api: minor refactor

Notesnook.API/Controllers/UsersController.cs

@@ -18,7 +18,9 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 using System;
+using System.Net.Http;
 using System.Security.Claims;
+using System.Text.Json;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http.Timeouts;
@@ -28,13 +30,16 @@ using Notesnook.API.Interfaces;
 using Notesnook.API.Models;
 using Notesnook.API.Models.Responses;
 using Streetwriters.Common;
+using Streetwriters.Common.Accessors;
+using Streetwriters.Common.Extensions;
+using Streetwriters.Common.Messages;
 
 namespace Notesnook.API.Controllers
 {
     [ApiController]
     [Authorize]
     [Route("users")]
-    public class UsersController(IUserService UserService, ILogger<UsersController> logger) : ControllerBase
+    public class UsersController(IUserService UserService, WampServiceAccessor serviceAccessor, ILogger<UsersController> logger) : ControllerBase
     {
         [HttpPost]
         [AllowAnonymous]
@@ -85,6 +90,43 @@ namespace Notesnook.API.Controllers
             }
         }
 
+        [HttpPatch("password/{type}")]
+        public async Task<IActionResult> ChangePassword([FromRoute] string type, [FromBody] ChangePasswordForm form)
+        {
+            var userId = User.GetUserId();
+            var clientId = User.FindFirstValue("client_id");
+            var jti = User.FindFirstValue("jti");
+            var isPasswordReset = type == "reset";
+            try
+            {
+                var result = isPasswordReset ? await serviceAccessor.UserAccountService.ResetPasswordAsync(userId, form.NewPassword) : await serviceAccessor.UserAccountService.ChangePasswordAsync(userId, form.OldPassword, form.NewPassword);
+                if (!result)
+                    return BadRequest("Failed to change password.");
+
+                await UserService.SetUserKeysAsync(userId, form.UserKeys);
+
+                await serviceAccessor.UserAccountService.ClearSessionsAsync(userId, clientId, all: false, jti, null);
+
+                await WampServers.MessengerServer.PublishMessageAsync(MessengerServerTopics.SendSSETopic, new SendSSEMessage
+                {
+                    UserId = userId,
+                    OriginTokenId = jti,
+                    Message = new Message
+                    {
+                        Type = "logout",
+                        Data = JsonSerializer.Serialize(new { reason = "Password changed." })
+                    }
+                });
+
+                return Ok();
+            }
+            catch (Exception ex)
+            {
+                logger.LogError(ex, "Failed to change password");
+                return BadRequest(new { error = ex.Message });
+            }
+        }
+
         [HttpPost("reset")]
         public async Task<IActionResult> Reset([FromForm] bool removeAttachments)
         {

Notesnook.API/Models/ChangePasswordForm.cs

@@ -0,0 +1,24 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Notesnook.API.Models
+{
+    public class ChangePasswordForm
+    {
+        public string? OldPassword
+        {
+            get; set;
+        }
+
+        [Required]
+        public required string NewPassword
+        {
+            get; set;
+        }
+
+        [Required]
+        public required UserKeys UserKeys
+        {
+            get; set;
+        }
+    }
+}

Notesnook.API/Models/ResetPasswordForm.cs

@@ -0,0 +1,19 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Notesnook.API.Models
+{
+    public class ResetPasswordForm
+    {
+        [Required]
+        public required string NewPassword
+        {
+            get; set;
+        }
+
+        [Required]
+        public required UserKeys UserKeys
+        {
+            get; set;
+        }
+    }
+}

Notesnook.API/Models/Responses/UserResponse.cs

@@ -15,6 +15,11 @@ namespace Notesnook.API.Models.Responses
 
         [JsonPropertyName("monographPasswordsKey")]
         public EncryptedData? MonographPasswordsKey { get; set; }
+        [JsonPropertyName("dataEncryptionKey")]
+        public EncryptedData? DataEncryptionKey { get; set; }
+
+        [JsonPropertyName("legacyDataEncryptionKey")]
+        public EncryptedData? LegacyDataEncryptionKey { get; set; }
 
         [JsonPropertyName("inboxKeys")]
         public InboxKeys? InboxKeys { get; set; }

Notesnook.API/Models/SyncItem.cs

@@ -98,6 +98,14 @@ namespace Notesnook.API.Models
             get; set;
         }
 
+        [JsonPropertyName("keyVersion")]
+        [DataMember(Name = "keyVersion")]
+        [MessagePack.Key("keyVersion")]
+        public int? KeyVersion
+        {
+            get; set;
+        }
+
         [JsonPropertyName("alg")]
         [DataMember(Name = "alg")]
         [MessagePack.Key("alg")]

