@blocklet/uploader-server 0.1.53 → 0.1.55

package/es/index.d.ts

@@ -1 +1,2 @@
 export * from './middlewares';
+export * from './utils';

package/es/index.js

@@ -1 +1,2 @@
 export * from "./middlewares.js";
+export * from "./utils.js";

package/es/middlewares/companion.d.ts

@@ -3,4 +3,3 @@ export declare function initCompanion({ path, express, providerOptions, ...restP
     express: Function;
     providerOptions?: Object;
 }): any;
-export declare function proxyImageDownload(req: any, res: any, next?: Function): Promise<void>;

package/es/middlewares/companion.js

@@ -1,8 +1,8 @@
 const companion = require("@uppy/companion");
 const bodyParser = require("body-parser");
 const session = require("express-session");
-const axios = require("axios");
 const crypto = require("crypto");
+const { checkTrustedReferer, proxyImageDownload } = require("../utils");
 const secret = crypto.randomBytes(32).toString("hex");
 export function initCompanion({
   path,
@@ -13,7 +13,7 @@ export function initCompanion({
   const app = express();
   app.use(bodyParser.json());
   app.use(session({ secret }));
-  app.use("/proxy", proxyImageDownload);
+  app.use("/proxy", checkTrustedReferer, proxyImageDownload);
   let dynamicProviderOptions = providerOptions;
   const companionOptions = {
     secret,
@@ -56,37 +56,3 @@ export function initCompanion({
   };
   return newCompanion;
 }
-export async function proxyImageDownload(req, res, next) {
-  let { url, responseType = "stream" } = {
-    ...req.query,
-    ...req.body
-  };
-  if (url) {
-    url = encodeURI(url);
-    try {
-      const { headers, data, status } = await axios.get(url, {
-        responseType
-      });
-      if (data && status >= 200 && status < 302) {
-        res.setHeader("Content-Type", headers["content-type"]);
-        try {
-        } catch (error) {
-        }
-        if (responseType === "stream") {
-          data.pipe(res);
-        } else if (responseType === "arraybuffer") {
-          res.end(data?.toString?.("binary"), "binary");
-        } else {
-          res.send(data);
-        }
-      } else {
-        throw new Error("download image error");
-      }
-    } catch (err) {
-      console.error("Proxy url failed: ", err);
-      res.status(500).send("Proxy url failed");
-    }
-  } else {
-    res.status(500).send('Parameter "url" is required');
-  }
-}

package/es/middlewares/local-storage.js

@@ -7,6 +7,7 @@ const crypto = require("crypto");
 const mime = require("mime-types");
 const joinUrlLib = require("url-join");
 const { default: queue } = require("p-queue");
+const { setPDFDownloadHeader } = require("../utils");
 const validFilePathInDirPath = (dirPath, filePath) => {
   const fileName = path.basename(filePath);
   if (!filePath.startsWith(dirPath) || path.join(dirPath, fileName) !== filePath) {
@@ -225,6 +226,7 @@ export function setHeaders(req, res, next) {
     if (contentType) {
       res.setHeader("Content-Type", contentType);
     }
+    setPDFDownloadHeader(req, res);
   }
   next?.();
 }

package/es/middlewares/static-resource.js

@@ -4,6 +4,7 @@ const config = require("@blocklet/sdk/lib/config");
 const { getResources } = require("@blocklet/sdk/lib/component");
 const httpProxy = require("http-proxy");
 const joinUrl = require("url-join");
+const { setPDFDownloadHeader } = require("../utils");
 const proxy = httpProxy.createProxyServer();
 const logger = console;
 const ImgResourceType = "imgpack";
@@ -101,6 +102,7 @@ export const initProxyToMediaKitUploadsMiddleware = ({ options, express } = {})
     }
     const filename = basename(req.url);
     req.url = joinUrl("/uploads/", filename);
+    setPDFDownloadHeader(req, res);
     proxy.web(
       req,
       res,

package/es/utils.d.ts

@@ -0,0 +1,7 @@
+export declare function getTrustedDomainsCache({ forceUpdate, ttl, }?: {
+    forceUpdate?: boolean;
+    ttl?: number;
+}): Promise<string[]>;
+export declare function checkTrustedReferer(req: any, res: any, next?: Function): Promise<any>;
+export declare function proxyImageDownload(req: any, res: any, next?: Function): Promise<void>;
+export declare function setPDFDownloadHeader(req: any, res: any): void;

