release: 0.10.0

* add first concept

* add reverse share funcionality to frontend

* allow creator to limit share expiration

* moved reverse share in seperate module

* add table to manage reverse shares

* delete complete share if reverse share was deleted

* optimize function names

* add db migration

* enable reverse share email notifications

* fix config variable descriptions

* fix migration for new installations

.env.example

@@ -1,11 +0,0 @@
-# Read what every environment variable does: https://github.com/stonith404/pingvin-share#environment-variables
-
-# GENERAL
-APP_URL=http://localhost:3000
-SHOW_HOME_PAGE=true
-ALLOW_REGISTRATION=true
-ALLOW_UNAUTHENTICATED_SHARES=false
-MAX_FILE_SIZE=1000000000
-
-# SECURITY
-JWT_SECRET=long-random-string

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+# These are supported funding model platforms
+github: stonith404

.github/ISSUE_TEMPLATE/bug.yml

@@ -0,0 +1,45 @@
+name: "🐛 Bug Report"
+description: "Submit a bug report to help us improve"
+title: "🐛 Bug Report: "
+labels: [bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out our bug report form 🙏
+  - type: textarea
+    id: steps-to-reproduce
+    validations:
+      required: true
+    attributes:
+      label: "👟 Reproduction steps"
+      description: "How do you trigger this bug? Please walk us through it step by step."
+      placeholder: "When I ..."
+  - type: textarea
+    id: expected-behavior
+    validations:
+      required: true
+    attributes:
+      label: "👍 Expected behavior"
+      description: "What did you think would happen?"
+      placeholder: "It should ..."
+  - type: textarea
+    id: actual-behavior
+    validations:
+      required: true
+    attributes:
+      label: "👎 Actual Behavior"
+      description: "What did actually happen? Add screenshots, if applicable."
+      placeholder: "It actually ..."
+  - type: input
+    id: operating-system
+    attributes:
+      label: "🌐 Browser"
+      description: "Which browser do you use?"
+      placeholder: "Firefox"
+    validations:
+      required: true
+  - type: markdown
+    attributes:
+      value: |
+        Before submitting, please check if the issues hasn't been raised before.

.github/ISSUE_TEMPLATE/feature.yml

@@ -0,0 +1,29 @@
+name: 🚀 Feature
+description: "Submit a proposal for a new feature"
+title: "🚀 Feature: "
+labels: [feature]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out our feature request form 🙏
+  - type: textarea
+    id: feature-description
+    validations:
+      required: true
+    attributes:
+      label: "🔖 Feature description"
+      description: "A clear and concise description of what the feature is."
+      placeholder: "You should add ..."
+  - type: textarea
+    id: pitch
+    validations:
+      required: true
+    attributes:
+      label: "🎤 Pitch"
+      description: "Please explain why this feature should be implemented and how it would be used. Add examples, if applicable."
+      placeholder: "In my use-case, ..."
+  - type: markdown
+    attributes:
+      value: |
+        Before submitting, please check if the issues hasn't been raised before.

.github/workflows/backend-system-tests.yml

@@ -13,13 +13,10 @@ jobs:
     runs-on: ubuntu-latest
     container: node:18
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Install Dependencies
         working-directory: ./backend
         run: npm install
-      - name: Create .env file
-        working-directory: ./backend
-        run: mv .env.example .env
       - name: Run Server and Test with Newman
         working-directory: ./backend
         run: npm run test:system

.github/workflows/build-docker-image.yml

@@ -9,11 +9,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: login to docker registry
         run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
       - name: Build the image

.github/workflows/close_inactive_issues.yml

@@ -0,0 +1,23 @@
+name: Close inactive issues
+on:
+  schedule:
+    - cron: "00 00 * * *"
+
+jobs:
+  close-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v4
+        with:
+          days-before-issue-stale: 30
+          days-before-issue-close: 14
+          exempt-issue-labels: "feature"
+          stale-issue-label: "stale"
+          stale-issue-message: "This issue is stale because it has been open for 30 days with no activity."
+          close-issue-message: "This issue was closed because it has been inactive for 14 days since being marked as stale."
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

CHANGELOG.md

@@ -1,3 +1,242 @@
+## [0.10.0](https://github.com/stonith404/pingvin-share/compare/v0.9.0...v0.10.0) (2023-02-10)
+
+
+### ⚠ BREAKING CHANGES
+
+* reset password with email
+
+### Features
+
+* allow multiple shares with one reverse share link ([ccdf8ea](https://github.com/stonith404/pingvin-share/commit/ccdf8ea3ae1e7b8520c5b1dd9bea18b1b3305f35))
+* **frontend:** server side rendering to improve performance ([38de022](https://github.com/stonith404/pingvin-share/commit/38de022215a9b99c2eb36654f8dbb1e17ca87aba))
+* reset password with email ([5d1a7f0](https://github.com/stonith404/pingvin-share/commit/5d1a7f0310df2643213affd2a0d1785b7e0af398))
+
+
+### Bug Fixes
+
+* delete all shares of reverse share ([86a7379](https://github.com/stonith404/pingvin-share/commit/86a737951951c911abd7967d76cb253c4335cb0c))
+* invalid redirection after jwt expiry ([82f204e](https://github.com/stonith404/pingvin-share/commit/82f204e8a93e3113dcf65b1881d4943a898602eb))
+* setup status doesn't change ([064ef38](https://github.com/stonith404/pingvin-share/commit/064ef38d783b3f351535c2911eb451efd9526d71))
+* share creation without reverseShareToken ([b966270](https://github.com/stonith404/pingvin-share/commit/b9662701c42fe6771c07acb869564031accb2932))
+* share fails if a share was created with a reverse share link recently ([edc10b7](https://github.com/stonith404/pingvin-share/commit/edc10b72b7884c629a8417c3c82222b135ef7653))
+
+## [0.9.0](https://github.com/stonith404/pingvin-share/compare/v0.8.0...v0.9.0) (2023-01-31)
+
+
+### Features
+
+* direct file link ([008df06](https://github.com/stonith404/pingvin-share/commit/008df06b5cf48872d4dd68df813370596a4fd468))
+* file preview ([91a6b3f](https://github.com/stonith404/pingvin-share/commit/91a6b3f716d37d7831e17a7be1cdb35cb23da705))
+
+
+### Bug Fixes
+
+* improve send test email UX ([233c26e](https://github.com/stonith404/pingvin-share/commit/233c26e5cfde59e7d51023ef9901dec2b84a4845))
+
+## [0.8.0](https://github.com/stonith404/pingvin-share/compare/v0.7.0...v0.8.0) (2023-01-26)
+
+
+### Features
+
+* reverse shares ([#86](https://github.com/stonith404/pingvin-share/issues/86)) ([4a5fb54](https://github.com/stonith404/pingvin-share/commit/4a5fb549c6ac808261eb65d28db69510a82efd00))
+
+
+### Bug Fixes
+
+* Add meta tags to new pages ([bb64f6c](https://github.com/stonith404/pingvin-share/commit/bb64f6c33fc5c5e11f2c777785c96a74b57dfabc))
+* admin users were created while the setup wizard wasn't finished ([ad92cfc](https://github.com/stonith404/pingvin-share/commit/ad92cfc852ca6aa121654d747a02628492ae5b89))
+
+## [0.7.0](https://github.com/stonith404/pingvin-share/compare/v0.6.1...v0.7.0) (2023-01-13)
+
+
+### Features
+
+* add ClamAV to scan for malicious files ([76088cc](https://github.com/stonith404/pingvin-share/commit/76088cc76aedae709f06deaee2244efcf6a22bed))
+
+
+### Bug Fixes
+
+* invalid github release link on admin page ([349bf47](https://github.com/stonith404/pingvin-share/commit/349bf475cc7fc1141dbd2a9bd2f63153c4d5b41b))
+
+### [0.6.1](https://github.com/stonith404/pingvin-share/compare/v0.6.0...v0.6.1) (2023-01-11)
+
+
+### Features
+
+* delete all sessions if password was changed ([02e41e2](https://github.com/stonith404/pingvin-share/commit/02e41e243768de34de1bdc8833e83f60db530e55))
+
+
+### Bug Fixes
+
+* shareUrl uses wrong origin ([f1b44f8](https://github.com/stonith404/pingvin-share/commit/f1b44f87fa64d3b21ca92c9068cb352d0ad51bc0))
+* update password doesn't work ([74e8956](https://github.com/stonith404/pingvin-share/commit/74e895610642552c98c0015d0f8347735aaed457))
+
+## [0.6.0](https://github.com/stonith404/pingvin-share/compare/v0.5.1...v0.6.0) (2023-01-09)
+
+
+### Features
+
+* chunk uploads ([#76](https://github.com/stonith404/pingvin-share/issues/76)) ([653d72b](https://github.com/stonith404/pingvin-share/commit/653d72bcb958268e2f23efae94cccb72faa745af))
+
+
+### Bug Fixes
+
+* access token refreshes even it is still valid ([c8ad222](https://github.com/stonith404/pingvin-share/commit/c8ad2225e3c9ca79fea494d538b67797fbc7f6ae))
+* error message typo ([72c8081](https://github.com/stonith404/pingvin-share/commit/72c8081e7c135ab1f600ed7e3d7a0bf03dabde34))
+* migration for v0.5.1 ([f2d4895](https://github.com/stonith404/pingvin-share/commit/f2d4895e50d3da82cef68858752fb7f6293e7a20))
+* refresh token expires after 1 day instead of 3 months ([a5bef5d](https://github.com/stonith404/pingvin-share/commit/a5bef5d4a4ae75447ca1f65259c5541edfc87dd8))
+
+### [0.5.1](https://github.com/stonith404/pingvin-share/compare/v0.5.0...v0.5.1) (2023-01-04)
+
+
+### Features
+
+* show version and show button if new release is available on admin page ([71658ad](https://github.com/stonith404/pingvin-share/commit/71658ad39d7e3638de659e8230fad4e05f60fdd8))
+* use cookies for authentication ([faea1ab](https://github.com/stonith404/pingvin-share/commit/faea1abcc4b533f391feaed427e211fef9166fe4))
+
+
+### Bug Fixes
+
+* email configuration updated without restart ([1117465](https://github.com/stonith404/pingvin-share/commit/11174656e425c4be60e4f7b1ea8463678e5c60d2))
+
+## [0.5.0](https://github.com/stonith404/pingvin-share/compare/v0.4.0...v0.5.0) (2022-12-30)
+
+
+### Features
+
+* custom mail subject ([cabaee5](https://github.com/stonith404/pingvin-share/commit/cabaee588b50877872d210c870bfb9c95b541921))
+* improve config UI ([#69](https://github.com/stonith404/pingvin-share/issues/69)) ([5bc4f90](https://github.com/stonith404/pingvin-share/commit/5bc4f902f6218a09423491404806a4b7fb865c98))
+* manually switch color scheme ([ef21bac](https://github.com/stonith404/pingvin-share/commit/ef21bac59b11dc68649ab3b195dcb89d2b192e7b))
+
+
+### Bug Fixes
+
+* refresh token gets deleted on session end ([e5b50f8](https://github.com/stonith404/pingvin-share/commit/e5b50f855c02aa4b5c9ee873dd5a7ab25759972d))
+
+## [0.4.0](https://github.com/stonith404/pingvin-share/compare/v0.3.6...v0.4.0) (2022-12-21)
+
+
+### Features
+
+* custom email message ([0616a68](https://github.com/stonith404/pingvin-share/commit/0616a68bd2e0c9cb559ebdf294e353dd3f69c9a5))
+* TOTP (two-factor) Authentication ([#55](https://github.com/stonith404/pingvin-share/issues/55)) ([16480f6](https://github.com/stonith404/pingvin-share/commit/16480f6e9572011fadeb981a388b92cb646fa6d9))
+
+### [0.3.6](https://github.com/stonith404/pingvin-share/compare/v0.3.5...v0.3.6) (2022-12-13)
+
+
+### Features
+
+* add description field to share ([8728fa5](https://github.com/stonith404/pingvin-share/commit/8728fa5207524e9aee26d68eafe1b6fff367d749))
+
+
+### Bug Fixes
+
+* remove dot in email link ([9b0c08d](https://github.com/stonith404/pingvin-share/commit/9b0c08d0cdeeeef217ccba57f593fea9d8858371))
+* rerange accordion items ([844c47e](https://github.com/stonith404/pingvin-share/commit/844c47e1290fb0f7dedb41a18be59ed5ab83dabc))
+
+### [0.3.5](https://github.com/stonith404/pingvin-share/compare/v0.3.4...v0.3.5) (2022-12-11)
+
+
+### Features
+
+* upload 3 files at same time ([d010a8a](https://github.com/stonith404/pingvin-share/commit/d010a8a2d366708b1bb5088e9c1e9f9378d3e023))
+
+
+### Bug Fixes
+
+* jobs never get executed ([05cbb7b](https://github.com/stonith404/pingvin-share/commit/05cbb7b27ef98a3a80dd9edc318f1dcc9a8bd442))
+* only create zip if more than one file is in the share ([3d1d4d0](https://github.com/stonith404/pingvin-share/commit/3d1d4d0fc7c0351724387c3721280c334ae94d98))
+* remove unnecessary port expose ([084e911](https://github.com/stonith404/pingvin-share/commit/084e911eed95eb22fea0bf185803ba32c3eda1a9))
+* setup wizard table doesn't take full width ([9798e26](https://github.com/stonith404/pingvin-share/commit/9798e26872064edc1049138cf73479b1354a43ed))
+* use node slim to fix arm builds ([797f893](https://github.com/stonith404/pingvin-share/commit/797f8938cac9cc3bb788f632d97eba5c49fe98a5))
+* zip doesn't contain file extension ([5b01108](https://github.com/stonith404/pingvin-share/commit/5b0110877745f1fcde4952737a93c07ef4a2a92d))
+
+### [0.3.4](https://github.com/stonith404/pingvin-share/compare/v0.3.3...v0.3.4) (2022-12-10)
+
+
+### Bug Fixes
+
+* show alternative to copy button if site is not using https ([7e877ce](https://github.com/stonith404/pingvin-share/commit/7e877ce9f4b82d61c9b238e17def9f4c29e7aeb8))
+* sign up page available when registration is disabled ([c8a4521](https://github.com/stonith404/pingvin-share/commit/c8a4521677280d6aba89d293a1fe0c38adf9f92c))
+* tables on mobile ([b1bfb09](https://github.com/stonith404/pingvin-share/commit/b1bfb09dfd5c90cc18847470a9ce1ce8397c1476))
+
+### [0.3.3](https://github.com/stonith404/pingvin-share/compare/v0.3.2...v0.3.3) (2022-12-08)
+
+
+### Features
+
+* add support for different email and user ([888a0c5](https://github.com/stonith404/pingvin-share/commit/888a0c5fafc51b6872ed71e37d4b40c9bf6a07f1))
+
+
+### Bug Fixes
+
+* allow empty strings in config variable ([b8172ef](https://github.com/stonith404/pingvin-share/commit/b8172efd59fb3271ab9b818b13a7003342b2cebd))
+* improve admin dashboard color and layout ([a545c44](https://github.com/stonith404/pingvin-share/commit/a545c444261c90105dcb165ebcf4b26634e729ca))
+* obscure critical config variables ([bfb0d15](https://github.com/stonith404/pingvin-share/commit/bfb0d151ea2ba125e536a16b1873e143a67e9f64))
+* obscured text length ([cbe37c6](https://github.com/stonith404/pingvin-share/commit/cbe37c679853ecef1522ed213e4cac5defd5b45a))
+* space character in email ([907e56a](https://github.com/stonith404/pingvin-share/commit/907e56af0faccdbc8d7f5ab3418a4ad71ff849f5))
+
+### [0.3.2](https://github.com/stonith404/pingvin-share/compare/v0.3.1...v0.3.2) (2022-12-07)
+
+
+### Bug Fixes
+
+* make share password optional ([57cb683](https://github.com/stonith404/pingvin-share/commit/57cb683c64eaedec2697ea6863948bd2ae68dd75))
+* unauthenticated dialog not shown ([4a016ed](https://github.com/stonith404/pingvin-share/commit/4a016ed57db526ee900c567f7b7f0991f948c631))
+* use session storage for share token ([5ea63fb](https://github.com/stonith404/pingvin-share/commit/5ea63fb60be0c508c38ba228cc8ac6dd7b403aac))
+
+### [0.3.1](https://github.com/stonith404/pingvin-share/compare/v0.3.0...v0.3.1) (2022-12-05)
+
+
+### Bug Fixes
+
+* dropzone rejection on chrome ([75f57a4](https://github.com/stonith404/pingvin-share/commit/75f57a4e57fb13cc62e87428e8302b453ea6b44b))
+
+## [0.3.0](https://github.com/stonith404/pingvin-share/compare/v0.2.0...v0.3.0) (2022-12-05)
+
+
+### Features
+
+* add add new config strategy to frontend ([493705e](https://github.com/stonith404/pingvin-share/commit/493705e4ef21cb638620b0037b9ff2cec8046c95))
+* add administrator guard ([13f98cc](https://github.com/stonith404/pingvin-share/commit/13f98cc32c804c786c71b10dc4cf029d7795be76))
+* add job that deleted temporary files ([b649d8b](https://github.com/stonith404/pingvin-share/commit/b649d8bf8e849aff3f350e3c5fd0151a063b9706))
+* add new config strategy to backend ([1b5e53f](https://github.com/stonith404/pingvin-share/commit/1b5e53ff7ee00228eda6dc5c62d5cd8c3752b03b))
+* add setup wizard ([b579b8f](https://github.com/stonith404/pingvin-share/commit/b579b8f3309e2d7070e6a82c5da76ab8029bee11))
+* add user management ([7a3967f](https://github.com/stonith404/pingvin-share/commit/7a3967fd6f76a03461d05e962e82fe5130528ca5))
+* add user operations to backend ([31b3f6c](https://github.com/stonith404/pingvin-share/commit/31b3f6cb2fc662623df92cdbaf803f1b98a696ae))
+
+
+### Bug Fixes
+
+* convert async function to sync function ([1dbfe0b](https://github.com/stonith404/pingvin-share/commit/1dbfe0bbc9821bbee02220484c87cf9fe12fd033))
+* database migration by adding a username ([e9526fc](https://github.com/stonith404/pingvin-share/commit/e9526fc0390cc8ba70c824370041ea9aaf6f9ef9))
+* docker build ([e958a83](https://github.com/stonith404/pingvin-share/commit/e958a83b87a452e42fb38c12d4b11d71b2323c2d))
+* share password validation ([c795b98](https://github.com/stonith404/pingvin-share/commit/c795b988df437c85efb91e0f6f8ec782f38dbe3d))
+* unable to update user privileges ([d4a0f1a](https://github.com/stonith404/pingvin-share/commit/d4a0f1a4f16b7980fb244a4e582ceeb9bfaff877))
+
+## [0.2.0](https://github.com/stonith404/pingvin-share/compare/v0.1.1...v0.2.0) (2022-11-13)
+
+
+### Features
+
+* add email recepients functionality ([32ad43a](https://github.com/stonith404/pingvin-share/commit/32ad43ae27a29b946bfba0040cac7eb158c84553))
+
+
+### Bug Fixes
+
+* add public userDTO to prevent confusion ([0efd2d8](https://github.com/stonith404/pingvin-share/commit/0efd2d8bf96506cf7d7dc2dc3164a8d59009cec7))
+* email sending when not signed in ([32eaee4](https://github.com/stonith404/pingvin-share/commit/32eaee42363250defa92913c738a2702ba3e2693))
+* hide and disallow email recipients if disabled ([34db3ae](https://github.com/stonith404/pingvin-share/commit/34db3ae2a997498edaa70404807d0e770dad6edb))
+
+### [0.1.1](https://github.com/stonith404/pingvin-share/compare/v0.1.0...v0.1.1) (2022-10-31)
+
+
+### Bug Fixes
+
+* add `ALLOW_UNAUTHENTICATED_SHARES` to docker compose file ([599d8ca](https://github.com/stonith404/pingvin-share/commit/599d8caa31dc018c14c959d6602ac652eaef5da2))
+* only log jobs if they actually did something ([e40cc0f](https://github.com/stonith404/pingvin-share/commit/e40cc0f48beec09e18738de1b445cabd9daab09b))
+* share finishes before all files are uploaded ([99de4e5](https://github.com/stonith404/pingvin-share/commit/99de4e57e18df54596e168a57b94c55d7a834472))
+
 ## [0.1.0](https://github.com/stonith404/pingvin-share/compare/v0.0.1...v0.1.0) (2022-10-29)
 
 

CONTRIBUTING.md

@@ -3,10 +3,11 @@
 We would ❤️ for you to contribute to Pingvin Share and help make it better! All contributions are welcome, including issues, suggestions, pull requests and more.
 
 ## Getting started
+
 You've found a bug, have suggestion or something else, just create an issue on GitHub and we can get in touch 😊.
 
+## Submit a Pull Request
 
-## Submit a Pull Request 
 Once you created a issue and you want to create a pull request, follow this guide.
 
 Branch naming convention is as following
@@ -74,20 +75,21 @@ The backend is built with [Nest.js](https://nestjs.com) and uses Typescript.
 #### Setup
 
 1. Open the `backend` folder
-2. Duplicate the `.env.example` file, rename the duplicate to `.env` and change the environment variables if needed
+2. Install the dependencies with `npm install`
-3. Install the dependencies with `npm install`
+3. Push the database schema to the database by running `npx prisma db push`
-4. Push the database schema to the database by running `npx prisma db push`
+4. Seed the database with `npx prisma db seed`
 5. Start the backend with `npm run dev`
 
 ### Frontend
+
 The frontend is built with [Next.js](https://nextjs.org) and uses Typescript.
 
 #### Setup
+
 1. Start the backend first
 2. Open the `frontend` folder
-3. Duplicate the `.env.example` file, rename the duplicate to `.env` and change the environment variables if needed
+3. Install the dependencies with `npm install`
-4. Install the dependencies with `npm install`
+4. Start the frontend with `npm run dev`
-5. Start the frontend with `npm run dev`
 
 You're all set!
 

