Implement deleting of pastes

Daan Sprenkels 2019-09-21 13:11:38 +02:00
parent 173ae7665b
commit 1c926a4864
4 changed files with 240 additions and 161 deletions


@ -1,5 +1,17 @@
key: {{.Paste.Key}} METADATA on <{{.Request.Host}}/{{.Paste.Key}}>:
type: {{.Paste.Type}}
state: {{.Paste.State}} TYPE: {{.Paste.Type}}
created: {{.Paste.TimeCreated}} STATE: {{.Paste.State}}
owner: {{if .IsOwner}}yes{{else}}no{{end}} {{if .Paste.TimeCreated.IsZero -}}
CREATED: undefined
{{else -}}
CREATED: {{.Paste.TimeCreated}}
{{end -}}
DELETE TOKEN: {{.CanDelete.String}}
{{if and (ne .Paste.State.String "deleted") .CanDelete.Bool}}
```
# To delete this {{.Paste.Type}}, execute:
curl --request "DELETE" "{{.Request.Host}}/{{.Paste.Key}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}"
```
{{end}}
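Review bot: The curl line is assembled from client-supplied request data, `.Request.Host` and the raw `deleteToken` query value, rather than from values the server holds. The query value is constrained only because the enclosing `{{if}}` requires `.CanDelete.Bool`, which the handler sets after the token hex-decoded and matched the stored one. That coupling is worth stating in the template, e.g. `{{- /* deleteToken is echoed verbatim; only reached when it hex-decoded and matched */ -}}`. The Host header has no comparable check and the printed URL has no scheme, so consider having the handler pass a configured base URL and the hex-encoded stored token instead of exposing the request to the template.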


@ -4,13 +4,13 @@ import (
"crypto/rand" "crypto/rand"
"crypto/subtle" "crypto/subtle"
"encoding/base64" "encoding/base64"
"encoding/hex"
"fmt" "fmt"
"log" "log"
"net/http" "net/http"
"net/url" "net/url"
"strings" "strings"
"time" "time"
"unicode"
"github.com/gorilla/mux" "github.com/gorilla/mux"
"github.com/pkg/errors" "github.com/pkg/errors"
@ -20,29 +20,39 @@ import (
"gitea.hashru.nl/dsprenkels/rushlink/gobmarsh" "gitea.hashru.nl/dsprenkels/rushlink/gobmarsh"
) )
type PasteType int type pasteType int
type PasteState int type pasteState int
type StoredPaste struct { type storedPaste struct {
Type PasteType Type pasteType
State PasteState State pasteState
Content []byte Content []byte
Key string Key string
OwnerToken [16]byte DeleteToken [16]byte
TimeCreated time.Time TimeCreated time.Time
} }
const ( const (
TypePaste PasteType = iota typeUndef pasteType = 0
TypeRedirect typePaste = 1
typeRedirect = 2
) )
const ( const (
StatePresent PasteState = iota stateUndef pasteState = 0
StateDeleted statePresent = 1
stateDeleted = 2
) )
const CookieOwnerToken = "owner_token" type viewPaste uint
const (
_ viewPaste = 1 << iota
viewNoRedirect
viewShowMeta
)
const CookieDeleteToken = "owner_token"
// These keys are designated reserved, and will not be randomly chosen // These keys are designated reserved, and will not be randomly chosen
var ReservedPasteKeys = []string{"xd42", "example"} var ReservedPasteKeys = []string{"xd42", "example"}
@ -51,22 +61,26 @@ var ReservedPasteKeys = []string{"xd42", "example"}
var base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_" var base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
var base64Encoder = base64.RawURLEncoding.WithPadding(base64.NoPadding) var base64Encoder = base64.RawURLEncoding.WithPadding(base64.NoPadding)
func (t PasteType) String() string { func (t pasteType) String() string {
switch t { switch t {
case TypePaste: case typeUndef:
return "unknown"
case typePaste:
return "paste" return "paste"
case TypeRedirect: case typeRedirect:
return "redirect" return "redirect"
default: default:
return "invalid" return "invalid"
} }
} }
func (t PasteState) String() string { func (t pasteState) String() string {
switch t { switch t {
case StatePresent: case stateUndef:
return "unknown"
case statePresent:
return "present" return "present"
case StateDeleted: case stateDeleted:
return "deleted" return "deleted"
default: default:
return "invalid" return "invalid"
@ -74,10 +88,89 @@ func (t PasteState) String() string {
} }
func indexGetHandler(w http.ResponseWriter, r *http.Request) { func indexGetHandler(w http.ResponseWriter, r *http.Request) {
render(w, r, "index", nil) render(w, r, "index", map[string]interface{}{})
} }
func indexPostHandler(w http.ResponseWriter, r *http.Request) { func viewPasteHandler(w http.ResponseWriter, r *http.Request) {
viewPasteHandlerInner(w, r, 0)
}
func viewPasteHandlerNoRedirect(w http.ResponseWriter, r *http.Request) {
viewPasteHandlerInner(w, r, viewNoRedirect)
}
func viewPasteHandlerMeta(w http.ResponseWriter, r *http.Request) {
viewPasteHandlerInner(w, r, viewShowMeta)
}
func viewPasteHandlerInner(w http.ResponseWriter, r *http.Request, flags viewPaste) {
vars := mux.Vars(r)
key := vars["key"]
var storedPaste *storedPaste
if err := db.DB.View(func(tx *bolt.Tx) error {
var err error
storedPaste, err = getURL(tx, key)
return err
}); err != nil {
log.Printf("error: %v\n", err)
renderInternalServerError(w, r, err)
return
}
if storedPaste == nil {
renderError(w, r, http.StatusNotFound, "url key not found in the database")
return
}
if flags&viewShowMeta != 0 {
canDelete := struct {
Bool bool
String string
}{Bool: false}
deleteToken, err := getDeleteTokenFromRequest(r)
if err != nil {
canDelete.String = "invalid"
} else if deleteToken == nil {
canDelete.String = "undefined"
} else {
if subtle.ConstantTimeCompare(deleteToken[:], storedPaste.DeleteToken[:]) == 1 {
canDelete.Bool = true
canDelete.String = "correct"
} else {
canDelete.String = "invalid"
}
}
data := map[string]interface{}{
"Paste": storedPaste,
"CanDelete": canDelete,
}
render(w, r, "pasteMeta", data)
return
}
switch storedPaste.State {
case statePresent:
if flags&viewNoRedirect == 0 {
rawurl := string(storedPaste.Content)
urlParse, err := url.Parse(rawurl)
if err != nil {
log.Printf("error: invalid URL ('%v') in database for key '%v': %v\n", rawurl, storedPaste.Key, err)
renderInternalServerError(w, r, "invalid url in database")
return
}
http.Redirect(w, r, urlParse.String(), http.StatusSeeOther)
}
w.Write(storedPaste.Content)
case stateDeleted:
renderError(w, r, http.StatusGone, "key has been deleted")
default:
log.Printf("error: invalid storedPaste.State (%v) for key '%v'\n", storedPaste.State, storedPaste.Key)
msg := fmt.Sprintf("internal server error: invalid storedPaste.State (%v\n)", storedPaste.State)
renderInternalServerError(w, r, msg)
}
}
func newPasteHandler(w http.ResponseWriter, r *http.Request) {
if err := r.ParseMultipartForm(50 * 1000 * 1000); err != nil { if err := r.ParseMultipartForm(50 * 1000 * 1000); err != nil {
log.Printf("error: %v\n", err) log.Printf("error: %v\n", err)
renderInternalServerError(w, r, err) renderInternalServerError(w, r, err)
@ -99,77 +192,10 @@ func indexPostHandler(w http.ResponseWriter, r *http.Request) {
return return
} }
shortenPostHandler(w, r) newRedirectPasteHandler(w, r)
} }
func pasteGetHandler(w http.ResponseWriter, r *http.Request) { func newRedirectPasteHandler(w http.ResponseWriter, r *http.Request) {
pasteGetHandlerInner(w, r, false, false)
}
func pasteGetHandlerNoRedirect(w http.ResponseWriter, r *http.Request) {
pasteGetHandlerInner(w, r, true, false)
}
func pasteGetHandlerMeta(w http.ResponseWriter, r *http.Request) {
pasteGetHandlerInner(w, r, false, true)
}
func pasteGetHandlerInner(w http.ResponseWriter, r *http.Request, noRedirect, showMeta bool) {
vars := mux.Vars(r)
key := vars["key"]
var storedPaste *StoredPaste
if err := db.DB.View(func(tx *bolt.Tx) error {
var err error
storedPaste, err = getURL(tx, []byte(key))
return err
}); err != nil {
log.Printf("error: %v\n", err)
renderInternalServerError(w, r, err)
return
}
if storedPaste == nil {
renderError(w, r, http.StatusNotFound, "url key not found in the database")
return
}
if showMeta {
isOwner := false
ownerToken, ok := getOwnerTokenFromRequest(r)
if ok && subtle.ConstantTimeCompare(ownerToken[:], storedPaste.OwnerToken[:]) == 1 {
isOwner = true
}
data := map[string]interface{}{
"Paste": storedPaste,
"IsOwner": isOwner,
}
render(w, r, "pasteMeta", data)
return
}
switch storedPaste.State {
case StatePresent:
if !noRedirect {
rawurl := string(storedPaste.Content)
urlParse, err := url.Parse(rawurl)
if err != nil {
log.Printf("error: invalid URL ('%v') in database for key '%v': %v\n", rawurl, storedPaste.Key, err)
renderInternalServerError(w, r, "invalid url in database")
return
}
http.Redirect(w, r, urlParse.String(), http.StatusSeeOther)
}
w.Write(storedPaste.Content)
case StateDeleted:
renderError(w, r, http.StatusGone, "key has been deleted")
default:
log.Printf("error: invalid storedPaste.State (%v) for key '%v'\n", storedPaste.State, storedPaste.Key)
msg := fmt.Sprintf("internal server error: invalid storedPaste.State (%v\n)", storedPaste.State)
renderInternalServerError(w, r, msg)
}
}
func shortenPostHandler(w http.ResponseWriter, r *http.Request) {
rawurl := r.PostForm.Get("shorten") rawurl := r.PostForm.Get("shorten")
userURL, err := url.ParseRequestURI(rawurl) userURL, err := url.ParseRequestURI(rawurl)
if err != nil { if err != nil {
@ -186,18 +212,15 @@ func shortenPostHandler(w http.ResponseWriter, r *http.Request) {
return return
} }
var storedPaste *StoredPaste var storedPaste *storedPaste
if err := db.DB.Update(func(tx *bolt.Tx) error { if err := db.DB.Update(func(tx *bolt.Tx) error {
ownerKey, ok := getOwnerTokenFromRequest(r) // Generate a new delete token for this paste
if ok == false { deleteToken, err := generateDeleteToken()
// Owner key not supplied or invalid, generate a new one
ownerKey, err = generateOwnerToken()
if err != nil { if err != nil {
return errors.Wrap(err, "generating OwnerToken") return errors.Wrap(err, "generating delete token")
}
} }
sp, err := shortenURL(tx, userURL, ownerKey) sp, err := shortenURL(tx, userURL, deleteToken)
storedPaste = sp storedPaste = sp
return err return err
}); err != nil { }); err != nil {
@ -206,34 +229,71 @@ func shortenPostHandler(w http.ResponseWriter, r *http.Request) {
return return
} }
saveURL, err := r.URL.Parse(string(storedPaste.Key)) deleteToken := hex.EncodeToString(storedPaste.DeleteToken[:])
saveRawurl := fmt.Sprintf("%v/%v?deleteToken=%v", r.Host, string(storedPaste.Key), deleteToken)
saveURL, err := r.URL.Parse(saveRawurl)
if err != nil { if err != nil {
err = errors.Wrap(err, "parsing url") err = errors.Wrap(err, "parsing url")
log.Printf("error: %v\n", err) log.Printf("error: %v\n", err)
renderInternalServerError(w, r, err) renderInternalServerError(w, r, err)
return return
} }
var base64OwnerToken = make([]byte, 24)
base64Encoder.Encode(base64OwnerToken, storedPaste.OwnerToken[:])
// TODO(dsprenkels) Put this into a template // TODO(dsprenkels) Put this into a template
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
fmt.Fprintf(w, "URL saved at %v\n", saveURL) fmt.Fprintf(w, "%v\n", saveURL)
isNotPrint := func(r rune) bool { return !unicode.IsPrint(r) } }
fmt.Fprintf(w, "Owner key is %s\n", strings.TrimRightFunc(string(base64OwnerToken), isNotPrint))
// Delete a URL from the database
func deletePasteHandler(w http.ResponseWriter, r *http.Request) {
// TODO(dsprenkels) LEFT HERE; this functionality still untested
vars := mux.Vars(r)
key := vars["key"]
deleteToken, err := getDeleteTokenFromRequest(r)
if err != nil {
renderError(w, r, http.StatusBadRequest, "invalid delete token")
return
} else if deleteToken == nil {
renderError(w, r, http.StatusBadRequest, "no delete token provided")
return
}
var errorCode int
if err := db.DB.Update(func(tx *bolt.Tx) error {
paste, err := getURL(tx, key)
if err != nil {
errorCode = http.StatusNotFound
return err
}
if subtle.ConstantTimeCompare(deleteToken[:], paste.DeleteToken[:]) == 1 {
// Replace the old paste with a new empty paste
return savePaste(tx, key, storedPaste{
Key: paste.Key,
State: stateDeleted,
DeleteToken: paste.DeleteToken,
})
}
errorCode = http.StatusForbidden
return errors.New("invalid delete token")
}); err != nil {
log.Printf("error: %v\n", err)
renderError(w, r, errorCode, fmt.Sprintf("error: %v", err))
return
}
} }
// Retrieve a URL from the database // Retrieve a URL from the database
func getURL(tx *bolt.Tx, key []byte) (*StoredPaste, error) { func getURL(tx *bolt.Tx, key string) (*storedPaste, error) {
shortenBucket := tx.Bucket([]byte(db.BUCKET_PASTES)) pastesBucket := tx.Bucket([]byte(db.BUCKET_PASTES))
if shortenBucket == nil { if pastesBucket == nil {
return nil, fmt.Errorf("bucket %v does not exist", db.BUCKET_PASTES) return nil, errors.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
} }
storedBytes := shortenBucket.Get(key) storedBytes := pastesBucket.Get([]byte(key))
if storedBytes == nil { if storedBytes == nil {
return nil, nil return nil, nil
} }
storedPaste := &StoredPaste{} storedPaste := &storedPaste{}
err := gobmarsh.Unmarshal(storedBytes, storedPaste) err := gobmarsh.Unmarshal(storedBytes, storedPaste)
return storedPaste, err return storedPaste, err
} }
@ -241,10 +301,10 @@ func getURL(tx *bolt.Tx, key []byte) (*StoredPaste, error) {
// Add a new URL to the database // Add a new URL to the database
// //
// Returns the new ID if the url was successfully shortened // Returns the new ID if the url was successfully shortened
func shortenURL(tx *bolt.Tx, userURL *url.URL, ownerKey [16]byte) (*StoredPaste, error) { func shortenURL(tx *bolt.Tx, userURL *url.URL, deleteToken [16]byte) (*storedPaste, error) {
shortenBucket := tx.Bucket([]byte(db.BUCKET_PASTES)) pastesBucket := tx.Bucket([]byte(db.BUCKET_PASTES))
if shortenBucket == nil { if pastesBucket == nil {
return nil, fmt.Errorf("bucket %v does not exist", db.BUCKET_PASTES) return nil, errors.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
} }
// Generate a key until it is not in the database, this occurs in O(log N), // Generate a key until it is not in the database, this occurs in O(log N),
@ -258,7 +318,7 @@ func shortenURL(tx *bolt.Tx, userURL *url.URL, ownerKey [16]byte) (*StoredPaste,
return nil, errors.Wrap(err, "url-key generation failed") return nil, errors.Wrap(err, "url-key generation failed")
} }
found := shortenBucket.Get([]byte(urlKey)) found := pastesBucket.Get([]byte(urlKey))
if found == nil { if found == nil {
break break
} }
@ -278,24 +338,36 @@ func shortenURL(tx *bolt.Tx, userURL *url.URL, ownerKey [16]byte) (*StoredPaste,
} }
// Store the new key // Store the new key
storedPaste := StoredPaste{ storedPaste := storedPaste{
Type: TypeRedirect, Type: typeRedirect,
State: StatePresent, State: statePresent,
Content: []byte(userURL.String()), Content: []byte(userURL.String()),
Key: urlKey, Key: urlKey,
OwnerToken: ownerKey, DeleteToken: deleteToken,
TimeCreated: time.Now().UTC(), TimeCreated: time.Now().UTC(),
} }
storedBytes, err := gobmarsh.Marshal(storedPaste) if err := savePaste(tx, urlKey, storedPaste); err != nil {
if err != nil { return nil, err
return nil, errors.Wrap(err, "encoding for database failed")
}
if err := shortenBucket.Put([]byte(urlKey), storedBytes); err != nil {
return nil, errors.Wrap(err, "database transaction failed")
} }
return &storedPaste, nil return &storedPaste, nil
} }
func savePaste(tx *bolt.Tx, key string, paste storedPaste) error {
bucket := tx.Bucket([]byte(db.BUCKET_PASTES))
if bucket == nil {
return errors.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
}
buf, err := gobmarsh.Marshal(paste)
if err != nil {
return errors.Wrap(err, "encoding for database failed")
}
if err := bucket.Put([]byte(key), buf); err != nil {
return errors.Wrap(err, "database transaction failed")
}
return nil
}
func generateURLKey(epoch int) (string, error) { func generateURLKey(epoch int) (string, error) {
urlKey := make([]byte, 4+epoch) urlKey := make([]byte, 4+epoch)
_, err := rand.Read(urlKey) _, err := rand.Read(urlKey)
@ -331,26 +403,26 @@ func generateURLKey(epoch int) (string, error) {
return string(urlKey), nil return string(urlKey), nil
} }
func generateOwnerToken() ([16]byte, error) { func generateDeleteToken() ([16]byte, error) {
var ownerKey [16]byte var deleteToken [16]byte
_, err := rand.Read(ownerKey[:]) _, err := rand.Read(deleteToken[:])
if err != nil { if err != nil {
return ownerKey, err return deleteToken, err
} }
return ownerKey, nil return deleteToken, nil
} }
func getOwnerTokenFromRequest(r *http.Request) ([16]byte, bool) { func getDeleteTokenFromRequest(r *http.Request) (*[16]byte, error) {
var ownerKey [16]byte deleteTokenQuery := r.URL.Query().Get("deleteToken")
ownerKeyCookie, err := r.Cookie(CookieOwnerToken) if deleteTokenQuery == "" {
if err != nil && err != http.ErrNoCookie { return nil, nil
return ownerKey, false
} }
if ownerKeyCookie != nil { var deleteToken [16]byte
n, err := base64Encoder.Strict().Decode(ownerKey[:], []byte(ownerKeyCookie.Value)) n, err := hex.Decode(deleteToken[:], []byte(deleteTokenQuery))
if err == nil || n == 16 { if err != nil {
return ownerKey, true return nil, errors.Wrap(err, "decoding hex")
} else if n != 16 {
return nil, errors.Errorf("invalid deleteToken length (%v bytes)", n)
} }
} return &deleteToken, nil
return ownerKey, false
} }
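Review bot: deletePasteHandler dereferences `paste.DeleteToken` without a nil check, but getURL returns `nil, nil` for an unknown key, so a DELETE for a missing key with a well-formed token panics inside the bolt transaction. The same closure leaves `errorCode` at 0 when savePaste fails and reports every getURL error as 404; if renderError passes that value to WriteHeader, net/http rejects a zero status. The fence below sets a status on every error path and handles the missing key explicitly. Separately, getDeleteTokenFromRequest decodes into a 16-byte array without checking the input length, and hex.Decode indexes past `dst` when the query value is longer than 32 hex characters, so any request can trigger a handler panic. Adding `if len(deleteTokenQuery) != hex.EncodedLen(len(deleteToken)) { return nil, errors.Errorf("invalid deleteToken length") }` after the `var deleteToken [16]byte` line avoids that.

```go
	if err := db.DB.Update(func(tx *bolt.Tx) error {
		paste, err := getURL(tx, key)
		if err != nil {
			// Lookup or decode failure, not a missing key.
			errorCode = http.StatusInternalServerError
			return err
		}
		if paste == nil {
			// getURL signals "no such key" with (nil, nil).
			errorCode = http.StatusNotFound
			return errors.New("url key not found in the database")
		}
		if subtle.ConstantTimeCompare(deleteToken[:], paste.DeleteToken[:]) != 1 {
			errorCode = http.StatusForbidden
			return errors.New("invalid delete token")
		}
		// Any failure past this point is a storage error.
		errorCode = http.StatusInternalServerError
		// … unchanged: return savePaste(tx, key, storedPaste{…State: stateDeleted…}) …
	}); err != nil {
```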


@ -12,10 +12,12 @@ func StartMainServer() {
// Initialize Gorilla router // Initialize Gorilla router
router := mux.NewRouter() router := mux.NewRouter()
router.HandleFunc("/", indexGetHandler).Methods("GET") router.HandleFunc("/", indexGetHandler).Methods("GET")
router.HandleFunc("/", indexPostHandler).Methods("POST") router.HandleFunc("/", newPasteHandler).Methods("POST")
router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}", pasteGetHandler).Methods("GET") router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}", viewPasteHandler).Methods("GET")
router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/nr", pasteGetHandlerNoRedirect).Methods("GET") router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/nr", viewPasteHandlerNoRedirect).Methods("GET")
router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/meta", pasteGetHandlerMeta).Methods("GET") router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/meta", viewPasteHandlerMeta).Methods("GET")
router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}", deletePasteHandler).Methods("DELETE")
router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/delete", deletePasteHandler).Methods("POST")
srv := &http.Server{ srv := &http.Server{
Handler: router, Handler: router,
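Review bot: Both new delete routes depend on the token arriving as `?deleteToken=`, because getDeleteTokenFromRequest in the handlers file reads only `r.URL.Query()`. That places the deletion credential in access logs, proxy logs and shell history, and the `POST .../delete` route cannot accept it from the request body. For the POST route consider reading `r.PostFormValue("deleteToken")` first and falling back to the query string. A comment above the routes would also help, such as `// deleteToken is a bearer credential; do not log full request URLs for these routes`. StartMainServer starts and ends outside this hunk.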


@ -79,6 +79,9 @@ func render(w http.ResponseWriter, r *http.Request, tmplName string, data map[st
fmt.Fprintf(w, "error parsing Accept header: %v\n", err) fmt.Fprintf(w, "error parsing Accept header: %v\n", err)
} }
// Add the request to the template data
data["Request"] = r
switch contentType { switch contentType {
case "text/plain": case "text/plain":
w.Header().Set("Content-Type", "text/plain") w.Header().Set("Content-Type", "text/plain")
@ -97,7 +100,7 @@ func render(w http.ResponseWriter, r *http.Request, tmplName string, data map[st
} }
// Construct a (lazy) plain-text view for inclusion in <pre> // Construct a (lazy) plain-text view for inclusion in <pre>
pre := func() string { data["Pre"] = func() string {
tmpl := textTemplates[tmplName] tmpl := textTemplates[tmplName]
if tmpl == nil { if tmpl == nil {
panic(fmt.Errorf("'%v' not in textTemplates", tmplName)) panic(fmt.Errorf("'%v' not in textTemplates", tmplName))
@ -108,7 +111,6 @@ func render(w http.ResponseWriter, r *http.Request, tmplName string, data map[st
} }
return buf.String() return buf.String()
} }
data = mergeData(map[string]interface{}{"Pre": pre}, data)
err = tmpl.Execute(w, data) err = tmpl.Execute(w, data)
default: default:
// Fall back to plain text without template // Fall back to plain text without template
@ -131,15 +133,6 @@ func renderInternalServerError(w http.ResponseWriter, r *http.Request, err inter
renderError(w, r, http.StatusInternalServerError, msg) renderError(w, r, http.StatusInternalServerError, msg)
} }
// Merge the second data map into the first one, overwriting any key that is
// already present.
func mergeData(into, from map[string]interface{}) map[string]interface{} {
for k, v := range from {
into[k] = v
}
return into
}
// Try to resolve the preferred content-type for the response to this request. // Try to resolve the preferred content-type for the response to this request.
// //
// This is done by reading from the `types` argument. If one of them matches // This is done by reading from the `types` argument. If one of them matches
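Review bot: `data["Request"] = r` writes into the caller's map, so any call that still passes a nil map panics at this line. indexGetHandler was switched to an empty map in this commit, but the other callers (renderError's body is not shown) cannot be checked from this page. A guard before the assignment removes the dependency on every caller: `if data == nil { data = map[string]interface{}{} }`. Handing the whole `*http.Request` to templates also exposes headers and cookies to every template, so passing only the fields the templates use (host, key, token) would keep that surface narrower. render's body starts and ends outside these hunks.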