commit
1a44d7ca31
125
lib/api.js
125
lib/api.js
|
@ -183,9 +183,9 @@ module.exports = function (Server) {
|
|||
app.post("/api/login", function (req, res) {
|
||||
res.type("application/jsonp");
|
||||
res.setHeader("Access-Control-Allow-Origin", "*");
|
||||
var name = req.body.name;
|
||||
var pw = req.body.pw;
|
||||
var session = req.body.session;
|
||||
var name = req.body.name || "";
|
||||
var pw = req.body.pw || "";
|
||||
var session = req.body.session || "";
|
||||
|
||||
// for some reason CyTube previously allowed guest logins
|
||||
// over the API...wat
|
||||
|
@ -226,6 +226,15 @@ module.exports = function (Server) {
|
|||
res.setHeader("Access-Control-Allow-Origin", "*");
|
||||
var name = req.body.name;
|
||||
var pw = req.body.pw;
|
||||
if (typeof name !== "string" ||
|
||||
typeof pw !== "string") {
|
||||
res.status(400);
|
||||
res.jsonp({
|
||||
success: false,
|
||||
error: "Invalid request"
|
||||
});
|
||||
return;
|
||||
}
|
||||
var ip = getIP(req);
|
||||
|
||||
// Limit registrations per IP within a certain time period
|
||||
|
@ -300,6 +309,17 @@ module.exports = function (Server) {
|
|||
var oldpw = req.body.oldpw;
|
||||
var newpw = req.body.newpw;
|
||||
|
||||
if (typeof name !== "string" ||
|
||||
typeof oldpw !== "string" ||
|
||||
typeof newpw !== "string") {
|
||||
res.status(400);
|
||||
res.jsonp({
|
||||
success: false,
|
||||
error: "Invalid request"
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
if(!oldpw || !newpw) {
|
||||
res.jsonp({
|
||||
success: false,
|
||||
|
@ -340,6 +360,15 @@ module.exports = function (Server) {
|
|||
res.setHeader("Access-Control-Allow-Origin", "*");
|
||||
var name = req.body.name;
|
||||
var email = req.body.email;
|
||||
if (typeof name !== "string" ||
|
||||
typeof email !== "string") {
|
||||
res.status(400);
|
||||
res.jsonp({
|
||||
success: false,
|
||||
error: "Invalid request"
|
||||
});
|
||||
return;
|
||||
}
|
||||
var ip = getIP(req);
|
||||
var hash = false;
|
||||
|
||||
|
@ -407,6 +436,14 @@ module.exports = function (Server) {
|
|||
app.get("/api/account/passwordrecover", function (req, res) {
|
||||
res.type("application/jsonp");
|
||||
var hash = req.query.hash;
|
||||
if (typeof hash !== "string") {
|
||||
res.status(400);
|
||||
res.jsonp({
|
||||
success: false,
|
||||
error: "Invalid request"
|
||||
});
|
||||
return;
|
||||
}
|
||||
var ip = getIP(req);
|
||||
|
||||
db.recoverUserPassword(hash, function (err, auth) {
|
||||
|
@ -457,6 +494,25 @@ module.exports = function (Server) {
|
|||
var session = req.body.session;
|
||||
var img = req.body.profile_image;
|
||||
var text = req.body.profile_text;
|
||||
if (typeof name !== "string" ||
|
||||
typeof session !== "string" ||
|
||||
typeof img !== "string" ||
|
||||
typeof text !== "string") {
|
||||
res.status(400);
|
||||
res.jsonp({
|
||||
success: false,
|
||||
error: "Invalid request"
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
if (img.length > 255) {
|
||||
img = img.substring(0, 255);
|
||||
}
|
||||
|
||||
if (text.length > 255) {
|
||||
text = text.substring(0, 255);
|
||||
}
|
||||
|
||||
db.userLoginSession(name, session, function (err, row) {
|
||||
if(err) {
|
||||
|
@ -507,6 +563,18 @@ module.exports = function (Server) {
|
|||
var pw = req.body.pw;
|
||||
var email = req.body.email;
|
||||
|
||||
if (typeof name !== "string" ||
|
||||
typeof pw !== "string" ||
|
||||
typeof email !== "string") {
|
||||
res.status(400);
|
||||
res.jsonp({
|
||||
success: false,
|
||||
error: "Invalid request"
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
if(!email.match(/^[\w_\.]+@[\w_\.]+[a-z]+$/i)) {
|
||||
res.jsonp({
|
||||
success: false,
|
||||
|
@ -555,6 +623,16 @@ module.exports = function (Server) {
|
|||
var name = req.query.name;
|
||||
var session = req.query.session;
|
||||
|
||||
if (typeof name !== "string" ||
|
||||
typeof session !== "string") {
|
||||
res.status(400);
|
||||
res.jsonp({
