From 3340cf7f2b1f12aeac82795fd1c85896f10bc5d7 Mon Sep 17 00:00:00 2001
From: NGUYEN DINH Quoc-Huy <quochuy@gmail.com>
Date: Mon, 28 Mar 2022 09:47:50 +1100
Subject: [PATCH] Update uploadCsHandler to use the original imageHash as
 storage key allow detection of images already stored

---
 src/upload.ts | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/upload.ts b/src/upload.ts
index 7fd0904..c48e73c 100644
--- a/src/upload.ts
+++ b/src/upload.ts
@@ -231,22 +231,29 @@ export async function uploadCsHandler(ctx: KoaContext) {
         .update(fileData)
         .digest()
 
-        // extra check if client manges to lie about the content-length
+    // extra check if client manages to lie about the content-length
     APIError.assert((file.stream as any).truncated !== true,
         APIError.Code.PayloadTooLarge)
 
-    const imageHash = createHash('sha256')
+    // Expecting the signature to be based on the integrity checksum of the image
+    const expectedSignature = createHash('sha256')
         .update('ImageSigningChallenge')
         .update(fileHash)
         .digest()
 
+    // Used to generate the image storage key
+    const imageHash = createHash('sha256')
+        .update('ImageSigningChallenge')
+        .update(fileData)
+        .digest()
+
     const [account] = await rpcClient.database.getAccounts([ctx.params['username']])
     APIError.assert(account, APIError.Code.NoSuchAccount)
 
     let validSignature = false
     let publicKey
     try {
-        publicKey = signature.recover(imageHash).toString()
+        publicKey = signature.recover(expectedSignature).toString()
     } catch (cause) {
         throw new APIError({code: APIError.Code.InvalidSignature, cause})
     }
-- 
GitLab