Dockerfile

@@ -1,34 +1,51 @@
-FROM node:18-alpine AS frontend-builder
+# Using node slim because prisma ORM needs libc for ARM builds
+
+# Stage 1: on frontend dependency change
+FROM node:18-slim AS frontend-dependencies
 WORKDIR /opt/app
 COPY frontend/package.json frontend/package-lock.json ./
 RUN npm ci
+
+# Stage 2: on frontend change
+FROM node:18-slim AS frontend-builder
+WORKDIR /opt/app
 COPY ./frontend .
+COPY --from=frontend-dependencies /opt/app/node_modules ./node_modules
 RUN npm run build
 
-FROM node:18 AS backend-builder
+# Stage 3: on backend dependency change
+FROM node:18-slim AS backend-dependencies
 WORKDIR /opt/app
 COPY backend/package.json backend/package-lock.json ./
 RUN npm ci
-COPY ./backend .
-RUN npx prisma generate
-RUN npm run build
 
-FROM node:18 AS runner
+# Stage 4:on backend change
+FROM node:18-slim AS backend-builder
+RUN apt-get update && apt-get install -y openssl
+WORKDIR /opt/app
+COPY ./backend .
+COPY --from=backend-dependencies /opt/app/node_modules ./node_modules
+RUN npx prisma generate
+RUN npm run build  && npm prune --production
+
+# Stage 5: Final image
+FROM node:18-slim AS runner
+ENV NODE_ENV=docker
+RUN apt-get update && apt-get install -y openssl
+
 WORKDIR /opt/app/frontend
-ENV NODE_ENV=production
-COPY --from=frontend-builder /opt/app/next.config.js .
 COPY --from=frontend-builder /opt/app/public ./public
-COPY --from=frontend-builder /opt/app/.next ./.next
+# Automatically leverage output traces to reduce image size
-COPY --from=frontend-builder /opt/app/node_modules ./node_modules
+# https://nextjs.org/docs/advanced-features/output-file-tracing
+COPY --from=frontend-builder /opt/app/.next/standalone ./
+COPY --from=frontend-builder /opt/app/.next/static ./.next/static
 
 WORKDIR /opt/app/backend
 COPY --from=backend-builder /opt/app/node_modules ./node_modules
 COPY --from=backend-builder /opt/app/dist ./dist
 COPY --from=backend-builder /opt/app/prisma ./prisma
 COPY --from=backend-builder /opt/app/package.json ./
+
 WORKDIR /opt/app
-
-RUN npm i -g dotenv-cli
-
 EXPOSE 3000
-CMD cd frontend && dotenv node_modules/.bin/next start & cd backend && npm run prod
+CMD node frontend/server.js & cd backend && npm run prod

README.md

@@ -2,46 +2,52 @@
 
 Pingvin Share is self-hosted file sharing platform and an alternative for WeTransfer.
 
-## 🎪 Showcase
-
-Demo: https://pingvin-share.dev.eliasschneider.com
-
-<img src="https://user-images.githubusercontent.com/58886915/167101708-b85032ad-f5b1-480a-b8d7-ec0096ea2a43.png" width="700"/>
-
 ## ✨ Features
 
 - Create a share with files that you can access with a link
 - No file size limit, only your disk will be your limit
 - Set a share expiration
 - Optionally secure your share with a visitor limit and a password
-- Light & dark mode
+- Email recepients
+- ClamAV integration
+
+## 🐧 Get to know Pingvin Share
+
+- [Demo](https://pingvin-share.dev.eliasschneider.com)
+- [Review by DB Tech](https://www.youtube.com/watch?v=rWwNeZCOPJA)
+
+<img src="https://user-images.githubusercontent.com/58886915/167101708-b85032ad-f5b1-480a-b8d7-ec0096ea2a43.png" width="700"/>
 
 ## ⌨️ Setup
 
 > Pleas note that Pingvin Share is in early stage and could include some bugs
 
-1. Download the `docker-compose.yml` and `.env.example` file.
+### Recommended installation
-2. Rename the `.env.example` file to `.env` and change the environment variables so that they fit to your environment. If you need help with the environment variables take a look [here](#environment-variables)
+
-3. Run `docker-compose up -d`
+1. Download the `docker-compose.yml` file
+2. Run `docker-compose up -d`
 
 The website is now listening available on `http://localhost:3000`, have fun with Pingvin Share 🐧!
 
-### Environment variables
+### Integrations
 
-| Variable                       | Description                                                                                 | Possible values |
+#### ClamAV
-| ------------------------------ | ------------------------------------------------------------------------------------------- | --------------- |
+
-| `APP_URL`                      | On which URL Pingvin Share is available. E.g http://localhost or https://pingvin-share.com. | URL             |
+With ClamAV the shares get scanned for malicious files and get removed if any found.
-| `SHOW_HOME_PAGE`               | Whether the Pingvin Share home page should be shown.                                        | true/false      |
+
-| `ALLOW_REGISTRATION`           | Whether a new user can create a new account.                                                | true/false      |
+1. Add the ClamAV container to the Docker Compose stack (see `docker-compose.yml`) and start the container.
-| `ALLOW_UNAUTHENTICATED_SHARES` | Whether a user can create a share without being signed in.                                  | true/false      |
+2. Docker will wait for ClamAV to start before starting Pingvin Share. This may take a minute or two.
-| `MAX_FILE_SIZE`                | Maximum allowed size per file in bytes.                                                     | Number          |
+3. The Pingvin Share logs should now log "ClamAV is active"
-| `JWT_SECRET`                   | Long random string to sign the JWT's.                                                       | Random string   |
+
+Please note that ClamAV needs a lot of [ressources](https://docs.clamav.net/manual/Installing/Docker.html#memory-ram-requirements).
+
+### Additional resources
+
+- [Synology NAS installation](https://mariushosting.com/how-to-install-pingvin-share-on-your-synology-nas/)
 
 ### Upgrade to a new version
 
-Just update the docker container by running `docker compose pull && docker compose up -d`
+Run `docker compose pull && docker compose up -d` to update your docker container
-
-> Note: If you installed Pingvin Share before it used Sqlite, you unfortunately have to set up the project from scratch again, sorry for that.
 
 ## 🖤 Contribute
 

SECURITY.md

@@ -0,0 +1,7 @@
+# Security Policy
+
+## Supported Versions
+As Pingvin Share is in beta, older versions don't get security updates. Please consider to update Pingvin Share regularly. Updates can be automated with e.g [Watchtower](https://github.com/containrrr/watchtower).
+
+## Reporting a Vulnerability
+Thank you for taking the time to report a vulnerability. Please DO NOT create an issue on GitHub because the vulnerability could get exploited. Instead please write an email to [elias@eliasschneider.com](mailto:elias@eliasschneider.com).

backend/.env.example

@@ -1,8 +0,0 @@
-# CONFIGURATION
-APP_URL=http://localhost:3000
-ALLOW_REGISTRATION=true
-MAX_FILE_SIZE=5000000000
-ALLOW_UNAUTHENTICATED_SHARES=false
-
-# SECURITY
-JWT_SECRET=random-string

backend/nest-cli.json

@@ -1,5 +1,8 @@
 {
   "$schema": "https://json.schemastore.org/nest-cli",
   "collection": "@nestjs/schematics",
-  "sourceRoot": "src"
+  "sourceRoot": "src",
+  "compilerOptions": {
+    "plugins": ["@nestjs/swagger"]
+  }
 }

backend/package.json

@@ -1,66 +1,77 @@
 {
   "name": "pingvin-share-backend",
-  "version": "0.0.1",
+  "version": "0.10.0",
   "scripts": {
     "build": "nest build",
-    "dev": "dotenv -- nest start --watch",
+    "dev": "cross-env NODE_ENV=development nest start --watch",
-    "prod": "npx prisma migrate deploy && dotenv node dist/main",
+    "prod": "prisma migrate deploy && prisma db seed && node dist/src/main",
     "lint": "eslint 'src/**/*.ts'",
     "format": "prettier --write 'src/**/*.ts'",
-    "test:system": "npx prisma migrate reset -f && nest start & sleep 10 && newman run ./test/system/newman-system-tests.json"
+    "test:system": "prisma migrate reset -f && nest start & wait-on http://localhost:8080/api/configs && newman run ./test/newman-system-tests.json"
+  },
+  "prisma": {
+    "seed": "ts-node prisma/seed/config.seed.ts"
   },
   "dependencies": {
-    "@nestjs/common": "^9.1.2",
+    "@nestjs/common": "^9.2.1",
     "@nestjs/config": "^2.2.0",
-    "@nestjs/core": "^9.1.2",
+    "@nestjs/core": "^9.2.1",
-    "@nestjs/jwt": "^9.0.0",
+    "@nestjs/jwt": "^10.0.1",
     "@nestjs/passport": "^9.0.0",
-    "@nestjs/platform-express": "^9.1.2",
+    "@nestjs/platform-express": "^9.2.1",
     "@nestjs/schedule": "^2.1.0",
-    "@nestjs/swagger": "^6.1.2",
+    "@nestjs/swagger": "^6.2.1",
     "@nestjs/throttler": "^3.1.0",
+    "@prisma/client": "^4.8.1",
     "archiver": "^5.3.1",
-    "argon2": "^0.29.1",
+    "argon2": "^0.30.3",
+    "body-parser": "^1.20.1",
+    "clamscan": "^2.1.2",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.13.2",
     "content-disposition": "^0.5.4",
+    "cookie-parser": "^1.4.6",
     "mime-types": "^2.1.35",
     "moment": "^2.29.4",
-    "multer": "^1.4.5-lts.1",
+    "nodemailer": "^6.9.0",
+    "otplib": "^12.0.1",
     "passport": "^0.6.0",
-    "passport-jwt": "^4.0.0",
+    "passport-jwt": "^4.0.1",
     "passport-local": "^1.0.0",
+    "qrcode-svg": "^1.1.0",
     "reflect-metadata": "^0.1.13",
-    "rimraf": "^3.0.2",
+    "rimraf": "^4.0.4",
-    "rxjs": "^7.5.7"
+    "rxjs": "^7.8.0",
+    "ts-node": "^10.9.1"
   },
   "devDependencies": {
-    "@nestjs/cli": "^9.1.4",
+    "@nestjs/cli": "^9.1.8",
-    "@nestjs/schematics": "^9.0.3",
+    "@nestjs/schematics": "^9.0.4",
-    "@nestjs/testing": "^9.1.2",
+    "@nestjs/testing": "^9.2.1",
-    "@prisma/client": "^4.4.0",
     "@types/archiver": "^5.3.1",
+    "@types/clamscan": "^2.0.4",
+    "@types/cookie-parser": "^1.4.3",
     "@types/cron": "^2.0.0",
-    "@types/express": "^4.17.14",
+    "@types/express": "^4.17.15",
     "@types/mime-types": "^2.1.1",
-    "@types/multer": "^1.4.7",
+    "@types/node": "^18.11.18",
-    "@types/node": "^18.7.23",
+    "@types/nodemailer": "^6.4.7",
-    "@types/passport-jwt": "^3.0.7",
+    "@types/passport-jwt": "^3.0.8",
+    "@types/qrcode-svg": "^1.1.1",
     "@types/supertest": "^2.0.12",
-    "@typescript-eslint/eslint-plugin": "^5.40.0",
+    "@typescript-eslint/eslint-plugin": "^5.48.1",
-    "@typescript-eslint/parser": "^5.40.0",
+    "@typescript-eslint/parser": "^5.48.1",
     "cross-env": "^7.0.3",
-    "dotenv-cli": "^6.0.0",
+    "eslint": "^8.31.0",
-    "eslint": "^8.25.0",
+    "eslint-config-prettier": "^8.6.0",
-    "eslint-config-prettier": "^8.3.0",
+    "eslint-plugin-prettier": "^4.2.1",
-    "eslint-plugin-prettier": "^4.0.0",
     "newman": "^5.3.2",
-    "prettier": "^2.7.1",
+    "prettier": "^2.8.2",
-    "prisma": "^4.4.0",
+    "prisma": "^4.9.0",
     "source-map-support": "^0.5.21",
-    "ts-loader": "^9.4.1",
+    "ts-loader": "^9.4.2",
-    "ts-node": "^10.9.1",
+    "tsconfig-paths": "4.1.2",
-    "tsconfig-paths": "4.1.0",
+    "typescript": "^4.9.4",
-    "typescript": "^4.8.4"
+    "wait-on": "^7.0.1"
   }
 }

backend/prisma/migrations/20221113221005_share_recipient/migration.sql

@@ -0,0 +1,25 @@
+-- CreateTable
+CREATE TABLE "ShareRecipient" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "email" TEXT NOT NULL,
+    "shareId" TEXT NOT NULL,
+    CONSTRAINT "ShareRecipient_shareId_fkey" FOREIGN KEY ("shareId") REFERENCES "Share" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Share" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "uploadLocked" BOOLEAN NOT NULL DEFAULT false,
+    "isZipReady" BOOLEAN NOT NULL DEFAULT false,
+    "views" INTEGER NOT NULL DEFAULT 0,
+    "expiration" DATETIME NOT NULL,
+    "creatorId" TEXT,
+    CONSTRAINT "Share_creatorId_fkey" FOREIGN KEY ("creatorId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+INSERT INTO "new_Share" ("createdAt", "creatorId", "expiration", "id", "isZipReady", "uploadLocked", "views") SELECT "createdAt", "creatorId", "expiration", "id", "isZipReady", "uploadLocked", "views" FROM "Share";
+DROP TABLE "Share";
+ALTER TABLE "new_Share" RENAME TO "Share";
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;

backend/prisma/migrations/20221201220540_config_and_admin_functionalities/migration.sql

@@ -0,0 +1,37 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `firstName` on the `User` table. All the data in the column will be lost.
+  - You are about to drop the column `lastName` on the `User` table. All the data in the column will be lost.
+  - Added the required column `username` to the `User` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- CreateTable
+CREATE TABLE "Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "key" TEXT NOT NULL PRIMARY KEY,
+    "type" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false
+);
+
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_User" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" DATETIME NOT NULL,
+    "username" TEXT NOT NULL,
+    "email" TEXT NOT NULL,
+    "password" TEXT NOT NULL,
+    "isAdmin" BOOLEAN NOT NULL DEFAULT false
+);
+INSERT INTO "new_User" ("createdAt", "email", "id", "password", "updatedAt", "username") SELECT "createdAt", "email", "id", "password", "updatedAt", 'user-' || User.id as "username"  FROM "User";
+DROP TABLE "User";
+ALTER TABLE "new_User" RENAME TO "User";
+CREATE UNIQUE INDEX "User_username_key" ON "User"("username");
+CREATE UNIQUE INDEX "User_email_key" ON "User"("email");
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;

backend/prisma/migrations/20221208191607_v0_3_3/migration.sql

@@ -0,0 +1,17 @@
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "key" TEXT NOT NULL PRIMARY KEY,
+    "type" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "obscured" BOOLEAN NOT NULL DEFAULT false,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false
+);
+INSERT INTO "new_Config" ("description", "key", "locked", "secret", "type", "updatedAt", "value") SELECT "description", "key", "locked", "secret", "type", "updatedAt", "value" FROM "Config";
+DROP TABLE "Config";
+ALTER TABLE "new_Config" RENAME TO "Config";
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;

backend/prisma/migrations/20221213173854_v0_3_6/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "Share" ADD COLUMN "description" TEXT;

backend/prisma/migrations/20221219061131_user_entity/migration.sql

@@ -0,0 +1,31 @@
+-- CreateTable
+CREATE TABLE "LoginToken" (
+    "token" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expiresAt" DATETIME NOT NULL,
+    "userId" TEXT NOT NULL,
+    "used" BOOLEAN NOT NULL DEFAULT false,
+    CONSTRAINT "LoginToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_User" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" DATETIME NOT NULL,
+    "username" TEXT NOT NULL,
+    "email" TEXT NOT NULL,
+    "password" TEXT NOT NULL,
+    "isAdmin" BOOLEAN NOT NULL DEFAULT false,
+    "totpEnabled" BOOLEAN NOT NULL DEFAULT false,
+    "totpVerified" BOOLEAN NOT NULL DEFAULT false,
+    "totpSecret" TEXT
+);
+INSERT INTO "new_User" ("createdAt", "email", "id", "isAdmin", "password", "updatedAt", "username") SELECT "createdAt", "email", "id", "isAdmin", "password", "updatedAt", "username" FROM "User";
+DROP TABLE "User";
+ALTER TABLE "new_User" RENAME TO "User";
+CREATE UNIQUE INDEX "User_username_key" ON "User"("username");
+CREATE UNIQUE INDEX "User_email_key" ON "User"("email");
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;

backend/prisma/migrations/20221230120407_category_attribute_config/migration.sql

@@ -0,0 +1,56 @@
+/*
+  Warnings:
+
+  - Added the required column `category` to the `Config` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "key" TEXT NOT NULL PRIMARY KEY,
+    "type" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "category" TEXT,
+    "obscured" BOOLEAN NOT NULL DEFAULT false,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false
+);
+INSERT INTO "new_Config" ("description", "key", "locked", "obscured", "secret", "type", "updatedAt", "value") SELECT "description", "key", "locked", "obscured", "secret", "type", "updatedAt", "value" FROM "Config";
+DROP TABLE "Config";
+ALTER TABLE "new_Config" RENAME TO "Config";
+
+ UPDATE config SET category = "internal" WHERE key = "SETUP_FINISHED";
+ UPDATE config SET category = "internal" WHERE key = "TOTP_SECRET";
+ UPDATE config SET category = "internal" WHERE key = "JWT_SECRET";
+ UPDATE config SET category = "general" WHERE key = "APP_URL";
+ UPDATE config SET category = "general" WHERE key = "SHOW_HOME_PAGE";
+ UPDATE config SET category = "share" WHERE key = "ALLOW_REGISTRATION";
+ UPDATE config SET category = "share" WHERE key = "ALLOW_UNAUTHENTICATED_SHARES";
+ UPDATE config SET category = "share" WHERE key = "MAX_FILE_SIZE";
+ UPDATE config SET category = "email" WHERE key = "ENABLE_EMAIL_RECIPIENTS";
+ UPDATE config SET category = "email" WHERE key = "EMAIL_MESSAGE";
+ UPDATE config SET category = "email" WHERE key = "EMAIL_SUBJECT";
+ UPDATE config SET category = "email" WHERE key = "SMTP_HOST";
+ UPDATE config SET category = "email" WHERE key = "SMTP_PORT";
+ UPDATE config SET category = "email" WHERE key = "SMTP_EMAIL";
+ UPDATE config SET category = "email" WHERE key = "SMTP_USERNAME";
+ UPDATE config SET category = "email" WHERE key = "SMTP_PASSWORD";
+
+CREATE TABLE "new_Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "key" TEXT NOT NULL PRIMARY KEY,
+    "type" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "category" TEXT NOT NULL,
+    "obscured" BOOLEAN NOT NULL DEFAULT false,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false
+);
+INSERT INTO "new_Config" ("description", "key", "locked", "obscured", "secret", "type", "updatedAt", "value", "category") SELECT "description", "key", "locked", "obscured", "secret", "type", "updatedAt", "value", "category" FROM "Config";
+DROP TABLE "Config";
+ALTER TABLE "new_Config" RENAME TO "Config";
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;

backend/prisma/migrations/20230104145733_v0_5_1/migration.sql

@@ -0,0 +1,21 @@
+/*
+  Warnings:
+
+  - The primary key for the `RefreshToken` table will be changed. If it partially fails, the table could be left without primary key constraint.
+  - The required column `id` was added to the `RefreshToken` table with a prisma-level default value. This is not possible if the table is not empty. Please add this column as optional, then populate it before making it required.
+
+*/
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+DROP TABLE "RefreshToken";
+CREATE TABLE "RefreshToken" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "token" TEXT NOT NULL,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expiresAt" DATETIME NOT NULL,
+    "userId" TEXT NOT NULL,
+    CONSTRAINT "RefreshToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+CREATE UNIQUE INDEX "RefreshToken_token_key" ON "RefreshToken"("token");
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;

backend/prisma/migrations/20230113080918_removed_reason_attribute/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "Share" ADD COLUMN "removedReason" TEXT;

backend/prisma/migrations/20230126125501_reverse_shares/migration.sql

@@ -0,0 +1,67 @@
+/*
+  Warnings:
+
+  - Added the required column `order` to the `Config` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- CreateTable
+CREATE TABLE "ReverseShare" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "token" TEXT NOT NULL,
+    "shareExpiration" DATETIME NOT NULL,
+    "maxShareSize" TEXT NOT NULL,
+    "sendEmailNotification" BOOLEAN NOT NULL,
+    "used" BOOLEAN NOT NULL DEFAULT false,
+    "creatorId" TEXT NOT NULL,
+    "shareId" TEXT,
+    CONSTRAINT "ReverseShare_creatorId_fkey" FOREIGN KEY ("creatorId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE,
+    CONSTRAINT "ReverseShare_shareId_fkey" FOREIGN KEY ("shareId") REFERENCES "Share" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "key" TEXT NOT NULL PRIMARY KEY,
+    "type" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "category" TEXT NOT NULL,
+    "obscured" BOOLEAN NOT NULL DEFAULT false,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false,
+    "order" INTEGER NOT NULL
+);
+INSERT INTO "new_Config" ("category", "description", "key", "locked", "obscured", "secret", "type", "updatedAt", "value", "order") SELECT "category", "description", "key", "locked", "obscured", "secret", "type", "updatedAt", "value", 0 FROM "Config";
+DROP TABLE "Config";
+ALTER TABLE "new_Config" RENAME TO "Config";
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ReverseShare_token_key" ON "ReverseShare"("token");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ReverseShare_shareId_key" ON "ReverseShare"("shareId");
+
+-- Custom migration
+UPDATE Config SET `order` = 0 WHERE key = "JWT_SECRET";
+UPDATE Config SET `order` = 0 WHERE key = "TOTP_SECRET";
+
+UPDATE Config SET `order` = 1 WHERE key = "APP_URL";
+UPDATE Config SET `order` = 2 WHERE key = "SHOW_HOME_PAGE";
+UPDATE Config SET `order` = 3 WHERE key = "ALLOW_REGISTRATION";
+UPDATE Config SET `order` = 4 WHERE key = "ALLOW_UNAUTHENTICATED_SHARES";
+UPDATE Config SET `order` = 5 WHERE key = "MAX_SHARE_SIZE";
+UPDATE Config SET `order` = 6, key = "ENABLE_SHARE_EMAIL_RECIPIENTS" WHERE key = "ENABLE_EMAIL_RECIPIENTS";
+UPDATE Config SET `order` = 7, key = "SHARE_RECEPIENTS_EMAIL_MESSAGE" WHERE key = "EMAIL_MESSAGE";
+UPDATE Config SET `order` = 8, key = "SHARE_RECEPIENTS_EMAIL_SUBJECT" WHERE key = "EMAIL_SUBJECT";
+UPDATE Config SET `order` = 12 WHERE key = "SMTP_HOST";
+UPDATE Config SET `order` = 13 WHERE key = "SMTP_PORT";
+UPDATE Config SET `order` = 14 WHERE key = "SMTP_EMAIL";
+UPDATE Config SET `order` = 15 WHERE key = "SMTP_USERNAME";
+UPDATE Config SET `order` = 16 WHERE key = "SMTP_PASSWORD";
+
+INSERT INTO Config (`order`, `key`, `description`, `type`, `value`, `category`, `secret`, `updatedAt`) VALUES (11, "SMTP_ENABLED", "Whether SMTP is enabled. Only set this to true if you entered the host, port, email, user and password of your SMTP server.", "boolean", IFNULL((SELECT value FROM Config WHERE key="ENABLE_SHARE_EMAIL_RECIPIENTS"), "false"), "smtp", 0, strftime('%s', 'now'));
+INSERT INTO Config (`order`, `key`, `description`, `type`, `value`, `category`, `secret`, `updatedAt`, `locked`) VALUES (0, "SETUP_STATUS", "Status of the setup wizard", "string", IIF((SELECT value FROM Config WHERE key="SETUP_FINISHED") == "true", "FINISHED", "STARTED"), "internal", 0, strftime('%s', 'now'), 1);

