Upload and download attachments, and added License file

src/api/core/accounts.rs

@@ -31,7 +31,7 @@ struct KeysData {
 
 #[post("/accounts/register", data = "<data>")]
 fn register(data: Json<RegisterData>, conn: DbConn) -> Result<(), BadRequest<Json>> {
-    if CONFIG.signups_allowed {
+    if !CONFIG.signups_allowed {
         err!(format!("Signups not allowed"))
     }
     println!("DEBUG - {:#?}", data);
@@ -81,7 +81,7 @@ fn post_keys(data: Json<KeysData>, headers: Headers, conn: DbConn) -> Result<Jso
 }
 
 #[post("/accounts/password", data = "<data>")]
-fn post_password(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
+fn post_password(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<(), BadRequest<Json>> {
     let key = data["key"].as_str().unwrap();
     let password_hash = data["masterPasswordHash"].as_str().unwrap();
     let new_password_hash = data["newMasterPasswordHash"].as_str().unwrap();
@@ -94,14 +94,13 @@ fn post_password(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<Js
 
     user.set_password(new_password_hash);
     user.key = key.to_string();
-
     user.save(&conn);
 
-    Ok(Json(json!({})))
+    Ok(())
 }
 
 #[post("/accounts/security-stamp", data = "<data>")]
-fn post_sstamp(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
+fn post_sstamp(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<(), BadRequest<Json>> {
     let password_hash = data["masterPasswordHash"].as_str().unwrap();
 
     let mut user = headers.user;
@@ -111,14 +110,15 @@ fn post_sstamp(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<Json
     }
 
     user.reset_security_stamp();
+    user.save(&conn);
 
-    Ok(Json(json!({})))
+    Ok(())
 }
 
 #[post("/accounts/email-token", data = "<data>")]
-fn post_email(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
-    println!("{:#?}", data);
+fn post_email(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<(), BadRequest<Json>> {
     let password_hash = data["masterPasswordHash"].as_str().unwrap();
+    let new_email = data["newEmail"].as_str().unwrap();
 
     let mut user = headers.user;
 
@@ -126,11 +126,18 @@ fn post_email(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<Json,
         err!("Invalid password")
     }
 
-    err!("Not implemented")
+    if User::find_by_mail(new_email, &conn).is_some() {
+        err!("Email already in use");
+    }
+
+    user.email = new_email.to_string();
+    user.save(&conn);
+
+    Ok(())
 }
 
 #[post("/accounts/delete", data = "<data>")]
-fn delete_account(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
+fn delete_account(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<(), BadRequest<Json>> {
     let password_hash = data["masterPasswordHash"].as_str().unwrap();
 
     let mut user = headers.user;
@@ -139,6 +146,10 @@ fn delete_account(data: Json<Value>, headers: Headers, conn: DbConn) -> Result<J
         err!("Invalid password")
     }
 
+    // Delete all ciphers by user_uuid
+    // Delete all devices by user_uuid
+    // Delete user
+
     err!("Not implemented")
 }
 

src/api/core/ciphers.rs

@@ -1,4 +1,5 @@
 use std::io::{Cursor, Read};
+use std::path::Path;
 
 use rocket::{Route, Data};
 use rocket::http::ContentType;
@@ -6,14 +7,21 @@ use rocket::response::status::BadRequest;
 
 use rocket_contrib::{Json, Value};
 
-use multipart::server::Multipart;
+use multipart::server::{Multipart, SaveResult};
+use multipart::server::save::SavedData;
+
+use data_encoding::HEXLOWER;
 
 use db::DbConn;
 use db::models::*;
+
 use util;
+use crypto;
 
 use auth::Headers;
 
+use CONFIG;
+
 #[get("/sync")]
 fn sync(headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
     let user = headers.user;
@@ -22,7 +30,7 @@ fn sync(headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
     let folders_json: Vec<Value> = folders.iter().map(|c| c.to_json()).collect();
 
     let ciphers = Cipher::find_by_user(&user.uuid, &conn);
-    let ciphers_json: Vec<Value> = ciphers.iter().map(|c| c.to_json()).collect();
+    let ciphers_json: Vec<Value> = ciphers.iter().map(|c| c.to_json(&conn)).collect();
 
