DIG-Network · MichaelTaylor3D · Sep 17, 2024 · Sep 17, 2024 · Sep 17, 2024 · Sep 17, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [0.0.1-alpha.9](https://github.com/DIG-Network/dig-propagation-server/compare/v0.0.1-alpha.8...v0.0.1-alpha.9) (2024-09-17)
+
+
+### Features
+
+* allow write access to writers without authorization ([36752be](https://github.com/DIG-Network/dig-propagation-server/commit/36752be952aa522a96b8efdc7ed2dad8e2ec45cf))
+
+### [0.0.1-alpha.8](https://github.com/DIG-Network/dig-propagation-server/compare/v0.0.1-alpha.7...v0.0.1-alpha.8) (2024-09-17)
+
+
+### Features
+
+* allow write access to writers without authorization ([15b298c](https://github.com/DIG-Network/dig-propagation-server/commit/15b298c68bb2f1894ea58f2a3e214fbe661d8ca5))
+
 ### [0.0.1-alpha.7](https://github.com/DIG-Network/dig-propagation-server/compare/v0.0.1-alpha.6...v0.0.1-alpha.7) (2024-09-16)
 
 ### [0.0.1-alpha.6](https://github.com/DIG-Network/dig-propagation-server/compare/v0.0.1-alpha.5...v0.0.1-alpha.6) (2024-09-10)

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "dig-propagation-server",
-  "version": "0.0.1-alpha.7",
+  "version": "0.0.1-alpha.9",
   "description": "",
   "type": "commonjs",
   "main": "./dist/index.js",

diff --git a/src/controllers/merkleTreeController.ts b/src/controllers/merkleTreeController.ts
@@ -6,7 +6,7 @@ import { HttpError } from "../utils/HttpError";
 import { generateNonce } from "../utils/nonce";
 
 // @ts-ignore
-import { DataStore, Wallet } from "@dignetwork/dig-sdk";
+import { DataStore, Wallet, getStoresList } from "@dignetwork/dig-sdk";
 import { pipeline } from "stream";
 import { promisify } from "util";
 import { getStorageLocation } from "../utils/storage";
@@ -15,7 +15,10 @@ const streamPipeline = promisify(pipeline);
 
 const digFolderPath = getStorageLocation();
 
-export const storeStatus = async (req: Request, res: Response): Promise<void> => {
+export const storeStatus = async (
+  req: Request,
+  res: Response
+): Promise<void> => {
   try {
     const { storeId } = req.params;
 
@@ -35,25 +38,25 @@ export const storeStatus = async (req: Request, res: Response): Promise<void> =>
 
     res.status(statusCode).json({ error: errorMessage });
   }
-}
+};
 
 // Controller to handle HEAD requests for /stores/:storeId
 export const headStore = async (req: Request, res: Response): Promise<void> => {
   try {
-    const authHeader = req.headers.authorization || "";
-    const [providedUsername, providedPassword] = Buffer.from(
-      authHeader.split(" ")[1],
-      "base64"
-    )
-      .toString("utf-8")
-      .split(":");
+    //  const authHeader = req.headers.authorization || "";
+    //  const [providedUsername, providedPassword] = Buffer.from(
+    //     authHeader.split(" ")[1],
+    //    "base64"
+    //  )
+    //     .toString("utf-8")
+    //    .split(":");
 
     const { username, password } = await getCredentials();
 
-    console.log("Provided credentials:", providedUsername, providedPassword);
-    if (providedUsername !== username || providedPassword !== password) {
-      throw new HttpError(401, "Unauthorized");
-    }
+    // console.log("Provided credentials:", providedUsername, providedPassword);
+    // if (providedUsername !== username || providedPassword !== password) {
+    //   throw new HttpError(401, "Unauthorized");
+    // }
 
     const userNonce = await generateNonce(username);
 
@@ -63,7 +66,12 @@ export const headStore = async (req: Request, res: Response): Promise<void> => {
       throw new HttpError(400, "Missing path parameters");
     }
 
-    const manifestPath = path.join(digFolderPath, "stores", storeId, "manifest.dat");
+    const manifestPath = path.join(
+      digFolderPath,
+      "stores",
+      storeId,
+      "manifest.dat"
+    );
 
     if (!fs.existsSync(manifestPath)) {
       res
@@ -125,7 +133,12 @@ export const getStore = async (req: Request, res: Response) => {
     }
 
     // Construct the full file path
-    const fullPath = path.join(digFolderPath, "stores", storeId, relativeFilePath);
+    const fullPath = path.join(
+      digFolderPath,
+      "stores",
+      storeId,
+      relativeFilePath
+    );
 
     // Check if the file exists
     if (!fs.existsSync(fullPath)) {
@@ -172,19 +185,29 @@ export const putStore = async (req: Request, res: Response): Promise<void> => {
 
     console.log("Authorization credentials extracted.");
 
-    const { username, password } = await getCredentials();
-
-    if (providedUsername !== username || providedPassword !== password) {
-      console.log("Provided credentials do not match stored credentials.");
-      throw new HttpError(401, "Unauthorized");
-    }
-
     const { storeId } = req.params;
     if (!storeId) {
       console.log("storeId is missing in the path parameters.");
       throw new HttpError(400, "Missing storeId in path parameters.");
     }
 
+    const { username, password } = await getCredentials();
+
+    const storeList = getStoresList();
+
+    // If the store is already tracked by this peer, anyone that has write
+    // access to the store (checked further down) can upload updates without authorization since its
+    // essentially the same as if an upate was pull from another peer.
+    // You only need credentials to track new stores.
+
+    if (
+      !storeList.includes(storeId) &&
+      (providedUsername !== username || providedPassword !== password)
+    ) {
+      console.log("Provided credentials do not match stored credentials.");
+      throw new HttpError(401, "Unauthorized");
+    }
+
     console.log(`storeId received: ${storeId}`);
 
     // These parameters are expected to be in the query or headers, not the body for a file upload
@@ -198,7 +221,9 @@ export const putStore = async (req: Request, res: Response): Promise<void> => {
       throw new HttpError(400, "Missing required headers.");
     }
 
-    console.log(`Received headers: keyOwnershipSig=${keyOwnershipSig}, publicKey=${publicKey}, nonce=${nonce}, filename=${filename}`);
+    console.log(
+      `Received headers: keyOwnershipSig=${keyOwnershipSig}, publicKey=${publicKey}, nonce=${nonce}, filename=${filename}`
+    );
 
     let fileKey = path.join(filename);
 
@@ -219,16 +244,17 @@ export const putStore = async (req: Request, res: Response): Promise<void> => {
     console.log("Key ownership signature verified successfully.");
 
     // Check store ownership
-  //  console.log("Checking store ownership...");
-  //  const isOwner = await hasMetadataWritePermissions(
-  //    Buffer.from(storeId, "hex"),
-  //    Buffer.from(publicKey, "hex")
-  //  );
-
-  //  if (!isOwner) {
-  //    console.log("User does not have write access to this store.");
-  //    throw new HttpError(403, "You do not have write access to this store.");
-  //  }
+    console.log("Checking store ownership...");
+    const dataStore = DataStore.from(storeId);
+
+    const isOwner = await dataStore.hasMetaWritePermissions(
+      Buffer.from(publicKey, "hex")
+    );
+
+    if (!isOwner) {
+      console.log("User does not have write access to this store.");
+      throw new HttpError(403, "You do not have write access to this store.");
+    }
 
     console.log("User has write access to the store.");