package/es/utils.js

@@ -0,0 +1,79 @@
+import axios from "axios";
+import config from "@blocklet/sdk/lib/config";
+import path from "path";
+import joinUrl from "url-join";
+import { isbot } from "isbot";
+import AuthService from "@blocklet/sdk/service/auth";
+const authClient = new AuthService();
+const DEFAULT_TTL = 5 * 60 * 1e3;
+const trustedDomainsCache = {
+  timestamp: 0,
+  domains: []
+};
+export async function getTrustedDomainsCache({
+  forceUpdate = false,
+  ttl = DEFAULT_TTL
+} = {}) {
+  const now = Date.now();
+  if (!forceUpdate && trustedDomainsCache.domains.length > 0) {
+    if (now - trustedDomainsCache.timestamp < ttl) {
+      return trustedDomainsCache.domains;
+    }
+  }
+  trustedDomainsCache.domains = await axios.get(joinUrl(config.env.appUrl, "/.well-known/service/api/federated/getTrustedDomains")).then((res) => res.data);
+  trustedDomainsCache.timestamp = now;
+  return trustedDomainsCache.domains;
+}
+export async function checkTrustedReferer(req, res, next) {
+  if (isbot(req.get("user-agent"))) {
+    return next?.();
+  }
+  const referer = req.headers.referer;
+  if (!referer) {
+    return res.status(403).send("Access denied");
+  }
+  const allowedDomains = await getTrustedDomainsCache();
+  const refererHost = new URL(referer).hostname;
+  if (allowedDomains?.length && !allowedDomains.some((domain) => refererHost.includes(domain))) {
+    return res.status(403).send("Access denied");
+  }
+  next?.();
+}
+export async function proxyImageDownload(req, res, next) {
+  let { url } = {
+    ...req.query,
+    ...req.body
+  };
+  if (url) {
+    url = encodeURI(url);
+    try {
+      const { headers, data, status } = await axios({
+        method: "get",
+        url,
+        responseType: "stream",
+        timeout: 30 * 1e3,
+        headers: {
+          // Add common headers to mimic browser request
+          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
+        }
+      });
+      if (data && status >= 200 && status < 302) {
+        res.setHeader("Content-Type", headers["content-type"]);
+        data.pipe(res);
+      } else {
+        throw new Error("download image error");
+      }
+    } catch (err) {
+      console.error("Proxy url failed: ", err);
+      res.status(500).send("Proxy url failed");
+    }
+  } else {
+    res.status(500).send('Parameter "url" is required');
+  }
+}
+export function setPDFDownloadHeader(req, res) {
+  if (path.extname(req.path) === ".pdf") {
+    const filename = req.query?.filename ?? req?.path;
+    res.setHeader("Content-Disposition", `attachment; ${filename ? `filename="${filename}"` : ""}`);
+  }
+}

package/lib/index.d.ts

@@ -1 +1,2 @@
 export * from './middlewares';
+export * from './utils';

package/lib/index.js

@@ -13,4 +13,15 @@ Object.keys(_middlewares).forEach(function (key) {
       return _middlewares[key];
     }
   });
+});
+var _utils = require("./utils");
+Object.keys(_utils).forEach(function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (key in exports && exports[key] === _utils[key]) return;
+  Object.defineProperty(exports, key, {
+    enumerable: true,
+    get: function () {
+      return _utils[key];
+    }
+  });
 });

package/lib/middlewares/companion.d.ts

@@ -3,4 +3,3 @@ export declare function initCompanion({ path, express, providerOptions, ...restP
     express: Function;
     providerOptions?: Object;
 }): any;
-export declare function proxyImageDownload(req: any, res: any, next?: Function): Promise<void>;

