[pocketbase#215] added server-side handlers for serving private files

spxvszero · Apr 4, 2023 · 64c3e3b · 64c3e3b
1 parent 9f76ad2
commit 64c3e3b
Show file tree

Hide file tree

Showing 21 changed files with 519 additions and 42 deletions.
diff --git a/apis/collection_test.go b/apis/collection_test.go
@@ -1097,7 +1097,7 @@ func TestCollectionUpdate(t *testing.T) {
 	}
 }
 
-func TestCollectionImport(t *testing.T) {
+func TestCollectionsImport(t *testing.T) {
 	totalCollections := 10
 
 	scenarios := []tests.ApiScenario{
@@ -1157,7 +1157,7 @@ func TestCollectionImport(t *testing.T) {
 			},
 			ExpectedEvents: map[string]int{
 				"OnCollectionsBeforeImportRequest": 1,
-				"OnModelBeforeDelete":              7,
+				"OnModelBeforeDelete":              4,
 			},
 			AfterTestFunc: func(t *testing.T, app *tests.TestApp, e *echo.Echo) {
 				collections := []*models.Collection{}

diff --git a/apis/file.go b/apis/file.go
@@ -1,13 +1,23 @@
 package apis
 
 import (
+	"errors"
 	"fmt"
+	"log"
+	"net/http"
+	"strings"
 
 	"github.com/labstack/echo/v5"
+	"github.com/pocketbase/dbx"
 	"github.com/pocketbase/pocketbase/core"
 	"github.com/pocketbase/pocketbase/models"
 	"github.com/pocketbase/pocketbase/models/schema"
+	"github.com/pocketbase/pocketbase/resolvers"
+	"github.com/pocketbase/pocketbase/tokens"
 	"github.com/pocketbase/pocketbase/tools/list"
+	"github.com/pocketbase/pocketbase/tools/search"
+	"github.com/pocketbase/pocketbase/tools/security"
+	"github.com/spf13/cast"
 )
 
 var imageContentTypes = []string{"image/png", "image/jpg", "image/jpeg", "image/gif"}
@@ -18,6 +28,7 @@ func bindFileApi(app core.App, rg *echo.Group) {
 	api := fileApi{app: app}
 
 	subGroup := rg.Group("/files", ActivityLogger(app))
+	subGroup.POST("/token", api.fileToken, RequireAdminOrRecordAuth())
 	subGroup.HEAD("/:collection/:recordId/:filename", api.download, LoadCollectionContext(api.app))
 	subGroup.GET("/:collection/:recordId/:filename", api.download, LoadCollectionContext(api.app))
 }
@@ -26,6 +37,37 @@ type fileApi struct {
 	app core.App
 }
 
+func (api *fileApi) fileToken(c echo.Context) error {
+	event := new(core.FileTokenEvent)
+	event.HttpContext = c
+
+	if admin, _ := c.Get(ContextAdminKey).(*models.Admin); admin != nil {
+		event.Model = admin
+		event.Token, _ = tokens.NewAdminFileToken(api.app, admin)
+	} else if record, _ := c.Get(ContextAuthRecordKey).(*models.Record); record != nil {
+		event.Model = record
+		event.Token, _ = tokens.NewRecordFileToken(api.app, record)
+	}
+
+	handlerErr := api.app.OnFileBeforeTokenRequest().Trigger(event, func(e *core.FileTokenEvent) error {
+		if e.Token == "" {
+			return NewBadRequestError("Failed to generate file token.", nil)
+		}
+
+		return e.HttpContext.JSON(http.StatusOK, map[string]string{
+			"token": e.Token,
+		})
+	})
+
+	if handlerErr == nil {
+		if err := api.app.OnFileAfterTokenRequest().Trigger(event); err != nil && api.app.IsDebug() {
+			log.Println(err)
+		}
+	}
+
+	return handlerErr
+}
+
 func (api *fileApi) download(c echo.Context) error {
 	collection, _ := c.Get(ContextCollectionKey).(*models.Collection)
 	if collection == nil {
@@ -49,7 +91,21 @@ func (api *fileApi) download(c echo.Context) error {
 		return NewNotFoundError("", nil)
 	}
 
