Merge pull request #743 from hackmdio/fix-to-use-url-safe-base64

Fix to use url-safe base64 in note url
2018-03-18 15:13:06 +01:00 · 2018-03-18 15:13:06 +01:00 · f6df2deb84
parent 6b30f66272 8bfe51940f
commit f6df2deb84
7 changed files with 101 additions and 10 deletions
--- a/lib/history.js
+++ b/lib/history.js
@ -1,6 +1,7 @@
 'use strict'
 // history
 // external modules
+var LZString = require('lz-string')

 // core
 var config = require('./config')
@ -27,7 +28,20 @@ function getHistory (userid, callback) {
    }
    var history = {}
    if (user.history) {
-      history = parseHistoryToObject(JSON.parse(user.history))
+      history = JSON.parse(user.history)
+      // migrate LZString encoded note id to base64url encoded note id
+      for (let i = 0, l = history.length; i < l; i++) {
+        try {
+          let id = LZString.decompressFromBase64(history[i].id)
+          if (id && models.Note.checkNoteIdValid(id)) {
+            history[i].id = models.Note.encodeNoteId(id)
+          }
+        } catch (err) {
+          // most error here comes from LZString, ignore
+          logger.error(err)
+        }
+      }
+      history = parseHistoryToObject(history)
    }
    if (config.debug) {
      logger.info('read history success: ' + user.id)
--- a/lib/models/note.js
+++ b/lib/models/note.js
@ -3,6 +3,7 @@
 var fs = require('fs')
 var path = require('path')
 var LZString = require('lz-string')
+var base64url = require('base64url')
 var md = require('markdown-it')()
 var metaMarked = require('meta-marked')
 var cheerio = require('cheerio')
@ -114,6 +115,24 @@ module.exports = function (sequelize, DataTypes) {
          return false
        }
      },
+      encodeNoteId: function (id) {
+        // remove dashes in UUID and encode in url-safe base64
+        let str = id.replace(/-/g, '')
+        let hexStr = Buffer.from(str, 'hex')
+        return base64url.encode(hexStr)
+      },
+      decodeNoteId: function (encodedId) {
+        // decode from url-safe base64
+        let id = base64url.toBuffer(encodedId).toString('hex')
+        // add dashes between the UUID string parts
+        let idParts = []
+        idParts.push(id.substr(0, 8))
+        idParts.push(id.substr(8, 4))
+        idParts.push(id.substr(12, 4))
+        idParts.push(id.substr(16, 4))
+        idParts.push(id.substr(20, 12))
+        return idParts.join('-')
+      },
      checkNoteIdValid: function (id) {
        var uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i
        var result = id.match(uuidRegex)
@ -190,13 +209,25 @@ module.exports = function (sequelize, DataTypes) {
              return _callback(err, null)
            })
          },
+          // parse note id by LZString is deprecated, here for compability
          parseNoteIdByLZString: function (_callback) {
            // try to parse note id by LZString Base64
            try {
              var id = LZString.decompressFromBase64(noteId)
              if (id && Note.checkNoteIdValid(id)) { return callback(null, id) } else { return _callback(null, null) }
            } catch (err) {
-              return _callback(err, null)
+              logger.error(err)
+              return _callback(null, null)
+            }
+          },
+          parseNoteIdByBase64Url: function (_callback) {
+            // try to parse note id by base64url
+            try {
+              var id = Note.decodeNoteId(noteId)
+              if (id && Note.checkNoteIdValid(id)) { return callback(null, id) } else { return _callback(null, null) }
+            } catch (err) {
+              logger.error(err)
+              return _callback(null, null)
            }
          },
          parseNoteIdByShortId: function (_callback) {
--- a/lib/realtime.js
+++ b/lib/realtime.js
@ -5,7 +5,6 @@ var cookie = require('cookie')
 var cookieParser = require('cookie-parser')
 var url = require('url')
 var async = require('async')
-var LZString = require('lz-string')
 var randomcolor = require('randomcolor')
 var Chance = require('chance')
 var chance = new Chance()
@ -703,7 +702,7 @@ function operationCallback (socket, operation) {
 }

 function updateHistory (userId, note, time) {
-  var noteId = note.alias ? note.alias : LZString.compressToBase64(note.id)
+  var noteId = note.alias ? note.alias : models.Note.encodeNoteId(note.id)
  if (note.server) history.updateHistory(userId, noteId, note.server.document, time)
 }

