CalvinBackup/notesnook-sync-server_customPrivateV1
1
0
Fork 0
mirror of https://github.com/streetwriters/notesnook-sync-server.git synced 2026-02-12 11:12:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

identity: fix user subscription claim value incorrect for legacy pro users

Browse Source
This commit is contained in:
Abdullah Atta
2025-10-13 11:27:07 +05:00
parent 131df3df04
commit d1421d640f
8 changed files with 44 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
Notesnook.API/Controllers/MonographsController.cs
View File

@@ -105,7 +105,7 @@ namespace Notesnook.API.Controllers
if (existingMonograph != null && !existingMonograph.Deleted) return await UpdateAsync(deviceId, monograph);
if (monograph.EncryptedContent == null)
monograph.CompressedContent = (await CleanupContentAsync(monograph.Content)).CompressBrotli();
monograph.CompressedContent = (await CleanupContentAsync(User, monograph.Content)).CompressBrotli();
monograph.UserId = userId;
monograph.DatePublished = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds();
@@ -157,7 +157,7 @@ namespace Notesnook.API.Controllers
return base.BadRequest("Monograph is too big. Max allowed size is 15mb.");
if (monograph.EncryptedContent == null)
monograph.CompressedContent = (await CleanupContentAsync(monograph.Content)).CompressBrotli();
monograph.CompressedContent = (await CleanupContentAsync(User, monograph.Content)).CompressBrotli();
else
monograph.Content = null;
@@ -309,25 +309,15 @@ namespace Notesnook.API.Controllers
});
}
private async Task<string> CleanupContentAsync(string content)
private async Task<string> CleanupContentAsync(ClaimsPrincipal user, string content)
{
if (Constants.IS_SELF_HOSTED) return content;
try
{
var json = JsonSerializer.Deserialize<MonographContent>(content);
var html = json.Data;
if (!Constants.IS_SELF_HOSTED && !User.IsUserSubscribed())
{
var config = Configuration.Default.WithDefaultLoader();
var context = BrowsingContext.New(config);
var document = await context.OpenAsync(r => r.Content(html));
foreach (var element in document.QuerySelectorAll("a,iframe,img,object,svg,button,link"))
{
element.Remove();
}
html = document.ToHtml();
}
if (User.IsUserSubscribed())
if (user.IsUserSubscribed())
{
var config = Configuration.Default.WithDefaultLoader();
var context = BrowsingContext.New(config);
@@ -336,7 +326,23 @@ namespace Notesnook.API.Controllers
{
var href = element.GetAttribute("href");
if (string.IsNullOrEmpty(href)) continue;
if (!await analyzer.IsURLSafeAsync(href)) element.RemoveAttribute("href");
if (!await analyzer.IsURLSafeAsync(href))
{
await Slogger<MonographsController>.Info("CleanupContentAsync", "Malicious URL detected: " + href);
element.RemoveAttribute("href");
}
}
html = document.ToHtml();
}
else
{
var config = Configuration.Default.WithDefaultLoader();
var context = BrowsingContext.New(config);
var document = await context.OpenAsync(r => r.Content(html));
foreach (var element in document.QuerySelectorAll("a,iframe,img,object,svg,button,link"))
{
foreach (var attr in element.Attributes)
element.RemoveAttribute(attr.Name);
}
html = document.ToHtml();
}

2
Notesnook.API/Extensions/ClaimsPrincipalExtensions.cs
View File

@@ -7,7 +7,7 @@ namespace System.Security.Claims
{
public static class ClaimsPrincipalExtensions
{
private readonly static string[] SUBSCRIBED_CLAIMS = ["believer", "education", "essential", "pro", "premium", "premium_canceled"];
private readonly static string[] SUBSCRIBED_CLAIMS = ["believer", "education", "essential", "pro", "legacy_pro"];
public static bool IsUserSubscribed(this ClaimsPrincipal user)
=> user.Claims.Any((c) => c.Type == "notesnook:status" && SUBSCRIBED_CLAIMS.Contains(c.Value));
}

1
Streetwriters.Common/Interfaces/IUserSubscriptionService.cs
View File

@@ -9,5 +9,6 @@ namespace Streetwriters.Common.Interfaces
{
[WampProcedure("co.streetwriters.subscriptions.subscriptions.get_user_subscription")]
Task<Subscription> GetUserSubscriptionAsync(string clientId, string userId);
Subscription TransformUserSubscription(Subscription subscription);
}
}

