diff --git a/server/api/authentication.js b/server/api/authentication.js
index 6cc82e93f..c786c8259 100644
--- a/server/api/authentication.js
+++ b/server/api/authentication.js
@@ -30,26 +30,27 @@ export default function auth({ require = true } = {}) {
 throw httpErrors.Unauthorized('Authentication required');
 }
- // Get user without verifying payload signature
- let payload;
- try {
- payload = JWT.decode(token);
- } catch(_e) {
- throw httpErrors.Unauthorized('Unable to decode JWT token');
- }
- console.log(payload)
- const user = await User.findOne({
- where: { id: payload.id },
- });
+ if (token && require) {
+ // Get user without verifying payload signature
+ let payload;
+ try {
+ payload = JWT.decode(token);
+ } catch(_e) {
+ throw httpErrors.Unauthorized('Unable to decode JWT token');
+ }
+ const user = await User.findOne({
+ where: { id: payload.id },
+ });
- try {
- JWT.verify(token, user.jwtSecret);
- } catch(e) {
- throw httpErrors.Unauthorized('Invalid token');
- }
+ try {
+ JWT.verify(token, user.jwtSecret);
+ } catch(e) {
+ throw httpErrors.Unauthorized('Invalid token');
+ }
- ctx.state.token = token;
- ctx.state.user = user;
+ ctx.state.token = token;
+ ctx.state.user = user;
+ }
 return next();
 };
diff --git a/server/api/documents.js b/server/api/documents.js
index 66f72282b..1f2782196 100644
--- a/server/api/documents.js
+++ b/server/api/documents.js
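Review bot: The new guard `if (token && require)` at the top of the hunk skips token decoding and verification entirely when the middleware is mounted with `require: false`, so a caller who presents a token on an optional-auth route never gets `ctx.state.user` set — which is exactly what the new `documents.info` handler in this commit relies on to admit team members to private documents. Since the missing-token case under `require` has already thrown above, the guard should be `if (token) {` so any supplied token is still decoded and verified. Inside the block, `User.findOne` can return null when `payload.id` matches no user (and, depending on the JWT library, `JWT.decode` may return null rather than throw on a malformed token), in which case `user.jwtSecret` raises a TypeError that surfaces as a 500 instead of a 401; add `if (!user) throw httpErrors.Unauthorized('Invalid token');` before the `JWT.verify` call. The `auth` middleware's handler begins above this hunk.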
@@ -8,23 +8,35 @@ import { Document, Atlas } from '../models';
 const router = new Router();
-router.post('documents.info', auth(), async (ctx) => {
+router.post('documents.info', auth({ require: false }), async (ctx) => {
 let { id } = ctx.request.body;
 ctx.assertPresent(id, 'id is required');
- const team = await ctx.state.user.getTeam();
 const document = await Document.findOne({
 where: {
 id: id,
- teamId: team.id,
 },
 });
- if (!document) throw httpErrors.NotFound();
+ // Don't expose private documents outside the team
+ if (document.private) {
+ if (!ctx.state.user) throw httpErrors.NotFound();
- ctx.body = {
- data: await presentDocument(document, true),
- };
+ const team = await ctx.state.user.getTeam();
+ if (document.teamId !== team.id) {
+ if (!document) throw httpErrors.NotFound();
+ }
+
+ ctx.body = {
+ data: await presentDocument(document, true),
+ };
+ } else {
+ ctx.body = {
+ data: await presentDocument(document),
+ };
+ }
+
+ if (!document) throw httpErrors.NotFound();
 });
diff --git a/server/presenters.js b/server/presenters.js
index 6dbd73596..7c3977ec2 100644
--- a/server/presenters.js
+++ b/server/presenters.js
@@ -3,13 +3,13 @@ import Document from './models/Document';
 export function presentUser(user) {
 return new Promise(async (resolve, reject) => {
- resolve({
+ const data = {
 id: user.id,
 name: user.name,
 username: user.username,
- email: user.email,
 avatarUrl: user.slackData.image_192,
- });
+ };
+ resolve(data);
 });
 }
@@ -62,6 +62,7 @@ export async function presentDocument(document, includeAtlas=false) {
 text: document.text,
 html: document.html,
 preview: document.preview,
+ private: document.private,
 createdAt: document.createdAt,
 updatedAt: document.updatedAt,
 atlas: document.atlaId,
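Review bot: The team check in the private branch never denies access: `if (document.teamId !== team.id) { if (!document) throw httpErrors.NotFound(); }` tests `document`, which is already non-null at that point, so a private document belonging to another team is still returned to any authenticated user. The mismatch branch should throw unconditionally: `if (document.teamId !== team.id) throw httpErrors.NotFound();`. The `if (!document) throw httpErrors.NotFound();` that was moved to the end of the handler now runs after `document.private` has been dereferenced, so an unknown id produces a TypeError (500) rather than a 404; move it back to directly after the `Document.findOne` call. With the `teamId` filter removed from the query, non-private documents are now served to unauthenticated callers, so the `private` flag is the only control between a document and anonymous access — worth confirming its default on the model, which is not visible here.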
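Review bot: `presentUser` still wraps its body in `new Promise(async (resolve, reject) => …)`, and the restructuring into a `data` local keeps that shape: any throw inside the executor (for instance if `user.slackData` is undefined) becomes an unhandled rejection rather than rejecting the returned promise, and `reject` is never called. Since nothing is awaited in the body, declaring it `export async function presentUser(user)` and returning the object literal directly gives callers the same promise with proper error propagation and removes the unused `reject`.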
@@ -71,10 +72,10 @@ export async function presentDocument(document, includeAtlas=false) {
 if (includeAtlas) {
 const atlas = await document.getAtlas();
 data.atlas = await presentAtlas(atlas, false);
-
- const user = await document.getUser();
- data.user = await presentUser(user, false);
 }
+ const user = await document.getUser();
+ data.user = await presentUser(user);
+
 return data;
 }
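Review bot: With `data.user = await presentUser(user);` moved out of the `includeAtlas` branch, the owner's `name`, `username` and `avatarUrl` are now attached to every presented document, including the unauthenticated non-private path that `documents.info` gains in this commit; if exposing those fields to anonymous callers is not intended, keep the user block behind an explicit option. `document.getUser()` may also resolve to null for a document without an owner (the model is not visible here), in which case `presentUser` throws on `user.id`; `if (user) data.user = await presentUser(user);` keeps the presenter total. The removed call passed a second argument `false` that `presentUser`'s signature never accepted, so dropping it is correct. `presentDocument` begins outside this hunk.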