feat: reverse shares (#86)

* add first concept

* add reverse share funcionality to frontend

* allow creator to limit share expiration

* moved reverse share in seperate module

* add table to manage reverse shares

* delete complete share if reverse share was deleted

* optimize function names

* add db migration

* enable reverse share email notifications

* fix config variable descriptions

* fix migration for new installations

backend/src/app.module.ts

@@ -13,6 +13,7 @@ import { PrismaModule } from "./prisma/prisma.module";
 import { ShareModule } from "./share/share.module";
 import { UserModule } from "./user/user.module";
 import { ClamScanModule } from "./clamscan/clamscan.module";
+import { ReverseShareModule } from "./reverseShare/reverseShare.module";
 
 @Module({
   imports: [
@@ -30,6 +31,7 @@ import { ClamScanModule } from "./clamscan/clamscan.module";
     }),
     ScheduleModule.forRoot(),
     ClamScanModule,
+    ReverseShareModule,
   ],
   providers: [
     {

backend/src/config/config.service.ts

@@ -29,6 +29,7 @@ export class ConfigService {
 
   async listForAdmin() {
     return await this.prisma.config.findMany({
+      orderBy: { id: "asc" },
       where: { locked: { equals: false } },
     });
   }

backend/src/email/email.service.ts

@@ -8,6 +8,9 @@ export class EmailService {
   constructor(private config: ConfigService) {}
 
   getTransporter() {
+    if (!this.config.get("SMTP_ENABLED"))
+      throw new InternalServerErrorException("SMTP is disabled");
+
     return nodemailer.createTransport({
       host: this.config.get("SMTP_HOST"),
       port: parseInt(this.config.get("SMTP_PORT")),
@@ -19,8 +22,12 @@ export class EmailService {
     });
   }
 
-  async sendMail(recipientEmail: string, shareId: string, creator: User) {
-    if (!this.config.get("ENABLE_EMAIL_RECIPIENTS"))
+  async sendMailToShareRecepients(
+    recipientEmail: string,
+    shareId: string,
+    creator?: User
+  ) {
+    if (!this.config.get("ENABLE_SHARE_EMAIL_RECIPIENTS"))
       throw new InternalServerErrorException("Email service disabled");
 
     const shareUrl = `${this.config.get("APP_URL")}/share/${shareId}`;
@@ -28,11 +35,25 @@ export class EmailService {
     await this.getTransporter().sendMail({
       from: `"Pingvin Share" <${this.config.get("SMTP_EMAIL")}>`,
       to: recipientEmail,
-      subject: this.config.get("EMAIL_SUBJECT"),
+      subject: this.config.get("SHARE_RECEPIENTS_EMAIL_SUBJECT"),
       text: this.config
-        .get("EMAIL_MESSAGE")
+        .get("SHARE_RECEPIENTS_EMAIL_MESSAGE")
+        .replaceAll("\\n", "\n")
+        .replaceAll("{creator}", creator?.username ?? "Someone")
+        .replaceAll("{shareUrl}", shareUrl),
+    });
+  }
+
+  async sendMailToReverseShareCreator(recipientEmail: string, shareId: string) {
+    const shareUrl = `${this.config.get("APP_URL")}/share/${shareId}`;
+
+    await this.getTransporter().sendMail({
+      from: `"Pingvin Share" <${this.config.get("SMTP_EMAIL")}>`,
+      to: recipientEmail,
+      subject: this.config.get("REVERSE_SHARE_EMAIL_SUBJECT"),
+      text: this.config
+        .get("REVERSE_SHARE_EMAIL_MESSAGE")
         .replaceAll("\\n", "\n")
-        .replaceAll("{creator}", creator.username)
         .replaceAll("{shareUrl}", shareUrl),
     });
   }

backend/src/file/file.controller.ts

@@ -14,6 +14,7 @@ import * as contentDisposition from "content-disposition";
 import { Response } from "express";
 import { JwtGuard } from "src/auth/guard/jwt.guard";
 import { FileDownloadGuard } from "src/file/guard/fileDownload.guard";
+import { CreateShareGuard } from "src/share/guard/createShare.guard";
 import { ShareOwnerGuard } from "src/share/guard/shareOwner.guard";
 import { ShareSecurityGuard } from "src/share/guard/shareSecurity.guard";
 import { FileService } from "./file.service";
@@ -24,7 +25,7 @@ export class FileController {
 
