Request validation for cron (#5307)

* chore: add validations for /api/cron.*

* fix: coerce limit to number

* fix: review

server/routes/api/cron/cron.test.ts

@@ -0,0 +1,111 @@
+import { getTestServer } from "@server/test/support";
+
+const server = getTestServer();
+
+describe("POST /api/cron.daily", () => {
+  it("should require token", async () => {
+    const res = await server.post("/api/cron.daily");
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toBe("token is required");
+  });
+
+  it("should validate token", async () => {
+    const res = await server.post("/api/cron.daily", {
+      body: {
+        token: "token",
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(401);
+    expect(body.message).toBe("Invalid secret token");
+  });
+
+  it("should validate limit", async () => {
+    const res = await server.post("/api/cron.daily", {
+      body: {
+        limit: -1,
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toBe("limit: Number must be greater than 0");
+  });
+});
+
+describe("GET /api/cron.daily", () => {
+  it("should require token", async () => {
+    const res = await server.get("/api/cron.daily");
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toBe("token is required");
+  });
+
+  it("should validate token", async () => {
+    const res = await server.get("/api/cron.daily?token=token");
+    const body = await res.json();
+    expect(res.status).toEqual(401);
+    expect(body.message).toBe("Invalid secret token");
+  });
+
+  it("should validate limit", async () => {
+    const res = await server.get("/api/cron.daily?limit=-1");
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toBe("limit: Number must be greater than 0");
+  });
+});
+
+describe("POST /api/utils.gc", () => {
+  it("should require token", async () => {
+    const res = await server.post("/api/utils.gc");
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toBe("token is required");
+  });
+
+  it("should validate token", async () => {
+    const res = await server.post("/api/utils.gc", {
+      body: {
+        token: "token",
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(401);
+    expect(body.message).toBe("Invalid secret token");
+  });
+
+  it("should validate limit", async () => {
+    const res = await server.post("/api/utils.gc", {
+      body: {
+        limit: -1,
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toBe("limit: Number must be greater than 0");
+  });
+});
+
+describe("GET /api/utils.gc", () => {
+  it("should require token", async () => {
+    const res = await server.get("/api/utils.gc");
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toBe("token is required");
+  });
+
+  it("should validate token", async () => {
+    const res = await server.get("/api/utils.gc?token=token");
+    const body = await res.json();
+    expect(res.status).toEqual(401);
+    expect(body.message).toBe("Invalid secret token");
+  });
+
+  it("should validate limit", async () => {
+    const res = await server.get("/api/utils.gc?limit=-1");
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toBe("limit: Number must be greater than 0");
+  });
+});

server/routes/api/cron/cron.ts

@@ -0,0 +1,45 @@
+import crypto from "crypto";
+import Router from "koa-router";
+import env from "@server/env";
+import { AuthenticationError } from "@server/errors";
+import validate from "@server/middlewares/validate";
+import tasks from "@server/queues/tasks";
+import { APIContext } from "@server/types";
+import * as T from "./schema";
+
+const router = new Router();
+
+const cronHandler = async (ctx: APIContext<T.CronSchemaReq>) => {
+  const token = (ctx.input.body.token ?? ctx.input.query.token) as string;
+  const limit = ctx.input.body.limit ?? ctx.input.query.limit;
+
+  if (
+    token.length !== env.UTILS_SECRET.length ||
+    !crypto.timingSafeEqual(
+      Buffer.from(env.UTILS_SECRET),
+      Buffer.from(String(token))
+    )
+  ) {
+    throw AuthenticationError("Invalid secret token");
+  }
+
+  for (const name in tasks) {
+    const TaskClass = tasks[name];
+    if (TaskClass.cron) {
+      await TaskClass.schedule({ limit });
+    }
+  }
+
+  ctx.body = {
+    success: true,
+  };
+};
+
+router.get("cron.:period", validate(T.CronSchema), cronHandler);
+router.post("cron.:period", validate(T.CronSchema), cronHandler);
+
+// For backwards compatibility
+router.get("utils.gc", validate(T.CronSchema), cronHandler);
+router.post("utils.gc", validate(T.CronSchema), cronHandler);
+
+export default router;

server/routes/api/cron/index.ts

@@ -0,0 +1 @@
+export { default } from "./cron";

server/routes/api/cron/schema.ts

@@ -0,0 +1,18 @@
+import { isEmpty } from "lodash";
+import { z } from "zod";
+import BaseSchema from "../BaseSchema";
+
+export const CronSchema = BaseSchema.extend({
+  body: z.object({
+    token: z.string().optional(),
+    limit: z.coerce.number().gt(0).default(500),
+  }),
+  query: z.object({
+    token: z.string().optional(),
+    limit: z.coerce.number().gt(0).default(500),
+  }),
+}).refine((req) => !(isEmpty(req.body.token) && isEmpty(req.query.token)), {
+  message: "token is required",
+});
+
+export type CronSchemaReq = z.infer<typeof CronSchema>;