mirrors
/
wekan
mirrorاز https://github.com/wekan/wekan.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313
							import { ReactiveCache } from '/imports/reactiveCache';
import { Exporter } from './exporter';
import { Meteor } from 'meteor/meteor';

/* global JsonRoutes */
if (Meteor.isServer) {
  import { Picker } from 'meteor/communitypackages:picker';

  // todo XXX once we have a real API in place, move that route there
  // todo XXX also  share the route definition between the client and the server
  // so that we could use something like
  // `ApiRoutes.path('boards/export', boardId)``
  // on the client instead of copy/pasting the route path manually between the
  // client and the server.
  /**
   * @operation exportJson
   * @tag Boards
   *
   * @summary This route is used to export the board to a json file format.
   *
   * @description If user is already logged-in, pass loginToken as param
   * "authToken": '/api/boards/:boardId/export?authToken=:token'
   *
   * See https://blog.kayla.com.au/server-side-route-authentication-in-meteor/
   * for detailed explanations
   *
   * @param {string} boardId the ID of the board we are exporting
   * @param {string} authToken the loginToken
   */
  JsonRoutes.add('get', '/api/boards/:boardId/export', function (req, res) {
    const boardId = req.params.boardId;
    let user = null;
    let impersonateDone = false;
    let adminId = null;

    // First check if board exists and is public to avoid unnecessary authentication
    const board = ReactiveCache.getBoard(boardId);
    if (!board) {
      JsonRoutes.sendResult(res, 404);
      return;
    }

    // If board is public, skip expensive authentication operations
    if (board.isPublic()) {
      // Public boards don't require authentication - skip hash operations
      const exporter = new Exporter(boardId);
      JsonRoutes.sendResult(res, {
        code: 200,
        data: exporter.build(),
      });
      return;
    }

    // Only perform expensive authentication for private boards
    const loginToken = req.query.authToken;
    if (loginToken) {
      // Validate token length to prevent resource abuse
      if (loginToken.length > 10000) {
        if (process.env.DEBUG === 'true') {
          console.warn('Suspiciously long auth token received, rejecting to prevent resource abuse');
        }
        JsonRoutes.sendResult(res, 400);
        return;
      }

      const hashToken = Accounts._hashLoginToken(loginToken);
      user = ReactiveCache.getUser({
        'services.resume.loginTokens.hashedToken': hashToken,
      });
      adminId = user._id.toString();
      impersonateDone = ReactiveCache.getImpersonatedUser({ adminId: adminId });
    } else if (!Meteor.settings.public.sandstorm) {
      Authentication.checkUserId(req.userId);
      user = ReactiveCache.getUser({ _id: req.userId, isAdmin: true });
    }

    const exporter = new Exporter(boardId);
    if (exporter.canExport(user) || impersonateDone) {
      if (impersonateDone) {
        ImpersonatedUsers.insert({
          adminId: adminId,
          boardId: boardId,
          reason: 'exportJSON',
        });
      }

      JsonRoutes.sendResult(res, {
        code: 200,
        data: exporter.build(),
      });
    } else {
      // we could send an explicit error message, but on the other hand the only
      // way to get there is by hacking the UI so let's keep it raw.
      JsonRoutes.sendResult(res, 403);
    }
  });

  // todo XXX once we have a real API in place, move that route there
  // todo XXX also  share the route definition between the client and the server
  // so that we could use something like
  // `ApiRoutes.path('boards/export', boardId)``
  // on the client instead of copy/pasting the route path manually between the
  // client and the server.
  /**
   * @operation exportJson
   * @tag Boards
   *
   * @summary This route is used to export a attachement to a json file format.
   *
   * @description If user is already logged-in, pass loginToken as param
   * "authToken": '/api/boards/:boardId/attachments/:attachmentId/export?authToken=:token'
   *
   *
   * @param {string} boardId the ID of the board we are exporting
   * @param {string} attachmentId the ID of the attachment we are exporting
   * @param {string} authToken the loginToken
   */
  JsonRoutes.add(
    'get',
    '/api/boards/:boardId/attachments/:attachmentId/export',
    function (req, res) {
      const boardId = req.params.boardId;
      const attachmentId = req.params.attachmentId;
      let user = null;
      let impersonateDone = false;
      let adminId = null;

      // First check if board exists and is public to avoid unnecessary authentication
      const board = ReactiveCache.getBoard(boardId);
      if (!board) {
        JsonRoutes.sendResult(res, 404);
        return;
      }

      // If board is public, skip expensive authentication operations
      if (board.isPublic()) {
        // Public boards don't require authentication - skip hash operations
        const exporter = new Exporter(boardId, attachmentId);
        JsonRoutes.sendResult(res, {
          code: 200,
          data: exporter.build(),
        });
        return;
      }

