Start implementing webhooks

src/api/middlewares/Authentication.ts

@@ -16,8 +16,8 @@
 	along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 
-import { checkToken, Rights } from "@spacebar/util";
 import * as Sentry from "@sentry/node";
+import { checkToken, Rights } from "@spacebar/util";
 import { NextFunction, Request, Response } from "express";
 import { HTTPError } from "lambert-server";
 
@@ -32,7 +32,7 @@ export const NO_AUTHORIZATION_ROUTES = [
 	"/auth/forgot",
 	"/auth/reset",
 	// Routes with a seperate auth system
-	"/webhooks/",
+	/\/webhooks\/\d+\/\w+\/?/, // no token requires auth
 	// Public information endpoints
 	"/ping",
 	"/gateway",

src/api/routes/channels/#channel_id/webhooks.ts

@@ -26,8 +26,8 @@ import {
 	WebhookCreateSchema,
 	WebhookType,
 	handleFile,
-	trimSpecial,
 	isTextChannel,
+	trimSpecial,
 } from "@spacebar/util";
 import crypto from "crypto";
 import { Request, Response, Router } from "express";
@@ -35,10 +35,12 @@ import { HTTPError } from "lambert-server";
 
 const router: Router = Router();
 
-//TODO: implement webhooks
 router.get(
 	"/",
 	route({
+		description:
+			"Returns a list of channel webhook objects. Requires the MANAGE_WEBHOOKS permission.",
+		permission: "MANAGE_WEBHOOKS",
 		responses: {
 			200: {
 				body: "APIWebhookArray",
@@ -46,7 +48,18 @@ router.get(
 		},
 	}),
 	async (req: Request, res: Response) => {
-		res.json([]);
+		const { channel_id } = req.params;
+		const webhooks = await Webhook.find({
+			where: { channel_id },
+			relations: [
+				"user",
+				"guild",
+				"source_guild",
+				"application" /*"source_channel"*/,
+			],
+		});
+
+		return res.json(webhooks);
 	},
 );
 
@@ -89,15 +102,15 @@ router.post(
 
 		if (avatar) avatar = await handleFile(`/avatars/${channel_id}`, avatar);
 
-		const hook = Webhook.create({
+		const hook = await Webhook.create({
 			type: WebhookType.Incoming,
 			name,
 			avatar,
 			guild_id: channel.guild_id,
 			channel_id: channel.id,
 			user_id: req.user_id,
-			token: crypto.randomBytes(24).toString("base64"),
+			token: crypto.randomBytes(24).toString("base64url"),
-		});
+		}).save();
 
 		const user = await User.getPublicUser(req.user_id);
 

src/api/routes/guilds/#guild_id/webhooks.ts

@@ -16,12 +16,37 @@
 	along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 
-import { Router, Response, Request } from "express";
 import { route } from "@spacebar/api";
+import { Webhook } from "@spacebar/util";
+import { Request, Response, Router } from "express";
 const router = Router();
 
-//TODO: implement webhooks
+router.get(
-router.get("/", route({}), async (req: Request, res: Response) => {
+	"/",
-	res.json([]);
+	route({
-});
+		description:
+			"Returns a list of guild webhook objects. Requires the MANAGE_WEBHOOKS permission.",
+		permission: "MANAGE_WEBHOOKS",
+		responses: {
+			200: {
+				body: "APIWebhookArray",
+			},
+		},
+	}),
+	async (req: Request, res: Response) => {
+		const { guild_id } = req.params;
+		const webhooks = await Webhook.find({
+			where: { guild_id },
+			relations: [
+				"user",
+				"guild",
+				"source_guild",
+				"application" /*"source_channel"*/,
+			],
+		});
+
+		return res.json(webhooks);
+	},
+);
+
 export default router;

