kawa/CubeAdmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial push

Browse Source
This commit is contained in:
Sébastien QUEROL
2026-03-08 15:49:34 +01:00
parent 8da12bb7d1
commit 47127f276d
101 changed files with 13844 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
app/api/files/delete/route.ts Normal file
View File

@@ -0,0 +1,47 @@
import { NextRequest, NextResponse } from "next/server";
import { auth } from "@/lib/auth";
import { sanitizeFilePath } from "@/lib/security/sanitize";
import { db } from "@/lib/db";
import { auditLogs } from "@/lib/db/schema";
import { nanoid } from "nanoid";
import { getClientIp } from "@/lib/security/rateLimit";
import * as fs from "node:fs";
import * as path from "node:path";
export async function DELETE(req: NextRequest) {
const session = await auth.api.getSession({ headers: req.headers });
if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
if (!["superadmin", "admin"].includes(session.user.role ?? "")) {
return NextResponse.json({ error: "Forbidden" }, { status: 403 });
}
const mcBase = path.resolve(process.env.MC_SERVER_PATH ?? "/opt/minecraft/server");
const { filePath } = await req.json();
let resolvedPath: string;
try {
resolvedPath = sanitizeFilePath(filePath, mcBase);
} catch {
return NextResponse.json({ error: "Invalid path" }, { status: 400 });
}
if (!fs.existsSync(resolvedPath)) {
return NextResponse.json({ error: "File not found" }, { status: 404 });
}
const stat = fs.statSync(resolvedPath);
if (stat.isDirectory()) {
fs.rmSync(resolvedPath, { recursive: true });
} else {
fs.unlinkSync(resolvedPath);
}
const ip = getClientIp(req);
await db.insert(auditLogs).values({
id: nanoid(), userId: session.user.id,
action: "file.delete", target: "file", targetId: path.relative(mcBase, resolvedPath),
details: null, ipAddress: ip, createdAt: Date.now(),
});
return NextResponse.json({ success: true });
}

37
app/api/files/download/route.ts Normal file
View File

@@ -0,0 +1,37 @@
import { NextRequest, NextResponse } from "next/server";
import { auth } from "@/lib/auth";
import { sanitizeFilePath } from "@/lib/security/sanitize";
import * as fs from "node:fs";
import * as path from "node:path";
export async function GET(req: NextRequest) {
const session = await auth.api.getSession({ headers: req.headers });
if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
const mcBase = path.resolve(process.env.MC_SERVER_PATH ?? "/opt/minecraft/server");
const filePath = req.nextUrl.searchParams.get("path") ?? "";
let resolvedPath: string;
try {
resolvedPath = sanitizeFilePath(filePath, mcBase);
} catch {
return NextResponse.json({ error: "Invalid path" }, { status: 400 });
}
if (!fs.existsSync(resolvedPath) || fs.statSync(resolvedPath).isDirectory()) {
return NextResponse.json({ error: "File not found" }, { status: 404 });
}
const fileName = path.basename(resolvedPath);
const fileBuffer = fs.readFileSync(resolvedPath);
return new NextResponse(fileBuffer, {
headers: {
"Content-Disposition": `attachment; filename="${encodeURIComponent(fileName)}"`,
"Content-Type": "application/octet-stream",
"Content-Length": String(fileBuffer.length),
// Prevent XSS via content sniffing
"X-Content-Type-Options": "nosniff",
},
});
}

