Merge branch 'master' into slowcord

author: Madeline <46743919+MaddyUnderStars@users.noreply.github.com> 2022-04-19 20:09:22 +1000
committer: Madeline <46743919+MaddyUnderStars@users.noreply.github.com> 2022-04-19 20:09:22 +1000
commit: 546f81eefafbe07faaaada9f9af70b3113b468de (patch)
tree: b291f73a842c5f3ce2c3cba830930f5d96a58ab3 /api/src
parent: fixed migration? (diff)
parent: Try catch cpu log (diff)
download: server-546f81eefafbe07faaaada9f9af70b3113b468de.tar.xz
16 files changed, 132 insertions, 42 deletions
diff --git a/api/src/middlewares/Authentication.ts b/api/src/middlewares/Authentication.ts
index 429cf11e..5a08caf3 100644
--- a/api/src/middlewares/Authentication.ts
+++ b/api/src/middlewares/Authentication.ts
@@ -15,6 +15,7 @@ export const NO_AUTHORIZATION_ROUTES = [
 	"/experiments",
 	"/updates",
 	"/downloads/",
+	"/scheduled-maintenances/upcoming.json",
 	// Public kubernetes integration
 	"/-/readyz",
 	"/-/healthz",
diff --git a/api/src/routes/channels/#channel_id/invites.ts b/api/src/routes/channels/#channel_id/invites.ts
index 6d2c625d..9c361164 100644
--- a/api/src/routes/channels/#channel_id/invites.ts
+++ b/api/src/routes/channels/#channel_id/invites.ts
@@ -19,7 +19,8 @@ export interface InviteCreateSchema {
 	target_user_type?: number;
 }
 
-router.post("/", route({ body: "InviteCreateSchema", permission: "CREATE_INSTANT_INVITE" }), async (req: Request, res: Response) => {
+router.post("/", route({ body: "InviteCreateSchema", permission: "CREATE_INSTANT_INVITE", right: "CREATE_INVITES" }),
+			async (req: Request, res: Response) => {
 	const { user_id } = req;
 	const { channel_id } = req.params;
 	const channel = await Channel.findOneOrFail({ where: { id: channel_id }, select: ["id", "name", "type", "guild_id"] });
diff --git a/api/src/routes/channels/#channel_id/messages/#message_id/ack.ts b/api/src/routes/channels/#channel_id/messages/#message_id/ack.ts
index 208c1da4..885c5eca 100644
--- a/api/src/routes/channels/#channel_id/messages/#message_id/ack.ts
+++ b/api/src/routes/channels/#channel_id/messages/#message_id/ack.ts
@@ -4,8 +4,9 @@ import { route } from "@fosscord/api";
 
 const router = Router();
 
-// TODO: check if message exists
+// TODO: public read receipts & privacy scoping
 // TODO: send read state event to all channel members
+// TODO: advance-only notification cursor
 
 export interface MessageAcknowledgeSchema {
 	manual?: boolean;
diff --git a/api/src/routes/channels/#channel_id/messages/#message_id/index.ts b/api/src/routes/channels/#channel_id/messages/#message_id/index.ts
index 7f7de264..a27c71e1 100644
--- a/api/src/routes/channels/#channel_id/messages/#message_id/index.ts
+++ b/api/src/routes/channels/#channel_id/messages/#message_id/index.ts
@@ -1,4 +1,4 @@
-import { Channel, emitEvent, getPermission, MessageDeleteEvent, Message, MessageUpdateEvent } from "@fosscord/util";
+import { Channel, emitEvent, getPermission, getRights, MessageDeleteEvent, Message, MessageUpdateEvent } from "@fosscord/util";
 import { Router, Response, Request } from "express";
 import { route } from "@fosscord/api";
 import { handleMessage, postHandleMessage } from "@fosscord/api";
@@ -7,18 +7,23 @@ import { MessageCreateSchema } from "../index";
 const router = Router();
 // TODO: message content/embed string length limit
 
