diff --git a/routes/api/image.js b/routes/api/image.js
index 353d1bc39..5194295ac 100644
--- a/routes/api/image.js
+++ b/routes/api/image.js
@@ -16,7 +16,7 @@ const imageType = require('image-type');
 const sanitizeFilename = require('sanitize-filename');
 const wrap = require('express-promise-wrap').wrap;
 
-router.get('/:imageId/:filename', auth.checkApiAuth, wrap(async (req, res, next) => {
+router.get('/:imageId/:filename', auth.checkApiAuthOrElectron, wrap(async (req, res, next) => {
     const image = await sql.getFirst("SELECT * FROM images WHERE image_id = ?", [req.params.imageId]);
 
     if (!image) {
@@ -28,7 +28,7 @@ router.get('/:imageId/:filename', auth.checkApiAuth, wrap(async (req, res, next)
     res.send(image.data);
 }));
 
-router.post('', auth.checkApiAuth, multer.single('upload'), wrap(async (req, res, next) => {
+router.post('', auth.checkApiAuthOrElectron, multer.single('upload'), wrap(async (req, res, next) => {
     const sourceId = req.headers.source_id;
     const noteId = req.query.noteId;
     const file = req.file;
diff --git a/services/auth.js b/services/auth.js
index 93b0d463f..40a2bec57 100644
--- a/services/auth.js
+++ b/services/auth.js
@@ -28,6 +28,20 @@ async function checkAuthForMigrationPage(req, res, next) {
     }
 }
 
+// for electron things which need network stuff
+// currently we're doing that for file upload because handling form data seems to be difficult
+async function checkApiAuthOrElectron(req, res, next) {
+    if (!req.session.loggedIn && !utils.isElectron()) {
+        res.status(401).send("Not authorized");
+    }
+    else if (await sql.isDbUpToDate()) {
+        next();
+    }
+    else {
+        res.status(409).send("Mismatched app versions"); // need better response than that
+    }
+}
+
 async function checkApiAuth(req, res, next) {
     if (!req.session.loggedIn) {
         res.status(401).send("Not authorized");
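Review bot: The GET route in the first hunk is switched to `auth.checkApiAuthOrElectron` even though the commit's own comment in services/auth.js says the relaxed check is needed only for file upload because form data is hard to handle; only the second hunk (`router.post('', ...)`) matches that reason. Keeping `router.get('/:imageId/:filename', auth.checkApiAuth, wrap(async (req, res, next) => {` would confine the weakened check to the upload endpoint instead of also exposing image reads. Both route handlers continue past their hunks, so nothing in the handlers themselves can be checked here.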
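Review bot: `utils.isElectron()` in the new `checkApiAuthOrElectron` describes the running process, not the request, so under Electron every request without a logged-in session passes the check regardless of where it came from; if the Electron build still serves HTTP on a port, that is a full session bypass for the routes that use this middleware rather than a renderer-only exception. The bypass should be tied to something only the Electron renderer can present with the request, or the middleware should be reserved for the single upload route the comment names, and the header comment should state the scope, e.g. `// Skips the session check for EVERY caller when running under Electron; only use on routes where unauthenticated access is acceptable`. The `// need better response than that` on the 409 branch is an open TODO the commit leaves in place.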
@@ -63,5 +77,6 @@ module.exports = {
     checkAuthForMigrationPage,
     checkApiAuth,
     checkApiAuthForMigrationPage,
-    checkAppNotInitialized
+    checkAppNotInitialized,
+    checkApiAuthOrElectron
 };
\ No newline at end of file