no 405

.gitignore

@@ -8,3 +8,4 @@
 !/README.md
 !/files/www/qonq.js
 !/favicon.ico
+!/antiscrape.js

README.md

@@ -17,13 +17,12 @@ The following environment variables are optional.
 
 | Variable | Description | Default |
 |----------|-------------|---------|
-| `HOSTNAMES` | Comma-separated list of hostnames that will be chosen at random for the URL sent back after an upload. | request hostname |
-| `DISCORD_WEBHOOK` | Discord webhook url that uploads will be sent to to make them pre-load the embed, which theoretically makes it faster. | `undefined` (disabled) |
+| `BASE_HOSTNAME` | Overrides the hostname for generating URLs. | host header on the upload request |
+| `DISCORD_WEBHOOK` | Discord webhook url that newly-uploaded URLs will be sent to to pre-load their embed, which theoretically makes them embed again faster. | `undefined` (disabled) |
 | `PORT` | TCP port to listen on | `8568` |
 | `ADDRESS` | Address to bind to | `'0.0.0.0'` (all) |
 | `FILES_DIR` | Directory to store the files in | `'files'` (relative of working directory) |
-| `TMP_DIR` | Directory to store pending uploads in | `os.tmpdir()` |
-| `TRUST_PROXY` | Value for express's [`'trust proxy'`](https://expressjs.com/en/5x/api.html#trust.proxy.options.table) setting | `'127.0.0.1'` |
+| `TRUST_PROXY` | Value for express's [`'trust proxy'`](https://expressjs.com/en/5x/api.html#trust.proxy.options.table) setting | `'loopback'` |
 
