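/**
 * Builds one file record per entry in `req.files` and hands the list to `fn`.
 *
 * Everything but the two parameters comes from the enclosing scope: `req`, `conf`,
 * `price`, `_`, `rndm`, `mongoose`, `path`, and the outer `uploaded_season` /
 * `uploaded_episode` bindings that are written when season/episode are present.
 *
 * @param {object} media - media document; only `media.title` is read here
 * @param {function} fn - callback `fn(err, media, files)`; always called with `err === null`
 */
function collectFiles(media, fn) {
  var files = [];
  var hasEpisode = Boolean(req.body.season && req.body.episode);
  // Title (with an optional "-S<season>E<episode>" suffix) is the slugified part of the stored name;
  // it does not depend on the loop variable, so compute it once.
  var slug = hasEpisode
    ? media.title + "-S" + req.body.season + "E" + req.body.episode
    : media.title;

  for (var file in req.files) {
    var f = req.files[file];
    // NOTE(review): `f.extension` is client-supplied and goes into the filename, URL and on-disk
    // path unsanitised (only the title is slugified). Check it against an allow-list before
    // the record is persisted — confirm whether the upload middleware already does this.
    var filename = "DataZone" + '-' + _.str.slugify(slug) + '.' + f.extension;
    var directory = rndm(60); //TODO: put file to the hard disk with most space
    var newFile = {
      _id: mongoose.Types.ObjectId(),
      name: filename,
      orginal_name: f.originalname,
      extension: f.extension,
      size: f.size,
      ip: req.ip,
      time: new Date(),
      user: req.user.username,
      directory: directory,
      path: f.path,
      url: conf.fs_location['local'].uri + '/media/' + directory + '/' + filename,
      location: path.join(conf.fs_location['local'].parent, '/media/', directory, filename),
      location_parent: conf.fs_location['local'].parent,
      migrated: false,
      // explicit radix: `price[file]` arrives as request text, so "0x.." must not parse as hex
      price: parseInt(price[file], 10)
    };
    newFile.fs_location = newFile.location;
    if (hasEpisode) {
      // chained assignment also publishes the parsed values to the enclosing scope
      newFile.season = uploaded_season = parseInt(req.body.season, 10);
      newFile.episode = uploaded_episode = parseInt(req.body.episode, 10);
    }
    files.push(newFile);
  }
  fn(null, media, files);
},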
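/**
 * Moves the uploaded `req.files.file` into ../public/devices under a random, slugified name.
 *
 * `req`, `rndm`, `_`, `fse` and `path` come from the enclosing scope. `file` and `filename`
 * are assigned without a declaration here (as in the original), so they resolve to an outer
 * binding or an implicit global rather than a local.
 *
 * @param {function} fn - callback `fn(err)`; called with "no file" when nothing was uploaded,
 *   otherwise passed straight to `fse.move` as its completion callback
 */
function moveFile(fn) {
  file = req.files.file;
  // `return` matters: the original reported the error and then dereferenced `file` anyway
  if (!file) {
    return fn("no file");
  }
  // NOTE(review): only `originalname` is slugified; `file.extension` is taken from the upload
  // as-is and becomes part of the destination path. Restrict it to an allow-list upstream.
  filename = "v2h_" + rndm(5) + '-' + _.str.slugify(file.originalname) + '.' + file.extension;
  fse.move(file.path, path.join(__dirname, '../public/devices/', filename), fn)
},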
it('returns three stages of middleware', function () {
  var id = rndm();
  var hsuProtect = hsu({ secret: 'secretvalue' });
  // every call for the protected id must expose the three middleware stages
  ['setup', 'verify', 'complete'].forEach(function (stage) {
    expect(hsuProtect(id)).to.have.property(stage);
  });
});
it('and will timeout after the specified TTL', function (done) {
  this.timeout(3000);
  var shortHsuProtect = hsu({ secret: '%Y77JjYC9>d#,', ttl: 1 });
  var id = rndm();
  var app = createApp();
  var urlToSign = 'https://domain.com/reset/fail?user=6dg3tct749fj&ion=1&espv=2';
  var signedUrl;

  // signs the URL and keeps the parsed Url object for the follow-up request
  function signHandler(req, res, next) {
    signedUrl = url.parse(req.signUrl(urlToSign), true);
    res.status(200).end();
  }
  function okHandler(req, res, next) {
    res.status(200).end();
  }

  app.get('/account/reset', shortHsuProtect(id).setup, signHandler);
  app.get('/reset/fail', shortHsuProtect(id).verify, okHandler);
  app.use(timedOutErrorHandler);

  var agent = createAgent(app);
  agent
    .get('/account/reset')
    .expect(200, function (err, res) {
      if (err) {
        return done(err);
      }
      // wait two seconds (inside the 3s mocha timeout) so the short ttl elapses,
      // then the signed path must be rejected as timed out
      setTimeout(function () {
        // signedUrl is already a Url object; url.parse returns such objects unchanged
        agent
          .get(url.parse(signedUrl, true).path)
          .expect(403, /timed out/, done);
      }, 2000);
    })
});
it('provides a signUrl function', function (done) {
  var id = rndm();
  var app = createApp();
  app.get('/', hsuProtect(id).setup, function (req, res, next) {
    // the setup stage must attach a callable signUrl to the request
    var hasSignUrl = Object.keys(req).indexOf('signUrl') >= 0 && typeof req.signUrl === 'function';
    return res.status(200).send(hasSignUrl);
  });
  createAgent(app)
    .get('/')
    .expect(200, 'true', done);
});
it('and 403 upon verification failure', function (done) {
  var id = rndm();
  var app = createApp();
  var urlToSign = '/reset/fail';
  var signedUrl;

  // signs the URL, then alters the `user` query value so the signature no longer covers it
  function tamperHandler(req, res, next) {
    var parsed = url.parse(req.signUrl(urlToSign), true);
    parsed.query.user += '1';
    parsed.search = querystring.stringify(parsed.query);
    signedUrl = parsed.format();
    res.status(200).end();
  }

  app.get('/account/reset', hsuProtect(id).setup, tamperHandler);
  app.get('/reset/fail', hsuProtect(id).verify, function (req, res, next) {
    res.status(200).end();
  });
  app.use(tamperedErrorHandler);

  var agent = createAgent(app);
  agent
    .get('/account/reset')
    .expect(200, function (err, res) {
      if (err) {
        return done(err);
      }
      // the tampered URL must be rejected by the verify stage
      agent
        .get(url.parse(signedUrl, true).path)
        .expect(403, /tampered/, done);
    })
});
it('and remove the salt once complete', function (done) {
  var id = rndm();
  var app = createApp();
  var urlToSign = 'https://domain.com/reset?user=6dg3tct749fj&ion=1&espv=2';
  var signedUrl;
  var sessionKey = `hsu-${id}`;

  // reports whether the per-id HSU entry is currently present in the session
  function hasHsuEntry(req) {
    return Object.keys(req.session).indexOf(sessionKey) >= 0;
  }

  app.get('/', hsuProtect(id).setup, function (req, res, next) {
    signedUrl = req.signUrl(urlToSign);
    // right after signing the entry must exist
    return res.send(hasHsuEntry(req));
  });
  app.get('/reset', hsuProtect(id).verify, hsuProtect(id).complete, function (req, res, next) {
    req.hsuComplete();
    // once completed the entry must be gone
    return res.send(hasHsuEntry(req));
  });

  var agent = createAgent(app);
  agent
    .get('/')
    .expect(200, 'true', function (err, res) {
      if (err) {
        return done(err);
      }
      agent
        .get(url.parse(signedUrl, true).path)
        .expect(200, 'false', done);
    });
});
it('and will 403 if a previously signed URL is used', function (done) {
  var id = rndm();
  var app = createApp();
  var urlToSign = 'https://domain.com/reset/fail?user=6dg3tct749fj&ion=1&espv=2';
  var signedUrl;

  app.get('/account/reset', hsuProtect(id).setup, function (req, res, next) {
    // keep the first signature, then sign again; the test expects the second call to supersede it
    signedUrl = req.signUrl(urlToSign);
    req.signUrl(urlToSign);
    res.status(200).end();
  });
  app.get('/reset/fail', hsuProtect(id).verify, function (req, res, next) {
    res.status(200).end();
  });
  app.use(tamperedErrorHandler);

  var agent = createAgent(app);
  agent
    .get('/account/reset')
    .expect(200, function (err, res) {
      if (err) {
        return done(err);
      }
      // the superseded signed URL must now fail verification
      agent
        .get(url.parse(signedUrl, true).path)
        .expect(403, /tampered/, done);
    })
});
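/**
 * Converts an SRT buffer to WebVTT and writes the result into `basePath` under a random name.
 *
 * @param srtBuffer - raw SRT subtitle bytes
 * @returns the written file's name, directory, port, full path and its VTT contents
 * @throws rejects with the `srt2vtt` conversion error or the `fs.writeFile` error
 */
convertFromBuffer(srtBuffer: Buffer): Promise<subtitleType> {
  // NOTE(review): rndm() is not a CSPRNG, so the generated filename is guessable; acceptable
  // when basePath is private to this service, otherwise prefer crypto.randomBytes — confirm.
  const randomString = rndm(16);
  const filename = `${randomString}.vtt`;
  const { basePath, port } = this;
  const fullPath = path.join(basePath, filename);
  return new Promise((resolve, reject) => {
    srt2vtt(srtBuffer, (error: Error | undefined, vttBuffer: Buffer) => {
      // stop on conversion failure; the original rejected and then still wrote an undefined buffer
      if (error) {
        reject(error);
        return;
      }
      fs.writeFile(fullPath, vttBuffer, (writeError) => {
        // a failed write previously resolved as if it had succeeded; surface it instead
        if (writeError) {
          reject(writeError);
          return;
        }
        resolve({ filename, basePath, port, fullPath, buffer: vttBuffer });
      });
    });
  });
}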
it('and store the salt in the users session', function (done) {
  var id = rndm();
  var app = createApp();
  var urlToSign = 'https://domain.com/reset?user=6dg3tct749fj&ion=1&espv=2';
  app.get('/', hsuProtect(id).setup, function (req, res, next) {
    req.signUrl(urlToSign);
    // signing must leave an `hsu-<id>` entry in the session
    var stored = Object.keys(req.session).indexOf(`hsu-${id}`) >= 0;
    return res.send(stored);
  });
  createAgent(app)
    .get('/')
    .expect(200, 'true', done);
});
it('will only support one HMAC digest per ID at a time', function (done) {
  var id = rndm();
  var app = createApp();
  var urlToSign = 'https://domain.com/reset?user=6dg3tct749fj&ion=1&espv=2';
  var signedUrl;

  app.get('/account/reset', hsuProtect(id).setup, function (req, res, next) {
    // sign twice and keep only the latest signature; that is the one expected to verify
    req.signUrl(urlToSign);
    signedUrl = req.signUrl(urlToSign);
    res.status(200).end();
  });
  app.get('/reset', hsuProtect(id).verify, function (req, res, next) {
    res.status(200).end();
  });

  var agent = createAgent(app);
  agent
    .get('/account/reset')
    .expect(200, function (err, res) {
      if (err) {
        return done(err);
      }
      agent
        .get(url.parse(signedUrl, true).path)
        .expect(200, done);
    })
});
it('will protect the URL', function (done) {
  var id = rndm();
  var app = createApp();
  var urlToSign = 'https://domain.com/reset?user=6dg3tct749fj&ion=1&espv=2';
  var signedUrl;

  app.get('/reset/account', hsuProtect(id).setup, function (req, res, next) {
    signedUrl = req.signUrl(urlToSign);
    res.status(200).end();
  });
  app.get('/reset', hsuProtect(id).verify, function (req, res, next) {
    res.status(200).end();
  });
  app.use(tamperedErrorHandler);

  // sign with one agent ...
  createAgent(app)
    .get('/reset/account')
    .expect(200, function (err, res) {
      if (err) {
        return done(err);
      }
      // ... and present the signed URL from a fresh agent (a new client/session): it must be rejected
      createAgent(app)
        .get(url.parse(signedUrl, true).path)
        .expect(403, /tampered/, done);
    });
});
it('and verify it', function (done) {
  var id = rndm();
  var app = createApp();
  var urlToSign = '/reset';
  var signedUrl;

  app.get('/account/reset', hsuProtect(id).setup, function (req, res, next) {
    signedUrl = req.signUrl(urlToSign);
    res.status(200).end();
  });
  app.get('/reset', hsuProtect(id).verify, function (req, res, next) {
    res.status(200).end();
  });

  var agent = createAgent(app);
  agent
    .get('/account/reset')
    .expect(200, function (err, res) {
      if (err) {
        return done(err);
      }
      // the same agent (same session) presenting the signed path must pass verification
      agent
        .get(url.parse(signedUrl, true).path)
        .expect(200, done);
    })
});
"use strict";

/**
 * Salted-token generator and verifier. Works with or without `new`.
 *
 * @param {object} [options]
 * @param {number} [options.saltLength=8] - length of the random salt prefix
 * @param {number} [options.secretLength=18] - length passed to uid-safe when generating secrets
 * @throws {TypeError} when either length is not a finite number of at least 1
 */
function Tokens(options) {
  if (!(this instanceof Tokens)) {
    return new Tokens(options);
  }
  var opts = options || {};

  var saltLength = opts.saltLength !== undefined ? opts.saltLength : 8;
  if (typeof saltLength !== "number" || !isFinite(saltLength) || saltLength < 1) {
    throw new TypeError("option saltLength must be finite number > 1");
  }

  var secretLength = opts.secretLength !== undefined ? opts.secretLength : 18;
  if (typeof secretLength !== "number" || !isFinite(secretLength) || secretLength < 1) {
    throw new TypeError("option secretLength must be finite number > 1");
  }

  this.saltLength = saltLength;
  this.secretLength = secretLength;
}

var rndm = require("rndm");
var scmp = require("scmp");
var uid = require("uid-safe");
var crypto = require("crypto");
var escape = require("base64-url").escape;

module.exports = Tokens;

/**
 * Creates a token for `secret` with a fresh random salt.
 * NOTE(review): rndm is not a CSPRNG; the salt is public in the token, so the secret
 * (from uid-safe) carries the security, but a sha1 digest leaves no hash agility.
 *
 * @param {string} secret
 * @returns {string} `<salt>-<base64url digest>`
 * @throws {TypeError} when secret is not a non-empty string
 */
Tokens.prototype.create = function (secret) {
  if (!secret || typeof secret !== "string") {
    throw new TypeError("argument secret is required");
  }
  return this._tokenize(secret, rndm(this.saltLength));
};

/** Generates a new secret; `callback` is handed straight to uid-safe. */
Tokens.prototype.secret = function (callback) {
  return uid(this.secretLength, callback);
};

/** Synchronous variant of `secret()`. */
Tokens.prototype.secretSync = function () {
  return uid.sync(this.secretLength);
};

/** Builds `<salt>-<base64url(sha1(salt + "-" + secret))>`. */
Tokens.prototype._tokenize = function (secret, salt) {
  var digest = crypto
    .createHash("sha1")
    .update(salt + "-" + secret, "ascii")
    .digest("base64");
  return escape(salt + "-" + digest);
};

/**
 * Checks `token` against `secret` using a constant-time comparison (scmp).
 * Returns false for missing/non-string input or a token without a salt separator.
 */
Tokens.prototype.verify = function (secret, token) {
  if (!secret || typeof secret !== "string") {
    return false;
  }
  if (!token || typeof token !== "string") {
    return false;
  }
  var separator = token.indexOf("-");
  if (separator === -1) {
    return false;
  }
  var salt = token.slice(0, separator);
  var expected = this._tokenize(secret, salt);
  return scmp(token, expected);
};
/**
 * Creates a CSRF token for `secret` using a freshly generated salt of `saltLength`
 * characters (`tokenize`, `rndm` and `saltLength` come from the enclosing scope).
 */
function create(secret) {
  var salt = rndm(saltLength)
  return tokenize(secret, salt)
}
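it('allows multiple instances of HSU to run concurrently', function (done) {
  var idOne = rndm();
  var idTwo = rndm();
  var app = createApp();
  var urlToSignOne = '/one?user=6dg3tct749fj&ion=1&espv=2';
  var urlToSignTwo = '/two?user=6dg3tct749fj&ion=1&espv=2';
  var signedUrlOne;
  var signedUrlTwo;

  function ok(req, res, next) {
    res.status(200).end();
  }

  app.get('/pre/one', hsuProtect(idOne).setup, function (req, res, next) {
    signedUrlOne = req.signUrl(urlToSignOne);
    res.status(200).end();
  });
  app.get('/pre/two', hsuProtect(idTwo).setup, function (req, res, next) {
    signedUrlTwo = req.signUrl(urlToSignTwo);
    res.status(200).end();
  });
  app.get('/one', hsuProtect(idOne).verify, ok);
  app.get('/two', hsuProtect(idTwo).verify, ok);

  var agent = createAgent(app);
  agent
    .get('/pre/one')
    .expect(200, function (err, res) {
      if (err) {
        return done(err);
      }
      agent
        .get('/pre/two')
        .expect(200, function (err, res) {
          // propagate failures; the original swallowed them and would hang until mocha's timeout
          if (err) {
            return done(err);
          }
          // verify the second signed URL first, then the first: both digests must coexist in the session
          agent
            .get(url.parse(signedUrlTwo, true).path)
            .expect(200, function (err, res) {
              if (err) {
                return done(err);
              }
              agent
                .get(url.parse(signedUrlOne, true).path)
                .expect(200, done);
            });
        });
    });
});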
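it('and will 403 if request repeated after completion', function (done) {
  var id = rndm();
  var app = createApp();
  var urlToSign = 'https://domain.com/reset?user=6dg3tct749fj&ion=1&espv=2';
  var signedUrl;

  app.get('/reset/account', hsuProtect(id).setup, function (req, res, next) {
    signedUrl = req.signUrl(urlToSign);
    res.status(200).end();
  });
  app.get('/reset', hsuProtect(id).verify, function (req, res, next) {
    res.status(200).end();
  });
  app.get('/complete', hsuProtect(id).complete, function (req, res, next) {
    // finish the HSU flow so the signature can no longer be reused
    req.hsuComplete();
    res.status(200).end();
  });
  app.use(tamperedErrorHandler);

  var agent = createAgent(app);
  agent
    .get('/reset/account')
    .expect(200, function (err, res) {
      if (err) {
        return done(err);
      }
      // first verification must succeed
      agent
        .get(url.parse(signedUrl, true).path)
        .expect(200, function (err, res) {
          // propagate failures here too; the original ignored `err` at this step and would hang until timeout
          if (err) {
            return done(err);
          }
          agent
            .get('/complete')
            .expect(200, function (err, res) {
              if (err) {
                return done(err);
              }
              // replaying the signed URL after completion must be rejected
              agent
                .get(url.parse(signedUrl, true).path)
                .expect(403, /tampered/, done);
            })
        });
    });
});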