|
||||
success: false,
|
||||
error: "Invalid request"
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
db.userLoginSession(name, session, function (err, row) {
|
||||
if(err) {
|
||||
res.jsonp({
|
||||
|
@ -593,6 +671,17 @@ module.exports = function (Server) {
|
|||
var session = req.query.session;
|
||||
var types = req.query.actions;
|
||||
|
||||
if (typeof name !== "string" ||
|
||||
typeof session !== "string" ||
|
||||
typeof types !== "string") {
|
||||
res.status(400);
|
||||
res.jsonp({
|
||||
success: false,
|
||||
error: "Invalid request"
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
db.userLoginSession(name, session, function (err, row) {
|
||||
if(err) {
|
||||
if(err !== "Invalid session" &&
|
||||
|
@ -644,6 +733,16 @@ module.exports = function (Server) {
|
|||
var name = req.query.name;
|
||||
var session = req.query.session;
|
||||
|
||||
if (typeof name !== "string" ||
|
||||
typeof session !== "string") {
|
||||
res.status(400);
|
||||
res.jsonp({
|
||||
success: false,
|
||||
error: "Invalid request"
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
db.userLoginSession(name, session, function (err, row) {
|
||||
if(err) {
|
||||
if(err !== "Invalid session" &&
|
||||
|
@ -671,6 +770,16 @@ module.exports = function (Server) {
|
|||
var name = req.query.name;
|
||||
var session = req.query.session;
|
||||
|
||||
if (typeof name !== "string" ||
|
||||
typeof session !== "string") {
|
||||
res.status(400);
|
||||
res.jsonp({
|
||||
success: false,
|
||||
error: "Invalid request"
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
db.userLoginSession(name, session, function (err, row) {
|
||||
if(err) {
|
||||
if(err !== "Invalid session" &&
|
||||
|
@ -698,6 +807,16 @@ module.exports = function (Server) {
|
|||
var name = req.query.name;
|
||||
var session = req.query.session;
|
||||
|
||||
if (typeof name !== "string" ||
|
||||
typeof session !== "string") {
|
||||
res.status(400);
|
||||
res.jsonp({
|
||||
success: false,
|
||||
error: "Invalid request"
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
db.userLoginSession(name, session, function (err, row) {
|
||||
if(err) {
|
||||
if(err !== "Invalid session" &&
|
||||
|
|
|
@ -826,6 +826,9 @@ Channel.prototype.handlePendingJoins = function () {
|
|||
};
|
||||
|
||||
Channel.prototype.userJoin = function(user, password) {
|
||||
if (typeof password === "string" && password.length > 100) {
|
||||
password = password.substring(0, 100);
|
||||
}
|
||||
var self = this;
|
||||
if (!self.ready) {
|
||||
self.addPendingJoin(user, password);
|
||||
|
@ -1869,12 +1872,13 @@ Channel.prototype.tryUpdate = function(user, data) {
|
|||
return;
|
||||
}
|
||||
|
||||
if(this.playlist.current.media.id != data.id) {
|
||||
if (this.playlist.current.media.id !== data.id ||
|
||||
isNaN(+data.currentTime)) {
|
||||
return;
|
||||
}
|
||||
|
||||
this.playlist.current.media.currentTime = data.currentTime;
|
||||
this.playlist.current.media.paused = data.paused;
|
||||
this.playlist.current.media.currentTime = +data.currentTime;
|
||||
this.playlist.current.media.paused = Boolean(data.paused);
|
||||
this.sendAll("mediaUpdate", this.playlist.current.media.timeupdate());
|
||||
}
|
||||
|
||||
|
@ -1928,6 +1932,10 @@ Channel.prototype.tryOpenPoll = function(user, data) {
|
|||
return;
|
||||
}
|
||||
|
||||
for (var i = 0; i < data.opts.length; i++) {
|
||||
data.opts[i] = ""+data.opts[i];
|
||||
}
|
||||
|
||||
var obscured = (data.obscured === true);
|
||||
var poll = new Poll(user.name, data.title, data.opts, obscured);
|
||||
this.poll = poll;
|
||||
|
@ -2013,10 +2021,7 @@ Channel.prototype.trySetLock = function(user, data) {
|
|||
return;
|
||||
}
|
||||
|
||||
if(data.locked == undefined) {
|
||||
return;
|
||||
}
|
||||
|
||||
data.locked = Boolean(data.locked);
|
||||
this.logger.log("*** " + user.name + " set playlist lock to " + data.locked);
|
||||
this.setLock(data.locked);
|