2
Streetwriters.Identity/Controllers/SignupController.cs
View File

@@ -109,7 +109,7 @@ namespace Streetwriters.Identity.Controllers
await UserManager.AddToRoleAsync(user, client.Id);
if (Constants.IS_SELF_HOSTED)
{
await UserManager.AddClaimAsync(user, UserService.SubscriptionPlanToClaim(client.Id, SubscriptionPlan.BELIEVER));
await UserManager.AddClaimAsync(user, new Claim(UserService.GetClaimKey(client.Id), "believer"));
}
else
{

13
Streetwriters.Identity/MessageHandlers/CreateSubscription.cs
View File

@@ -30,20 +30,19 @@ namespace Streetwriters.Identity.MessageHandlers
{
public class CreateSubscription
{
public static async Task Process(CreateSubscriptionMessage message, UserManager<User> userManager)
public static async Task Process(Subscription subscription, UserManager<User> userManager)
{
var user = await userManager.FindByIdAsync(message.UserId);
var client = Clients.FindClientByAppId(message.AppId);
var user = await userManager.FindByIdAsync(subscription.UserId);
var client = Clients.FindClientByAppId(subscription.AppId);
if (client == null || user == null) return;
IdentityUserClaim<string> statusClaim = user.Claims.FirstOrDefault((c) => c.ClaimType == UserService.GetClaimKey(client.Id));
Claim subscriptionClaim = UserService.SubscriptionTypeToClaim(client.Id, message.Type);
Claim subscriptionClaim = UserService.SubscriptionPlanToClaim(client.Id, subscription);
if (statusClaim?.ClaimValue == subscriptionClaim.Value) return;
if (statusClaim != null)
await userManager.ReplaceClaimAsync(user, statusClaim.ToClaim(), subscriptionClaim);
// we no longer accept legacy subscriptions.
// else
// await userManager.AddClaimAsync(user, subscriptionClaim);
else
await userManager.AddClaimAsync(user, subscriptionClaim);
}
}

49
Streetwriters.Identity/MessageHandlers/CreateSubscriptionV2.cs
View File

@@ -1,49 +0,0 @@
/*
This file is part of the Notesnook Sync Server project (https://notesnook.com/)
Copyright (C) 2023 Streetwriters (Private) Limited
This program is free software: you can redistribute it and/or modify
it under the terms of the Affero GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
Affero GNU General Public License for more details.
You should have received a copy of the Affero GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
using System.Threading.Tasks;
using Streetwriters.Common.Messages;
using Streetwriters.Common.Models;
using Streetwriters.Common;
using Microsoft.AspNetCore.Identity;
using System.Security.Claims;
using System.Linq;
using Streetwriters.Identity.Services;
namespace Streetwriters.Identity.MessageHandlers
{
public class CreateSubscriptionV2
{
public static async Task Process(CreateSubscriptionMessageV2 message, UserManager<User> userManager)
{
var user = await userManager.FindByIdAsync(message.UserId);
var client = Clients.FindClientByAppId(message.AppId);
if (client == null || user == null) return;
IdentityUserClaim<string> statusClaim = user.Claims.FirstOrDefault((c) => c.ClaimType == UserService.GetClaimKey(client.Id));
Claim subscriptionClaim = UserService.SubscriptionPlanToClaim(client.Id, message.Plan);
if (statusClaim?.ClaimValue == subscriptionClaim.Value) return;
if (statusClaim != null)
await userManager.ReplaceClaimAsync(user, statusClaim.ToClaim(), subscriptionClaim);
else
await userManager.AddClaimAsync(user, subscriptionClaim);
}
}
}

