wekan/models/exportPDF.js

import { ReactiveCache } from '/imports/reactiveCache';
import { TAPi18n } from '/imports/i18n';
import { runOnServer } from './runOnServer';

runOnServer(function() {
  // the ExporterCardPDF class is only available on server and in order to import
  // it here we use runOnServer to have it inside a function instead of an
  // if (Meteor.isServer) block
  import { ExporterCardPDF } from './server/ExporterCardPDF';
  import { Picker } from 'meteor/communitypackages:picker';

  // todo XXX once we have a real API in place, move that route there
  // todo XXX also  share the route definition between the client and the server
  // so that we could use something like
  // `ApiRoutes.path('boards/exportExcel', boardId)``
  // on the client instead of copy/pasting the route path manually between the
  // client and the server.
  /**
   * @operation exportExcel
   * @tag Boards
   *
   * @summary This route is used to export the board Excel.
   *
   * @description If user is already logged-in, pass loginToken as param
   * "authToken": '/api/boards/:boardId/exportExcel?authToken=:token'
   *
   * See https://blog.kayla.com.au/server-side-route-authentication-in-meteor/
   * for detailed explanations
   *
   * @param {string} boardId the ID of the board we are exporting
   * @param {string} authToken the loginToken
   */
  Picker.route('/api/boards/:boardId/lists/:listId/cards/:cardId/exportPDF', async function (params, req, res) {
    const boardId = params.boardId;
    const paramListId = req.params.listId;
    const paramCardId = req.params.cardId;
    let user = null;
    let impersonateDone = false;
    let adminId = null;

    // First check if board exists and is public to avoid unnecessary authentication
    const board = await ReactiveCache.getBoard(boardId);
    if (!board) {
      res.end('Board not found');
      return;
    }

    // If board is public, skip expensive authentication operations
    if (board.isPublic()) {
      // Public boards don't require authentication - skip hash operations
      const exporterCardPDF = new ExporterCardPDF(boardId);
      exporterCardPDF.build(res);
      return;
    }

    // Only perform expensive authentication for private boards
    const loginToken = params.query.authToken;
    if (loginToken) {
      // Validate token length to prevent resource abuse
      if (loginToken.length > 10000) {
        if (process.env.DEBUG === 'true') {
          console.warn('Suspiciously long auth token received, rejecting to prevent resource abuse');
        }
        res.end('Invalid token');
        return;
      }

      const hashToken = Accounts._hashLoginToken(loginToken);
      user = await ReactiveCache.getUser({
        'services.resume.loginTokens.hashedToken': hashToken,
      });
      adminId = user._id.toString();
      impersonateDone = await ReactiveCache.getImpersonatedUser({ adminId: adminId });
    } else if (!Meteor.settings.public.sandstorm) {
      Authentication.checkUserId(req.userId);
      user = await ReactiveCache.getUser({
        _id: req.userId,
        isAdmin: true,
      });
    }

    const exporterCardPDF = new ExporterCardPDF(boardId);
    if (exporterCardPDF.canExport(user) || impersonateDone) {
      if (impersonateDone) {
        ImpersonatedUsers.insert({
          adminId: adminId,
          boardId: boardId,
          reason: 'exportCardPDF',
        });
      }

      exporterCardPDF.build(res);
    } else {
      res.end(TAPi18n.__('user-can-not-export-card-to-pdf'));
    }
  });
});
Move every Users.findOne(idOrFirstObjectSelector, options) to the ReactiveCache 3 years ago			`import { ReactiveCache } from '/imports/reactiveCache';`
Switch tap:i18n to custom TAPi18n implementation 5 years ago			`import { TAPi18n } from '/imports/i18n';`
remove unused exceljs from client bundle 5 years ago			`import { runOnServer } from './runOnServer';`