||||
}
|
||||
|
@ -2036,6 +2041,11 @@ Channel.prototype.tryRemoveFilter = function(user, f) {
|
|||
return;
|
||||
}
|
||||
|
||||
// Don't care about the other parameters since we're just removing
|
||||
if (typeof f.name !== "string") {
|
||||
return;
|
||||
}
|
||||
|
||||
this.logger.log("%%% " + user.name + " removed filter: " + f.name);
|
||||
this.removeFilter(f);
|
||||
}
|
||||
|
@ -2079,6 +2089,14 @@ Channel.prototype.tryUpdateFilter = function(user, f) {
|
|||
return;
|
||||
}
|
||||
|
||||
if (f.replace.length > 1000) {
|
||||
f.replace = f.replace.substring(0, 1000);
|
||||
}
|
||||
|
||||
if (f.flags.length > 4) {
|
||||
f.flags = f.flags.substring(0, 4);
|
||||
}
|
||||
|
||||
var re = f.source;
|
||||
var flags = f.flags;
|
||||
// Temporary fix
|
||||
|
@ -2304,7 +2322,10 @@ Channel.prototype.tryUpdateMotd = function(user, data) {
|
|||
return;
|
||||
}
|
||||
|
||||
data.motd = data.motd || "";
|
||||
if (data.motd.length > 20000) {
|
||||
data.motd = data.motd.substring(0, 20000);
|
||||
}
|
||||
|
||||
this.updateMotd(data.motd);
|
||||
this.logger.log("%%% " + user.name + " set the MOTD");
|
||||
}
|
||||
|
@ -2432,29 +2453,6 @@ Channel.prototype.sendMessage = function (user, msg, meta, filter) {
|
|||
}
|
||||
};
|
||||
|
||||
Channel.prototype.sendMessageOld = function(username, msg, msgclass, data) {
|
||||
// I don't want HTML from strangers
|
||||
msg = sanitize(msg).escape();
|
||||
msg = this.filterMessage(msg);
|
||||
var msgobj = {
|
||||
username: username,
|
||||
msg: msg,
|
||||
msgclass: msgclass,
|
||||
time: Date.now()
|
||||
};
|
||||
if(data) {
|
||||
for(var key in data) {
|
||||
msgobj[key] = data[key];
|
||||
}
|
||||
}
|
||||
this.sendAll("chatMsg", msgobj);
|
||||
this.chatbuffer.push(msgobj);
|
||||
if(this.chatbuffer.length > 15)
|
||||
this.chatbuffer.shift();
|
||||
var unescaped = sanitize(msg).entityDecode();
|
||||
this.logger.log("<" + username + "." + msgclass + "> " + unescaped);
|
||||
};
|
||||
|
||||
/* REGION Rank stuff */
|
||||
|
||||
Channel.prototype.trySetRank = function(user, data) {
|
||||
|
|
10
lib/poll.js
10
lib/poll.js
|
@ -8,11 +8,19 @@ The above copyright notice and this permission notice shall be included in all c
|
|||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
*/
|
||||
const link = /(\w+:\/\/(?:[^:\/\[\]\s]+|\[[0-9a-f:]+\])(?::\d+)?(?:\/[^\/\s]*)*)/ig;
|
||||
var XSS = require("./xss");
|
||||
|
||||
var Poll = function(initiator, title, options, obscured) {
|
||||
this.initiator = initiator;
|
||||
this.title = title;
|
||||
title = XSS.sanitizeText(title);
|
||||
this.title = title.replace(link, "<a href=\"$1\" target=\"_blank\">$1</a>");
|
||||
this.options = options;
|
||||
for (var i = 0; i < this.options.length; i++) {
|
||||
this.options[i] = XSS.sanitizeText(this.options[i]);
|
||||
this.options[i] = this.options[i].replace(link, "<a href=\"$1\" target=\"_blank\">$1</a>");
|
||||
|
||||
}
|
||||
this.obscured = obscured || false;
|
||||
this.counts = new Array(options.length);
|
||||
for(var i = 0; i < this.counts.length; i++) {
|
||||
|
|
48
lib/user.js
48
lib/user.js
|
@ -34,8 +34,6 @@ var User = function (socket) {
|
|||
afk: false,
|
||||
icon: false
|
||||
};
|
||||
this.throttle = {};
|
||||
this.flooded = {};
|
||||
this.queueLimiter = $util.newRateLimiter();
|
||||
this.chatLimiter = $util.newRateLimiter();
|
||||
this.profile = {
|
||||
|
@ -59,38 +57,6 @@ User.prototype.inPendingChannel = function () {
|
|||
return this.pendingChannel != null && !this.pendingChannel.dead;
|
||||
};
|
||||
|
||||
// Throttling/cooldown
|
||||
User.prototype.noflood = function (name, hz) {
|
||||
var time = new Date().getTime();
|
||||
if (!(name in this.throttle)) {
|
||||
this.throttle[name] = [time];
|
||||
return false;
|
||||
} else if (name in this.flooded && time < this.flooded[name]) {
|
||||
this.socket.emit("noflood", {
|
||||
action: name,
|
||||
msg: "You're still on cooldown!"
