From 320d33c5fae46037f836980349c83abf77293c74 Mon Sep 17 00:00:00 2001 From: Regalijan <72576136+Regalijan@users.noreply.github.com> Date: Mon, 23 Oct 2023 20:32:18 -0400 Subject: [PATCH] Maybe fix signed links? --- functions/api/me/items/[type]/[id].ts | 30 ++++++++++++++++----------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/functions/api/me/items/[type]/[id].ts b/functions/api/me/items/[type]/[id].ts index cbb8fc6..40e8056 100644 --- a/functions/api/me/items/[type]/[id].ts +++ b/functions/api/me/items/[type]/[id].ts @@ -15,7 +15,18 @@ export async function onRequestGet(context: RequestContext) { user?: { id: string; username: string }; } & { [k: string]: any }; + if (data?.user?.id !== context.data.current_user.id) + return jsonError("Item does not exist", 404); + if (type === "report") { + let unsignedUrls = []; + const exp = Math.round(Date.now() / 1000) + 1800; + + for (const attachment of data.attachments) + unsignedUrls.push( + `https://mediaproxy.carcrushers.cc/${attachment}?Expires=${exp}&KeyName=portal-media-linkgen`, + ); + let resolvedUrls = []; let signingPromises = []; const key = await crypto.subtle.importKey( @@ -28,14 +39,14 @@ export async function onRequestGet(context: RequestContext) { ["sign"], ); - const exp = Math.round(Date.now() / 1000) + 1800; - - for (const attachment of data.attachments) { - const unsignedUrl = `https://mediaproxy.carcrushers.cc/${attachment}?Expires=${exp}&KeyName=portal-media-linkgen`; + for (let i = 0; i < unsignedUrls.length; i++) signingPromises.push( - crypto.subtle.sign("HMAC", key, new TextEncoder().encode(unsignedUrl)), + crypto.subtle.sign( + "HMAC", + key, + new TextEncoder().encode(unsignedUrls[i]), + ), ); - } let signatures: ArrayBuffer[]; 
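Review bot: Each `attachment` is interpolated unescaped into the string that is later signed (`${attachment}?Expires=${exp}&KeyName=portal-media-linkgen`), so a stored name containing `?`, `#`, `&` or `..` makes the signed string differ from the URL the proxy will actually parse. If uploaders can influence attachment names, validate them against the expected key format or encode each path segment before building the URL, for example `attachment.split("/").map(encodeURIComponent).join("/")`; confirm the proxy verifies the signature over the encoded form. `data.attachments` is also iterated with no guard; presumably every report carries the array, but `data.attachments ?? []` would avoid a throw when one does not.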
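Review bot: The new signing loop, `for (let i = 0; i < unsignedUrls.length; i++)`, allocates a fresh `TextEncoder` for every URL and indexes an array it only reads in order. Hoisting one encoder and mapping is shorter and keeps the promise order tied to `unsignedUrls`: `const enc = new TextEncoder();` followed by `signingPromises = unsignedUrls.map((u) => crypto.subtle.sign("HMAC", key, enc.encode(u)));`. The code that awaits these promises sits outside this hunk.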
@@ -49,9 +60,7 @@ export async function onRequestGet(context: RequestContext) { for (let i = 0; i < signatures.length; i++) { resolvedUrls.push( - `https://mediaproxy.carcrushers.cc/${ - data.attachments[i] - }?Expires=${exp}&KeyName=portal-media-linkgen&Signature=${btoa( + `${unsignedUrls[i]}Signature=${btoa( String.fromCharCode(...new Uint8Array(signatures[i])), ) .replaceAll("+", "-") @@ -63,8 +72,5 @@ export async function onRequestGet(context: RequestContext) { data.resolved_attachments = resolvedUrls; } - if (data?.user?.id !== context.data.current_user.id) - return jsonError("Item does not exist", 404); - return jsonResponse(JSON.stringify(data)); }
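Review bot: The rebuilt link drops the `&` separator before `Signature=`. The removed template ended in `&KeyName=portal-media-linkgen&Signature=`, while the new one appends `Signature=` directly to `unsignedUrls[i]`, which ends in `KeyName=portal-media-linkgen`. The resulting query has a `KeyName` value of `portal-media-linkgenSignature=...` and no `Signature` parameter, so the proxy would be expected to reject every link. The line should read `${unsignedUrls[i]}&Signature=${btoa(`; the signed input stays the URL without the signature, which `unsignedUrls[i]` already is. The `.replaceAll` chain that makes the base64 URL-safe continues past the end of this hunk.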