rushlink/handlers.go

390 lines
10 KiB
Go
Raw Normal View History

2019-11-09 15:50:12 +01:00
package rushlink
2019-08-25 21:33:56 +02:00
import (
2019-09-01 01:41:01 +02:00
"crypto/subtle"
2019-08-25 21:33:56 +02:00
"fmt"
"log"
2019-11-10 19:03:57 +01:00
"mime/multipart"
2019-08-25 21:33:56 +02:00
"net/http"
"net/url"
2019-11-10 19:03:57 +01:00
"os"
"strings"
2019-08-25 21:33:56 +02:00
"time"
"gitea.hashru.nl/dsprenkels/rushlink/internal/db"
2019-11-10 19:03:57 +01:00
"github.com/google/uuid"
2019-08-29 23:40:24 +02:00
"github.com/gorilla/mux"
"github.com/pkg/errors"
2019-08-25 21:33:56 +02:00
bolt "go.etcd.io/bbolt"
)
2019-09-21 13:11:38 +02:00
type viewPaste uint
const (
_ viewPaste = 1 << iota
viewNoRedirect
viewShowMeta
)
const cookieDeleteToken = "owner_token"
2019-09-01 01:41:01 +02:00
type canDelete uint
const (
canDeleteUndef canDelete = iota
canDeleteYes
canDeleteNo
)
func (cd *canDelete) Bool() bool {
return *cd == canDeleteYes
}
func (cd *canDelete) String() string {
switch *cd {
case canDeleteUndef:
return "undefined"
case canDeleteYes:
return "correct"
case canDeleteNo:
return "invalid"
default:
panic("unreachable")
}
}
2019-12-16 11:51:41 +01:00
func (rl *rushlink) staticGetHandler(w http.ResponseWriter, r *http.Request) {
rl.renderStatic(w, r, mux.Vars(r)["path"])
}
func (rl *rushlink) indexGetHandler(w http.ResponseWriter, r *http.Request) {
rl.render(w, r, "index", map[string]interface{}{})
2019-09-01 01:41:01 +02:00
}
func (rl *rushlink) viewPasteHandler(w http.ResponseWriter, r *http.Request) {
rl.viewPasteHandlerFlags(w, r, 0)
}
func (rl *rushlink) viewPasteHandlerNoRedirect(w http.ResponseWriter, r *http.Request) {
rl.viewPasteHandlerFlags(w, r, viewNoRedirect)
}
func (rl *rushlink) viewPasteHandlerMeta(w http.ResponseWriter, r *http.Request) {
rl.viewPasteHandlerFlags(w, r, viewShowMeta)
2019-09-01 01:41:01 +02:00
}
func (rl *rushlink) viewPasteHandlerFlags(w http.ResponseWriter, r *http.Request, flags viewPaste) {
2019-08-29 00:50:26 +02:00
vars := mux.Vars(r)
key := vars["key"]
var p *db.Paste
var fu *db.FileUpload
if err := rl.db.Bolt.View(func(tx *bolt.Tx) error {
2019-08-29 00:50:26 +02:00
var err error
p, err = db.GetPaste(tx, key)
2019-11-10 19:03:57 +01:00
if err != nil {
return err
}
if p != nil && p.Type == db.PasteTypeFileUpload {
2019-11-10 19:03:57 +01:00
var id uuid.UUID
copy(id[:], p.Content)
fu, err = db.GetFileUpload(tx, id)
2019-11-10 19:03:57 +01:00
if err != nil {
return err
}
}
return nil
2019-08-29 00:50:26 +02:00
}); err != nil {
panic(err)
2019-08-29 00:50:26 +02:00
}
2019-11-10 19:03:57 +01:00
if p == nil {
rl.renderError(w, r, http.StatusNotFound, "url key not found in the database")
2019-09-01 01:41:01 +02:00
return
}
rl.viewPasteHandlerInner(w, r, flags, p, fu)
}
2019-09-01 01:41:01 +02:00
func (rl *rushlink) viewPasteHandlerInner(w http.ResponseWriter, r *http.Request, flags viewPaste, p *db.Paste, fu *db.FileUpload) {
if flags&viewShowMeta != 0 {