package/lib/middlewares/companion.js

@@ -4,12 +4,14 @@ Object.defineProperty(exports, "__esModule", {
   value: true
 });
 exports.initCompanion = initCompanion;
-exports.proxyImageDownload = proxyImageDownload;
 const companion = require("@uppy/companion");
 const bodyParser = require("body-parser");
 const session = require("express-session");
-const axios = require("axios");
 const crypto = require("crypto");
+const {
+  checkTrustedReferer,
+  proxyImageDownload
+} = require("../utils");
 const secret = crypto.randomBytes(32).toString("hex");
 function initCompanion({
   path,
@@ -22,7 +24,7 @@ function initCompanion({
   app.use(session({
     secret
   }));
-  app.use("/proxy", proxyImageDownload);
+  app.use("/proxy", checkTrustedReferer, proxyImageDownload);
   let dynamicProviderOptions = providerOptions;
   const companionOptions = {
     secret,
@@ -62,43 +64,4 @@ function initCompanion({
     dynamicProviderOptions = options;
   };
   return newCompanion;
-}
-async function proxyImageDownload(req, res, next) {
-  let {
-    url,
-    responseType = "stream"
-  } = {
-    ...req.query,
-    ...req.body
-  };
-  if (url) {
-    url = encodeURI(url);
-    try {
-      const {
-        headers,
-        data,
-        status
-      } = await axios.get(url, {
-        responseType
-      });
-      if (data && status >= 200 && status < 302) {
-        res.setHeader("Content-Type", headers["content-type"]);
-        try {} catch (error) {}
-        if (responseType === "stream") {
-          data.pipe(res);
-        } else if (responseType === "arraybuffer") {
-          res.end(data?.toString?.("binary"), "binary");
-        } else {
-          res.send(data);
-        }
-      } else {
-        throw new Error("download image error");
-      }
-    } catch (err) {
-      console.error("Proxy url failed: ", err);
-      res.status(500).send("Proxy url failed");
-    }
-  } else {
-    res.status(500).send('Parameter "url" is required');
-  }
 }

package/lib/middlewares/local-storage.js

@@ -27,6 +27,9 @@ const joinUrlLib = require("url-join");
 const {
   default: queue
 } = require("p-queue");
+const {
+  setPDFDownloadHeader
+} = require("../utils");
 const validFilePathInDirPath = (dirPath, filePath) => {
   const fileName = path.basename(filePath);
   if (!filePath.startsWith(dirPath) || path.join(dirPath, fileName) !== filePath) {
@@ -267,6 +270,7 @@ function setHeaders(req, res, next) {
     if (contentType) {
       res.setHeader("Content-Type", contentType);
     }
+    setPDFDownloadHeader(req, res);
   }
   next?.();
 }

package/lib/middlewares/static-resource.js

@@ -17,6 +17,9 @@ const {
 } = require("@blocklet/sdk/lib/component");
 const httpProxy = require("http-proxy");
 const joinUrl = require("url-join");
+const {
+  setPDFDownloadHeader
+} = require("../utils");
 const proxy = httpProxy.createProxyServer();
 const logger = console;
 const ImgResourceType = "imgpack";
@@ -127,6 +130,7 @@ const initProxyToMediaKitUploadsMiddleware = ({
     }
     const filename = basename(req.url);
     req.url = joinUrl("/uploads/", filename);
+    setPDFDownloadHeader(req, res);
     proxy.web(req, res, {
       target: mediaKitInfo.webEndpoint,
       changeOrigin: true,

package/lib/utils.d.ts

@@ -0,0 +1,7 @@
+export declare function getTrustedDomainsCache({ forceUpdate, ttl, }?: {
+    forceUpdate?: boolean;
+    ttl?: number;
+}): Promise<string[]>;
+export declare function checkTrustedReferer(req: any, res: any, next?: Function): Promise<any>;
+export declare function proxyImageDownload(req: any, res: any, next?: Function): Promise<void>;
+export declare function setPDFDownloadHeader(req: any, res: any): void;

