From dbba54c7ad1df84a4e7af71ed806b4c48c1a5fd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kasper=20Rynning-T=C3=B8nnesen?= <kasper@kasperrt.no>
Date: Fri, 16 Mar 2018 10:28:10 +0100
Subject: [PATCH] Origin for api-tokens

---
 server/apps/client.js                         |  4 +-
 server/public/assets/js/functions.js          | 11 +++-
 server/public/assets/js/listeners.js          |  1 +
 server/public/assets/js/token_apply.js        |  4 ++
 .../public/layouts/client/channel.handlebars  |  2 -
 server/public/layouts/client/token.handlebars | 21 ++-----
 server/routing/client/api.js                  | 62 ++++++++++++++-----
 7 files changed, 68 insertions(+), 37 deletions(-)

diff --git a/server/apps/client.js b/server/apps/client.js
index 03103a2f..71fe8782 100755
--- a/server/apps/client.js
+++ b/server/apps/client.js
@@ -38,7 +38,9 @@ var bodyParser = require('body-parser');
 var cookieParser = require("cookie-parser");
 var cookies = require("cookie");
 var helmet = require('helmet')
-app.use(helmet())
+app.use(helmet({
+  frameguard: false
+}));
 app.use( bodyParser.json() );       // to support JSON-encoded bodies
 app.use(bodyParser.urlencoded({     // to support URL-encoded bodies
 	extended: true
diff --git a/server/public/assets/js/functions.js b/server/public/assets/js/functions.js
index 50c1f1ba..54eccabc 100644
--- a/server/public/assets/js/functions.js
+++ b/server/public/assets/js/functions.js
@@ -168,6 +168,7 @@ function get_list_ajax() {
         type: "POST",
         data: {
             userpass: "",
+            token: zoff_api_token,
         },
         url: "/api/list/" + chan.toLowerCase(),
         success: function(response) {
@@ -242,7 +243,8 @@ function get_np_ajax() {
         type: "POST",
         data: {
             userpass: "",
-            fetch_song: true
+            fetch_song: true,
+            token: zoff_api_token
         },
         url: "/api/list/" + chan.toLowerCase() + "/__np__",
         success: function(response) {
@@ -269,7 +271,8 @@ function del_ajax(id) {
         type: "DELETE",
         data: {
             adminpass: "",
-            userpass: ""
+            userpass: "",
+            token: zoff_api_token
         },
         url: "/api/list/" + chan.toLowerCase() + "/" + id,
         success: function(response) {
@@ -301,6 +304,7 @@ function add_ajax(id, title, duration, playlist, num, full_num, start, end) {
             duration: duration,
             end_time: end,
             start_time: start,
+            token: zoff_api_token
         },
         url: "/api/list/" + chan.toLowerCase() + "/" + id,
         success: function(response) {
@@ -327,7 +331,8 @@ function vote_ajax(id) {
         type: "PUT",
         data: {
             adminpass: "",
-            userpass: ""
+            userpass: "",
+            token: zoff_api_token
         },
         url: "/api/list/" + chan.toLowerCase() + "/" + id,
         success: function(response) {
diff --git a/server/public/assets/js/listeners.js b/server/public/assets/js/listeners.js
index a71a8a48..6305e0b3 100755
--- a/server/public/assets/js/listeners.js
+++ b/server/public/assets/js/listeners.js
@@ -29,6 +29,7 @@ var showDiscovery						= false;
 var player_ready 	   	  		= false;
 var viewers 			  		= 1;
 var temp_user_pass 				= "";
+var zoff_api_token = "AhmC4Yg2BhaWPZBXeoWK96DAiAVfbou8TUG2IXtD3ZQ=";
 var retry_frontpage;
 var chromecast_specs_sent = false;
 var dragging 					= false;
diff --git a/server/public/assets/js/token_apply.js b/server/public/assets/js/token_apply.js
index 51760d06..33141669 100644
--- a/server/public/assets/js/token_apply.js
+++ b/server/public/assets/js/token_apply.js
@@ -16,6 +16,8 @@ $(document).ready(function() {
     $(".token-form").on("submit", function(e) {
         e.preventDefault();
         var email = $("#email_address").val();
+        var origin = $("#origin").val();
+        $("#origin").attr("readonly", true);
         $("#email_address").attr("readonly", true);
         $(".submit").toggleClass("disabled");
         $(".full-form-token").removeClass("hide");
@@ -24,6 +26,7 @@ $(document).ready(function() {
             type: "POST",
             url: "/api/apply",
             data: {
+                origin: origin,
                 email: email,
                 "g-recaptcha-response": captcha_response,
             },
@@ -34,6 +37,7 @@ $(document).ready(function() {
                 } else {
                     $("#email_address").attr("readonly", false);
                     $(".submit").toggleClass("disabled");