rl.viewPasteHandlerInnerMeta(w, r, p, fu)
2020-01-05 00:14:53 +01:00
return
2019-08-29 00:50:26 +02:00
}
2019-09-01 01:41:01 +02:00
switch p.State {
case db.PasteStatePresent:
2019-11-10 19:03:57 +01:00
switch p.Type {
case db.PasteTypeFileUpload:
2019-11-10 19:03:57 +01:00
if fu == nil {
panic(fmt.Sprintf("file for id %v does not exist in database\n", string(p.Content)))
}
rl.viewFileUploadHandler(w, r, fu)
return
case db.PasteTypeRedirect:
if flags&viewNoRedirect == 0 {
http.Redirect(w, r, p.RedirectURL().String(), http.StatusTemporaryRedirect)
}
return
2019-11-10 19:03:57 +01:00
default:
panic("paste type unsupported")
}
case db.PasteStateDeleted:
rl.renderError(w, r, http.StatusGone, "paste has been deleted\n")
return
2019-08-29 00:50:26 +02:00
default:
panic(errors.Errorf("invalid paste.State (%v) for key '%v'", p.State, p.Key))
2019-08-29 00:50:26 +02:00
}
}
func (rl *rushlink) viewFileUploadHandler(w http.ResponseWriter, r *http.Request, fu *db.FileUpload) {
filePath := fu.Path(rl.fs)
file, err := os.Open(filePath)
if err != nil {
if os.IsNotExist(err) {
log.Printf("error: '%v' should exist according to the database, but it doesn't", filePath)
rl.renderError(w, r, http.StatusNotFound, "file not found")
return
}
// unexpected error
panic(err)
}
var modtime time.Time
info, err := file.Stat()
if err != nil {
log.Printf("error: %v", errors.Wrapf(err, "could not stat file '%v'", filePath))
} else {
modtime = info.ModTime()
}
// Provide the real filename to the client (to be used in Ctrl+S etc.)
quotedName := strings.ReplaceAll(fu.FileName, "\"", "\\\"")
w.Header().Set("Content-Disposition", fmt.Sprintf("inline; filename=\"%s\"", quotedName))
// We use http.ServeContent (instead of http.ServeFile) because we cannot
// use http.ServeFile together with the assertion that the file exists,
// without introducing a TOCTOU flaw.
http.ServeContent(w, r, fu.FileName, modtime, file)
}
func (rl *rushlink) viewPasteHandlerInnerMeta(w http.ResponseWriter, r *http.Request, p *db.Paste, fu *db.FileUpload) {
var cd canDelete
deleteToken := getDeleteTokenFromRequest(r)
if deleteToken != "" {
if subtle.ConstantTimeCompare([]byte(deleteToken), []byte(p.DeleteToken)) == 1 {
cd = canDeleteYes
} else {
cd = canDeleteNo
}
}
var fileExt string
if fu != nil {
fileExt = fu.Ext()
}
data := map[string]interface{}{
2020-05-11 22:32:35 +02:00
"Paste": p,
"FileExt": fileExt,
"CanDeleteString": cd.String(),
"CanDeleteBool": cd.Bool(),
}
rl.render(w, r, "pasteMeta", data)
return
}
2020-05-11 22:26:45 +02:00
func (rl *rushlink) viewActionSuccess(w http.ResponseWriter, r *http.Request, p *db.Paste, fu *db.FileUpload) {
var fileExt string
if fu != nil {
fileExt = fu.Ext()
}
// Redirect to the new paste.
pasteURL := url.URL{
Path: fmt.Sprintf("/%s%s/meta", p.Key, fileExt),
RawQuery: fmt.Sprintf("deleteToken=%s", url.QueryEscape(p.DeleteToken)),
}
http.Redirect(w, r, pasteURL.String(), http.StatusFound)
// But still render the page for CURL-like clients.