			`runOnServer(function() {`
			`// the ExporterCardPDF class is only available on server and in order to import`
			`// it here we use runOnServer to have it inside a function instead of an`
			`// if (Meteor.isServer) block`
			`import { ExporterCardPDF } from './server/ExporterCardPDF';`
Replace Picker for community packages version & small 5 years ago			`import { Picker } from 'meteor/communitypackages:picker';`
remove unused exceljs from client bundle 5 years ago
Export Card to PDF. In Progress. Thanks to xet7 ! 5 years ago			`// todo XXX once we have a real API in place, move that route there`
			`// todo XXX also share the route definition between the client and the server`
			`// so that we could use something like`
			// `ApiRoutes.path('boards/exportExcel', boardId)``
			`// on the client instead of copy/pasting the route path manually between the`
			`// client and the server.`
			`/**`
			`* @operation exportExcel`
			`* @tag Boards`
			`*`
			`* @summary This route is used to export the board Excel.`
			`*`
			`* @description If user is already logged-in, pass loginToken as param`
			`* "authToken": '/api/boards/:boardId/exportExcel?authToken=:token'`
			`*`
			`* See https://blog.kayla.com.au/server-side-route-authentication-in-meteor/`
			`* for detailed explanations`
			`*`
			`* @param {string} boardId the ID of the board we are exporting`
			`* @param {string} authToken the loginToken`
			`*/`
Update ReactiveCache call sites to use async/await for Meteor 3.0 Part 3 of ReactiveCache async migration: - Add await before all ReactiveCache.getX() calls - Make functions containing ReactiveCache calls async - Convert forEach/map/filter loops with async callbacks to for...of - Update model helpers, Meteor methods, JsonRoutes handlers - Update collection hooks (.before/.after insert/update/remove) - Update .allow() callbacks to async Files updated across models/ and server/ directories: - Model files: cards, boards, lists, swimlanes, activities, users, checklists, checklistItems, customFields, attachments, integrations, cardComments, settings files, creators, exporters, and more - Server files: publications, methods, notifications, routes, migrations 4 months ago			`Picker.route('/api/boards/:boardId/lists/:listId/cards/:cardId/exportPDF', async function (params, req, res) {`
Export Card to PDF. In Progress. Thanks to xet7 ! 5 years ago			`const boardId = params.boardId;`
			`const paramListId = req.params.listId;`
			`const paramCardId = req.params.cardId;`
			`let user = null;`
			`let impersonateDone = false;`
			`let adminId = null;`
Security Fix: Computational Resource Abuse in Export endpoints. Thanks to Anynymous Security Researcher and xet7 ! 8 months ago
			`// First check if board exists and is public to avoid unnecessary authentication`
Update ReactiveCache call sites to use async/await for Meteor 3.0 Part 3 of ReactiveCache async migration: - Add await before all ReactiveCache.getX() calls - Make functions containing ReactiveCache calls async - Convert forEach/map/filter loops with async callbacks to for...of - Update model helpers, Meteor methods, JsonRoutes handlers - Update collection hooks (.before/.after insert/update/remove) - Update .allow() callbacks to async Files updated across models/ and server/ directories: - Model files: cards, boards, lists, swimlanes, activities, users, checklists, checklistItems, customFields, attachments, integrations, cardComments, settings files, creators, exporters, and more - Server files: publications, methods, notifications, routes, migrations 4 months ago			`const board = await ReactiveCache.getBoard(boardId);`
Security Fix: Computational Resource Abuse in Export endpoints. Thanks to Anynymous Security Researcher and xet7 ! 8 months ago			`if (!board) {`
			`res.end('Board not found');`
			`return;`
			`}`

			`// If board is public, skip expensive authentication operations`
			`if (board.isPublic()) {`
			`// Public boards don't require authentication - skip hash operations`
			`const exporterCardPDF = new ExporterCardPDF(boardId);`
			`exporterCardPDF.build(res);`
			`return;`
			`}`

