feat: improve share security

2022-10-13 23:23:33 +02:00
parent d9e5c286e3
commit 6358ac3918
15 changed files with 219 additions and 158 deletions
--- a/backend/src/share/guard/shareSecurity.guard.ts
+++ b/backend/src/share/guard/shareSecurity.guard.ts
@@ -21,6 +21,7 @@ export class ShareSecurityGuard implements CanActivate {

  async canActivate(context: ExecutionContext) {
    const request: Request = context.switchToHttp().getRequest();
+    const shareToken = request.get("X-Share-Token");
    const shareId = Object.prototype.hasOwnProperty.call(
      request.params,
      "shareId"
@@ -36,19 +37,15 @@ export class ShareSecurityGuard implements CanActivate {
    if (!share || moment().isAfter(share.expiration))
      throw new NotFoundException("Share not found");

-    if (!share.security) return true;
-
-    if (share.security.maxViews && share.security.maxViews <= share.views)
-      throw new ForbiddenException(
-        "Maximum views exceeded",
-        "share_max_views_exceeded"
-      );
-
-    if (
-      !this.shareService.verifyShareToken(shareId, request.get("X-Share-Token"))
-    )
+    if (share.security?.password && !shareToken)
      throw new ForbiddenException(
        "This share is password protected",
+        "share_password_required"
+      );
+
+    if (!this.shareService.verifyShareToken(shareId, shareToken))
+      throw new ForbiddenException(
+        "Share token required",
        "share_token_required"
      );