diff --git a/api/src/middlewares/RateLimit.ts b/api/src/middlewares/RateLimit.ts
index 1a38cfcf..ca6de98f 100644
--- a/api/src/middlewares/RateLimit.ts
+++ b/api/src/middlewares/RateLimit.ts
@@ -1,4 +1,4 @@
-import { Config, listenEvent } from "@fosscord/util";
+import { Config, getRights, listenEvent, Rights } from "@fosscord/util";
import { NextFunction, Request, Response, Router } from "express";
import { getIpAdress } from "@fosscord/api";
import { API_PREFIX_TRAILING_SLASH } from "./Authentication";
@@ -9,6 +9,7 @@ import { API_PREFIX_TRAILING_SLASH } from "./Authentication";
/*
? bucket limit? Max actions/sec per bucket?
+(ANSWER: a small fosscord instance might not need a complex rate limiting system)
TODO: delay database requests to include multiple queries
TODO: different for methods (GET/POST)
@@ -44,21 +45,25 @@ export default function rateLimit(opts: {
onlyIp?: boolean;
}): any {
return async (req: Request, res: Response, next: NextFunction): Promise<any> => {
+ // exempt user? if so, immediately short circuit
+ const rights = await getRights(req.user_id);
+ if (rights.has("BYPASS_RATE_LIMITS")) return;
+
const bucket_id = opts.bucket || req.originalUrl.replace(API_PREFIX_TRAILING_SLASH, "");
var executor_id = getIpAdress(req);
- if (!opts.onlyIp && req.user_id) executor_id = req.user_id;
+ if (!opts.onlyIp && req.user_id) executor_id = req.user_id;
var max_hits = opts.count;
if (opts.bot && req.user_bot) max_hits = opts.bot;
if (opts.GET && ["GET", "OPTIONS", "HEAD"].includes(req.method)) max_hits = opts.GET;
else if (opts.MODIFY && ["POST", "DELETE", "PATCH", "PUT"].includes(req.method)) max_hits = opts.MODIFY;
- const offender = Cache.get(executor_id + bucket_id);
+ let offender = Cache.get(executor_id + bucket_id);
if (offender) {
- const reset = offender.expires_at.getTime();
- const resetAfterMs = reset - Date.now();
- const resetAfterSec = resetAfterMs / 1000;
+ let reset = offender.expires_at.getTime();
+ let resetAfterMs = reset - Date.now();
+ let resetAfterSec = Math.ceil(resetAfterMs / 1000);
if (resetAfterMs <= 0) {
offender.hits = 0;
@@ -70,6 +75,11 @@ export default function rateLimit(opts: {
if (offender.blocked) {
const global = bucket_id === "global";
+ // each block violation pushes the expiry one full window further
+ reset += opts.window * 1000;
+ offender.expires_at = new Date(offender.expires_at.getTime() + opts.window * 1000);
+ resetAfterMs = reset - Date.now();
+ resetAfterSec = Math.ceil(resetAfterMs / 1000);
console.log("blocked bucket: " + bucket_id, { resetAfterMs });
return (
diff --git a/api/src/routes/auth/register.ts b/api/src/routes/auth/register.ts
index cd1bcb72..94dd6502 100644
--- a/api/src/routes/auth/register.ts
+++ b/api/src/routes/auth/register.ts
@@ -128,7 +128,7 @@ router.post("/", route({ body: "RegisterSchema" }), async (req: Request, res: Re
throw FieldErrors({
date_of_birth: { code: "BASE_TYPE_REQUIRED", message: req.t("common:field.BASE_TYPE_REQUIRED") }
});
- } else if (register.dateOfBirth.minimum) {
+ } else if (register.dateOfBirth.required && register.dateOfBirth.minimum) {
const minimum = new Date();
minimum.setFullYear(minimum.getFullYear() - register.dateOfBirth.minimum);
body.date_of_birth = new Date(body.date_of_birth as Date);
diff --git a/api/src/routes/channels/#channel_id/messages/#message_id/index.ts b/api/src/routes/channels/#channel_id/messages/#message_id/index.ts
index a27c71e1..63fee9b9 100644
--- a/api/src/routes/channels/#channel_id/messages/#message_id/index.ts
+++ b/api/src/routes/channels/#channel_id/messages/#message_id/index.ts
@@ -1,12 +1,38 @@
-import { Channel, emitEvent, getPermission, getRights, MessageDeleteEvent, Message, MessageUpdateEvent } from "@fosscord/util";
+import {
+ Attachment,
+ Channel,
+ Embed,
+ DiscordApiErrors,
+ emitEvent,
+ FosscordApiErrors,
+ getPermission,
+ getRights,
+ Message,
+ MessageCreateEvent,
+ MessageDeleteEvent,
+ MessageUpdateEvent,
+ Snowflake,
+ uploadFile
+} from "@fosscord/util";
import { Router, Response, Request } from "express";
+import multer from "multer";
