stream: encrypt cached stream data & clean up related modules

also limited CORS methods to GET and POST
2024-03-05 18:14:26 +06:00
parent 8d8b04dd1f
commit e282a9183f
4 changed files with 88 additions and 33 deletions
--- a/src/core/api.js
+++ b/src/core/api.js
@@ -51,7 +51,11 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {

    app.set('trust proxy', ['loopback', 'uniquelocal']);

-    app.use('/api/:type', cors(corsConfig));
+    app.use('/api/:type', cors({
+        methods: ['GET', 'POST'],
+        ...corsConfig
+    }));
+
    app.use('/api/json', apiLimiter);
    app.use('/api/stream', apiLimiterStream);
    app.use('/api/onDemand', apiLimiter);
@@ -60,6 +64,7 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
        try { decodeURIComponent(req.path) } catch (e) { return res.redirect('/') }
        next();
    });
+
    app.use('/api/json', express.json({
        verify: (req, res, buf) => {
            let acceptCon = String(req.header('Accept')) === "application/json";
@@ -71,6 +76,7 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
            }
        }
    }));
+
    // handle express.json errors properly (https://github.com/expressjs/express/issues/4065)
    app.use('/api/json', (err, req, res, next) => {
        let errorText = "invalid json body";
@@ -86,6 +92,7 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
            next();
        }
    });
+
    app.post('/api/json', async (req, res) => {
        try {
            let lang = languageCode(req);
@@ -118,13 +125,17 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
        try {
            switch (req.params.type) {
                case 'stream':
-                    if (req.query.t && req.query.h && req.query.e && req.query.t.toString().length === 21
-                    && req.query.h.toString().length === 64 && req.query.e.toString().length === 13) {
-                        let streamInfo = verifyStream(req.query.t, req.query.h, req.query.e);
+                    const q = req.query;
+                    const checkQueries = q.t && q.e && q.h && q.s && q.i;
+                    const checkBaseLength = q.t.length === 21 && q.e.length === 13;
+                    const checkSafeLength = q.h.length === 44 && q.s.length === 344 && q.i.length === 24;
+
+                    if (checkQueries && checkBaseLength && checkSafeLength) {
+                        let streamInfo = verifyStream(q.t, q.h, q.e, q.s, q.i);
                        if (streamInfo.error) {
                            return res.status(streamInfo.status).json(apiJSON(0, { t: streamInfo.error }).body);
                        }
-                        if (req.query.p) {
+                        if (q.p) {
                            return res.status(200).json({
                                status: "continue"
                            });
@@ -132,7 +143,7 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
                        return stream(res, streamInfo);
                    } else {
                        let j = apiJSON(0, {
-                            t: "stream token, hmac, or expiry timestamp is missing"
+                            t: "bad request. stream link may be incomplete or corrupted."
                        })
                        return res.status(j.status).json(j.body);
                    }
@@ -159,12 +170,15 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
            });
        }
    });
+
    app.get('/api/status', (req, res) => {
        res.status(200).end()
    });
+
    app.get('/favicon.ico', (req, res) => {
        res.sendFile(`${__dirname}/src/front/icons/favicon.ico`)
    });
+
    app.get('/*', (req, res) => {
        res.redirect('/api/json')
    });