apps/meteor/server/routes/userDataDownload.ts
import type { IncomingMessage, ServerResponse } from 'http';
import { hashLoginToken } from '@rocket.chat/account-utils';
import type { IIncomingMessage, IUser, IUserDataFile } from '@rocket.chat/core-typings';
import { UserDataFiles, Users } from '@rocket.chat/models';
import { Cookies } from 'meteor/ostrio:cookies';
import { WebApp } from 'meteor/webapp';
import { match } from 'path-to-regexp';
import { FileUpload } from '../../app/file-upload/server';
import { settings } from '../../app/settings/server';
const cookies = new Cookies();
const matchUID = async (uid: string | undefined, token: string | undefined, ownerUID: string) => {
return (
uid &&
token &&
uid === ownerUID &&
Boolean(await Users.findOneByIdAndLoginToken(uid, hashLoginToken(token), { projection: { _id: 1 } }))
);
};
const isRequestFromOwner = async (req: IIncomingMessage, ownerUID: IUser['_id']) => {
if (await matchUID(req.query.rc_uid, req.query.rc_token, ownerUID)) {
return true;
}
if (
req.headers.cookie &&
(await matchUID(cookies.get('rc_uid', req.headers.cookie), cookies.get('rc_token', req.headers.cookie), ownerUID))
) {
return true;
}
for await (const uid of [req.headers['x-user-id']].flat()) {
for await (const token of [req.headers['x-auth-token']].flat()) {
if (await matchUID(uid, token, ownerUID)) {
return true;
}
}
}
return false;
};
const sendUserDataFile = (file: IUserDataFile) => (req: IncomingMessage, res: ServerResponse, next: () => void) => {
const userDataStore = FileUpload.getStore('UserDataFiles');
if (!userDataStore?.get) {
res.writeHead(403).end(); // @todo: maybe we should return a better error?
return;
}
res.setHeader('Content-Security-Policy', "default-src 'none'");
res.setHeader('Cache-Control', 'max-age=31536000');
void userDataStore.get(file, req, res, next);
};
const matchFileRoute = match<{ fileID: string }>('/:fileID', { decode: decodeURIComponent });
const userDataDownloadHandler = async (req: IncomingMessage, res: ServerResponse, next: () => void) => {
const downloadEnabled = settings.get<boolean>('UserData_EnableDownload');
if (!downloadEnabled) {
res.writeHead(403).end();
return;
}
const match = matchFileRoute(req.url ?? '/');
if (match === false) {
res.writeHead(404).end();
return;
}
const file = await UserDataFiles.findOneById(match.params.fileID);
if (!file) {
res.writeHead(404).end();
return;
}
if (!file.userId || !(await isRequestFromOwner(req as IIncomingMessage, file.userId))) {
res.writeHead(403).end();
return;
}
sendUserDataFile(file)(req, res, next);
};
WebApp.connectHandlers.use('/data-export/', userDataDownloadHandler);