     Ok(Json(json!({
         "Profile": user.to_json(),
@@ -42,7 +50,7 @@ fn sync(headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
 fn get_ciphers(headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
     let ciphers = Cipher::find_by_user(&headers.user.uuid, &conn);
 
-    let ciphers_json: Vec<Value> = ciphers.iter().map(|c| c.to_json()).collect();
+    let ciphers_json: Vec<Value> = ciphers.iter().map(|c| c.to_json(&conn)).collect();
 
     Ok(Json(json!({
       "Data": ciphers_json,
@@ -58,10 +66,10 @@ fn get_cipher(uuid: String, headers: Headers, conn: DbConn) -> Result<Json, BadR
     };
 
     if cipher.user_uuid != headers.user.uuid {
-        err!("Cipher is now owned by user")
+        err!("Cipher is not owned by user")
     }
 
-    Ok(Json(cipher.to_json()))
+    Ok(Json(cipher.to_json(&conn)))
 }
 
 #[derive(Deserialize, Debug)]
@@ -86,7 +94,15 @@ fn post_ciphers(data: Json<CipherData>, headers: Headers, conn: DbConn) -> Resul
                                  data.favorite.unwrap_or(false));
 
     if let Some(ref folder_id) = data.folderId {
-        // TODO: Validate folder is owned by user
+        match Folder::find_by_uuid(folder_id, &conn) {
+            Some(folder) => {
+                if folder.user_uuid != headers.user.uuid {
+                    err!("Folder is not owned by user")
+                }
+            }
+            None => err!("Folder doesn't exist")
+        }
+
         cipher.folder_uuid = Some(folder_id.clone());
     }
 
@@ -107,7 +123,7 @@ fn post_ciphers(data: Json<CipherData>, headers: Headers, conn: DbConn) -> Resul
 
     cipher.save(&conn);
 
-    Ok(Json(cipher.to_json()))
+    Ok(Json(cipher.to_json(&conn)))
 }
 
 fn value_from_data(data: &CipherData) -> Result<Value, &'static str> {
@@ -180,48 +196,77 @@ fn post_ciphers_import(data: Json<Value>, headers: Headers, conn: DbConn) -> Res
 
 #[post("/ciphers/<uuid>/attachment", format = "multipart/form-data", data = "<data>")]
 fn post_attachment(uuid: String, data: Data, content_type: &ContentType, headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
-    // TODO: Check if cipher exists
+    let cipher = match Cipher::find_by_uuid(&uuid, &conn) {
+        Some(cipher) => cipher,
+        None => err!("Cipher doesn't exist")
+    };
 
-    let mut params = content_type.params();
-    let boundary_pair = params.next().expect("No boundary provided"); // ("boundary", "----WebKitFormBoundary...")
-    let boundary = boundary_pair.1;
-
-    use data_encoding::BASE64URL;
-    use crypto;
-    use CONFIG;
-
-    // TODO: Maybe use the same format as the official server?
-    let attachment_id = BASE64URL.encode(&crypto::get_random_64());
-    let path = format!("{}/{}/{}", CONFIG.attachments_folder,
-                       headers.user.uuid, attachment_id);
-    println!("Path {:#?}", path);
-
-    let mut mp = Multipart::with_body(data.open(), boundary);
-    match mp.save().with_dir(path).into_entries() {
-        Some(entries) => {
-            println!("Entries {:#?}", entries);
-
-            let saved_file = &entries.files["data"][0]; // Only one file at a time
-            let file_name = &saved_file.filename; // This is provided by the client, don't trust it
-            let file_size = &saved_file.size;
-        }
-        None => err!("No data entries")
+    if cipher.user_uuid != headers.user.uuid {
+        err!("Cipher is not owned by user")
     }
 
