feat: allow unauthenticated uploads

Author: stonith404

.env.example

@@ -5,6 +5,7 @@ APP_URL=http://localhost:3000
 SHOW_HOME_PAGE=true
 ALLOW_REGISTRATION=true
 MAX_FILE_SIZE=1000000000
+ALLOW_UNAUTHENTICATED_SHARES=false
 
 # SECURITY
 JWT_SECRET=long-random-string

backend/.env.example

@@ -2,6 +2,7 @@
 APP_URL=http://localhost:3000
 ALLOW_REGISTRATION=true
 MAX_FILE_SIZE=5000000000
+ALLOW_UNAUTHENTICATED_SHARES=false
 
 # SECURITY
 JWT_SECRET=random-string

backend/prisma/schema.prisma

@@ -40,8 +40,8 @@ model Share {
   views        Int      @default(0)
   expiration   DateTime
 
-  creatorId String
-  creator   User           @relation(fields: [creatorId], references: [id])
+  creatorId String?
+  creator   User?           @relation(fields: [creatorId], references: [id])
   security  ShareSecurity?
   files     File[]
 }

backend/src/auth/guard/jwt.guard.ts

@@ -1,7 +1,14 @@
+import { ExecutionContext } from "@nestjs/common";
 import { AuthGuard } from "@nestjs/passport";
+import { Observable } from "rxjs";
 
 export class JwtGuard extends AuthGuard("jwt") {
   constructor() {
     super();
   }
+  canActivate(
+    context: ExecutionContext
+  ): boolean | Promise<boolean> | Observable<boolean> {
+    return  process.env.ALLOW_UNAUTHENTICATED_SHARES == "true" ? true : super.canActivate(context);
+  }
 }

backend/src/auth/strategy/jwt.strategy.ts

@@ -11,6 +11,7 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
     super({
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
       secretOrKey: config.get("JWT_SECRET"),
+    
     });
   }
 

backend/src/share/guard/shareOwner.guard.ts

@@ -28,6 +28,8 @@ export class ShareOwnerGuard implements CanActivate {
 
     if (!share) throw new NotFoundException("Share not found");
 
+    if(!share.creatorId) return true;
+
     return share.creatorId == (request.user as User).id;
   }
 }

backend/src/share/share.service.ts

@@ -24,7 +24,7 @@ export class ShareService {
     private jwtService: JwtService
   ) {}
 
-  async create(share: CreateShareDTO, user: User) {
+  async create(share: CreateShareDTO, user?: User) {
     if (!(await this.isShareIdAvailable(share.id)).isAvailable)
       throw new BadRequestException("Share id already in use");
 
@@ -58,7 +58,7 @@ export class ShareService {
       data: {
         ...share,
         expiration: expirationDate,
-        creator: { connect: { id: user.id } },
+        creator: { connect: user ? { id: user.id } : undefined },
         security: { create: share.security },
       },
     });
@@ -154,6 +154,8 @@ export class ShareService {
     });
 
     if (!share) throw new NotFoundException("Share not found");
+    if (!share.creatorId)
+      throw new ForbiddenException("Anonymous shares can't be deleted");
 
     await this.fileService.deleteAllFiles(shareId);
     await this.prisma.share.delete({ where: { id: shareId } });

frontend/.env.example

@@ -1,3 +1,4 @@
 SHOW_HOME_PAGE=true
 ALLOW_REGISTRATION=true
 MAX_FILE_SIZE=1000000000
+ALLOW_UNAUTHENTICATED_SHARES=false

frontend/next.config.js

@@ -5,6 +5,7 @@ const nextConfig = {
     ALLOW_REGISTRATION: process.env.ALLOW_REGISTRATION,
     SHOW_HOME_PAGE: process.env.SHOW_HOME_PAGE,
     MAX_FILE_SIZE: process.env.MAX_FILE_SIZE,
+    ALLOW_UNAUTHENTICATED_SHARES: process.env.ALLOW_UNAUTHENTICATED_SHARES
   }
 }