meower-media-co / meower-server
Official source code for the backend that powers the Meower social media platform.
License: MIT License
IMO putting everything in one file makes it cramped, why not separate parts of the backend into separate files and call them from the main.py file? It improves readability and doesn't cause any harm to the functionality.
And using JSON for storing data is fine, but in my experience, it has caused significant overhead with large files. A database system should get rid of writing to multiple files manually (especially if you have multiple files open in the program at once), and decrease read/write times. sqlite may be a good idea, it comes as a default Python library.
I know that this will take quite a lot of time to implement, I may be able to help.
Please do consider this, thanks!
When I was trying to get my own Meower Server to work on the Meower Client, I noticed that I could just log in to the normal server (using a development client) without any issues.
That's a problem!
Because I literally had access to the secret moderation panel (though idk if it worked or not), and I had access to everything! Creating posts, changing settings, etc.
That could lead to custom clients being able to connect to the Meower server.
Change the trust key ASAP!!
^
By adding a person to a chat 2 times, you can cause the user to have some weird side effects, those include:
I might be putting a temporary fix in Svelte until it's fixed
^
To repro (in Svelte):
Receiving
Sadly, we could not take action on one of your recent reports. The content you reported was not severe enough to warrant action being taken. We still want to thank you for your help with keeping Meower a safe and welcoming place!
is one thing, but not even knowing what on earth that report was is another thing, and quite annoying too. Same goes for
We took action on one of your recent reports. Thank you for your help with keeping Meower a safe and welcoming place!
What recent report was taken action on???
Instead, Meower should send the messages containing the message and/or user that had their content/account taken action on.
Examples:
Sadly, we could not take action on one of your recent reports. The content you reported was not severe enough to warrant action being taken. We still want to thank you for your help with keeping Meower a safe and welcoming place!
Content reported: Welcome to Meower! We welcome you with open arms! You can get started by making friends in the global chat or home, or by searching for people and adding them to a group chat. We hope you have fun! (Inbox Message)
Sadly, we could not take action on one of your recent reports. The content you reported was not severe enough to warrant action being taken. We still want to thank you for your help with keeping Meower a safe and welcoming place!
User reported: @joshtheverynicenormaluser
We took action on one of your recent reports. Thank you for your help with keeping Meower a safe and welcoming place!
Content reported: am evil hacker ban me or will destroy meower (Posted by @definitelynotjoshtheveryevilhacker)
We took action on one of your recent reports. Thank you for your help with keeping Meower a safe and welcoming place!
User reported: @definitelynotjoshtheveryevilhacker
Currently at https://api.meower.org/ there is a placeholder but this page could be used for basic documentation, similar to that in the README but perhaps with more detail and examples. Alternatively the documentation could have its own /docs route. Thoughts?
Re: DM from @tnix100
TL;DR, this is a security vulnerability found in the Set ID command, originally used for unmodified CloudLink server users to specify a username. Since SetID is not used in Meower as it has been replaced with AutoID, its functionality still remains, leading to this vuln...
How are you able to pull off this vulnerability?
By basically logging into Meower with a valid account and waiting to gain the server's trust, then at the right moment setting your ID to be the ID of another account.
What will this security vulnerability let you achieve?
Depending on the timing it will have different outcomes.
What actions did we (as in 'we' I mean William and I) take to protect Meower and its users?
Potential Fix
Not sure if this will patch everything related to this bug, but removing the 'setid' command from the Meower server is a good first step.
Solution: Disabling functionality within CloudLink Server, deeming the following commands...
...Disabled.
would help in these ways:
^
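The takeover path described in the report above, as an added example that is not Meower's or CloudLink's own code: a stripped-down CloudLink-style command dispatcher in which a client logs in, then uses the leftover setid command to rename itself to another account, so its later posts are attributed to that account. The packet shape {"cmd": ..., "val": ...}, the account table, the command names and the status strings are assumptions made for this illustration; the fix shown is the one the report proposes, refusing the command outright so the server's AutoID and the login step remain the only sources of identity.

```python
# Added example, not Meower's or CloudLink's own code. Models a CloudLink-style
# dispatcher to show why a leftover "setid" command lets an authenticated
# client take over another account's identity, and the fix of disabling it.
# Packet shape, account table, command names and status strings are assumed.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ACCOUNTS = {"alice": "alice-pw", "bob": "bob-pw"}  # constructed sample data


@dataclass
class Client:
    conn_id: int
    username: Optional[str] = None  # identity, set only by a successful login


class Server:
    def __init__(self, accounts: dict, disabled_commands=()):
        self.accounts = accounts
        self.disabled = set(disabled_commands)
        self.clients: dict[int, Client] = {}
        self.next_id = 0  # AutoID: the server, not the client, picks connection IDs

    def connect(self) -> Client:
        client = Client(self.next_id)
        self.clients[self.next_id] = client
        self.next_id += 1
        return client

    def handle(self, client: Client, packet: dict) -> dict:
        cmd = packet.get("cmd")
        if cmd in self.disabled:
            return {"cmd": "statuscode", "val": "E:Disabled command"}
        handler = getattr(self, f"cmd_{cmd}", None)
        if handler is None:
            return {"cmd": "statuscode", "val": "E:Unknown command"}
        return handler(client, packet.get("val"))

    def cmd_login(self, client: Client, val: dict) -> dict:
        if self.accounts.get(val["username"]) != val["pswd"]:
            return {"cmd": "statuscode", "val": "E:Invalid password"}
        client.username = val["username"]
        return {"cmd": "statuscode", "val": "I:OK"}

    def cmd_setid(self, client: Client, val: str) -> dict:
        # Vulnerable legacy behaviour: the client chooses its own identity and
        # nothing checks that it has proven ownership of `val`.
        client.username = val
        return {"cmd": "statuscode", "val": "I:OK"}

    def cmd_post_home(self, client: Client, val: str) -> dict:
        if client.username is None:
            return {"cmd": "statuscode", "val": "E:Not logged in"}
        # The post is attributed to whatever client.username currently holds.
        return {"cmd": "post", "val": {"u": client.username, "p": val}}


def run_scenario(disable_setid: bool) -> str:
    """Log in as alice, try to become bob, post; return who the post is attributed to."""
    server = Server(ACCOUNTS, disabled_commands={"setid"} if disable_setid else ())
    client = server.connect()
    server.handle(client, {"cmd": "login", "val": {"username": "alice", "pswd": "alice-pw"}})
    server.handle(client, {"cmd": "setid", "val": "bob"})
    reply = server.handle(client, {"cmd": "post_home", "val": "hello"})
    return reply["val"]["u"]


if __name__ == "__main__":
    print("setid enabled :", run_scenario(False))  # bob
    print("setid disabled:", run_scenario(True))   # alice
```

Disabling the command is the cheap first step; the deeper rule the example encodes is that nothing a client sends after login should be able to rebind the session's identity.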
Traceback (most recent call last):
File "meower.py", line 2, in <module>
import uuid
File "/opt/virtualenvs/python3/lib/python3.8/site-packages/uuid.py", line 138
if not 0 <= time_low < 1<<32L:
^
SyntaxError: invalid syntax
Please, we need this
^
This feature will allow the user to view all account activity such as last login timestamp, last known IP address, and account creation timestamps.
This will also permit the user to provide an email to open up the possibility for an account recovery system as well as email-based notifications. More ideas suggested for this.
This should also implement an account deletion feature, as mentioned in https://github.com/meower-media-co/Meower/issues/96
Also, a much needed feature is the ability to change/reset account passwords, as mentioned in https://github.com/meower-media-co/Meower/issues/49
^
Current implementation as of now is to store home posts to /Meower/Posts/ and index these posts into a JSON file in /Meower/Categories/Home/ formatted as M:D:Y.json. This is inefficient for storage and can bug out if the file is larger than the maximum allowable packet size in CloudLink.
Possible improvement for this is to make post_home store posts in /Meower/Categories/Home/ instead and modify the get_home command to pull a directory listing of that directory, shorten it down to the most recent posts within the last hour, and trim if needed to even smaller amounts if the listing is larger than the maximum allowable packet size.
see the title
Use a conf.py file with the contents
from dotenv import dotenv_values
from os import environ as os_env

# Values from .env are the defaults; real environment variables override them.
environ = {
    **dotenv_values(".env"),
    **os_env,
}

def getenv(key: str, default=None) -> str:
    return environ.get(key, default)
and import that instead
^
Since Beta 6 is not yet ready, the current Beta 5.x server's CL implementation will be upgraded to use Cloudlink 4.
When a client disconnects, there is a chance for the socket handler to not trigger on close, so CloudLink is unable to delete the client's websocket connection.
In Meower, this leads to always-online (until restart) users or bots, where the user or bot is unable to log in to their account. Meower returns an internal error.
When a socket is not deleted and you try to interact with it, it raises an error saying the client is closed.
Possible fix:
Catch the error, delete the client object and update ulist
Hello, I am making a (small) update to the servers but the py files are not loading
Originally posted by Melt2002 December 18, 2021
It would be cool to see a bot that pulls messages from Meower and posts them in Discord.
Originally posted by Melt2002 December 18, 2021. Not posted by William, Melt posted it, Melt posted it, don't get it confused
^
^
Use watchdog library to detect changes, and use os.execv() to restart.
Whenever I assign a listener to the trust key, it won't respond with the listener once the server gets the msg sometimes
idk if it's reproducible, but it needs to be fixed
Meower refuses to log me in, it just says an E:103 error during the pass auth (I think) process (using cookies) and shows the server down screen
^
RCS is a feature originally featured in Yoom, which allowed moderators and the sysadmin to login to a special command prompt that allowed them to manage the server, view and respond to reports, delete/modify posts, and more.
Meower will have a level-of-trust system. Its levels are described below.
Level 1 - Only allow moderators to manage reports and delete posts. Applies to new moderators.
Level 2 - Also allow moderators to modify posts and block IP addresses. Promoted moderators only.
Level 3 - Permit moderators to create announcements. Only the most trusted moderators can get this level.
Level 4 - Sysadmin only, allows for all the above + ability to restart or shutdown the server at will.
This feature will function as an API making a staff page possible as well as the ability to moderate posts directly within Meower.
This feature will be helpful to develop a python GUI for managing the server.
This will also make possible the following feature: meower-media-co/Meower-Vanilla#97
Pretty self explanatory to anyone who has had their client glitch out from scratch json packets. This would essentially send an error code when someone attempts to send a scratch json packet, and simply reject it. (e.g. "E:023 | Scratch packet rejected" or "E:023 | Packet rejected".)
When using the command ip_ban, it will only ban the user if they're not already in the users array for IP bans. This is a problem because if a user gets IP banned but comes online with another IP, that IP cannot be banned until their previous IP is unbanned through the ip_pardon command.
I feel as though ip_ban should ban their last IP (stored in their userdata), and ip_pardon should attempt to pardon every IP they've logged in with previously. If you agree I can make a PR to get this added.
Makes custom clients ask for permission and never touch passwords
admin - meower admin
meower:status - check server status
meower:write - read and write posts
meower:chat - read and write public chat
meower:privchat - read and write private chat
meower:all - everything meower
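One way to enforce both proposals together, the moderator level-of-trust ladder (levels 1 to 4 above) and the client scopes listed here, as an added example that is not Meower's own code: a deny-by-default authorize() that requires the client token to carry a scope covering the command and, for moderation commands, additionally requires the user's trust level. The command names, which level each moderation command needs and the mapping of ordinary commands to scopes are assumptions for this illustration; only the level descriptions and the scope names come from the page.

```python
# Added example, not Meower's own code. Combines the level-of-trust ladder
# with client scopes in one deny-by-default check. Command names, the level
# per moderation command and the command-to-scope map are assumed.
from __future__ import annotations

# Minimum trust level per moderation command (assumed command names).
MOD_LEVELS = {
    "manage_report": 1, "delete_post": 1,          # Level 1: new moderators
    "edit_post": 2, "ip_ban": 2, "ip_pardon": 2,   # Level 2: promoted moderators
    "announce": 3,                                 # Level 3: most trusted
    "restart": 4, "shutdown": 4,                   # Level 4: sysadmin only
}

# Scope each ordinary command requires (assumed command names).
SCOPE_FOR = {
    "get_status": "meower:status",
    "get_home": "meower:write", "post_home": "meower:write",
    "get_chat": "meower:chat", "post_chat": "meower:chat",
    "get_privchat": "meower:privchat", "post_privchat": "meower:privchat",
}


def parse_scopes(scope_string: str) -> set[str]:
    """Space-separated scopes, as an OAuth-style token would carry them."""
    return {s for s in scope_string.split() if s}


def authorize(command: str, user_level: int, scopes: set[str]) -> tuple[bool, str]:
    """Deny by default. Moderation commands need the admin scope on the client
    AND a sufficient trust level on the user; meower:all does not imply admin."""
    if command in MOD_LEVELS:
        if "admin" not in scopes:
            return False, "E:Client lacks admin scope"
        needed_level = MOD_LEVELS[command]
        if user_level < needed_level:
            return False, f"E:Requires trust level {needed_level}"
        return True, "I:OK"
    needed_scope = SCOPE_FOR.get(command)
    if needed_scope is None:
        return False, "E:Unknown command"
    if needed_scope in scopes or "meower:all" in scopes:
        return True, "I:OK"
    return False, f"E:Missing scope {needed_scope}"


if __name__ == "__main__":
    bot = parse_scopes("meower:status meower:write")
    print(authorize("post_home", 0, bot))        # (True, 'I:OK')
    print(authorize("post_chat", 0, bot))        # (False, 'E:Missing scope meower:chat')
    print(authorize("ip_ban", 1, {"admin"}))     # (False, 'E:Requires trust level 2')
    print(authorize("shutdown", 4, {"admin"}))   # (True, 'I:OK')
```

Keeping the two checks independent is the point: a Level 4 sysadmin using a third-party client that was only granted meower:write still cannot shut the server down through it, and a client holding admin cannot do more than the logged-in user's level allows.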
A common thing people do is change their password, then forget it, but still remember their old one.
A useful feature would be to store the previous password (hashed) for 14 days after the password is changed.
When a password is entered, the server would check the main password, but if it doesn't match, it would check the previous password (if applicable).
If the password matches the previous password variable, but not the primary variable, it would send a status code informing the client that the password was valid within the past 14 days, but was changed (time) ago from a (device) in (location). It should not allow the user to log in as then anyone with the previous password can log in which is a security vulnerability.
Obviously, the time, device, and location info will need to come from somewhere other than a status code, for example, stored hashed by the previous password on the API.
I also have a mockup of a popup showing this feature put to use:
When the user contacts [email protected] to change the password, the support person should be able to switch the previous and primary password variables around, making the previous password the primary password. If emails are added in the CL4 port, you should also require a code from an email for added security.
^
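The check described in the proposal above, as an added example that is not Meower's own code: the primary hash is tried first, the retained previous hash second, and a match on the previous hash inside the 14-day window yields a distinct status code without granting a session. Hashing uses PBKDF2-HMAC-SHA256 from the Python standard library with a constant-time comparison; the Account fields, the status strings and the support-desk swap helper are assumptions for this illustration, and the "changed (time) ago from (device) in (location)" details, which the proposal says must come from elsewhere, are deliberately not carried in the status code.

```python
# Added example, not Meower's own code. Implements the previous-password
# check from the proposal: current hash first, retained previous hash second,
# distinct status on a previous-password match, never a session. Account
# fields, status strings and the swap helper are assumptions.
from __future__ import annotations
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000
RETENTION_SECONDS = 14 * 24 * 60 * 60  # keep the previous hash for 14 days


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


@dataclass
class Account:
    pswd: str                            # primary hash
    previous_pswd: Optional[str] = None  # retained hash of the last password
    changed_at: float = 0.0              # when the password was last changed


def change_password(acct: Account, new_password: str, now: Optional[float] = None) -> None:
    acct.previous_pswd = acct.pswd
    acct.pswd = hash_password(new_password)
    acct.changed_at = time.time() if now is None else now


def authenticate(acct: Account, password: str, now: Optional[float] = None) -> str:
    """'I:OK' only for the current password. A previous password still inside the
    retention window gets 'E:PasswordChanged' and NO session; anything else,
    including an expired previous password, gets 'E:InvalidPassword'."""
    now = time.time() if now is None else now
    if verify_password(password, acct.pswd):
        return "I:OK"
    if acct.previous_pswd is not None and now - acct.changed_at <= RETENTION_SECONDS:
        if verify_password(password, acct.previous_pswd):
            return "E:PasswordChanged"
    return "E:InvalidPassword"


def swap_passwords(acct: Account, now: Optional[float] = None) -> None:
    """Support-desk action from the proposal: make the previous password primary again.
    Should only run after the user has been verified out of band (e.g. an email code)."""
    if acct.previous_pswd is None:
        raise ValueError("no previous password retained")
    acct.pswd, acct.previous_pswd = acct.previous_pswd, acct.pswd
    acct.changed_at = time.time() if now is None else now
```

Two things the window buys you: the previous hash is only ever compared, never accepted, so an attacker holding the old password learns nothing beyond "this was changed"; and because the comparison is skipped after 14 days, an expired previous password is indistinguishable from a wrong one.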
In the future, meower will only have the trust key "meower". Due to how CloudLink's Trusted Access feature works, I cannot remove Trust Keys as it wouldn't work with a vanilla copy of CloudLink, and if I wanted to turn it off I would also need to disable IP blocking.
Instead, we just share a generic trust key "meower" and heavily improve authentication and other server-side protections.
This feature was also historically used as a version check, but in the future the server will implement a command to check the client's version string and compare it against a list of compatible versions, and will tell the client if it's out of date or not.
(from MB docs)
Specify the client headers. If a library is misbehaving, this will help us handle the issues it may cause by temporarily blacklisting the client versions.
(make this a required step in the process of connecting to the server.)
Issue: CL4 api endpoint authenticate command is not functional
Log:
[2023-02-02 10:07:30,913 | 1675350450.913019] (24412 - MainThread) INFO: Cloudlink server v0.1.9.2
[2023-02-02 10:07:30,957 | 1675350450.957789] (24412 - MainThread) INFO: server listening on 0.0.0.0:3001
[2023-02-02 10:08:33,186 | 1675350513.186868] (24412 - MainThread) INFO: connection open
[2023-02-02 10:08:33,186 | 1675350513.186868] (24412 - MainThread) INFO: Client 0 connected: 127.0.0.1
[2023-02-02 10:19:02,857 | 1675351142.857281] (24412 - MainThread) ERROR: Exception was raised: "'User' object has no attribute 'get_following'"
Traceback (most recent call last):
File "D:\meower-server\meower\run_cl4.py", line 8, in <module>
cl.run(ip="0.0.0.0", port=3001)
File "D:\meower-server\meower\src\cl4\cloudlink\server\server.py", line 76, in run
self.asyncio.run(self.__run__(ip, port))
File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\runners.py", line 190, in run
return runner.run(main)
File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\runners.py", line 118, in run
return self._loop.run_until_complete(task)
File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\base_events.py", line 637, in run_until_complete
self.run_forever()
File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\windows_events.py", line 321, in run_forever
super().run_forever()
File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\base_events.py", line 604, in run_forever
self._run_once()
File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\base_events.py", line 1909, in _run_once
handle._run()
File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\events.py", line 80, in _run
self._context.run(self._callback, *self._args)
File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\site-packages\websockets\legacy\server.py", line 236, in handler
await self.ws_handler(self)
File "D:\meower-server\meower\src\cl4\cloudlink\server\server.py", line 563, in __handler__
result = await self.__run_method__(client, message)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "D:\meower-server\meower\src\cl4\cloudlink\server\server.py", line 475, in __run_method__
return await self.__cl_method_handler__(client, message)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "D:\meower-server\meower\src\cl4\cloudlink\server\server.py", line 410, in __cl_method_handler__
await method(client, message, listener)
File "D:\meower-server\meower\src\cl4\commands.py", line 60, in authenticate
"following": session.user.get_following(),
^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'User' object has no attribute 'get_following'
[2023-02-02 10:19:02,864 | 1675351142.864737] (24412 - MainThread) INFO: Client 0 disconnected: 127.0.0.1 - Code 1011 and reason "Unexpected exception was raised"
[2023-02-02 10:19:02,873 | 1675351142.873714] (24412 - MainThread) INFO: connection closed
mashedpotatos
Describe the bug
This is a test.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Test
Desktop (please complete the following information):
Smartphone (please complete the following information):
Additional context
This is a test
Every page after 3, I believe, for me at least, has the last 9 or so user queries be the same every time. May be different on other devices; an example of this is on the bettermeower 1.5.0 branch, or the difference between https://api.meower.org/search/users?autoget&page=15&q= and https://api.meower.org/search/users?autoget&page=14&q=
If the feature detects a username that already exists with an I, and the fake includes l, the server can return Account exists.
^
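A way to implement the check above that goes a little beyond the single I/l case, as an added example that is not Meower's own code: usernames are reduced to a canonical form (NFKC-normalised, casefolded, separators dropped, look-alike characters collapsed to one representative) and registration is refused with the proposed "Account exists" response when the canonical form is already taken. The confusable table is a small hand-picked one for this illustration, not the full Unicode confusables list, and the Registry class and response strings are assumptions.

```python
# Added example, not Meower's own code. Generalises the "I vs l" case from the
# issue: canonicalise usernames and refuse a new one whose canonical form
# collides with an existing account. The confusable table is hand-picked and
# incomplete; Registry and the response strings are assumptions.
from __future__ import annotations
import unicodedata

# Each group of look-alikes collapses to its first member (assumed table).
CONFUSABLE_GROUPS = [
    "il1|!",  # I/i, l, one, vertical bar, bang
    "o0",     # O and zero
    "s5$",
    "a@",
    "e3",
    "b8",
    "z2",
]
CANON = {ch: group[0] for group in CONFUSABLE_GROUPS for ch in group}
IGNORED = set("._- ")  # separators that give no real visual distinction


def canonical(username: str) -> str:
    """NFKC folds fullwidth and ligature forms to ASCII, casefold removes the
    I/i distinction, then separators are dropped and confusables collapsed."""
    folded = unicodedata.normalize("NFKC", username).casefold()
    return "".join(CANON.get(ch, ch) for ch in folded if ch not in IGNORED)


class Registry:
    def __init__(self, existing=()):
        self.by_canonical: dict[str, str] = {}
        for name in existing:
            self.by_canonical[canonical(name)] = name

    def lookalike_of(self, username: str) -> str | None:
        """The existing account this name would be confused with, if any."""
        return self.by_canonical.get(canonical(username))

    def register(self, username: str) -> str:
        if self.lookalike_of(username) is not None:
            return "Account exists"  # the response the issue proposes
        self.by_canonical[canonical(username)] = username
        return "I:OK"


if __name__ == "__main__":
    reg = Registry(["Illuminati", "Owner", "josh"])
    print(reg.register("llluminati"))  # Account exists
    print(reg.register("0wner"))       # Account exists
    print(reg.register("josh2"))       # I:OK
```

Returning the same "Account exists" for a look-alike as for an exact duplicate is deliberate: it tells the registrant nothing about which existing name was matched.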
also will make possible the user notifs feature as mentioned in meower-media-co/Meower-Vanilla#23