Notesnook.API/Models/UserKeys.cs

@@ -24,6 +24,8 @@ namespace Notesnook.API.Models
         public EncryptedData? AttachmentsKey { get; set; }
         public EncryptedData? MonographPasswordsKey { get; set; }
         public InboxKeys? InboxKeys { get; set; }
+        public EncryptedData? DataEncryptionKey { get; set; }
+        public EncryptedData? LegacyDataEncryptionKey { get; set; }
     }
 
     public class InboxKeys

Notesnook.API/Models/UserSettings.cs

@@ -55,6 +55,8 @@ namespace Notesnook.API.Models
         public EncryptedData? VaultKey { get; set; }
         public EncryptedData? AttachmentsKey { get; set; }
         public EncryptedData? MonographPasswordsKey { get; set; }
+        public EncryptedData? DataEncryptionKey { get; set; }
+        public EncryptedData? LegacyDataEncryptionKey { get; set; }
         public InboxKeys? InboxKeys { get; set; }
         public Limit? StorageLimit { get; set; }
 

Notesnook.API/Services/UserService.cs

@@ -18,6 +18,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 using System;
+using System.Collections.Generic;
 using System.Net.Http;
 using System.Text.Json;
 using System.Threading;
@@ -133,6 +134,8 @@ namespace Notesnook.API.Services
                 PhoneNumber = user.PhoneNumber,
                 AttachmentsKey = userSettings.AttachmentsKey,
                 MonographPasswordsKey = userSettings.MonographPasswordsKey,
+                DataEncryptionKey = userSettings.DataEncryptionKey,
+                LegacyDataEncryptionKey = userSettings.LegacyDataEncryptionKey,
                 InboxKeys = userSettings.InboxKeys,
                 Salt = userSettings.Salt,
                 Subscription = subscription,
@@ -155,6 +158,11 @@ namespace Notesnook.API.Services
             {
                 userSettings.MonographPasswordsKey = keys.MonographPasswordsKey;
             }
+            if (keys.DataEncryptionKey != null)
+                userSettings.DataEncryptionKey = keys.DataEncryptionKey;
+            if (keys.LegacyDataEncryptionKey != null)
+                userSettings.LegacyDataEncryptionKey = keys.LegacyDataEncryptionKey;
+
             if (keys.InboxKeys != null)
             {
                 if (keys.InboxKeys.Public == null || keys.InboxKeys.Private == null)
@@ -268,6 +276,8 @@ namespace Notesnook.API.Services
 
             userSettings.AttachmentsKey = null;
             userSettings.MonographPasswordsKey = null;
+            userSettings.DataEncryptionKey = null;
+            userSettings.LegacyDataEncryptionKey = null;
             userSettings.VaultKey = null;
             userSettings.InboxKeys = null;
             userSettings.LastSynced = 0;

Streetwriters.Common/Interfaces/IUserAccountService.cs

@@ -10,7 +10,11 @@ namespace Streetwriters.Common.Interfaces
         Task<UserModel?> GetUserAsync(string clientId, string userId);
         [WampProcedure("co.streetwriters.identity.users.delete_user")]
         Task DeleteUserAsync(string clientId, string userId, string password);
-        // [WampProcedure("co.streetwriters.identity.users.create_user")]
-        // Task<UserModel> CreateUserAsync();
+        [WampProcedure("co.streetwriters.identity.users.change_password")]
+        Task<bool> ChangePasswordAsync(string userId, string oldPassword, string newPassword);
+        [WampProcedure("co.streetwriters.identity.users.reset_password")]
+        Task<bool> ResetPasswordAsync(string userId, string newPassword);
+        [WampProcedure("co.streetwriters.identity.users.clear_sessions")]
+        Task<bool> ClearSessionsAsync(string userId, string clientId, bool all, string jti, string? refreshToken);
     }
 }

Streetwriters.Data/DbContexts/MongoDbContext.cs

@@ -33,9 +33,6 @@ namespace Streetwriters.Data.DbContexts
         public static IMongoClient CreateMongoDbClient(IDbSettings dbSettings)
         {
             var settings = MongoClientSettings.FromConnectionString(dbSettings.ConnectionString);
-            settings.MaxConnectionPoolSize = 500;
-            settings.MinConnectionPoolSize = 0;
-            settings.HeartbeatInterval = TimeSpan.FromSeconds(60);
             return new MongoClient(settings);
         }
 