-router.patch("/", route({ body: "MessageCreateSchema", permission: "SEND_MESSAGES" }), async (req: Request, res: Response) => {
+router.patch("/", route({ body: "MessageCreateSchema", permission: "SEND_MESSAGES", right: "SEND_MESSAGES" }), async (req: Request, res: Response) => {
 	const { message_id, channel_id } = req.params;
 	var body = req.body as MessageCreateSchema;
 
 	const message = await Message.findOneOrFail({ where: { id: message_id, channel_id }, relations: ["attachments"] });
 
 	const permissions = await getPermission(req.user_id, undefined, channel_id);
-
-	if (req.user_id !== message.author_id) {
-		permissions.hasThrow("MANAGE_MESSAGES");
-		body = { flags: body.flags }; // admins can only suppress embeds of other messages
-	}
+	
+	const rights = await getRights(req.user_id);
+
+	if ((req.user_id !== message.author_id)) {
+		if (!rights.has("MANAGE_MESSAGES")) {
+			permissions.hasThrow("MANAGE_MESSAGES");
+			body = { flags: body.flags };
+// guild admins can only suppress embeds of other messages, no such restriction imposed to instance-wide admins
+		}
+	} else rights.hasThrow("SELF_EDIT_MESSAGES");
 
 	const new_message = await handleMessage({
 		...message,
@@ -46,17 +51,32 @@ router.patch("/", route({ body: "MessageCreateSchema", permission: "SEND_MESSAGE
 	return res.json(message);
 });
 
-// permission check only if deletes messagr from other user
+router.get("/", route({ permission: "VIEW_CHANNEL" }), async (req: Request, res: Response) => {
+	const { message_id, channel_id } = req.params;
+
+	const message = await Message.findOneOrFail({ where: { id: message_id, channel_id }, relations: ["attachments"] });
+
+	const permissions = await getPermission(req.user_id, undefined, channel_id);
+	
+	if (message.author_id !== req.user_id) permissions.hasThrow("READ_MESSAGE_HISTORY");
+
+	return res.json(message);
+});
+
 router.delete("/", route({}), async (req: Request, res: Response) => {
 	const { message_id, channel_id } = req.params;
 
 	const channel = await Channel.findOneOrFail({ id: channel_id });
 	const message = await Message.findOneOrFail({ id: message_id });
+	
+	const rights = await getRights(req.user_id);
 
-	if (message.author_id !== req.user_id) {
-		const permission = await getPermission(req.user_id, channel.guild_id, channel_id);
-		permission.hasThrow("MANAGE_MESSAGES");
-	}
+	if ((message.author_id !== req.user_id)) {
+		if (!rights.has("MANAGE_MESSAGES")) {
+			const permission = await getPermission(req.user_id, channel.guild_id, channel_id);
+			permission.hasThrow("MANAGE_MESSAGES");
+		}
+	} else rights.hasThrow("SELF_DELETE_MESSAGES");
 
 	await Message.delete({ id: message_id });
 
diff --git a/api/src/routes/channels/#channel_id/messages/#message_id/reactions.ts b/api/src/routes/channels/#channel_id/messages/#message_id/reactions.ts
index 6b6a66b2..d93cf70f 100644
--- a/api/src/routes/channels/#channel_id/messages/#message_id/reactions.ts
+++ b/api/src/routes/channels/#channel_id/messages/#message_id/reactions.ts
@@ -101,7 +101,7 @@ router.get("/:emoji", route({ permission: "VIEW_CHANNEL" }), async (req: Request
 	res.json(users);
 });
 