   @Post()
   @SkipThrottle()
-  @UseGuards(JwtGuard, ShareOwnerGuard)
+  @UseGuards(CreateShareGuard, ShareOwnerGuard)
   async create(
     @Query() query: any,
 

backend/src/file/file.module.ts

@@ -1,11 +1,12 @@
 import { Module } from "@nestjs/common";
 import { JwtModule } from "@nestjs/jwt";
+import { ReverseShareModule } from "src/reverseShare/reverseShare.module";
 import { ShareModule } from "src/share/share.module";
 import { FileController } from "./file.controller";
 import { FileService } from "./file.service";
 
 @Module({
-  imports: [JwtModule.register({}), ShareModule],
+  imports: [JwtModule.register({}), ReverseShareModule, ShareModule],
   controllers: [FileController],
   providers: [FileService],
   exports: [FileService],

backend/src/file/file.service.ts

@@ -30,7 +30,7 @@ export class FileService {
 
     const share = await this.prisma.share.findUnique({
       where: { id: shareId },
-      include: { files: true },
+      include: { files: true, reverseShare: true },
     });
 
     if (share.uploadLocked)
@@ -64,9 +64,12 @@ export class FileService {
       0
     );
 
+    const shareSizeSum = fileSizeSum + diskFileSize + buffer.byteLength;
+
     if (
-      fileSizeSum + diskFileSize + buffer.byteLength >
-      this.config.get("MAX_SHARE_SIZE")
+      shareSizeSum > this.config.get("MAX_SHARE_SIZE") ||
+      (share.reverseShare?.maxShareSize &&
+        shareSizeSum > parseInt(share.reverseShare.maxShareSize))
     ) {
       throw new HttpException(
         "Max share size exceeded",

backend/src/reverseShare/dto/createReverseShare.dto.ts

@@ -0,0 +1,12 @@
+import { IsBoolean, IsString } from "class-validator";
+
+export class CreateReverseShareDTO {
+  @IsBoolean()
+  sendEmailNotification: boolean;
+
+  @IsString()
+  maxShareSize: string;
+
+  @IsString()
+  shareExpiration: string;
+}

backend/src/reverseShare/dto/reverseShare.dto.ts

@@ -0,0 +1,18 @@
+import { Expose, plainToClass } from "class-transformer";
+
+export class ReverseShareDTO {
+  @Expose()
+  id: string;
+
+  @Expose()
+  maxShareSize: string;
+
+  @Expose()
+  shareExpiration: Date;
+
+  from(partial: Partial<ReverseShareDTO>) {
+    return plainToClass(ReverseShareDTO, partial, {
+      excludeExtraneousValues: true,
+    });
+  }
+}

backend/src/reverseShare/dto/reverseShareTokenWithShare.ts

@@ -0,0 +1,23 @@
+import { OmitType } from "@nestjs/mapped-types";
+import { Expose, plainToClass, Type } from "class-transformer";
+import { MyShareDTO } from "src/share/dto/myShare.dto";
+import { ReverseShareDTO } from "./reverseShare.dto";
+
+export class ReverseShareTokenWithShare extends OmitType(ReverseShareDTO, [
+  "shareExpiration",
+] as const) {
+  @Expose()
+  shareExpiration: Date;
+
+  @Expose()
+  @Type(() => OmitType(MyShareDTO, ["recipients"] as const))
+  share: Omit<MyShareDTO, "recipients" | "files" | "from" | "fromList">;
+
+  fromList(partial: Partial<ReverseShareTokenWithShare>[]) {
+    return partial.map((part) =>
+      plainToClass(ReverseShareTokenWithShare, part, {
+        excludeExtraneousValues: true,
+      })
+    );
+  }
+}

