From 9e1ec8a67360c2d2ac23e061950b93ee265ec077 Mon Sep 17 00:00:00 2001 From: TomatoCake <60300461+DEVTomatoCake@users.noreply.github.com> Date: Wed, 5 Jun 2024 07:19:30 +0200 Subject: [PATCH] Ban API compat & Bulk Ban endpoint (#1120) Co-authored-by: Madeline <46743919+MaddyUnderStars@users.noreply.github.com> --- .../email_templates/new_login_location.html | 3 +- .../password_reset_request.html | 3 +- assets/email_templates/verify_email.html | 1 - assets/openapi.json | Bin 581350 -> 573995 bytes assets/schemas.json | Bin 20473634 -> 18446882 bytes package.json | 1 + src/api/routes/guilds/#guild_id/bans.ts | 33 +++-- src/api/routes/guilds/#guild_id/bulk-ban.ts | 130 ++++++++++++++++++ src/api/util/handlers/route.ts | 24 ++-- src/util/schemas/BulkBanSchema.ts | 22 +++ src/util/util/Constants.ts | 9 +- 11 files changed, 193 insertions(+), 33 deletions(-) create mode 100644 src/api/routes/guilds/#guild_id/bulk-ban.ts create mode 100644 src/util/schemas/BulkBanSchema.ts diff --git a/assets/email_templates/new_login_location.html b/assets/email_templates/new_login_location.html index 8c188def..f1c5f8c5 100644 --- a/assets/email_templates/new_login_location.html +++ b/assets/email_templates/new_login_location.html @@ -73,7 +73,6 @@ @p;7L1AnEq z?@eLaRXY8`WhR#G?`|<|Wt?7qi>YLKLL`&N^bIwPa??NXGe%9%w_{}A{_i+bJL7b} zU5xi8KTu`e9{-q0mSg&>1B^V=3wAQfPEVM}A+X)%E>j@$^!i=Q?Cs63nShuXh*^M` zb$jz`wzgol(wuDFq{QhPm#~UVFOXrCnXVwjCO&;$1pBe+0c%*kO)8R|Y@o`qJ>W3= zea7t{wzAG<-p*mquERE6$B$iX`hk0FMhL~*P2JfeS-0~Eadx4UKp#we^uc5& zJ2T(R@B8Na{l4$xi~D|<-#63m&T7!q9^J5PEn?O8s=7|26|fQ#xT z4A=i4We`+^D)2{%#p2HuJ%&&T&P%zPSw)-kGi>E-HjG|Cd&!HNj&i4eLPc!3w}ixE zRA-s<`&oSO5R)6L;L}B;YJ=3|`vaD2_fpx4(TLWq(Jony*qWis z+$2*q(ks&_9iX}`Yr3rR&otHH3byuiKF?8^6PwUahuKk5=%7}%PgWh)oK?8J3zuyskJEGyok&?&#@G3R8jG>DIxpO+mE6p#$q|#`XiT~0bvY@Gz=lq8 zg`yq`8w&RPHT!I^#=~i1&DT8a$nsvt?mQ2_Bq~x1wPHLkY}8jH7KK$y1LZs9!4U({ zZ-SSNPPyS%1?Rx!66}Ke`*DtF#MHqd4(i>NoKTZ?X(o->>`F8X)_*2XvUourv^U~R zhy}3c^)X*!%!g_h!TUXW$U5I{hk%04K|sO^$RnsSvG4%hK8HG-ve**7kNGPK9;@;tTTCOc{*17P6}E`*(VM7J>fw)5H(S^L9HA5c zL5^no-Nk}*{Cv!$mX$1~av1p*70g~v`z0GLeIiMT$pD@mg7vSE2vZ+oJyHA_o0maFdqURgby)s`i|?35X4I*0@XL9`owyv zG>_h4Vq&6LDk89QRpL$H8{&buB7KpVStcHoxK$>-EJCq~av;!&Trl&9+=X>NhnNlt kyJ7Vr*#k2n*BHECD#>tar#laV?}|ASbBdIhQ{3j{pRQ?}WB>pF diff --git a/assets/schemas.json b/assets/schemas.json index ecc87b03290a04a5a4311cf723c224abb54bc159..7a57dfcf5dac412b69d459413e85bcc0240fe948 100644 GIT binary patch delta 5850 zcma)=X;4#F6vyX=KnO7*AcRE{M5$W}!XV&o)Z&H>8Ar5Hqz^uDAeoq_ zaF;v&Onc;!O&os~_w!1(KS=B2Rh5okgLnFR+HX&UhCXT+7`H3P4>&`F75MuLqG>}y z@Guc_u0Ab#HG!