2019-11-09 15:50:12 +01:00
|
|
|
package rushlink
|
2019-08-25 21:33:56 +02:00
|
|
|
|
|
|
|
import (
|
2019-09-01 01:41:01 +02:00
|
|
|
"crypto/subtle"
|
2019-08-25 21:33:56 +02:00
|
|
|
"fmt"
|
|
|
|
"log"
|
2019-11-10 19:03:57 +01:00
|
|
|
"mime/multipart"
|
2019-08-25 21:33:56 +02:00
|
|
|
"net/http"
|
|
|
|
"net/url"
|
2019-11-10 19:03:57 +01:00
|
|
|
"os"
|
2023-04-30 12:03:23 +02:00
|
|
|
"strconv"
|
2019-12-19 23:17:37 +01:00
|
|
|
"strings"
|
2019-08-25 21:33:56 +02:00
|
|
|
"time"
|
|
|
|
|
2020-10-25 17:33:51 +01:00
|
|
|
"gitea.hashru.nl/dsprenkels/rushlink/internal/db"
|
2019-11-10 19:03:57 +01:00
|
|
|
"github.com/google/uuid"
|
2019-08-29 23:40:24 +02:00
|
|
|
"github.com/gorilla/mux"
|
|
|
|
"github.com/pkg/errors"
|
2019-08-25 21:33:56 +02:00
|
|
|
)
|
|
|
|
|
2020-05-30 18:34:59 +02:00
|
|
|
const (
|
|
|
|
// formParseMaxMemory value is based on the default value that is used in
|
|
|
|
// Request.ParseMultipartForm.
|
|
|
|
formParseMaxMemory = 32 << 20 // 32 MB
|
2020-07-27 14:53:19 +02:00
|
|
|
|
|
|
|
// highOnlineEntropy is the desired entropy of an "unguessable" paste URL
|
|
|
|
// (in bits). It should be chosen such that it should be hard for an
|
|
|
|
// attacker to find *any* key that should not be found.
|
|
|
|
// It is desired that the probability to guess a good key is small.
|
|
|
|
//
|
|
|
|
// [ amount of pastes ]
|
|
|
|
// Pr[ good key ] = ---------------------------
|
|
|
|
// [ amount of possible keys ]
|
|
|
|
//
|
|
|
|
// So with a conservative [ amount of pastes ] = 2^32 (= 4 billion), and
|
|
|
|
// an [ amount of possible keys ] = 2^80 then the probability of a correct
|
|
|
|
// guess is 2^-48.
|
|
|
|
highOnlineEntropy = 80
|
2020-05-30 18:34:59 +02:00
|
|
|
)
|
|
|
|
|
2019-09-21 13:11:38 +02:00
|
|
|
type viewPaste uint
|
|
|
|
|
|
|
|
const (
|
|
|
|
_ viewPaste = 1 << iota
|
|
|
|
viewNoRedirect
|
|
|
|
viewShowMeta
|
|
|
|
)
|
|
|
|
|
2019-12-17 11:03:29 +01:00
|
|
|
type canDelete uint
|
|
|
|
|
|
|
|
const (
|
|
|
|
canDeleteUndef canDelete = iota
|
|
|
|
canDeleteYes
|
|
|
|
canDeleteNo
|
|
|
|
)
|
|
|
|
|
|
|
|
func (cd *canDelete) Bool() bool {
|
|
|
|
return *cd == canDeleteYes
|
|
|
|
}
|
|
|
|
|
|
|
|
func (cd *canDelete) String() string {
|
|
|
|
switch *cd {
|
|
|
|
case canDeleteUndef:
|
|
|
|
return "undefined"
|
|
|
|
case canDeleteYes:
|
|
|
|
return "correct"
|
|
|
|
case canDeleteNo:
|
|
|
|
return "invalid"
|
|
|
|
default:
|
|
|
|
panic("unreachable")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-12-16 11:51:41 +01:00
|
|
|
func (rl *rushlink) staticGetHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
rl.renderStatic(w, r, mux.Vars(r)["path"])
|
|
|
|
}
|
|
|
|
|
2019-12-03 23:08:58 +01:00
|
|
|
func (rl *rushlink) indexGetHandler(w http.ResponseWriter, r *http.Request) {
|
2020-05-11 22:45:56 +02:00
|
|
|
rl.render(w, r, http.StatusOK, "index", map[string]interface{}{})
|
2019-09-01 01:41:01 +02:00
|
|
|
}
|
|
|
|
|
2019-12-03 23:08:58 +01:00
|
|
|
func (rl *rushlink) viewPasteHandler(w http.ResponseWriter, r *http.Request) {
|
2019-12-17 11:03:29 +01:00
|
|
|
rl.viewPasteHandlerFlags(w, r, 0)
|
2019-08-31 00:02:01 +02:00
|
|
|
}
|
|
|
|
|
2019-12-03 23:08:58 +01:00
|
|
|
func (rl *rushlink) viewPasteHandlerNoRedirect(w http.ResponseWriter, r *http.Request) {
