diff --git a/assets/templates/txt/pasteMeta.txt.tmpl b/assets/templates/txt/pasteMeta.txt.tmpl index 5ca0503..51e0719 100644 --- a/assets/templates/txt/pasteMeta.txt.tmpl +++ b/assets/templates/txt/pasteMeta.txt.tmpl @@ -1,5 +1,17 @@ -key: {{.Paste.Key}} -type: {{.Paste.Type}} -state: {{.Paste.State}} -created: {{.Paste.TimeCreated}} -owner: {{if .IsOwner}}yes{{else}}no{{end}} +METADATA on <{{.Request.Host}}/{{.Paste.Key}}>: + +TYPE: {{.Paste.Type}} +STATE: {{.Paste.State}} +{{if .Paste.TimeCreated.IsZero -}} +CREATED: undefined +{{else -}} +CREATED: {{.Paste.TimeCreated}} +{{end -}} +DELETE TOKEN: {{.CanDelete.String}} + +{{if and (ne .Paste.State.String "deleted") .CanDelete.Bool}} +``` +# To delete this {{.Paste.Type}}, execute: +curl --request "DELETE" "{{.Request.Host}}/{{.Paste.Key}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}" +``` +{{end}} diff --git a/handlers/handlers.go b/handlers/handlers.go index a40fa7a..5815a5c 100644 --- a/handlers/handlers.go +++ b/handlers/handlers.go @@ -4,13 +4,13 @@ import ( "crypto/rand" "crypto/subtle" "encoding/base64" + "encoding/hex" "fmt" "log" "net/http" "net/url" "strings" "time" - "unicode" "github.com/gorilla/mux" "github.com/pkg/errors" 
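Review bot: The generated curl command has no scheme and takes its host from `{{.Request.Host}}`, which is the client-supplied Host header. curl falls back to http:// for a scheme-less URL, so a user who copies the line sends the delete token in cleartext even when the service is served over TLS. Building the link from a configured base URL that includes the scheme avoids both problems, e.g. `curl --request "DELETE" "{{.BaseURL}}/{{.Paste.Key}}?deleteToken=…"`, where `.BaseURL` is a placeholder for a value the handler would have to supply. The same scheme-less `r.Host` construction appears in `saveRawurl` in newRedirectPasteHandler. The reflected `deleteToken` query value is printed only when `.CanDelete.Bool` is true, that is, after it decoded and matched the stored token.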
@@ -20,29 +20,39 @@ import ( "gitea.hashru.nl/dsprenkels/rushlink/gobmarsh" ) -type PasteType int -type PasteState int +type pasteType int +type pasteState int -type StoredPaste struct { - Type PasteType - State PasteState +type storedPaste struct { + Type pasteType + State pasteState Content []byte Key string - OwnerToken [16]byte + DeleteToken [16]byte TimeCreated time.Time } const ( - TypePaste PasteType = iota - TypeRedirect + typeUndef pasteType = 0 + typePaste = 1 + typeRedirect = 2 ) const ( - StatePresent PasteState = iota - StateDeleted + stateUndef pasteState = 0 + statePresent = 1 + stateDeleted = 2 ) -const CookieOwnerToken = "owner_token" +type viewPaste uint + +const ( + _ viewPaste = 1 << iota + viewNoRedirect + viewShowMeta +) + +const CookieDeleteToken = "owner_token" // These keys are designated reserved, and will not be randomly chosen var ReservedPasteKeys = []string{"xd42", "example"} @@ -51,22 +61,26 @@ var ReservedPasteKeys = []string{"xd42", "example"} var base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_" var base64Encoder = base64.RawURLEncoding.WithPadding(base64.NoPadding) -func (t PasteType) String() string { +func (t pasteType) String() string { switch t { - case TypePaste: + case typeUndef: + return "unknown" + case typePaste: return "paste" - case TypeRedirect: + case typeRedirect: return "redirect" default: return "invalid" } } -func (t PasteState) String() string { +func (t pasteState) String() string { switch t { - case StatePresent: + case stateUndef: + return "unknown" + case statePresent: return "present" - case StateDeleted: + case stateDeleted: return "deleted" default: return "invalid" 
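Review bot: Renaming `OwnerToken` to `DeleteToken` and renumbering the constants changes how already-stored records decode, and the hunk adds no migration or guard for that. If gobmarsh matches fields by name the way encoding/gob does (not visible here), a record written before this commit decodes with an all-zero `DeleteToken`, and its stored `State` 0 now means `stateUndef`, so the constant-time comparison in deletePasteHandler would accept a token value that anyone can guess. A guard before that comparison closes this: `if paste.DeleteToken == ([16]byte{}) { errorCode = http.StatusForbidden; return errors.New("paste has no delete token") }`. Separately, `typePaste = 1` and `statePresent = 1` are untyped constants, because only the first entry of each block carries the type; `typePaste pasteType = 1` keeps them typed.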
@@ -74,10 +88,89 @@ func (t PasteState) String() string { } func indexGetHandler(w http.ResponseWriter, r *http.Request) { - render(w, r, "index", nil) + render(w, r, "index", map[string]interface{}{}) } -func indexPostHandler(w http.ResponseWriter, r *http.Request) { +func viewPasteHandler(w http.ResponseWriter, r *http.Request) { + viewPasteHandlerInner(w, r, 0) +} + +func viewPasteHandlerNoRedirect(w http.ResponseWriter, r *http.Request) { + viewPasteHandlerInner(w, r, viewNoRedirect) +} + +func viewPasteHandlerMeta(w http.ResponseWriter, r *http.Request) { + viewPasteHandlerInner(w, r, viewShowMeta) +} + +func viewPasteHandlerInner(w http.ResponseWriter, r *http.Request, flags viewPaste) { + vars := mux.Vars(r) + key := vars["key"] + var storedPaste *storedPaste + if err := db.DB.View(func(tx *bolt.Tx) error { + var err error + storedPaste, err = getURL(tx, key) + return err + }); err != nil { + log.Printf("error: %v\n", err) + renderInternalServerError(w, r, err) + return + } + if storedPaste == nil { + renderError(w, r, http.StatusNotFound, "url key not found in the database") + return + } + + if flags&viewShowMeta != 0 { + canDelete := struct { + Bool bool + String string + }{Bool: false} + deleteToken, err := getDeleteTokenFromRequest(r) + if err != nil { + canDelete.String = "invalid" + } else if deleteToken == nil { + canDelete.String = "undefined" + } else { + if subtle.ConstantTimeCompare(deleteToken[:], storedPaste.DeleteToken[:]) == 1 { + canDelete.Bool = true + canDelete.String = "correct" + } else { + canDelete.String = "invalid" + } + } + + data := map[string]interface{}{ + "Paste": storedPaste, + "CanDelete": canDelete, + } + render(w, r, "pasteMeta", data) + return + } + + switch storedPaste.State { + case statePresent: + if flags&viewNoRedirect == 0 { + rawurl := string(storedPaste.Content) + urlParse, err := url.Parse(rawurl) + if err != nil { + log.Printf("error: invalid URL ('%v') in database for key '%v': %v\n", rawurl, storedPaste.Key, err) 
+ renderInternalServerError(w, r, "invalid url in database") + return + } + http.Redirect(w, r, urlParse.String(), http.StatusSeeOther) + } + w.Write(storedPaste.Content) + case stateDeleted: + renderError(w, r, http.StatusGone, "key has been deleted") + default: + log.Printf("error: invalid storedPaste.State (%v) for key '%v'\n", storedPaste.State, storedPaste.Key) + msg := fmt.Sprintf("internal server error: invalid storedPaste.State (%v\n)", storedPaste.State) + renderInternalServerError(w, r, msg) + } +} + +func newPasteHandler(w http.ResponseWriter, r *http.Request) { if err := r.ParseMultipartForm(50 * 1000 * 1000); err != nil { log.Printf("error: %v\n", err) renderInternalServerError(w, r, err) 
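Review bot: In the `statePresent` case of viewPasteHandlerInner the handler calls `http.Redirect` and then still falls through to `w.Write(storedPaste.Content)`, and it never looks at `storedPaste.Type`, so a record of `typePaste` would have its content parsed as a URL and sent as the redirect target. Guarding the branch with `if storedPaste.Type == typeRedirect && flags&viewNoRedirect == 0 {` and adding `return` after `http.Redirect(...)` keeps paste content from being treated as a Location value. `url.Parse` also accepts any scheme; whether the creation path restricts schemes is outside this hunk, so a scheme allow-list at redirect time would be the safer place for that check.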
@@ -99,77 +192,10 @@ func indexPostHandler(w http.ResponseWriter, r *http.Request) { return } - shortenPostHandler(w, r) + newRedirectPasteHandler(w, r) } -func pasteGetHandler(w http.ResponseWriter, r *http.Request) { - pasteGetHandlerInner(w, r, false, false) -} - -func pasteGetHandlerNoRedirect(w http.ResponseWriter, r *http.Request) { - pasteGetHandlerInner(w, r, true, false) -} - -func pasteGetHandlerMeta(w http.ResponseWriter, r *http.Request) { - pasteGetHandlerInner(w, r, false, true) -} - -func pasteGetHandlerInner(w http.ResponseWriter, r *http.Request, noRedirect, showMeta bool) { - vars := mux.Vars(r) - key := vars["key"] - var storedPaste *StoredPaste - if err := db.DB.View(func(tx *bolt.Tx) error { - var err error - storedPaste, err = getURL(tx, []byte(key)) - return err - }); err != nil { - log.Printf("error: %v\n", err) - renderInternalServerError(w, r, err) - return - } - if storedPaste == nil { - renderError(w, r, http.StatusNotFound, "url key not found in the database") - return - } - - if showMeta { - isOwner := false - ownerToken, ok := getOwnerTokenFromRequest(r) - if ok && subtle.ConstantTimeCompare(ownerToken[:], storedPaste.OwnerToken[:]) == 1 { - isOwner = true - } - - data := map[string]interface{}{ - "Paste": storedPaste, - "IsOwner": isOwner, - } - render(w, r, "pasteMeta", data) - return - } - - switch storedPaste.State { - case StatePresent: - if !noRedirect { - rawurl := string(storedPaste.Content) - urlParse, err := url.Parse(rawurl) - if err != nil { - log.Printf("error: invalid URL ('%v') in database for key '%v': %v\n", rawurl, storedPaste.Key, err) - renderInternalServerError(w, r, "invalid url in database") - return - } - http.Redirect(w, r, urlParse.String(), http.StatusSeeOther) - } - w.Write(storedPaste.Content) - case StateDeleted: - renderError(w, r, http.StatusGone, "key has been deleted") - default: - log.Printf("error: invalid storedPaste.State (%v) for key '%v'\n", storedPaste.State, storedPaste.Key) - msg := 
fmt.Sprintf("internal server error: invalid storedPaste.State (%v\n)", storedPaste.State) - renderInternalServerError(w, r, msg) - } -} - -func shortenPostHandler(w http.ResponseWriter, r *http.Request) { +func newRedirectPasteHandler(w http.ResponseWriter, r *http.Request) { rawurl := r.PostForm.Get("shorten") userURL, err := url.ParseRequestURI(rawurl) if err != nil { @@ -186,18 +212,15 @@ func shortenPostHandler(w http.ResponseWriter, r *http.Request) { return } - var storedPaste *StoredPaste + var storedPaste *storedPaste if err := db.DB.Update(func(tx *bolt.Tx) error { - ownerKey, ok := getOwnerTokenFromRequest(r) - if ok == false { - // Owner key not supplied or invalid, generate a new one - ownerKey, err = generateOwnerToken() - if err != nil { - return errors.Wrap(err, "generating OwnerToken") - } + // Generate a new delete token for this paste + deleteToken, err := generateDeleteToken() + if err != nil { + return errors.Wrap(err, "generating delete token") } - sp, err := shortenURL(tx, userURL, ownerKey) + sp, err := shortenURL(tx, userURL, deleteToken) storedPaste = sp return err }); err != nil { 
@@ -206,34 +229,71 @@ func shortenPostHandler(w http.ResponseWriter, r *http.Request) { return } - saveURL, err := r.URL.Parse(string(storedPaste.Key)) + deleteToken := hex.EncodeToString(storedPaste.DeleteToken[:]) + saveRawurl := fmt.Sprintf("%v/%v?deleteToken=%v", r.Host, string(storedPaste.Key), deleteToken) + saveURL, err := r.URL.Parse(saveRawurl) if err != nil { err = errors.Wrap(err, "parsing url") log.Printf("error: %v\n", err) renderInternalServerError(w, r, err) return } - var base64OwnerToken = make([]byte, 24) - base64Encoder.Encode(base64OwnerToken, storedPaste.OwnerToken[:]) // TODO(dsprenkels) Put this into a template w.WriteHeader(http.StatusOK) - fmt.Fprintf(w, "URL saved at %v\n", saveURL) - isNotPrint := func(r rune) bool { return !unicode.IsPrint(r) } - fmt.Fprintf(w, "Owner key is %s\n", strings.TrimRightFunc(string(base64OwnerToken), isNotPrint)) + fmt.Fprintf(w, "%v\n", saveURL) +} + +// Delete a URL from the database +func deletePasteHandler(w http.ResponseWriter, r *http.Request) { + // TODO(dsprenkels) LEFT HERE; this functionality still untested + vars := mux.Vars(r) + key := vars["key"] + + deleteToken, err := getDeleteTokenFromRequest(r) + if err != nil { + renderError(w, r, http.StatusBadRequest, "invalid delete token") + return + } else if deleteToken == nil { + renderError(w, r, http.StatusBadRequest, "no delete token provided") + return + } + + var errorCode int + if err := db.DB.Update(func(tx *bolt.Tx) error { + paste, err := getURL(tx, key) + if err != nil { + errorCode = http.StatusNotFound + return err + } + if subtle.ConstantTimeCompare(deleteToken[:], paste.DeleteToken[:]) == 1 { + // Replace the old paste with a new empty paste + return savePaste(tx, key, storedPaste{ + Key: paste.Key, + State: stateDeleted, + DeleteToken: paste.DeleteToken, + }) + } + errorCode = http.StatusForbidden + return errors.New("invalid delete token") + }); err != nil { + log.Printf("error: %v\n", err) + renderError(w, r, errorCode, 
fmt.Sprintf("error: %v", err)) + return + } } // Retrieve a URL from the database -func getURL(tx *bolt.Tx, key []byte) (*StoredPaste, error) { - shortenBucket := tx.Bucket([]byte(db.BUCKET_PASTES)) - if shortenBucket == nil { - return nil, fmt.Errorf("bucket %v does not exist", db.BUCKET_PASTES) +func getURL(tx *bolt.Tx, key string) (*storedPaste, error) { + pastesBucket := tx.Bucket([]byte(db.BUCKET_PASTES)) + if pastesBucket == nil { + return nil, errors.Errorf("bucket %v does not exist", db.BUCKET_PASTES) } - storedBytes := shortenBucket.Get(key) + storedBytes := pastesBucket.Get([]byte(key)) if storedBytes == nil { return nil, nil } - storedPaste := &StoredPaste{} + storedPaste := &storedPaste{} err := gobmarsh.Unmarshal(storedBytes, storedPaste) return storedPaste, err } @@ -241,10 +301,10 @@ func getURL(tx *bolt.Tx, key []byte) (*StoredPaste, error) { // Add a new URL to the database // // Returns the new ID if the url was successfully shortened -func shortenURL(tx *bolt.Tx, userURL *url.URL, ownerKey [16]byte) (*StoredPaste, error) { - shortenBucket := tx.Bucket([]byte(db.BUCKET_PASTES)) - if shortenBucket == nil { - return nil, fmt.Errorf("bucket %v does not exist", db.BUCKET_PASTES) +func shortenURL(tx *bolt.Tx, userURL *url.URL, deleteToken [16]byte) (*storedPaste, error) { + pastesBucket := tx.Bucket([]byte(db.BUCKET_PASTES)) + if pastesBucket == nil { + return nil, errors.Errorf("bucket %v does not exist", db.BUCKET_PASTES) } // Generate a key until it is not in the database, this occurs in O(log N), @@ -258,7 +318,7 @@ func shortenURL(tx *bolt.Tx, userURL *url.URL, ownerKey [16]byte) (*StoredPaste, return nil, errors.Wrap(err, "url-key generation failed") } - found := shortenBucket.Get([]byte(urlKey)) + found := pastesBucket.Get([]byte(urlKey)) if found == nil { break } 
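Review bot: In deletePasteHandler the closure reads `paste.DeleteToken` without checking `paste` for nil, but getURL returns `(nil, nil)` for a key that is not in the bucket, so a delete request for an unknown key with any well-formed token panics inside the transaction instead of answering 404. The `err != nil` branch is reached only for bucket or decode failures, which are server errors rather than `http.StatusNotFound`, and `fmt.Sprintf("error: %v", err)` then sends that internal error text to the client. The success path also writes no body or explicit status, so a caller cannot tell a completed deletion from an empty reply. The fence shows the start of the closure with the two cases separated.

```go
	var errorCode int
	if err := db.DB.Update(func(tx *bolt.Tx) error {
		paste, err := getURL(tx, key)
		if err != nil {
			// Bucket or decode failure, not a missing key.
			errorCode = http.StatusInternalServerError
			return err
		}
		if paste == nil {
			// getURL returns (nil, nil) when the key is absent.
			errorCode = http.StatusNotFound
			return errors.New("url key not found in the database")
		}
		// … unchanged: constant-time token comparison and savePaste call …
```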
@@ -278,24 +338,36 @@ func shortenURL(tx *bolt.Tx, userURL *url.URL, ownerKey [16]byte) (*StoredPaste, } // Store the new key - storedPaste := StoredPaste{ - Type: TypeRedirect, - State: StatePresent, + storedPaste := storedPaste{ + Type: typeRedirect, + State: statePresent, Content: []byte(userURL.String()), Key: urlKey, - OwnerToken: ownerKey, + DeleteToken: deleteToken, TimeCreated: time.Now().UTC(), } - storedBytes, err := gobmarsh.Marshal(storedPaste) - if err != nil { - return nil, errors.Wrap(err, "encoding for database failed") - } - if err := shortenBucket.Put([]byte(urlKey), storedBytes); err != nil { - return nil, errors.Wrap(err, "database transaction failed") + if err := savePaste(tx, urlKey, storedPaste); err != nil { + return nil, err } return &storedPaste, nil } +func savePaste(tx *bolt.Tx, key string, paste storedPaste) error { + bucket := tx.Bucket([]byte(db.BUCKET_PASTES)) + if bucket == nil { + return errors.Errorf("bucket %v does not exist", db.BUCKET_PASTES) + } + + buf, err := gobmarsh.Marshal(paste) + if err != nil { + return errors.Wrap(err, "encoding for database failed") + } + if err := bucket.Put([]byte(key), buf); err != nil { + return errors.Wrap(err, "database transaction failed") + } + return nil +} + func generateURLKey(epoch int) (string, error) { urlKey := make([]byte, 4+epoch) _, err := rand.Read(urlKey) 
@@ -331,26 +403,26 @@ func generateURLKey(epoch int) (string, error) { return string(urlKey), nil } -func generateOwnerToken() ([16]byte, error) { - var ownerKey [16]byte - _, err := rand.Read(ownerKey[:]) +func generateDeleteToken() ([16]byte, error) { + var deleteToken [16]byte + _, err := rand.Read(deleteToken[:]) if err != nil { - return ownerKey, err + return deleteToken, err } - return ownerKey, nil + return deleteToken, nil } -func getOwnerTokenFromRequest(r *http.Request) ([16]byte, bool) { - var ownerKey [16]byte - ownerKeyCookie, err := r.Cookie(CookieOwnerToken) - if err != nil && err != http.ErrNoCookie { - return ownerKey, false +func getDeleteTokenFromRequest(r *http.Request) (*[16]byte, error) { + deleteTokenQuery := r.URL.Query().Get("deleteToken") + if deleteTokenQuery == "" { + return nil, nil } - if ownerKeyCookie != nil { - n, err := base64Encoder.Strict().Decode(ownerKey[:], []byte(ownerKeyCookie.Value)) - if err == nil || n == 16 { - return ownerKey, true - } + var deleteToken [16]byte + n, err := hex.Decode(deleteToken[:], []byte(deleteTokenQuery)) + if err != nil { + return nil, errors.Wrap(err, "decoding hex") + } else if n != 16 { + return nil, errors.Errorf("invalid deleteToken length (%v bytes)", n) } - return ownerKey, false + return &deleteToken, nil } diff --git a/handlers/router.go b/handlers/router.go index b59c58d..f811bef 100644 --- a/handlers/router.go +++ b/handlers/router.go 
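Review bot: In getDeleteTokenFromRequest, `hex.Decode(deleteToken[:], ...)` runs before any length check, and hex.Decode does not bound-check its destination, so a `deleteToken` query value longer than 32 hex characters indexes past the 16-byte array and panics the handler. The `n != 16` test only catches values that are too short. Checking the encoded length first fixes it, placed right after the `var deleteToken [16]byte` declaration: `if len(deleteTokenQuery) != hex.EncodedLen(len(deleteToken)) { return nil, errors.Errorf("invalid deleteToken length (%v characters)", len(deleteTokenQuery)) }`. The function is called from the meta view and from deletePasteHandler before any token comparison, so the input is fully client-controlled.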
@@ -12,10 +12,12 @@ func StartMainServer() { // Initialize Gorilla router router := mux.NewRouter() router.HandleFunc("/", indexGetHandler).Methods("GET") - router.HandleFunc("/", indexPostHandler).Methods("POST") - router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}", pasteGetHandler).Methods("GET") - router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/nr", pasteGetHandlerNoRedirect).Methods("GET") - router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/meta", pasteGetHandlerMeta).Methods("GET") + router.HandleFunc("/", newPasteHandler).Methods("POST") + router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}", viewPasteHandler).Methods("GET") + router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/nr", viewPasteHandlerNoRedirect).Methods("GET") + router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/meta", viewPasteHandlerMeta).Methods("GET") + router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}", deletePasteHandler).Methods("DELETE") + router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/delete", deletePasteHandler).Methods("POST") srv := &http.Server{ Handler: router, diff --git a/handlers/views.go b/handlers/views.go index fe080a7..44df17b 100644 --- a/handlers/views.go +++ b/handlers/views.go @@ -79,6 +79,9 @@ func render(w http.ResponseWriter, r *http.Request, tmplName string, data map[st fmt.Fprintf(w, "error parsing Accept header: %v\n", err) } + // Add the request to the template data + data["Request"] = r + switch contentType { case "text/plain": w.Header().Set("Content-Type", "text/plain") @@ -97,7 +100,7 @@ func render(w http.ResponseWriter, r *http.Request, tmplName string, data map[st } // Construct a (lazy) plain-text view for inclusion in
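Review bot: Both new delete routes take the capability from the URL: getDeleteTokenFromRequest reads only `r.URL.Query()`, so even for `POST /{key}/delete` the token travels in the request line, where access logs, proxies and browser history record it. For the POST route, reading it from the form body first, e.g. `r.PostFormValue("deleteToken")`, with the query string as a fallback for the DELETE route, keeps it out of those places. StartMainServer's body continues outside the hunk, so any request logging configured there is not visible.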
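Review bot: `data["Request"] = r` in render writes into the caller's map, so any render call that passes a nil map now panics. The commit changes indexGetHandler from `nil` to an empty map, apparently for that reason, but the other callers of render are not visible in this diff. A guard before the assignment makes it safe regardless of the caller: `if data == nil { data = map[string]interface{}{} }`. Handing the whole `*http.Request` to templates also makes client-controlled values such as `Host` and the query string available for reflection, so passing only the fields the templates need would be narrower. render's body starts and ends outside the hunk.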
-		pre := func() string {
+		data["Pre"] = func() string {
 			tmpl := textTemplates[tmplName]
 			if tmpl == nil {
 				panic(fmt.Errorf("'%v' not in textTemplates", tmplName))
@@ -108,7 +111,6 @@ func render(w http.ResponseWriter, r *http.Request, tmplName string, data map[st
 			}
 			return buf.String()
 		}
-		data = mergeData(map[string]interface{}{"Pre": pre}, data)
 		err = tmpl.Execute(w, data)
 	default:
 		// Fall back to plain text without template
@@ -131,15 +133,6 @@ func renderInternalServerError(w http.ResponseWriter, r *http.Request, err inter
 	renderError(w, r, http.StatusInternalServerError, msg)
 }
 
-// Merge the second data map into the first one, overwriting any key that is
-// already present.
-func mergeData(into, from map[string]interface{}) map[string]interface{} {
-	for k, v := range from {
-		into[k] = v
-	}
-	return into
-}
-
 // Try to resolve the preferred content-type for the response to this request.
 //
 // This is done by reading from the `types` argument. If one of them matches