backend/prisma/migrations/20230209205230_v0_10_0/migration.sql

@@ -0,0 +1,64 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `shareId` on the `ReverseShare` table. All the data in the column will be lost.
+  - You are about to drop the column `used` on the `ReverseShare` table. All the data in the column will be lost.
+  - Added the required column `remainingUses` to the `ReverseShare` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- CreateTable
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "ResetPasswordToken" (
+    "token" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expiresAt" DATETIME NOT NULL,
+    "userId" TEXT NOT NULL,
+    CONSTRAINT "ResetPasswordToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+-- Disable TOTP as secret isn't encrypted anymore
+UPDATE User SET totpEnabled=false, totpSecret=null, totpVerified=false WHERE totpSecret IS NOT NULL;
+
+-- RedefineTables
+CREATE TABLE "new_Share" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "uploadLocked" BOOLEAN NOT NULL DEFAULT false,
+    "isZipReady" BOOLEAN NOT NULL DEFAULT false,
+    "views" INTEGER NOT NULL DEFAULT 0,
+    "expiration" DATETIME NOT NULL,
+    "description" TEXT,
+    "removedReason" TEXT,
+    "creatorId" TEXT,
+    "reverseShareId" TEXT,
+    CONSTRAINT "Share_creatorId_fkey" FOREIGN KEY ("creatorId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE,
+    CONSTRAINT "Share_reverseShareId_fkey" FOREIGN KEY ("reverseShareId") REFERENCES "ReverseShare" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+INSERT INTO "new_Share" ("createdAt", "creatorId", "description", "expiration", "id", "isZipReady", "removedReason", "uploadLocked", "views", "reverseShareId")
+SELECT "createdAt", "creatorId", "description", "expiration", "id", "isZipReady", "removedReason", "uploadLocked", "views", (SELECT id FROM ReverseShare WHERE shareId=Share.id)
+FROM "Share";
+
+
+DROP TABLE "Share";
+ALTER TABLE "new_Share" RENAME TO "Share";
+CREATE TABLE "new_ReverseShare" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "token" TEXT NOT NULL,
+    "shareExpiration" DATETIME NOT NULL,
+    "maxShareSize" TEXT NOT NULL,
+    "sendEmailNotification" BOOLEAN NOT NULL,
+    "remainingUses" INTEGER NOT NULL,
+    "creatorId" TEXT NOT NULL,
+    CONSTRAINT "ReverseShare_creatorId_fkey" FOREIGN KEY ("creatorId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+INSERT INTO "new_ReverseShare" ("createdAt", "creatorId", "id", "maxShareSize", "sendEmailNotification", "shareExpiration", "token", "remainingUses") SELECT "createdAt", "creatorId", "id", "maxShareSize", "sendEmailNotification", "shareExpiration", "token", iif("ReverseShare".used, 0, 1) FROM "ReverseShare";
+DROP TABLE "ReverseShare";
+ALTER TABLE "new_ReverseShare" RENAME TO "ReverseShare";
+CREATE UNIQUE INDEX "ReverseShare_token_key" ON "ReverseShare"("token");
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ResetPasswordToken_userId_key" ON "ResetPasswordToken"("userId");

backend/prisma/schema.prisma

@@ -12,17 +12,25 @@ model User {
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
 
-  email     String  @unique
+  username String  @unique
-  password  String
+  email    String  @unique
-  firstName String?
+  password String
-  lastName  String?
+  isAdmin  Boolean @default(false)
 
   shares        Share[]
   refreshTokens RefreshToken[]
+  loginTokens   LoginToken[]
+  reverseShares ReverseShare[]
+
+  totpEnabled        Boolean             @default(false)
+  totpVerified       Boolean             @default(false)
+  totpSecret         String?
+  resetPasswordToken ResetPasswordToken?
 }
 
 model RefreshToken {
-  token     String   @id @default(uuid())
+  id        String   @id @default(uuid())
+  token     String   @unique @default(uuid())
   createdAt DateTime @default(now())
 
   expiresAt DateTime
@@ -31,19 +39,71 @@ model RefreshToken {
   user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
 }
 
+model LoginToken {
+  token     String   @id @default(uuid())
+  createdAt DateTime @default(now())
+
+  expiresAt DateTime
+
+  userId String
+  user   User    @relation(fields: [userId], references: [id], onDelete: Cascade)
+  used   Boolean @default(false)
+}
+
+model ResetPasswordToken {
+  token     String   @id @default(uuid())
+  createdAt DateTime @default(now())
+
+  expiresAt DateTime
+
+  userId String @unique
+  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+}
+
 model Share {
   id        String   @id @default(uuid())
   createdAt DateTime @default(now())
 
-  uploadLocked Boolean  @default(false)
+  uploadLocked  Boolean  @default(false)
-  isZipReady   Boolean  @default(false)
+  isZipReady    Boolean  @default(false)
-  views        Int      @default(0)
+  views         Int      @default(0)
-  expiration   DateTime
+  expiration    DateTime
+  description   String?
+  removedReason String?
 
   creatorId String?
-  creator   User?           @relation(fields: [creatorId], references: [id])
+  creator   User?   @relation(fields: [creatorId], references: [id], onDelete: Cascade)
-  security  ShareSecurity?
+
-  files     File[]
+  reverseShareId String?
+  reverseShare   ReverseShare? @relation(fields: [reverseShareId], references: [id], onDelete: Cascade)
+
+  security   ShareSecurity?
+  recipients ShareRecipient[]
+  files      File[]
+}
+
+model ReverseShare {
+  id        String   @id @default(uuid())
+  createdAt DateTime @default(now())
+
+  token                 String   @unique @default(uuid())
+  shareExpiration       DateTime
+  maxShareSize          String
+  sendEmailNotification Boolean
+  remainingUses         Int
+
+  creatorId String
+  creator   User   @relation(fields: [creatorId], references: [id], onDelete: Cascade)
+
+  shares Share[]
+}
+
+model ShareRecipient {
+  id    String @id @default(uuid())
+  email String
+
+  shareId String
+  share   Share  @relation(fields: [shareId], references: [id], onDelete: Cascade)
 }
 
 model File {
@@ -67,3 +127,17 @@ model ShareSecurity {
   shareId String? @unique
   share   Share?  @relation(fields: [shareId], references: [id], onDelete: Cascade)
 }
+
+model Config {
+  updatedAt DateTime @updatedAt
+
+  key         String  @id
+  type        String
+  value       String
+  description String
+  category    String
+  obscured    Boolean @default(false)
+  secret      Boolean @default(true)
+  locked      Boolean @default(false)
+  order       Int
+}

backend/prisma/seed/config.seed.ts

@@ -0,0 +1,247 @@
+import { Prisma, PrismaClient } from "@prisma/client";
+import * as crypto from "crypto";
+
+const configVariables: Prisma.ConfigCreateInput[] = [
+  {
+    order: 0,
+    key: "SETUP_STATUS",
+    description: "Status of the setup wizard",
+    type: "string",
+    value: "STARTED", // STARTED, REGISTERED, FINISHED
+    category: "internal",
+    secret: false,
+    locked: true,
+  },
+  {
+    order: 0,
+    key: "JWT_SECRET",
+    description: "Long random string used to sign JWT tokens",
+    type: "string",
+    value: crypto.randomBytes(256).toString("base64"),
+    category: "internal",
+    locked: true,
+  },
+  {
+    order: 1,
+    key: "APP_URL",
+    description: "On which URL Pingvin Share is available",
+    type: "string",
+    value: "http://localhost:3000",
+    category: "general",
+    secret: false,
+  },
+  {
+    order: 2,
+    key: "SHOW_HOME_PAGE",
+    description: "Whether to show the home page",
+    type: "boolean",
+    value: "true",
+    category: "general",
+    secret: false,
+  },
+  {
+    order: 3,
+    key: "ALLOW_REGISTRATION",
+    description: "Whether registration is allowed",
+    type: "boolean",
+    value: "true",
+    category: "share",
+    secret: false,
+  },
+  {
+    order: 4,
+    key: "ALLOW_UNAUTHENTICATED_SHARES",
+    description: "Whether unauthorized users can create shares",
+    type: "boolean",
+    value: "false",
+    category: "share",
+    secret: false,
+  },
+  {
+    order: 5,
+
+    key: "MAX_SHARE_SIZE",
+    description: "Maximum share size in bytes",
+    type: "number",
+    value: "1073741824",
+    category: "share",
+    secret: false,
+  },
+
+  {
+    order: 6,
+    key: "ENABLE_SHARE_EMAIL_RECIPIENTS",
+    description:
+      "Whether to allow emails to share recipients. Only enable this if you have enabled SMTP.",
+    type: "boolean",
+    value: "false",
+    category: "email",
+    secret: false,
+  },
+  {
+    order: 7,
+    key: "SHARE_RECEPIENTS_EMAIL_SUBJECT",
+    description:
+      "Subject of the email which gets sent to the share recipients.",
+    type: "string",
+    value: "Files shared with you",
+    category: "email",
+  },
+  {
+    order: 8,
+    key: "SHARE_RECEPIENTS_EMAIL_MESSAGE",
+    description:
+      "Message which gets sent to the share recipients. {creator} and {shareUrl} will be replaced with the creator's name and the share URL.",
+    type: "text",
+    value:
+      "Hey!\n{creator} shared some files with you. View or download the files with this link: {shareUrl}\nShared securely with Pingvin Share 🐧",
+    category: "email",
+  },
+  {
+    order: 9,
+    key: "REVERSE_SHARE_EMAIL_SUBJECT",
+    description:
+      "Subject of the email which gets sent when someone created a share with your reverse share link.",
+    type: "string",
+    value: "Reverse share link used",
+    category: "email",
+  },
+  {
+    order: 10,
+    key: "REVERSE_SHARE_EMAIL_MESSAGE",
+    description:
+      "Message which gets sent when someone created a share with your reverse share link. {shareUrl} will be replaced with the creator's name and the share URL.",
+    type: "text",
+    value:
+      "Hey!\nA share was just created with your reverse share link: {shareUrl}\nShared securely with Pingvin Share 🐧",
+    category: "email",
+  },
+  {
+    order: 11,
+    key: "RESET_PASSWORD_EMAIL_SUBJECT",
+    description:
+      "Subject of the email which gets sent when a user requests a password reset.",
+    type: "string",
+    value: "Pingvin Share password reset",
+    category: "email",
+  },
+  {
+    order: 12,
+    key: "RESET_PASSWORD_EMAIL_MESSAGE",
+    description:
+      "Message which gets sent when a user requests a password reset. {url} will be replaced with the reset password URL.",
+    type: "text",
+    value:
+      "Hey!\nYou requested a password reset. Click this link to reset your password: {url}\nThe link expires in a hour.\nPingvin Share 🐧",
+    category: "email",
+  },
+
+  {
+    order: 13,
+    key: "SMTP_ENABLED",
+    description:
+      "Whether SMTP is enabled. Only set this to true if you entered the host, port, email, user and password of your SMTP server.",
+    type: "boolean",
+    value: "false",
+    category: "smtp",
+    secret: false,
+  },
+  {
+    order: 14,
+    key: "SMTP_HOST",
+    description: "Host of the SMTP server",
+    type: "string",
+    value: "",
+    category: "smtp",
+  },
+  {
+    order: 15,
+    key: "SMTP_PORT",
+    description: "Port of the SMTP server",
+    type: "number",
+    value: "0",
+    category: "smtp",
+  },
+  {
+    order: 16,
+    key: "SMTP_EMAIL",
+    description: "Email address which the emails get sent from",
+    type: "string",
+    value: "",
+    category: "smtp",
+  },
+  {
+    order: 17,
+    key: "SMTP_USERNAME",
+    description: "Username of the SMTP server",
+    type: "string",
+    value: "",
+    category: "smtp",
+  },
+  {
+    order: 18,
+    key: "SMTP_PASSWORD",
+    description: "Password of the SMTP server",
+    type: "string",
+    value: "",
+    obscured: true,
+    category: "smtp",
+  },
+];
+
+const prisma = new PrismaClient();
+
+async function main() {
+  for (const variable of configVariables) {
+    const existingConfigVariable = await prisma.config.findUnique({
+      where: { key: variable.key },
+    });
+
+    // Create a new config variable if it doesn't exist
+    if (!existingConfigVariable) {
+      await prisma.config.create({
+        data: variable,
+      });
+    }
+  }
+
+  const configVariablesFromDatabase = await prisma.config.findMany();
+
+  // Delete the config variable if it doesn't exist anymore
+  for (const configVariableFromDatabase of configVariablesFromDatabase) {
+    const configVariable = configVariables.find(
+      (v) => v.key == configVariableFromDatabase.key
+    );
+    if (!configVariable) {
+      await prisma.config.delete({
+        where: { key: configVariableFromDatabase.key },
+      });
+
+      // Update the config variable if the metadata changed
+    } else if (
+      JSON.stringify({
+        ...configVariable,
+        key: configVariableFromDatabase.key,
+        value: configVariableFromDatabase.value,
+      }) != JSON.stringify(configVariableFromDatabase)
+    ) {
+      await prisma.config.update({
+        where: { key: configVariableFromDatabase.key },
+        data: {
+          ...configVariable,
+          key: configVariableFromDatabase.key,
+          value: configVariableFromDatabase.value,
+        },
+      });
+    }
+  }
+}
+main()
+  .then(async () => {
+    await prisma.$disconnect();
+  })
+  .catch(async (e) => {
+    console.error(e);
+    await prisma.$disconnect();
+    process.exit(1);
+  });

backend/src/app.module.ts

@@ -1,40 +1,43 @@
 import { Module } from "@nestjs/common";
-import { ConfigModule } from "@nestjs/config";
+
 import { ScheduleModule } from "@nestjs/schedule";
 import { AuthModule } from "./auth/auth.module";
-import { JobsService } from "./jobs/jobs.service";
 
 import { APP_GUARD } from "@nestjs/core";
 import { ThrottlerGuard, ThrottlerModule } from "@nestjs/throttler";
-import { FileController } from "./file/file.controller";
+import { ConfigModule } from "./config/config.module";
+import { EmailModule } from "./email/email.module";
 import { FileModule } from "./file/file.module";
+import { JobsModule } from "./jobs/jobs.module";
 import { PrismaModule } from "./prisma/prisma.module";
-import { PrismaService } from "./prisma/prisma.service";
-import { ShareController } from "./share/share.controller";
 import { ShareModule } from "./share/share.module";
-import { UserController } from "./user/user.controller";
+import { UserModule } from "./user/user.module";
+import { ClamScanModule } from "./clamscan/clamscan.module";
+import { ReverseShareModule } from "./reverseShare/reverseShare.module";
 
 @Module({
   imports: [
     AuthModule,
     ShareModule,
     FileModule,
+    EmailModule,
     PrismaModule,
-    ConfigModule.forRoot({ isGlobal: true }),
+    ConfigModule,
+    JobsModule,
+    UserModule,
     ThrottlerModule.forRoot({
       ttl: 60,
       limit: 100,
     }),
     ScheduleModule.forRoot(),
+    ClamScanModule,
+    ReverseShareModule,
   ],
   providers: [
-    PrismaService,
-    JobsService,
     {
       provide: APP_GUARD,
       useClass: ThrottlerGuard,
     },
   ],
-  controllers: [UserController, ShareController, FileController],
 })
 export class AppModule {}

backend/src/auth/auth.controller.ts

@@ -3,43 +3,191 @@ import {
   Controller,
   ForbiddenException,
   HttpCode,
+  Param,
+  Patch,
   Post,
+  Req,
+  Res,
+  UnauthorizedException,
+  UseGuards,
 } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
 import { Throttle } from "@nestjs/throttler";
+import { User } from "@prisma/client";
+import { Request, Response } from "express";
+import { ConfigService } from "src/config/config.service";
 import { AuthService } from "./auth.service";
+import { AuthTotpService } from "./authTotp.service";
+import { GetUser } from "./decorator/getUser.decorator";
 import { AuthRegisterDTO } from "./dto/authRegister.dto";
 import { AuthSignInDTO } from "./dto/authSignIn.dto";
-import { RefreshAccessTokenDTO } from "./dto/refreshAccessToken.dto";
+import { AuthSignInTotpDTO } from "./dto/authSignInTotp.dto";
+import { EnableTotpDTO } from "./dto/enableTotp.dto";
+import { ResetPasswordDTO } from "./dto/resetPassword.dto";
+import { TokenDTO } from "./dto/token.dto";
+import { UpdatePasswordDTO } from "./dto/updatePassword.dto";
+import { VerifyTotpDTO } from "./dto/verifyTotp.dto";
+import { JwtGuard } from "./guard/jwt.guard";
 
 @Controller("auth")
 export class AuthController {
   constructor(
     private authService: AuthService,
+    private authTotpService: AuthTotpService,
     private config: ConfigService
   ) {}
 
-  @Throttle(10, 5 * 60)
   @Post("signUp")
-  signUp(@Body() dto: AuthRegisterDTO) {
+  @Throttle(10, 5 * 60)
-    if (this.config.get("ALLOW_REGISTRATION") == "false")
+  async signUp(
+    @Body() dto: AuthRegisterDTO,
+    @Res({ passthrough: true }) response: Response
+  ) {
+    if (!this.config.get("ALLOW_REGISTRATION"))
       throw new ForbiddenException("Registration is not allowed");
-    return this.authService.signUp(dto);
+
+    const result = await this.authService.signUp(dto);
+
+    response = this.addTokensToResponse(
+      response,
+      result.refreshToken,
+      result.accessToken
+    );
+
+    return result;
   }
 
-  @Throttle(10, 5 * 60)
   @Post("signIn")
+  @Throttle(10, 5 * 60)
   @HttpCode(200)
-  signIn(@Body() dto: AuthSignInDTO) {
+  async signIn(
-    return this.authService.signIn(dto);
+    @Body() dto: AuthSignInDTO,
+    @Res({ passthrough: true }) response: Response
+  ) {
+    const result = await this.authService.signIn(dto);
+
+    if (result.accessToken && result.refreshToken) {
+      response = this.addTokensToResponse(
+        response,
+        result.refreshToken,
+        result.accessToken
+      );
+    }
+
+    return result;
+  }
+
+  @Post("signIn/totp")
+  @Throttle(10, 5 * 60)
+  @HttpCode(200)
+  async signInTotp(
+    @Body() dto: AuthSignInTotpDTO,
+    @Res({ passthrough: true }) response: Response
+  ) {
+    const result = await this.authTotpService.signInTotp(dto);
+
+    response = this.addTokensToResponse(
+      response,
+      result.refreshToken,
+      result.accessToken
+    );
+
+    return new TokenDTO().from(result);
+  }
+
+  @Post("resetPassword/:email")
+  @Throttle(5, 5 * 60)
+  @HttpCode(204)
+  async requestResetPassword(@Param("email") email: string) {
+    return await this.authService.requestResetPassword(email);
+  }
+
+  @Post("resetPassword")
+  @Throttle(5, 5 * 60)
+  @HttpCode(204)
+  async resetPassword(@Body() dto: ResetPasswordDTO) {
+    return await this.authService.resetPassword(dto.token, dto.password);
+  }
+
+  @Patch("password")
+  @UseGuards(JwtGuard)
+  async updatePassword(
+    @GetUser() user: User,
+    @Res({ passthrough: true }) response: Response,
+    @Body() dto: UpdatePasswordDTO
+  ) {
+    const result = await this.authService.updatePassword(
+      user,
+      dto.oldPassword,
+      dto.password
+    );
+
+    response = this.addTokensToResponse(response, result.refreshToken);
+    return new TokenDTO().from(result);
   }
 
   @Post("token")
   @HttpCode(200)
-  async refreshAccessToken(@Body() body: RefreshAccessTokenDTO) {
+  async refreshAccessToken(
+    @Req() request: Request,
+    @Res({ passthrough: true }) response: Response
+  ) {
+    if (!request.cookies.refresh_token) throw new UnauthorizedException();
+
     const accessToken = await this.authService.refreshAccessToken(
-      body.refreshToken
+      request.cookies.refresh_token
     );
-    return { accessToken };
+    response = this.addTokensToResponse(response, undefined, accessToken);
+    return new TokenDTO().from({ accessToken });
+  }
+
+  @Post("signOut")
+  async signOut(
+    @Req() request: Request,
+    @Res({ passthrough: true }) response: Response
+  ) {
+    await this.authService.signOut(request.cookies.access_token);
+    response.cookie("access_token", "accessToken", { maxAge: -1 });
+    response.cookie("refresh_token", "", {
+      path: "/api/auth/token",
+      httpOnly: true,
+      maxAge: -1,
+    });
+  }
+
+  @Post("totp/enable")
+  @UseGuards(JwtGuard)
+  async enableTotp(@GetUser() user: User, @Body() body: EnableTotpDTO) {
+    return this.authTotpService.enableTotp(user, body.password);
+  }
+
+  @Post("totp/verify")
+  @UseGuards(JwtGuard)
+  async verifyTotp(@GetUser() user: User, @Body() body: VerifyTotpDTO) {
+    return this.authTotpService.verifyTotp(user, body.password, body.code);
+  }
+
+  @Post("totp/disable")
+  @UseGuards(JwtGuard)
+  async disableTotp(@GetUser() user: User, @Body() body: VerifyTotpDTO) {
+    // Note: We use VerifyTotpDTO here because it has both fields we need: password and totp code
+    return this.authTotpService.disableTotp(user, body.password, body.code);
+  }
+
+  private addTokensToResponse(
+    response: Response,
+    refreshToken?: string,
+    accessToken?: string
+  ) {
+    if (accessToken)
+      response.cookie("access_token", accessToken, { sameSite: "lax" });
+    if (refreshToken)
+      response.cookie("refresh_token", refreshToken, {
+        path: "/api/auth/token",
+        httpOnly: true,
+        sameSite: "strict",
+        maxAge: 1000 * 60 * 60 * 24 * 30 * 3,
+      });
+
+    return response;
   }
 }

backend/src/auth/auth.module.ts

@@ -1,13 +1,15 @@
 import { Module } from "@nestjs/common";
 import { JwtModule } from "@nestjs/jwt";
+import { EmailModule } from "src/email/email.module";
 import { AuthController } from "./auth.controller";
 import { AuthService } from "./auth.service";
+import { AuthTotpService } from "./authTotp.service";
 import { JwtStrategy } from "./strategy/jwt.strategy";
 