package/lib/utils.js

@@ -1 +1,95 @@
-"use strict";
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.checkTrustedReferer = checkTrustedReferer;
+exports.getTrustedDomainsCache = getTrustedDomainsCache;
+exports.proxyImageDownload = proxyImageDownload;
+exports.setPDFDownloadHeader = setPDFDownloadHeader;
+var _axios = _interopRequireDefault(require("axios"));
+var _config = _interopRequireDefault(require("@blocklet/sdk/lib/config"));
+var _path = _interopRequireDefault(require("path"));
+var _urlJoin = _interopRequireDefault(require("url-join"));
+var _isbot = require("isbot");
+var _auth = _interopRequireDefault(require("@blocklet/sdk/service/auth"));
+function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
+const authClient = new _auth.default();
+const DEFAULT_TTL = 5 * 60 * 1e3;
+const trustedDomainsCache = {
+  timestamp: 0,
+  domains: []
+};
+async function getTrustedDomainsCache({
+  forceUpdate = false,
+  ttl = DEFAULT_TTL
+} = {}) {
+  const now = Date.now();
+  if (!forceUpdate && trustedDomainsCache.domains.length > 0) {
+    if (now - trustedDomainsCache.timestamp < ttl) {
+      return trustedDomainsCache.domains;
+    }
+  }
+  trustedDomainsCache.domains = await _axios.default.get((0, _urlJoin.default)(_config.default.env.appUrl, "/.well-known/service/api/federated/getTrustedDomains")).then(res => res.data);
+  trustedDomainsCache.timestamp = now;
+  return trustedDomainsCache.domains;
+}
+async function checkTrustedReferer(req, res, next) {
+  if ((0, _isbot.isbot)(req.get("user-agent"))) {
+    return next?.();
+  }
+  const referer = req.headers.referer;
+  if (!referer) {
+    return res.status(403).send("Access denied");
+  }
+  const allowedDomains = await getTrustedDomainsCache();
+  const refererHost = new URL(referer).hostname;
+  if (allowedDomains?.length && !allowedDomains.some(domain => refererHost.includes(domain))) {
+    return res.status(403).send("Access denied");
+  }
+  next?.();
+}
+async function proxyImageDownload(req, res, next) {
+  let {
+    url
+  } = {
+    ...req.query,
+    ...req.body
+  };
+  if (url) {
+    url = encodeURI(url);
+    try {
+      const {
+        headers,
+        data,
+        status
+      } = await (0, _axios.default)({
+        method: "get",
+        url,
+        responseType: "stream",
+        timeout: 30 * 1e3,
+        headers: {
+          // Add common headers to mimic browser request
+          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
+        }
+      });
+      if (data && status >= 200 && status < 302) {
+        res.setHeader("Content-Type", headers["content-type"]);
+        data.pipe(res);
+      } else {
+        throw new Error("download image error");
+      }
+    } catch (err) {
+      console.error("Proxy url failed: ", err);
+      res.status(500).send("Proxy url failed");
+    }
+  } else {
+    res.status(500).send('Parameter "url" is required');
+  }
+}
+function setPDFDownloadHeader(req, res) {
+  if (_path.default.extname(req.path) === ".pdf") {
+    const filename = req.query?.filename ?? req?.path;
+    res.setHeader("Content-Disposition", `attachment; ${filename ? `filename="${filename}"` : ""}`);
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blocklet/uploader-server",
-  "version": "0.1.53",
+  "version": "0.1.55",
   "description": "blocklet upload server",
   "publishConfig": {
     "access": "public"
@@ -17,8 +17,11 @@
       "import": "./es/middlewares.js",
       "types": "./lib/middlewares.d.ts"
     },
-    "./lib/": "./lib/",
-    "./es/": "./es/"
+    "./utils": {
+      "require": "./lib/utils.js",
+      "import": "./es/utils.js",
+      "types": "./lib/utils.d.ts"
+    }
   },
   "files": [
     "lib",
@@ -38,10 +41,10 @@
     "@uppy/companion": "4.15.1"
   },
   "dependencies": {
-    "@abtnode/cron": "^1.16.33",
-    "@blocklet/constant": "^1.16.33",
-    "@blocklet/logger": "^1.16.33",
-    "@blocklet/sdk": "^1.16.33",
+    "@abtnode/cron": "1.16.34-beta-20241126-104450-d60e25c2",
+    "@blocklet/constant": "1.16.34-beta-20241126-104450-d60e25c2",
+    "@blocklet/logger": "1.16.34-beta-20241126-104450-d60e25c2",
+    "@blocklet/sdk": "1.16.34-beta-20241126-104450-d60e25c2",
     "@tus/file-store": "1.0.0",
     "@tus/server": "1.0.0",
     "@uppy/companion": "4.15.1",
@@ -49,6 +52,7 @@
     "crypto": "^1.0.1",
     "express-session": "1.17.3",
     "http-proxy": "^1.18.1",
+    "isbot": "^5.1.17",
     "mime-types": "^2.1.35",
     "p-queue": "^6.6.2",
     "ufo": "^1.5.3",
@@ -57,6 +61,7 @@
   "devDependencies": {
     "@arcblock/eslint-config-ts": "^0.2.4",
     "@types/express": "^4.17.21",
+    "@types/http-proxy": "^1.17.15",
     "@types/mime-types": "^2.1.4",
     "@types/node": "^20.12.7",
     "@types/url-join": "^4.0.3",