backend/src/reverseShare/guards/reverseShareOwner.guard.ts

@@ -0,0 +1,22 @@
+import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
+import { User } from "@prisma/client";
+import { Request } from "express";
+import { PrismaService } from "src/prisma/prisma.service";
+
+@Injectable()
+export class ReverseShareOwnerGuard implements CanActivate {
+  constructor(private prisma: PrismaService) {}
+
+  async canActivate(context: ExecutionContext) {
+    const request: Request = context.switchToHttp().getRequest();
+    const { reverseShareId } = request.params;
+
+    const reverseShare = await this.prisma.reverseShare.findUnique({
+      where: { id: reverseShareId },
+    });
+
+    if (!reverseShare) return false;
+
+    return reverseShare.creatorId == (request.user as User).id;
+  }
+}

backend/src/reverseShare/reverseShare.controller.ts

@@ -0,0 +1,64 @@
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  NotFoundException,
+  Param,
+  Post,
+  UseGuards,
+} from "@nestjs/common";
+import { Throttle } from "@nestjs/throttler";
+import { User } from "@prisma/client";
+import { GetUser } from "src/auth/decorator/getUser.decorator";
+import { JwtGuard } from "src/auth/guard/jwt.guard";
+import { ConfigService } from "src/config/config.service";
+import { CreateReverseShareDTO } from "./dto/createReverseShare.dto";
+import { ReverseShareDTO } from "./dto/reverseShare.dto";
+import { ReverseShareTokenWithShare } from "./dto/reverseShareTokenWithShare";
+import { ReverseShareOwnerGuard } from "./guards/reverseShareOwner.guard";
+import { ReverseShareService } from "./reverseShare.service";
+
+@Controller("reverseShares")
+export class ReverseShareController {
+  constructor(
+    private reverseShareService: ReverseShareService,
+    private config: ConfigService
+  ) {}
+
+  @Post()
+  @UseGuards(JwtGuard)
+  async create(@Body() body: CreateReverseShareDTO, @GetUser() user: User) {
+    const token = await this.reverseShareService.create(body, user.id);
+
+    const link = `${this.config.get("APP_URL")}/upload/${token}`;
+
+    return { token, link };
+  }
+
+  @Throttle(20, 60)
+  @Get(":reverseShareToken")
+  async getByToken(@Param("reverseShareToken") reverseShareToken: string) {
+    const isValid = await this.reverseShareService.isValid(reverseShareToken);
+
+    if (!isValid) throw new NotFoundException("Reverse share token not found");
+
+    return new ReverseShareDTO().from(
+      await this.reverseShareService.getByToken(reverseShareToken)
+    );
+  }
+
+  @Get()
+  @UseGuards(JwtGuard)
+  async getAllByUser(@GetUser() user: User) {
+    return new ReverseShareTokenWithShare().fromList(
+      await this.reverseShareService.getAllByUser(user.id)
+    );
+  }
+
+  @Delete(":reverseShareId")
+  @UseGuards(JwtGuard, ReverseShareOwnerGuard)
+  async remove(@Param("reverseShareId") id: string) {
+    await this.reverseShareService.remove(id);
+  }
+}

backend/src/reverseShare/reverseShare.module.ts

@@ -0,0 +1,12 @@
+import { forwardRef, Module } from "@nestjs/common";
+import { FileModule } from "src/file/file.module";
+import { ReverseShareController } from "./reverseShare.controller";
+import { ReverseShareService } from "./reverseShare.service";
+
+@Module({
+  imports: [forwardRef(() => FileModule)],
+  controllers: [ReverseShareController],
+  providers: [ReverseShareService],
+  exports: [ReverseShareService],
+})
+export class ReverseShareModule {}