 @Module({
-  imports: [JwtModule.register({})],
+  imports: [JwtModule.register({}), EmailModule],
   controllers: [AuthController],
-  providers: [AuthService, JwtStrategy],
+  providers: [AuthService, AuthTotpService, JwtStrategy],
   exports: [AuthService],
 })
 export class AuthModule {}

backend/src/auth/auth.service.ts

@@ -1,14 +1,16 @@
 import {
   BadRequestException,
+  ForbiddenException,
   Injectable,
   UnauthorizedException,
 } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
 import { JwtService } from "@nestjs/jwt";
 import { User } from "@prisma/client";
 import { PrismaClientKnownRequestError } from "@prisma/client/runtime";
 import * as argon from "argon2";
 import * as moment from "moment";
+import { ConfigService } from "src/config/config.service";
+import { EmailService } from "src/email/email.service";
 import { PrismaService } from "src/prisma/prisma.service";
 import { AuthRegisterDTO } from "./dto/authRegister.dto";
 import { AuthSignInDTO } from "./dto/authSignIn.dto";
@@ -18,53 +20,144 @@ export class AuthService {
   constructor(
     private prisma: PrismaService,
     private jwtService: JwtService,
-    private config: ConfigService
+    private config: ConfigService,
+    private emailService: EmailService
   ) {}
 
   async signUp(dto: AuthRegisterDTO) {
+    const isFirstUser = this.config.get("SETUP_STATUS") == "STARTED";
+
     const hash = await argon.hash(dto.password);
     try {
       const user = await this.prisma.user.create({
         data: {
           email: dto.email,
+          username: dto.username,
           password: hash,
+          isAdmin: isFirstUser,
         },
       });
 
-      const accessToken = await this.createAccessToken(user);
+      if (isFirstUser) {
-      const refreshToken = await this.createRefreshToken(user.id);
+        await this.config.changeSetupStatus("REGISTERED");
+      }
+
+      const { refreshToken, refreshTokenId } = await this.createRefreshToken(
+        user.id
+      );
+      const accessToken = await this.createAccessToken(user, refreshTokenId);
 
       return { accessToken, refreshToken };
     } catch (e) {
       if (e instanceof PrismaClientKnownRequestError) {
         if (e.code == "P2002") {
-          throw new BadRequestException("Credentials taken");
+          const duplicatedField: string = e.meta.target[0];
+          throw new BadRequestException(
+            `A user with this ${duplicatedField} already exists`
+          );
         }
       }
     }
   }
 
   async signIn(dto: AuthSignInDTO) {
-    const user = await this.prisma.user.findUnique({
+    if (!dto.email && !dto.username)
+      throw new BadRequestException("Email or username is required");
+
+    const user = await this.prisma.user.findFirst({
       where: {
-        email: dto.email,
+        OR: [{ email: dto.email }, { username: dto.username }],
       },
     });
 
     if (!user || !(await argon.verify(user.password, dto.password)))
       throw new UnauthorizedException("Wrong email or password");
 
-    const accessToken = await this.createAccessToken(user);
+    // TODO: Make all old loginTokens invalid when a new one is created
-    const refreshToken = await this.createRefreshToken(user.id);
+    // Check if the user has TOTP enabled
+    if (user.totpVerified) {
+      const loginToken = await this.createLoginToken(user.id);
+
+      return { loginToken };
+    }
+
+    const { refreshToken, refreshTokenId } = await this.createRefreshToken(
+      user.id
+    );
+    const accessToken = await this.createAccessToken(user, refreshTokenId);
 
     return { accessToken, refreshToken };
   }
 
-  async createAccessToken(user: User) {
+  async requestResetPassword(email: string) {
+    const user = await this.prisma.user.findFirst({
+      where: { email },
+      include: { resetPasswordToken: true },
+    });
+
+    if (!user) throw new BadRequestException("User not found");
+
+    // Delete old reset password token
+    if (user.resetPasswordToken) {
+      await this.prisma.resetPasswordToken.delete({
+        where: { token: user.resetPasswordToken.token },
+      });
+    }
+
+    const { token } = await this.prisma.resetPasswordToken.create({
+      data: {
+        expiresAt: moment().add(1, "hour").toDate(),
+        user: { connect: { id: user.id } },
+      },
+    });
+
+    await this.emailService.sendResetPasswordEmail(user.email, token);
+  }
+
+  async resetPassword(token: string, newPassword: string) {
+    const user = await this.prisma.user.findFirst({
+      where: { resetPasswordToken: { token } },
+    });
+
+    if (!user) throw new BadRequestException("Token invalid or expired");
+
+    const newPasswordHash = await argon.hash(newPassword);
+
+    await this.prisma.resetPasswordToken.delete({
+      where: { token },
+    });
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: { password: newPasswordHash },
+    });
+  }
+
+  async updatePassword(user: User, oldPassword: string, newPassword: string) {
+    if (!(await argon.verify(user.password, oldPassword)))
+      throw new ForbiddenException("Invalid password");
+
+    const hash = await argon.hash(newPassword);
+
+    await this.prisma.refreshToken.deleteMany({
+      where: { userId: user.id },
+    });
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: { password: hash },
+    });
+
+    return this.createRefreshToken(user.id);
+  }
+
+  async createAccessToken(user: User, refreshTokenId: string) {
     return this.jwtService.sign(
       {
         sub: user.id,
         email: user.email,
+        isAdmin: user.isAdmin,
+        refreshTokenId,
       },
       {
         expiresIn: "15min",
@@ -73,6 +166,22 @@ export class AuthService {
     );
   }
 
+  async signOut(accessToken: string) {
+    const { refreshTokenId } =
+      (this.jwtService.decode(accessToken) as {
+        refreshTokenId: string;
+      }) || {};
+
+    if (refreshTokenId) {
+      await this.prisma.refreshToken
+        .delete({ where: { id: refreshTokenId } })
+        .catch((e) => {
+          // Ignore error if refresh token doesn't exist
+          if (e.code != "P2025") throw e;
+        });
+    }
+  }
+
   async refreshAccessToken(refreshToken: string) {
     const refreshTokenMetaData = await this.prisma.refreshToken.findUnique({
       where: { token: refreshToken },
@@ -82,16 +191,27 @@ export class AuthService {
     if (!refreshTokenMetaData || refreshTokenMetaData.expiresAt < new Date())
       throw new UnauthorizedException();
 
-    return this.createAccessToken(refreshTokenMetaData.user);
+    return this.createAccessToken(
+      refreshTokenMetaData.user,
+      refreshTokenMetaData.id
+    );
   }
 
   async createRefreshToken(userId: string) {
-    const refreshToken = (
+    const { id, token } = await this.prisma.refreshToken.create({
-      await this.prisma.refreshToken.create({
+      data: { userId, expiresAt: moment().add(3, "months").toDate() },
-        data: { userId, expiresAt: moment().add(3, "months").toDate() },
+    });
+
+    return { refreshTokenId: id, refreshToken: token };
+  }
+
+  async createLoginToken(userId: string) {
+    const loginToken = (
+      await this.prisma.loginToken.create({
+        data: { userId, expiresAt: moment().add(5, "minutes").toDate() },
       })
     ).token;
 
-    return refreshToken;
+    return loginToken;
   }
 }

backend/src/auth/authTotp.service.ts

@@ -0,0 +1,185 @@
+import {
+  BadRequestException,
+  ForbiddenException,
+  Injectable,
+  UnauthorizedException,
+} from "@nestjs/common";
+import { User } from "@prisma/client";
+import * as argon from "argon2";
+import { authenticator, totp } from "otplib";
+import * as qrcode from "qrcode-svg";
+import { PrismaService } from "src/prisma/prisma.service";
+import { AuthService } from "./auth.service";
+import { AuthSignInTotpDTO } from "./dto/authSignInTotp.dto";
+
+@Injectable()
+export class AuthTotpService {
+  constructor(
+    private prisma: PrismaService,
+    private authService: AuthService
+  ) {}
+
+  async signInTotp(dto: AuthSignInTotpDTO) {
+    if (!dto.email && !dto.username)
+      throw new BadRequestException("Email or username is required");
+
+    const user = await this.prisma.user.findFirst({
+      where: {
+        OR: [{ email: dto.email }, { username: dto.username }],
+      },
+    });
+
+    if (!user || !(await argon.verify(user.password, dto.password)))
+      throw new UnauthorizedException("Wrong email or password");
+
+    const token = await this.prisma.loginToken.findFirst({
+      where: {
+        token: dto.loginToken,
+      },
+    });
+
+    if (!token || token.userId != user.id || token.used)
+      throw new UnauthorizedException("Invalid login token");
+
+    if (token.expiresAt < new Date())
+      throw new UnauthorizedException("Login token expired");
+
+    // Check the TOTP code
+    const { totpSecret } = await this.prisma.user.findUnique({
+      where: { id: user.id },
+      select: { totpSecret: true },
+    });
+
+    if (!totpSecret) {
+      throw new BadRequestException("TOTP is not enabled");
+    }
+
+    const expected = authenticator.generate(totpSecret);
+
+    if (dto.totp !== expected) {
+      throw new BadRequestException("Invalid code");
+    }
+
+    // Set the login token to used
+    await this.prisma.loginToken.update({
+      where: { token: token.token },
+      data: { used: true },
+    });
+
+    const { refreshToken, refreshTokenId } =
+      await this.authService.createRefreshToken(user.id);
+    const accessToken = await this.authService.createAccessToken(
+      user,
+      refreshTokenId
+    );
+
+    return { accessToken, refreshToken };
+  }
+
+  async enableTotp(user: User, password: string) {
+    if (!(await argon.verify(user.password, password)))
+      throw new ForbiddenException("Invalid password");
+
+    // Check if we have a secret already
+    const { totpVerified } = await this.prisma.user.findUnique({
+      where: { id: user.id },
+      select: { totpVerified: true },
+    });
+
+    if (totpVerified) {
+      throw new BadRequestException("TOTP is already enabled");
+    }
+
+    // TODO: Maybe make the issuer configurable with env vars?
+    const secret = authenticator.generateSecret();
+
+    const otpURL = totp.keyuri(
+      user.username || user.email,
+      "pingvin-share",
+      secret
+    );
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: {
+        totpEnabled: true,
+        totpSecret: secret,
+      },
+    });
+
+    // TODO: Maybe we should generate the QR code on the client rather than the server?
+    const qrCode = new qrcode({
+      content: otpURL,
+      container: "svg-viewbox",
+      join: true,
+    }).svg();
+
+    return {
+      totpAuthUrl: otpURL,
+      totpSecret: secret,
+      qrCode:
+        "data:image/svg+xml;base64," + Buffer.from(qrCode).toString("base64"),
+    };
+  }
+
+  // TODO: Maybe require a token to verify that the user who started enabling totp is the one who is verifying it?
+  async verifyTotp(user: User, password: string, code: string) {
+    if (!(await argon.verify(user.password, password)))
+      throw new ForbiddenException("Invalid password");
+
+    const { totpSecret } = await this.prisma.user.findUnique({
+      where: { id: user.id },
+      select: { totpSecret: true },
+    });
+
+    if (!totpSecret) {
+      throw new BadRequestException("TOTP is not in progress");
+    }
+
+    const expected = authenticator.generate(totpSecret);
+
+    if (code !== expected) {
+      throw new BadRequestException("Invalid code");
+    }
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: {
+        totpVerified: true,
+      },
+    });
+
+    return true;
+  }
+
+  async disableTotp(user: User, password: string, code: string) {
+    if (!(await argon.verify(user.password, password)))
+      throw new ForbiddenException("Invalid password");
+
+    const { totpSecret } = await this.prisma.user.findUnique({
+      where: { id: user.id },
+      select: { totpSecret: true },
+    });
+
+    if (!totpSecret) {
+      throw new BadRequestException("TOTP is not enabled");
+    }
+
+    const expected = authenticator.generate(totpSecret);
+
+    if (code !== expected) {
+      throw new BadRequestException("Invalid code");
+    }
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: {
+        totpVerified: false,
+        totpEnabled: false,
+        totpSecret: null,
+      },
+    });
+
+    return true;
+  }
+}

backend/src/auth/dto/authRegister.dto.ts

@@ -1,3 +1,8 @@
+import { PickType } from "@nestjs/swagger";
 import { UserDTO } from "src/user/dto/user.dto";
 
-export class AuthRegisterDTO extends UserDTO {}
+export class AuthRegisterDTO extends PickType(UserDTO, [
+  "email",
+  "username",
+  "password",
+] as const) {}

backend/src/auth/dto/authSignIn.dto.ts

@@ -1,7 +1,13 @@
 import { PickType } from "@nestjs/swagger";
+import { IsEmail, IsOptional, IsString } from "class-validator";
 import { UserDTO } from "src/user/dto/user.dto";
 
-export class AuthSignInDTO extends PickType(UserDTO, [
+export class AuthSignInDTO extends PickType(UserDTO, ["password"] as const) {
-  "email",
+  @IsEmail()
-  "password",
+  @IsOptional()
-] as const) {}
+  email: string;
+
+  @IsString()
+  @IsOptional()
+  username: string;
+}

backend/src/auth/dto/authSignInTotp.dto.ts

@@ -0,0 +1,10 @@
+import { IsString } from "class-validator";
+import { AuthSignInDTO } from "./authSignIn.dto";
+
+export class AuthSignInTotpDTO extends AuthSignInDTO {
+  @IsString()
+  totp: string;
+
+  @IsString()
+  loginToken: string;
+}

backend/src/auth/dto/enableTotp.dto.ts

@@ -0,0 +1,4 @@
+import { PickType } from "@nestjs/swagger";
+import { UserDTO } from "src/user/dto/user.dto";
+
+export class EnableTotpDTO extends PickType(UserDTO, ["password"] as const) {}

backend/src/auth/dto/refreshAccessToken.dto.ts

@@ -1,6 +0,0 @@
-import { IsNotEmpty } from "class-validator";
-
-export class RefreshAccessTokenDTO {
-  @IsNotEmpty()
-  refreshToken: string;
-}

backend/src/auth/dto/resetPassword.dto.ts

@@ -0,0 +1,8 @@
+import { PickType } from "@nestjs/swagger";
+import { IsString } from "class-validator";
+import { UserDTO } from "src/user/dto/user.dto";
+
+export class ResetPasswordDTO extends PickType(UserDTO, ["password"]) {
+  @IsString()
+  token: string;
+}

backend/src/auth/dto/token.dto.ts

@@ -0,0 +1,15 @@
+import { Expose, plainToClass } from "class-transformer";
+
+export class TokenDTO {
+  @Expose()
+  accessToken: string;
+
+  @Expose()
+  refreshToken: string;
+
+  from(partial: Partial<TokenDTO>) {
+    return plainToClass(TokenDTO, partial, {
+      excludeExtraneousValues: true,
+    });
+  }
+}

backend/src/auth/dto/updatePassword.dto.ts

@@ -0,0 +1,8 @@
+import { PickType } from "@nestjs/swagger";
+import { IsString } from "class-validator";
+import { UserDTO } from "src/user/dto/user.dto";
+
+export class UpdatePasswordDTO extends PickType(UserDTO, ["password"]) {
+  @IsString()
+  oldPassword: string;
+}

backend/src/auth/dto/verifyTotp.dto.ts

@@ -0,0 +1,8 @@
+import { PickType } from "@nestjs/swagger";
+import { IsString } from "class-validator";
+import { UserDTO } from "src/user/dto/user.dto";
+
+export class VerifyTotpDTO extends PickType(UserDTO, ["password"] as const) {
+  @IsString()
+  code: string;
+}

backend/src/auth/guard/isAdmin.guard.ts

@@ -0,0 +1,13 @@
+import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
+import { User } from "@prisma/client";
+
+@Injectable()
+export class AdministratorGuard implements CanActivate {
+  canActivate(context: ExecutionContext) {
+    const { user }: { user: User } = context.switchToHttp().getRequest();
+
+    if (!user) return false;
+
+    return user.isAdmin;
+  }
+}

backend/src/auth/guard/jwt.guard.ts

@@ -1,15 +1,17 @@
-import { ExecutionContext } from "@nestjs/common";
+import { ExecutionContext, Injectable } from "@nestjs/common";
 import { AuthGuard } from "@nestjs/passport";
+import { ConfigService } from "src/config/config.service";
 
+@Injectable()
 export class JwtGuard extends AuthGuard("jwt") {
-  constructor() {
+  constructor(private config: ConfigService) {
     super();
   }
   async canActivate(context: ExecutionContext): Promise<boolean> {
     try {
       return (await super.canActivate(context)) as boolean;
     } catch {
-      return process.env.ALLOW_UNAUTHENTICATED_SHARES == "true";
+      return this.config.get("ALLOW_UNAUTHENTICATED_SHARES");
     }
   }
 }

backend/src/auth/strategy/jwt.strategy.ts

@@ -1,24 +1,30 @@
 import { Injectable } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
 import { PassportStrategy } from "@nestjs/passport";
 import { User } from "@prisma/client";
-import { ExtractJwt, Strategy } from "passport-jwt";
+import { Request } from "express";
+import { Strategy } from "passport-jwt";
+import { ConfigService } from "src/config/config.service";
 import { PrismaService } from "src/prisma/prisma.service";
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy) {
   constructor(config: ConfigService, private prisma: PrismaService) {
+    config.get("JWT_SECRET");
     super({
-      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      jwtFromRequest: JwtStrategy.extractJWT,
       secretOrKey: config.get("JWT_SECRET"),
     });
   }
 
+  private static extractJWT(req: Request) {
+    if (!req.cookies.access_token) return null;
+    return req.cookies.access_token;
+  }
+
   async validate(payload: { sub: string }) {
     const user: User = await this.prisma.user.findUnique({
       where: { id: payload.sub },
     });
-
     return user;
   }
 }

backend/src/clamscan/clamscan.module.ts

@@ -0,0 +1,10 @@
+import { forwardRef, Module } from "@nestjs/common";
+import { FileModule } from "src/file/file.module";
+import { ClamScanService } from "./clamscan.service";
+
+@Module({
+  imports: [forwardRef(() => FileModule)],
+  providers: [ClamScanService],
+  exports: [ClamScanService],
+})
+export class ClamScanModule {}

backend/src/clamscan/clamscan.service.ts

@@ -0,0 +1,86 @@
+import { Injectable } from "@nestjs/common";
+import * as NodeClam from "clamscan";
+import * as fs from "fs";
+import { FileService } from "src/file/file.service";
+import { PrismaService } from "src/prisma/prisma.service";
+
+const clamscanConfig = {
+  clamdscan: {
+    host: process.env.NODE_ENV == "docker" ? "clamav" : "127.0.0.1",
+    port: 3310,
+    localFallback: false,
+  },
+  preference: "clamdscan",
+};
+
+@Injectable()
+export class ClamScanService {
+  constructor(
+    private fileService: FileService,
+    private prisma: PrismaService
+  ) {}
+
+  private ClamScan: Promise<NodeClam | null> = new NodeClam()
+    .init(clamscanConfig)
+    .then((res) => {
+      console.log("ClamAV is active");
+      return res;
+    })
+    .catch(() => {
+      console.log("ClamAV is not active");
+      return null;
+    });
+
+  async check(shareId: string) {
+    const clamScan = await this.ClamScan;
+
+    if (!clamScan) return [];
+
+    const infectedFiles = [];
+
+    const files = fs
+      .readdirSync(`./data/uploads/shares/${shareId}`)
+      .filter((file) => file != "archive.zip");
+
+    for (const fileId of files) {
+      const { isInfected } = await clamScan
+        .isInfected(`./data/uploads/shares/${shareId}/${fileId}`)
+        .catch(() => {
+          console.log("ClamAV is not active");
+          return { isInfected: false };
+        });
+
+      const fileName = (
+        await this.prisma.file.findUnique({ where: { id: fileId } })
+      ).name;
+
+      if (isInfected) {
+        infectedFiles.push({ id: fileId, name: fileName });
+      }
+    }
+
+    return infectedFiles;
+  }
+
+  async checkAndRemove(shareId: string) {
+    const infectedFiles = await this.check(shareId);
+
+    if (infectedFiles.length > 0) {
+      await this.fileService.deleteAllFiles(shareId);
+      await this.prisma.file.deleteMany({ where: { shareId } });
+
+      const fileNames = infectedFiles.map((file) => file.name).join(", ");
+
+      await this.prisma.share.update({
+        where: { id: shareId },
+        data: {
+          removedReason: `Your share got removed because the file(s) ${fileNames} are malicious.`,
+        },
+      });
+
+      console.log(
+        `Share ${shareId} deleted because it contained ${infectedFiles.length} malicious file(s)`
+      );
+    }
+  }
+}

