fix(config): new opts: admin_limit, user_limit, disabled_extensions (#68)

config.example.toml

@@ -9,4 +9,7 @@ database_url = 'postgres://postgres:postgres@postgres/postgres'
 route = '/u'
 embed_route = '/a'
 length = 6
-directory = './uploads'
+directory = './uploads'
+user_limit = 104900000 # 100mb
+admin_limit = 104900000 # 100mb
+disabled_extentions = ['jpg']

server/validateConfig.js

@@ -16,7 +16,10 @@ module.exports = async config => {
     path('uploader.route', 'string'),
     path('uploader.embed_route', 'string'),
     path('uploader.length', 'number'),
-    path('uploader.directory', 'string')
+    path('uploader.directory', 'string'),
+    path('uploader.admin_limit', 'number'),
+    path('uploader.user_limit', 'number'),
+    path('uploader.disabled_extentions', 'object'),
   ];
 
   let errors = 0;
@@ -25,11 +28,11 @@ module.exports = async config => {
     const path = paths[i];
     const value = dot(path.path, config);
     if (value === undefined) {
-      Logger.get('config').error(`there was no ${path.path} in config`);
+      Logger.get('config').error(`there was no ${path.path} in config which was required`);
       ++errors;
     }
-    const type = typeof value;
 
+    const type = typeof value;
     if (value !== undefined && type !== path.type) {
       Logger.get('config').error(`expected ${path.type} on ${path.path}, but got ${type}`);
       ++errors;

src/lib/readConfig.js

@@ -2,7 +2,7 @@ const { existsSync, readFileSync } = require('fs');
 const { join } = require('path');
 const Logger = require('./logger');
 
-const e = (val, type, fn) => ({ val, type, fn });
+const e = (val, type, fn, required = true) => ({ val, type, fn, required });
 
 const envValues = [
   e('SECURE', 'boolean', (c, v) => c.core.secure = v),
@@ -13,7 +13,10 @@ const envValues = [
   e('UPLOADER_ROUTE', 'string', (c, v) => c.uploader.route = v),
   e('UPLOADER_EMBED_ROUTE', 'string', (c, v) => c.uploader.embed_route = v),
   e('UPLOADER_LENGTH', 'number', (c, v) => c.uploader.length = v),
-  e('UPLOADER_DIRECTORY', 'string', (c, v) => c.uploader.directory = v)
+  e('UPLOADER_DIRECTORY', 'string', (c, v) => c.uploader.directory = v),
+  e('UPLOADER_ADMIN_LIMIT', 'number', (c, v) => c.uploader.admin_limit = v),
+  e('UPLOADER_USER_LIMIT', 'number', (c, v) => c.uploader.user_limit = v),
+  e('UPLOADER_DISABLED_EXTS', 'array', (c, v) => c.uploader.disabled_extentions = v),
 ];
 
 module.exports = () => {
@@ -35,17 +38,17 @@ function tryReadEnv() {
       secure: undefined,
       secret: undefined,
       host: undefined,
-      port: undefined
-    },
-    database: {
-      type: undefined,
-      url: undefined
+      port: undefined,
+      database_url: undefined,
     },
     uploader: {
       route: undefined,
       embed_route: undefined,
       length: undefined,
-      directory: undefined
+      directory: undefined,
+      admin_limit: undefined,
+      user_limit: undefined,
+      disabled_extentions: undefined
     }
   };
 
@@ -53,7 +56,7 @@ function tryReadEnv() {
     const envValue = envValues[i];
     let value = process.env[envValue.val];
 
-    if (!value) {
+    if (envValue.required && !value) {
       Logger.get('config').error('there is no config file or required environment variables... exiting...');
 
       process.exit(1);
@@ -62,6 +65,7 @@ function tryReadEnv() {
     envValues[i].fn(config, value);
     if (envValue.type === 'number') value = parseToNumber(value);
     else if (envValue.type === 'boolean') value = parseToBoolean(value);
+    else if (envValue.type === 'array') value = parseToArray(value);
     envValues[i].fn(config, value);
   }
 
@@ -79,4 +83,8 @@ function parseToBoolean(value) {
   // infer that it is a string since env values are only strings
   if (!value || value === 'false') return false;
   else return true;
+}
+
+function parseToArray(value) {
+  return value.split(',');
 }

src/lib/types.ts

@@ -27,6 +27,15 @@ export interface ConfigUploader {
 
   // Where uploads are stored
   directory: string;
+
+  // Admin file upload limit
+  admin_limit: number;
+
+  // User file upload limit
+  user_limit: number;
+
+  // Disabled extensions to block from uploading
+  disabled_extentions: string[];
 }
 
 export interface Config {

src/pages/api/upload.ts

@@ -22,11 +22,12 @@ async function handler(req: NextApiReq, res: NextApiRes) {
   });
   if (!user) return res.forbid('authorization incorect');
   if (!req.file) return res.error('no file');
+  if (req.file.size > zconfig.uploader[user.administrator ? 'admin_limit' : 'user_limit']) return res.error('file size too big');
 
   const ext = req.file.originalname.split('.').pop();
-
+  if (zconfig.uploader.disabled_extentions.includes(ext)) return res.error('disabled extension recieved: ' + ext);
+  
   const rand = randomChars(zconfig.uploader.length);
-
   const image = await prisma.image.create({
     data: {
       file: `${rand}.${ext}`,

src/pages/api/users.ts

@@ -35,7 +35,9 @@ async function handler(req: NextApiReq, res: NextApiRes) {
         administrator: true,
         token: true,
         embedColor: true,
-        embedTitle: true
+        embedTitle: true,
+        customTheme: true,
+        systemTheme: true
       }
     });
     return res.json(all_users);