-router.put("/:emoji/:user_id", route({ permission: "READ_MESSAGE_HISTORY" }), async (req: Request, res: Response) => {
+router.put("/:emoji/:user_id", route({ permission: "READ_MESSAGE_HISTORY", right: "SELF_ADD_REACTIONS" }), async (req: Request, res: Response) => {
 	const { message_id, channel_id, user_id } = req.params;
 	if (user_id !== "@me") throw new HTTPError("Invalid user");
 	const emoji = getEmoji(req.params.emoji);
diff --git a/api/src/routes/channels/#channel_id/messages/index.ts b/api/src/routes/channels/#channel_id/messages/index.ts
index 2fd08b04..af0ae32d 100644
--- a/api/src/routes/channels/#channel_id/messages/index.ts
+++ b/api/src/routes/channels/#channel_id/messages/index.ts
@@ -8,6 +8,7 @@ import {
 	Embed,
 	emitEvent,
 	getPermission,
+	getRights,
 	Message,
 	MessageCreateEvent,
 	uploadFile,
@@ -119,7 +120,7 @@ router.get("/", async (req: Request, res: Response) => {
 				delete x.user_ids;
 			});
 			// @ts-ignore
-			if (!x.author) x.author = { discriminator: "0000", username: "Deleted User", public_flags: "0", avatar: null };
+			if (!x.author) x.author = { id: "4", discriminator: "0000", username: "Fosscord Ghost", public_flags: "0", avatar: null };
 			x.attachments?.forEach((y: any) => {
 				// dynamically set attachment proxy_url in case the endpoint changed
 				const uri = y.proxy_url.startsWith("http") ? y.proxy_url : `https://example.org${y.proxy_url}`;
@@ -149,7 +150,7 @@ const messageUpload = multer({
 }); // max upload 50 mb
 
 // TODO: dynamically change limit of MessageCreateSchema with config
-// TODO: check: sum of all characters in an embed structure must not exceed 6000 characters
+// TODO: check: sum of all characters in an embed structure must not exceed instance limits
 
 // https://discord.com/developers/docs/resources/channel#create-message
 // TODO: text channel slowdown
@@ -167,7 +168,7 @@ router.post(
 
 		next();
 	},
-	route({ body: "MessageCreateSchema", permission: "SEND_MESSAGES" }),
+	route({ body: "MessageCreateSchema", permission: "SEND_MESSAGES", right: "SEND_MESSAGES" }),
 	async (req: Request, res: Response) => {
 		const { channel_id } = req.params;
 		var body = req.body as MessageCreateSchema;
diff --git a/api/src/routes/guilds/#guild_id/index.ts b/api/src/routes/guilds/#guild_id/index.ts
index 991c3f93..4ec3df72 100644
--- a/api/src/routes/guilds/#guild_id/index.ts
+++ b/api/src/routes/guilds/#guild_id/index.ts
@@ -1,5 +1,5 @@
 import { Request, Response, Router } from "express";
-import { emitEvent, getPermission, Guild, GuildUpdateEvent, handleFile, Member } from "@fosscord/util";
+import { DiscordApiErrors, emitEvent, getPermission, getRights, Guild, GuildUpdateEvent, handleFile, Member } from "@fosscord/util";
 import { HTTPError } from "lambert-server";
 import { route } from "@fosscord/api";
 import "missing-native-js-functions";
@@ -37,9 +37,17 @@ router.get("/", route({}), async (req: Request, res: Response) => {
 	return res.send(guild);
 });
 
-router.patch("/", route({ body: "GuildUpdateSchema", permission: "MANAGE_GUILD" }), async (req: Request, res: Response) => {
+router.patch("/", route({ body: "GuildUpdateSchema"}), async (req: Request, res: Response) => {
 	const body = req.body as GuildUpdateSchema;
 	const { guild_id } = req.params;
+	
+	
+	const rights = await getRights(req.user_id);
+	const permission = await getPermission(req.user_id, guild_id);
+	
+	if (!rights.has("MANAGE_GUILDS")||!permission.has("MANAGE_GUILD"))
+		throw DiscordApiErrors.MISSING_PERMISSIONS.withParams("MANAGE_GUILD");
+	
 	// TODO: guild update check image
 
 	if (body.icon) body.icon = await handleFile(`/icons/${guild_id}`, body.icon);
diff --git a/api/src/routes/guilds/#guild_id/members/index.ts b/api/src/routes/guilds/#guild_id/members/index.ts
index 386276c8..b730a4e7 100644
--- a/api/src/routes/guilds/#guild_id/members/index.ts
+++ b/api/src/routes/guilds/#guild_id/members/index.ts
@@ -6,7 +6,6 @@ import { HTTPError } from "lambert-server";
 
 const router = Router();
 
