From 2a49e21c5d4b8b0cc50feb2c8a5204b41481a409 Mon Sep 17 00:00:00 2001
From: Leandro Menezes <lelemm@gmail.com>
Date: Mon, 11 Nov 2024 12:23:20 -0300
Subject: [PATCH] reverting res.locals and fixes

---
 jest.global-setup.js    |  2 +-
 src/app-admin.js        | 18 +++++++++---------
 src/app-openid.js       |  4 ++--
 src/app-secrets.js      |  2 +-
 src/app-sync.js         |  8 +++++---
 src/util/middlewares.js | 12 +-----------
 6 files changed, 19 insertions(+), 27 deletions(-)

diff --git a/jest.global-setup.js b/jest.global-setup.js
index 075fc38bc..3694e8947 100644
--- a/jest.global-setup.js
+++ b/jest.global-setup.js
@@ -41,7 +41,7 @@ const setSessionUser = (userId, token = 'valid-token') => {
 
   try {
     const db = getAccountDb();
-    const session = db.get('SELECT token FROM sessions WHERE token = ?', [
+    const session = db.first('SELECT token FROM sessions WHERE token = ?', [
       token,
     ]);
     if (!session) {
diff --git a/src/app-admin.js b/src/app-admin.js
index 27589d096..34891200a 100644
--- a/src/app-admin.js
+++ b/src/app-admin.js
@@ -37,7 +37,7 @@ app.get('/users/', validateSessionMiddleware, (req, res) => {
 });
 
 app.post('/users', validateSessionMiddleware, async (req, res) => {
-  if (!isAdmin(res.locals.session.user_id)) {
+  if (!isAdmin(res.locals.user_id)) {
     res.status(403).send({
       status: 'error',
       reason: 'forbidden',
@@ -89,7 +89,7 @@ app.post('/users', validateSessionMiddleware, async (req, res) => {
 });
 
 app.patch('/users', validateSessionMiddleware, async (req, res) => {
-  if (!isAdmin(res.locals.session.user_id)) {
+  if (!isAdmin(res.locals.user_id)) {
     res.status(403).send({
       status: 'error',
       reason: 'forbidden',
@@ -141,7 +141,7 @@ app.patch('/users', validateSessionMiddleware, async (req, res) => {
 });
 
 app.delete('/users', validateSessionMiddleware, async (req, res) => {
-  if (!isAdmin(res.locals.session.user_id)) {
+  if (!isAdmin(res.locals.user_id)) {
     res.status(403).send({
       status: 'error',
       reason: 'forbidden',
@@ -191,8 +191,8 @@ app.get('/access', validateSessionMiddleware, (req, res) => {
 
   const accesses = UserService.getUserAccess(
     fileId,
-    res.locals.session.user_id,
-    isAdmin(res.locals.session.user_id),
+    res.locals.user_id,
+    isAdmin(res.locals.user_id),
   );
 
   res.json(accesses);
@@ -305,12 +305,12 @@ app.get('/access/users', validateSessionMiddleware, async (req, res) => {
 
   const { granted } = UserService.checkFilePermission(
     fileId,
-    res.locals.session.user_id,
+    res.locals.user_id,
   ) || {
     granted: 0,
   };
 
-  if (granted === 0 && !isAdmin(res.locals.session.user_id)) {
+  if (granted === 0 && !isAdmin(res.locals.user_id)) {
     res.status(400).send({
       status: 'error',
       reason: 'file-denied',
@@ -341,12 +341,12 @@ app.post(
 
     const { granted } = UserService.checkFilePermission(
       newUserOwner.fileId,
-      res.locals.session.user_id,
+      res.locals.user_id,
     ) || {
       granted: 0,
     };
 
