diff --git a/src/discord/utils.js b/src/discord/utils.js index 8cb241b0..dc96ff8a 100644 --- a/src/discord/utils.js +++ b/src/discord/utils.js @@ -5,6 +5,13 @@ const assert = require("assert").strict const {reg} = require("../matrix/read-registration") +const {db} = require("../passthrough") + +/** @type {import("xxhash-wasm").XXHashAPI} */ // @ts-ignore +let hasher = null +// @ts-ignore +require("xxhash-wasm")().then(h => hasher = h) + const EPOCH = 1420070400000 /** @@ -123,6 +130,9 @@ function timestampToSnowflakeInexact(timestamp) { function getPublicUrlForCdn(url) { const match = url.match(/https:\/\/(cdn|media)\.discordapp\.(?:com|net)\/attachments\/([0-9]+)\/([0-9]+)\/([-A-Za-z0-9_.,]+)/) if (!match) return url + const unsignedHash = hasher.h64(match[3]) // attachment ID + const signedHash = unsignedHash - 0x8000000000000000n // shifting down to signed 64-bit range + db.prepare("INSERT OR IGNORE INTO media_proxy (permitted_hash) VALUES (?)").run(signedHash) return `${reg.ooye.bridge_origin}/download/discord${match[1]}/${match[2]}/${match[3]}/${match[4]}` } diff --git a/src/web/routes/download-discord.js b/src/web/routes/download-discord.js index 047dd944..ee640747 100644 --- a/src/web/routes/download-discord.js +++ b/src/web/routes/download-discord.js @@ -4,6 +4,11 @@ const assert = require("assert/strict") const {defineEventHandler, getValidatedRouterParams, sendRedirect, createError} = require("h3") const {z} = require("zod") +/** @type {import("xxhash-wasm").XXHashAPI} */ // @ts-ignore +let hasher = null +// @ts-ignore +require("xxhash-wasm")().then(h => hasher = h) + const {discord, as, select} = require("../../passthrough") const schema = { @@ -31,7 +36,10 @@ function defineMediaProxyHandler(domain) { return defineEventHandler(async event => { const params = await getValidatedRouterParams(event, schema.params.parse) - const row = select("channel_room", "channel_id", {channel_id: params.channel_id}).get() + const unsignedHash = hasher.h64(params.attachment_id) + const signedHash = unsignedHash - 0x8000000000000000n // shifting down to signed 64-bit range + + const row = select("media_proxy", "permitted_hash", {permitted_hash: signedHash}).get() if (row == null) { throw createError({ status: 403,