~s&Nrzwae=f;42T*eWd2$)J zj06r0g|pislZ;8&GiH4v<<{J47$l!f1@ONX7uaL*3DzXM?x1kRZbXbSxlBRa|_JRQNo^ph1b`k^7h z?8FWeUAi^$6hf5NT#WW|Md&RSk1iG?xc$1Z%T);O*!J-ynD=P@UUvm!H^yah6=G$q zrrL1gLW^}VX$b4@=tG}Poq^D%g*DSBU}C=HX>5i&J4TQlsgI|cD7}$D|FL>!xDly0 zKy}ghkzgosa);}Q9s#z!PYqqMp@a&^PzmLu^&KLpU#peU9X+wrFz$@ZF<|nKPOOa~Fgu`{6Jolj- z;rchT%)tmh=-REHufXK|mMi%`A)KT{ys?v+dqQXnr)~;k&gdoL>SgtpKNEG4IB zLglSsTT3?_+V!Pfh?H7cP*#TVr0V>EQp~OqI3fAplq(Q1qoq-Y^Dx{w)6s5(aVqpU zJ{Y~;wi6rO*ujDJNvVBl%PrF#EJ^=984l9|Kg1Z4g}7Xx{tU}j_5BP@Z41w4`HfVN!2AYBAec| zZ?#XZBx6)-2mLsR8PvxdR1z4SF4xFrrgq8xa5= z^&{rndo<8!#Qy(IWUx*n?)TqS)9O%H$n5m?5+2dOvqi=^keKAJg1SJl3e3sZ_OlZG zkubaMz0ty~TN{#CN=+O@FO>Vi&in`Kpm(8M4TiM7KA@|S`a{7Xvh&Y3G)5~Hu3`q^InA=52j?zD0A7`u4wy>TY#FrE3HT5E_?i+QC zl(4PZUlzQWg;xFfnmNAB{8@et! znq$JT(NcbNcOcOtymz$Ze5iH+S%z_6=(6Q}OiD1>fS|2u`v;LF>_wJL%3hW}DJcVz zl8kz&mh1e$&{`P;H$9dHf+2K#kfqv90h!*pO1Lg_a)I-YJVN2-jAoVNbd38*C4sy` zB7=ZCXNI!P@us^&$O?r2yjh_o)rctaw!y{+u|)hA`NK&Z#ilw}$2w0JB=QkB?aTS$0E3!?8T8l3zdQfnTF%;NMs_2+IXMaEYa^Rfg zCfu9ceC{{T@3}A8e)c2N_ScSw?6c^jrrDHgyTk3VRk)|tD0aJAm+i~d&!S6xVZqc| zkZSeGx)|E`j%=aJePIS^KAqXAkN340vVv+hLj!M-!E|kvng+=M-t1CU!QmTvf6@^Temib@am1UDR=v-XzOjW5=UG!8=*$8@y z%(Aa{b_|uhZ8Fo+*W;6@^VM~!Klm2Nsb0=AxSbBWo2E2GMs4jpY?dPF^RBKNXkfWy zq7Mhc;>cTcDm5^-pmIkgNjI6}$a$hPm0FU55(CSpUS*m-QYo)fOFb@Csh_0Sn|?xf zeQwGMJV#quA(XShGR`+xm}=1G(X_yK{F(Ug<{P58TuM`MV^tMdOwrd<=aVNV29?)2 zXiDd}Sn}@MHYzYlU*&Ms)0CCTlLB|8+o^S7zBZe0A16CSCVY2SS5Zf~qowbjFqW28 zU0&FHWnrpITgCGC{#dnTmjA~z?e+f9v;}Up^6Kdobq>4#bNk*rWvl;HPg6X~H`D3a zi8Dj4eB6oF+uaWP)&Ip&t4*OJ%cU4fn_;&2O~eLZB={{{{cMka8Y$}KXe#p>BB<=C zE(7)Yq!4oKJeL`y;RrDGubCM^iqlC4=Y`8OIOagHuWWW6U0N0$On>RmPj5RguU4w2 zh9mkhZBdKtwEu~UnKamubrb2%$B*$p8dj}(N>$HPhoja;tx3iV|3riK2B#}@{0`j+ zn)7I=`T7#o<$up^*;Av+Zl_vdtFoz;vQpu(Iqb6bkgO^dHL_Z#)~j}pY_rRX_Sa8< z4vyA)9~ca>QpuyCmMl-B%kIANpj@FbwP{9GddbkY=fjX~OiXyncM1d{h!LIQKo|6k@VFIVasRoSW7T>ouB#%0SU+qBKx z*ZSO8ZFS7oHtFTxPNO5+h9w79dF!#+iF9#Uw2{)6=;QU;%W+ZeZ?coVS$WbIvlDdI zYO?GJPW-o(JogQKg04pK9q&va>2Q214c`--F!bKaa|`o=)uD~|c)OIZx0WkzIuaM2 zC{@t5((EKENi~>g)QJgkH2B2&6obR5G&Iu4jpGxC`ERK%wbJHNE2wp1P&B=sUr-b^ zPs@?3H)G|NoLK(~i<~yU#^#oXws5yRrQ}BKlhfXJl~SR~F4gH$-P*g-J}&Lf&|GA9 zAPxKUrA=1a9+wSP>j{ucB%{oHIne;L?q!*;98M{{>ViV{@)}a zwH*#KcaPLJ=*U@iM+&~{wR!~K^_;%zgQu_bmlia)Ze1?jYtNeo<1o&wp7k|{gmu3g zT#gXOfQ{vVt-Cp7lY|Nd-3X4|h(LP(EbMJPc`sz41oyWDQG#>W{H~`Z`H|k`o;0{$h&QE zIQ32nkMbW;=RX`RQFLzHI73Hk9xF%;OiMj2C1^KH)Y*|~qi}0{^3d^YgU=bv-CI+? zG-8JkIxft12#LjWbwAYsHehpuy=smAZoo#5oZBI(;?SPpLlP1jiOnpr14kH&%C}6- z2Iz)vX1c{5Q`iF3BdABX)gz?A4i#_wID7+&66ofpTV#|+9t3Q_W(RxUM$3JuM*y1} zY|>yG#IOTVO^9vi=B8WR@<~iBU;{Qg*e%iV_XMHwhsGbX#vf_04dTt>#9fGO#5T9s z9@0I_ksN74b|br4X7`xwsXje)LpL+s;_f4IeJo%DHaFP68$N0?#*(PExmDXDVan*2 zQHlUIJJ^pqGoHlWNWkU=yHF9Z!l}Wz+)czl^F3>PR=tr%HBUL zIdGYW`<#o6VtRRAiAglq=gmdbBkFlY{Uk+f-hAEdfDPE}V88m}_?t261Z-Zg3l#C* zm-)>|Y`|s*JAFif8?XVJ9c<<1!XjL$1hCn`u31&I35gBZ++dRiJ6!ZXHl-4}p_`j- z@zv3(U!XMt*z92Mmu@(P#0G43u&c9YwufPdJa)*l+99tsvtO#b$%e#6VzW!