-// TODO: not allowed for user -> only allowed for bots with privileged intents
 // TODO: send over websocket
 // TODO: check for GUILD_MEMBERS intent
 
diff --git a/api/src/routes/guilds/index.ts b/api/src/routes/guilds/index.ts
index 7b676211..10721413 100644
--- a/api/src/routes/guilds/index.ts
+++ b/api/src/routes/guilds/index.ts
@@ -1,5 +1,5 @@
 import { Router, Request, Response } from "express";
-import { Role, Guild, Snowflake, Config, Member, Channel, DiscordApiErrors, handleFile } from "@fosscord/util";
+import { Role, Guild, Snowflake, Config, getRights, Member, Channel, DiscordApiErrors, handleFile } from "@fosscord/util";
 import { route } from "@fosscord/api";
 import { ChannelModifySchema } from "../channels/#channel_id";
 
@@ -20,12 +20,13 @@ export interface GuildCreateSchema {
 
 //TODO: create default channel
 
-router.post("/", route({ body: "GuildCreateSchema" }), async (req: Request, res: Response) => {
+router.post("/", route({ body: "GuildCreateSchema", right: "CREATE_GUILDS" }), async (req: Request, res: Response) => {
 	const body = req.body as GuildCreateSchema;
 
 	const { maxGuilds } = Config.get().limits.user;
 	const guild_count = await Member.count({ id: req.user_id });
-	if (guild_count >= maxGuilds) {
+	const rights = await getRights(req.user_id);
+	if ((guild_count >= maxGuilds)&&!rights.has("MANAGE_GUILDS")) {
 		throw DiscordApiErrors.MAXIMUM_GUILDS.withParams(maxGuilds);
 	}
 
diff --git a/api/src/routes/invites/index.ts b/api/src/routes/invites/index.ts
index 37e9e05a..21da2d18 100644
--- a/api/src/routes/invites/index.ts
+++ b/api/src/routes/invites/index.ts
@@ -13,7 +13,7 @@ router.get("/:code", route({}), async (req: Request, res: Response) => {
 	res.status(200).send(invite);
 });
 
-router.post("/:code", route({}), async (req: Request, res: Response) => {
+router.post("/:code", route({right: "JOIN_GUILDS"}), async (req: Request, res: Response) => {
 	const { code } = req.params;
     const { guild_id } = await Invite.findOneOrFail({ code })
 	const { features } = await Guild.findOneOrFail({ id: guild_id});
diff --git a/api/src/routes/scheduled-maintenances/upcoming_json.ts b/api/src/routes/scheduled-maintenances/upcoming_json.ts
new file mode 100644
index 00000000..83092e44
--- /dev/null
+++ b/api/src/routes/scheduled-maintenances/upcoming_json.ts
@@ -0,0 +1,12 @@
+import { Router, Request, Response } from "express";
+import { route } from "@fosscord/api";
+const router = Router();
+
+router.get("/scheduled-maintenances/upcoming.json",route({}), async (req: Request, res: Response) => {
+	res.json({
+  "page": {},
+  "scheduled_maintenances": {}
+  });
+});
+
+export default router;
diff --git a/api/src/routes/users/@me/notes.ts b/api/src/routes/users/@me/notes.ts
index 96067bf5..4887b191 100644
--- a/api/src/routes/users/@me/notes.ts
+++ b/api/src/routes/users/@me/notes.ts
@@ -1,14 +1,39 @@
 import { Request, Response, Router } from "express";
 import { route } from "@fosscord/api";
+import { User, emitEvent } from "@fosscord/util";
 
 const router: Router = Router();
 
