@waline/vercel 1.20.1 → 1.22.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@waline/vercel",
-  "version": "1.20.1",
+  "version": "1.22.0",
   "description": "vercel server for waline comment system",
   "keywords": [
     "waline",

package/src/controller/comment.js

@@ -6,7 +6,7 @@ const { getMarkdownParser } = require('../service/markdown');
 const markdownParser = getMarkdownParser();
 
 async function formatCmt(
-  { ua, user_id, ip, ...comment },
+  { ua, ip, ...comment },
   users = [],
   { avatarProxy },
   loginUser
@@ -20,7 +20,7 @@ async function formatCmt(
     comment.os = [ua.os.name, ua.os.version].filter((v) => v).join(' ');
   }
 
-  const user = users.find(({ objectId }) => user_id === objectId);
+  const user = users.find(({ objectId }) => comment.user_id === objectId);
 
   if (!think.isEmpty(user)) {
     comment.nick = user.display_name;
@@ -42,10 +42,12 @@ async function formatCmt(
 
   const isAdmin = loginUser && loginUser.type === 'administrator';
 
+  if (loginUser) {
+    comment.orig = comment.comment;
+  }
   if (!isAdmin) {
     delete comment.mail;
   } else {
-    comment.orig = comment.comment;
     comment.ip = ip;
   }
 
@@ -592,7 +594,7 @@ module.exports = class extends BaseRest {
       if (parentComment.user_id) {
         parentUser = await this.service(
           `storage/${this.config('storage')}`,
-          'User'
+          'Users'
         ).select({
           objectId: parentComment.user_id,
         });
@@ -642,26 +644,21 @@ module.exports = class extends BaseRest {
 
   async putAction() {
     const { userInfo } = this.ctx.state;
-    let data = this.post();
+    const isAdmin = userInfo.type === 'administrator';
+    let data = isAdmin ? this.post() : this.post('comment,like');
     let oldData = await this.modelInstance.select({ objectId: this.id });
 
-    if (think.isEmpty(oldData)) {
+    if (think.isEmpty(oldData) || think.isEmpty(data)) {
       return this.success();
     }
 
     oldData = oldData[0];
-    if (think.isEmpty(userInfo) || userInfo.type !== 'administrator') {
-      if (!think.isBoolean(data.like)) {
-        return this.success();
-      }
-
+    if (think.isBoolean(data.like)) {
       const likeIncMax = this.config('LIKE_INC_MAX') || 1;
 
-      data = {
-        like:
-          (Number(oldData.like) || 0) +
-          (data.like ? Math.ceil(Math.random() * likeIncMax) : -1),
-      };
+      data.like =
+        (Number(oldData.like) || 0) +
+        (data.like ? Math.ceil(Math.random() * likeIncMax) : -1);
     }
 
     const preUpdateResp = await this.hook('preUpdate', {
@@ -677,23 +674,29 @@ module.exports = class extends BaseRest {
       objectId: this.id,
     });
 
+    let cmtUser;
+
+    if (!think.isEmpty(newData) && newData[0].user_id) {
+      cmtUser = await this.service(
+        `storage/${this.config('storage')}`,
+        'Users'
+      ).select({
+        objectId: newData[0].user_id,
+      });
+      cmtUser = cmtUser[0];
+    }
+    const cmtReturn = await formatCmt(
+      newData[0],
+      cmtUser ? [cmtUser] : [],
+      this.config(),
+      userInfo
+    );
+
     if (
       oldData.status === 'waiting' &&
       data.status === 'approved' &&
       oldData.pid
     ) {
-      let cmtUser;
-
-      if (newData.user_id) {
-        cmtUser = await this.service(
-          `storage/${this.config('storage')}`,
-          'User'
-        ).select({
-          objectId: newData.user_id,
-        });
-        cmtUser = cmtUser[0];
-      }
-
       let pComment = await this.modelInstance.select({
         objectId: oldData.pid,
       });
@@ -705,7 +708,7 @@ module.exports = class extends BaseRest {
       if (pComment.user_id) {
         pUser = await this.service(
           `storage/${this.config('storage')}`,
-          'User'
+          'Users'
         ).select({
           objectId: pComment.user_id,
         });
@@ -713,12 +716,6 @@ module.exports = class extends BaseRest {
       }
 
       const notify = this.service('notify');
-      const cmtReturn = await formatCmt(
-        newData,
-        cmtUser ? [cmtUser] : [],
-        this.config(),
-        userInfo
-      );
       const pcmtReturn = await formatCmt(
         pComment,
         pUser ? [pUser] : [],
@@ -727,7 +724,7 @@ module.exports = class extends BaseRest {
       );
 
       await notify.run(
-        { ...cmtReturn, mail: newData.mail },
+        { ...cmtReturn, mail: newData[0].mail },
         { ...pcmtReturn, mail: pComment.mail },
         true
       );
@@ -735,7 +732,7 @@ module.exports = class extends BaseRest {
 
     await this.hook('postUpdate', data);
 