|
2019-12-17 11:03:29 +01:00
|
|
|
rl.viewPasteHandlerFlags(w, r, viewNoRedirect)
|
2019-08-31 00:02:01 +02:00
|
|
|
}
|
|
|
|
|
2019-12-03 23:08:58 +01:00
|
|
|
func (rl *rushlink) viewPasteHandlerMeta(w http.ResponseWriter, r *http.Request) {
|
2019-12-17 11:03:29 +01:00
|
|
|
rl.viewPasteHandlerFlags(w, r, viewShowMeta)
|
2019-09-01 01:41:01 +02:00
|
|
|
}
|
|
|
|
|
2019-12-17 11:03:29 +01:00
|
|
|
func (rl *rushlink) viewPasteHandlerFlags(w http.ResponseWriter, r *http.Request, flags viewPaste) {
|
2019-08-29 00:50:26 +02:00
|
|
|
vars := mux.Vars(r)
|
|
|
|
key := vars["key"]
|
2020-10-25 17:33:51 +01:00
|
|
|
var p *db.Paste
|
|
|
|
var fu *db.FileUpload
|
|
|
|
var notFound bool
|
|
|
|
err := rl.db.Transaction(func(tx *db.Database) error {
|
2019-08-29 00:50:26 +02:00
|
|
|
var err error
|
2020-10-25 17:33:51 +01:00
|
|
|
p, err = db.GetPaste(tx, key)
|
2019-11-10 19:03:57 +01:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2020-10-25 17:33:51 +01:00
|
|
|
if p != nil && p.Type == db.PasteTypeFileUpload {
|
2019-11-10 19:03:57 +01:00
|
|
|
var id uuid.UUID
|
|
|
|
copy(id[:], p.Content)
|
2020-10-25 17:33:51 +01:00
|
|
|
fu, err = db.GetFileUpload(tx, id)
|
2019-11-10 19:03:57 +01:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
2020-07-27 16:57:09 +02:00
|
|
|
})
|
2020-10-25 17:33:51 +01:00
|
|
|
if notFound {
|
|
|
|
err = db.ErrPasteDoesNotExist
|
|
|
|
}
|
2020-07-27 16:57:09 +02:00
|
|
|
if err != nil {
|
2020-10-25 17:33:51 +01:00
|
|
|
status := db.ErrHTTPStatusCode(err)
|
2020-07-27 16:57:09 +02:00
|
|
|
if status == http.StatusInternalServerError {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
rl.renderError(w, r, status, err.Error())
|
2019-09-01 01:41:01 +02:00
|
|
|
return
|
|
|
|
}
|
2019-12-17 11:03:29 +01:00
|
|
|
rl.viewPasteHandlerInner(w, r, flags, p, fu)
|
|
|
|
}
|
2019-09-01 01:41:01 +02:00
|
|
|
|
2020-10-25 17:33:51 +01:00
|
|
|
func (rl *rushlink) viewPasteHandlerInner(w http.ResponseWriter, r *http.Request, flags viewPaste, p *db.Paste, fu *db.FileUpload) {
|
2019-12-17 11:03:29 +01:00
|
|
|
if flags&viewShowMeta != 0 {
|
|
|
|
rl.viewPasteHandlerInnerMeta(w, r, p, fu)
|
2020-01-05 00:14:53 +01:00
|
|
|
return
|
2019-08-29 00:50:26 +02:00
|
|
|
}
|
2019-09-01 01:41:01 +02:00
|
|
|
|
2019-09-22 14:03:27 +02:00
|
|
|
switch p.State {
|
2020-10-25 17:33:51 +01:00
|
|
|
case db.PasteStatePresent:
|
2019-11-10 19:03:57 +01:00
|
|
|
switch p.Type {
|
2020-10-25 17:33:51 +01:00
|
|
|
case db.PasteTypeFileUpload:
|
2019-11-10 19:03:57 +01:00
|
|
|
if fu == nil {
|
2019-12-17 11:03:29 +01:00
|
|
|
panic(fmt.Sprintf("file for id %v does not exist in database\n", string(p.Content)))
|
2019-08-31 00:02:01 +02:00
|
|
|
}
|
2019-12-19 23:17:37 +01:00
|
|
|
rl.viewFileUploadHandler(w, r, fu)
|
|
|
|
return
|
2020-10-25 17:33:51 +01:00
|
|
|
case db.PasteTypeRedirect:
|
2020-07-27 16:57:55 +02:00
|
|
|
if flags&viewNoRedirect != 0 {
|
|
|
|
w.Write([]byte(p.RedirectURL().String()))
|
|
|
|
return
|
2019-12-19 23:17:37 +01:00
|
|
|
}
|
2020-07-27 16:57:55 +02:00
|
|
|
http.Redirect(w, r, p.RedirectURL().String(), http.StatusTemporaryRedirect)
|
2019-12-19 23:17:37 +01:00
|
|
|
return
|
2019-11-10 19:03:57 +01:00
|
|
|
default:
|
|
|
|
panic("paste type unsupported")