backend/src/config/config.controller.ts

@@ -0,0 +1,50 @@
+import { Body, Controller, Get, Patch, Post, UseGuards } from "@nestjs/common";
+import { SkipThrottle } from "@nestjs/throttler";
+import { AdministratorGuard } from "src/auth/guard/isAdmin.guard";
+import { JwtGuard } from "src/auth/guard/jwt.guard";
+import { EmailService } from "src/email/email.service";
+import { ConfigService } from "./config.service";
+import { AdminConfigDTO } from "./dto/adminConfig.dto";
+import { ConfigDTO } from "./dto/config.dto";
+import { TestEmailDTO } from "./dto/testEmail.dto";
+import UpdateConfigDTO from "./dto/updateConfig.dto";
+
+@Controller("configs")
+export class ConfigController {
+  constructor(
+    private configService: ConfigService,
+    private emailService: EmailService
+  ) {}
+
+  @Get()
+  @SkipThrottle()
+  async list() {
+    return new ConfigDTO().fromList(await this.configService.list());
+  }
+
+  @Get("admin")
+  @UseGuards(JwtGuard, AdministratorGuard)
+  async listForAdmin() {
+    return new AdminConfigDTO().fromList(
+      await this.configService.listForAdmin()
+    );
+  }
+
+  @Patch("admin")
+  @UseGuards(JwtGuard, AdministratorGuard)
+  async updateMany(@Body() data: UpdateConfigDTO[]) {
+    await this.configService.updateMany(data);
+  }
+
+  @Post("admin/finishSetup")
+  @UseGuards(JwtGuard, AdministratorGuard)
+  async finishSetup() {
+    return await this.configService.changeSetupStatus("FINISHED");
+  }
+
+  @Post("admin/testEmail")
+  @UseGuards(JwtGuard, AdministratorGuard)
+  async testEmail(@Body() { email }: TestEmailDTO) {
+    await this.emailService.sendTestMail(email);
+  }
+}

backend/src/config/config.module.ts

@@ -0,0 +1,23 @@
+import { Global, Module } from "@nestjs/common";
+import { EmailModule } from "src/email/email.module";
+import { PrismaService } from "src/prisma/prisma.service";
+import { ConfigController } from "./config.controller";
+import { ConfigService } from "./config.service";
+
+@Global()
+@Module({
+  imports: [EmailModule],
+  providers: [
+    {
+      provide: "CONFIG_VARIABLES",
+      useFactory: async (prisma: PrismaService) => {
+        return await prisma.config.findMany();
+      },
+      inject: [PrismaService],
+    },
+    ConfigService,
+  ],
+  controllers: [ConfigController],
+  exports: [ConfigService],
+})
+export class ConfigModule {}

backend/src/config/config.service.ts

@@ -0,0 +1,89 @@
+import {
+  BadRequestException,
+  Inject,
+  Injectable,
+  NotFoundException,
+} from "@nestjs/common";
+import { Config } from "@prisma/client";
+import { PrismaService } from "src/prisma/prisma.service";
+
+@Injectable()
+export class ConfigService {
+  constructor(
+    @Inject("CONFIG_VARIABLES") private configVariables: Config[],
+    private prisma: PrismaService
+  ) {}
+
+  get(key: string): any {
+    const configVariable = this.configVariables.filter(
+      (variable) => variable.key == key
+    )[0];
+
+    if (!configVariable) throw new Error(`Config variable ${key} not found`);
+
+    if (configVariable.type == "number") return parseInt(configVariable.value);
+    if (configVariable.type == "boolean") return configVariable.value == "true";
+    if (configVariable.type == "string" || configVariable.type == "text")
+      return configVariable.value;
+  }
+
+  async listForAdmin() {
+    return await this.prisma.config.findMany({
+      orderBy: { order: "asc" },
+      where: { locked: { equals: false } },
+    });
+  }
+
+  async list() {
+    return await this.prisma.config.findMany({
+      where: { secret: { equals: false } },
+    });
+  }
+
+  async updateMany(data: { key: string; value: string | number | boolean }[]) {
+    for (const variable of data) {
+      await this.update(variable.key, variable.value);
+    }
+
+    return data;
+  }
+
+  async update(key: string, value: string | number | boolean) {
+    const configVariable = await this.prisma.config.findUnique({
+      where: { key },
+    });
+
+    if (!configVariable || configVariable.locked)
+      throw new NotFoundException("Config variable not found");
+
+    if (
+      typeof value != configVariable.type &&
+      typeof value == "string" &&
+      configVariable.type != "text"
+    ) {
+      throw new BadRequestException(
+        `Config variable must be of type ${configVariable.type}`
+      );
+    }
+
+    const updatedVariable = await this.prisma.config.update({
+      where: { key },
+      data: { value: value.toString() },
+    });
+
+    this.configVariables = await this.prisma.config.findMany();
+
+    return updatedVariable;
+  }
+
+  async changeSetupStatus(status: "STARTED" | "REGISTERED" | "FINISHED") {
+    const updatedVariable = await this.prisma.config.update({
+      where: { key: "SETUP_STATUS" },
+      data: { value: status },
+    });
+
+    this.configVariables = await this.prisma.config.findMany();
+
+    return updatedVariable;
+  }
+}

backend/src/config/dto/adminConfig.dto.ts

@@ -0,0 +1,31 @@
+import { Expose, plainToClass } from "class-transformer";
+import { ConfigDTO } from "./config.dto";
+
+export class AdminConfigDTO extends ConfigDTO {
+  @Expose()
+  secret: boolean;
+
+  @Expose()
+  updatedAt: Date;
+
+  @Expose()
+  description: string;
+
+  @Expose()
+  obscured: boolean;
+
+  @Expose()
+  category: string;
+
+  from(partial: Partial<AdminConfigDTO>) {
+    return plainToClass(AdminConfigDTO, partial, {
+      excludeExtraneousValues: true,
+    });
+  }
+
+  fromList(partial: Partial<AdminConfigDTO>[]) {
+    return partial.map((part) =>
+      plainToClass(AdminConfigDTO, part, { excludeExtraneousValues: true })
+    );
+  }
+}

backend/src/config/dto/config.dto.ts

@@ -0,0 +1,18 @@
+import { Expose, plainToClass } from "class-transformer";
+
+export class ConfigDTO {
+  @Expose()
+  key: string;
+
+  @Expose()
+  value: string;
+
+  @Expose()
+  type: string;
+
+  fromList(partial: Partial<ConfigDTO>[]) {
+    return partial.map((part) =>
+      plainToClass(ConfigDTO, part, { excludeExtraneousValues: true })
+    );
+  }
+}

backend/src/config/dto/testEmail.dto.ts

@@ -0,0 +1,7 @@
+import { IsEmail, IsNotEmpty } from "class-validator";
+
+export class TestEmailDTO {
+  @IsEmail()
+  @IsNotEmpty()
+  email: string;
+}

backend/src/config/dto/updateConfig.dto.ts

@@ -0,0 +1,12 @@
+import { IsNotEmpty, IsString, ValidateIf } from "class-validator";
+
+class UpdateConfigDTO {
+  @IsString()
+  key: string;
+
+  @IsNotEmpty()
+  @ValidateIf((dto) => dto.value !== "")
+  value: string | number | boolean;
+}
+
+export default UpdateConfigDTO;

backend/src/email/email.module.ts

@@ -0,0 +1,8 @@
+import { Module } from "@nestjs/common";
+import { EmailService } from "./email.service";
+
+@Module({
+  providers: [EmailService],
+  exports: [EmailService],
+})
+export class EmailModule {}

backend/src/email/email.service.ts

@@ -0,0 +1,89 @@
+import { Injectable, InternalServerErrorException } from "@nestjs/common";
+import { User } from "@prisma/client";
+import * as nodemailer from "nodemailer";
+import { ConfigService } from "src/config/config.service";
+
+@Injectable()
+export class EmailService {
+  constructor(private config: ConfigService) {}
+
+  getTransporter() {
+    if (!this.config.get("SMTP_ENABLED"))
+      throw new InternalServerErrorException("SMTP is disabled");
+
+    return nodemailer.createTransport({
+      host: this.config.get("SMTP_HOST"),
+      port: parseInt(this.config.get("SMTP_PORT")),
+      secure: parseInt(this.config.get("SMTP_PORT")) == 465,
+      auth: {
+        user: this.config.get("SMTP_USERNAME"),
+        pass: this.config.get("SMTP_PASSWORD"),
+      },
+    });
+  }
+
+  async sendMailToShareRecepients(
+    recipientEmail: string,
+    shareId: string,
+    creator?: User
+  ) {
+    if (!this.config.get("ENABLE_SHARE_EMAIL_RECIPIENTS"))
+      throw new InternalServerErrorException("Email service disabled");
+
+    const shareUrl = `${this.config.get("APP_URL")}/share/${shareId}`;
+
+    await this.getTransporter().sendMail({
+      from: `"Pingvin Share" <${this.config.get("SMTP_EMAIL")}>`,
+      to: recipientEmail,
+      subject: this.config.get("SHARE_RECEPIENTS_EMAIL_SUBJECT"),
+      text: this.config
+        .get("SHARE_RECEPIENTS_EMAIL_MESSAGE")
+        .replaceAll("\\n", "\n")
+        .replaceAll("{creator}", creator?.username ?? "Someone")
+        .replaceAll("{shareUrl}", shareUrl),
+    });
+  }
+
+  async sendMailToReverseShareCreator(recipientEmail: string, shareId: string) {
+    const shareUrl = `${this.config.get("APP_URL")}/share/${shareId}`;
+
+    await this.getTransporter().sendMail({
+      from: `"Pingvin Share" <${this.config.get("SMTP_EMAIL")}>`,
+      to: recipientEmail,
+      subject: this.config.get("REVERSE_SHARE_EMAIL_SUBJECT"),
+      text: this.config
+        .get("REVERSE_SHARE_EMAIL_MESSAGE")
+        .replaceAll("\\n", "\n")
+        .replaceAll("{shareUrl}", shareUrl),
+    });
+  }
+
+  async sendResetPasswordEmail(recipientEmail: string, token: string) {
+    const resetPasswordUrl = `${this.config.get(
+      "APP_URL"
+    )}/auth/resetPassword/${token}`;
+
+    await this.getTransporter().sendMail({
+      from: `"Pingvin Share" <${this.config.get("SMTP_EMAIL")}>`,
+      to: recipientEmail,
+      subject: this.config.get("RESET_PASSWORD_EMAIL_SUBJECT"),
+      text: this.config
+        .get("RESET_PASSWORD_EMAIL_MESSAGE")
+        .replaceAll("{url}", resetPasswordUrl),
+    });
+  }
+
+  async sendTestMail(recipientEmail: string) {
+    try {
+      await this.getTransporter().sendMail({
+        from: `"Pingvin Share" <${this.config.get("SMTP_EMAIL")}>`,
+        to: recipientEmail,
+        subject: "Test email",
+        text: "This is a test email",
+      });
+    } catch (e) {
+      console.error(e);
+      throw new InternalServerErrorException(e.message);
+    }
+  }
+}

backend/src/file/file.controller.ts

@@ -1,84 +1,49 @@
 import {
+  Body,
   Controller,
   Get,
   Param,
-  ParseFilePipeBuilder,
   Post,
+  Query,
   Res,
   StreamableFile,
-  UploadedFile,
   UseGuards,
-  UseInterceptors,
 } from "@nestjs/common";
-import { FileInterceptor } from "@nestjs/platform-express";
+import { SkipThrottle } from "@nestjs/throttler";
 import * as contentDisposition from "content-disposition";
 import { Response } from "express";
-import { JwtGuard } from "src/auth/guard/jwt.guard";
+import { CreateShareGuard } from "src/share/guard/createShare.guard";
-import { FileDownloadGuard } from "src/file/guard/fileDownload.guard";
-import { ShareDTO } from "src/share/dto/share.dto";
 import { ShareOwnerGuard } from "src/share/guard/shareOwner.guard";
-import { ShareSecurityGuard } from "src/share/guard/shareSecurity.guard";
 import { FileService } from "./file.service";
+import { FileSecurityGuard } from "./guard/fileSecurity.guard";
 
 @Controller("shares/:shareId/files")
 export class FileController {
   constructor(private fileService: FileService) {}
 
   @Post()
-  @UseGuards(JwtGuard, ShareOwnerGuard)
+  @SkipThrottle()
-  @UseInterceptors(
+  @UseGuards(CreateShareGuard, ShareOwnerGuard)
-    FileInterceptor("file", {
-      dest: "./data/uploads/_temp/",
-    })
-  )
   async create(
-    @UploadedFile(
+    @Query() query: any,
-      new ParseFilePipeBuilder()
+
-        .addMaxSizeValidator({
+    @Body() body: string,
-          maxSize: parseInt(process.env.MAX_FILE_SIZE),
-        })
-        .build()
-    )
-    file: Express.Multer.File,
     @Param("shareId") shareId: string
   ) {
-    // Fixes file names with special characters
+    const { id, name, chunkIndex, totalChunks } = query;
-    file.originalname = Buffer.from(file.originalname, "latin1").toString(
+
-      "utf8"
+    const data = body.toString().split(",")[1];
+
+    return await this.fileService.create(
+      data,
+      { index: parseInt(chunkIndex), total: parseInt(totalChunks) },
+      { id, name },
+      shareId
     );
-    return new ShareDTO().from(await this.fileService.create(file, shareId));
-  }
-
-  @Get(":fileId/download")
-  @UseGuards(ShareSecurityGuard)
-  async getFileDownloadUrl(
-    @Res({ passthrough: true }) res: Response,
-    @Param("shareId") shareId: string,
-    @Param("fileId") fileId: string
-  ) {
-    const url = this.fileService.getFileDownloadUrl(shareId, fileId);
-
-    return { url };
-  }
-
-  @Get("zip/download")
-  @UseGuards(ShareSecurityGuard)
-  async getZipArchiveDownloadURL(
-    @Res({ passthrough: true }) res: Response,
-    @Param("shareId") shareId: string,
-    @Param("fileId") fileId: string
-  ) {
-    const url = this.fileService.getFileDownloadUrl(shareId, fileId);
-
-    res.set({
-      "Content-Type": "application/zip",
-    });
-
-    return { url };
   }
 
   @Get("zip")
-  @UseGuards(FileDownloadGuard)
+  @UseGuards(FileSecurityGuard)
   async getZip(
     @Res({ passthrough: true }) res: Response,
     @Param("shareId") shareId: string
@@ -86,25 +51,32 @@ export class FileController {
     const zip = this.fileService.getZip(shareId);
     res.set({
       "Content-Type": "application/zip",
-      "Content-Disposition": `attachment ; filename="pingvin-share-${shareId}"`,
+      "Content-Disposition": contentDisposition(`pingvin-share-${shareId}.zip`),
     });
 
     return new StreamableFile(zip);
   }
 
   @Get(":fileId")
-  @UseGuards(FileDownloadGuard)
+  @UseGuards(FileSecurityGuard)
   async getFile(
     @Res({ passthrough: true }) res: Response,
     @Param("shareId") shareId: string,
-    @Param("fileId") fileId: string
+    @Param("fileId") fileId: string,
+    @Query("download") download = "true"
   ) {
     const file = await this.fileService.get(shareId, fileId);
-    res.set({
+
+    const headers = {
       "Content-Type": file.metaData.mimeType,
       "Content-Length": file.metaData.size,
-      "Content-Disposition": contentDisposition(file.metaData.name),
+    };
-    });
+
+    if (download === "true") {
+      headers["Content-Disposition"] = contentDisposition(file.metaData.name);
+    }
+
+    res.set(headers);
 
     return new StreamableFile(file.file);
   }

backend/src/file/file.module.ts

@@ -1,11 +1,12 @@
 import { Module } from "@nestjs/common";
 import { JwtModule } from "@nestjs/jwt";
+import { ReverseShareModule } from "src/reverseShare/reverseShare.module";
 import { ShareModule } from "src/share/share.module";
 import { FileController } from "./file.controller";
 import { FileService } from "./file.service";
 
 @Module({
-  imports: [JwtModule.register({}), ShareModule],
+  imports: [JwtModule.register({}), ReverseShareModule, ShareModule],
   controllers: [FileController],
   providers: [FileService],
   exports: [FileService],

backend/src/file/file.service.ts

@@ -1,13 +1,15 @@
 import {
   BadRequestException,
+  HttpException,
+  HttpStatus,
   Injectable,
   NotFoundException,
 } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
 import { JwtService } from "@nestjs/jwt";
-import { randomUUID } from "crypto";
+import * as crypto from "crypto";
 import * as fs from "fs";
 import * as mime from "mime-types";
+import { ConfigService } from "src/config/config.service";
 import { PrismaService } from "src/prisma/prisma.service";
 
 @Injectable()
@@ -18,32 +20,88 @@ export class FileService {
     private config: ConfigService
   ) {}
 
-  async create(file: Express.Multer.File, shareId: string) {
+  async create(
+    data: string,
+    chunk: { index: number; total: number },
+    file: { id?: string; name: string },
+    shareId: string
+  ) {
+    if (!file.id) file.id = crypto.randomUUID();
+
     const share = await this.prisma.share.findUnique({
       where: { id: shareId },
+      include: { files: true, reverseShare: true },
     });
 
     if (share.uploadLocked)
       throw new BadRequestException("Share is already completed");
 
-    const fileId = randomUUID();
+    let diskFileSize: number;
+    try {
+      diskFileSize = fs.statSync(
+        `./data/uploads/shares/${shareId}/${file.id}.tmp-chunk`
+      ).size;
+    } catch {
+      diskFileSize = 0;
+    }
 
-    await fs.promises.mkdir(`./data/uploads/shares/${shareId}`, {
+    // If the sent chunk index and the expected chunk index doesn't match throw an error
-      recursive: true,
+    const chunkSize = 10 * 1024 * 1024; // 10MB
-    });
+    const expectedChunkIndex = Math.ceil(diskFileSize / chunkSize);
-    fs.promises.rename(
+
-      `./data/uploads/_temp/${file.filename}`,
+    if (expectedChunkIndex != chunk.index)
-      `./data/uploads/shares/${shareId}/${fileId}`
+      throw new BadRequestException({
+        message: "Unexpected chunk received",
+        error: "unexpected_chunk_index",
+        expectedChunkIndex,
+      });
+
+    const buffer = Buffer.from(data, "base64");
+
+    // Check if share size limit is exceeded
+    const fileSizeSum = share.files.reduce(
+      (n, { size }) => n + parseInt(size),
+      0
     );
 
-    return await this.prisma.file.create({
+    const shareSizeSum = fileSizeSum + diskFileSize + buffer.byteLength;
-      data: {
+
-        id: fileId,
+    if (
-        name: file.originalname,
+      shareSizeSum > this.config.get("MAX_SHARE_SIZE") ||
-        size: file.size.toString(),
+      (share.reverseShare?.maxShareSize &&
-        share: { connect: { id: shareId } },
+        shareSizeSum > parseInt(share.reverseShare.maxShareSize))
-      },
+    ) {
-    });
+      throw new HttpException(
+        "Max share size exceeded",
+        HttpStatus.PAYLOAD_TOO_LARGE
+      );
+    }
+
+    fs.appendFileSync(
+      `./data/uploads/shares/${shareId}/${file.id}.tmp-chunk`,
+      buffer
+    );
+
+    const isLastChunk = chunk.index == chunk.total - 1;
+    if (isLastChunk) {
+      fs.renameSync(
+        `./data/uploads/shares/${shareId}/${file.id}.tmp-chunk`,
+        `./data/uploads/shares/${shareId}/${file.id}`
+      );
+      const fileSize = fs.statSync(
+        `./data/uploads/shares/${shareId}/${file.id}`
+      ).size;
+      await this.prisma.file.create({
+        data: {
+          id: file.id,
+          name: file.name,
+          size: fileSize.toString(),
+          share: { connect: { id: shareId } },
+        },
+      });
+    }
+
+    return file;
   }
 
   async get(shareId: string, fileId: string) {
@@ -77,37 +135,4 @@ export class FileService {
   getZip(shareId: string) {
     return fs.createReadStream(`./data/uploads/shares/${shareId}/archive.zip`);
   }
-
-  getFileDownloadUrl(shareId: string, fileId: string) {
-    const downloadToken = this.generateFileDownloadToken(shareId, fileId);
-    return `${this.config.get(
-      "APP_URL"
-    )}/api/shares/${shareId}/files/${fileId}?token=${downloadToken}`;
-  }
-
-  generateFileDownloadToken(shareId: string, fileId: string) {
-    if (fileId == "zip") fileId = undefined;
-
-    return this.jwtService.sign(
-      {
-        shareId,
-        fileId,
-      },
-      {
-        expiresIn: "10min",
-        secret: this.config.get("JWT_SECRET"),
-      }
-    );
-  }
-
-  verifyFileDownloadToken(shareId: string, token: string) {
-    try {
-      const claims = this.jwtService.verify(token, {
-        secret: this.config.get("JWT_SECRET"),
-      });
-      return claims.shareId == shareId;
-    } catch {
-      return false;
-    }
-  }
 }

backend/src/file/guard/fileDownload.guard.ts

@@ -1,17 +0,0 @@
-import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
-import { Request } from "express";
-import { FileService } from "src/file/file.service";
-
-@Injectable()
-export class FileDownloadGuard implements CanActivate {
-  constructor(private fileService: FileService) {}
-
-  async canActivate(context: ExecutionContext) {
-    const request: Request = context.switchToHttp().getRequest();
-
-    const token = request.query.token as string;
-    const { shareId } = request.params;
-
-    return this.fileService.verifyFileDownloadToken(shareId, token);
-  }
-}

backend/src/file/guard/fileSecurity.guard.ts

@@ -0,0 +1,65 @@
+import {
+  ExecutionContext,
+  ForbiddenException,
+  Injectable,
+  NotFoundException,
+} from "@nestjs/common";
+import { Request } from "express";
+import * as moment from "moment";
+import { PrismaService } from "src/prisma/prisma.service";
+import { ShareSecurityGuard } from "src/share/guard/shareSecurity.guard";
+import { ShareService } from "src/share/share.service";
+
+@Injectable()
+export class FileSecurityGuard extends ShareSecurityGuard {
+  constructor(
+    private _shareService: ShareService,
+    private _prisma: PrismaService
+  ) {
+    super(_shareService, _prisma);
+  }
+
+  async canActivate(context: ExecutionContext) {
+    const request: Request = context.switchToHttp().getRequest();
+
+    const shareId = Object.prototype.hasOwnProperty.call(
+      request.params,
+      "shareId"
+    )
+      ? request.params.shareId
+      : request.params.id;
+
+    const shareToken = request.cookies[`share_${shareId}_token`];
+
+    const share = await this._prisma.share.findUnique({
+      where: { id: shareId },
+      include: { security: true },
+    });
+
+    // If there is no share token the user requests a file directly
+    if (!shareToken) {
+      if (
+        !share ||
+        (moment().isAfter(share.expiration) &&
+          !moment(share.expiration).isSame(0))
+      ) {
+        throw new NotFoundException("File not found");
+      }
+
+      if (share.security?.password)
+        throw new ForbiddenException("This share is password protected");
+
+      if (share.security?.maxViews && share.security.maxViews <= share.views) {
+        throw new ForbiddenException(
+          "Maximum views exceeded",
+          "share_max_views_exceeded"
+        );
+      }
+
+      await this._shareService.increaseViewCount(share);
+      return true;
+    } else {
+      return super.canActivate(context);
+    }
+  }
+}

backend/src/jobs/jobs.module.ts

@@ -0,0 +1,10 @@
+import { Module } from "@nestjs/common";
+import { FileModule } from "src/file/file.module";
+import { ReverseShareModule } from "src/reverseShare/reverseShare.module";
+import { JobsService } from "./jobs.service";
+
+@Module({
+  imports: [FileModule, ReverseShareModule],
+  providers: [JobsService],
+})
+export class JobsModule {}

backend/src/jobs/jobs.service.ts

@@ -1,13 +1,16 @@
 import { Injectable } from "@nestjs/common";
 import { Cron } from "@nestjs/schedule";
+import * as fs from "fs";
+import * as moment from "moment";
 import { FileService } from "src/file/file.service";
 import { PrismaService } from "src/prisma/prisma.service";
-import * as moment from "moment";
+import { ReverseShareService } from "src/reverseShare/reverseShare.service";
 
