createStatusController: prevent non-public posts

2023-07-02 01:13:17 -05:00 · 2023-07-02 01:13:17 -05:00 · 6a20df2704
parent 22ea907e86
commit 6a20df2704
2 changed files with 18 additions and 6 deletions
--- a/src/controllers/api/statuses.ts
+++ b/src/controllers/api/statuses.ts
@ -1,12 +1,20 @@
-import { type AppContext, AppController } from '@/app.ts';
+import { type AppController } from '@/app.ts';
 import { getAncestors, getDescendants, getEvent, publish } from '@/client.ts';
-import { Kind, validator, z } from '@/deps.ts';
+import { Kind, z } from '@/deps.ts';
 import { type Event } from '@/event.ts';
 import { signEvent } from '@/sign.ts';
 import { toStatus } from '@/transmute.ts';
+import { parseBody } from '@/utils.ts';

 const createStatusSchema = z.object({
+  in_reply_to_id: z.string().optional().catch(undefined),
+  language: z.string().optional().catch(undefined),
+  media_ids: z.array(z.string()).optional().catch(undefined),
+  scheduled_at: z.string().datetime().optional().catch(undefined),
+  sensitive: z.boolean().catch(false),
+  spoiler_text: z.string().optional().catch(undefined),
  status: z.string(),
+  visibility: z.enum(['public', 'unlisted', 'private', 'direct']).optional().catch(undefined),
 });

 const statusController: AppController = async (c) => {
@ -20,12 +28,17 @@ const statusController: AppController = async (c) => {
  return c.json({ error: 'Event not found.' }, 404);
 };

-const createStatusController = validator('json', async (value, c: AppContext) => {
-  const result = createStatusSchema.safeParse(value);
+const createStatusController: AppController = async (c) => {
+  const body = await parseBody(c.req.raw);
+  const result = createStatusSchema.safeParse(body);

  if (result.success) {
    const { data } = result;

+    if (data.visibility !== 'public') {
+      return c.json({ error: 'Only posting publicly is supported.' }, 422);
+    }
+
    const event = await signEvent({
      kind: Kind.Text,
      content: data.status,
@ -39,7 +52,7 @@ const createStatusController = validator('json', async (value, c: AppContext) =>
  } else {
    return c.json({ error: 'Bad request' }, 400);
  }
-});
+};

 const contextController: AppController = async (c) => {
  const id = c.req.param('id');
--- a/src/deps.ts
+++ b/src/deps.ts
@ -4,7 +4,6 @@ export {
  type Handler,
  Hono,
  type MiddlewareHandler,
-  validator,
 } from 'https://deno.land/x/hono@v3.0.2/mod.ts';
 export { HTTPException } from 'https://deno.land/x/hono@v3.0.2/http-exception.ts';
 export { cors, logger } from 'https://deno.land/x/hono@v3.0.2/middleware.ts';