import { route } from "@fosscord/api";
import { handleMessage, postHandleMessage } from "@fosscord/api";
import { MessageCreateSchema } from "../index";
+import { HTTPError } from "lambert-server";
const router = Router();
// TODO: message content/embed string length limit
+const messageUpload = multer({
+ limits: {
+ fileSize: 1024 * 1024 * 100,
+ fields: 10,
+ files: 1
+ },
+ storage: multer.memoryStorage()
+}); // max upload 50 mb
+
router.patch("/", route({ body: "MessageCreateSchema", permission: "SEND_MESSAGES", right: "SEND_MESSAGES" }), async (req: Request, res: Response) => {
const { message_id, channel_id } = req.params;
var body = req.body as MessageCreateSchema;
@@ -51,6 +77,83 @@ router.patch("/", route({ body: "MessageCreateSchema", permission: "SEND_MESSAGE
return res.json(message);
});
+
+// Backfill message with specific timestamp
+router.put(
+ "/",
+ messageUpload.single("file"),
+ async (req, res, next) => {
+ if (req.body.payload_json) {
+ req.body = JSON.parse(req.body.payload_json);
+ }
+
+ next();
+ },
+ route({ body: "MessageCreateSchema", permission: "SEND_MESSAGES", right: "SEND_BACKDATED_EVENTS" }),
+ async (req: Request, res: Response) => {
+ const { channel_id, message_id } = req.params;
+ var body = req.body as MessageCreateSchema;
+ const attachments: Attachment[] = [];
+
+ const rights = await getRights(req.user_id);
+ rights.hasThrow("SEND_MESSAGES");
+
+ // regex to check if message contains anything other than numerals ( also no decimals )
+ if (!message_id.match(/^\+?\d+$/)) {
+ throw new HTTPError("Message IDs must be positive integers", 400);
+ }
+
+ const snowflake = Snowflake.deconstruct(message_id)
+ if (Date.now() < snowflake.timestamp) {
+ // message is in the future
+ throw FosscordApiErrors.CANNOT_BACKFILL_TO_THE_FUTURE;
+ }
+
+ const exists = await Message.findOne({ where: { id: message_id, channel_id: channel_id }});
+ if (exists) {
+ throw FosscordApiErrors.CANNOT_REPLACE_BY_BACKFILL;
+ }
+
+ if (req.file) {
+ try {
+ const file = await uploadFile(`/attachments/${req.params.channel_id}`, req.file);
+ attachments.push({ ...file, proxy_url: file.url });
+ } catch (error) {
+ return res.status(400).json(error);
+ }
+ }
+ const channel = await Channel.findOneOrFail({ where: { id: channel_id }, relations: ["recipients", "recipients.user"] });
+
+ const embeds = body.embeds || [];
+ if (body.embed) embeds.push(body.embed);
+ let message = await handleMessage({
+ ...body,
+ type: 0,
+ pinned: false,
+ author_id: req.user_id,
+ id: message_id,
+ embeds,
+ channel_id,
+ attachments,
+ edited_timestamp: undefined,
+ timestamp: new Date(snowflake.timestamp),
+ });
+
+ //Fix for the client bug
+ delete message.member
+
+ await Promise.all([
+ message.save(),
+ emitEvent({ event: "MESSAGE_CREATE", channel_id: channel_id, data: message } as MessageCreateEvent),
+ channel.save()
+ ]);
+
+ postHandleMessage(message).catch((e) => { }); // no await as it shouldnt block the message send function and silently catch error
+
+ return res.json(message);
+ }
+);
+
router.get("/", route({ permission: "VIEW_CHANNEL" }), async (req: Request, res: Response) => {
const { message_id, channel_id } = req.params;
diff --git a/api/src/routes/channels/#channel_id/messages/bulk-delete.ts b/api/src/routes/channels/#channel_id/messages/bulk-delete.ts
index 7a711cb0..6eacf249 100644
--- a/api/src/routes/channels/#channel_id/messages/bulk-delete.ts
+++ b/api/src/routes/channels/#channel_id/messages/bulk-delete.ts
@@ -1,5 +1,5 @@
import { Router, Response, Request } from "express";
-import { Channel, Config, emitEvent, getPermission, MessageDeleteBulkEvent, Message } from "@fosscord/util";
+import { Channel, Config, emitEvent, getPermission, getRights, MessageDeleteBulkEvent, Message } from "@fosscord/util";
import { HTTPError } from "lambert-server";
import { route } from "@fosscord/api";
import { In } from "typeorm";
@@ -12,22 +12,28 @@ export interface BulkDeleteSchema {
messages: string[];
}
-// TODO: should users be able to bulk delete messages or only bots?