+                    $("#origin").attr("readonly", false);
                     grecaptcha.reset();
                     Materialize.toast("Something went wrong. Sure that email hasn't been used for another token?", 3000, "red lighten");
                 }
diff --git a/server/public/layouts/client/channel.handlebars b/server/public/layouts/client/channel.handlebars
index 32d64138..0a4dbf43 100755
--- a/server/public/layouts/client/channel.handlebars
+++ b/server/public/layouts/client/channel.handlebars
@@ -11,8 +11,6 @@
             {{/if}}
             {{> channel/tabs}}
         </div>
-        <!--<div id="playbar">
-        </div>-->
     </main>
 </div>
 <ul class="context-menu-list context-menu-root hide">
diff --git a/server/public/layouts/client/token.handlebars b/server/public/layouts/client/token.handlebars
index 20a10150..c35989ba 100644
--- a/server/public/layouts/client/token.handlebars
+++ b/server/public/layouts/client/token.handlebars
@@ -12,20 +12,6 @@
         </div>
     </nav>
     {{> modal/about}}
-    <div id="donation" class="modal">
-        <div class="modal-content">
-            <h4>Thanks!</h4>
-            <p>Thanks for your donation, we love you &lt;3
-                <br><br>
-                We will use the money for something awesome, just you wait and see!
-                <br><br>
-                We might also add your name somewhere in the code as a sign of gratitude, see if you can find it! (Might take a day or two for us to see the donation and implement it..)
-            </p>
-        </div>
-        <div class="modal-footer">
-            <a href="#" class="modal-action modal-close waves-effect waves-green btn-flat">I'm awesome! (Close)</a>
-        </div>
-    </div>
 </header>
 <div id="main-container" class="token-container">
     <main class="center-align container">
@@ -41,6 +27,7 @@
                 <p>Apply for a API-token with your email here! You'll get an email on the specified address, with a link. Follow that link, and the token will be shown to you! Take good care of it, and don't lose it. It won't be shown to you again.</p>
                 <p>If you're wondering anything about how the api works, there is a guide on our GitHub. You can also click <a href="https://zoff.me/api/help">HERE</a> to be taken to the detailed README.</p>
                 <p>As of now, the tokens have a limit of 100 requests a second. If you need a higher limit, just contact the team and we'll set you up for as much as you need.</p>
+                <p>If you want to restrict the token for use on one domain only, you can change the Origin from * to the website of your choice (if you want for https://zoff.me, then you'd input <b>zoff.me</b>).</p>
             {{/if}}
         </div>
         {{#if activated}}
@@ -50,7 +37,11 @@
             <div class="row center">
               <div class="input-field col s6 offset-s3">
                   <label for="email_address" class="noselect">Email</label>
-                <input type="email" autocomplete="off" class="validate" id="email_address" />
+                  <input type="email" autocomplete="off" class="validate" id="email_address" />
+              </div>
+              <div class="input-field col s6 offset-s3">
+                  <label for="origin" class="noselect">Origin</label>
+                  <input type="text" autocomplete="off" id="origin" value="*" />
               </div>
             </div>
             <div class="col offset-m3">
diff --git a/server/routing/client/api.js b/server/routing/client/api.js
index ce864c69..26d7568f 100644
--- a/server/routing/client/api.js
+++ b/server/routing/client/api.js
@@ -75,7 +75,7 @@ var error = {
         results: [],
     },
     wrong_token: {
-        status: 403,
+        status: 400,
         error: "You're using a faulty token. Try getting a new token, or send the request without the token.",
         success: false,
         results: [],
@@ -185,14 +185,18 @@ router.route('/api/list/:channel_name/:video_id').delete(function(req, res) {
         }
         token_db.collection("api_token").find({token: token}, function(err, token_docs) {
             var authorized = false;
-            if(token_docs.length == 1 && token_docs[0].token == token) {
+            var origin;
+            try {
+                origin = req.headers.referer.split("/")[2];
+            } catch(e) { origin = ""; }
+            if(token_docs.length == 1 && token_docs[0].token == token && (token_docs[0].origin == "*" || token_docs[0].origin == origin)) {
                 authorized = true;
             }
             checkOveruseApiToken(authorized, token_docs, res, function() {
                 checkTimeout(guid, res, authorized, "DELETE", function() {
                     if(token != "" && !authorized) {
                         updateTimeout(guid, res, authorized, "DELETE", function(err, docs) {
-                            res.status(403).send(JSON.stringify(error.wrong_token));
+                            res.status(400).send(JSON.stringify(error.wrong_token));
                             return;
                         });
                     } else {
@@ -336,14 +340,18 @@ router.route('/api/conf/:channel_name').put(function(req, res) {
         }
         token_db.collection("api_token").find({token: token}, function(err, token_docs) {
             var authorized = false;
-            if(token_docs.length == 1 && token_docs[0].token == token) {
+            var origin;
+            try {
+                origin = req.headers.referer.split("/")[2];
+            } catch(e) { origin = ""; }
+            if(token_docs.length == 1 && token_docs[0].token == token && (token_docs[0].origin == "*" || token_docs[0].origin == origin)) {
                 authorized = true;
             }
             checkOveruseApiToken(authorized, token_docs, res, function() {
                 checkTimeout(guid, res, authorized, "CONFIG", function() {
                     if(token != "" && !authorized) {
                         updateTimeout(guid, res, authorized, "CONFIG", function(err, docs) {
-                            res.status(403).send(JSON.stringify(error.wrong_token));
+                            res.status(400).send(JSON.stringify(error.wrong_token));
                             return;
                         });
                     } else {
@@ -459,14 +467,18 @@ router.route('/api/list/:channel_name/:video_id').put(function(req,res) {
         }
         token_db.collection("api_token").find({token: token}, function(err, token_docs) {
             var authorized = false;
-            if(token_docs.length == 1 && token_docs[0].token == token) {
+            var origin;
+            try {
+                origin = req.headers.referer.split("/")[2];
+            } catch(e) { origin = ""; }
+            if(token_docs.length == 1 && token_docs[0].token == token && (token_docs[0].origin == "*" || token_docs[0].origin == origin)) {
                 authorized = true;
             }
             checkOveruseApiToken(authorized, token_docs, res, function() {
                 checkTimeout(guid, res, authorized, "PUT", function() {
                     if(token != "" && !authorized) {
                         updateTimeout(guid, res, authorized, "PUT", function(err, docs) {
-                            res.status(403).send(JSON.stringify(error.wrong_token));
+                            res.status(400).send(JSON.stringify(error.wrong_token));
                             return;
                         });
                     } else {
@@ -549,14 +561,18 @@ router.route('/api/list/:channel_name/__np__').post(function(req, res) {
         }
         token_db.collection("api_token").find({token: token}, function(err, token_docs) {
             var authorized = false;
-            if(token_docs.length == 1 && token_docs[0].token == token) {
+            var origin;
+            try {
+                origin = req.headers.referer.split("/")[2];
+            } catch(e) { origin = ""; }
+            if(token_docs.length == 1 && token_docs[0].token == token && (token_docs[0].origin == "*" || token_docs[0].origin == origin)) {
                 authorized = true;
             }
             checkOveruseApiToken(authorized, token_docs, res, function() {
                 checkTimeout(guid, res, authorized, "POST", function() {
                     if(token != "" && !authorized) {
                         updateTimeout(guid, res, authorized, "POST", function(err, docs) {
-                            res.status(403).send(JSON.stringify(error.wrong_token));
+                            res.status(400).send(JSON.stringify(error.wrong_token));
                             return;
                         });
                     } else {
@@ -672,14 +688,18 @@ router.route('/api/list/:channel_name/:video_id').post(function(req,res) {
         }
         token_db.collection("api_token").find({token: token}, function(err, token_docs) {
             var authorized = false;
-            if(token_docs.length == 1 && token_docs[0].token == token) {
+            var origin;
+            try {
+                origin = req.headers.referer.split("/")[2];
+            } catch(e) { origin = ""; }
+            if(token_docs.length == 1 && token_docs[0].token == token && (token_docs[0].origin == "*" || token_docs[0].origin == origin)) {
                 authorized = true;
             }
             checkOveruseApiToken(authorized, token_docs, res, function() {
                 checkTimeout(guid, res, authorized, "POST", function() {
                     if(token != "" && !authorized) {
                         updateTimeout(guid, res, authorized, "POST", function(err, docs) {
-                            res.status(403).send(JSON.stringify(error.wrong_token));
+                            res.status(400).send(JSON.stringify(error.wrong_token));
                             return;
                         });
                     } else {
@@ -897,14 +917,18 @@ router.route('/api/conf/:channel_name').post(function(req, res) {
 
         token_db.collection("api_token").find({token: token}, function(err, token_docs) {
             var authorized = false;
-            if(token_docs.length == 1 && token_docs[0].token == token) {
+            var origin;
+            try {
+                origin = req.headers.referer.split("/")[2];
+            } catch(e) { origin = ""; }
+            if(token_docs.length == 1 && token_docs[0].token == token && (token_docs[0].origin == "*" || token_docs[0].origin == origin)) {
                 authorized = true;
             }
             checkOveruseApiToken(authorized, token_docs, res, function() {
                 checkTimeout(guid, res, authorized, "POST", function() {
                     if(token != "" && !authorized) {
                         updateTimeout(guid, res, authorized, "DELETE", function(err, docs) {
-                            res.status(403).send(JSON.stringify(error.wrong_token));
+                            res.status(400).send(JSON.stringify(error.wrong_token));
                             return;
                         });
                     } else {
@@ -1016,14 +1040,18 @@ router.route('/api/list/:channel_name').post(function(req, res) {
 
         token_db.collection("api_token").find({token: token}, function(err, token_docs) {
             var authorized = false;
-            if(token_docs.length == 1 && token_docs[0].token == token) {
+            var origin;
+            try {
+                origin = req.headers.referer.split("/")[2];
+            } catch(e) { origin = ""; }
+            if(token_docs.length == 1 && token_docs[0].token == token && (token_docs[0].origin == "*" || token_docs[0].origin == origin)) {
                 authorized = true;
             }
             checkOveruseApiToken(authorized, token_docs, res, function() {
                 checkTimeout(guid, res, authorized, "POST", function() {
                     if(token != "" && !authorized) {
                         updateTimeout(guid, res, authorized, "POST", function(err, docs) {
-                            res.status(403).send(JSON.stringify(error.wrong_token));
+                            res.status(400).send(JSON.stringify(error.wrong_token));
                             return;
                         });
                     } else {
@@ -1092,6 +1120,8 @@ try {
             return;
         }
         if(req.recaptcha.error == null) {
+            var origin = "*";
+            if(req.body.origin != undefined && req.body.origin != "") origin = req.body.origin;
             var name = req.body.email;
             var id = crypto.createHash('sha256').update(uniqid()).digest('base64');
             var uniqid_link = crypto.createHash('sha256').update(uniqid()).digest('hex');
@@ -1102,7 +1132,7 @@ try {
                 }
                 token_db.collection("api_links").find({token: token}, function(e, d) {
                     if(results_find.length == 0 || (d.length == 0 && results_find.length > 0 && !results_find[0].active)) {
-                        token_db.collection("api_token").insert({name: name, token: id, usage: 0, active: false, limit: 100}, function(err, docs){
+                        token_db.collection("api_token").insert({name: name, origin: origin, token: id, usage: 0, active: false, limit: 100}, function(err, docs){
                            token_db.collection("api_links").insert({id: uniqid_link, token: id, createdAt: new Date()}, function(err, docs) {
                                let transporter = nodemailer.createTransport(mailconfig);