      // Only perform expensive authentication for private boards
      const loginToken = req.query.authToken;
      if (loginToken) {
        // Validate token length to prevent resource abuse
        if (loginToken.length > 10000) {
          if (process.env.DEBUG === 'true') {
            console.warn('Suspiciously long auth token received, rejecting to prevent resource abuse');
          }
          JsonRoutes.sendResult(res, 400);
          return;
        }

        const hashToken = Accounts._hashLoginToken(loginToken);
        user = ReactiveCache.getUser({
          'services.resume.loginTokens.hashedToken': hashToken,
        });
        adminId = user._id.toString();
        impersonateDone = ReactiveCache.getImpersonatedUser({ adminId: adminId });
      } else if (!Meteor.settings.public.sandstorm) {
        Authentication.checkUserId(req.userId);
        user = ReactiveCache.getUser({ _id: req.userId, isAdmin: true });
      }

      const exporter = new Exporter(boardId, attachmentId);
      if (exporter.canExport(user) || impersonateDone) {
        if (impersonateDone) {
          ImpersonatedUsers.insert({
            adminId: adminId,
            boardId: boardId,
            attachmentId: attachmentId,
            reason: 'exportJSONattachment',
          });
        }
        JsonRoutes.sendResult(res, {
          code: 200,
          data: exporter.build(),
        });
      } else {
        // we could send an explicit error message, but on the other hand the only
        // way to get there is by hacking the UI so let's keep it raw.
        JsonRoutes.sendResult(res, 403);
      }
    },
  );

  /**
   * @operation exportCSV/TSV
   * @tag Boards
   *
   * @summary This route is used to export the board to a CSV or TSV file format.
   *
   * @description If user is already logged-in, pass loginToken as param
   *
   * See https://blog.kayla.com.au/server-side-route-authentication-in-meteor/
   * for detailed explanations
   *
   * @param {string} boardId the ID of the board we are exporting
   * @param {string} authToken the loginToken
   * @param {string} delimiter delimiter to use while building export. Default is comma ','
   */
  Picker.route('/api/boards/:boardId/export/csv', function (params, req, res) {
    const boardId = params.boardId;
    let user = null;
    let impersonateDone = false;
    let adminId = null;

    // First check if board exists and is public to avoid unnecessary authentication
    const board = ReactiveCache.getBoard(boardId);
    if (!board) {
      res.writeHead(404);
      res.end('Board not found');
      return;
    }

    // If board is public, skip expensive authentication operations
    if (board.isPublic()) {
      // Public boards don't require authentication - skip hash operations
      const exporter = new Exporter(boardId);

      if( params.query.delimiter == "\t" ) {
        // TSV file
        res.writeHead(200, {
          'Content-Type': 'text/tsv',
        });
      }
      else {
        // CSV file (comma or semicolon)
        res.writeHead(200, {
          'Content-Type': 'text/csv; charset=utf-8',
        });
        // Adding UTF8 BOM to quick fix MS Excel issue
        // use Uint8Array to prevent from converting bytes to string
        res.write(new Uint8Array([0xEF, 0xBB, 0xBF]));
      }
      res.write(exporter.buildCsv(params.query.delimiter, 'en'));
      res.end();
      return;
    }

    // Only perform expensive authentication for private boards
    const loginToken = params.query.authToken;
    if (loginToken) {
      // Validate token length to prevent resource abuse
      if (loginToken.length > 10000) {
        if (process.env.DEBUG === 'true') {
          console.warn('Suspiciously long auth token received, rejecting to prevent resource abuse');
        }
        res.writeHead(400);
        res.end('Invalid token');
        return;
      }

      const hashToken = Accounts._hashLoginToken(loginToken);
      user = ReactiveCache.getUser({
        'services.resume.loginTokens.hashedToken': hashToken,
      });
      adminId = user._id.toString();
      impersonateDone = ReactiveCache.getImpersonatedUser({ adminId: adminId });
    } else if (!Meteor.settings.public.sandstorm) {
      Authentication.checkUserId(req.userId);
      user = ReactiveCache.getUser({
        _id: req.userId,
        isAdmin: true,
      });
    }

    const exporter = new Exporter(boardId);
    if (exporter.canExport(user) || impersonateDone) {
      if (impersonateDone) {
        let exportType = 'exportCSV';
        if( params.query.delimiter == "\t" ) {
          exportType = 'exportTSV';
        }
        ImpersonatedUsers.insert({
          adminId: adminId,
          boardId: boardId,
          reason: exportType,
        });
      }

      let userLanguage = 'en';
      if (user && user.profile) {
        userLanguage = user.profile.language
      }

      if( params.query.delimiter == "\t" ) {
        // TSV file
        res.writeHead(200, {
          'Content-Type': 'text/tsv',
        });
      }
      else {
        // CSV file (comma or semicolon)
        res.writeHead(200, {
          'Content-Type': 'text/csv; charset=utf-8',
        });
        // Adding UTF8 BOM to quick fix MS Excel issue
        // use Uint8Array to prevent from converting bytes to string
        res.write(new Uint8Array([0xEF, 0xBB, 0xBF]));
      }
      res.write(exporter.buildCsv(params.query.delimiter, userLanguage));
      res.end();
    } else {
      res.writeHead(403);
      res.end('Permission Error');
    }
  });
}