src/api/routes/webhooks/#webhook_id/#token/index.ts

@@ -0,0 +1,215 @@
+import { handleMessage, route } from "@spacebar/api";
+import {
+	Attachment,
+	Config,
+	DiscordApiErrors,
+	FieldErrors,
+	Message,
+	Webhook,
+	WebhookExecuteSchema,
+	uploadFile,
+} from "@spacebar/util";
+import { Request, Response, Router } from "express";
+import { HTTPError } from "lambert-server";
+import multer from "multer";
+import { MoreThan } from "typeorm";
+const router = Router();
+
+router.get(
+	"/",
+	route({
+		description: "Returns a webhook object for the given id.",
+		responses: {
+			200: {
+				body: "APIWebhook",
+			},
+			404: {},
+		},
+	}),
+	async (req: Request, res: Response) => {
+		const { webhook_id, token } = req.params;
+		const webhook = await Webhook.findOne({
+			where: {
+				id: webhook_id,
+			},
+			relations: ["channel", "guild", "application"],
+		});
+
+		if (!webhook) {
+			throw DiscordApiErrors.UNKNOWN_WEBHOOK;
+		}
+
+		if (webhook.token !== token) {
+			throw DiscordApiErrors.INVALID_WEBHOOK_TOKEN_PROVIDED;
+		}
+
+		return res.json(webhook);
+	},
+);
+
+// TODO: config max upload size
+const messageUpload = multer({
+	limits: {
+		fileSize: Config.get().limits.message.maxAttachmentSize,
+		fields: 10,
+		// files: 1
+	},
+	storage: multer.memoryStorage(),
+}); // max upload 50 mb
+
+// https://discord.com/developers/docs/resources/webhook#execute-webhook
+router.post(
+	"/",
+	messageUpload.any(),
+	(req, res, next) => {
+		if (req.body.payload_json) {
+			req.body = JSON.parse(req.body.payload_json);
+		}
+
+		next();
+	},
+	route({
+		requestBody: "WebhookExecuteSchema",
+		query: {
+			wait: {
+				type: "boolean",
+				required: false,
+				description:
+					"waits for server confirmation of message send before response, and returns the created message body",
+			},
+			thread_id: {
+				type: "string",
+				required: false,
+				description:
+					"Send a message to the specified thread within a webhook's channel.",
+			},
+		},
+		responses: {
+			204: {},
+			400: {
+				body: "APIErrorResponse",
+			},
+			404: {},
+		},
+	}),
+	async (req: Request, res: Response) => {
+		const { webhook_id, token } = req.params;
+		const body = req.body as WebhookExecuteSchema;
+		const attachments: Attachment[] = [];
+
+		// ensure one of content, embeds, components, or file is present
+		if (
+			!body.content &&
+			!body.embeds &&
+			!body.components &&
+			!body.file &&
+			!body.attachments
+		) {
+			throw DiscordApiErrors.CANNOT_SEND_EMPTY_MESSAGE;
+		}
+
+		// block username from containing certain words
+		// TODO: configurable additions
+		const blockedContains = ["discord", "clyde", "spacebar"];
+		for (const word of blockedContains) {
+			if (body.username?.toLowerCase().includes(word)) {
+				return res.status(400).json({
+					username: [`Username cannot contain "${word}"`],
+				});
+			}
+		}
+
+		// block username from being certain words
+		// TODO: configurable additions
+		const blockedEquals = ["everyone", "here"];
+		for (const word of blockedEquals) {
+			if (body.username?.toLowerCase() === word) {
+				return res.status(400).json({
+					username: [`Username cannot be "${word}"`],
+				});
+			}
+		}
+
+		const webhook = await Webhook.findOne({
+			where: {
+				id: webhook_id,
+			},
+			relations: ["channel", "guild", "application"],
+		});
+
+		if (!webhook) {
+			throw DiscordApiErrors.UNKNOWN_WEBHOOK;
+		}
+
+		if (!webhook.channel.isWritable()) {
+			throw new HTTPError(
+				`Cannot send messages to channel of type ${webhook.channel.type}`,
+				400,
+			);
+		}
+
+		if (webhook.token !== token) {
+			throw DiscordApiErrors.INVALID_WEBHOOK_TOKEN_PROVIDED;
+		}
+
+		// TODO: creating messages by users checks if the user can bypass rate limits, we cant do that on webhooks, but maybe we could check the application if there is one?
+		const limits = Config.get().limits;
+		if (limits.absoluteRate.register.enabled) {
+			const count = await Message.count({
+				where: {
+					channel_id: webhook.channel_id,
+					timestamp: MoreThan(
+						new Date(
+							Date.now() - limits.absoluteRate.sendMessage.window,
+						),
+					),
+				},
+			});
+
+			if (count >= limits.absoluteRate.sendMessage.limit)
+				throw FieldErrors({
+					channel_id: {
+						code: "TOO_MANY_MESSAGES",
+						message: req.t("common:toomany.MESSAGE"),
+					},
+				});
+		}
+
+		const files = (req.files as Express.Multer.File[]) ?? [];
+		for (const currFile of files) {
+			try {
+				const file = await uploadFile(
+					`/attachments/${webhook.channel.id}`,
+					currFile,
+				);
+				attachments.push(
+					Attachment.create({ ...file, proxy_url: file.url }),
+				);
+			} catch (error) {
+				return res.status(400).json({ message: error?.toString() });
+			}
+		}
+
+		// TODO: set username and avatar based on body
+
+		const embeds = body.embeds || [];
+		const message = await handleMessage({
+			...body,
+			type: 0,
+			pinned: false,
+			webhook_id: webhook.id,
+			application_id: webhook.application?.id,
+			embeds,
+			channel_id: webhook.channel_id,
+			attachments,
+			timestamp: new Date(),
+		});
+		// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+		//@ts-ignore dont care2
+		message.edited_timestamp = null;
+
+		webhook.channel.last_message_id = message.id;
+	},
+);
+
+export default router;

