CalvinBackup/notesnook-sync-server_customPrivateV1
1
0
Fork 0
mirror of https://github.com/streetwriters/notesnook-sync-server.git synced 2026-02-12 11:12:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

identity: fix user subscription claim value incorrect for legacy pro users

Browse Source
This commit is contained in:
Abdullah Atta
2025-10-13 11:27:07 +05:00
parent 131df3df04
commit d1421d640f
8 changed files with 44 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
Notesnook.API/Controllers/MonographsController.cs
View File

@@ -105,7 +105,7 @@ namespace Notesnook.API.Controllers
if (existingMonograph != null && !existingMonograph.Deleted) return await UpdateAsync(deviceId, monograph);
if (monograph.EncryptedContent == null)
monograph.CompressedContent = (await CleanupContentAsync(monograph.Content)).CompressBrotli();
monograph.CompressedContent = (await CleanupContentAsync(User, monograph.Content)).CompressBrotli();
monograph.UserId = userId;
monograph.DatePublished = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds();
@@ -157,7 +157,7 @@ namespace Notesnook.API.Controllers
return base.BadRequest("Monograph is too big. Max allowed size is 15mb.");
if (monograph.EncryptedContent == null)
monograph.CompressedContent = (await CleanupContentAsync(monograph.Content)).CompressBrotli();
monograph.CompressedContent = (await CleanupContentAsync(User, monograph.Content)).CompressBrotli();
else
monograph.Content = null;
@@ -309,25 +309,15 @@ namespace Notesnook.API.Controllers
});
}
private async Task<string> CleanupContentAsync(string content)
private async Task<string> CleanupContentAsync(ClaimsPrincipal user, string content)
{
if (Constants.IS_SELF_HOSTED) return content;
try
{
var json = JsonSerializer.Deserialize<MonographContent>(content);
var html = json.Data;
if (!Constants.IS_SELF_HOSTED && !User.IsUserSubscribed())
{
var config = Configuration.Default.WithDefaultLoader();
var context = BrowsingContext.New(config);
var document = await context.OpenAsync(r => r.Content(html));
foreach (var element in document.QuerySelectorAll("a,iframe,img,object,svg,button,link"))
{
element.Remove();
}
html = document.ToHtml();
}
if (User.IsUserSubscribed())
if (user.IsUserSubscribed())
{
var config = Configuration.Default.WithDefaultLoader();
var context = BrowsingContext.New(config);
@@ -336,7 +326,23 @@ namespace Notesnook.API.Controllers
{
var href = element.GetAttribute("href");
if (string.IsNullOrEmpty(href)) continue;
if (!await analyzer.IsURLSafeAsync(href)) element.RemoveAttribute("href");
if (!await analyzer.IsURLSafeAsync(href))
{
await Slogger<MonographsController>.Info("CleanupContentAsync", "Malicious URL detected: " + href);
element.RemoveAttribute("href");
}
}
html = document.ToHtml();
}
else
{
var config = Configuration.Default.WithDefaultLoader();
var context = BrowsingContext.New(config);
var document = await context.OpenAsync(r => r.Content(html));
foreach (var element in document.QuerySelectorAll("a,iframe,img,object,svg,button,link"))
{
foreach (var attr in element.Attributes)
element.RemoveAttribute(attr.Name);
}
html = document.ToHtml();
}

2
Notesnook.API/Extensions/ClaimsPrincipalExtensions.cs
View File

@@ -7,7 +7,7 @@ namespace System.Security.Claims
{
public static class ClaimsPrincipalExtensions
{
private readonly static string[] SUBSCRIBED_CLAIMS = ["believer", "education", "essential", "pro", "premium", "premium_canceled"];
private readonly static string[] SUBSCRIBED_CLAIMS = ["believer", "education", "essential", "pro", "legacy_pro"];
public static bool IsUserSubscribed(this ClaimsPrincipal user)
=> user.Claims.Any((c) => c.Type == "notesnook:status" && SUBSCRIBED_CLAIMS.Contains(c.Value));
}