2020-05-11 22:32:35 +02:00
cd := canDeleteYes
data := map[string]interface{}{
2020-05-11 22:32:35 +02:00
"Paste": p,
"FileExt": fileExt,
"CanDeleteString": cd.String(),
"CanDeleteBool": cd.Bool(),
}
rl.render(w, r, "pasteMeta", data)
return
}
func (rl *rushlink) newPasteHandler(w http.ResponseWriter, r *http.Request) {
2019-11-22 18:41:54 +01:00
file, fileHeader, err := r.FormFile("file")
if err == nil {
rl.newFileUploadPasteHandler(w, r, file, *fileHeader)
2019-11-22 18:41:54 +01:00
return
} else if err == http.ErrMissingFile {
// Fallthrough
} else {
msg := fmt.Sprintf("could not parse form: %v\n", err)
rl.renderError(w, r, http.StatusBadRequest, msg)
2019-11-10 19:03:57 +01:00
return
2019-09-21 13:11:38 +02:00
}
2019-11-22 18:41:54 +01:00
shorten := r.FormValue("shorten")
if shorten != "" {
rl.newRedirectPasteHandler(w, r, shorten)
2019-09-21 13:11:38 +02:00
return
}
2019-11-10 19:03:57 +01:00
rl.renderError(w, r, http.StatusBadRequest, "no 'file' and no 'shorten' fields given in form\n")
2019-11-10 19:03:57 +01:00
}
func (rl *rushlink) newFileUploadPasteHandler(w http.ResponseWriter, r *http.Request, file multipart.File, header multipart.FileHeader) {
var fu *db.FileUpload
var paste *db.Paste
if err := rl.db.Bolt.Update(func(tx *bolt.Tx) error {
2019-11-10 19:03:57 +01:00
var err error
fu, err = db.NewFileUpload(rl.fs, file, header.Filename)
2019-11-10 19:03:57 +01:00
if err != nil {
panic(errors.Wrap(err, "creating fileUpload"))
}
if err := fu.Save(tx); err != nil {
panic(errors.Wrap(err, "saving fileUpload in db"))
}
2019-11-10 19:03:57 +01:00
paste, err = shortenFileUploadID(tx, fu.ID)
return err
}); err != nil {
panic(err)
}
2020-05-11 22:26:45 +02:00
rl.viewActionSuccess(w, r, paste, fu)
2019-11-10 19:03:57 +01:00
}
func (rl *rushlink) newPasteHandlerURLEncoded(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
2019-11-10 19:03:57 +01:00
if err := r.ParseForm(); err != nil {
next(w, r)
2019-09-21 13:11:38 +02:00
return
}
2019-11-10 19:03:57 +01:00
shorten := r.PostFormValue("shorten")
if shorten == "" {
rl.renderError(w, r, http.StatusBadRequest, "no 'shorten' param given\n")
2019-09-21 13:11:38 +02:00
return
}
rl.newRedirectPasteHandler(w, r, shorten)
2019-09-21 13:11:38 +02:00
}
func (rl *rushlink) newRedirectPasteHandler(w http.ResponseWriter, r *http.Request, rawurl string) {
userURL, err := url.Parse(rawurl)
2019-08-25 21:33:56 +02:00
if err != nil {
2019-09-15 21:34:41 +02:00
msg := fmt.Sprintf("invalid url (%v): %v", err, rawurl)
rl.renderError(w, r, http.StatusBadRequest, msg)
2019-08-25 21:33:56 +02:00
return
}
if userURL.Scheme == "" {
rl.renderError(w, r, http.StatusBadRequest, "invalid url (unspecified scheme)\n")
2019-08-25 21:33:56 +02:00
return
}
if userURL.Host == "" {
rl.renderError(w, r, http.StatusBadRequest, "invalid url (unspecified host)\n")
2019-08-25 21:33:56 +02:00
return
}
var paste *db.Paste
if err := rl.db.Bolt.Update(func(tx *bolt.Tx) error {
2019-09-21 21:03:31 +02:00
var err error
paste, err = shortenURL(tx, userURL)
2019-08-25 21:33:56 +02:00
return err
}); err != nil {
panic(err)
2019-08-25 21:33:56 +02:00
}
2020-05-11 22:26:45 +02:00
rl.viewActionSuccess(w, r, paste, nil)
2019-09-21 13:11:38 +02:00
}
// Delete a URL from the database