src/api/routes/webhooks/#webhook_id/index.ts

@@ -0,0 +1,32 @@
+import { route } from "@spacebar/api";
+import { Webhook } from "@spacebar/util";
+import { Request, Response, Router } from "express";
+const router = Router();
+
+router.get(
+	"/",
+	route({
+		description: "Returns a webhook object for the given id.",
+		responses: {
+			200: {
+				body: "APIWebhook",
+			},
+			404: {},
+		},
+	}),
+	async (req: Request, res: Response) => {
+		const { webhook_id } = req.params;
+		const webhook = await Webhook.findOneOrFail({
+			where: { id: webhook_id },
+			relations: [
+				"user",
+				"guild",
+				"source_guild",
+				"application" /*"source_channel"*/,
+			],
+		});
+		return res.json(webhook);
+	},
+);
+
+export default router;

src/util/schemas/MessageCreateSchema.ts

@@ -18,7 +18,7 @@
 
 import { Embed } from "@spacebar/util";
 
-type Attachment = {
+export type MessageCreateAttachment = {
 	id: string;
 	filename: string;
 };
@@ -52,7 +52,7 @@ export interface MessageCreateSchema {
 	TODO: we should create an interface for attachments
 	TODO: OpenWAAO<-->attachment-style metadata conversion
 	**/
-	attachments?: Attachment[];
+	attachments?: MessageCreateAttachment[];
 	sticker_ids?: string[];
 	// eslint-disable-next-line @typescript-eslint/no-explicit-any
 	components?: any[];

src/util/schemas/WebhookCreateSchema.ts

@@ -16,7 +16,6 @@
 	along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 
-// TODO: webhooks
 export interface WebhookCreateSchema {
 	/**
 	 * @maxLength 80

src/util/schemas/WebhookExecuteSchema.ts

@@ -0,0 +1,46 @@
+/*
+	Spacebar: A FOSS re-implementation and extension of the Discord.com backend.
+	Copyright (C) 2023 Spacebar and Spacebar Contributors
+	
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published
+	by the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+	
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+	
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
+import { Embed } from "../entities";
+import { MessageCreateAttachment } from "./MessageCreateSchema";
+
+export interface WebhookExecuteSchema {
+	content?: string;
+	username?: string;
+	avatar_url?: string;
+	tts?: boolean;
+	embeds?: Embed[];
+	allowed_mentions?: {
+		parse?: string[];
+		roles?: string[];
+		users?: string[];
+		replied_user?: boolean;
+	};
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
+	components?: any[];
+	file?: { filename: string };
+	payload_json?: string;
+	/**
+	TODO: we should create an interface for attachments
+	TODO: OpenWAAO<-->attachment-style metadata conversion
+	**/
+	attachments?: MessageCreateAttachment[];
+	flags?: number;
+	thread_name?: string;
+	applied_tags?: string[];
+}

src/util/schemas/index.ts

@@ -79,5 +79,6 @@ export * from "./VoiceStateUpdateSchema";
 export * from "./VoiceVideoSchema";
 export * from "./WebAuthnSchema";
 export * from "./WebhookCreateSchema";
+export * from "./WebhookExecuteSchema";
 export * from "./WidgetModifySchema";
 export * from "./responses";

src/util/util/Constants.ts

@@ -576,7 +576,7 @@ export const DiscordApiErrors = {
 	UNKNOWN_TOKEN: new ApiError("Unknown token", 10012),
 	UNKNOWN_USER: new ApiError("Unknown user", 10013),
 	UNKNOWN_EMOJI: new ApiError("Unknown emoji", 10014),
-	UNKNOWN_WEBHOOK: new ApiError("Unknown webhook", 10015),
+	UNKNOWN_WEBHOOK: new ApiError("Unknown webhook", 10015, 404),
 	UNKNOWN_WEBHOOK_SERVICE: new ApiError("Unknown webhook service", 10016),
 	UNKNOWN_CONNECTION: new ApiError("Unknown connection", 10017, 400),
 	UNKNOWN_SESSION: new ApiError("Unknown session", 10020),