-    if (granted === 0 && !isAdmin(res.locals.session.user_id)) {
+    if (granted === 0 && !isAdmin(res.locals.user_id)) {
       res.status(400).send({
         status: 'error',
         reason: 'file-denied',
diff --git a/src/app-openid.js b/src/app-openid.js
index a4c9ce78c..045824190 100644
--- a/src/app-openid.js
+++ b/src/app-openid.js
@@ -18,7 +18,7 @@ app.use(requestLoggerMiddleware);
 export { app as handlers };
 
 app.post('/enable', validateSessionMiddleware, async (req, res) => {
-  if (!isAdmin(res.locals.session.user_id)) {
+  if (!isAdmin(res.locals.user_id)) {
     res.status(403).send({
       status: 'error',
       reason: 'forbidden',
@@ -37,7 +37,7 @@ app.post('/enable', validateSessionMiddleware, async (req, res) => {
 });
 
 app.post('/disable', validateSessionMiddleware, async (req, res) => {
-  if (!isAdmin(res.locals.session.user_id)) {
+  if (!isAdmin(res.locals.user_id)) {
     res.status(403).send({
       status: 'error',
       reason: 'forbidden',
diff --git a/src/app-secrets.js b/src/app-secrets.js
index 9cc608460..d95e94ea8 100644
--- a/src/app-secrets.js
+++ b/src/app-secrets.js
@@ -20,7 +20,7 @@ app.post('/', async (req, res) => {
   const { name, value } = req.body;
 
   if (method === 'openid') {
-    let canSaveSecrets = isAdmin(res.locals.session.user_id);
+    let canSaveSecrets = isAdmin(res.locals.user_id);
 
     if (!canSaveSecrets) {
       res.status(403).send({
diff --git a/src/app-sync.js b/src/app-sync.js
index 5c7fa3d44..92fdf3013 100644
--- a/src/app-sync.js
+++ b/src/app-sync.js
@@ -25,13 +25,13 @@ import {
 } from './app-sync/validation.js';
 
 const app = express();
+app.use(validateSessionMiddleware);
 app.use(errorMiddleware);
 app.use(requestLoggerMiddleware);
 app.use(express.raw({ type: 'application/actual-sync' }));
 app.use(express.raw({ type: 'application/encrypted-file' }));
 app.use(express.json());
 
-app.use(validateSessionMiddleware);
 export { app as handlers };
 
 const OK_RESPONSE = { status: 'ok' };
@@ -113,6 +113,8 @@ app.post('/sync', async (req, res) => {
 });
 
 app.post('/user-get-key', (req, res) => {
+  if (!res.locals) return;
+
   let { fileId } = req.body;
 
   const filesService = new FilesService(getAccountDb());
@@ -247,7 +249,7 @@ app.post('/upload-user-file', async (req, res) => {
         name: name,
         encryptMeta: encryptMeta,
         owner:
-          res.locals.session.user_id ||
+          res.locals.user_id ||
           (() => {
             throw new Error('User ID is required for file creation');
           })(),
@@ -310,7 +312,7 @@ app.post('/update-user-filename', (req, res) => {
 
 app.get('/list-user-files', (req, res) => {
   const fileService = new FilesService(getAccountDb());
-  const rows = fileService.find({ userId: res.locals.session.user_id });
+  const rows = fileService.find({ userId: res.locals.user_id });
   res.send({
     status: 'ok',
     data: rows.map((row) => ({
diff --git a/src/util/middlewares.js b/src/util/middlewares.js
index bf02e247d..f8d6b4f18 100644
--- a/src/util/middlewares.js
+++ b/src/util/middlewares.js
@@ -31,23 +31,13 @@ async function errorMiddleware(err, req, res, next) {
  * @param {import('express').Response} res
  * @param {import('express').NextFunction} next
  */
-/**
- * Middleware to validate session and attach it to response locals
- * @param {import('express').Request} req
- * @param {import('express').Response} res
- * @param {import('express').NextFunction} next
- */
 const validateSessionMiddleware = async (req, res, next) => {
   let session = await validateSession(req, res);
   if (!session) {
-    res.status(401).json({
-      status: 'error',
-      reason: 'invalid-session',
-    });
     return;
   }
 
-  res.locals.session = session;
+  res.locals = session;
   next();
 };