--- a/lib/response.js
+++ b/lib/response.js
@ -3,7 +3,6 @@
 // external modules
 var fs = require('fs')
 var markdownpdf = require('markdown-pdf')
-var LZString = require('lz-string')
 var shortId = require('shortid')
 var querystring = require('querystring')
 var request = require('request')
@ -124,7 +123,7 @@ function newNote (req, res, next) {
    alias: req.alias ? req.alias : null,
    content: req.body ? req.body : ''
  }).then(function (note) {
-    return res.redirect(config.serverurl + '/' + LZString.compressToBase64(note.id))
+    return res.redirect(config.serverurl + '/' + models.Note.encodeNoteId(note.id))
  }).catch(function (err) {
    logger.error(err)
    return response.errorInternalError(res)
@ -179,7 +178,7 @@ function showNote (req, res, next) {
  findNote(req, res, function (note) {
    // force to use note id
    var noteId = req.params.noteId
-    var id = LZString.compressToBase64(note.id)
+    var id = models.Note.encodeNoteId(note.id)
    if ((note.alias && noteId !== note.alias) || (!note.alias && noteId !== id)) { return res.redirect(config.serverurl + '/' + (note.alias || id)) }
    return responseHackMD(res, note)
  })
@ -321,7 +320,7 @@ function actionPDF (req, res, note) {
 function actionGist (req, res, note) {
  var data = {
    client_id: config.github.clientID,
-    redirect_uri: config.serverurl + '/auth/github/callback/' + LZString.compressToBase64(note.id) + '/gist',
+    redirect_uri: config.serverurl + '/auth/github/callback/' + models.Note.encodeNoteId(note.id) + '/gist',
    scope: 'gist',
    state: shortId.generate()
  }
@ -418,7 +417,7 @@ function publishNoteActions (req, res, next) {
    var action = req.params.action
    switch (action) {
      case 'edit':
-        res.redirect(config.serverurl + '/' + (note.alias ? note.alias : LZString.compressToBase64(note.id)))
+        res.redirect(config.serverurl + '/' + (note.alias ? note.alias : models.Note.encodeNoteId(note.id)))
        break
      default:
        res.redirect(config.serverurl + '/s/' + note.shortid)
@ -432,7 +431,7 @@ function publishSlideActions (req, res, next) {
    var action = req.params.action
    switch (action) {
      case 'edit':
-        res.redirect(config.serverurl + '/' + (note.alias ? note.alias : LZString.compressToBase64(note.id)))
+        res.redirect(config.serverurl + '/' + (note.alias ? note.alias : models.Note.encodeNoteId(note.id)))
        break
      default:
        res.redirect(config.serverurl + '/p/' + note.shortid)
--- a/package.json
+++ b/package.json
@ -18,6 +18,7 @@
    "Idle.Js": "git+https://github.com/shawnmclean/Idle.js",
    "async": "^2.1.4",
    "aws-sdk": "^2.7.20",
+    "base64url": "^2.0.0",
    "blueimp-md5": "^2.6.0",
    "body-parser": "^1.15.2",
    "bootstrap": "^3.3.7",
--- a/public/js/history.js
+++ b/public/js/history.js
@ -3,6 +3,12 @@

 import store from 'store'
 import S from 'string'
+import LZString from 'lz-string'
+
+import {
+  checkNoteIdValid,
+  encodeNoteId
+} from './utils'

 import {
    checkIfAuth
@ -291,6 +297,15 @@ function parseToHistory (list, notehistory, callback) {
  else if (!list || !notehistory) callback(list, notehistory)
  else if (notehistory && notehistory.length > 0) {
    for (let i = 0; i < notehistory.length; i++) {
+      // migrate LZString encoded id to base64url encoded id
+      try {
+        let id = LZString.decompressFromBase64(notehistory[i].id)
+        if (id && checkNoteIdValid(id)) {
+          notehistory[i].id = encodeNoteId(id)
+        }
+      } catch (err) {
+        console.error(err)
+      }
            // parse time to timestamp and fromNow
      const timestamp = (typeof notehistory[i].time === 'number' ? moment(notehistory[i].time) : moment(notehistory[i].time, 'MMMM Do YYYY, h:mm:ss a'))
      notehistory[i].timestamp = timestamp.valueOf()
--- a/public/js/utils.js
+++ b/public/js/utils.js
@ -0,0 +1,32 @@
+import base64url from 'base64url'
+
+let uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i
+
+export function checkNoteIdValid (id) {
+  let result = id.match(uuidRegex)
+  if (result && result.length === 1) {
+    return true
+  } else {
+    return false
+  }
+}
+
+export function encodeNoteId (id) {
+  // remove dashes in UUID and encode in url-safe base64
+  let str = id.replace(/-/g, '')
+  let hexStr = Buffer.from(str, 'hex')
+  return base64url.encode(hexStr)
+}
+
+export function decodeNoteId (encodedId) {
+  // decode from url-safe base64
+  let id = base64url.toBuffer(encodedId).toString('hex')
+  // add dashes between the UUID string parts
+  let idParts = []
+  idParts.push(id.substr(0, 8))
+  idParts.push(id.substr(8, 4))
+  idParts.push(id.substr(12, 4))
+  idParts.push(id.substr(16, 4))
+  idParts.push(id.substr(20, 12))
+  return idParts.join('-')
+}