From 1ce24f7e08ae1ae533536f3a37707fdfbe7d9333 Mon Sep 17 00:00:00 2001
From: Abhinav Adduri
Date: Fri, 7 Jul 2017 14:47:56 -0700
Subject: [PATCH] id is now independent on iv
---
 frontend/src/fileReceiver.js | 7 +++----
 server/portal_server.js | 10 +++++++---
 server/storage.js | 21 ++++++++++++---------
 test/aws.storage.test.js | 3 ++-
 4 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/frontend/src/fileReceiver.js b/frontend/src/fileReceiver.js
index db3f1515..274b0328 100644
--- a/frontend/src/fileReceiver.js
+++ b/frontend/src/fileReceiver.js
@@ -36,7 +36,8 @@ class FileReceiver extends EventEmitter {
 resolve({ data: this.result, aad: meta.aad,
- filename: meta.filename
+ filename: meta.filename,
+ iv: meta.iv
 }); };
@@ -62,13 +63,11 @@ class FileReceiver extends EventEmitter {
 ['encrypt', 'decrypt'] ) ]).then(([fdata, key]) => {
- const salt = this.salt;
-
 return Promise.all([ window.crypto.subtle.decrypt( { name: 'AES-GCM',
- iv: salt,
+ iv: hexToArray(fdata.iv),
 additionalData: hexToArray(fdata.aad) }, key,
diff --git a/server/portal_server.js b/server/portal_server.js
index 8439675f..50d4c732 100644
--- a/server/portal_server.js
+++ b/server/portal_server.js
@@ -137,7 +137,7 @@ app.post('/delete/:id', (req, res) => {
 }); app.post('/upload/:id', (req, res, next) => {
- if (!validateID(req.params.id)) {
+ if (!validateIV(req.params.id)) {
 res.sendStatus(404); return; }
@@ -148,9 +148,9 @@ app.post('/upload/:id', (req, res, next) => {
 req.busboy.on('file', (fieldname, file, filename) => { log.info('Uploading:', req.params.id);
- storage.set(req.params.id, file, filename, meta).then(delete_token => {
+ storage.set(req.params.id, file, filename, meta).then(([delete_token, new_id]) => {
 const protocol = conf.env === 'production' ? 'https' : req.protocol;
- const url = `${protocol}://${req.get('host')}/download/${req.params.id}/`;
+ const url = `${protocol}://${req.get('host')}/download/${new_id}/`;
 res.json({ url, delete: delete_token
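Review bot: `fdata.iv` is passed straight to `hexToArray` in the decrypt parameters (hunk at -62) with no check that the metadata actually carried one, so a download whose metadata lacks `iv` or has a malformed value fails with an opaque decrypt error, or inside `hexToArray`, whose behaviour on `undefined` is not visible here. AES-GCM authentication still rejects a wrong IV, so this is a diagnosability issue rather than an integrity one. A guard before the `Promise.all`, e.g. `if (!/^[0-9a-fA-F]{24}$/.test(fdata.iv)) throw new Error('missing or malformed iv');`, keeps the failure explicit and matches the 24-hex-digit check the server applies in `validateIV`. The enclosing `.then` callback continues outside the hunk.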
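Review bot: The route is still `/upload/:id` and the value is still read as `req.params.id` (hunk at -137), but after this change it holds the client-chosen IV, not the identifier the file is stored or downloaded under. A comment above the check such as `// :id is the client's 96-bit AES-GCM IV (24 hex chars); storage.set() assigns the download id` would stop a later reader from treating it as the file id. The same value is what `log.info('Uploading:', req.params.id)` records in the next hunk, so upload log lines no longer match the id used for download and delete; logging `new_id` once `storage.set` resolves would keep them correlatable.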
@@ -176,5 +176,9 @@ app.listen(conf.listen_port, () => {
 }); const validateID = route_id => {
+ return route_id.match(/^[0-9a-fA-F]{10}$/) !== null;
+};
+
+const validateIV = route_id => {
 return route_id.match(/^[0-9a-fA-F]{24}$/) !== null; };
diff --git a/server/storage.js b/server/storage.js
index 2d37e163..ffa0a187 100644
--- a/server/storage.js
+++ b/server/storage.js
@@ -118,18 +118,20 @@ function localGet(id) {
 function localSet(id, file, filename, meta) { return new Promise((resolve, reject) => {
- const fstream = fs.createWriteStream(path.join(__dirname, '../static', id));
+ const new_id = crypto.randomBytes(5).toString('hex');
+ const fstream = fs.createWriteStream(path.join(__dirname, '../static', new_id));
 file.pipe(fstream); fstream.on('close', () => { meta.delete = crypto.randomBytes(10).toString('hex');
- redis_client.hmset(id, meta);
+ meta.id = id;
+ redis_client.hmset(new_id, meta);
 redis_client.expire(id, 86400000);
- log.info('localSet:', 'Upload Finished of ' + id);
- resolve(meta.delete);
+ log.info('localSet:', 'Upload Finished of ' + new_id);
+ resolve([meta.delete, new_id]);
 }); fstream.on('error', () => {
- log.error('localSet:', 'Failed upload of ' + id);
+ log.error('localSet:', 'Failed upload of ' + new_id);
 reject(); }); });
@@ -194,9 +196,10 @@ function awsGet(id) {
 } function awsSet(id, file, filename, meta) {
+ const new_id = crypto.randomBytes(5).toString('hex');
 const params = { Bucket: conf.s3_bucket,
- Key: id,
+ Key: new_id,
 Body: file };
@@ -207,12 +210,12 @@ function awsSet(id, file, filename, meta) {
 reject(); } else { meta.delete = crypto.randomBytes(10).toString('hex');
-
- redis_client.hmset(id, meta);
+ meta.id = id;
+ redis_client.hmset(new_id, meta);
 redis_client.expire(id, 86400000); log.info('awsUploadFinish', 'Upload Finished of ' + filename);
- resolve(meta.delete);
+ resolve([meta.delete, new_id]);
 } }); });
diff --git a/test/aws.storage.test.js b/test/aws.storage.test.js
index 61fe5657..dc19d5fc 100644
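Review bot: `validateID` now accepts 10 hex digits, which together with `crypto.randomBytes(5)` in server/storage.js leaves the download identifier with 40 bits of randomness, down from the 24 hex digits accepted before. Whatever the download route returns for a valid id (that route is outside this diff) is then reachable through a value that becomes guessable once many files are stored. Consider a longer id, `crypto.randomBytes(16).toString('hex')` in storage with `/^[0-9a-fA-F]{32}$/` here, and derive both lengths from one shared constant so the generator and the validator cannot drift apart.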
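Review bot: In `localSet` the metadata hash is now written under `new_id`, but the following context line still calls `redis_client.expire(id, 86400000)` with the IV, so the TTL is set on a key that was never created and the stored record (including the delete token and IV) never expires. It should be `redis_client.expire(new_id, 86400000);`; the same line has the same problem in the `awsSet` hunk at -207, and the assertion `expire.calledWith('123', 86400000)` in test/aws.storage.test.js currently pins the wrong key. Separately, Redis `EXPIRE` takes seconds, so 86400000 looks like a millisecond value and would be about 1000 days; worth confirming while touching this line.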
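Review bot: In `awsSet` (hunk at -194) `new_id` is used as the S3 `Key` without checking whether that id is already taken, and with only 5 random bytes a repeat becomes likely at roughly a million stored files. A collision would silently replace another upload's object and its Redis hash. Either check for an existing key before writing (for example `redis_client.exists(new_id, ...)` and regenerate on a hit) or generate a longer id; `localSet` has the same pattern with the file path under `../static`.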
--- a/test/aws.storage.test.js
+++ b/test/aws.storage.test.js
@@ -113,8 +113,9 @@ describe('Testing Set using aws', function() {
 s3Stub.upload.callsArgWith(1, null, {}); return storage .set('123', {}, 'Filename.moz', {})
- .then(deleteKey => {
+ .then(([deleteKey, id]) => {
 assert.equal(deleteKey, buf.toString('hex'));
+ assert.notEqual(id, null);
 assert.notEqual(deleteKey, null); assert(expire.calledOnce); assert(expire.calledWith('123', 86400000));
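Review bot: `assert.notEqual(id, null)` passes for any non-null value, including the `'123'` that was passed in, so it does not show that the returned id is independent of the IV, which is the stated purpose of the commit. Adding `assert.notEqual(id, '123');` next to it would cover that. The test body continues outside the hunk, so the stub setup that determines what `randomBytes` returns is not visible here.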