1 files changed, 55 insertions, 13 deletions
diff --git a/src/internal-server/start/routes.js b/src/internal-server/start/routes.js
index 79c809f5f..736796bb8 100644
--- a/src/internal-server/start/routes.js
+++ b/src/internal-server/start/routes.js
@@ -5,6 +5,8 @@
 |
 */
+const { timingSafeEqual } = require('crypto');
 /** @type {typeof import('@adonisjs/framework/src/Route/Manager')} */
 const Route = use('Route');
@@ -14,14 +16,38 @@ const migrate = require('./migrate');
 migrate();
+async function validateToken(clientToken, response, next) {
+  const serverToken = process.env.FERDIUM_LOCAL_TOKEN;
+  const valid = serverToken &&
+    clientToken &&
+    timingSafeEqual(Buffer.from(clientToken, 'utf8'), Buffer.from(serverToken, 'utf8'));
+  if (valid) {
+    await next();
+    return true;
+  }
+  return response.forbidden();
+}
 const OnlyAllowFerdium = async ({ request, response }, next) => {
  const version = request.header('X-Franz-Version');
  if (!version) {
-    return response.status(403).redirect('/');
+    return response.forbidden();
  }
-  await next();
+  const clientToken = request.header('X-Ferdium-Local-Token');
-  return true;
+  return validateToken(clientToken, response, next);
+};
+const RequireTokenInQS = async ({ request, response }, next) => {
+  const clientToken = request.get().token;
+  return validateToken(clientToken, response, next);
+}
+const FERDIUM_LOCAL_TOKEN_COOKIE = 'ferdium-local-token';
+const RequireAuthenticatedBrowser = async({ request, response }, next) => {
+  const clientToken = request.cookie(FERDIUM_LOCAL_TOKEN_COOKIE);
+  return validateToken(clientToken, response, next);
 };
 // Health: Returning if all systems function correctly
@@ -67,16 +93,32 @@ Route.group(() => {
 Route.group(() => {
  Route.get('icon/:id', 'ImageController.icon');
-}).prefix(API_VERSION);
+})
+  .prefix(API_VERSION)
+  .middleware(RequireTokenInQS);
-// Franz account import
+Route.group(() => {
-Route.post('import', 'UserController.import');
+  // Franz account import
-Route.get('import', ({ view }) => view.render('import'));
+  Route.post('import', 'UserController.import');
+  Route.get('import', ({ view }) => view.render('import'));
+  // Account transfer
+  Route.get('export', 'UserController.export');
+  Route.post('transfer', 'UserController.importFerdium');
+  Route.get('transfer', ({ view }) => view.render('transfer'));
-// Account transfer
+  // Index
-Route.get('export', 'UserController.export');
+  Route.get('/', ({ view }) => view.render('index'));
-Route.post('transfer', 'UserController.importFerdium');
+}).middleware(RequireAuthenticatedBrowser);
-Route.get('transfer', ({ view }) => view.render('transfer'));
-// Index
+Route.get('token/:token', ({ params: { token }, response }) => {
-Route.get('/', ({ view }) => view.render('index'));
+  if (validateToken(token)) {
+    response.cookie(FERDIUM_LOCAL_TOKEN_COOKIE, token, {
+      httpOnly: true,
+      sameSite: true,
+      path: '/',
+    });
+    return response.redirect('/');
+  }
+  return response.forbidden();
+});

diff --git a/src/internal-server/start/routes.js b/src/internal-server/start/routes.js index 79c809f5f..736796bb8 100644 --- a/src/internal-server/start/routes.js +++ b/src/internal-server/start/routes.js
@@ -5,6 +5,8 @@
5	\|	5	\|
6	*/	6	*/
7		7
		8	const { timingSafeEqual } = require('crypto');
		9
8	/** @type {typeof import('@adonisjs/framework/src/Route/Manager')} */	10	/** @type {typeof import('@adonisjs/framework/src/Route/Manager')} */
9	const Route = use('Route');	11	const Route = use('Route');
10		12
@@ -14,14 +16,38 @@ const migrate = require('./migrate');
14		16
15	migrate();	17	migrate();
16		18
		19	async function validateToken(clientToken, response, next) {
		20	const serverToken = process.env.FERDIUM_LOCAL_TOKEN;
		21	const valid = serverToken &&
		22	clientToken &&
		23	timingSafeEqual(Buffer.from(clientToken, 'utf8'), Buffer.from(serverToken, 'utf8'));
		24	if (valid) {
		25	await next();
		26	return true;
		27	}
		28	return response.forbidden();
		29	}
		30
17	const OnlyAllowFerdium = async ({ request, response }, next) => {	31	const OnlyAllowFerdium = async ({ request, response }, next) => {
18	const version = request.header('X-Franz-Version');	32	const version = request.header('X-Franz-Version');
19	if (!version) {	33	if (!version) {
20	return response.status(403).redirect('/');	34	return response.forbidden();
21	}	35	}
22		36
23	await next();	37	const clientToken = request.header('X-Ferdium-Local-Token');
24	return true;	38	return validateToken(clientToken, response, next);
		39	};
		40
		41	const RequireTokenInQS = async ({ request, response }, next) => {
		42	const clientToken = request.get().token;
		43	return validateToken(clientToken, response, next);
		44	}
		45
		46	const FERDIUM_LOCAL_TOKEN_COOKIE = 'ferdium-local-token';
		47
		48	const RequireAuthenticatedBrowser = async({ request, response }, next) => {
		49	const clientToken = request.cookie(FERDIUM_LOCAL_TOKEN_COOKIE);
		50	return validateToken(clientToken, response, next);
25	};	51	};
26		52
27	// Health: Returning if all systems function correctly	53	// Health: Returning if all systems function correctly
@@ -67,16 +93,32 @@ Route.group(() => {
67		93
68	Route.group(() => {	94	Route.group(() => {
69	Route.get('icon/:id', 'ImageController.icon');	95	Route.get('icon/:id', 'ImageController.icon');
70	}).prefix(API_VERSION);	96	})
		97	.prefix(API_VERSION)
		98	.middleware(RequireTokenInQS);
71		99
72	// Franz account import	100	Route.group(() => {
73	Route.post('import', 'UserController.import');	101	// Franz account import
74	Route.get('import', ({ view }) => view.render('import'));	102	Route.post('import', 'UserController.import');
		103	Route.get('import', ({ view }) => view.render('import'));
		104
		105	// Account transfer
		106	Route.get('export', 'UserController.export');
		107	Route.post('transfer', 'UserController.importFerdium');
		108	Route.get('transfer', ({ view }) => view.render('transfer'));
75		109
76	// Account transfer	110	// Index
77	Route.get('export', 'UserController.export');	111	Route.get('/', ({ view }) => view.render('index'));
78	Route.post('transfer', 'UserController.importFerdium');	112	}).middleware(RequireAuthenticatedBrowser);
79	Route.get('transfer', ({ view }) => view.render('transfer'));
80		113
81	// Index	114	Route.get('token/:token', ({ params: { token }, response }) => {
82	Route.get('/', ({ view }) => view.render('index'));	115	if (validateToken(token)) {
		116	response.cookie(FERDIUM_LOCAL_TOKEN_COOKIE, token, {
		117	httpOnly: true,
		118	sameSite: true,
		119	path: '/',
		120	});
		121	return response.redirect('/');
		122	}
		123	return response.forbidden();
		124	});