 @Injectable()
 export class JobsService {
   constructor(
     private prisma: PrismaService,
+    private reverseShareService: ReverseShareService,
     private fileService: FileService
   ) {}
 
@@ -31,14 +34,80 @@ export class JobsService {
       await this.fileService.deleteAllFiles(expiredShare.id);
     }
 
-    console.log(`job: deleted ${expiredShares.length} expired shares`);
+    if (expiredShares.length > 0)
+      console.log(`job: deleted ${expiredShares.length} expired shares`);
   }
 
   @Cron("0 * * * *")
-  async deleteExpiredRefreshTokens() {
+  async deleteExpiredReverseShares() {
-    const expiredShares = await this.prisma.refreshToken.deleteMany({
+    const expiredReverseShares = await this.prisma.reverseShare.findMany({
+      where: {
+        shareExpiration: { lt: new Date() },
+      },
+    });
+
+    for (const expiredReverseShare of expiredReverseShares) {
+      await this.reverseShareService.remove(expiredReverseShare.id);
+    }
+
+    if (expiredReverseShares.length > 0)
+      console.log(
+        `job: deleted ${expiredReverseShares.length} expired reverse shares`
+      );
+  }
+
+  @Cron("0 0 * * *")
+  deleteTemporaryFiles() {
+    let filesDeleted = 0;
+
+    const shareDirectories = fs
+      .readdirSync("./data/uploads/shares", { withFileTypes: true })
+      .filter((dirent) => dirent.isDirectory())
+      .map((dirent) => dirent.name);
+
+    for (const shareDirectory of shareDirectories) {
+      const temporaryFiles = fs
+        .readdirSync(`./data/uploads/shares/${shareDirectory}`)
+        .filter((file) => file.endsWith(".tmp-chunk"));
+
+      for (const file of temporaryFiles) {
+        const stats = fs.statSync(
+          `./data/uploads/shares/${shareDirectory}/${file}`
+        );
+        const isOlderThanOneDay = moment(stats.mtime)
+          .add(1, "day")
+          .isBefore(moment());
+
+        if (isOlderThanOneDay) {
+          fs.rmSync(`./data/uploads/shares/${shareDirectory}/${file}`);
+          filesDeleted++;
+        }
+      }
+    }
+
+    console.log(`job: deleted ${filesDeleted} temporary files`);
+  }
+
+  @Cron("0 * * * *")
+  async deleteExpiredTokens() {
+    const { count: refreshTokenCount } =
+      await this.prisma.refreshToken.deleteMany({
+        where: { expiresAt: { lt: new Date() } },
+      });
+
+    const { count: loginTokenCount } = await this.prisma.loginToken.deleteMany({
       where: { expiresAt: { lt: new Date() } },
     });
-    console.log(`job: deleted ${expiredShares.count} expired refresh tokens`);
+
+    const { count: resetPasswordTokenCount } =
+      await this.prisma.resetPasswordToken.deleteMany({
+        where: { expiresAt: { lt: new Date() } },
+      });
+
+    const deletedTokensCount =
+      refreshTokenCount + loginTokenCount + resetPasswordTokenCount;
+
+    if (deletedTokensCount > 0)
+      console.log(`job: deleted ${deletedTokensCount} expired refresh tokens`);
   }
 }

backend/src/main.ts

@@ -1,19 +1,35 @@
 import { ClassSerializerInterceptor, ValidationPipe } from "@nestjs/common";
 import { NestFactory, Reflector } from "@nestjs/core";
 import { NestExpressApplication } from "@nestjs/platform-express";
+import { DocumentBuilder, SwaggerModule } from "@nestjs/swagger";
+import * as bodyParser from "body-parser";
+import * as cookieParser from "cookie-parser";
 import * as fs from "fs";
 import { AppModule } from "./app.module";
 
 async function bootstrap() {
   const app = await NestFactory.create<NestExpressApplication>(AppModule);
-  app.useGlobalPipes(new ValidationPipe());
+  app.useGlobalPipes(new ValidationPipe({ whitelist: true }));
   app.useGlobalInterceptors(new ClassSerializerInterceptor(app.get(Reflector)));
 
+  app.use(bodyParser.raw({ type: "application/octet-stream", limit: "20mb" }));
+  app.use(cookieParser());
   app.set("trust proxy", true);
 
   await fs.promises.mkdir("./data/uploads/_temp", { recursive: true });
 
   app.setGlobalPrefix("api");
+
+  // Setup Swagger in development mode
+  if (process.env.NODE_ENV == "development") {
+    const config = new DocumentBuilder()
+      .setTitle("Pingvin Share API")
+      .setVersion("1.0")
+      .build();
+    const document = SwaggerModule.createDocument(app, config);
+    SwaggerModule.setup("api/swagger", app, document);
+  }
+
   await app.listen(8080);
 }
 bootstrap();

backend/src/prisma/prisma.service.ts

@@ -1,18 +1,16 @@
 import { Injectable } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
 import { PrismaClient } from "@prisma/client";
 
 @Injectable()
 export class PrismaService extends PrismaClient {
-  constructor(config: ConfigService) {
+  constructor() {
     super({
       datasources: {
         db: {
-          url: "file:../data/pingvin-share.db",
+          url: "file:../data/pingvin-share.db?connection_limit=1",
         },
       },
     });
-    console.log(config.get("DB_URL"));
     super.$connect().then(() => console.info("Connected to the database"));
   }
 }

backend/src/reverseShare/dto/createReverseShare.dto.ts

@@ -0,0 +1,16 @@
+import { IsBoolean, IsString, Max, Min } from "class-validator";
+
+export class CreateReverseShareDTO {
+  @IsBoolean()
+  sendEmailNotification: boolean;
+
+  @IsString()
+  maxShareSize: string;
+
+  @IsString()
+  shareExpiration: string;
+
+  @Min(1)
+  @Max(1000)
+  maxUseCount: number;
+}

backend/src/reverseShare/dto/reverseShare.dto.ts

@@ -0,0 +1,18 @@
+import { Expose, plainToClass } from "class-transformer";
+
+export class ReverseShareDTO {
+  @Expose()
+  id: string;
+
+  @Expose()
+  maxShareSize: string;
+
+  @Expose()
+  shareExpiration: Date;
+
+  from(partial: Partial<ReverseShareDTO>) {
+    return plainToClass(ReverseShareDTO, partial, {
+      excludeExtraneousValues: true,
+    });
+  }
+}

backend/src/reverseShare/dto/reverseShareTokenWithShares.ts

@@ -0,0 +1,29 @@
+import { OmitType } from "@nestjs/swagger";
+import { Expose, plainToClass, Type } from "class-transformer";
+import { MyShareDTO } from "src/share/dto/myShare.dto";
+import { ReverseShareDTO } from "./reverseShare.dto";
+
+export class ReverseShareTokenWithShares extends OmitType(ReverseShareDTO, [
+  "shareExpiration",
+] as const) {
+  @Expose()
+  shareExpiration: Date;
+
+  @Expose()
+  @Type(() => OmitType(MyShareDTO, ["recipients", "hasPassword"] as const))
+  shares: Omit<
+    MyShareDTO,
+    "recipients" | "files" | "from" | "fromList" | "hasPassword"
+  >[];
+
+  @Expose()
+  remainingUses: number;
+
+  fromList(partial: Partial<ReverseShareTokenWithShares>[]) {
+    return partial.map((part) =>
+      plainToClass(ReverseShareTokenWithShares, part, {
+        excludeExtraneousValues: true,
+      })
+    );
+  }
+}

backend/src/reverseShare/guards/reverseShareOwner.guard.ts

@@ -0,0 +1,22 @@
+import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
+import { User } from "@prisma/client";
+import { Request } from "express";
+import { PrismaService } from "src/prisma/prisma.service";
+
+@Injectable()
+export class ReverseShareOwnerGuard implements CanActivate {
+  constructor(private prisma: PrismaService) {}
+
+  async canActivate(context: ExecutionContext) {
+    const request: Request = context.switchToHttp().getRequest();
+    const { reverseShareId } = request.params;
+
+    const reverseShare = await this.prisma.reverseShare.findUnique({
+      where: { id: reverseShareId },
+    });
+
+    if (!reverseShare) return false;
+
+    return reverseShare.creatorId == (request.user as User).id;
+  }
+}

backend/src/reverseShare/reverseShare.controller.ts

@@ -0,0 +1,64 @@
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  NotFoundException,
+  Param,
+  Post,
+  UseGuards,
+} from "@nestjs/common";
+import { Throttle } from "@nestjs/throttler";
+import { User } from "@prisma/client";
+import { GetUser } from "src/auth/decorator/getUser.decorator";
+import { JwtGuard } from "src/auth/guard/jwt.guard";
+import { ConfigService } from "src/config/config.service";
+import { CreateReverseShareDTO } from "./dto/createReverseShare.dto";
+import { ReverseShareDTO } from "./dto/reverseShare.dto";
+import { ReverseShareTokenWithShares } from "./dto/reverseShareTokenWithShares";
+import { ReverseShareOwnerGuard } from "./guards/reverseShareOwner.guard";
+import { ReverseShareService } from "./reverseShare.service";
+
+@Controller("reverseShares")
+export class ReverseShareController {
+  constructor(
+    private reverseShareService: ReverseShareService,
+    private config: ConfigService
+  ) {}
+
+  @Post()
+  @UseGuards(JwtGuard)
+  async create(@Body() body: CreateReverseShareDTO, @GetUser() user: User) {
+    const token = await this.reverseShareService.create(body, user.id);
+
+    const link = `${this.config.get("APP_URL")}/upload/${token}`;
+
+    return { token, link };
+  }
+
+  @Throttle(20, 60)
+  @Get(":reverseShareToken")
+  async getByToken(@Param("reverseShareToken") reverseShareToken: string) {
+    const isValid = await this.reverseShareService.isValid(reverseShareToken);
+
+    if (!isValid) throw new NotFoundException("Reverse share token not found");
+
+    return new ReverseShareDTO().from(
+      await this.reverseShareService.getByToken(reverseShareToken)
+    );
+  }
+
+  @Get()
+  @UseGuards(JwtGuard)
+  async getAllByUser(@GetUser() user: User) {
+    return new ReverseShareTokenWithShares().fromList(
+      await this.reverseShareService.getAllByUser(user.id)
+    );
+  }
+
+  @Delete(":reverseShareId")
+  @UseGuards(JwtGuard, ReverseShareOwnerGuard)
+  async remove(@Param("reverseShareId") id: string) {
+    await this.reverseShareService.remove(id);
+  }
+}

backend/src/reverseShare/reverseShare.module.ts

@@ -0,0 +1,12 @@
+import { forwardRef, Module } from "@nestjs/common";
+import { FileModule } from "src/file/file.module";
+import { ReverseShareController } from "./reverseShare.controller";
+import { ReverseShareService } from "./reverseShare.service";
+
+@Module({
+  imports: [forwardRef(() => FileModule)],
+  controllers: [ReverseShareController],
+  providers: [ReverseShareService],
+  exports: [ReverseShareService],
+})
+export class ReverseShareModule {}

backend/src/reverseShare/reverseShare.service.ts

@@ -0,0 +1,97 @@
+import { BadRequestException, Injectable } from "@nestjs/common";
+import * as moment from "moment";
+import { ConfigService } from "src/config/config.service";
+import { FileService } from "src/file/file.service";
+import { PrismaService } from "src/prisma/prisma.service";
+import { CreateReverseShareDTO } from "./dto/createReverseShare.dto";
+
+@Injectable()
+export class ReverseShareService {
+  constructor(
+    private config: ConfigService,
+    private prisma: PrismaService,
+    private fileService: FileService
+  ) {}
+
+  async create(data: CreateReverseShareDTO, creatorId: string) {
+    // Parse date string to date
+    const expirationDate = moment()
+      .add(
+        data.shareExpiration.split("-")[0],
+        data.shareExpiration.split(
+          "-"
+        )[1] as moment.unitOfTime.DurationConstructor
+      )
+      .toDate();
+
+    const globalMaxShareSize = this.config.get("MAX_SHARE_SIZE");
+
+    if (globalMaxShareSize < data.maxShareSize)
+      throw new BadRequestException(
+        `Max share size can't be greater than ${globalMaxShareSize} bytes.`
+      );
+
+    const reverseShare = await this.prisma.reverseShare.create({
+      data: {
+        shareExpiration: expirationDate,
+        remainingUses: data.maxUseCount,
+        maxShareSize: data.maxShareSize,
+        sendEmailNotification: data.sendEmailNotification,
+        creatorId,
+      },
+    });
+
+    return reverseShare.token;
+  }
+
+  async getByToken(reverseShareToken?: string) {
+    if (!reverseShareToken) return null;
+
+    const reverseShare = await this.prisma.reverseShare.findUnique({
+      where: { token: reverseShareToken },
+    });
+
+    return reverseShare;
+  }
+
+  async getAllByUser(userId: string) {
+    const reverseShares = await this.prisma.reverseShare.findMany({
+      where: {
+        creatorId: userId,
+        shareExpiration: { gt: new Date() },
+      },
+      orderBy: {
+        shareExpiration: "desc",
+      },
+      include: { shares: { include: { creator: true } } },
+    });
+
+    return reverseShares;
+  }
+
+  async isValid(reverseShareToken: string) {
+    const reverseShare = await this.prisma.reverseShare.findUnique({
+      where: { token: reverseShareToken },
+    });
+
+    if (!reverseShare) return false;
+
+    const isExpired = new Date() > reverseShare.shareExpiration;
+    const remainingUsesExceeded = reverseShare.remainingUses <= 0;
+
+    return !(isExpired || remainingUsesExceeded);
+  }
+
+  async remove(id: string) {
+    const shares = await this.prisma.share.findMany({
+      where: { reverseShare: { id } },
+    });
+
+    for (const share of shares) {
+      await this.prisma.share.delete({ where: { id: share.id } });
+      await this.fileService.deleteAllFiles(share.id);
+    }
+
+    await this.prisma.reverseShare.delete({ where: { id } });
+  }
+}

backend/src/share/dto/createShare.dto.ts

@@ -1,11 +1,19 @@
 import { Type } from "class-transformer";
-import { IsString, Length, Matches, ValidateNested } from "class-validator";
+import {
+  IsEmail,
+  IsOptional,
+  IsString,
+  Length,
+  Matches,
+  MaxLength,
+  ValidateNested,
+} from "class-validator";
 import { ShareSecurityDTO } from "./shareSecurity.dto";
 
 export class CreateShareDTO {
   @IsString()
   @Matches("^[a-zA-Z0-9_-]*$", undefined, {
-    message: "ID only can contain letters, numbers, underscores and hyphens",
+    message: "ID can only contain letters, numbers, underscores and hyphens",
   })
   @Length(3, 50)
   id: string;
@@ -13,6 +21,13 @@ export class CreateShareDTO {
   @IsString()
   expiration: string;
 
+  @MaxLength(512)
+  @IsOptional()
+  description: string;
+
+  @IsEmail({}, { each: true })
+  recipients: string[];
+
   @ValidateNested()
   @Type(() => ShareSecurityDTO)
   security: ShareSecurityDTO;

backend/src/share/dto/myShare.dto.ts

@@ -8,6 +8,9 @@ export class MyShareDTO extends ShareDTO {
   @Expose()
   createdAt: Date;
 
+  @Expose()
+  recipients: string[];
+
   from(partial: Partial<MyShareDTO>) {
     return plainToClass(MyShareDTO, partial, { excludeExtraneousValues: true });
   }

backend/src/share/dto/share.dto.ts

@@ -1,6 +1,6 @@
 import { Expose, plainToClass, Type } from "class-transformer";
-import { AuthSignInDTO } from "src/auth/dto/authSignIn.dto";
 import { FileDTO } from "src/file/dto/file.dto";
+import { PublicUserDTO } from "src/user/dto/publicUser.dto";
 
 export class ShareDTO {
   @Expose()
@@ -14,8 +14,14 @@ export class ShareDTO {
   files: FileDTO[];
 
   @Expose()
-  @Type(() => AuthSignInDTO)
+  @Type(() => PublicUserDTO)
-  creator: AuthSignInDTO;
+  creator: PublicUserDTO;
+
+  @Expose()
+  description: string;
+
+  @Expose()
+  hasPassword: boolean;
 
   from(partial: Partial<ShareDTO>) {
     return plainToClass(ShareDTO, partial, { excludeExtraneousValues: true });

backend/src/share/dto/sharePassword.dto.ts

@@ -1,3 +1,7 @@
+import { IsOptional, IsString } from "class-validator";
+
 export class SharePasswordDto {
+  @IsString()
+  @IsOptional()
   password: string;
 }

backend/src/share/guard/createShare.guard.ts

@@ -0,0 +1,29 @@
+import { ExecutionContext, Injectable } from "@nestjs/common";
+import { JwtGuard } from "src/auth/guard/jwt.guard";
+import { ConfigService } from "src/config/config.service";
+import { ReverseShareService } from "src/reverseShare/reverseShare.service";
+
+@Injectable()
+export class CreateShareGuard extends JwtGuard {
+  constructor(
+    configService: ConfigService,
+    private reverseShareService: ReverseShareService
+  ) {
+    super(configService);
+  }
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    if (await super.canActivate(context)) return true;
+
+    const reverseShareTokenId = context.switchToHttp().getRequest()
+      .cookies.reverse_share_token;
+
+    if (!reverseShareTokenId) return false;
+
+    const isReverseShareTokenValid = await this.reverseShareService.isValid(
+      reverseShareTokenId
+    );
+
+    return isReverseShareTokenValid;
+  }
+}

backend/src/share/guard/shareSecurity.guard.ts

@@ -5,7 +5,6 @@ import {
   Injectable,
   NotFoundException,
 } from "@nestjs/common";
-import { Reflector } from "@nestjs/core";
 import { Request } from "express";
 import * as moment from "moment";
 import { PrismaService } from "src/prisma/prisma.service";
@@ -14,14 +13,13 @@ import { ShareService } from "src/share/share.service";
 @Injectable()
 export class ShareSecurityGuard implements CanActivate {
   constructor(
-    private reflector: Reflector,
     private shareService: ShareService,
     private prisma: PrismaService
   ) {}
 
   async canActivate(context: ExecutionContext) {
     const request: Request = context.switchToHttp().getRequest();
-    const shareToken = request.get("X-Share-Token");
+
     const shareId = Object.prototype.hasOwnProperty.call(
       request.params,
       "shareId"
@@ -29,6 +27,8 @@ export class ShareSecurityGuard implements CanActivate {
       ? request.params.shareId
       : request.params.id;
 
+    const shareToken = request.cookies[`share_${shareId}_token`];
+
     const share = await this.prisma.share.findUnique({
       where: { id: shareId },
       include: { security: true },
@@ -37,7 +37,7 @@ export class ShareSecurityGuard implements CanActivate {
     if (
       !share ||
       (moment().isAfter(share.expiration) &&
-        moment(share.expiration).unix() !== 0)
+        !moment(share.expiration).isSame(0))
     )
       throw new NotFoundException("Share not found");
 

backend/src/share/guard/shareTokenSecurity.guard.ts

@@ -1,7 +1,6 @@
 import {
   CanActivate,
   ExecutionContext,
-  ForbiddenException,
   Injectable,
   NotFoundException,
 } from "@nestjs/common";
@@ -34,12 +33,6 @@ export class ShareTokenSecurity implements CanActivate {
     )
       throw new NotFoundException("Share not found");
 
-    if (share.security?.maxViews && share.security.maxViews <= share.views)
-      throw new ForbiddenException(
-        "Maximum views exceeded",
-        "share_max_views_exceeded"
-      );
-
     return true;
   }
 }

backend/src/share/share.controller.ts

@@ -6,10 +6,13 @@ import {
   HttpCode,
   Param,
   Post,
+  Req,
+  Res,
   UseGuards,
 } from "@nestjs/common";
 import { Throttle } from "@nestjs/throttler";
 import { User } from "@prisma/client";
+import { Request, Response } from "express";
 import { GetUser } from "src/auth/decorator/getUser.decorator";
 import { JwtGuard } from "src/auth/guard/jwt.guard";
 import { CreateShareDTO } from "./dto/createShare.dto";
@@ -17,6 +20,7 @@ import { MyShareDTO } from "./dto/myShare.dto";
 import { ShareDTO } from "./dto/share.dto";
 import { ShareMetaDataDTO } from "./dto/shareMetaData.dto";
 import { SharePasswordDto } from "./dto/sharePassword.dto";
+import { CreateShareGuard } from "./guard/createShare.guard";
 import { ShareOwnerGuard } from "./guard/shareOwner.guard";
 import { ShareSecurityGuard } from "./guard/shareSecurity.guard";
 import { ShareTokenSecurity } from "./guard/shareTokenSecurity.guard";
@@ -46,9 +50,16 @@ export class ShareController {
   }
 
   @Post()
-  @UseGuards(JwtGuard)
+  @UseGuards(CreateShareGuard)
-  async create(@Body() body: CreateShareDTO, @GetUser() user: User) {
+  async create(
-    return new ShareDTO().from(await this.shareService.create(body, user));
+    @Body() body: CreateShareDTO,
+    @Req() request: Request,
+    @GetUser() user: User
+  ) {
+    const { reverse_share_token } = request.cookies;
+    return new ShareDTO().from(
+      await this.shareService.create(body, user, reverse_share_token)
+    );
   }
 