56
Streetwriters.Identity/Services/UserService.cs
View File

@@ -17,6 +17,7 @@ You should have received a copy of the Affero GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
@@ -28,27 +29,6 @@ namespace Streetwriters.Identity.Services
{
public class UserService
{
private static SubscriptionType? GetUserSubscriptionStatus(string clientId, User user)
{
var claimKey = GetClaimKey(clientId);
var status = user.Claims.FirstOrDefault((c) => c.ClaimType == claimKey).ClaimValue;
switch (status)
{
case "basic":
return SubscriptionType.BASIC;
case "trial":
return SubscriptionType.TRIAL;
case "premium":
return SubscriptionType.PREMIUM;
case "premium_canceled":
return SubscriptionType.PREMIUM_CANCELED;
case "premium_expired":
return SubscriptionType.PREMIUM_EXPIRED;
default:
return null;
}
}
private static SubscriptionPlan? GetUserSubscriptionPlan(string clientId, User user)
{
var claimKey = GetClaimKey(clientId);
@@ -72,39 +52,23 @@ namespace Streetwriters.Identity.Services
public static bool IsSMSMFAAllowed(string clientId, User user)
{
var legacyStatus = GetUserSubscriptionStatus(clientId, user);
var status = GetUserSubscriptionPlan(clientId, user);
if (legacyStatus == null && status == null) return false;
return legacyStatus == SubscriptionType.PREMIUM ||
legacyStatus == SubscriptionType.PREMIUM_CANCELED ||
if (status == null) return false;
return status == SubscriptionPlan.LEGACY_PRO ||
status == SubscriptionPlan.PRO ||
status == SubscriptionPlan.EDUCATION ||
status == SubscriptionPlan.BELIEVER;
}
public static Claim SubscriptionTypeToClaim(string clientId, SubscriptionType type)
public static Claim SubscriptionPlanToClaim(string clientId, Subscription subscription)
{
var claimKey = GetClaimKey(clientId);
switch (type)
{
case SubscriptionType.BASIC:
return new Claim(claimKey, "basic");
case SubscriptionType.TRIAL:
return new Claim(claimKey, "trial");
case SubscriptionType.PREMIUM:
return new Claim(claimKey, "premium");
case SubscriptionType.PREMIUM_CANCELED:
return new Claim(claimKey, "premium_canceled");
case SubscriptionType.PREMIUM_EXPIRED:
return new Claim(claimKey, "premium_expired");
}
return null;
}
public static Claim SubscriptionPlanToClaim(string clientId, SubscriptionPlan plan)
{
var claimKey = GetClaimKey(clientId);
switch (plan)
// just in case
if (subscription.ExpiryDate <= DateTimeOffset.UtcNow.ToUnixTimeMilliseconds())
return new Claim(claimKey, "free");
switch (subscription.Plan)
{
case SubscriptionPlan.FREE:
return new Claim(claimKey, "free");
@@ -116,6 +80,8 @@ namespace Streetwriters.Identity.Services
return new Claim(claimKey, "essential");
case SubscriptionPlan.PRO:
return new Claim(claimKey, "pro");
case SubscriptionPlan.LEGACY_PRO:
return new Claim(claimKey, "legacy_pro");
}
return null;
}

14
Streetwriters.Identity/Startup.cs
View File

@@ -235,26 +235,16 @@ namespace Streetwriters.Identity
{
realm.Services.RegisterCallee(() => app.ApplicationServices.CreateScope().ServiceProvider.GetRequiredService<IUserAccountService>());
realm.Subscribe(SubscriptionServerTopics.CreateSubscriptionTopic, async (CreateSubscriptionMessage message) =>
realm.Subscribe(SubscriptionServerTopics.CreateSubscriptionTopic, async (Subscription subscription) =>
{
using (var serviceScope = app.ApplicationServices.CreateScope())
{
var services = serviceScope.ServiceProvider;
var userManager = services.GetRequiredService<UserManager<User>>();
await MessageHandlers.CreateSubscription.Process(message, userManager);
await MessageHandlers.CreateSubscription.Process(subscription, userManager);
}
});
realm.Subscribe(SubscriptionServerTopics.CreateSubscriptionV2Topic, async (CreateSubscriptionMessageV2 message) =>
{
using (var serviceScope = app.ApplicationServices.CreateScope())
{
var services = serviceScope.ServiceProvider;
var userManager = services.GetRequiredService<UserManager<User>>();
await MessageHandlers.CreateSubscriptionV2.Process(message, userManager);
}
});
realm.Subscribe(SubscriptionServerTopics.DeleteSubscriptionTopic, async (DeleteSubscriptionMessage message) =>
{
using (var serviceScope = app.ApplicationServices.CreateScope())