Maybe fix signed links?

regalijan · Oct 24, 2023 · 320d33c · 320d33c
1 parent 4559349
commit 320d33c
Showing 1 changed file with 18 additions and 12 deletions.
diff --git a/functions/api/me/items/[type]/[id].ts b/functions/api/me/items/[type]/[id].ts
@@ -15,7 +15,18 @@ export async function onRequestGet(context: RequestContext) {
     user?: { id: string; username: string };
   } & { [k: string]: any };
 
+  if (data?.user?.id !== context.data.current_user.id)
+    return jsonError("Item does not exist", 404);
+
   if (type === "report") {
+    let unsignedUrls = [];
+    const exp = Math.round(Date.now() / 1000) + 1800;
+
+    for (const attachment of data.attachments)
+      unsignedUrls.push(
+        `https://mediaproxy.carcrushers.cc/${attachment}?Expires=${exp}&KeyName=portal-media-linkgen`,
+      );
+
     let resolvedUrls = [];
     let signingPromises = [];
     const key = await crypto.subtle.importKey(
@@ -28,14 +39,14 @@ export async function onRequestGet(context: RequestContext) {
       ["sign"],
     );
 
-    const exp = Math.round(Date.now() / 1000) + 1800;
-
-    for (const attachment of data.attachments) {
-      const unsignedUrl = `https://mediaproxy.carcrushers.cc/${attachment}?Expires=${exp}&KeyName=portal-media-linkgen`;
+    for (let i = 0; i < unsignedUrls.length; i++)
       signingPromises.push(
-        crypto.subtle.sign("HMAC", key, new TextEncoder().encode(unsignedUrl)),
+        crypto.subtle.sign(
+          "HMAC",
+          key,
+          new TextEncoder().encode(unsignedUrls[i]),
+        ),
       );
-    }
 
     let signatures: ArrayBuffer[];
 
@@ -49,9 +60,7 @@ export async function onRequestGet(context: RequestContext) {
 
     for (let i = 0; i < signatures.length; i++) {
       resolvedUrls.push(
-        `https://mediaproxy.carcrushers.cc/${
-          data.attachments[i]
-        }?Expires=${exp}&KeyName=portal-media-linkgen&Signature=${btoa(
+        `${unsignedUrls[i]}Signature=${btoa(
           String.fromCharCode(...new Uint8Array(signatures[i])),
         )
           .replaceAll("+", "-")
@@ -63,8 +72,5 @@ export async function onRequestGet(context: RequestContext) {
     data.resolved_attachments = resolvedUrls;
   }
 
-  if (data?.user?.id !== context.data.current_user.id)
-    return jsonError("Item does not exist", 404);
-
   return jsonResponse(JSON.stringify(data));
 }