-	options, _ := fileField.Options.(*schema.FileOptions)
+	options, ok := fileField.Options.(*schema.FileOptions)
+	if !ok {
+		return NewBadRequestError("", errors.New("Failed to load file options."))
+	}
+
+	// check whether the request is authorized to view the private file
+	if options.Private {
+		token := c.QueryParam("token")
+
+		adminOrAuthRecord, _ := api.findAdminOrAuthRecordByFileToken(token)
+
+		if !api.canAccessRecord(adminOrAuthRecord, record, record.Collection().ViewRule) {
+			return NewForbiddenError("Invalid file token or unsufficient permissions to access the resource.", nil)
+		}
+	}
 
 	baseFilesPath := record.BaseFilesPath()
 
@@ -119,3 +175,77 @@ func (api *fileApi) download(c echo.Context) error {
 		return nil
 	})
 }
+
+func (api *fileApi) findAdminOrAuthRecordByFileToken(fileToken string) (models.Model, error) {
+	fileToken = strings.TrimSpace(fileToken)
+	if fileToken == "" {
+		return nil, errors.New("missing file token")
+	}
+
+	claims, _ := security.ParseUnverifiedJWT(strings.TrimSpace(fileToken))
+	tokenType := cast.ToString(claims["type"])
+
+	switch tokenType {
+	case tokens.TypeAdmin:
+		admin, err := api.app.Dao().FindAdminByToken(
+			fileToken,
+			api.app.Settings().AdminFileToken.Secret,
+		)
+		if err == nil && admin != nil {
+			return admin, nil
+		}
+	case tokens.TypeAuthRecord:
+		record, err := api.app.Dao().FindAuthRecordByToken(
+			fileToken,
+			api.app.Settings().RecordFileToken.Secret,
+		)
+		if err == nil && record != nil {
+			return record, nil
+		}
+	}
+
+	return nil, errors.New("missing or invalid file token")
+}
+
+// @todo move to a helper and maybe combine with the realtime checks when refactoring the realtime service
+func (api *fileApi) canAccessRecord(adminOrAuthRecord models.Model, record *models.Record, accessRule *string) bool {
+	admin, _ := adminOrAuthRecord.(*models.Admin)
+	if admin != nil {
+		// admins can access everything
+		return true
+	}
+
+	if accessRule == nil {
+		// only admins can access this record
+		return false
+	}
+
+	ruleFunc := func(q *dbx.SelectQuery) error {
+		if *accessRule == "" {
+			return nil // empty public rule
+		}
+
+		// mock request data
+		requestData := &models.RequestData{
+			Method: "GET",
+		}
+		requestData.AuthRecord, _ = adminOrAuthRecord.(*models.Record)
+
+		resolver := resolvers.NewRecordFieldResolver(api.app.Dao(), record.Collection(), requestData, true)
+		expr, err := search.FilterData(*accessRule).BuildExpr(resolver)
+		if err != nil {
+			return err
+		}
+		resolver.UpdateQuery(q)
+		q.AndWhere(expr)
+
+		return nil
+	}
+
+	foundRecord, err := api.app.Dao().FindRecordById(record.Collection().Id, record.Id, ruleFunc)
+	if err == nil && foundRecord != nil {
+		return true
+	}
+
+	return false
+}
diff --git a/apis/file_test.go b/apis/file_test.go
@@ -8,9 +8,60 @@ import (
 	"runtime"
 	"testing"
 
+	"github.com/labstack/echo/v5"
+	"github.com/pocketbase/pocketbase/daos"
 	"github.com/pocketbase/pocketbase/tests"
+	"github.com/pocketbase/pocketbase/tools/types"
 )
 