^^WIs2 zodMX~U{gy>sa|9~H#-Kg4c$C-N1QC#4c*YqO}EgpyB&=`z-9+~uy{c#5*x6&!6ps1 zUL3YBS{aP)AG&|cx_?8uBRUs9jw_WQyV+%TS^s&HSl54BG%6G5W~bXP(=9aJ ze?_$o*xX=KAhs8ts`&&5x2UW(Rw$w0s?412#L@O<608aCj?VvxD8T^p0?xZUflt zU@us|8V9xFqs4Tw1_MaoW`|p}e$di^as=fFx6~H@FyFleXOIClJJ`2P z{sk_xgHnWFDUx5et_8hpBsROmZfXDZ8I&S`%?&oSM8}7TX)muIhS-K~j=BvZ|U?ORxoC z3t+Ydh!d(v!f+FH3%9yOywdvgS-=KtZm_AS>;)5jekmfHUfXC{<9j`7Dy5#55(0Hg zM~Xhlf5X?YDtqd6miyhW!{sqAf&nU>iH1vyLc~JScgXl{^oK=PSV)teLSEA6(OWe+Xa$HZ$1%f@cd{ z!!tP$VIof`rzF&oH*k)#%j8*$18m_sy_S|r6H(bLtGuPro!#k^ufDPEpVAI&011LnW2a?+!NV>0o za5M56dCe`awXO)deaLHWc`ZuQKZ-OUuo2kY0^5IvrN~?O@rMb}4c**y4?K91;2N&E zxh_2P8QLN!v$>VowEfJft;lQSHMhJDT*qYmQcFB#i$gPfgAW?0G3E46KpoVXQ5UOb zez^jdK1OZAt~SwX?ojGmeir?0;O2%~WNbgzfS>ULY<95A`p>_QOJf2yH`o-oLPNyY z7cNF(6p2wJvr*)b?l;F@%)w9++08S%k5*n@gpwP&+3D`s)nMwm&?-rFD7?X&8}FX% z=Yyn8kPX?~WN-b|rv}M}(IiHb%tn(vHx`FVE<`pWn^$B{QfS3sOx)0q`n?xdYV7IU z5+RMzQSXl65W1&Smx(Y(m@^A=@((X*O>THhz. */ @@ -19,7 +19,6 @@ import { getIpAdress, route } from "@spacebar/api"; import { Ban, - BanModeratorSchema, BanRegistrySchema, DiscordApiErrors, GuildBanAddEvent, @@ -82,7 +81,7 @@ router.get( ); router.get( - "/:user", + "/:user_id", route({ permission: "BAN_MEMBERS", responses: { @@ -98,23 +97,21 @@ router.get( }, }), async (req: Request, res: Response) => { - const { guild_id } = req.params; - const user_id = req.params.ban; + const { guild_id, user_id } = req.params; - let ban = (await Ban.findOneOrFail({ + const ban = (await Ban.findOneOrFail({ where: { guild_id: guild_id, user_id: user_id }, })) as BanRegistrySchema; if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // pretend self-bans don't exist to prevent victim chasing - /* Filter secret from registry. */ + const banInfo = { + user: await User.getPublicUser(ban.user_id), + reason: ban.reason, + }; - ban = ban as BanModeratorSchema; - - delete ban.ip; - - return res.json(ban); + return res.json(banInfo); }, ); @@ -151,6 +148,12 @@ router.put( if (req.permission?.cache.guild?.owner_id === banned_user_id) throw new HTTPError("You can't ban the owner", 400); + const existingBan = await Ban.findOne({ + where: { guild_id: guild_id, user_id: banned_user_id }, + }); + // Bans on already banned users are silently ignored + if (existingBan) return res.status(204).send(); + const banned_user = await User.getPublicUser(banned_user_id); const ban = Ban.create({ @@ -174,7 +177,7 @@ router.put( } as GuildBanAddEvent), ]); - return res.json(ban); + return res.status(204).send(); }, ); diff --git a/src/api/routes/guilds/#guild_id/bulk-ban.ts b/src/api/routes/guilds/#guild_id/bulk-ban.ts new file mode 100644 index 00000000..f544103a --- /dev/null +++ b/src/api/routes/guilds/#guild_id/bulk-ban.ts @@ -0,0 +1,130 @@ +/* + Spacebar: A FOSS re-implementation and extension of the Discord.com backend. + Copyright (C) 2023 Spacebar and Spacebar Contributors + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +import { getIpAdress, route } from "@spacebar/api"; +import { + Ban, + DiscordApiErrors, + GuildBanAddEvent, + Member, + User, + emitEvent, +} from "@spacebar/util"; +import { Request, Response, Router } from "express"; +import { HTTPError } from "lambert-server"; + +const router: Router = Router(); + +router.post( + "/", + route({ + requestBody: "BulkBanSchema", + permission: ["BAN_MEMBERS", "MANAGE_GUILD"], + responses: { + 200: { + body: "Ban", + }, + 400: { + body: "APIErrorResponse", + }, + 403: { + body: "APIErrorResponse", + }, + }, + }), + async (req: Request, res: Response) => { + const { guild_id } = req.params; + + const userIds: Array = req.body.user_ids; + if (!userIds) throw new HTTPError("The user_ids array is missing", 400); + if (userIds.length > 200) + throw new HTTPError( + "The user_ids array must be between 1 and 200 in length", + 400, + ); + + const banned_users = []; + const failed_users = []; + for await (const banned_user_id of userIds) { + if ( + req.user_id === banned_user_id && + banned_user_id === req.permission?.cache.guild?.owner_id + ) { + failed_users.push(banned_user_id); + continue; + } + + if (req.permission?.cache.guild?.owner_id === banned_user_id) { + failed_users.push(banned_user_id); + continue; + } + + const existingBan = await Ban.findOne({ + where: { guild_id: guild_id, user_id: banned_user_id }, + }); + if (existingBan) { + failed_users.push(banned_user_id); + continue; + } + + let banned_user; + try { + banned_user = await User.getPublicUser(banned_user_id); + } catch { + failed_users.push(banned_user_id); + continue; + } + + const ban = Ban.create({ + user_id: banned_user_id, + guild_id: guild_id, + ip: getIpAdress(req), + executor_id: req.user_id, + reason: req.body.reason, // || otherwise empty + }); + + try { + await Promise.all([ + Member.removeFromGuild(banned_user_id, guild_id), + ban.save(), + emitEvent({ + event: "GUILD_BAN_ADD", + data: { + guild_id: guild_id, + user: banned_user, + }, + guild_id: guild_id, + } as GuildBanAddEvent), + ]); + banned_users.push(banned_user_id); + } catch { + failed_users.push(banned_user_id); + continue; + } + } + + if (banned_users.length === 0 && failed_users.length > 0) + throw DiscordApiErrors.BULK_BAN_FAILED; + return res.json({ + banned_users: banned_users, + failed_users: failed_users, + }); + }, +); + +export default router; diff --git a/src/api/util/handlers/route.ts b/src/api/util/handlers/route.ts index 5a0b48e6..2c98783a 100644 --- a/src/api/util/handlers/route.ts +++ b/src/api/util/handlers/route.ts @@ -1,17 +1,17 @@ /* Spacebar: A FOSS re-implementation and extension of the Discord.com backend. Copyright (C) 2023 Spacebar and Spacebar Contributors - + This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. - + You should have received a copy of the GNU Affero General Public License along with this program. If not, see . */ @@ -90,19 +90,23 @@ export function route(opts: RouteOptions) { return async (req: Request, res: Response, next: NextFunction) => { if (opts.permission) { - const required = new Permissions(opts.permission); req.permission = await getPermission( req.user_id, req.params.guild_id, req.params.channel_id, ); - // bitfield comparison: check if user lacks certain permission - if (!req.permission.has(required)) { - throw DiscordApiErrors.MISSING_PERMISSIONS.withParams( - opts.permission as string, - ); - } + const requiredPerms = Array.isArray(opts.permission) + ? opts.permission + : [opts.permission]; + requiredPerms.forEach((perm) => { + // bitfield comparison: check if user lacks certain permission + if (!req.permission!.has(new Permissions(perm))) { + throw DiscordApiErrors.MISSING_PERMISSIONS.withParams( + perm as string, + ); + } + }); } if (opts.right) { diff --git a/src/util/schemas/BulkBanSchema.ts b/src/util/schemas/BulkBanSchema.ts new file mode 100644 index 00000000..48a7bac8 --- /dev/null +++ b/src/util/schemas/BulkBanSchema.ts @@ -0,0 +1,22 @@ +/* + Spacebar: A FOSS re-implementation and extension of the Discord.com backend. + Copyright (C) 2023 Spacebar and Spacebar Contributors + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +export interface BulkBanSchema { + user_ids: string[]; + delete_message_seconds?: number; +} diff --git a/src/util/util/Constants.ts b/src/util/util/Constants.ts index e68bb0b7..98ae2d31 100644 --- a/src/util/util/Constants.ts +++ b/src/util/util/Constants.ts @@ -1,17 +1,17 @@ /* Spacebar: A FOSS re-implementation and extension of the Discord.com backend. Copyright (C) 2023 Spacebar and Spacebar Contributors - + This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. - + You should have received a copy of the GNU Affero General Public License along with this program. If not, see . */ @@ -553,6 +553,8 @@ export const VerificationLevels = [ * * LOTTIE_ANIMATION_MAXIMUM_DIMENSIONS * * STICKER_FRAME_RATE_TOO_SMALL_OR_TOO_LARGE * * STICKER_ANIMATION_DURATION_MAXIMUM + * * AUTOMODERATOR_BLOCK + * * BULK_BAN_FAILED * * UNKNOWN_VOICE_STATE * @typedef {string} APIError */ @@ -1001,6 +1003,7 @@ export const DiscordApiErrors = { "Message was blocked by automatic moderation", 200000, ), + BULK_BAN_FAILED: new ApiError("Failed to ban users", 500000), //Other errors UNKNOWN_VOICE_STATE: new ApiError("Unknown Voice State", 10065, 404),