Streetwriters.Identity/Controllers/AccountController.cs

@@ -25,6 +25,7 @@ using System.Security.Claims;
 using System.Text.Json;
 using System.Threading.Tasks;
 using AspNetCore.Identity.Mongo.Model;
+using IdentityServer4.Extensions;
 using IdentityServer4.Stores;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
@@ -149,6 +150,7 @@ namespace Streetwriters.Identity.Controllers
         [EnableRateLimiting("strict")]
         public async Task<IActionResult> ResetUserPassword([FromForm] ResetPasswordForm form)
         {
+
             var client = Clients.FindClientById(form.ClientId);
             if (client == null) return BadRequest("Invalid client_id.");
 
@@ -160,9 +162,9 @@ namespace Streetwriters.Identity.Controllers
 #if (DEBUG || STAGING)
             return Ok(callbackUrl);
 #else
-            logger.LogInformation("Password reset email sent to: {Email}, callback URL: {CallbackUrl}", user.Email, callbackUrl);
-            await EmailSender.SendPasswordResetEmailAsync(user.Email, callbackUrl, client);
-            return Ok();
+                        logger.LogInformation("Password reset email sent to: {Email}, callback URL: {CallbackUrl}", user.Email, callbackUrl);
+                        await EmailSender.SendPasswordResetEmailAsync(user.Email, callbackUrl, client);
+                        return Ok();
 #endif
         }
 
@@ -248,34 +250,6 @@ namespace Streetwriters.Identity.Controllers
                         }
                         return BadRequest(result.Errors.ToErrors());
                     }
-                case "change_password":
-                    {
-                        ArgumentNullException.ThrowIfNull(form.OldPassword);
-                        ArgumentNullException.ThrowIfNull(form.NewPassword);
-                        var result = await UserManager.ChangePasswordAsync(user, form.OldPassword, form.NewPassword);
-                        if (result.Succeeded)
-                        {
-                            await SendLogoutMessageAsync(user.Id.ToString(), "Password changed.");
-                            return Ok();
-                        }
-                        return BadRequest(result.Errors.ToErrors());
-                    }
-                case "reset_password":
-                    {
-                        ArgumentNullException.ThrowIfNull(form.NewPassword);
-                        var result = await UserManager.RemovePasswordAsync(user);
-                        if (result.Succeeded)
-                        {
-                            await MFAService.ResetMFAAsync(user);
-                            result = await UserManager.AddPasswordAsync(user, form.NewPassword);
-                            if (result.Succeeded)
-                            {
-                                await SendLogoutMessageAsync(user.Id.ToString(), "Password reset.");
-                                return Ok();
-                            }
-                        }
-                        return BadRequest(result.Errors.ToErrors());
-                    }
                 case "change_marketing_consent":
                     {
                         var claimType = $"{client.Id}:marketing_consent";
@@ -294,40 +268,14 @@ namespace Streetwriters.Identity.Controllers
         [HttpPost("sessions/clear")]
         public async Task<IActionResult> ClearUserSessions([FromQuery] bool all, [FromForm] string? refresh_token)
         {
-            var client = Clients.FindClientById(User.FindFirstValue("client_id"));
-            if (client == null) return BadRequest("Invalid client_id.");
-
-            var user = await UserManager.GetUserAsync(User) ?? throw new Exception("User not found.");
-            if (!await UserService.IsUserValidAsync(UserManager, user, client.Id)) return BadRequest($"Unable to find user with ID '{user.Id}'.");
-
             var jti = User.FindFirstValue("jti");
-
-            var grants = await PersistedGrantStore.GetAllAsync(new PersistedGrantFilter
-            {
-                ClientId = client.Id,
-                SubjectId = user.Id.ToString()
-            });
-            string? refreshTokenKey = refresh_token != null ? GetHashedKey(refresh_token, PersistedGrantTypes.RefreshToken) : null;
-            var removedKeys = new List<string>();
-            foreach (var grant in grants)
-            {
-                if (!all && (grant.Data.Contains(jti) || grant.Key == refreshTokenKey)) continue;
-                await PersistedGrantStore.RemoveAsync(grant.Key);
-                removedKeys.Add(grant.Key);
-            }
-
-            await WampServers.NotesnookServer.PublishMessageAsync(IdentityServerTopics.ClearCacheTopic, new ClearCacheMessage(removedKeys));
-            await WampServers.MessengerServer.PublishMessageAsync(IdentityServerTopics.ClearCacheTopic, new ClearCacheMessage(removedKeys));
-            await WampServers.SubscriptionServer.PublishMessageAsync(IdentityServerTopics.ClearCacheTopic, new ClearCacheMessage(removedKeys));
-            await SendLogoutMessageAsync(user.Id.ToString(), "Session revoked.");
+            var userId = User.GetSubjectId();
+            var clientId = User.FindFirstValue("client_id");
+            if (await UserAccountService.ClearSessionsAsync(userId, clientId, all, refresh_token, jti))
+                await SendLogoutMessageAsync(userId, "Session revoked.");
             return Ok();
         }
 
