grpc: Move /posts/<id> to backend

apps/juxtaposition-ui/src/api/post.ts

@@ -0,0 +1,65 @@
+import { apiFetchUser } from '@/fetch';
+import type { UserTokens } from '@/fetch';
+
+/* !!! HEY
+ * This type lives in apps/miiverse-api/src/services/internal/contract/post.ts
+ * Modify it there and copy-paste here! */
+
+/* This type is the contract for the frontend. If we make changes to the db, this shape should be kept. */
+export type PostDto = {
+	id: string;
+	title_id?: string; // number
+	screen_name: string;
+	body: string;
+	app_data?: string; // nintendo base64
+
+	painting?: string; // base64 or '', undef for PMs
+	screenshot?: string; // URL frag (leading /) or '', undef for PMs
+	screenshot_length?: number;
+
+	search_key?: string[]; // can be []
+	topic_tag?: string; // can be ''
+
+	community_id: string; // number
+	created_at: string; // ISO Z
+	feeling_id?: number;
+
+	is_autopost: boolean;
+	is_community_private_autopost: boolean;
+	is_spoiler: boolean;
+	is_app_jumpable: boolean;
+
+	empathy_count: number;
+	country_id: number;
+	language_id: number;
+
+	mii: string; // nintendo base64
+	mii_face_url: string; // full URL (cdn., r2-cdn.)
+
+	pid: number;
+	platform_id?: number;
+	region_id?: number;
+	parent: string | null;
+
+	reply_count: number;
+	verified: boolean;
+
+	message_to_pid: string | null;
+	removed: boolean;
+	removed_by?: number;
+	removed_at?: string; // ISO Z
+	removed_reason?: string;
+
+	yeahs: number[];
+};
+
+/**
+ * Fetches a Post for a given ID.
+ * @param tokens User to perform fetch as. Responses will be according to this users' permissions (user, moderator etc.)
+ * @param post_id The ID of the post to get.
+ * @returns Post object
+ */
+export async function getPostById(tokens: UserTokens, post_id: string): Promise<PostDto | null> {
+	const post = await apiFetchUser<PostDto>(tokens, `/api/v1/posts/${post_id}`);
+	return post;
+}

apps/juxtaposition-ui/src/config.ts

@@ -9,6 +9,8 @@ const schema = z.object({
 	logSensitive: zodCoercedBoolean().default(false),
 	httpPort: z.coerce.number().default(8080),
 	httpCookieDomain: z.string().default('.pretendo.network'),
+	/** "Safe" base origin for login-redirect validation */
+	httpBaseUrl: z.string().default('https://juxt.pretendo.network'),
 	/** Configures proxy trust (X-Forwarded-For etc.). Can be `true` to unconditionally trust, or
 	 *  provide a numeric hop count, or comma-seperated CIDR ranges.
 	 *  See https://expressjs.com/en/guide/behind-proxies.html
@@ -94,7 +96,8 @@ export const config = {
 	http: {
 		port: unmappedConfig.httpPort,
 		cookieDomain: unmappedConfig.httpCookieDomain,
-		trustProxy: unmappedConfig.httpTrustProxy
+		trustProxy: unmappedConfig.httpTrustProxy,
+		baseUrl: unmappedConfig.httpBaseUrl
 	},
 	metrics: {
 		enabled: unmappedConfig.metricsEnabled,

apps/juxtaposition-ui/src/fetch.ts

@@ -26,7 +26,7 @@ function isErrorHttpStatus(status: number): boolean {
 	return status >= 400 && status < 600;
 }
 
-export async function apiFetch<T>(path: string, options?: FetchOptions): Promise<T> {
+export async function apiFetch<T>(path: string, options?: FetchOptions): Promise<T | null> {
 	const defaultedOptions = {
 		method: 'GET',
 		headers: {},
@@ -45,7 +45,9 @@ export async function apiFetch<T>(path: string, options?: FetchOptions): Promise
 		metadata
 	});
 
-	if (isErrorHttpStatus(response.status)) {
+	if (response.status === 404) {
+		return null;
+	} else if (isErrorHttpStatus(response.status)) {
 		throw FetchError(response, `HTTP error! status: ${response.status} ${response.payload}`);
 	}
 
@@ -57,7 +59,7 @@ export type UserTokens = {
 	oauthToken?: string;
 };
 