   @Delete(":id")
@@ -59,21 +70,35 @@ export class ShareController {
 
   @Post(":id/complete")
   @HttpCode(202)
-  @UseGuards(JwtGuard, ShareOwnerGuard)
+  @UseGuards(CreateShareGuard, ShareOwnerGuard)
-  async complete(@Param("id") id: string) {
+  async complete(@Param("id") id: string, @Req() request: Request) {
-    return new ShareDTO().from(await this.shareService.complete(id));
+    const { reverse_share_token } = request.cookies;
+    return new ShareDTO().from(
+      await this.shareService.complete(id, reverse_share_token)
+    );
   }
 
+  @Throttle(10, 60)
   @Get("isShareIdAvailable/:id")
   async isShareIdAvailable(@Param("id") id: string) {
     return this.shareService.isShareIdAvailable(id);
   }
 
   @HttpCode(200)
-  @Throttle(10, 5 * 60)
+  @Throttle(20, 5 * 60)
   @UseGuards(ShareTokenSecurity)
   @Post(":id/token")
-  async getShareToken(@Param("id") id: string, @Body() body: SharePasswordDto) {
+  async getShareToken(
-    return this.shareService.getShareToken(id, body.password);
+    @Param("id") id: string,
+    @Res({ passthrough: true }) response: Response,
+    @Body() body: SharePasswordDto
+  ) {
+    const token = await this.shareService.getShareToken(id, body.password);
+    response.cookie(`share_${id}_token`, token, {
+      path: "/",
+      httpOnly: true,
+    });
+
+    return { token };
   }
 }

backend/src/share/share.module.ts

@@ -1,11 +1,20 @@
 import { forwardRef, Module } from "@nestjs/common";
 import { JwtModule } from "@nestjs/jwt";
+import { ClamScanModule } from "src/clamscan/clamscan.module";
+import { EmailModule } from "src/email/email.module";
 import { FileModule } from "src/file/file.module";
+import { ReverseShareModule } from "src/reverseShare/reverseShare.module";
 import { ShareController } from "./share.controller";
 import { ShareService } from "./share.service";
 
 @Module({
-  imports: [JwtModule.register({}), forwardRef(() => FileModule)],
+  imports: [
+    JwtModule.register({}),
+    EmailModule,
+    ClamScanModule,
+    ReverseShareModule,
+    forwardRef(() => FileModule),
+  ],
   controllers: [ShareController],
   providers: [ShareService],
   exports: [ShareService],

backend/src/share/share.service.ts

@@ -4,15 +4,18 @@ import {
   Injectable,
   NotFoundException,
 } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
 import { JwtService } from "@nestjs/jwt";
 import { Share, User } from "@prisma/client";
 import * as archiver from "archiver";
 import * as argon from "argon2";
 import * as fs from "fs";
 import * as moment from "moment";
+import { ClamScanService } from "src/clamscan/clamscan.service";
+import { ConfigService } from "src/config/config.service";
+import { EmailService } from "src/email/email.service";
 import { FileService } from "src/file/file.service";
 import { PrismaService } from "src/prisma/prisma.service";
+import { ReverseShareService } from "src/reverseShare/reverseShare.service";
 import { CreateShareDTO } from "./dto/createShare.dto";
 
 @Injectable()
@@ -20,11 +23,14 @@ export class ShareService {
   constructor(
     private prisma: PrismaService,
     private fileService: FileService,
+    private emailService: EmailService,
     private config: ConfigService,
-    private jwtService: JwtService
+    private jwtService: JwtService,
+    private reverseShareService: ReverseShareService,
+    private clamScanService: ClamScanService
   ) {}
 
-  async create(share: CreateShareDTO, user?: User) {
+  async create(share: CreateShareDTO, user?: User, reverseShareToken?: string) {
     if (!(await this.isShareIdAvailable(share.id)).isAvailable)
       throw new BadRequestException("Share id already in use");
 
@@ -35,33 +41,61 @@ export class ShareService {
       share.security.password = await argon.hash(share.security.password);
     }
 
-    // We have to add an exception for "never" (since moment won't like that)
+    let expirationDate: Date;
-    let expirationDate;
-    if (share.expiration !== "never") {
-      expirationDate = moment()
-        .add(
-          share.expiration.split("-")[0],
-          share.expiration.split(
-            "-"
-          )[1] as moment.unitOfTime.DurationConstructor
-        )
-        .toDate();
 
-      // Throw error if expiration date is now
+    // If share is created by a reverse share token override the expiration date
-      if (expirationDate.setMilliseconds(0) == new Date().setMilliseconds(0))
+    const reverseShare = await this.reverseShareService.getByToken(
-        throw new BadRequestException("Invalid expiration date");
+      reverseShareToken
+    );
+    if (reverseShare) {
+      expirationDate = reverseShare.shareExpiration;
     } else {
-      expirationDate = moment(0).toDate();
+      // We have to add an exception for "never" (since moment won't like that)
+      if (share.expiration !== "never") {
+        expirationDate = moment()
+          .add(
+            share.expiration.split("-")[0],
+            share.expiration.split(
+              "-"
+            )[1] as moment.unitOfTime.DurationConstructor
+          )
+          .toDate();
+      } else {
+        expirationDate = moment(0).toDate();
+      }
     }
 
-    return await this.prisma.share.create({
+    fs.mkdirSync(`./data/uploads/shares/${share.id}`, {
+      recursive: true,
+    });
+
+    const shareTuple = await this.prisma.share.create({
       data: {
         ...share,
         expiration: expirationDate,
         creator: { connect: user ? { id: user.id } : undefined },
         security: { create: share.security },
+        recipients: {
+          create: share.recipients
+            ? share.recipients.map((email) => ({ email }))
+            : [],
+        },
       },
     });
+
+    if (reverseShare) {
+      // Assign share to reverse share token
+      await this.prisma.reverseShare.update({
+        where: { token: reverseShareToken },
+        data: {
+          shares: {
+            connect: { id: shareTuple.id },
+          },
+        },
+      });
+    }
+
+    return shareTuple;
   }
 
   async createZip(shareId: string) {
@@ -83,21 +117,60 @@ export class ShareService {
     await archive.finalize();
   }
 
-  async complete(id: string) {
+  async complete(id: string, reverseShareToken?: string) {
+    const share = await this.prisma.share.findUnique({
+      where: { id },
+      include: {
+        files: true,
+        recipients: true,
+        creator: true,
+        reverseShare: { include: { creator: true } },
+      },
+    });
+
     if (await this.isShareCompleted(id))
       throw new BadRequestException("Share already completed");
 
-    const moreThanOneFileInShare =
+    if (share.files.length == 0)
-      (await this.prisma.file.findMany({ where: { shareId: id } })).length != 0;
-
-    if (!moreThanOneFileInShare)
       throw new BadRequestException(
         "You need at least on file in your share to complete it."
       );
 
-    this.createZip(id).then(() =>
+    // Asynchronously create a zip of all files
-      this.prisma.share.update({ where: { id }, data: { isZipReady: true } })
+    if (share.files.length > 1)
-    );
+      this.createZip(id).then(() =>
+        this.prisma.share.update({ where: { id }, data: { isZipReady: true } })
+      );
+
+    // Send email for each recepient
+    for (const recepient of share.recipients) {
+      await this.emailService.sendMailToShareRecepients(
+        recepient.email,
+        share.id,
+        share.creator
+      );
+    }
+
+    if (
+      share.reverseShare &&
+      this.config.get("SMTP_ENABLED") &&
+      share.reverseShare.sendEmailNotification
+    ) {
+      await this.emailService.sendMailToReverseShareCreator(
+        share.reverseShare.creator.email,
+        share.id
+      );
+    }
+
+    // Check if any file is malicious with ClamAV
+    this.clamScanService.checkAndRemove(share.id);
+
+    if (share.reverseShare) {
+      await this.prisma.reverseShare.update({
+        where: { token: reverseShareToken },
+        data: { remainingUses: { decrement: 1 } },
+      });
+    }
 
     return await this.prisma.share.update({
       where: { id },
@@ -106,7 +179,7 @@ export class ShareService {
   }
 
   async getSharesByUser(userId: string) {
-    return await this.prisma.share.findMany({
+    const shares = await this.prisma.share.findMany({
       where: {
         creator: { id: userId },
         uploadLocked: true,
@@ -119,22 +192,38 @@ export class ShareService {
       orderBy: {
         expiration: "desc",
       },
+      include: { recipients: true },
     });
+
+    const sharesWithEmailRecipients = shares.map((share) => {
+      return {
+        ...share,
+        recipients: share.recipients.map((recipients) => recipients.email),
+      };
+    });
+
+    return sharesWithEmailRecipients;
   }
 
-  async get(id: string) {
+  async get(id: string): Promise<any> {
-    const share: any = await this.prisma.share.findUnique({
+    const share = await this.prisma.share.findUnique({
       where: { id },
       include: {
         files: true,
         creator: true,
+        security: true,
       },
     });
 
+    if (share.removedReason)
+      throw new NotFoundException(share.removedReason, "share_removed");
+
     if (!share || !share.uploadLocked)
       throw new NotFoundException("Share not found");
-
+    return {
-    return share;
+      ...share,
+      hasPassword: share.security?.password ? true : false,
+    };
   }
 
   async getMetaData(id: string) {
@@ -188,12 +277,20 @@ export class ShareService {
     if (
       share?.security?.password &&
       !(await argon.verify(share.security.password, password))
-    )
+    ) {
       throw new ForbiddenException("Wrong password");
+    }
+
+    if (share.security?.maxViews && share.security.maxViews <= share.views) {
+      throw new ForbiddenException(
+        "Maximum views exceeded",
+        "share_max_views_exceeded"
+      );
+    }
 
     const token = await this.generateShareToken(shareId);
     await this.increaseViewCount(share);
-    return { token };
+    return token;
   }
 
   async generateShareToken(shareId: string) {

backend/src/user/dto/createUser.dto.ts

@@ -0,0 +1,15 @@
+import { Expose, plainToClass } from "class-transformer";
+import { Allow } from "class-validator";
+import { UserDTO } from "./user.dto";
+
+export class CreateUserDTO extends UserDTO {
+  @Expose()
+  @Allow()
+  isAdmin: boolean;
+
+  from(partial: Partial<CreateUserDTO>) {
+    return plainToClass(CreateUserDTO, partial, {
+      excludeExtraneousValues: true,
+    });
+  }
+}

backend/src/user/dto/publicUser.dto.ts

@@ -0,0 +1,4 @@
+import { PickType } from "@nestjs/swagger";
+import { UserDTO } from "./user.dto";
+
+export class PublicUserDTO extends PickType(UserDTO, ["username"] as const) {}

backend/src/user/dto/updateOwnUser.dto.ts

@@ -0,0 +1,6 @@
+import { OmitType, PartialType } from "@nestjs/swagger";
+import { UserDTO } from "./user.dto";
+
+export class UpdateOwnUserDTO extends PartialType(
+  OmitType(UserDTO, ["isAdmin", "password"] as const)
+) {}

backend/src/user/dto/updateUser.dto.ts

@@ -0,0 +1,4 @@
+import { PartialType } from "@nestjs/swagger";
+import { CreateUserDTO } from "./createUser.dto";
+
+export class UpdateUserDto extends PartialType(CreateUserDTO) {}

backend/src/user/dto/user.dto.ts

@@ -1,26 +1,37 @@
 import { Expose, plainToClass } from "class-transformer";
-import { IsEmail, IsNotEmpty, IsString } from "class-validator";
+import { IsEmail, Length, Matches, MinLength } from "class-validator";
 
 export class UserDTO {
   @Expose()
   id: string;
 
   @Expose()
-  firstName: string;
+  @Matches("^[a-zA-Z0-9_.]*$", undefined, {
+    message: "Username can only contain letters, numbers, dots and underscores",
+  })
+  @Length(3, 32)
+  username: string;
 
   @Expose()
-  lastName: string;
-
-  @Expose()
-  @IsNotEmpty()
   @IsEmail()
   email: string;
 
-  @IsNotEmpty()
+  @MinLength(8)
-  @IsString()
   password: string;
 
+  @Expose()
+  isAdmin: boolean;
+
+  @Expose()
+  totpVerified: boolean;
+
   from(partial: Partial<UserDTO>) {
     return plainToClass(UserDTO, partial, { excludeExtraneousValues: true });
   }
+
+  fromList(partial: Partial<UserDTO>[]) {
+    return partial.map((part) =>
+      plainToClass(UserDTO, part, { excludeExtraneousValues: true })
+    );
+  }
 }

backend/src/user/user.controller.ts

@@ -1,14 +1,71 @@
-import { Controller, Get, UseGuards } from "@nestjs/common";
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Patch,
+  Post,
+  UseGuards,
+} from "@nestjs/common";
 import { User } from "@prisma/client";
 import { GetUser } from "src/auth/decorator/getUser.decorator";
+import { AdministratorGuard } from "src/auth/guard/isAdmin.guard";
 import { JwtGuard } from "src/auth/guard/jwt.guard";
+import { CreateUserDTO } from "./dto/createUser.dto";
+import { UpdateOwnUserDTO } from "./dto/updateOwnUser.dto";
+import { UpdateUserDto } from "./dto/updateUser.dto";
 import { UserDTO } from "./dto/user.dto";
+import { UserSevice } from "./user.service";
 
 @Controller("users")
 export class UserController {
+  constructor(private userService: UserSevice) {}
+
+  // Own user operations
   @Get("me")
   @UseGuards(JwtGuard)
   async getCurrentUser(@GetUser() user: User) {
     return new UserDTO().from(user);
   }
+
+  @Patch("me")
+  @UseGuards(JwtGuard)
+  async updateCurrentUser(
+    @GetUser() user: User,
+    @Body() data: UpdateOwnUserDTO
+  ) {
+    return new UserDTO().from(await this.userService.update(user.id, data));
+  }
+
+  @Delete("me")
+  @UseGuards(JwtGuard)
+  async deleteCurrentUser(@GetUser() user: User) {
+    return new UserDTO().from(await this.userService.delete(user.id));
+  }
+
+  // Global user operations
+  @Get()
+  @UseGuards(JwtGuard, AdministratorGuard)
+  async list() {
+    return new UserDTO().fromList(await this.userService.list());
+  }
+
+  @Post()
+  @UseGuards(JwtGuard, AdministratorGuard)
+  async create(@Body() user: CreateUserDTO) {
+    return new UserDTO().from(await this.userService.create(user));
+  }
+
+  @Patch(":id")
+  @UseGuards(JwtGuard, AdministratorGuard)
+  async update(@Param("id") id: string, @Body() user: UpdateUserDto) {
+    return new UserDTO().from(await this.userService.update(id, user));
+  }
+
+  @Delete(":id")
+  @UseGuards(JwtGuard, AdministratorGuard)
+  async delete(@Param("id") id: string) {
+    return new UserDTO().from(await this.userService.delete(id));
+  }
 }

backend/src/user/user.module.ts

@@ -0,0 +1,9 @@
+import { Module } from "@nestjs/common";
+import { UserController } from "./user.controller";
+import { UserSevice } from "./user.service";
+
+@Module({
+  providers: [UserSevice],
+  controllers: [UserController],
+})
+export class UserModule {}

backend/src/user/user.service.ts

@@ -0,0 +1,64 @@
+import { BadRequestException, Injectable } from "@nestjs/common";
+import { PrismaClientKnownRequestError } from "@prisma/client/runtime";
+import * as argon from "argon2";
+import { PrismaService } from "src/prisma/prisma.service";
+import { CreateUserDTO } from "./dto/createUser.dto";
+import { UpdateUserDto } from "./dto/updateUser.dto";
+
+@Injectable()
+export class UserSevice {
+  constructor(private prisma: PrismaService) {}
+
+  async list() {
+    return await this.prisma.user.findMany();
+  }
+
+  async get(id: string) {
+    return await this.prisma.user.findUnique({ where: { id } });
+  }
+
+  async create(dto: CreateUserDTO) {
+    const hash = await argon.hash(dto.password);
+    try {
+      return await this.prisma.user.create({
+        data: {
+          ...dto,
+          password: hash,
+        },
+      });
+    } catch (e) {
+      if (e instanceof PrismaClientKnownRequestError) {
+        if (e.code == "P2002") {
+          const duplicatedField: string = e.meta.target[0];
+          throw new BadRequestException(
+            `A user with this ${duplicatedField} already exists`
+          );
+        }
+      }
+    }
+  }
+
+  async update(id: string, user: UpdateUserDto) {
+    try {
+      const hash = user.password && (await argon.hash(user.password));
+
+      return await this.prisma.user.update({
+        where: { id },
+        data: { ...user, password: hash },
+      });
+    } catch (e) {
+      if (e instanceof PrismaClientKnownRequestError) {
+        if (e.code == "P2002") {
+          const duplicatedField: string = e.meta.target[0];
+          throw new BadRequestException(
+            `A user with this ${duplicatedField} already exists`
+          );
+        }
+      }
+    }
+  }
+
+  async delete(id: string) {
+    return await this.prisma.user.delete({ where: { id } });
+  }
+}

