From a041e6a21f3f789257ecb8fe45334bc09cf7985f Mon Sep 17 00:00:00 2001
From: TestingPlant <>
Date: Wed, 12 Jul 2023 01:55:30 +0000
Subject: [PATCH] fix!: remove /api/post

The code handling /api/post is similar to the code handling /post, but
/api/post has some bugs such as allowing banned users to upload files.
Making /post the only API able to upload files would reduce duplicated
code which reduces the chance of bugs.

Although this removes /api/post, it shouldn't cause any issues since
/api/post isn't currently usable because it requires a multipart
request, but the code uses get_json which only works when the
mimetype is application/json.
---
 main                   | 54 +-----------------------------------------
 templates/apidocs.html |  4 ++--
 2 files changed, 3 insertions(+), 55 deletions(-)

diff --git a/main b/main
index 64a1f11..42c3be4 100644
--- a/main
+++ b/main
@@ -394,58 +394,6 @@ def apilogin():
             "error": "https://http.cat/images/400.jpg"
         }, 400
 
-@app.route("/api/post", methods=("GET", "POST"))
-def apipost():
-    usersession = request.cookies.get("session_DO_NOT_SHARE")
-    if usersession:
-        if request.method == "POST":
-
-            data = request.get_json()
-            title = data["id"]
-
-            if title == "":
-                return {
-                    "error": "no title"
-                }, 403
-
-            if "file" not in request.files:
-                return {
-                    "error": "no file"
-                }, 403
-
-            file = request.files["file"]
-            if file.filename == "":
-                return {
-                    "error": "no file"
-                }, 403
-
-            if not allowed_file(file.filename):
-                return {
-                    "error": "invalid file format"
-                }, 403
-            
-            filename = secure_filename(file.filename)
-            finalfilename = secrets.token_hex(64) + filename
-
-            file.save(os.path.join(UPLOAD_FOLDER, finalfilename))
-            imgurl = "/cdn/" + finalfilename
-
-            userCookie = get_session(usersession)
-            user = get_user(userCookie["id"])
-
-            if not user["banned"] == "0":
-                return {
-                    "error": "banned"
-                }, 403
-
-            conn = get_db_connection()
-            conn.execute("INSERT INTO posts (textstr, imageurl, creator, created) VALUES (?, ?, ?, ?)",
-                         (title, imgurl, userCookie["id"], str(time.time())))
-            conn.commit()
-            conn.close()
-
-            return "success", 200
-
 @app.route("/apidocs", methods=("GET", "POST"))
 def apidocs():
     usersession = request.cookies.get("session_DO_NOT_SHARE")
@@ -750,4 +698,4 @@ if __name__ == "__main__":
         sock.bind(('', int(PORT)))
         serve(app, sockets=[sock])
 
-    print("[INFO] Server stopped")
\ No newline at end of file
+    print("[INFO] Server stopped")
diff --git a/templates/apidocs.html b/templates/apidocs.html
index 28c7118..5cb8f28 100644
--- a/templates/apidocs.html
+++ b/templates/apidocs.html
@@ -35,7 +35,7 @@
     for API things that require authentication, you will need to set the <code>session_DO_NOT_SHARE</code> cookie. the key might expire after 180 days.<br><br>
     
     GET <code>/api/frontpage</code> - returns frontpage<br><br>
-    POST <code>/api/post</code> - post ctas - authentication required<br>
+    POST <code>/post</code> - post ctas - authentication required<br>
     <code>title</code>, being the title of the post and <code>file</code>, being an image file.<br>
     Supported file extensions: "png", "apng", "jpg", "jpeg", "gif", "svg", "webp"<br><br>
     POST <code>/api/comment</code> - comment on posts - authentication required<br>
@@ -50,4 +50,4 @@
     </div>
 </body>
 
-</html>
\ No newline at end of file
+</html>