-        private static string GetHashedKey(string value, string grantType)
-        {
-            return (value + ":" + grantType).Sha256();
-        }
-
         private async Task SendLogoutMessageAsync(string userId, string reason)
         {
             await SendMessageAsync(userId, new Message

Streetwriters.Identity/Services/UserAccountService.cs

@@ -1,16 +1,22 @@
 using System;
+using System.Collections.Generic;
 using System.Linq;
+using System.Text.Json;
 using System.Threading.Tasks;
+using IdentityServer4;
+using IdentityServer4.Stores;
 using Microsoft.AspNetCore.Identity;
+using Streetwriters.Common;
 using Streetwriters.Common.Enums;
 using Streetwriters.Common.Interfaces;
+using Streetwriters.Common.Messages;
 using Streetwriters.Common.Models;
 using Streetwriters.Identity.Interfaces;
 using Streetwriters.Identity.Models;
 
 namespace Streetwriters.Identity.Services
 {
-    public class UserAccountService(UserManager<User> userManager, IMFAService mfaService) : IUserAccountService
+    public class UserAccountService(UserManager<User> userManager, IMFAService mfaService, IPersistedGrantStore persistedGrantStore) : IUserAccountService
     {
         public async Task<UserModel?> GetUserAsync(string clientId, string userId)
         {
@@ -54,5 +60,58 @@ namespace Streetwriters.Identity.Services
 
             await userManager.DeleteAsync(user);
         }
+
+        public async Task<bool> ChangePasswordAsync(string userId, string oldPassword, string newPassword)
+        {
+            var user = await userManager.FindByIdAsync(userId) ?? throw new Exception("User not found.");
+
+            var result = await userManager.ChangePasswordAsync(user, oldPassword, newPassword);
+            return result.Succeeded;
+        }
+
+        public async Task<bool> ResetPasswordAsync(string userId, string newPassword)
+        {
+            var user = await userManager.FindByIdAsync(userId) ?? throw new Exception("User not found.");
+
+            var result = await userManager.RemovePasswordAsync(user);
+            if (!result.Succeeded) return false;
+
+            await mfaService.ResetMFAAsync(user);
+            result = await userManager.AddPasswordAsync(user, newPassword);
+            return result.Succeeded;
+        }
+
+        public async Task<bool> ClearSessionsAsync(string userId, string clientId, bool all, string jti, string? refreshToken)
+        {
+            var client = Clients.FindClientById(clientId) ?? throw new Exception("Invalid client_id.");
+
+            var user = await userManager.FindByIdAsync(userId) ?? throw new Exception("User not found.");
+            if (!await UserService.IsUserValidAsync(userManager, user, client.Id)) throw new Exception($"Unable to find user with ID '{user.Id}'.");
+
+            var grants = await persistedGrantStore.GetAllAsync(new PersistedGrantFilter
+            {
+                ClientId = client.Id,
+                SubjectId = user.Id.ToString()
+            });
+            string? refreshTokenKey = refreshToken != null ? GetHashedKey(refreshToken, IdentityServerConstants.PersistedGrantTypes.RefreshToken) : null;
+            List<string> removedKeys = [];
+            foreach (var grant in grants)
+            {
+                if (!all && (grant.Data.Contains(jti) || grant.Key == refreshTokenKey)) continue;
+                await persistedGrantStore.RemoveAsync(grant.Key);
+                removedKeys.Add(grant.Key);
+            }
+
+            await WampServers.NotesnookServer.PublishMessageAsync(IdentityServerTopics.ClearCacheTopic, new ClearCacheMessage(removedKeys));
+            await WampServers.MessengerServer.PublishMessageAsync(IdentityServerTopics.ClearCacheTopic, new ClearCacheMessage(removedKeys));
+            await WampServers.SubscriptionServer.PublishMessageAsync(IdentityServerTopics.ClearCacheTopic, new ClearCacheMessage(removedKeys));
+            // await SendLogoutMessageAsync(user.Id.ToString(), "Session revoked.");
+            return true;
+        }
+
+        private static string GetHashedKey(string value, string grantType)
+        {
+            return (value + ":" + grantType).Sha256();
+        }
     }
 }