+func TestFileToken(t *testing.T) {
+	scenarios := []tests.ApiScenario{
+		{
+			Name:            "unauthorized",
+			Method:          http.MethodPost,
+			Url:             "/api/files/token",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{`"data":{}`},
+		},
+		{
+			Name:   "auth record",
+			Method: http.MethodPost,
+			Url:    "/api/files/token",
+			RequestHeaders: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6IjRxMXhsY2xtZmxva3UzMyIsInR5cGUiOiJhdXRoUmVjb3JkIiwiY29sbGVjdGlvbklkIjoiX3BiX3VzZXJzX2F1dGhfIiwiZXhwIjoyMjA4OTg1MjYxfQ.UwD8JvkbQtXpymT09d7J6fdA0aP9g4FJ1GPh_ggEkzc",
+			},
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"token":"`,
+			},
+			ExpectedEvents: map[string]int{
+				"OnFileBeforeTokenRequest": 1,
+				"OnFileAfterTokenRequest":  1,
+			},
+		},
+		{
+			Name:   "admin",
+			Method: http.MethodPost,
+			Url:    "/api/files/token",
+			RequestHeaders: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhZG1pbiIsImV4cCI6MjIwODk4NTI2MX0.M1m--VOqGyv0d23eeUc0r9xE8ZzHaYVmVFw1VZW6gT8",
+			},
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"token":"`,
+			},
+			ExpectedEvents: map[string]int{
+				"OnFileBeforeTokenRequest": 1,
+				"OnFileAfterTokenRequest":  1,
+			},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
+
 func TestFileDownload(t *testing.T) {
 	_, currentFile, _, _ := runtime.Caller(0)
 	dataDirRelPath := "../tests/data/"
@@ -176,6 +227,125 @@ func TestFileDownload(t *testing.T) {
 				"OnFileDownloadRequest": 1,
 			},
 		},
+
+		// private file access checks
+		{
+			Name:            "private file - expired token",
+			Method:          http.MethodGet,
+			Url:             "/api/files/_pb_users_auth_/oap640cot4yru2s/test_kfd2wYLxkz.txt?thumb=100x100",
+			ExpectedStatus:  200,
+			ExpectedContent: []string{string(testFile)},
+			ExpectedEvents: map[string]int{
+				"OnFileDownloadRequest": 1,
+			},
+		},
+		{
+			Name:            "private file - admin with expired file token",
+			Method:          http.MethodGet,
+			Url:             "/api/files/demo1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsImV4cCI6MTY0MDk5MTY2MSwidHlwZSI6ImFkbWluIn0.g7Q_3UX6H--JWJ7yt1Hoe-1ugTX1KpbKzdt0zjGSe-E",
+			ExpectedStatus:  403,
+			ExpectedContent: []string{`"data":{}`},
+		},
+		{
+			Name:            "private file - admin with valid file token",
+			Method:          http.MethodGet,
+			Url:             "/api/files/demo1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsImV4cCI6MTg5MzQ1MjQ2MSwidHlwZSI6ImFkbWluIn0.LyAMpSfaHVsuUqIlqqEbhDQSdFzoPz_EIDcb2VJMBsU",
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"PNG"},
+			ExpectedEvents: map[string]int{
+				"OnFileDownloadRequest": 1,
+			},
+		},
+		{
+			Name:            "private file - guest without view access",
+			Method:          http.MethodGet,
+			Url:             "/api/files/demo1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png",
+			ExpectedStatus:  403,
+			ExpectedContent: []string{`"data":{}`},
+		},
+		{
+			Name:   "private file - guest with view access",
+			Method: http.MethodGet,
+			Url:    "/api/files/demo1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png",
+			BeforeTestFunc: func(t *testing.T, app *tests.TestApp, e *echo.Echo) {
+				dao := daos.New(app.Dao().DB())
+
+				// mock public view access
+				c, err := dao.FindCollectionByNameOrId("demo1")
+				if err != nil {
+					t.Fatalf("Failed to fetch mock collection: %v", err)
+				}
+				c.ViewRule = types.Pointer("")