-export async function apiFetchUser<T>(tokens: UserTokens, path: string, options?: FetchOptions): Promise<T> {
+export async function apiFetchUser<T>(tokens: UserTokens, path: string, options?: FetchOptions): Promise<T | null> {
 	options = {
 		...options,
 		headers: {

apps/juxtaposition-ui/src/services/juxt-web/routes/console/posts.js

@@ -12,7 +12,7 @@ const upload = multer({ dest: 'uploads/' });
 const redis = require('@/redisCache');
 const { config } = require('@/config');
 const router = express.Router();
-const backend = require('@/backend');
+const { getPostById } = require('@/api/post');
 
 const postLimit = rateLimit({
 	windowMs: 15 * 1000, // 30 seconds
@@ -42,7 +42,10 @@ const yeahLimit = rateLimit({
 });
 
 router.get('/:post_id/oembed.json', async function (req, res) {
-	const post = await backend.getPostById(req.tokens, req.params.post_id);
+	const post = await getPostById(req.tokens, req.params.post_id);
+	if (!post) {
+		return res.sendStatus(404);
+	}
 	const doc = {
 		author_name: post.screen_name,
 		author_url: 'https://juxt.pretendo.network/users/show?pid=' + post.pid
@@ -110,9 +113,15 @@ router.get('/:post_id', async function (req, res) {
 	const userSettings = await database.getUserSettings(req.pid);
 	const userContent = await database.getUserContent(req.pid);
 
-	const post = await backend.getPostById(req.tokens, req.params.post_id);
+	const post = await getPostById(req.tokens, req.params.post_id);
+	if (!post) {
+		return res.redirect('/404');
+	}
 	if (post.parent) {
-		const parent = await backend.getPostById(req.tokens, post.parent);
+		const parent = await getPostById(req.tokens, post.parent);
+		if (!parent) {
+			return res.redirect('/404');
+		}
 		return res.redirect(`/posts/${parent.id}`);
 	}
 	const community = await database.getCommunityByID(post.community_id);
@@ -161,7 +170,7 @@ router.post('/:post_id/new', postLimit, upload.none(), async function (req, res)
 
 router.post('/:post_id/report', upload.none(), async function (req, res) {
 	const { reason, message, post_id } = req.body;
-	const post = await backend.getPostByID(req.tokens, post_id);
+	const post = await getPostById(req.tokens, post_id);
 	if (!reason || !post_id || !post) {
 		return res.redirect('/404');
 	}

apps/juxtaposition-ui/src/services/juxt-web/routes/web/login.js

@@ -65,7 +65,11 @@ router.post('/', async (req, res) => {
 	res.cookie('access_token', login.accessToken, { domain: cookieDomain, maxAge: expiration });
 	res.cookie('refresh_token', login.refreshToken, { domain: cookieDomain });
 	res.cookie('token_type', 'Bearer', { domain: cookieDomain });
-	res.redirect(redirect);
+
+	/* Only allow relative URLs (leading /) or absolute ones on config.http.baseUrl. */
+	const safe_redirect = new URL(redirect, config.http.baseUrl).origin == config.http.baseUrl ? redirect : '/';
+
+	res.redirect(safe_redirect);
 });
 
 module.exports = router;

apps/miiverse-api/package.json

@@ -23,10 +23,11 @@
 		"express": "^4.17.1",
 		"express-async-errors": "^3.1.1",
 		"express-prom-bundle": "^7.0.2",
+		"express-rate-limit": "^7.5.0",
 		"express-subdomain": "^1.0.5",
 		"fs-extra": "^9.0.0",
 		"moment": "^2.24.0",
-		"mongoose": "^6.10.1",
+		"mongoose": "^8.15.1",
 		"multer": "^1.4.5-lts.1",
 		"nice-grpc": "^2.1.12",
 		"node-snowflake": "0.0.1",

apps/miiverse-api/src/database.ts

@@ -11,7 +11,7 @@ import type { HydratedConversationDocument } from '@/types/mongoose/conversation
 import type { HydratedContentDocument } from '@/types/mongoose/content';
 import type { HydratedSettingsDocument } from '@/types/mongoose/settings';
 import type { HydratedEndpointDocument } from '@/types/mongoose/endpoint';
-import type { HydratedPostDocument, IPost } from '@/types/mongoose/post';
+import type { HydratedPostDocument, IPostInput } from '@/types/mongoose/post';
 import type { HydratedCommunityDocument } from '@/types/mongoose/community';
 
 let connection: mongoose.Connection;
@@ -97,7 +97,7 @@ export async function getPostReplies(postID: string, limit: number): Promise<Hyd
 	}).limit(limit);
 }
 
-export async function getDuplicatePosts(pid: number, post: IPost): Promise<HydratedPostDocument | null> {
+export async function getDuplicatePosts(pid: number, post: IPostInput): Promise<HydratedPostDocument | null> {
 	verifyConnected();
 
 	return Post.findOne({