,7 +18,7 @@ app.use(requestLoggerMiddleware);
 export { app as handlers };
 app.post('/enable', validateSessionMiddleware, async (req, res) => {
- if (!isAdmin(res.locals.session.user_id)) {
+ if (!isAdmin(res.locals.user_id)) {
 res.status(403).send({
 status: 'error',
 reason: 'forbidden',
@@ -37,7 +37,7 @@ app.post('/enable', validateSessionMiddleware, async (req, res) => {
 });
 app.post('/disable', validateSessionMiddleware, async (req, res) => {
- if (!isAdmin(res.locals.session.user_id)) {
+ if (!isAdmin(res.locals.user_id)) {
 res.status(403).send({
 status: 'error',
 reason: 'forbidden',
diff --git a/src/app-secrets.js b/src/app-secrets.js
index 9cc608460..d95e94ea8 100644
--- a/src/app-secrets.js
+++ b/src/app-secrets.js
@@ -20,7 +20,7 @@ app.post('/', async (req, res) => {
 const { name, value } = req.body;
 if (method === 'openid') {
- let canSaveSecrets = isAdmin(res.locals.session.user_id);
+ let canSaveSecrets = isAdmin(res.locals.user_id);
 if (!canSaveSecrets) {
 res.status(403).send({
diff --git a/src/app-sync.js b/src/app-sync.js
index 5c7fa3d44..92fdf3013 100644
--- a/src/app-sync.js
+++ b/src/app-sync.js
@@ -25,13 +25,13 @@ import {
 } from './app-sync/validation.js';
 const app = express();
+app.use(validateSessionMiddleware);
 app.use(errorMiddleware);
 app.use(requestLoggerMiddleware);
 app.use(express.raw({ type: 'application/actual-sync' }));
 app.use(express.raw({ type: 'application/encrypted-file' }));
 app.use(express.json());
-app.use(validateSessionMiddleware);
 export { app as handlers };
 const OK_RESPONSE = { status: 'ok' };
@@ -113,6 +113,8 @@ app.post('/sync', async (req, res) => {
 });
 app.post('/user-get-key', (req, res) => {
+ if (!res.locals) return;
+
 let { fileId } = req.body;
 const filesService = new FilesService(getAccountDb());
@@ -247,7 +249,7 @@ app.post('/upload-user-file', async (req, res) => {
 name: name,
 encryptMeta: encryptMeta,
 owner:
- res.locals.session.user_id ||
+ res.locals.user_id ||
 (() => {
 throw new Error('User ID is required for file creation');
 })(),
@@ -310,7 +312,7 @@ app.post('/update-user-filename', (req, res) => {
 app.get('/list-user-files', (req, res) => {
 const fileService = new FilesService(getAccountDb());
- const rows = fileService.find({ userId: res.locals.session.user_id });
+ const rows = fileService.find({ userId: res.locals.user_id });
 res.send({
 status: 'ok',
 data: rows.map((row) => ({
diff --git a/src/util/middlewares.js b/src/util/middlewares.js
index bf02e247d..f8d6b4f18 100644
--- a/src/util/middlewares.js
+++ b/src/util/middlewares.js
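Review bot: Moving `app.use(validateSessionMiddleware)` ahead of `express.json()` and the two `express.raw()` parsers means `validateSession(req, res)` now runs while `req.body` is still unparsed, so a token carried in the request body rather than a header can no longer authenticate; if header-only is the intent that is a reasonable tightening, but it changes behaviour and deserves a comment at the new line such as `// Session is validated from headers only: body parsers run after this middleware.`. The middleware also now precedes `requestLoggerMiddleware`, so requests rejected by the session check presumably never reach the logger, which removes exactly the trail a defender looks for when investigating failed authentication against the sync endpoints. Consider registering it after the logger (and after the parsers, if body tokens remain supported) but still before any route.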
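Review bot: `if (!res.locals) return;` in the `/user-get-key` handler cannot do what it appears to: Express initialises `res.locals` to an object on every response, so the condition is never true, and if it ever were the handler would return without writing a response, leaving the client waiting until timeout. If the intent is to reject callers that arrive without a validated session, test the field the session middleware populates and respond explicitly: `if (!res.locals.user_id) { res.status(401).json({ status: 'error', reason: 'invalid-session' }); return; }`. Since `validateSessionMiddleware` is registered app-wide in this file and does not call `next()` on failure, the guard could also simply be dropped. The handler body continues outside the hunk.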
@@ -31,23 +31,13 @@ async function errorMiddleware(err, req, res, next) {
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 */
-/**
- * Middleware to validate session and attach it to response locals
- * @param {import('express').Request} req
- * @param {import('express').Response} res
- * @param {import('express').NextFunction} next
- */
 const validateSessionMiddleware = async (req, res, next) => {
 let session = await validateSession(req, res);
 if (!session) {
- res.status(401).json({
- status: 'error',
- reason: 'invalid-session',
- });
 return;
 }
- res.locals.session = session;
+ res.locals = session;
 next();
 };
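Review bot: `res.locals = session;` replaces Express's per-request `res.locals` object outright instead of adding to it, so anything earlier middleware stored there is discarded, and every property of whatever `validateSession` returns becomes a top-level local visible to every later handler and template; if that value is the sessions row (the test fixture in this commit selects a `token` column from `sessions`), the session token itself is now exposed that way. Copy only what handlers need, `res.locals.user_id = session.user_id;`, which keeps the `res.locals.user_id` reads introduced elsewhere in this commit working without widening what is exposed. Separately, with the `res.status(401).json(...)` response removed, a falsy result from `validateSession` now makes the middleware return without responding and without calling `next()`; unless `validateSession` itself writes the rejection to `res`, the request hangs rather than receiving a 401, and whichever is the case should be stated in the surviving JSDoc above the function, which currently documents only the parameters.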