npm - free-be-account - Versions diffs - 0.0.26 → 0.0.27 - Mend

free-be-account 0.0.26 → 0.0.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.js +157 -0
package/package.json +1 -1

package/index.js CHANGED Viewed

@@ -451,6 +451,16 @@ module.exports = (app) => ({
             Read: { type: 'Boolean', default: false },
             Category: { type: 'String' },
         },
+        // 静态资源访问权限控制
+        staticResourcePermissionControl: {
+            User: { type: 'String', refer: 'account', required: true }, // 创建用户
+            ResourcePath: { type: 'String', index: true, required: true, unique: true }, // 资源路径
+            Users: { type: 'String' },       // 逗号分割的字符串，每一个代表一个允许访问的用户ID, self代表资源创建者本人
+            Referers: { type: 'String' },    // 逗号分割的字符串，每一个代表一个允许访问的来源
+            Permissions: { type: 'String' }, // 逗号分割的字符串，每一个代表一个api路径
+        },
     },
     utils: {
         verify_api_permission,
@@ -1560,6 +1570,153 @@ module.exports = (app) => ({
             }
         },
         onRoutersReady: async (app, m) => {
+            // file uploads
+            app.post(
+                `${app.config.baseUrl}/upload`,
+                async (req, res, next) => {
+                    if (!res.locals.data?.id) return next();
+                    if (!req.body?.perms && !req.body?.refs && !req.body?.users) return next();
+                    // save the permission control info
+                    const assetsFilePath = res.locals.data?.id.split(/[\\|/]/g).slice(-2).join('/');
+                    await app.models.staticResourcePermissionControl.create({
+                        User: req.user?.id,
+                        ResourcePath: assetsFilePath,
+                        Users: req.body?.users || '',
+                        Permissions: req.body?.perms || '',
+                        Referers: req.body?.refs || '',
+                    })
+                    return next();
+                }
+            );
+            // multiple files upload
+            app.post(
+                `${app.config.baseUrl}/uploads`,
+                async (req, res, next) => {
+                    if (!res.locals.data?.length) return next();
+                    if (!req.body?.perms && !req.body?.refs && !req.body?.users) return next();
+                    // save the permission control info
+                    for (let i = 0; i < res.loals.data.length; i += 1) {
+                        const resi = res.locals.data[i];
+                        if (!resi?.id) continue;
+                        const assetsFilePath = resi?.id.split(/[\\|/]/g).slice(-2).join('/');
+                        await app.models.staticResourcePermissionControl.create({
+                            User: req.user?.id,
+                            ResourcePath: assetsFilePath,
+                            Users: req.body?.users || '',
+                            Permissions: req.body?.perms || '',
+                            Referers: req.body?.refs || '',
+                        })
+                    }
+                    return next();
+                }
+            );
+            // 静态资源身份验证
+            async function checkPerm (req) {
+                // 验证是静态资源请求
+                const assetsPath = req.originalUrl;
+                if (!assetsPath || !assetsPath.startsWith(app.config.assetsUrlPrefix)) {
+                    return false;
+                }
+                // 获取当前资源的权限控制
+                const assetsFilePath = assetsPath.replace(app.config.assetsUrlPrefix, '').split(/[\\|/]/g).slice(-2).join('/');
+                const assetsPerm = await app.models.staticResourcePermissionControl.findOne({ ResourcePath: assetsFilePath }).lean();
+                // 如果没有保存对应的权限控制，说明是公开资源
+                if (!assetsPerm || (!assetsPerm.Users && !assetsPerm.Permissions && !assetsPerm.Referers)) {
+                    return true;
+                }
+                // 验证referer。并不完全可靠，但能防一部分无脑盗链
+                // 配置可能太复杂，所以先不需要
+                const neededReferer = assetsPerm.Referers || '';
+                // check referrer
+                const referer = req.get('Referer') || '';
+                let refererPath = '/';
+                try {
+                    const urlObj = new URL(referer);
+                    refererPath = urlObj.pathname;
+                } catch (ex) {
+                    refererPath = '/';
+                }
+                if (!refererPath || refererPath === '/') {
+                    return false;
+                }
+                const refererMatched = /^\/pdfjs(_.+)?\/web\/viewer.html$/.test(refererPath) || neededReferer.split(/,|，/).map((nr) => new RegExp(nr)).some((reg) => reg.test(refererPath));
+                if (!refererMatched) {
+                    return false;
+                }
+                // 验证host。并不完全可靠，但能防一部分无脑盗链
+                const host = req.get('Host') || '';
+                if (!host || (app.config.host !== host && app.config.host !== `https://${host}` && app.config.host !== `http://${host}`)) {
+                    return false;
+                }
+                // 验证用户
+                const neededUsers = assetsPerm.Users || '';
+                if (neededUsers) {
+                    if (!req.user?.id) return false;
+                    const userList = neededUsers.split(/,|，/) || [];
+                    let userMatched = false;
+                    for (let i = 0; i < userList.length; i += 1) {
+                        const u = userList[i];
+                        if ((u.toLowerCase() === 'self' && req.user.id === assetsPerm.User.toString()) || req.user.id === u) {
+                            userMatched = true;
+                            break;
+                        }
+                    }
+                    if (!userMatched) {
+                        return false;
+                    }
+                }
+                // 验证权限
+                const neededPerms = assetsPerm.Permissions || '';
+                const permList = neededPerms.split(/,|，/) || [];
+                if (permList.length <= 0) {
+                    return true;
+                }
+                // 验证权限列表
+                if (!req.user?.id) {
+                    return false;
+                }
+                let hasPerm = false;
+                for (let i = 0; i < permList.length; i += 1) {
+                    const p = permList[i];
+                    if (verify_api_permission(req.app, m, req.user, p)) {
+                        hasPerm = true;
+                        break;
+                    }
+                }
+                return hasPerm;
+            }
+            app.use(`/assets`, async (req, res, next) => {
+                if (await checkPerm(req)) {
+                    return next()
+                } else {
+                    res.status(404).end();
+                }
+            });
             // create default user if it's an empty db
             if (await m.models['account'].countDocuments({}) <= 0) {
                 // let perms = app.ctx.serviceList()

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "free-be-account",
-  "version": "0.0.26",
+  "version": "0.0.27",
   "main": "index.js",
   "license": "UNLICENSED",
   "repository": {