Download Token - bounty offered

chrismccoy

I have a members forum with files we attach, on the old forum, we used mod_auth_token to generate an expiring link so the real file could not be shared.

mod_auth_token is an apache module, it bascially took the md5 hash of the secret string, the hex value of the date, plus the filename.

Im looking to implement something simliar with nodebb.

If anyone has any suggestions, bascially just replacing the url that is spit in to the editor with the token url.

rbeer

Just to clarify, that I understood correctly:

A user uploads a file, it's stored on the server as, let's say, ./uploads/file-123.txt.
But instead of publishing https://yourboard.org/uploads/file-123.txt, you want https://yourboard.org/files/someHash, which expires after a configurable time?
But anyway, my credo is: Nothing's impossible in programming; only a matter of time.

I'm fairly new to nodeBB myself, but I have extended/created two plugins alongside some other minor fixes, so far:
topic-events and smoothshorts.
Leave me a message here or at [email protected] for specifics, in case you're interested.

yariplus

Sounds like a cool plugin!

chrismccoy

yes thats bascially it.

here is an example

/downloads/hello.zip (which accessed directly is denied)

the token version would be

/downloads/aa1469dd64687462ee30378e14d34105/55918ae6/hello.zip

the token is md5 hash of the secret string + filename + time in hex

final url is path + token + hextime + filename

Would probably be easy to edit a plugin like imgbed, instead of images, for zip files, and instead of linking to to markdown img format, generate the token and spit that out.

Bri

You'd probably need to hook into the uploader, as that's where the file path (and link) is being generated; the imgbed plugin only parses for certain urls and wraps it in the correct markdown syntax to make it display as an image instead of a link. I'm just not sure if there's a hook for the uploader...

rbeer

Indeed, there is: filter:uploadFile.

rbeer

@chrismccoy
Is this, more or less, what you are looking for?
Please consider this an early alpha preview, that will most definetly clutter the * peep * out of your log.

npm i nodebb-plugin-expiring-uploads

I've taken the liberty to replace the md5- with xx-hashs. MD5 is outdated since years and quite verbose (aa1469dd64687462ee30378e14d34105 vs. 6edebbb6).
The outcoming url is of the form:
ht*p://nodebb/uploads/xxhash/CreationTimestamp-in-hex/filename.ext
e.g. ht*p://lsw.local/uploads/705bab4a/14e6b6e49dc/droid-sans-mono.zip

The seed of xxhash is the first part (up to the first - ) of your nodeBB's secret (config.json).

On the HDD, files are stored in /nodeBB/expiring_uploads/ as opposed to /nodeBB/public/uploads/files/, since everything in /public/ could be guessed, as all of its contents seem to be blindly exposed to the clients. Please note, that my lazily hardcoding the / could make this plugin fail on Windows. I'll change that, or at least check whether the NodeBB core takes care of it.

The created links are routed, but you can't actually download the file, yet.

The plugin hook (filter:uploadFile) is pretty needy - or powerful; depending on your point of view. Anyway, it breaks out of (returns from) the core function, handling uploads, as early as it can get. Meaning, that the plugin has to handle everything like allowed filetypes, -sizes and such. I assume, that you e.g. don't want to have uploaded pictures expire. It's in there, but only rudimentarily, for now. That's why I haven't started the ACP part of it, yet.

In the end the plugin will surely have an option to choose, but for starters: What's your preference, the least setup effort for you? Would you rather define filetypes which should be expiring or those who should not?
Another aproach would be to add a second "Expiring Upload" button to the composer. This way the built-in button would follow the general setup (e.g. allowed filetypes images) and the added button would only accept .zip, .gz, .pdf, what have you.

julian

Awesome work @rbeer I think this merits a badge... welcome to the 3rd party developers group

rbeer

@julian
Wow! How about that for incentive? Well, let me tell you: To me it's a great one. I fell in love with NodeBB the second I tested it. Becoming a part of its development puts a satisfied grin on my face - they have yet to invent an emoji for that. (see; not even close)

chrismccoy

wow thanks for this, generates the url good, zip, and rar files would probably only need to expire.

julian

One wonders if @rbeer got the bounty

chrismccoy

what needs to be done to let the links work (dl links) ?

rbeer

Download the latest version
npm update nodebb-plugin-expiring-uploads

You still have to edit the settings by hand in the .js file, though. I tend to procrastinate UI, but it's definetly next on the list.

chrismccoy

one thing, if i have the files set as private, meaning you have to have a user account to download, the expiring link loads for non public as well.

rbeer

@chrismccoy
Done. Moved to Plugins.