backend/src/reverseShare/reverseShare.service.ts

@@ -0,0 +1,94 @@
+import { BadRequestException, Injectable } from "@nestjs/common";
+import * as moment from "moment";
+import { ConfigService } from "src/config/config.service";
+import { FileService } from "src/file/file.service";
+import { PrismaService } from "src/prisma/prisma.service";
+import { CreateReverseShareDTO } from "./dto/createReverseShare.dto";
+
+@Injectable()
+export class ReverseShareService {
+  constructor(
+    private config: ConfigService,
+    private prisma: PrismaService,
+    private fileService: FileService
+  ) {}
+
+  async create(data: CreateReverseShareDTO, creatorId: string) {
+    // Parse date string to date
+    const expirationDate = moment()
+      .add(
+        data.shareExpiration.split("-")[0],
+        data.shareExpiration.split(
+          "-"
+        )[1] as moment.unitOfTime.DurationConstructor
+      )
+      .toDate();
+
+    const globalMaxShareSize = this.config.get("MAX_SHARE_SIZE");
+
+    if (globalMaxShareSize < data.maxShareSize)
+      throw new BadRequestException(
+        `Max share size can't be greater than ${globalMaxShareSize} bytes.`
+      );
+
+    const reverseShare = await this.prisma.reverseShare.create({
+      data: {
+        shareExpiration: expirationDate,
+        maxShareSize: data.maxShareSize,
+        sendEmailNotification: data.sendEmailNotification,
+        creatorId,
+      },
+    });
+
+    return reverseShare.token;
+  }
+
+  async getByToken(reverseShareToken: string) {
+    const reverseShare = await this.prisma.reverseShare.findUnique({
+      where: { token: reverseShareToken },
+    });
+
+    return reverseShare;
+  }
+
+  async getAllByUser(userId: string) {
+    const reverseShares = await this.prisma.reverseShare.findMany({
+      where: {
+        creatorId: userId,
+        shareExpiration: { gt: new Date() },
+      },
+      orderBy: {
+        shareExpiration: "desc",
+      },
+      include: { share: { include: { creator: true } } },
+    });
+
+    return reverseShares;
+  }
+
+  async isValid(reverseShareToken: string) {
+    const reverseShare = await this.prisma.reverseShare.findUnique({
+      where: { token: reverseShareToken },
+    });
+
+    if (!reverseShare) return false;
+
+    const isExpired = new Date() > reverseShare.shareExpiration;
+    const isUsed = reverseShare.used;
+
+    return !(isExpired || isUsed);
+  }
+
+  async remove(id: string) {
+    const share = await this.prisma.share.findFirst({
+      where: { reverseShare: { id } },
+    });
+
+    if (share) {
+      await this.prisma.share.delete({ where: { id: share.id } });
+      await this.fileService.deleteAllFiles(share.id);
+    } else {
+      await this.prisma.reverseShare.delete({ where: { id } });
+    }
+  }
+}

backend/src/share/guard/createShare.guard.ts

@@ -0,0 +1,29 @@
+import { ExecutionContext, Injectable } from "@nestjs/common";
+import { JwtGuard } from "src/auth/guard/jwt.guard";
+import { ConfigService } from "src/config/config.service";
+import { ReverseShareService } from "src/reverseShare/reverseShare.service";
+
+@Injectable()
+export class CreateShareGuard extends JwtGuard {
+  constructor(
+    configService: ConfigService,
+    private reverseShareService: ReverseShareService
+  ) {
+    super(configService);
+  }
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    if (await super.canActivate(context)) return true;
+
+    const reverseShareTokenId = context.switchToHttp().getRequest()
+      .cookies.reverse_share_token;
+
+    if (!reverseShareTokenId) return false;
+
+    const isReverseShareTokenValid = await this.reverseShareService.isValid(
+      reverseShareTokenId
+    );
+
+    return isReverseShareTokenValid;
+  }
+}