-    return this.success();
+    return this.success(cmtReturn);
   }
 
   async deleteAction() {

package/src/controller/oauth.js

@@ -1,7 +1,6 @@
 const jwt = require('jsonwebtoken');
 const fetch = require('node-fetch');
 const { PasswordHash } = require('phpass');
-const qs = require('querystring');
 
 module.exports = class extends think.Controller {
   constructor(ctx) {
@@ -21,16 +20,16 @@ module.exports = class extends think.Controller {
 
     if (!hasCode) {
       const { serverURL } = this.ctx;
-      const redirectUrl = `${serverURL}/oauth?${qs.stringify({
+      const redirectUrl = `${serverURL}/oauth?${new URLSearchParams({
         redirect,
         type,
-      })}`;
+      }).toString()}`;
 
       return this.redirect(
-        `${oauthUrl}/${type}?${qs.stringify({
+        `${oauthUrl}/${type}?${new URLSearchParams({
           redirect: redirectUrl,
           state: this.ctx.state.token,
-        })}`
+        }).toString()}`
       );
     }
 
@@ -41,23 +40,26 @@ module.exports = class extends think.Controller {
 
     if (type === 'facebook') {
       const { serverURL } = this.ctx;
-      const redirectUrl = `${serverURL}/oauth?${qs.stringify({
+      const redirectUrl = `${serverURL}/oauth?${new URLSearchParams({
         redirect,
         type,
-      })}`;
+      }).toString()}`;
 
-      params.state = qs.stringify({
+      params.state = new URLSearchParams({
         redirect: redirectUrl,
         state: this.ctx.state.token || '',
       });
     }
 
-    const user = await fetch(`${oauthUrl}/${type}?${qs.stringify(params)}`, {
-      method: 'GET',
-      headers: {
-        'user-agent': '@waline',
-      },
-    }).then((resp) => resp.json());
+    const user = await fetch(
+      `${oauthUrl}/${type}?${new URLSearchParams(params).toString()}`,
+      {
+        method: 'GET',
+        headers: {
+          'user-agent': '@waline',
+        },
+      }
+    ).then((resp) => resp.json());
 
     if (!user || !user.id) {
       return this.fail(user);

package/src/controller/user.js

@@ -1,4 +1,3 @@
-const qs = require('querystring');
 const { PasswordHash } = require('phpass');
 const BaseRest = require('./rest');
 
@@ -82,7 +81,7 @@ module.exports = class extends BaseRest {
       const apiUrl =
         this.ctx.serverURL +
         '/verification?' +
-        qs.stringify({ token, email: data.email });
+        new URLSearchParams({ token, email: data.email }).toString();
 
       await notify.transporter.sendMail({
         from:

package/src/logic/base.js

@@ -1,4 +1,6 @@
 const path = require('path');
+const qs = require('querystring');
+const fetch = require('node-fetch');
 const jwt = require('jsonwebtoken');
 const helper = require('think-helper');
 
@@ -122,4 +124,35 @@ module.exports = class extends think.Logic {
 
     return '';
   }
+
+  async useCaptchaCheck() {
+    const { RECAPTCHA_V3_SECRET } = process.env;
+
+    if (!RECAPTCHA_V3_SECRET) {
+      return;
+    }
+    const { recaptchaV3 } = this.post();
+
+    if (!recaptchaV3) {
+      return this.ctx.throw(403);
+    }
+
+    const query = qs.stringify({
+      secret: RECAPTCHA_V3_SECRET,
+      response: recaptchaV3,
+      remoteip: this.ctx.ip,
+    });
+    const recaptchaV3Result = await fetch(
+      `https://recaptcha.net/recaptcha/api/siteverify?${query}`
+    ).then((resp) => resp.json());
+
+    if (!recaptchaV3Result.success) {
+      think.logger.debug(
+        'RecaptchaV3 Result:',
+        JSON.stringify(recaptchaV3Result, null, '\t')
+      );
+
+      return this.ctx.throw(403);
+    }
+  }
 };

package/src/logic/comment.js

@@ -1,18 +1,7 @@
 const Base = require('./base');
 
 module.exports = class extends Base {
-  async __before() {
-    await super.__before();
-
-    const { type, path } = this.get();
-    const { like } = this.post();
-    const isAllowedGet = this.isGet && (type !== 'list' || path);
-    const isAllowedPut = this.ctx.isMethod('PUT') && think.isBoolean(like);
-
-    if (this.isPost || isAllowedGet || isAllowedPut) {
-      return;
-    }
-
+  checkAdmin() {
     const { userInfo } = this.ctx.state;
 
     if (think.isEmpty(userInfo)) {
@@ -116,7 +105,12 @@ module.exports = class extends Base {
    * @apiSuccess  (200) {String}  response.type comment login user type
    */
   getAction() {
-    const { type } = this.get();
+    const { type, path } = this.get();
+    const isAllowedGet = type !== 'list' || path;
+
+    if (!isAllowedGet) {
+      this.checkAdmin();
+    }
 
     switch (type) {
       case 'recent':
@@ -206,13 +200,19 @@ module.exports = class extends Base {
    * @apiSuccess  (200) {String}  data.avatar comment user avatar
    * @apiSuccess  (200) {String}  data.type comment login user type
    */
-  postAction() {
+  async postAction() {
     const { LOGIN } = process.env;
     const { userInfo } = this.ctx.state;
 