-// TODO: should this request fail, if you provide messages older than 14 days/invalid ids?
+// should users be able to bulk delete messages or only bots? ANSWER: all users
+// should this request fail, if you provide messages older than 14 days/invalid ids? ANSWER: NO
// https://discord.com/developers/docs/resources/channel#bulk-delete-messages
router.post("/", route({ body: "BulkDeleteSchema" }), async (req: Request, res: Response) => {
const { channel_id } = req.params;
const channel = await Channel.findOneOrFail({ id: channel_id });
if (!channel.guild_id) throw new HTTPError("Can't bulk delete dm channel messages", 400);
+ const rights = await getRights(req.user_id);
+ rights.hasThrow("SELF_DELETE_MESSAGES");
+
+ let superuser = rights.has("MANAGE_MESSAGES");
const permission = await getPermission(req.user_id, channel?.guild_id, channel_id);
- permission.hasThrow("MANAGE_MESSAGES");
-
+
const { maxBulkDelete } = Config.get().limits.message;
const { messages } = req.body as { messages: string[] };
- if (messages.length < 2) throw new HTTPError("You must at least specify 2 messages to bulk delete");
- if (messages.length > maxBulkDelete) throw new HTTPError(`You cannot delete more than ${maxBulkDelete} messages`);
+ if (messages.length === 0) throw new HTTPError("You must specify messages to bulk delete");
+ if (!superuser) {
+ permission.hasThrow("MANAGE_MESSAGES");
+ if (messages.length > maxBulkDelete) throw new HTTPError(`You cannot delete more than ${maxBulkDelete} messages`);
+ }
await Message.delete(messages.map((x) => ({ id: x })));
diff --git a/api/src/routes/channels/#channel_id/messages/index.ts b/api/src/routes/channels/#channel_id/messages/index.ts
index af0ae32d..2d6a2977 100644
--- a/api/src/routes/channels/#channel_id/messages/index.ts
+++ b/api/src/routes/channels/#channel_id/messages/index.ts
@@ -11,6 +11,7 @@ import {
getRights,
Message,
MessageCreateEvent,
+ Snowflake,
uploadFile,
Member
} from "@fosscord/util";
@@ -30,6 +31,8 @@ export function isTextChannel(type: ChannelType): boolean {
case ChannelType.GUILD_VOICE:
case ChannelType.GUILD_STAGE_VOICE:
case ChannelType.GUILD_CATEGORY:
+ case ChannelType.GUILD_FORUM:
+ case ChannelType.DIRECTORY:
throw new HTTPError("not a text channel", 400);
case ChannelType.DM:
case ChannelType.GROUP_DM:
@@ -68,7 +71,11 @@ export interface MessageCreateSchema {
};
payload_json?: string;
file?: any;
- attachments?: any[]; //TODO we should create an interface for attachments
+ /**
+ TODO: we should create an interface for attachments
+ TODO: OpenWAAO<-->attachment-style metadata conversion
+ **/
+ attachments?: any[];
sticker_ids?: string[];
}
@@ -84,7 +91,7 @@ router.get("/", async (req: Request, res: Response) => {
const before = req.query.before ? `${req.query.before}` : undefined;
const after = req.query.after ? `${req.query.after}` : undefined;
const limit = Number(req.query.limit) || 50;
- if (limit < 1 || limit > 100) throw new HTTPError("limit must be between 1 and 100");
+ if (limit < 1 || limit > 100) throw new HTTPError("limit must be between 1 and 100", 422);
var halfLimit = Math.floor(limit / 2);
@@ -98,9 +105,16 @@ router.get("/", async (req: Request, res: Response) => {
where: { channel_id },
relations: ["author", "webhook", "application", "mentions", "mention_roles", "mention_channels", "sticker_items", "attachments"]
};
+
- if (after) query.where.id = MoreThan(after);
- else if (before) query.where.id = LessThan(before);
+ if (after) {
+ if (after > new Snowflake()) return res.status(422);
+ query.where.id = MoreThan(after);
+ }
+ else if (before) {
+ if (before < req.params.channel_id) return res.status(422);
+ query.where.id = LessThan(before);
+ }
else if (around) {
query.where.id = [
MoreThan((BigInt(around) - BigInt(halfLimit)).toString()),
@@ -126,9 +140,12 @@ router.get("/", async (req: Request, res: Response) => {
const uri = y.proxy_url.startsWith("http") ? y.proxy_url : `https://example.org${y.proxy_url}`;
y.proxy_url = `${endpoint == null ? "" : endpoint}${new URL(uri).pathname}`;
});
-
- //Some clients ( discord.js ) only check if a property exists within the response,
- //which causes erorrs when, say, the `application` property is `null`.
