diff --git a/src/invidious.cr b/src/invidious.cr index 6b9c985a..1ecc9d83 100644 --- a/src/invidious.cr +++ b/src/invidious.cr @@ -1323,25 +1323,27 @@ post "/signout" do |env| sid = env.get? "sid" referer = get_referer(env) - if user - user = user.as(User) - sid = sid.as(String) - token = env.params.body["csrf_token"]? + if !user + next env.redirect referer + end - begin - validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) - rescue ex - error_message = ex.message - env.response.status_code = 400 - next templated "error" - end + user = user.as(User) + sid = sid.as(String) + token = env.params.body["csrf_token"]? - PG_DB.exec("DELETE FROM session_ids * WHERE id = $1", sid) + begin + validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) + rescue ex + error_message = ex.message + env.response.status_code = 400 + next templated "error" + end - env.request.cookies.each do |cookie| - cookie.expires = Time.utc(1990, 1, 1) - env.response.cookies << cookie - end + PG_DB.exec("DELETE FROM session_ids * WHERE id = $1", sid) + + env.request.cookies.each do |cookie| + cookie.expires = Time.utc(1990, 1, 1) + env.response.cookies << cookie end env.redirect referer @@ -1889,13 +1891,13 @@ get "/data_control" do |env| user = env.get? "user" referer = get_referer(env) - if user - user = user.as(User) - - templated "data_control" - else - env.redirect referer + if !user + next env.redirect referer end + + user = user.as(User) + + templated "data_control" end post "/data_control" do |env| @@ -2048,15 +2050,15 @@ get "/change_password" do |env| sid = env.get? "sid" referer = get_referer(env) - if user - user = user.as(User) - sid = sid.as(String) - csrf_token = generate_response(sid, {":change_password"}, HMAC_KEY, PG_DB) - - templated "change_password" - else - env.redirect referer + if !user + next env.redirect referer end + + user = user.as(User) + sid = sid.as(String) + csrf_token = generate_response(sid, {":change_password"}, HMAC_KEY, PG_DB) + + templated "change_password" end post "/change_password" do |env| @@ -2066,64 +2068,66 @@ post "/change_password" do |env| sid = env.get? "sid" referer = get_referer(env) - if user - user = user.as(User) - sid = sid.as(String) - token = env.params.body["csrf_token"]? + if !user + next env.redirect referer + end - # We don't store passwords for Google accounts - if !user.password - error_message = "Cannot change password for Google accounts" - env.response.status_code = 400 - next templated "error" - end + user = user.as(User) + sid = sid.as(String) + token = env.params.body["csrf_token"]? - begin - validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) - rescue ex - error_message = ex.message - env.response.status_code = 400 - next templated "error" - end + # We don't store passwords for Google accounts + if !user.password + error_message = "Cannot change password for Google accounts" + env.response.status_code = 400 + next templated "error" + end - password = env.params.body["password"]? - if !password - error_message = translate(locale, "Password is a required field") - env.response.status_code = 401 - next templated "error" - end + begin + validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) + rescue ex + error_message = ex.message + env.response.status_code = 400 + next templated "error" + end - new_passwords = env.params.body.select { |k, v| k.match(/^new_password\[\d+\]$/) }.map { |k, v| v } + password = env.params.body["password"]? + if !password + error_message = translate(locale, "Password is a required field") + env.response.status_code = 401 + next templated "error" + end - if new_passwords.size <= 1 || new_passwords.uniq.size != 1 - error_message = translate(locale, "New passwords must match") - env.response.status_code = 400 - next templated "error" - end + new_passwords = env.params.body.select { |k, v| k.match(/^new_password\[\d+\]$/) }.map { |k, v| v } - new_password = new_passwords.uniq[0] - if new_password.empty? - error_message = translate(locale, "Password cannot be empty") - env.response.status_code = 401 - next templated "error" - end + if new_passwords.size <= 1 || new_passwords.uniq.size != 1 + error_message = translate(locale, "New passwords must match") + env.response.status_code = 400 + next templated "error" + end - if new_password.bytesize > 55 - error_message = translate(locale, "Password should not be longer than 55 characters") - env.response.status_code = 400 - next templated "error" - end + new_password = new_passwords.uniq[0] + if new_password.empty? + error_message = translate(locale, "Password cannot be empty") + env.response.status_code = 401 + next templated "error" + end - if !Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) - error_message = translate(locale, "Incorrect password") - env.response.status_code = 401 - next templated "error" - end + if new_password.bytesize > 55 + error_message = translate(locale, "Password should not be longer than 55 characters") + env.response.status_code = 400 + next templated "error" + end - new_password = Crypto::Bcrypt::Password.create(new_password, cost: 10) - PG_DB.exec("UPDATE users SET password = $1 WHERE email = $2", new_password.to_s, user.email) + if !Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) + error_message = translate(locale, "Incorrect password") + env.response.status_code = 401 + next templated "error" end + new_password = Crypto::Bcrypt::Password.create(new_password, cost: 10) + PG_DB.exec("UPDATE users SET password = $1 WHERE email = $2", new_password.to_s, user.email) + env.redirect referer end @@ -2134,15 +2138,15 @@ get "/delete_account" do |env| sid = env.get? "sid" referer = get_referer(env) - if user - user = user.as(User) - sid = sid.as(String) - csrf_token = generate_response(sid, {":delete_account"}, HMAC_KEY, PG_DB) - - templated "delete_account" - else - env.redirect referer + if !user + next env.redirect referer end + + user = user.as(User) + sid = sid.as(String) + csrf_token = generate_response(sid, {":delete_account"}, HMAC_KEY, PG_DB) + + templated "delete_account" end post "/delete_account" do |env| @@ -2152,28 +2156,30 @@ post "/delete_account" do |env| sid = env.get? "sid" referer = get_referer(env) - if user - user = user.as(User) - sid = sid.as(String) - token = env.params.body["csrf_token"]? + if !user + next env.redirect referer + end - begin - validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) - rescue ex - error_message = ex.message - env.response.status_code = 400 - next templated "error" - end + user = user.as(User) + sid = sid.as(String) + token = env.params.body["csrf_token"]? - view_name = "subscriptions_#{sha256(user.email)}" - PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email) - PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email) - PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}") + begin + validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) + rescue ex + error_message = ex.message + env.response.status_code = 400 + next templated "error" + end - env.request.cookies.each do |cookie| - cookie.expires = Time.utc(1990, 1, 1) - env.response.cookies << cookie - end + view_name = "subscriptions_#{sha256(user.email)}" + PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email) + PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email) + PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}") + + env.request.cookies.each do |cookie| + cookie.expires = Time.utc(1990, 1, 1) + env.response.cookies << cookie end env.redirect referer @@ -2186,15 +2192,15 @@ get "/clear_watch_history" do |env| sid = env.get? "sid" referer = get_referer(env) - if user - user = user.as(User) - sid = sid.as(String) - csrf_token = generate_response(sid, {":clear_watch_history"}, HMAC_KEY, PG_DB) - - templated "clear_watch_history" - else - env.redirect referer + if !user + next env.redirect referer end + + user = user.as(User) + sid = sid.as(String) + csrf_token = generate_response(sid, {":clear_watch_history"}, HMAC_KEY, PG_DB) + + templated "clear_watch_history" end post "/clear_watch_history" do |env| @@ -2204,22 +2210,23 @@ post "/clear_watch_history" do |env| sid = env.get? "sid" referer = get_referer(env) - if user - user = user.as(User) - sid = sid.as(String) - token = env.params.body["csrf_token"]? + if !user + next env.redirect referer + end - begin - validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) - rescue ex - error_message = ex.message - env.response.status_code = 400 - next templated "error" - end + user = user.as(User) + sid = sid.as(String) + token = env.params.body["csrf_token"]? - PG_DB.exec("UPDATE users SET watched = '{}' WHERE email = $1", user.email) + begin + validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) + rescue ex + error_message = ex.message + env.response.status_code = 400 + next templated "error" end + PG_DB.exec("UPDATE users SET watched = '{}' WHERE email = $1", user.email) env.redirect referer end @@ -2230,25 +2237,25 @@ get "/authorize_token" do |env| sid = env.get? "sid" referer = get_referer(env) - if user - user = user.as(User) - sid = sid.as(String) - csrf_token = generate_response(sid, {":authorize_token"}, HMAC_KEY, PG_DB) - - scopes = env.params.query["scopes"]?.try &.split(",") - scopes ||= [] of String + if !user + next env.redirect referer + end - callback_url = env.params.query["callback_url"]? - if callback_url - callback_url = URI.parse(callback_url) - end + user = user.as(User) + sid = sid.as(String) + csrf_token = generate_response(sid, {":authorize_token"}, HMAC_KEY, PG_DB) - expire = env.params.query["expire"]?.try &.to_i? + scopes = env.params.query["scopes"]?.try &.split(",") + scopes ||= [] of String - templated "authorize_token" - else - env.redirect referer + callback_url = env.params.query["callback_url"]? + if callback_url + callback_url = URI.parse(callback_url) end + + expire = env.params.query["expire"]?.try &.to_i? + + templated "authorize_token" end post "/authorize_token" do |env| @@ -2258,44 +2265,46 @@ post "/authorize_token" do |env| sid = env.get? "sid" referer = get_referer(env) - if user - user = env.get("user").as(User) - sid = sid.as(String) - token = env.params.body["csrf_token"]? - - begin - validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) - rescue ex - error_message = ex.message - env.response.status_code = 400 - next templated "error" - end + if !user + next env.redirect referer + end - scopes = env.params.body.select { |k, v| k.match(/^scopes\[\d+\]$/) }.map { |k, v| v } - callback_url = env.params.body["callbackUrl"]? - expire = env.params.body["expire"]?.try &.to_i? + user = env.get("user").as(User) + sid = sid.as(String) + token = env.params.body["csrf_token"]? - access_token = generate_token(user.email, scopes, expire, HMAC_KEY, PG_DB) + begin + validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) + rescue ex + error_message = ex.message + env.response.status_code = 400 + next templated "error" + end - if callback_url - access_token = URI.escape(access_token) - url = URI.parse(callback_url) + scopes = env.params.body.select { |k, v| k.match(/^scopes\[\d+\]$/) }.map { |k, v| v } + callback_url = env.params.body["callbackUrl"]? + expire = env.params.body["expire"]?.try &.to_i? - if url.query - query = HTTP::Params.parse(url.query.not_nil!) - else - query = HTTP::Params.new - end + access_token = generate_token(user.email, scopes, expire, HMAC_KEY, PG_DB) - query["token"] = access_token - url.query = query.to_s + if callback_url + access_token = URI.escape(access_token) + url = URI.parse(callback_url) - env.redirect url.to_s + if url.query + query = HTTP::Params.parse(url.query.not_nil!) else - csrf_token = "" - env.set "access_token", access_token - templated "authorize_token" + query = HTTP::Params.new end + + query["token"] = access_token + url.query = query.to_s + + env.redirect url.to_s + else + csrf_token = "" + env.set "access_token", access_token + templated "authorize_token" end end