			`// Only perform expensive authentication for private boards`
Export Card to PDF. In Progress. Thanks to xet7 ! 5 years ago			`const loginToken = params.query.authToken;`
			`if (loginToken) {`
Security Fix: Computational Resource Abuse in Export endpoints. Thanks to Anynymous Security Researcher and xet7 ! 8 months ago			`// Validate token length to prevent resource abuse`
			`if (loginToken.length > 10000) {`
			`if (process.env.DEBUG === 'true') {`
			`console.warn('Suspiciously long auth token received, rejecting to prevent resource abuse');`
			`}`
			`res.end('Invalid token');`
			`return;`
			`}`

Export Card to PDF. In Progress. Thanks to xet7 ! 5 years ago			`const hashToken = Accounts._hashLoginToken(loginToken);`
Update ReactiveCache call sites to use async/await for Meteor 3.0 Part 3 of ReactiveCache async migration: - Add await before all ReactiveCache.getX() calls - Make functions containing ReactiveCache calls async - Convert forEach/map/filter loops with async callbacks to for...of - Update model helpers, Meteor methods, JsonRoutes handlers - Update collection hooks (.before/.after insert/update/remove) - Update .allow() callbacks to async Files updated across models/ and server/ directories: - Model files: cards, boards, lists, swimlanes, activities, users, checklists, checklistItems, customFields, attachments, integrations, cardComments, settings files, creators, exporters, and more - Server files: publications, methods, notifications, routes, migrations 4 months ago			`user = await ReactiveCache.getUser({`
Export Card to PDF. In Progress. Thanks to xet7 ! 5 years ago			`'services.resume.loginTokens.hashedToken': hashToken,`
			`});`
			`adminId = user._id.toString();`
Update ReactiveCache call sites to use async/await for Meteor 3.0 Part 3 of ReactiveCache async migration: - Add await before all ReactiveCache.getX() calls - Make functions containing ReactiveCache calls async - Convert forEach/map/filter loops with async callbacks to for...of - Update model helpers, Meteor methods, JsonRoutes handlers - Update collection hooks (.before/.after insert/update/remove) - Update .allow() callbacks to async Files updated across models/ and server/ directories: - Model files: cards, boards, lists, swimlanes, activities, users, checklists, checklistItems, customFields, attachments, integrations, cardComments, settings files, creators, exporters, and more - Server files: publications, methods, notifications, routes, migrations 4 months ago			`impersonateDone = await ReactiveCache.getImpersonatedUser({ adminId: adminId });`
Export Card to PDF. In Progress. Thanks to xet7 ! 5 years ago			`} else if (!Meteor.settings.public.sandstorm) {`
			`Authentication.checkUserId(req.userId);`
Update ReactiveCache call sites to use async/await for Meteor 3.0 Part 3 of ReactiveCache async migration: - Add await before all ReactiveCache.getX() calls - Make functions containing ReactiveCache calls async - Convert forEach/map/filter loops with async callbacks to for...of - Update model helpers, Meteor methods, JsonRoutes handlers - Update collection hooks (.before/.after insert/update/remove) - Update .allow() callbacks to async Files updated across models/ and server/ directories: - Model files: cards, boards, lists, swimlanes, activities, users, checklists, checklistItems, customFields, attachments, integrations, cardComments, settings files, creators, exporters, and more - Server files: publications, methods, notifications, routes, migrations 4 months ago			`user = await ReactiveCache.getUser({`
Export Card to PDF. In Progress. Thanks to xet7 ! 5 years ago			`_id: req.userId,`
			`isAdmin: true,`
			`});`
			`}`
remove unused exceljs from client bundle 5 years ago
			`const exporterCardPDF = new ExporterCardPDF(boardId);`
Export Card to PDF. In Progress. Thanks to xet7 ! 5 years ago			`if (exporterCardPDF.canExport(user) \|\| impersonateDone) {`
			`if (impersonateDone) {`
			`ImpersonatedUsers.insert({`
			`adminId: adminId,`
			`boardId: boardId,`
			`reason: 'exportCardPDF',`
			`});`
			`}`

			`exporterCardPDF.build(res);`
			`} else {`
			`res.end(TAPi18n.__('user-can-not-export-card-to-pdf'));`
			`}`
			`});`
remove unused exceljs from client bundle 5 years ago			`});`