Make every auth token store to a specific folder, return where the fi…

…le was saved, filter path traversal (even tho we are the only one using it...) and allow checking if a file already exists

backend/src/main/kotlin/net/perfectdreams/etherealgambi/backend/routes/api/v1/PostUploadFileRoute.kt

@@ -35,11 +35,22 @@ class PostUploadFileRoute(val m: EtherealGambi) : BaseRoute("/api/v1/upload") {
 
         val fileData = Base64.getDecoder().decode(request.dataBase64)
 
-        val file = File(m.files, request.path)
+        if (request.path.contains("..")) {
+            call.respondText(Json.encodeToString(UploadFileResponse.PathTraversalDisallowed))
+            return
+        }
+
+        val writeToPath = "/${authorizationToken.folder}/${request.path}"
+        val file = File(m.files, writeToPath)
+        if (request.failIfFileAlreadyExists && file.exists()) {
+            call.respondText(Json.encodeToString(UploadFileResponse.FileAlreadyExists))
+            return
+        }
+
         val folder = file.parentFile
         folder.mkdirs()
         file.writeBytes(fileData)
 
-        call.respondText(Json.encodeToString(UploadFileResponse.Success))
+        call.respondText(Json.encodeToString(UploadFileResponse.Success(writeToPath)))
     }
 }

backend/src/main/kotlin/net/perfectdreams/etherealgambi/backend/utils/EtherealGambiConfig.kt

@@ -9,12 +9,7 @@ data class EtherealGambiConfig(
     @Serializable
     data class AuthorizationToken(
         val name: String,
-        val token: String
-    )
-
-    @Serializable
-    data class OptimizationSettings(
-        val path: String,
-        val useOptiPNG: Boolean
+        val folder: String,
+        val token: String,
     )
 }

build.gradle.kts

@@ -3,12 +3,9 @@ plugins {
     kotlin("plugin.serialization") version libs.versions.kotlin apply false
 }
 
-group = "net.perfectdreams.etherealgambi"
-version = "1.0.1-SNAPSHOT"
-
 allprojects {
     group = "net.perfectdreams.etherealgambi"
-    version = "1.0.1"
+    version = "1.0.2"
 
     repositories {
         mavenCentral()

client/src/main/kotlin/net/perfectdreams/etherealgambi/client/EtherealGambiClient.kt

@@ -10,6 +10,7 @@ import kotlinx.serialization.decodeFromString
 import kotlinx.serialization.encodeToString
 import kotlinx.serialization.json.Json
 import net.perfectdreams.etherealgambi.data.api.UploadFileRequest
+import net.perfectdreams.etherealgambi.data.api.UploadFileResponse
 import net.perfectdreams.etherealgambi.data.api.requests.ImageVariantsRequest
 import net.perfectdreams.etherealgambi.data.api.responses.ImageVariantsResponse
 import java.io.Closeable
@@ -32,14 +33,14 @@ class EtherealGambiClient(baseUrl: String) : Closeable {
         )
     }
 
-    suspend fun uploadFile(token: String, path: String, data: ByteArray) {
-        return Json.decodeFromString(
+    suspend fun uploadFile(token: String, path: String, failIfFileAlreadyExists: Boolean, data: ByteArray): UploadFileResponse {
+        return Json.decodeFromString<UploadFileResponse>(
             http.post("$baseUrl/api/v1/upload") {
                 header(HttpHeaders.Authorization, token)
 
                 setBody(
                     TextContent(
-                        Json.encodeToString(UploadFileRequest(path, Base64.getEncoder().encodeToString(data))),
+                        Json.encodeToString(UploadFileRequest(path, failIfFileAlreadyExists, Base64.getEncoder().encodeToString(data))),
                         ContentType.Application.Json
                     )
                 )

common/src/main/kotlin/net/perfectdreams/etherealgambi/data/api/UploadFile.kt

@@ -5,13 +5,20 @@ import kotlinx.serialization.Serializable
 @Serializable
 data class UploadFileRequest(
     val path: String,
-    val dataBase64: String
+    val failIfFileAlreadyExists: Boolean,
+    val dataBase64: String,
 )
 
 @Serializable
 sealed class UploadFileResponse {
     @Serializable
-    data object Success : UploadFileResponse()
+    data class Success(val path: String) : UploadFileResponse()
+
+    @Serializable
+    data object FileAlreadyExists : UploadFileResponse()
+
+    @Serializable
+    data object PathTraversalDisallowed : UploadFileResponse()
 
     @Serializable
     data object Unauthorized : UploadFileResponse()