60
app/api/files/list/route.ts Normal file
View File

@@ -0,0 +1,60 @@
import { NextRequest, NextResponse } from "next/server";
import { auth } from "@/lib/auth";
import { checkRateLimit, getClientIp } from "@/lib/security/rateLimit";
import { sanitizeFilePath } from "@/lib/security/sanitize";
import * as fs from "node:fs";
import * as path from "node:path";
export async function GET(req: NextRequest) {
const session = await auth.api.getSession({ headers: req.headers });
if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
const ip = getClientIp(req);
const { allowed } = checkRateLimit(ip);
if (!allowed) return NextResponse.json({ error: "Too many requests" }, { status: 429 });
const mcBase = path.resolve(process.env.MC_SERVER_PATH ?? "/opt/minecraft/server");
const relativePath = new URL(req.url).searchParams.get("path") ?? "/";
let resolvedPath: string;
try {
resolvedPath = sanitizeFilePath(relativePath, mcBase);
} catch {
return NextResponse.json({ error: "Invalid path" }, { status: 400 });
}
try {
const entries = fs.readdirSync(resolvedPath, { withFileTypes: true });
const files = entries.map((entry) => {
const fullPath = path.join(resolvedPath, entry.name);
let size = 0;
let modifiedAt = 0;
try {
const stat = fs.statSync(fullPath);
size = stat.size;
modifiedAt = stat.mtimeMs;
} catch {}
return {
name: entry.name,
path: path.relative(mcBase, fullPath),
isDirectory: entry.isDirectory(),
size,
modifiedAt,
};
});
// Sort: directories first, then files, alphabetically
files.sort((a, b) => {
if (a.isDirectory !== b.isDirectory) return a.isDirectory ? -1 : 1;
return a.name.localeCompare(b.name);
});
return NextResponse.json({
path: path.relative(mcBase, resolvedPath) || "/",
entries: files,
});
} catch (err) {
return NextResponse.json({ error: "Cannot read directory" }, { status: 500 });
}
}

71
app/api/files/upload/route.ts Normal file
View File

@@ -0,0 +1,71 @@
import { NextRequest, NextResponse } from "next/server";
import { auth } from "@/lib/auth";
import { checkRateLimit, getClientIp } from "@/lib/security/rateLimit";
import { sanitizeFilePath } from "@/lib/security/sanitize";
import { db } from "@/lib/db";
import { auditLogs } from "@/lib/db/schema";
import { nanoid } from "nanoid";
import * as fs from "node:fs";
import * as path from "node:path";
const MAX_FILE_SIZE = 500 * 1024 * 1024; // 500 MB
const BLOCKED_EXTENSIONS = new Set([".exe", ".bat", ".cmd", ".sh", ".ps1"]);
export async function POST(req: NextRequest) {
const session = await auth.api.getSession({ headers: req.headers });
if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
if (!["superadmin", "admin"].includes(session.user.role ?? "")) {
return NextResponse.json({ error: "Forbidden" }, { status: 403 });
}
const ip = getClientIp(req);
const { allowed } = checkRateLimit(ip, 20);
if (!allowed) return NextResponse.json({ error: "Too many requests" }, { status: 429 });
const mcBase = path.resolve(process.env.MC_SERVER_PATH ?? "/opt/minecraft/server");
const targetDir = req.nextUrl.searchParams.get("path") ?? "/";
let resolvedDir: string;
try {
resolvedDir = sanitizeFilePath(targetDir, mcBase);
} catch {
return NextResponse.json({ error: "Invalid path" }, { status: 400 });
}
const formData = await req.formData();
const file = formData.get("file") as File | null;
if (!file) return NextResponse.json({ error: "No file provided" }, { status: 400 });
// Check file size
if (file.size > MAX_FILE_SIZE) {
return NextResponse.json({ error: "File too large (max 500 MB)" }, { status: 413 });
}
// Check extension
const ext = path.extname(file.name).toLowerCase();
if (BLOCKED_EXTENSIONS.has(ext)) {
return NextResponse.json({ error: "File type not allowed" }, { status: 400 });
}
// Sanitize filename: allow alphanumeric, dots, dashes, underscores, spaces
const safeName = file.name.replace(/[^a-zA-Z0-9._\- ]/g, "_");
const destPath = path.join(resolvedDir, safeName);
// Ensure destination is still within base
if (!destPath.startsWith(mcBase)) {
return NextResponse.json({ error: "Invalid destination" }, { status: 400 });
}
const buffer = Buffer.from(await file.arrayBuffer());
fs.mkdirSync(resolvedDir, { recursive: true });
fs.writeFileSync(destPath, buffer);
await db.insert(auditLogs).values({
id: nanoid(), userId: session.user.id,
action: "file.upload", target: "file", targetId: path.relative(mcBase, destPath),
details: JSON.stringify({ size: file.size, name: safeName }), ipAddress: ip, createdAt: Date.now(),
});
return NextResponse.json({ success: true, path: path.relative(mcBase, destPath) });
}