|
|
|
|
}
|
2019-12-19 23:17:37 +01:00
|
|
|
|
2020-10-25 17:33:51 +01:00
|
|
|
case db.PasteStateDeleted:
|
2019-12-15 12:18:50 +01:00
|
|
|
rl.renderError(w, r, http.StatusGone, "paste has been deleted\n")
|
2019-12-19 23:17:37 +01:00
|
|
|
return
|
2019-08-29 00:50:26 +02:00
|
|
|
default:
|
2019-10-15 23:19:45 +02:00
|
|
|
panic(errors.Errorf("invalid paste.State (%v) for key '%v'", p.State, p.Key))
|
2019-08-29 00:50:26 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-10-25 17:33:51 +01:00
|
|
|
func (rl *rushlink) viewFileUploadHandler(w http.ResponseWriter, r *http.Request, fu *db.FileUpload) {
|
2019-12-19 23:17:37 +01:00
|
|
|
filePath := fu.Path(rl.fs)
|
|
|
|
file, err := os.Open(filePath)
|
|
|
|
if err != nil {
|
|
|
|
if os.IsNotExist(err) {
|
|
|
|
log.Printf("error: '%v' should exist according to the database, but it doesn't", filePath)
|
|
|
|
rl.renderError(w, r, http.StatusNotFound, "file not found")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
// unexpected error
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
var modtime time.Time
|
|
|
|
info, err := file.Stat()
|
|
|
|
if err != nil {
|
|
|
|
log.Printf("error: %v", errors.Wrapf(err, "could not stat file '%v'", filePath))
|
|
|
|
} else {
|
|
|
|
modtime = info.ModTime()
|
|
|
|
}
|
|
|
|
|
|
|
|
// Provide the real filename to the client (to be used in Ctrl+S etc.)
|
|
|
|
quotedName := strings.ReplaceAll(fu.FileName, "\"", "\\\"")
|
|
|
|
w.Header().Set("Content-Disposition", fmt.Sprintf("inline; filename=\"%s\"", quotedName))
|
|
|
|
|
|
|
|
// We use http.ServeContent (instead of http.ServeFile) because we cannot
|
|
|
|
// use http.ServeFile together with the assertion that the file exists,
|
|
|
|
// without introducing a TOCTOU flaw.
|
|
|
|
http.ServeContent(w, r, fu.FileName, modtime, file)
|
|
|
|
}
|
|
|
|
|
2020-10-25 17:33:51 +01:00
|
|
|
func (rl *rushlink) viewPasteHandlerInnerMeta(w http.ResponseWriter, r *http.Request, p *db.Paste, fu *db.FileUpload) {
|
2019-12-17 11:03:29 +01:00
|
|
|
var cd canDelete
|
|
|
|
deleteToken := getDeleteTokenFromRequest(r)
|
|
|
|
if deleteToken != "" {
|
|
|
|
if subtle.ConstantTimeCompare([]byte(deleteToken), []byte(p.DeleteToken)) == 1 {
|
|
|
|
cd = canDeleteYes
|
|
|
|
} else {
|
|
|
|
cd = canDeleteNo
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
var fileExt string
|
|
|
|
if fu != nil {
|
|
|
|
fileExt = fu.Ext()
|
|
|
|
}
|
|
|
|
data := map[string]interface{}{
|
2020-05-11 22:32:35 +02:00
|
|
|
"Paste": p,
|
|
|
|
"FileExt": fileExt,
|
|
|
|
"CanDeleteString": cd.String(),
|
|
|
|
"CanDeleteBool": cd.Bool(),
|
2019-12-17 11:03:29 +01:00
|
|
|
}
|
2020-05-11 22:45:56 +02:00
|
|
|
var status int
|
2020-10-25 17:33:51 +01:00
|
|
|
if p.State == db.PasteStateDeleted {
|
2020-05-11 22:45:56 +02:00
|
|
|
status = http.StatusGone
|
|
|
|
} else {
|
|
|
|
status = http.StatusOK
|
|
|
|
}
|
|
|
|
rl.render(w, r, status, "pasteMeta", data)
|
2019-12-17 11:03:29 +01:00
|
|
|
}
|
|
|
|
|
2020-10-25 17:33:51 +01:00
|
|
|
func (rl *rushlink) viewActionSuccess(w http.ResponseWriter, r *http.Request, p *db.Paste, fu *db.FileUpload) {
|
2019-12-17 11:03:29 +01:00
|
|
|
var fileExt string
|
|
|
|
if fu != nil {
|
|
|
|
fileExt = fu.Ext()
|
|
|
|
}
|
2020-05-09 00:43:07 +02:00
|
|
|
// