mirror of
https://github.com/turt2live/matrix-dimension.git
synced 2024-10-01 01:05:53 -04:00
Add the missing "embed-ability" api for widgets
This commit is contained in:
parent
a73fb53dcb
commit
a6dae219a5
75
src/api/dimension/DimensionWidgetService.ts
Normal file
75
src/api/dimension/DimensionWidgetService.ts
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
import { GET, Path, QueryParam } from "typescript-rest";
|
||||||
|
import { LogService } from "matrix-js-snippets";
|
||||||
|
import * as url from "url";
|
||||||
|
import { ApiError } from "../ApiError";
|
||||||
|
import * as dns from "dns-then";
|
||||||
|
import config from "../../config";
|
||||||
|
import { Netmask } from "netmask";
|
||||||
|
import * as request from "request";
|
||||||
|
|
||||||
|
interface EmbedCapabilityResponse {
|
||||||
|
canEmbed: boolean;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* API for widgets
|
||||||
|
*/
|
||||||
|
@Path("/api/v1/dimension/widgets")
|
||||||
|
export class DimensionWidgetService {
|
||||||
|
|
||||||
|
@GET
|
||||||
|
@Path("embeddable")
|
||||||
|
public async isEmbeddable(@QueryParam("url") checkUrl: string): Promise<EmbedCapabilityResponse> {
|
||||||
|
LogService.info("DimensionWidgetService", "Checking to see if a url is embeddable: " + checkUrl);
|
||||||
|
|
||||||
|
const parsed = url.parse(checkUrl);
|
||||||
|
|
||||||
|
// Only allow http and https
|
||||||
|
if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
|
||||||
|
throw new ApiError(400, "Invalid scheme: " + parsed.protocol);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Get the IP address we're trying to connect to so we can ensure it's not blacklisted
|
||||||
|
const hostname = parsed.hostname.split(":")[0];
|
||||||
|
let addresses = [];
|
||||||
|
try {
|
||||||
|
addresses = await dns.resolve(hostname);
|
||||||
|
} catch (err) {
|
||||||
|
LogService.error("DimensionWidgetService", err);
|
||||||
|
}
|
||||||
|
if (!addresses || addresses.length === 0) throw new ApiError(400, "Cannot resolve host " + hostname);
|
||||||
|
|
||||||
|
// Check the blacklist
|
||||||
|
for (const ipOrCidr of config.widgetBlacklist) {
|
||||||
|
const block = new Netmask(ipOrCidr);
|
||||||
|
for (const address of addresses) {
|
||||||
|
if (block.contains(address)) {
|
||||||
|
throw new ApiError(400, "Address blacklisted");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Now we need to verify we can actually make the request
|
||||||
|
await new Promise((resolve, _reject) => {
|
||||||
|
request(checkUrl, (err, response) => {
|
||||||
|
if (err) {
|
||||||
|
LogService.error("DimensionWidgetService", err);
|
||||||
|
throw new ApiError(400, "Failed to contact host");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (response.statusCode >= 200 && response.statusCode < 300) {
|
||||||
|
// 200 OK
|
||||||
|
const xFrameOptions = (response.headers["x-frame-options"] || '').toLowerCase();
|
||||||
|
|
||||||
|
if (xFrameOptions === "sameorigin" || xFrameOptions === "deny") {
|
||||||
|
throw new ApiError(400, "X-Frame-Options prevents embedding");
|
||||||
|
}
|
||||||
|
|
||||||
|
resolve();
|
||||||
|
} else throw new ApiError(400, "Non-success status code returned");
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
return {canEmbed: true};
|
||||||
|
}
|
||||||
|
}
|
@ -2,7 +2,7 @@ import { Injectable } from "@angular/core";
|
|||||||
import { Http } from "@angular/http";
|
import { Http } from "@angular/http";
|
||||||
import { AuthedApi } from "../authed-api";
|
import { AuthedApi } from "../authed-api";
|
||||||
import { FE_IntegrationsResponse } from "../../models/dimension-responses";
|
import { FE_IntegrationsResponse } from "../../models/dimension-responses";
|
||||||
import { FE_Integration, FE_Widget } from "../../models/integration";
|
import { FE_Integration } from "../../models/integration";
|
||||||
|
|
||||||
@Injectable()
|
@Injectable()
|
||||||
export class IntegrationsApiService extends AuthedApi {
|
export class IntegrationsApiService extends AuthedApi {
|
||||||
@ -26,15 +26,6 @@ export class IntegrationsApiService extends AuthedApi {
|
|||||||
return this.authedPost("/api/v1/dimension/integrations/room/" + roomId + "/integrations/" + category + "/" + type + "/config", newConfig).map(r => r.json()).toPromise();
|
return this.authedPost("/api/v1/dimension/integrations/room/" + roomId + "/integrations/" + category + "/" + type + "/config", newConfig).map(r => r.json()).toPromise();
|
||||||
}
|
}
|
||||||
|
|
||||||
public getWidget(type: string): Promise<FE_Widget> {
|
|
||||||
return this.getIntegration("widget", type).then(i => <FE_Widget>i);
|
|
||||||
}
|
|
||||||
|
|
||||||
public isEmbeddable(url: string): Promise<any> { // 200 = success, anything else = error
|
|
||||||
return this.http.get("/api/v1/dimension/widgets/embeddable", {params: {url: url}})
|
|
||||||
.map(r => r.json()).toPromise();
|
|
||||||
}
|
|
||||||
|
|
||||||
public removeIntegration(category: string, type: string, roomId: string): Promise<any> {
|
public removeIntegration(category: string, type: string, roomId: string): Promise<any> {
|
||||||
return this.authedDelete("/api/v1/dimension/integrations/room/" + roomId + "/integrations/" + category + "/" + type).map(r => r.json()).toPromise();
|
return this.authedDelete("/api/v1/dimension/integrations/room/" + roomId + "/integrations/" + category + "/" + type).map(r => r.json()).toPromise();
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user