Streetwriters.Identity/Startup.cs

@@ -53,6 +53,7 @@ using Streetwriters.Identity.Interfaces;
 using Streetwriters.Identity.Jobs;
 using Streetwriters.Identity.Services;
 using Streetwriters.Identity.Validation;
+using IdentityServer4.MongoDB.Configuration;
 
 namespace Streetwriters.Identity
 {
@@ -107,11 +108,6 @@ namespace Streetwriters.Identity
                 options.UsersCollection = "users";
                 // options.MigrationCollection = "migration";
                 options.ConnectionString = connectionString;
-                options.ClusterConfigurator = builder =>
-                {
-                    builder.ConfigureConnectionPool((c) => c.With(maxConnections: 500, minConnections: 0));
-                    builder.ConfigureServer(s => s.With(heartbeatInterval: TimeSpan.FromSeconds(60)));
-                };
             }).AddDefaultTokenProviders();
 
             services.AddIdentityServer(
@@ -137,6 +133,11 @@ namespace Streetwriters.Identity
             .AddKeyManagement()
             .AddFileSystemPersistence(Path.Combine(WebHostEnvironment.ContentRootPath, @"keystore"));
 
+            services.Configure<MongoDBConfiguration>(options =>
+            {
+                options.ConnectionString = connectionString;
+            });
+
             services.Configure<DataProtectionTokenProviderOptions>(options =>
             {
                 options.TokenLifespan = TimeSpan.FromHours(2);

cors-proxy/src/index.ts

@@ -210,7 +210,21 @@ const server = Bun.serve({
       });
     }
 
-    // Proxy the request
+    // Check if it's a YouTube URL and redirect instead of proxying
+    if (isYouTubeEmbed(targetUrl)) {
+      // YouTube URL detected, redirect to youtube-nocookie.com
+      logRequest(req.method, targetUrl, 200);
+      return new Response(serveYouTubeEmbed(targetUrl), {
+        status: 200,
+        headers: {
+          "Content-Type": "text/html; charset=utf-8",
+          "Content-Security-Policy": "frame-ancestors *",
+          "X-Frame-Options": "ALLOWALL",
+        },
+      });
+    }
+
+    // Proxy the request for non-YouTube URLs
     const response = await proxyRequest(targetUrl);
     logRequest(req.method, targetUrl, response.status);
     return response;
@@ -229,3 +243,80 @@ console.log(
 );
 console.log(`📋 Health check: http://${server.hostname}:${server.port}/health`);
 console.log(`🌍 Environment: ${Bun.env.NODE_ENV || "development"}`);
+
+/**
+ * This is required to bypass YouTube's Referrer Policy restrictions when
+ * embedding videos on the mobile app. It basically "proxies" the Referrer and
+ * allows any YouTube video to be embedded anywhere without restrictions.
+ */
+function serveYouTubeEmbed(url: string) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
+    <meta name="referrer" content="strict-origin-when-cross-origin">
+    <meta name="robots" content="noindex,nofollow">
+    <title>YouTube Video Embed</title>
+    <style>
+    * {
+        margin: 0;
+        padding: 0;
+        box-sizing:border-box
+    }
+
+    body, html {
+        overflow: hidden;
+        background:#000
+    }
+
+    iframe {
+        border: 0;
+        width: 100vw;
+        height: 100vh;
+        display: block
+    }
+    </style>
+</head>
+<body>
+    <iframe src="${transformYouTubeUrl(
+      url
+    )}" allow="accelerometer;autoplay;clipboard-write;encrypted-media;gyroscope;picture-in-picture;web-share" allowfullscreen referrerpolicy="strict-origin-when-cross-origin" title="Video player"></iframe>
+</body>
+</html>`;
+}
+
+// Check if URL is a YouTube embed (including youtube-nocookie.com)
+function isYouTubeEmbed(urlString: string) {
+  const url = new URL(urlString);
+  return (
+    (url.hostname === "www.youtube.com" ||
+      url.hostname === "youtube.com" ||
+      url.hostname === "m.youtube.com" ||
+      url.hostname === "www.youtube-nocookie.com" ||
+      url.hostname === "youtube-nocookie.com") &&
+    url.pathname.startsWith("/embed/")
+  );
+}
+
+// Transform YouTube URLs to use youtube-nocookie.com for enhanced privacy
+function transformYouTubeUrl(urlString: string): string {
+  try {
+    const url = new URL(urlString);
+
+    // Check if it's a YouTube domain
+    if (
+      url.hostname === "www.youtube.com" ||
+      url.hostname === "youtube.com" ||
+      url.hostname === "m.youtube.com"
+    ) {
+      // Replace with youtube-nocookie.com
+      url.hostname = "www.youtube-nocookie.com";
+      return url.toString();
+    }
+
+    return urlString;
+  } catch {
+    return urlString;
+  }
+}