+router.get("/:id", route({}), async (req: Request, res: Response) => {
+	const { id } = req.params;
+	const user = await User.findOneOrFail({ where: { id: req.user_id }, select: ["notes"] });
+
+	const note = user.notes[id];
+	return res.json({
+		note: note,
+		note_user_id: id,
+		user_id: user.id,
+	});
+});
+
 router.put("/:id", route({}), async (req: Request, res: Response) => {
-	//TODO
-	res.json({
-		message: "Unknown User",
-		code: 10013
-	}).status(404);
+	const { id } = req.params;
+	const user = await User.findOneOrFail({ where: { id: req.user_id } });
+	const noteUser = await User.findOneOrFail({ where: { id: id }});		//if noted user does not exist throw
+	const { note } = req.body;
+
+	await User.update({ id: req.user_id }, { notes: { ...user.notes, [noteUser.id]: note } });
+
+	await emitEvent({
+		event: "USER_NOTE_UPDATE",
+		data: {
+			note: note,
+			id: noteUser.id
+		},
+		user_id: user.id,
+	})
+
+	return res.status(204);
 });
 
 export default router;
diff --git a/api/src/start.ts b/api/src/start.ts
index 717e1b8f..ccb4d108 100644
--- a/api/src/start.ts
+++ b/api/src/start.ts
@@ -7,7 +7,12 @@ config();
 import { FosscordServer } from "./Server";
 import cluster from "cluster";
 import os from "os";
-const cores = Number(process.env.THREADS) || os.cpus().length;
+var cores = 1;
+try {
+	cores = Number(process.env.THREADS) || os.cpus().length;
+} catch {
+	console.log("[API] Failed to get thread count! Using 1...")
+}
 
 if (cluster.isMaster && process.env.NODE_ENV == "production") {
 	console.log(`Primary ${process.pid} is running`);
diff --git a/api/src/util/handlers/Message.ts b/api/src/util/handlers/Message.ts
index 2d9f7032..5a5ac666 100644
--- a/api/src/util/handlers/Message.ts
+++ b/api/src/util/handlers/Message.ts
@@ -7,6 +7,7 @@ import {
 	MessageCreateEvent,
 	MessageUpdateEvent,
 	getPermission,
+	getRights,
 	CHANNEL_MENTION,
 	Snowflake,
 	USER_MENTION,
@@ -61,19 +62,20 @@ export async function handleMessage(opts: MessageOptions): Promise<Message> {
 		throw new HTTPError("Content length over max character limit")
 	}
 
-	// TODO: are tts messages allowed in dm channels? should permission be checked?
 	if (opts.author_id) {
 		message.author = await User.getPublicUser(opts.author_id);
-	}
+		const rights = await getRights(opts.author_id);
+		rights.hasThrow("SEND_MESSAGES");
+	}	
 	if (opts.application_id) {
 		message.application = await Application.findOneOrFail({ id: opts.application_id });
 	}
 	if (opts.webhook_id) {
 		message.webhook = await Webhook.findOneOrFail({ id: opts.webhook_id });
 	}
-
+	
 	const permission = await getPermission(opts.author_id, channel.guild_id, opts.channel_id);
-	permission.hasThrow("SEND_MESSAGES"); // TODO: add the rights check
+	permission.hasThrow("SEND_MESSAGES");
 	if (permission.cache.member) {
 		message.member = permission.cache.member;
 	}
@@ -81,7 +83,7 @@ export async function handleMessage(opts: MessageOptions): Promise<Message> {
 	if (opts.tts) permission.hasThrow("SEND_TTS_MESSAGES");
 	if (opts.message_reference) {
 		permission.hasThrow("READ_MESSAGE_HISTORY");
-		// code below has to be redone when we add custom message routing and cross-channel replies
+		// code below has to be redone when we add custom message routing
 		if (message.guild_id !== null) {
 			const guild = await Guild.findOneOrFail({ id: channel.guild_id });
 			if (!guild.features.includes("CROSS_CHANNEL_REPLIES")) {
@@ -89,7 +91,7 @@ export async function handleMessage(opts: MessageOptions): Promise<Message> {
 				if (opts.message_reference.channel_id !== opts.channel_id) throw new HTTPError("You can only reference messages from this channel");
 			}
 		}
-		// TODO: should be checked if the referenced message exists?
+		// Q: should be checked if the referenced message exists? ANSWER: NO
 		// @ts-ignore
 		message.type = MessageType.REPLY;
 	}
diff --git a/api/src/util/handlers/route.ts b/api/src/util/handlers/route.ts
index 0048c4dd..3d3bbc37 100644
--- a/api/src/util/handlers/route.ts
+++ b/api/src/util/handlers/route.ts
@@ -6,6 +6,7 @@ import {
 	FieldErrors,
 	FosscordApiErrors,
 	getPermission,
+	getRights,
 	PermissionResolvable,
 	Permissions,
 	RightResolvable,
@@ -105,6 +106,8 @@ export function route(opts: RouteOptions) {
 