-    if (LOGIN === 'force' && think.isEmpty(userInfo)) {
+    if (!think.isEmpty(userInfo)) {
+      return;
+    }
+
+    if (LOGIN === 'force') {
       return this.ctx.throw(401);
     }
+
+    return this.useCaptchaCheck();
   }
 
   /**
@@ -230,17 +230,46 @@ module.exports = class extends Base {
    * @apiSuccess  (200) {Number}  errno 0
    * @apiSuccess  (200) {String}  errmsg  return error message if error
    */
-  putAction() {
+  async putAction() {
     const { userInfo } = this.ctx.state;
+    const { like } = this.post();
 
-    if (think.isEmpty(userInfo) || userInfo.type !== 'administrator') {
+    // 1. like
+    if (think.isEmpty(userInfo) && think.isBoolean(like)) {
       this.rules = {
         like: {
           required: true,
           boolean: true,
         },
       };
+
+      return;
     }
+
+    if (think.isEmpty(userInfo)) {
+      return this.ctx.throw(401);
+    }
+
+    // 2. administrator
+    if (userInfo.type === 'administrator') {
+      return;
+    }
+
+    // 3. comment author modify comment content
+    const modelInstance = this.service(
+      `storage/${this.config('storage')}`,
+      'Comment'
+    );
+    const commentData = await modelInstance.select({
+      user_id: userInfo.objectId,
+      objectId: this.id,
+    });
+
+    if (!think.isEmpty(commentData)) {
+      return;
+    }
+
+    return this.ctx.throw(403);
   }
 
   /**
@@ -251,5 +280,30 @@ module.exports = class extends Base {
    * @apiSuccess  (200) {Number}  errno 0
    * @apiSuccess  (200) {String}  errmsg  return error message if error
    */
-  deleteAction() {}
+  async deleteAction() {
+    const { userInfo } = this.ctx.state;
+
+    if (think.isEmpty(userInfo)) {
+      return this.ctx.throw(401);
+    }
+
+    if (userInfo.type === 'administrator') {
+      return;
+    }
+
+    const modelInstance = this.service(
+      `storage/${this.config('storage')}`,
+      'Comment'
+    );
+    const commentData = await modelInstance.select({
+      user_id: userInfo.objectId,
+      objectId: this.id,
+    });
+
+    if (!think.isEmpty(commentData)) {
+      return;
+    }
+
+    return this.ctx.throw(403);
+  }
 };

package/src/logic/token.js

@@ -32,7 +32,9 @@ module.exports = class extends Base {
    * @apiSuccess  (200) {Number}  errno 0
    * @apiSuccess  (200) {String}  errmsg  return error message if error
    */
-  postAction() {}
+  postAction() {
+    return this.useCaptchaCheck();
+  }
 
   /**
    * @api {DELETE} /token  user logout

package/src/logic/user.js

@@ -33,7 +33,9 @@ module.exports = class extends Base {
    * @apiSuccess  (200) {Number}  errno 0
    * @apiSuccess  (200) {String}  errmsg  return error message if error
    */
-  postAction() {}
+  postAction() {
+    return this.useCaptchaCheck();
+  }
 
   /**
    * @api {PUT} /user update user profile

package/src/middleware/dashboard.js

@@ -12,6 +12,7 @@ module.exports = function () {
     <script>
     window.SITE_URL = ${JSON.stringify(process.env.SITE_URL)};
     window.SITE_NAME = ${JSON.stringify(process.env.SITE_NAME)};
+    window.recaptchaV3Key = ${JSON.stringify(process.env.RECAPTCHA_V3_KEY)};
     </script>
     <script src="${
       process.env.WALINE_ADMIN_MODULE_ASSET_URL || '//unpkg.com/@waline/admin'

package/src/service/storage/mysql.js

@@ -67,7 +67,7 @@ module.exports = class extends Base {
       return instance.count();
     }
 
-    instance.field([...group, 'COUNT(*) as count']);
+    instance.field([...group, 'COUNT(*) as count'].join(','));
     instance.group(group);
 
     return instance.select();
@@ -79,10 +79,9 @@ module.exports = class extends Base {
       delete data.objectId;
     }
     const date = new Date();
-    if (!data.createdAt)
-      data.createdAt = date;
-    if (!data.updatedAt)
-      data.updatedAt = date;
+
+    if (!data.createdAt) data.createdAt = date;
+    if (!data.updatedAt) data.updatedAt = date;
 
     const instance = this.model(this.tableName);
     const id = await instance.add(data);