func (rl *rushlink) deletePasteHandler(w http.ResponseWriter, r *http.Request) {
2019-09-21 13:11:38 +02:00
vars := mux.Vars(r)
key := vars["key"]
2019-09-21 21:03:31 +02:00
deleteToken := getDeleteTokenFromRequest(r)
if deleteToken == "" {
rl.renderError(w, r, http.StatusBadRequest, "no delete token provided\n")
2019-09-21 13:11:38 +02:00
return
}
var errorCode int
2019-12-16 06:21:21 +01:00
var paste *db.Paste
if err := rl.db.Bolt.Update(func(tx *bolt.Tx) error {
2019-12-16 06:21:21 +01:00
var err error
paste, err = db.GetPaste(tx, key)
2019-09-21 13:11:38 +02:00
if err != nil {
errorCode = http.StatusNotFound
return err
}
2019-12-16 06:21:21 +01:00
if paste.State == db.PasteStateDeleted {
2019-11-22 18:41:54 +01:00
errorCode = http.StatusGone
return errors.New("already deleted")
2019-09-21 13:11:38 +02:00
}
2019-12-16 06:21:21 +01:00
if subtle.ConstantTimeCompare([]byte(deleteToken), []byte(paste.DeleteToken)) == 0 {
2019-11-22 18:41:54 +01:00
errorCode = http.StatusForbidden
return errors.New("invalid delete token")
}
2019-12-16 06:21:21 +01:00
if err := paste.Delete(tx, rl.fs); err != nil {
2019-11-22 18:41:54 +01:00
errorCode = http.StatusInternalServerError
return err
}
return nil
2019-09-21 13:11:38 +02:00
}); err != nil {
log.Printf("error: %v\n", err)
rl.renderError(w, r, errorCode, fmt.Sprintf("error: %v\n", err))
2019-09-21 13:11:38 +02:00
return
}
2020-05-11 22:26:45 +02:00
rl.viewActionSuccess(w, r, paste, nil)
2019-08-29 00:50:26 +02:00
}
2019-11-10 19:03:57 +01:00
// Add a new fileUpload redirect to the database
//
// Returns the new paste key if the fileUpload was successfully added to the
// database
func shortenFileUploadID(tx *bolt.Tx, id uuid.UUID) (*db.Paste, error) {
return shorten(tx, db.PasteTypeFileUpload, id[:])
2019-11-10 19:03:57 +01:00
}
2019-08-25 21:33:56 +02:00
// Add a new URL to the database
//
2019-11-10 19:03:57 +01:00
// Returns the new paste key if the url was successfully shortened
func shortenURL(tx *bolt.Tx, userURL *url.URL) (*db.Paste, error) {
return shorten(tx, db.PasteTypeRedirect, []byte(userURL.String()))
2019-11-10 19:03:57 +01:00
}
// Add a paste (of any kind) to the database with arbitrary content.
func shorten(tx *bolt.Tx, ty db.PasteType, content []byte) (*db.Paste, error) {
2019-11-10 19:03:57 +01:00
// Generate the paste key
pasteKey, err := db.GeneratePasteKey(tx)
if err != nil {
return nil, errors.Wrap(err, "generating paste key")
2019-08-25 21:33:56 +02:00
}
2019-09-21 21:03:31 +02:00
// Also generate a deleteToken
deleteToken, err := db.GenerateDeleteToken()
2019-09-21 21:03:31 +02:00
if err != nil {
return nil, errors.Wrap(err, "generating delete token")
}
2019-08-25 21:33:56 +02:00
// Store the new key
p := db.Paste{
2019-11-10 19:03:57 +01:00
Type: ty,
State: db.PasteStatePresent,
2019-11-10 19:03:57 +01:00
Content: content,
Key: pasteKey,
2019-09-21 13:11:38 +02:00
DeleteToken: deleteToken,
2019-08-25 21:33:56 +02:00
TimeCreated: time.Now().UTC(),
}
if err := p.Save(tx); err != nil {
2019-09-21 13:11:38 +02:00
return nil, err
}
return &p, nil
2019-09-01 01:41:01 +02:00
}
2019-09-21 21:03:31 +02:00
func getDeleteTokenFromRequest(r *http.Request) string {
return r.URL.Query().Get("deleteToken")
2019-09-01 01:41:01 +02:00
}