 		if (opts.right) {
 			const required = new Rights(opts.right);
+			req.rights = await getRights(req.user_id);
+
 			if (!req.rights || !req.rights.has(required)) {
 				throw FosscordApiErrors.MISSING_RIGHTS.withParams(opts.right as string);
 			}
diff --git a/api/src/util/utility/passwordStrength.ts b/api/src/util/utility/passwordStrength.ts
index 047df008..439700d0 100644
--- a/api/src/util/utility/passwordStrength.ts
+++ b/api/src/util/utility/passwordStrength.ts
@@ -13,6 +13,7 @@ const blocklist: string[] = []; // TODO: update ones passwordblocklist is stored
  *  - min <n> numbers
  *  - min <n> symbols
  *  - min <n> uppercase chars
+ *  - shannon entropy folded into [0, 1) interval
  *
  * Returns: 0 > pw > 1
  */
@@ -22,28 +23,38 @@ export function checkPassword(password: string): number {
 
 	// checks for total password len
 	if (password.length >= minLength - 1) {
-		strength += 0.25;
+		strength += 0.05;
 	}
 
 	// checks for amount of Numbers
 	if (password.count(reNUMBER) >= minNumbers - 1) {
-		strength += 0.25;
+		strength += 0.05;
 	}
 
 	// checks for amount of Uppercase Letters
 	if (password.count(reUPPERCASELETTER) >= minUpperCase - 1) {
-		strength += 0.25;
+		strength += 0.05;
 	}
 
 	// checks for amount of symbols
 	if (password.replace(reSYMBOLS, "").length >= minSymbols - 1) {
-		strength += 0.25;
+		strength += 0.05;
 	}
 
 	// checks if password only consists of numbers or only consists of chars
 	if (password.length == password.count(reNUMBER) || password.length === password.count(reUPPERCASELETTER)) {
 		strength = 0;
 	}
-
+	
+	let entropyMap: { [key: string]: number } = {};
+	for (let i = 0; i < password.length; i++) {
+		if (entropyMap[password[i]]) entropyMap[password[i]]++;
+		else entropyMap[password[i]] = 1;
+	}
+	
+	let entropies = Object.values(entropyMap);
+	
+	entropies.map(x => (x / entropyMap.length));
+	strength += entropies.reduceRight((a: number, x: number) => a - (x * Math.log2(x))) / Math.log2(password.length);	
 	return strength;
 }
author	Madeline <46743919+MaddyUnderStars@users.noreply.github.com>	2022-04-19 20:09:22 +1000
committer	Madeline <46743919+MaddyUnderStars@users.noreply.github.com>	2022-04-19 20:09:22 +1000
commit	546f81eefafbe07faaaada9f9af70b3113b468de (patch)
tree	b291f73a842c5f3ce2c3cba830930f5d96a58ab3 /api/src
parent	fixed migration? (diff)
parent	Try catch cpu log (diff)
download	server-546f81eefafbe07faaaada9f9af70b3113b468de.tar.xz