-    err!("Not implemented")
+    let mut params = content_type.params();
+    let boundary_pair = params.next().expect("No boundary provided");
+    let boundary = boundary_pair.1;
+
+    let base_path = Path::new(&CONFIG.attachments_folder).join(&cipher.uuid);
+
+    Multipart::with_body(data.open(), boundary).foreach_entry(|mut field| {
+        let name = field.headers.filename.unwrap(); // This is provided by the client, don't trust it
+
+        let file_name = HEXLOWER.encode(&crypto::get_random(vec![0; 10]));
+        let path = base_path.join(&file_name);
+
+        let size = match field.data.save()
+            .memory_threshold(0)
+            .size_limit(None)
+            .with_path(path) {
+            SaveResult::Full(SavedData::File(path, size)) => size as i32,
+            _ => return
+        };
+
+        let attachment = Attachment::new(file_name, cipher.uuid.clone(), name, size);
+        println!("Attachment: {:#?}", attachment);
+        attachment.save(&conn);
+    });
+
+    Ok(Json(cipher.to_json(&conn)))
+}
+
+#[post("/ciphers/<uuid>/attachment/<attachment_id>/delete", data = "<data>")]
+fn delete_attachment_post(uuid: String, attachment_id: String, data: Json<Value>, headers: Headers, conn: DbConn) -> Result<(), BadRequest<Json>> {
+    // Data contains a json object with the id, but we don't need it
+    delete_attachment(uuid, attachment_id, headers, conn)
 }
 
 #[delete("/ciphers/<uuid>/attachment/<attachment_id>")]
-fn delete_attachment(uuid: String, attachment_id: String, headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
-    if uuid != headers.user.uuid {
-        err!("Permission denied")
+fn delete_attachment(uuid: String, attachment_id: String, headers: Headers, conn: DbConn) -> Result<(), BadRequest<Json>> {
+    let attachment = match Attachment::find_by_id(&attachment_id, &conn) {
+        Some(attachment) => attachment,
+        None => err!("Attachment doesn't exist")
+    };
+
+    if attachment.cipher_uuid != uuid {
+        err!("Attachment from other cipher")
+    }
+
+    let cipher = match Cipher::find_by_uuid(&uuid, &conn) {
+        Some(cipher) => cipher,
+        None => err!("Cipher doesn't exist")
+    };
+
+    if cipher.user_uuid != headers.user.uuid {
+        err!("Cipher is not owned by user")
     }
 
     // Delete file
+    let file = attachment.get_file_path();
+    util::delete_file(&file);
 
     // Delete entry in cipher
+    attachment.delete(&conn);
 
-    err!("Not implemented")
+    Ok(())
 }
 
 #[post("/ciphers/<uuid>")]

src/api/core/mod.rs

@@ -26,6 +26,7 @@ pub fn routes() -> Vec<Route> {
         post_ciphers,
         post_ciphers_import,
         post_attachment,
+        delete_attachment_post,
         delete_attachment,
         post_cipher,
         put_cipher,
@@ -89,12 +90,27 @@ fn clear_device_token(uuid: String) -> Result<Json, BadRequest<Json>> { err!("No
 fn put_device_token(uuid: String) -> Result<Json, BadRequest<Json>> { err!("Not implemented") }
 
 
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct EquivDomainData {
+    ExcludedGlobalEquivalentDomains: Vec<i32>,
+    EquivalentDomains: Vec<Vec<String>>,
+}
+
 #[get("/settings/domains")]
 fn get_eq_domains() -> Result<Json, BadRequest<Json>> {
     err!("Not implemented")
 }
 
-#[post("/settings/domains")]
-fn post_eq_domains() -> Result<Json, BadRequest<Json>> {
+#[post("/settings/domains", data = "<data>")]
+fn post_eq_domains(data: Json<EquivDomainData>, headers: Headers, conn: DbConn) -> Result<Json, BadRequest<Json>> {
+    let excluded_globals = &data.ExcludedGlobalEquivalentDomains;
+    let equivalent_domains = &data.EquivalentDomains;
+
+    let mut user = headers.user;
+
+
+    //BODY. "{\"ExcludedGlobalEquivalentDomains\":[2],\"EquivalentDomains\":[[\"uoc.edu\",\"uoc.es\"]]}"
+
     err!("Not implemented")
 }

src/api/core/two_factor.rs

@@ -20,10 +20,10 @@ fn get_twofactor(headers: Headers) -> Result<Json, BadRequest<Json>> {
         Value::Null
     } else {
         json!([{
-                "Enabled": true,
-                "Type": 0,
-                "Object": "twoFactorProvider"
-            }])
+            "Enabled": true,
+            "Type": 0,
+            "Object": "twoFactorProvider"
+        }])
     };
 
     Ok(Json(json!({