+
+ /**
+ Some clients ( discord.js ) only check if a property exists within the response,
+ which causes erorrs when, say, the `application` property is `null`.
+ **/
+
for (var curr in x) {
if (x[curr] === null)
delete x[curr];
@@ -148,15 +165,14 @@ const messageUpload = multer({
},
storage: multer.memoryStorage()
}); // max upload 50 mb
+/**
+ TODO: dynamically change limit of MessageCreateSchema with config
-// TODO: dynamically change limit of MessageCreateSchema with config
-// TODO: check: sum of all characters in an embed structure must not exceed instance limits
-
-// https://discord.com/developers/docs/resources/channel#create-message
-// TODO: text channel slowdown
-// TODO: trim and replace message content and every embed field
-// TODO: check allowed_mentions
-
+ https://discord.com/developers/docs/resources/channel#create-message
+ TODO: text channel slowdown (per-user and across-users)
+ Q: trim and replace message content and every embed field A: NO, given this cannot be implemented in E2EE channels
+ TODO: only dispatch notifications for mentions denoted in allowed_mentions
+**/
// Send message
router.post(
"/",
@@ -183,6 +199,9 @@ router.post(
}
}
const channel = await Channel.findOneOrFail({ where: { id: channel_id }, relations: ["recipients", "recipients.user"] });
+ if (!channel.isWritable()) {
+ throw new HTTPError(`Cannot send messages to channel of type ${channel.type}`, 400)
+ }
const embeds = body.embeds || [];
if (body.embed) embeds.push(body.embed);
@@ -236,3 +255,4 @@ router.post(
return res.json(message);
}
);
+
diff --git a/api/src/routes/channels/#channel_id/purge.ts b/api/src/routes/channels/#channel_id/purge.ts
new file mode 100644
index 00000000..28b52b50
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/purge.ts
@@ -0,0 +1,84 @@
+import { HTTPError } from "lambert-server";
+import { route } from "@fosscord/api";
+import { isTextChannel } from "./messages";
+import { FindManyOptions, Between, Not } from "typeorm";
+import {
+ Attachment,
+ Channel,
+ Config,
+ Embed,
+ DiscordApiErrors,
+ emitEvent,
+ FosscordApiErrors,
+ getPermission,
+ getRights,
+ Message,
+ MessageDeleteBulkEvent,
+ Snowflake,
+ uploadFile
+} from "@fosscord/util";
+import { Router, Response, Request } from "express";
+import multer from "multer";
+import { handleMessage, postHandleMessage } from "@fosscord/api";
+
+const router: Router = Router();
+
+export default router;
+
+export interface PurgeSchema {
+ before: string;
+ after: string
+}
+
+/**
+TODO: apply the delete bit by bit to prevent client and database stress
+**/
+router.post("/", route({ /*body: "PurgeSchema",*/ }), async (req: Request, res: Response) => {
+ const { channel_id } = req.params;
+ const channel = await Channel.findOneOrFail({ id: channel_id });
+
+ if (!channel.guild_id) throw new HTTPError("Can't purge dm channels", 400);
+ isTextChannel(channel.type);
+
+ const rights = await getRights(req.user_id);
+ if (!rights.has("MANAGE_MESSAGES")) {
+ const permissions = await getPermission(req.user_id, channel.guild_id, channel_id);
+ permissions.hasThrow("MANAGE_MESSAGES");
+ permissions.hasThrow("MANAGE_CHANNELS");
+ }
+
+ const { before, after } = req.body as PurgeSchema;
+
+ // TODO: send the deletion event bite-by-bite to prevent client stress
+
+ var query: FindManyOptions<Message> & { where: { id?: any; }; } = {
+ order: { id: "ASC" },