backend/src/share/share.controller.ts

@@ -6,24 +6,31 @@ import {
   HttpCode,
   Param,
   Post,
+  Req,
   UseGuards,
 } from "@nestjs/common";
 import { Throttle } from "@nestjs/throttler";
 import { User } from "@prisma/client";
+import { Request } from "express";
 import { GetUser } from "src/auth/decorator/getUser.decorator";
 import { JwtGuard } from "src/auth/guard/jwt.guard";
+import { ConfigService } from "src/config/config.service";
 import { CreateShareDTO } from "./dto/createShare.dto";
 import { MyShareDTO } from "./dto/myShare.dto";
 import { ShareDTO } from "./dto/share.dto";
 import { ShareMetaDataDTO } from "./dto/shareMetaData.dto";
 import { SharePasswordDto } from "./dto/sharePassword.dto";
+import { CreateShareGuard } from "./guard/createShare.guard";
 import { ShareOwnerGuard } from "./guard/shareOwner.guard";
 import { ShareSecurityGuard } from "./guard/shareSecurity.guard";
 import { ShareTokenSecurity } from "./guard/shareTokenSecurity.guard";
 import { ShareService } from "./share.service";
 @Controller("shares")
 export class ShareController {
-  constructor(private shareService: ShareService) {}
+  constructor(
+    private shareService: ShareService,
+    private config: ConfigService
+  ) {}
 
   @Get()
   @UseGuards(JwtGuard)
@@ -46,9 +53,16 @@ export class ShareController {
   }
 
   @Post()
-  @UseGuards(JwtGuard)
-  async create(@Body() body: CreateShareDTO, @GetUser() user: User) {
-    return new ShareDTO().from(await this.shareService.create(body, user));
+  @UseGuards(CreateShareGuard)
+  async create(
+    @Body() body: CreateShareDTO,
+    @Req() request: Request,
+    @GetUser() user: User
+  ) {
+    const { reverse_share_token } = request.cookies;
+    return new ShareDTO().from(
+      await this.shareService.create(body, user, reverse_share_token)
+    );
   }
 
   @Delete(":id")
@@ -59,11 +73,15 @@ export class ShareController {
 
   @Post(":id/complete")
   @HttpCode(202)
-  @UseGuards(JwtGuard, ShareOwnerGuard)
-  async complete(@Param("id") id: string) {
-    return new ShareDTO().from(await this.shareService.complete(id));
+  @UseGuards(CreateShareGuard, ShareOwnerGuard)
+  async complete(@Param("id") id: string, @Req() request: Request) {
+    const { reverse_share_token } = request.cookies;
+    return new ShareDTO().from(
+      await this.shareService.complete(id, reverse_share_token)
+    );
   }
 
+  @Throttle(10, 60)
   @Get("isShareIdAvailable/:id")
   async isShareIdAvailable(@Param("id") id: string) {
     return this.shareService.isShareIdAvailable(id);

backend/src/share/share.module.ts

@@ -3,6 +3,7 @@ import { JwtModule } from "@nestjs/jwt";
 import { ClamScanModule } from "src/clamscan/clamscan.module";
 import { EmailModule } from "src/email/email.module";
 import { FileModule } from "src/file/file.module";
+import { ReverseShareModule } from "src/reverseShare/reverseShare.module";
 import { ShareController } from "./share.controller";
 import { ShareService } from "./share.service";
 
@@ -11,6 +12,7 @@ import { ShareService } from "./share.service";
     JwtModule.register({}),
     EmailModule,
     ClamScanModule,
+    ReverseShareModule,
     forwardRef(() => FileModule),
   ],
   controllers: [ShareController],

backend/src/share/share.service.ts

@@ -15,6 +15,7 @@ import { ConfigService } from "src/config/config.service";
 import { EmailService } from "src/email/email.service";
 import { FileService } from "src/file/file.service";
 import { PrismaService } from "src/prisma/prisma.service";
+import { ReverseShareService } from "src/reverseShare/reverseShare.service";
 import { CreateShareDTO } from "./dto/createShare.dto";
 
