From 3dbaf7a01b299c1ec7cc74dd8b24dcda48425d6e Mon Sep 17 00:00:00 2001
From: Jared
Date: Wed, 18 Jun 2025 08:48:53 +0200
Subject: [PATCH] added token validation with input fields
---
src/lib/minio.ts | 2 +
src/lib/server/s3ClientService.ts | 39 +----
src/lib/server/vorgangService.ts | 133 +++++++++++-------
src/routes/(angemeldet)/upload/+page.svelte | 1 +
.../(token-based)/list/[vorgang]/+page.svelte | 1 -
.../list/[vorgang]/[tatort]/+server.ts | 4 +-
src/routes/(token-based)/view/+page.server.ts | 4 +-
src/routes/(token-based)/view/+page.svelte | 92 ++++--------
src/routes/anmeldung/+page.server.ts | 4 +-
src/routes/anmeldung/+page.svelte | 30 ++--
10 files changed, 133 insertions(+), 177 deletions(-)
diff --git a/src/lib/minio.ts b/src/lib/minio.ts
index 07a763b..6824b78 100644
--- a/src/lib/minio.ts
+++ b/src/lib/minio.ts
@@ -6,3 +6,5 @@ import config from '$lib/config';
 /** export const client = new Minio.Client(config.minio); */
 export const client = new Client(config.minio);
+
+export const BUCKET = 'tatort';
diff --git a/src/lib/server/s3ClientService.ts b/src/lib/server/s3ClientService.ts
index beb1411..2a46c87 100644
--- a/src/lib/server/s3ClientService.ts
+++ b/src/lib/server/s3ClientService.ts
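Review bot: `BUCKET` is introduced as a hard-coded literal right next to a client that takes every other Minio setting from `$lib/config`, so the bucket name becomes the one connection detail that cannot differ per environment; consider sourcing it from the same config object instead of the literal. The export also carries no documentation, while it is now the shared name for the bucket that `vorgangService.ts` lists prefixes from and reads the `__perm__` token object out of; a one-line TSDoc such as `/** Bucket holding the per-Vorgang object prefixes and their token objects. */` would make that contract visible at the declaration.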
@@ -1,41 +1,4 @@
-import { client } from '$lib/minio';
-
-const BUCKET = 'tatort';
-
-export const getVorgang = ({ params }) => {
-const prefix = params.vorgang ? `${params.vorgang}/` : '';
-const stream = client.listObjectsV2('tatort', prefix, false, '');
-const result = new ReadableStream({
-start(controller) {
-stream.on('data', (data) => {
-if (prefix === '') {
-if (data.prefix)
-controller.enqueue(`${JSON.stringify({ ...data, name: data.prefix.slice(0, -1) })}\n`);
-return;
-}
-
-const name = data.name.slice(prefix.length);
-if (name === 'config.json') return;
-// zugangscode datei
-if (name === '__perm__') return;
-
-controller.enqueue(`${JSON.stringify({ ...data, name, prefix })}\n`);
-});
-stream.on('end', () => {
-controller.close();
-});
-},
-cancel() {
-stream.destroy();
-}
-});
-
-return new Response(result, {
-headers: {
-'content-type': 'text/event-stream'
-}
-});
-};
+import { BUCKET, client } from '$lib/minio';
 export const checkIfExactDirectoryExists = (dir: string): Promise => {
diff --git a/src/lib/server/vorgangService.ts b/src/lib/server/vorgangService.ts
index cb0dda7..4374e90 100644
--- a/src/lib/server/vorgangService.ts
+++ b/src/lib/server/vorgangService.ts
@@ -1,68 +1,97 @@
 import { fail, redirect } from '@sveltejs/kit';
-import { client } from '$lib/minio';
+import { BUCKET, client } from '$lib/minio';
 import { checkIfExactDirectoryExists } from './s3ClientService';
 /**
- *
- * @param request
- * @returns
+ *
+ * @param request
+ * @returns
 */
-export const getVorgangByCaseNumber = async ( request: Request) => {
-const data = await request.formData();
-const caseNumber = data.get('caseNumber');
-const user_token = data.get('token');
+export const redirectIfVorgangExists = async (request: Request) => {
+const data = await request.formData();
+const caseId = data.get('case-id');
+const caseToken = data.get('case-token');
-if (!caseNumber) {
-return fail(400, {
-success: false,
-caseNumber,
-error: { message: 'Die Vorgangsnummer darf nicht leer sein.' }
-});
-}
+if (!caseId) {
+return fail(400, {
+success: false,
+caseId,
+error: { message: 'Die Vorgangsnummer darf nicht leer sein.' }
+});
+}
-if (typeof caseNumber === 'string' && !(await checkIfExactDirectoryExists(caseNumber))) {
-return fail(400, {
-success: false,
-caseNumber,
-error: { message: 'Die Vorgangsnummer existiert in dieser Anwendung nicht.' }
-});
-}
+if (typeof caseId === 'string' && !(await checkIfExactDirectoryExists(caseId))) {
+return fail(400, {
+success: false,
+caseId,
+error: { message: 'Die Vorgangsnummer existiert in dieser Anwendung nicht.' }
+});
+}
+const isTokenValid = await hasValidToken(caseId, caseToken);
-const token = await getTokenOrNull(caseNumber);
+if (!isTokenValid) {
+return fail(400, {
+success: false,
+caseId,
+error: { message: 'Der Token ist ungültig.' }
+});
+}
-if (token && token != user_token) {
-return fail(400, {
-success: false,
-caseNumber,
-error: { message: 'Der Token ist falsch.' }
-});
-}
+redirect(303, `/list/${caseId}`);
+};
-redirect(303, `/list/${caseNumber}`);
-}
+export const getVorgangByCaseId = ({ params }) => {
+const prefix = params.vorgang ? `${params.vorgang}/` : '';
+const stream = client.listObjectsV2(BUCKET, prefix, false, '');
+const result = new ReadableStream({
+start(controller) {
+stream.on('data', (data) => {
+if (prefix === '') {
+if (data.prefix)
+controller.enqueue(`${JSON.stringify({ ...data, name: data.prefix.slice(0, -1) })}\n`);
+return;
+}
+const name = data.name.slice(prefix.length);
+if (name === 'config.json') return;
+// zugangscode datei
+if (name === '__perm__') return;
-const getTokenOrNull = async (vorgang) => {
-const code_name = '__perm__';
-const obj_path = `${vorgang}/${code_name}`;
+controller.enqueue(`${JSON.stringify({ ...data, name, prefix })}\n`);
+});
+stream.on('end', () => {
+controller.close();
+});
+},
+cancel() {
+stream.destroy();
+}
+});
-let resp = null;
-let code_saved = '';
+return new Response(result, {
+headers: {
+'content-type': 'text/event-stream'
+}
+});
+};
-try {
-resp = await client.getObject('tatort', obj_path);
-
-code_saved = await new Response(resp).text();
-} catch (error) {
-if (error.name == 'S3Error') {
-resp = null;
-}
-}
+const hasValidToken = async (caseId: string, caseToken: string) => {
+const tokenFileName = '__perm__';
+const objPath = `${caseId}/${tokenFileName}`;
-if (resp != null) {
-return code_saved;
-} else {
-return null;
-}
-}
+try {
+if (!caseToken) return false;
+
+const res = await client.getObject('tatort', objPath);
+
+const savedToken = await new Response(res).text();
+
+return savedToken === caseToken ? true : false;
+} catch (error) {
+if (error.name == 'S3Error') {
+console.log(error);
+return false;
+}
+}
+};
diff --git a/src/routes/(angemeldet)/upload/+page.svelte b/src/routes/(angemeldet)/upload/+page.svelte
index f7f53ac..0d93a8c 100644
--- a/src/routes/(angemeldet)/upload/+page.svelte
+++ b/src/routes/(angemeldet)/upload/+page.svelte
@@ -148,6 +148,7 @@
 } else {
 return false;
 }
+return true;
 }
 // `/(angemeldet)/view` return true or false
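Review bot: `hasValidToken` still fetches the token object from the literal bucket `'tatort'` although `getVorgangByCaseId` a few lines above now uses the `BUCKET` constant this commit imports, so the two lookups will diverge as soon as the bucket name changes. The same function has no return value on the non-`S3Error` path (any other exception falls out of the `catch` and the caller sees `undefined`), its `caseToken: string` parameter is handed `data.get('case-token')`, which is `FormDataEntryValue | null`, and `caseId` is still `FormDataEntryValue` at the call because the `typeof caseId === 'string'` guard is folded into the existence check instead of rejecting non-string input. I would make that guard an early exit, `if (!caseId || typeof caseId !== 'string') {` reusing the existing `fail(400, …)` body, and rewrite `hasValidToken` as below so that a missing or unreadable `__perm__` object still fails closed while unexpected errors are surfaced rather than reported as a wrong token. Note that with this hunk a Vorgang without a `__perm__` object is now rejected (getObject throws, the catch returns false) where the removed `getTokenOrNull` path let it through; if that is intended it deserves a line in the commit message, and if the token is meant as a secret rather than a short access code the `===` comparison should become `crypto.timingSafeEqual` on equal-length buffers.
```typescript
const hasValidToken = async (caseId: string, caseToken: string | null): Promise<boolean> => {
	if (!caseToken) return false;
	const objPath = `${caseId}/__perm__`;
	try {
		const res = await client.getObject(BUCKET, objPath);
		const savedToken = await new Response(res).text();
		return savedToken === caseToken;
	} catch (error: unknown) {
		// Missing or unreadable token object: fail closed, but leave a trace for operators.
		if (error instanceof Error && error.name === 'S3Error') {
			console.error(`token lookup failed for ${objPath}:`, error.message);
			return false;
		}
		// Anything else is unexpected; let the request fail loudly instead of reporting "invalid token".
		throw error;
	}
};
```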
diff --git a/src/routes/(token-based)/list/[vorgang]/+page.svelte b/src/routes/(token-based)/list/[vorgang]/+page.svelte
index 695d7c9..3e96884 100644
--- a/src/routes/(token-based)/list/[vorgang]/+page.svelte
+++ b/src/routes/(token-based)/list/[vorgang]/+page.svelte
@@ -172,7 +172,6 @@ >
-
{#if data?.user?.admin} getVorgangByCaseNumber(request) + default: async ({request}: {request: Request}) => redirectIfVorgangExists(request) } \ No newline at end of file diff --git a/src/routes/(token-based)/view/+page.svelte b/src/routes/(token-based)/view/+page.svelte index cd8c641..f2a6c49 100644 --- a/src/routes/(token-based)/view/+page.svelte +++ b/src/routes/(token-based)/view/+page.svelte @@ -1,5 +1,7 @@