From 4dafc79cb74d901bb9454f78277298f020543bb5 Mon Sep 17 00:00:00 2001 From: Pitu Date: Sat, 18 Jul 2020 02:55:05 +0900 Subject: [PATCH] fix authorization --- docs/migrating.md | 4 ++++ src/api/utils/Util.js | 10 +++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/docs/migrating.md b/docs/migrating.md index a7d9eb7..796d422 100644 --- a/docs/migrating.md +++ b/docs/migrating.md @@ -12,3 +12,7 @@ For starters we recommend cloning the new version somewhere else instead of `git ### Known issues of migrating - The thumbnails in the album view don't show up. That's because they don't exist, this will get solved as you upload new stuff so the newly uploaded files get the proper thumbnail created. + +### Breaking changes +- You need to update the lolisafe browser if you use it, since it won't work with the new version automatically. Instead of pasting your token into it, you need to log in to lolisafe, go to your user settings and generate an `API KEY`, which you will use to access the service from 3rd party apps like the browser extension, ShareX, etc. +- To upload a file to an album directly users used to use the endpoint `/api/upload/${albumId}`. This is no longer the case. To upload directly to an album now it's necessary to pass a header called `albumid` with an integer as the value of the album to which you want to upload a file to. diff --git a/src/api/utils/Util.js b/src/api/utils/Util.js index b8d960d..80bffd5 100644 --- a/src/api/utils/Util.js +++ b/src/api/utils/Util.js @@ -206,7 +206,15 @@ class Util { } } - static isAuthorized(req) { + static async isAuthorized(req) { + if (req.headers.token) { + if (!this.options.canApiKey) return false; + const user = await db.table('users').where({ apiKey: req.headers.token }).first(); + if (!user) return false; + if (!user.enabled) return false; + return true; + } + if (!req.headers.authorization) return false; const token = req.headers.authorization.split(' ')[1]; if (!token) return false;