auth exception for images in electron

routes/api/image.js

@@ -16,7 +16,7 @@ const imageType = require('image-type');
 const sanitizeFilename = require('sanitize-filename');
 const wrap = require('express-promise-wrap').wrap;
 
-router.get('/:imageId/:filename', auth.checkApiAuth, wrap(async (req, res, next) => {
+router.get('/:imageId/:filename', auth.checkApiAuthOrElectron, wrap(async (req, res, next) => {
     const image = await sql.getFirst("SELECT * FROM images WHERE image_id = ?", [req.params.imageId]);
 
     if (!image) {
@@ -28,7 +28,7 @@ router.get('/:imageId/:filename', auth.checkApiAuth, wrap(async (req, res, next)
     res.send(image.data);
 }));
 
-router.post('', auth.checkApiAuth, multer.single('upload'), wrap(async (req, res, next) => {
+router.post('', auth.checkApiAuthOrElectron, multer.single('upload'), wrap(async (req, res, next) => {
     const sourceId = req.headers.source_id;
     const noteId = req.query.noteId;
     const file = req.file;

services/auth.js

@@ -28,6 +28,20 @@ async function checkAuthForMigrationPage(req, res, next) {
     }
 }
 
+// for electron things which need network stuff
+// currently we're doing that for file upload because handling form data seems to be difficult
+async function checkApiAuthOrElectron(req, res, next) {
+    if (!req.session.loggedIn && !utils.isElectron()) {
+        res.status(401).send("Not authorized");
+    }
+    else if (await sql.isDbUpToDate()) {
+        next();
+    }
+    else {
+        res.status(409).send("Mismatched app versions"); // need better response than that
+    }
+}
+
 async function checkApiAuth(req, res, next) {
     if (!req.session.loggedIn) {
         res.status(401).send("Not authorized");
@@ -63,5 +77,6 @@ module.exports = {
     checkAuthForMigrationPage,
     checkApiAuth,
     checkApiAuthForMigrationPage,
-    checkAppNotInitialized
+    checkAppNotInitialized,
+    checkApiAuthOrElectron
 };