|
||||
});
|
||||
return true;
|
||||
} else {
|
||||
this.throttle[name].push(time);
|
||||
var diff = (time - this.throttle[name][0]) / 1000.0;
|
||||
// Twice might be an accident, more than that is probably spam
|
||||
if (this.throttle[name].length > 2) {
|
||||
var rate = this.throttle[name].length / diff;
|
||||
this.throttle[name] = [time];
|
||||
if (rate > hz) {
|
||||
this.flooded[name] = time + 5000;
|
||||
this.socket.emit("noflood", {
|
||||
action: name,
|
||||
msg: "Stop doing that so fast! Cooldown: 5s"
|
||||
});
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
User.prototype.setAFK = function (afk) {
|
||||
if (!this.inChannel())
|
||||
return;
|
||||
|
@ -149,8 +115,9 @@ User.prototype.initCallbacks = function () {
|
|||
|
||||
self.socket.on("joinChannel", function (data) {
|
||||
data = (typeof data !== "object") ? {} : data;
|
||||
if (self.inChannel() || self.inPendingChannel())
|
||||
if (self.inChannel() || self.inPendingChannel()) {
|
||||
return;
|
||||
}
|
||||
if (typeof data.name != "string") {
|
||||
return;
|
||||
}
|
||||
|
@ -166,6 +133,7 @@ User.prototype.initCallbacks = function () {
|
|||
self.pendingChannel = self.server.getChannel(data.name);
|
||||
if (self.loggedIn) {
|
||||
// TODO fix
|
||||
// I'm not sure what I meant by "fix", but I suppose I'll find out soon
|
||||
self.pendingChannel.getRank(self.name, function (err, rank) {
|
||||
if (!err && rank > self.rank)
|
||||
self.rank = rank;
|
||||
|
@ -187,6 +155,8 @@ User.prototype.initCallbacks = function () {
|
|||
var session = (typeof data.session === "string") ? data.session : "";
|
||||
if (pw.length > 100)
|
||||
pw = pw.substring(0, 100);
|
||||
if (session.length > 64)
|
||||
session = session.substring(0, 64);
|
||||
|
||||
if (self.loggedIn)
|
||||
return;
|
||||
|
@ -342,6 +312,10 @@ User.prototype.initCallbacks = function () {
|
|||
if (typeof data.query !== "string") {
|
||||
return;
|
||||
}
|
||||
// Soft limit to prevent someone from making a massive query
|
||||
if (data.query.length > 255) {
|
||||
data.query = data.query.substring(0, 255);
|
||||
}
|
||||
if (data.source === "yt") {
|
||||
var searchfn = InfoGetter.Getters.ytSearch;
|
||||
searchfn(data.query.split(" "), function (e, vids) {
|
||||
|
@ -526,6 +500,10 @@ User.prototype.initCallbacks = function () {
|
|||
if (typeof data.name !== "string") {
|
||||
return;
|
||||
}
|
||||
// Soft limit to prevent someone from saving a list with a massive name
|
||||
if (data.name.length > 200) {
|
||||
data.name = data.name.substring(0, 200);
|
||||
}
|
||||
if (self.rank < 1) {
|
||||
self.socket.emit("savePlaylist", {
|
||||
success: false,
|
||||
|
|
|
@ -1100,7 +1100,7 @@ Callbacks = {
|
|||
newPoll: function(data) {
|
||||
Callbacks.closePoll();
|
||||
var pollMsg = $("<div/>").addClass("poll-notify")
|
||||
.text(data.initiator + " opened a poll: \"" + data.title + "\"")
|
||||
.html(data.initiator + " opened a poll: \"" + data.title + "\"")
|
||||
.appendTo($("#messagebuffer"));
|
||||
scrollChat();
|
||||
|
||||
|
@ -1116,7 +1116,7 @@ Callbacks = {
|
|||
});
|
||||
}
|
||||
|
||||
$("<h3/>").text(data.title).appendTo(poll);
|
||||
$("<h3/>").html(data.title).appendTo(poll);
|
||||
for(var i = 0; i < data.options.length; i++) {
|
||||
(function(i) {
|
||||
var callback = function () {
|
||||
|
@ -1129,7 +1129,7 @@ Callbacks = {
|
|||
$(this).parent().addClass("option-selected");
|
||||
}
|
||||
$("<button/>").addClass("btn").text(data.counts[i])
|
||||
.prependTo($("<div/>").addClass("option").text(data.options[i])
|
||||
.prependTo($("<div/>").addClass("option").html(data.options[i])
|
||||
.appendTo(poll))
|
||||
.click(callback);
|
||||
})(i);
|
||||
|
|
Loading…
Reference in a new issue