+ // take: limit,
+ where: {
+ channel_id,
+ id: Between(after, before), // the right way around
+ author_id: rights.has("SELF_DELETE_MESSAGES") ? undefined : Not(req.user_id)
+ // if you lack the right of self-deletion, you can't delete your own messages, even in purges
+ },
+ relations: ["author", "webhook", "application", "mentions", "mention_roles", "mention_channels", "sticker_items", "attachments"]
+ };
+
+
+ const messages = await Message.find(query);
+ const endpoint = Config.get().cdn.endpointPublic;
+
+ if (messages.length == 0) {
+ res.sendStatus(304);
+ return;
+ }
+
+ await Message.delete(messages.map((x) => ({ id: x })));
+
+ await emitEvent({
+ event: "MESSAGE_DELETE_BULK",
+ channel_id,
+ data: { ids: messages.map(x => x.id), channel_id, guild_id: channel.guild_id }
+ } as MessageDeleteBulkEvent);
+
+ res.sendStatus(204);
+});
diff --git a/api/src/routes/guilds/#guild_id/prune.ts b/api/src/routes/guilds/#guild_id/prune.ts
index 0dd4d610..0e587d22 100644
--- a/api/src/routes/guilds/#guild_id/prune.ts
+++ b/api/src/routes/guilds/#guild_id/prune.ts
@@ -11,6 +11,10 @@ export const inactiveMembers = async (guild_id: string, user_id: string, days: n
//Snowflake should have `generateFromTime` method? Or similar?
var minId = BigInt(date.valueOf() - Snowflake.EPOCH) << BigInt(22);
+ /**
+ idea: ability to customise the cutoff variable
+ possible candidates: public read receipt, last presence, last VC leave
+ **/
var members = await Member.find({
where: [
{
@@ -47,7 +51,7 @@ export const inactiveMembers = async (guild_id: string, user_id: string, days: n
return members;
};
-router.get("/", route({ permission: "KICK_MEMBERS" }), async (req: Request, res: Response) => {
+router.get("/", route({}), async (req: Request, res: Response) => {
const days = parseInt(req.query.days as string);
var roles = req.query.include_roles;
@@ -65,7 +69,7 @@ export interface PruneSchema {
days: number;
}
-router.post("/", route({ permission: "KICK_MEMBERS" }), async (req: Request, res: Response) => {
+router.post("/", route({ permission: "KICK_MEMBERS", right: "KICK_BAN_MEMBERS" }), async (req: Request, res: Response) => {
const days = parseInt(req.body.days);
var roles = req.query.include_roles;
diff --git a/api/src/routes/users/@me/index.ts b/api/src/routes/users/@me/index.ts
index d32b44f9..1af413c4 100644
--- a/api/src/routes/users/@me/index.ts
+++ b/api/src/routes/users/@me/index.ts
@@ -46,8 +46,6 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
}
}
- user.assign(body);
-
if (body.new_password) {
if (!body.password && !user.email) {
throw FieldErrors({
@@ -66,6 +64,7 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
}
}
+ user.assign(body);
await user.save();
// @ts-ignore
diff --git a/api/src/util/handlers/Message.ts b/api/src/util/handlers/Message.ts
index 5a5ac666..e9f0ac55 100644
--- a/api/src/util/handlers/Message.ts
+++ b/api/src/util/handlers/Message.ts
@@ -91,7 +91,8 @@ export async function handleMessage(opts: MessageOptions): Promise<Message> {
if (opts.message_reference.channel_id !== opts.channel_id) throw new HTTPError("You can only reference messages from this channel");
}
}
- // Q: should be checked if the referenced message exists? ANSWER: NO
+ /** Q: should be checked if the referenced message exists? ANSWER: NO
+ otherwise backfilling won't work **/
// @ts-ignore
message.type = MessageType.REPLY;
}
|