 
 Run with `node qonq.js` or your favorite init system.
@@ -35,12 +34,12 @@ Run with `node qonq.js` or your favorite init system.
   "Version": "12.4.1",
   "DestinationType": "ImageUploader, TextUploader, FileUploader",
   "RequestMethod": "POST",
-  "RequestURL": "http://localhost:8568/upload",
+  "RequestURL": "https://qonq.gq/",
   "Headers": {
-    "authentication": "paste value of AUTH_TOKEN here"
+    "authentication": "paste value of AUTH_TOKEN here",
+    "filename": "$filename$"
   },
-  "Body": "MultipartFormData",
-  "FileFormName": "file"
+  "Body": "Binary"
 }
 ```
 You can import this custom uploader config and modify the Request URL and authentication fields as necessary.

antiscrape.js

@@ -0,0 +1,15 @@
+// someone could iterate over all ~1.6 million possible file codes to download all files.
+// prevent this by banning IP addresses that request too many non-existant files.
+
+var ip404 = {};
+module.exports = (req, res, next) => {
+	if (ip404[req.ip]?.size > 10)
+		return res.status(403).send("Banned");
+	res.on("finish", () => {
+		if (res.statusCode == 404 && req.filecode) {
+			if (!ip404[req.ip]) ip404[req.ip] = new Set();
+			ip404[req.ip].add(req.filecode);
+		}
+	});
+	next();
+};

package-lock.json

@@ -8,7 +8,6 @@
         "colors": "^1.4.0",
         "dotenv": "^10.0.0",
         "express": "^4.17.1",
-        "formidable": "^1.2.2",
         "serve-favicon": "^2.5.0",
         "serve-index": "^1.9.1"
       }
@@ -215,14 +214,6 @@
         "node": ">= 0.8"
       }
     },
-    "node_modules/formidable": {
-      "version": "1.2.2",
-      "resolved": "https://registry.npmjs.org/formidable/-/formidable-1.2.2.tgz",
-      "integrity": "sha512-V8gLm+41I/8kguQ4/o1D3RIHRmhYFG4pnNyonvua+40rqcEmT4+V71yaZ3B457xbbgCsCfjSPi65u/W6vK1U5Q==",
-      "funding": {
-        "url": "https://ko-fi.com/tunnckoCore/commissions"
-      }
-    },
     "node_modules/forwarded": {
       "version": "0.1.2",
       "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.1.2.tgz",
@@ -743,11 +734,6 @@
         "unpipe": "~1.0.0"
       }
     },
-    "formidable": {
-      "version": "1.2.2",
-      "resolved": "https://registry.npmjs.org/formidable/-/formidable-1.2.2.tgz",
-      "integrity": "sha512-V8gLm+41I/8kguQ4/o1D3RIHRmhYFG4pnNyonvua+40rqcEmT4+V71yaZ3B457xbbgCsCfjSPi65u/W6vK1U5Q=="
-    },
     "forwarded": {
       "version": "0.1.2",
       "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.1.2.tgz",

package.json

@@ -3,7 +3,6 @@
     "colors": "^1.4.0",
     "dotenv": "^10.0.0",
     "express": "^4.17.1",
-    "formidable": "^1.2.2",
     "serve-favicon": "^2.5.0",
     "serve-index": "^1.9.1"
   }

qonq.js

@@ -1,23 +1,19 @@
 require("dotenv").config();
 var colors = require("colors");
 var express = require("express");
-var formidable = require("formidable");
 var serveIndex = require("serve-index");
 var serveFavicon = require("serve-favicon");
 var path = require("path");
 var fs = require("fs");
+try { var customGen = require("./customGen"); } catch(e) {}
 
 var FILES_DIR = process.env.FILES_DIR || "files";
-if (process.env.HOSTNAMES) {
-	var HOSTNAMES = process.env.HOSTNAMES.split(',');
-	var randomHostname = () => HOSTNAMES[Math.floor(Math.random() * HOSTNAMES.length)];
-}
 
 var app = express();
 app.set("env", "production");
-app.set('trust proxy', process.env.TRUST_PROXY || "127.0.0.1");
+app.set('trust proxy', process.env.TRUST_PROXY || "loopback");
 app.listen(process.env.PORT || 8568, process.env.ADDRESS);
-
+app.use((req,res,next) => { res.header("Access-Control-Allow-Origin", '*'); next(); });
 
 app.use((req, res, next)=>{
 	var d = new Date;
@@ -33,17 +29,12 @@ app.use(serveFavicon("favicon.ico"));
 
 app.post("*", (req, res, next) => {
 	if (req.headers.authentication != process.env.AUTH_TOKEN) return void res.status(403).send("Unauthorized");
-	var form = new formidable.IncomingForm({
-		maxFileSize: 2**30, // 1 GiB
-		maxFields: 1,
-		uploadDir: process.env.TMP_DIR
-	});
-	form.parse(req, function(err, fields, files) {
-		if (err) return void next(err);
-		var file = files.file;
-		if (!file) return void res.sendStatus(400);
 	(function trymkdir() {
-			var filecode = Math.random().toString(36).slice(2).substring(0,4);
+		if (customGen) {
+			var g = customGen(req);
+			var filecode = g.next().value;
+		}
+		filecode ||= Math.random().toString(36).slice(2).substring(0,4);
 		var webroot = path.join(FILES_DIR, filecode);
 		fs.mkdir(webroot, function (error) {
 			if (error) if (error.code == "EEXIST") {
@@ -51,28 +42,30 @@ app.post("*", (req, res, next) => {
 				trymkdir();
 			} else next(error);
 			else {
-					fs.rename(file.path, path.join(webroot, file.name), function (error) {
-						if (error) return void next(error);
-						let url = `${req.protocol}://${filecode}.${randomHostname?.() || req.hostname}`;
-						res.send(url);
+				var filename = req.headers.filename || "file";
+				var filepath = path.join(webroot, filename);
+				req.pipe(fs.createWriteStream(filepath));
+				req.on("close", () => {
+					var url = g?.next().value || `${req.protocol}://${filecode}.${process.env.BASE_HOSTNAME || req.hostname}`;
+					res.type('text').send(url);
 					require("./discord-preloader.js")(url);
 				});
 			}
 		});
 	})();
 });
-});
 
+app.use(require("./antiscrape"));
 
 app.get(['/', '/:code/', '/:code/*'], function(req, res, next){
 	var subdomain = req.subdomains.at(-1);
-	var filecode = subdomain || req.params.code;
-	if (!filecode) filecode = "www";
-	var webroot = path.join(FILES_DIR, filecode);
+	req.filecode = subdomain || req.params.code;
+	if (!req.filecode) req.filecode = "www";
+	var webroot = path.join(FILES_DIR, req.filecode);
 	fs.readdir(webroot, function(error, webrootdirlist) {
 		if (error) return void next(error.code == "ENOENT" ? "route" : error);
 		if (webrootdirlist.length > 1) {
-			if (subdomain) req.url = path.join(filecode, req.url);
+			if (subdomain) req.url = path.join(req.filecode, req.url);
 			next();
 		} else if (webrootdirlist.length == 1) {
 			res.sendFile(webrootdirlist[0], {
@@ -84,9 +77,3 @@ app.get(['/', '/:code/', '/:code/*'], function(req, res, next){
 		}
 	});
 }, express.static(FILES_DIR), serveIndex(FILES_DIR, {icons: true}));
-
-
-app.use((req, res) => {
-	if (req.method == "GET") res.status(404).send("This resource does not exist.");
-	else res.sendStatus(405);
-});