 @Injectable()
@@ -25,10 +26,11 @@ export class ShareService {
     private emailService: EmailService,
     private config: ConfigService,
     private jwtService: JwtService,
+    private reverseShareService: ReverseShareService,
     private clamScanService: ClamScanService
   ) {}
 
-  async create(share: CreateShareDTO, user?: User) {
+  async create(share: CreateShareDTO, user?: User, reverseShareToken?: string) {
     if (!(await this.isShareIdAvailable(share.id)).isAvailable)
       throw new BadRequestException("Share id already in use");
 
@@ -39,30 +41,36 @@ export class ShareService {
       share.security.password = await argon.hash(share.security.password);
     }
 
-    // We have to add an exception for "never" (since moment won't like that)
     let expirationDate: Date;
-    if (share.expiration !== "never") {
-      expirationDate = moment()
-        .add(
-          share.expiration.split("-")[0],
-          share.expiration.split(
-            "-"
-          )[1] as moment.unitOfTime.DurationConstructor
-        )
-        .toDate();
 
-      // Throw error if expiration date is now
-      if (expirationDate.setMilliseconds(0) == new Date().setMilliseconds(0))
-        throw new BadRequestException("Invalid expiration date");
+    // If share is created by a reverse share token override the expiration date
+    if (reverseShareToken) {
+      const { shareExpiration } = await this.reverseShareService.getByToken(
+        reverseShareToken
+      );
+
+      expirationDate = shareExpiration;
     } else {
-      expirationDate = moment(0).toDate();
+      // We have to add an exception for "never" (since moment won't like that)
+      if (share.expiration !== "never") {
+        expirationDate = moment()
+          .add(
+            share.expiration.split("-")[0],
+            share.expiration.split(
+              "-"
+            )[1] as moment.unitOfTime.DurationConstructor
+          )
+          .toDate();
+      } else {
+        expirationDate = moment(0).toDate();
+      }
     }
 
     fs.mkdirSync(`./data/uploads/shares/${share.id}`, {
       recursive: true,
     });
 
-    return await this.prisma.share.create({
+    const shareTuple = await this.prisma.share.create({
       data: {
         ...share,
         expiration: expirationDate,
@@ -75,6 +83,18 @@ export class ShareService {
         },
       },
     });
+
+    if (reverseShareToken) {
+      // Assign share to reverse share token
+      await this.prisma.reverseShare.update({
+        where: { token: reverseShareToken },
+        data: {
+          shareId: share.id,
+        },
+      });
+    }
+
+    return shareTuple;
   }
 
   async createZip(shareId: string) {
@@ -96,10 +116,15 @@ export class ShareService {
     await archive.finalize();
   }
 
-  async complete(id: string) {
+  async complete(id: string, reverseShareToken?: string) {
     const share = await this.prisma.share.findUnique({
       where: { id },
-      include: { files: true, recipients: true, creator: true },
+      include: {
+        files: true,
+        recipients: true,
+        creator: true,
+        reverseShare: { include: { creator: true } },
+      },
     });
 
     if (await this.isShareCompleted(id))
@@ -118,16 +143,34 @@ export class ShareService {
 
     // Send email for each recepient
     for (const recepient of share.recipients) {
-      await this.emailService.sendMail(
+      await this.emailService.sendMailToShareRecepients(
         recepient.email,
         share.id,
         share.creator
       );
     }
 
+    if (
+      share.reverseShare &&
+      this.config.get("SMTP_ENABLED") &&
+      share.reverseShare.sendEmailNotification
+    ) {
+      await this.emailService.sendMailToReverseShareCreator(
+        share.reverseShare.creator.email,
+        share.id
+      );
+    }
+
     // Check if any file is malicious with ClamAV
     this.clamScanService.checkAndRemove(share.id);
 
+    if (reverseShareToken) {
+      await this.prisma.reverseShare.update({
+        where: { token: reverseShareToken },
+        data: { used: true },
+      });
+    }
+
     return await this.prisma.share.update({
       where: { id },
       data: { uploadLocked: true },