backend/test/newman-system-tests.json

@@ -1,6 +1,6 @@
 {
 	"info": {
-		"_postman_id": "243b0832-3a6a-4389-bb71-4d988c0a86d9",
+		"_postman_id": "cd31bdf9-d558-42da-9231-154721476cd2",
 		"name": "Pingvin Share Testing",
 		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
 		"_exporter_id": "17822132"
@@ -18,12 +18,12 @@
 								"exec": [
 									"if(pm.response.to.have.status(201)){",
 									"    const token = pm.response.json()[\"accessToken\"]",
-									"    pm.collectionVariables.set(\"USER_AUTH_TOKEN\", token)",
-									"",
 									"    // Get user id",
 									"    const jwtPayload = JSON.parse(atob(token.split('.')[1]));",
 									"    const userId = jwtPayload[\"sub\"]",
 									"    pm.collectionVariables.set(\"USER_ID\", userId)",
+									"",
+									"    pm.collectionVariables.set(\"COOKIES\", pm.response.headers.get(\"Set-Cookie\"))",
 									"}",
 									""
 								],
@@ -36,7 +36,7 @@
 						"header": [],
 						"body": {
 							"mode": "raw",
-							"raw": "{\n    \"firstName\" : \"System\",\n    \"lastName\" : \"Test\",\n    \"email\": \"system@test.org\",\n    \"password\": \"J2y8unpJUcJDRv\"\n}",
+							"raw": "{\n    \"email\": \"system@test.org\",\n    \"username\": \"system.test\",\n    \"password\": \"J2y8unpJUcJDRv\"\n}",
 							"options": {
 								"raw": {
 									"language": "json"
@@ -80,6 +80,7 @@
 											"    pm.expect(responseBody).to.have.property(\"accessToken\")",
 											"    pm.expect(responseBody).to.have.property(\"refreshToken\")",
 											"});",
+											"",
 											""
 										],
 										"type": "text/javascript"
@@ -97,7 +98,7 @@
 								],
 								"body": {
 									"mode": "raw",
-									"raw": "{\n    \"firstName\" : \"System\",\n    \"lastName\" : \"Test2\",\n    \"email\": \"system2@test.org\",\n    \"password\": \"N44HcHgeuAvfCT\"\n}",
+									"raw": "{\n    \"email\": \"system2@test.org\",\n   \"username\": \"system2.test\",\n     \"password\": \"N44HcHgeuAvfCT\"\n}",
 									"options": {
 										"raw": {
 											"language": "json"
@@ -431,7 +432,7 @@
 											"    const responseBody = pm.response.json();",
 											"    pm.expect(responseBody).to.have.property(\"id\")",
 											"    pm.expect(responseBody).to.have.property(\"expiration\")",
-											"    pm.expect(Object.keys(responseBody).length).be.equal(2)",
+											"    pm.expect(Object.keys(responseBody).length).be.equal(3)",
 											"});",
 											""
 										],
@@ -444,7 +445,7 @@
 								"header": [],
 								"body": {
 									"mode": "raw",
-									"raw": "{\n    \"id\": \"test-share\",\n    \"expiration\": \"1-day\",\n    \"security\": {\n        \"password\": \"share-password\",\n        \"maxViews\": 1\n    }\n}",
+									"raw": "{\n    \"id\": \"test-share\",\n    \"expiration\": \"1-day\",\n    \"recipients\": [],\n    \"security\": {\n        \"password\": \"share-password\",\n        \"maxViews\": 1\n    }\n}",
 									"options": {
 										"raw": {
 											"language": "json"
@@ -477,28 +478,34 @@
 											"pm.test(\"Response body correct\", () => {",
 											"    const responseBody = pm.response.json();",
 											"    pm.expect(responseBody).to.have.property(\"id\")",
-											"    pm.expect(Object.keys(responseBody).length).be.equal(1)",
+											"    pm.expect(responseBody.name).to.be.equal(\"test-file.txt\")",
+											"    pm.expect(Object.keys(responseBody).length).be.equal(2)",
 											"});"
 										],
 										"type": "text/javascript"
 									}
 								}
 							],
+							"protocolProfileBehavior": {
+								"disabledSystemHeaders": {
+									"content-type": true
+								}
+							},
 							"request": {
 								"method": "POST",
-								"header": [],
+								"header": [
+									{
+										"key": "Content-Type",
+										"value": "application/octet-stream",
+										"type": "text"
+									}
+								],
 								"body": {
-									"mode": "formdata",
+									"mode": "raw",
-									"formdata": [
+									"raw": "data:application/octet-stream;base64,VGhpcyBpcyBhIHRlc3QgZmlsZWQgdXNlZCBmb3IgdXBsb2FkaW5nIGluIHRoZSBzeXN0ZW0gdGVzdC4="
-										{
-											"key": "file",
-											"type": "file",
-											"src": "./test/system/test-file.txt"
-										}
-									]
 								},
 								"url": {
-									"raw": "{{API_URL}}/shares/:shareId/files",
+									"raw": "{{API_URL}}/shares/:shareId/files?name=test-file.txt&chunkIndex=0&totalChunks=1",
 									"host": [
 										"{{API_URL}}"
 									],
@@ -507,6 +514,93 @@
 										":shareId",
 										"files"
 									],
+									"query": [
+										{
+											"key": "name",
+											"value": "test-file.txt"
+										},
+										{
+											"key": "chunkIndex",
+											"value": "0"
+										},
+										{
+											"key": "totalChunks",
+											"value": "1"
+										}
+									],
+									"variable": [
+										{
+											"key": "shareId",
+											"value": "test-share"
+										}
+									]
+								}
+							},
+							"response": []
+						},
+						{
+							"name": "Upload file 2",
+							"event": [
+								{
+									"listen": "test",
+									"script": {
+										"exec": [
+											"pm.test(\"Status code is 201\",  () => {",
+											"    pm.response.to.have.status(201);",
+											"});",
+											"",
+											"pm.test(\"Response body correct\", () => {",
+											"    const responseBody = pm.response.json();",
+											"    pm.expect(responseBody.name).to.be.equal(\"test-file2.txt\")",
+											"    pm.expect(Object.keys(responseBody).length).be.equal(2)",
+											"});"
+										],
+										"type": "text/javascript"
+									}
+								}
+							],
+							"protocolProfileBehavior": {
+								"disabledSystemHeaders": {
+									"content-type": true
+								}
+							},
+							"request": {
+								"method": "POST",
+								"header": [
+									{
+										"key": "Content-Type",
+										"value": "application/octet-stream",
+										"type": "text"
+									}
+								],
+								"body": {
+									"mode": "raw",
+									"raw": "data:application/octet-stream;base64,VGhpcyBpcyBhIHRlc3QgZmlsZWQgdXNlZCBmb3IgdXBsb2FkaW5nIGluIHRoZSBzeXN0ZW0gdGVzdC4="
+								},
+								"url": {
+									"raw": "{{API_URL}}/shares/:shareId/files?name=test-file2.txt&chunkIndex=0&totalChunks=1",
+									"host": [
+										"{{API_URL}}"
+									],
+									"path": [
+										"shares",
+										":shareId",
+										"files"
+									],
+									"query": [
+										{
+											"key": "name",
+											"value": "test-file2.txt"
+										},
+										{
+											"key": "chunkIndex",
+											"value": "0"
+										},
+										{
+											"key": "totalChunks",
+											"value": "1"
+										}
+									],
 									"variable": [
 										{
 											"key": "shareId",
@@ -532,7 +626,7 @@
 											"    const responseBody = pm.response.json();",
 											"    pm.expect(responseBody).to.have.property(\"id\")",
 											"    pm.expect(responseBody).to.have.property(\"expiration\")",
-											"    pm.expect(Object.keys(responseBody).length).be.equal(2)",
+											"    pm.expect(Object.keys(responseBody).length).be.equal(3)",
 											"});",
 											""
 										],
@@ -710,16 +804,6 @@
 							"request": {
 								"method": "POST",
 								"header": [],
-								"body": {
-									"mode": "formdata",
-									"formdata": [
-										{
-											"key": "file",
-											"type": "file",
-											"src": "./test/system/test-file.txt"
-										}
-									]
-								},
 								"url": {
 									"raw": "{{API_URL}}/shares/:shareId/files",
 									"host": [
@@ -759,16 +843,6 @@
 							"request": {
 								"method": "POST",
 								"header": [],
-								"body": {
-									"mode": "formdata",
-									"formdata": [
-										{
-											"key": "file",
-											"type": "file",
-											"src": "./test/system/test-file.txt"
-										}
-									]
-								},
 								"url": {
 									"raw": "{{API_URL}}/shares/:shareId/files",
 									"host": [
@@ -893,7 +967,8 @@
 											"    pm.expect(Object.keys(responseBody).length).be.equal(1)",
 											"});",
 											"",
-											"pm.collectionVariables.set(\"shareToken\", pm.response.json().token)"
+											"pm.collectionVariables.set(\"COOKIES\", `${pm.collectionVariables.get(\"COOKIES\")};${pm.response.headers.get(\"Set-Cookie\")}`)",
+											""
 										],
 										"type": "text/javascript"
 									}
@@ -942,13 +1017,11 @@
 											"    pm.response.to.have.status(200);",
 											"});",
 											"",
-											"pm.test(\"Response contains 1 file\", () => {",
+											"pm.test(\"Response contains 2 files\", () => {",
 											"    const responseBody = pm.response.json();",
-											"    pm.expect(responseBody.files.length).be.equal(1)",
+											"    pm.expect(responseBody.files.length).be.equal(2)",
 											"});",
 											"",
-											"",
-											"",
 											"pm.collectionVariables.set(\"fileId\", pm.response.json().files[0].id)"
 										],
 										"type": "text/javascript"
@@ -957,13 +1030,7 @@
 							],
 							"request": {
 								"method": "GET",
-								"header": [
+								"header": [],
-									{
-										"key": "X-Share-Token",
-										"value": "{{shareToken}}",
-										"type": "text"
-									}
-								],
 								"url": {
 									"raw": "{{API_URL}}/shares/:shareId",
 									"host": [
@@ -983,88 +1050,6 @@
 							},
 							"response": []
 						},
-						{
-							"name": "Get file download url",
-							"event": [
-								{
-									"listen": "test",
-									"script": {
-										"exec": [
-											"let URL = require('url');",
-											"",
-											"pm.test(\"Status code is 200\",  () => {",
-											"    pm.response.to.have.status(200);",
-											"});",
-											"",
-											"",
-											"pm.test(\"Response body correct\", () => {",
-											"    const responseBody = pm.response.json();",
-											"    pm.expect(responseBody).to.have.property(\"url\")",
-											"    pm.expect(Object.keys(responseBody).length).be.equal(1)",
-											"});",
-											"",
-											"",
-											"const path = URL.parse(pm.response.json().url).path.replace(\"/api/\", \"\")",
-											"",
-											"pm.collectionVariables.set(\"fileDownloadPath\",path )"
-										],
-										"type": "text/javascript"
-									}
-								}
-							],
-							"protocolProfileBehavior": {
-								"disableBodyPruning": true
-							},
-							"request": {
-								"method": "GET",
-								"header": [
-									{
-										"key": "X-Share-Token",
-										"value": "{{shareToken}}",
-										"type": "text"
-									}
-								],
-								"body": {
-									"mode": "formdata",
-									"formdata": [
-										{
-											"key": "file",
-											"type": "file",
-											"src": "./test/system/test-file.txt"
-										},
-										{
-											"key": "shareId",
-											"value": "868c6a44-fb8c-4768-ad0d-ef22feebc8ea",
-											"type": "text"
-										}
-									]
-								},
-								"url": {
-									"raw": "{{API_URL}}/shares/:shareId/files/:fileId/download",
-									"host": [
-										"{{API_URL}}"
-									],
-									"path": [
-										"shares",
-										":shareId",
-										"files",
-										":fileId",
-										"download"
-									],
-									"variable": [
-										{
-											"key": "shareId",
-											"value": "test-share"
-										},
-										{
-											"key": "fileId",
-											"value": "{{fileId}}"
-										}
-									]
-								}
-							},
-							"response": []
-						},
 						{
 							"name": "Get File",
 							"event": [
@@ -1080,97 +1065,11 @@
 									}
 								}
 							],
-							"protocolProfileBehavior": {
-								"disableBodyPruning": true
-							},
 							"request": {
 								"method": "GET",
 								"header": [],
-								"body": {
-									"mode": "formdata",
-									"formdata": [
-										{
-											"key": "file",
-											"type": "file",
-											"src": "./test/system/test-file.txt"
-										},
-										{
-											"key": "shareId",
-											"value": "868c6a44-fb8c-4768-ad0d-ef22feebc8ea",
-											"type": "text"
-										}
-									]
-								},
 								"url": {
-									"raw": "{{API_URL}}/{{fileDownloadPath}}",
+									"raw": "{{API_URL}}/shares/:shareId/files/{{fileId}}",
-									"host": [
-										"{{API_URL}}"
-									],
-									"path": [
-										"{{fileDownloadPath}}"
-									]
-								}
-							},
-							"response": []
-						},
-						{
-							"name": "Get zip download url",
-							"event": [
-								{
-									"listen": "test",
-									"script": {
-										"exec": [
-											"let URL = require('url');",
-											"",
-											"pm.test(\"Status code is 200\",  () => {",
-											"    pm.response.to.have.status(200);",
-											"});",
-											"",
-											"",
-											"pm.test(\"Response body correct\", () => {",
-											"    const responseBody = pm.response.json();",
-											"    pm.expect(responseBody).to.have.property(\"url\")",
-											"    pm.expect(Object.keys(responseBody).length).be.equal(1)",
-											"});",
-											"",
-											"",
-											"const path = URL.parse(pm.response.json().url).path.replace(\"/api/\", \"\")",
-											"",
-											"pm.collectionVariables.set(\"zipDownloadPath\",path )"
-										],
-										"type": "text/javascript"
-									}
-								}
-							],
-							"protocolProfileBehavior": {
-								"disableBodyPruning": true
-							},
-							"request": {
-								"method": "GET",
-								"header": [
-									{
-										"key": "X-Share-Token",
-										"value": "{{shareToken}}",
-										"type": "text"
-									}
-								],
-								"body": {
-									"mode": "formdata",
-									"formdata": [
-										{
-											"key": "file",
-											"type": "file",
-											"src": "./test/system/test-file.txt"
-										},
-										{
-											"key": "shareId",
-											"value": "868c6a44-fb8c-4768-ad0d-ef22feebc8ea",
-											"type": "text"
-										}
-									]
-								},
-								"url": {
-									"raw": "{{API_URL}}/shares/:shareId/files/zip/download",
 									"host": [
 										"{{API_URL}}"
 									],
@@ -1178,8 +1077,7 @@
 										"shares",
 										":shareId",
 										"files",
-										"zip",
+										"{{fileId}}"
-										"download"
 									],
 									"variable": [
 										{
@@ -1212,64 +1110,16 @@
 							"request": {
 								"method": "GET",
 								"header": [],
-								"body": {
-									"mode": "formdata",
-									"formdata": [
-										{
-											"key": "file",
-											"type": "file",
-											"src": "./test/system/test-file.txt"
-										},
-										{
-											"key": "shareId",
-											"value": "868c6a44-fb8c-4768-ad0d-ef22feebc8ea",
-											"type": "text"
-										}
-									]
-								},
 								"url": {
-									"raw": "{{API_URL}}/{{zipDownloadPath}}",
+									"raw": "{{API_URL}}/shares/:shareId/files/zip",
-									"host": [
-										"{{API_URL}}"
-									],
-									"path": [
-										"{{zipDownloadPath}}"
-									]
-								}
-							},
-							"response": []
-						}
-					]
-				},
-				{
-					"name": "Negative",
-					"item": [
-						{
-							"name": "Get share - No token",
-							"event": [
-								{
-									"listen": "test",
-									"script": {
-										"exec": [
-											"pm.test(\"Status code is 403\",  () => {",
-											"    pm.response.to.have.status(403);",
-											"});"
-										],
-										"type": "text/javascript"
-									}
-								}
-							],
-							"request": {
-								"method": "GET",
-								"header": [],
-								"url": {
-									"raw": "{{API_URL}}/shares/:shareId",
 									"host": [
 										"{{API_URL}}"
 									],
 									"path": [
 										"shares",
-										":shareId"
+										":shareId",
+										"files",
+										"zip"
 									],
 									"variable": [
 										{
@@ -1280,7 +1130,12 @@
 								}
 							},
 							"response": []
-						},
+						}
+					]
+				},
+				{
+					"name": "Negative",
+					"item": [
 						{
 							"name": "Get share token - Wrong password",
 							"event": [
@@ -1374,151 +1229,19 @@
 								}
 							},
 							"response": []
-						},
-						{
-							"name": "Get file download url - No token",
-							"event": [
-								{
-									"listen": "test",
-									"script": {
-										"exec": [
-											"pm.test(\"Status code is 403\",  () => {",
-											"    pm.response.to.have.status(403);",
-											"});",
-											""
-										],
-										"type": "text/javascript"
-									}
-								}
-							],
-							"protocolProfileBehavior": {
-								"disableBodyPruning": true
-							},
-							"request": {
-								"method": "GET",
-								"header": [],
-								"body": {
-									"mode": "formdata",
-									"formdata": [
-										{
-											"key": "file",
-											"type": "file",
-											"src": "./test/system/test-file.txt"
-										},
-										{
-											"key": "shareId",
-											"value": "868c6a44-fb8c-4768-ad0d-ef22feebc8ea",
-											"type": "text"
-										}
-									]
-								},
-								"url": {
-									"raw": "{{API_URL}}/shares/:shareId/files/:fileId/download",
-									"host": [
-										"{{API_URL}}"
-									],
-									"path": [
-										"shares",
-										":shareId",
-										"files",
-										":fileId",
-										"download"
-									],
-									"variable": [
-										{
-											"key": "shareId",
-											"value": "test-share"
-										},
-										{
-											"key": "fileId",
-											"value": "{{fileId}}"
-										}
-									]
-								}
-							},
-							"response": []
-						},
-						{
-							"name": "Get zip download url - No token",
-							"event": [
-								{
-									"listen": "test",
-									"script": {
-										"exec": [
-											"pm.test(\"Status code is 403\",  () => {",
-											"    pm.response.to.have.status(403);",
-											"});",
-											""
-										],
-										"type": "text/javascript"
-									}
-								}
-							],
-							"protocolProfileBehavior": {
-								"disableBodyPruning": true
-							},
-							"request": {
-								"method": "GET",
-								"header": [],
-								"body": {
-									"mode": "formdata",
-									"formdata": [
-										{
-											"key": "file",
-											"type": "file",
-											"src": "./test/system/test-file.txt"
-										},
-										{
-											"key": "shareId",
-											"value": "868c6a44-fb8c-4768-ad0d-ef22feebc8ea",
-											"type": "text"
-										}
-									]
-								},
-								"url": {
-									"raw": "{{API_URL}}/shares/:shareId/files/zip/download",
-									"host": [
-										"{{API_URL}}"
-									],
-									"path": [
-										"shares",
-										":shareId",
-										"files",
-										"zip",
-										"download"
-									],
-									"variable": [
-										{
-											"key": "shareId",
-											"value": "test-share"
-										}
-									]
-								}
-							},
-							"response": []
 						}
 					]
 				}
 			]
 		}
 	],
-	"auth": {
-		"type": "bearer",
-		"bearer": [
-			{
-				"key": "token",
-				"value": "{{USER_AUTH_TOKEN}}",
-				"type": "string"
-			}
-		]
-	},
 	"event": [
 		{
 			"listen": "prerequest",
 			"script": {
 				"type": "text/javascript",
 				"exec": [
-					""
+					"pm.request.addHeader(\"Cookie\", pm.collectionVariables.get(\"COOKIES\"))"
 				]
 			}
 		},

backend/test/system/test-file.txt

@@ -1 +0,0 @@
-This is a test filed used for uploading in the system test.

docker-compose-dev.yml

@@ -0,0 +1,7 @@
+version: '3.8'
+services:
+  clamav:
+    restart: unless-stopped
+    ports:
+      - 3310:3310
+    image: clamav/clamav

docker-compose.yml

@@ -5,11 +5,14 @@ services:
     restart: unless-stopped
     ports:
       - 3000:3000
-    environment:
-      - APP_URL=${APP_URL}
-      - SHOW_HOME_PAGE=${SHOW_HOME_PAGE}
-      - ALLOW_REGISTRATION=${ALLOW_REGISTRATION}
-      - MAX_FILE_SIZE=${MAX_FILE_SIZE}
-      - JWT_SECRET=${JWT_SECRET}
     volumes:
-      - "${PWD}/data:/opt/app/backend/data"
+      - "./data:/opt/app/backend/data"
+# Optional: If you add ClamAV, uncomment the following to have ClamAV start first.
+#    depends_on:
+#      clamav:
+#        condition: service_healthy
+# Optional: Add ClamAV (see README.md)  
+# ClamAV is currently only available for AMD64 see https://github.com/Cisco-Talos/clamav/issues/482
+#  clamav:
+#    restart: unless-stopped
+#    image: clamav/clamav

frontend/.env.example

@@ -1,4 +0,0 @@
-SHOW_HOME_PAGE=true
-ALLOW_REGISTRATION=true
-MAX_FILE_SIZE=1000000000
-ALLOW_UNAUTHENTICATED_SHARES=false

frontend/next.config.js

@@ -1,18 +1,14 @@
 /** @type {import('next').NextConfig} */
 
-const nextConfig = {
+const { version } = require('./package.json');
-  publicRuntimeConfig: {
-    ALLOW_REGISTRATION: process.env.ALLOW_REGISTRATION,
-    SHOW_HOME_PAGE: process.env.SHOW_HOME_PAGE,
-    MAX_FILE_SIZE: process.env.MAX_FILE_SIZE,
-    ALLOW_UNAUTHENTICATED_SHARES: process.env.ALLOW_UNAUTHENTICATED_SHARES
-  }
-}
 
 const withPWA = require("next-pwa")({
   dest: "public",
-  disable: process.env.NODE_ENV == "development"
+  disable: process.env.NODE_ENV == "development",
 });
 
-
+module.exports = withPWA({
-module.exports = withPWA(nextConfig);
+  output: "standalone", env: {
+    VERSION: version,
+  },
+});

frontend/package.json

@@ -1,48 +1,51 @@
 {
-  "name": "pingvin-share",
+  "name": "pingvin-share-frontend",
-  "version": "0.0.1",
+  "version": "0.10.0",
   "scripts": {
-    "dev": "dotenv next dev",
+    "dev": "next dev",
     "build": "next build",
-    "start": "dotenv next start",
+    "start": "next start",
     "lint": "next lint",
     "format": "prettier --write \"src/**/*.ts*\""
   },
   "dependencies": {
-    "@emotion/react": "^11.10.4",
+    "@emotion/react": "^11.10.5",
     "@emotion/server": "^11.10.0",
-    "@mantine/core": "^5.5.2",
+    "@mantine/core": "^5.10.0",
-    "@mantine/dropzone": "^5.5.2",
+    "@mantine/dropzone": "^5.10.0",
-    "@mantine/form": "^5.5.2",
+    "@mantine/form": "^5.10.0",
-    "@mantine/hooks": "^5.5.2",
+    "@mantine/hooks": "^5.10.0",
-    "@mantine/modals": "^5.5.2",
+    "@mantine/modals": "^5.10.0",
-    "@mantine/next": "^5.5.2",
+    "@mantine/next": "^5.10.0",
-    "@mantine/notifications": "^5.5.2",
+    "@mantine/notifications": "^5.10.0",
-    "axios": "^0.26.1",
+    "axios": "^1.2.2",
-    "cookies-next": "^2.0.4",
+    "cookies-next": "^2.1.1",
     "file-saver": "^2.0.5",
-    "jose": "^4.8.1",
+    "jose": "^4.11.2",
+    "jwt-decode": "^3.1.2",
+    "mime-types": "^2.1.35",
     "moment": "^2.29.4",
-    "next": "^12.3.1",
+    "next": "^13.1.2",
     "next-cookies": "^2.0.3",
-    "next-http-proxy-middleware": "^1.2.4",
+    "next-http-proxy-middleware": "^1.2.5",
     "next-pwa": "^5.6.0",
-    "react": "18.0.0",
+    "p-limit": "^4.0.0",
-    "react-dom": "18.0.0",
+    "react": "^18.2.0",
-    "react-icons": "^4.4.0",
+    "react-dom": "^18.2.0",
+    "react-icons": "^4.7.1",
     "yup": "^0.32.11"
   },
   "devDependencies": {
-    "@types/node": "17.0.23",
+    "@types/mime-types": "^2.1.1",
-    "@types/react": "18.0.4",
+    "@types/node": "18.11.18",
-    "@types/react-dom": "18.0.0",
+    "@types/react": "18.0.26",
-    "axios": "^0.26.1",
+    "@types/react-dom": "18.0.10",
-    "dotenv-cli": "^6.0.0",
+    "axios": "^1.2.2",
-    "eslint": "8.13.0",
+    "eslint": "8.31.0",
-    "eslint-config-next": "12.1.5",
+    "eslint-config-next": "^13.1.2",
-    "eslint-config-prettier": "^8.5.0",
+    "eslint-config-prettier": "^8.6.0",
-    "prettier": "^2.7.1",
+    "prettier": "^2.8.2",
-    "tar": "^6.1.11",
+    "tar": "^6.1.13",
-    "typescript": "^4.6.3"
+    "typescript": "^4.9.4"
   }
 }

frontend/src/components/Meta.tsx

@@ -7,18 +7,20 @@ const Meta = ({
   title: string;
   description?: string;
 }) => {
+  const metaTitle = `${title} - Pingvin Share`;
+
   return (
     <Head>
-      {/* TODO: Doesn't work because script get only executed on client side */}
+      <title>{metaTitle}</title>
-      <title>{title} - Pingvin Share</title>
+      <meta name="og:title" content={metaTitle} />
-      <meta name="og:title" content={`${title} - Pingvin Share`} />
       <meta
         name="og:description"
         content={
           description ?? "An open-source and self-hosted sharing platform."
         }
       />
-      <meta name="twitter:title" content={`${title} - Pingvin Share`} />
+      <meta property="og:image" content="/img/opengraph-default.png" />
+      <meta name="twitter:title" content={metaTitle} />
       <meta name="twitter:description" content={description} />
     </Head>
   );

frontend/src/components/account/ThemeSwitcher.tsx

@@ -0,0 +1,66 @@
+import {
+  Box,
+  Center,
+  ColorScheme,
+  SegmentedControl,
+  Stack,
+  useMantineColorScheme,
+} from "@mantine/core";
+import { useColorScheme } from "@mantine/hooks";
+import { useState } from "react";
+import { TbDeviceLaptop, TbMoon, TbSun } from "react-icons/tb";
+import usePreferences from "../../hooks/usePreferences";
+
+const ThemeSwitcher = () => {
+  const preferences = usePreferences();
+  const [colorScheme, setColorScheme] = useState(
+    preferences.get("colorScheme")
+  );
+  const { toggleColorScheme } = useMantineColorScheme();
+  const systemColorScheme = useColorScheme();
+  return (
+    <Stack>
+      <SegmentedControl
+        value={colorScheme}
+        onChange={(value) => {
+          preferences.set("colorScheme", value);
+          setColorScheme(value);
+          toggleColorScheme(
+            value == "system" ? systemColorScheme : (value as ColorScheme)
+          );
+        }}
+        data={[
+          {
+            label: (
+              <Center>
+                <TbMoon size={16} />
+                <Box ml={10}>Dark</Box>
+              </Center>
+            ),
+            value: "dark",
+          },
+          {
+            label: (
+              <Center>
+                <TbSun size={16} />
+                <Box ml={10}>Light</Box>
+              </Center>
+            ),
+            value: "light",
+          },
+          {
+            label: (
+              <Center>
+                <TbDeviceLaptop size={16} />
+                <Box ml={10}>System</Box>
+              </Center>
+            ),
+            value: "system",
+          },
+        ]}
+      />
+    </Stack>
+  );
+};
+
+export default ThemeSwitcher;