+				if err := dao.SaveCollection(c); err != nil {
+					t.Fatalf("Failed to update mock collection: %v", err)
+				}
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"PNG"},
+			ExpectedEvents: map[string]int{
+				"OnFileDownloadRequest": 1,
+			},
+		},
+		{
+			Name:   "private file - auth record without view access",
+			Method: http.MethodGet,
+			Url:    "/api/files/demo1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjRxMXhsY2xtZmxva3UzMyIsImV4cCI6MTg5MzQ1MjQ2MSwiY29sbGVjdGlvbklkIjoiX3BiX3VzZXJzX2F1dGhfIiwidHlwZSI6ImF1dGhSZWNvcmQifQ.0d_0EO6kfn9ijZIQWAqgRi8Bo1z7MKcg1LQpXhQsEPk",
+			BeforeTestFunc: func(t *testing.T, app *tests.TestApp, e *echo.Echo) {
+				dao := daos.New(app.Dao().DB())
+
+				// mock restricted user view access
+				c, err := dao.FindCollectionByNameOrId("demo1")
+				if err != nil {
+					t.Fatalf("Failed to fetch mock collection: %v", err)
+				}
+				c.ViewRule = types.Pointer("@request.auth.verified = true")
+				if err := dao.SaveCollection(c); err != nil {
+					t.Fatalf("Failed to update mock collection: %v", err)
+				}
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{`"data":{}`},
+		},
+		{
+			Name:   "private file - auth record with view access",
+			Method: http.MethodGet,
+			Url:    "/api/files/demo1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjRxMXhsY2xtZmxva3UzMyIsImV4cCI6MTg5MzQ1MjQ2MSwiY29sbGVjdGlvbklkIjoiX3BiX3VzZXJzX2F1dGhfIiwidHlwZSI6ImF1dGhSZWNvcmQifQ.0d_0EO6kfn9ijZIQWAqgRi8Bo1z7MKcg1LQpXhQsEPk",
+			BeforeTestFunc: func(t *testing.T, app *tests.TestApp, e *echo.Echo) {
+				dao := daos.New(app.Dao().DB())
+
+				// mock user view access
+				c, err := dao.FindCollectionByNameOrId("demo1")
+				if err != nil {
+					t.Fatalf("Failed to fetch mock collection: %v", err)
+				}
+				c.ViewRule = types.Pointer("@request.auth.verified = false")
+				if err := dao.SaveCollection(c); err != nil {
+					t.Fatalf("Failed to update mock collection: %v", err)
+				}
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"PNG"},
+			ExpectedEvents: map[string]int{
+				"OnFileDownloadRequest": 1,
+			},
+		},
+		{
+			Name:            "private file in view (view's View API rule failure)",
+			Method:          http.MethodGet,
+			Url:             "/api/files/view1/al1h9ijdeojtsjy/300_Jsjq7RdBgA.png?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjRxMXhsY2xtZmxva3UzMyIsImV4cCI6MTg5MzQ1MjQ2MSwiY29sbGVjdGlvbklkIjoiX3BiX3VzZXJzX2F1dGhfIiwidHlwZSI6ImF1dGhSZWNvcmQifQ.0d_0EO6kfn9ijZIQWAqgRi8Bo1z7MKcg1LQpXhQsEPk",
+			ExpectedStatus:  403,
+			ExpectedContent: []string{`"data":{}`},
+		},
+		{
+			Name:            "private file in view (view's View API rule success)",
+			Method:          http.MethodGet,
+			Url:             "/api/files/view1/84nmscqy84lsi1t/test_d61b33QdDU.txt?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjRxMXhsY2xtZmxva3UzMyIsImV4cCI6MTg5MzQ1MjQ2MSwiY29sbGVjdGlvbklkIjoiX3BiX3VzZXJzX2F1dGhfIiwidHlwZSI6ImF1dGhSZWNvcmQifQ.0d_0EO6kfn9ijZIQWAqgRi8Bo1z7MKcg1LQpXhQsEPk",
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"test"},
+			ExpectedEvents: map[string]int{
+				"OnFileDownloadRequest": 1,
+			},
+		},
 	}
 
 	for _, scenario := range scenarios {

diff --git a/apis/realtime.go b/apis/realtime.go
@@ -307,7 +307,7 @@ func (api *realtimeApi) canAccessRecord(client subscriptions.Client, record *mod
 			return nil // empty public rule
 		}
 
-		// emulate request data
+		// mock request data
 		requestData := &models.RequestData{
 			Method: "GET",
 		}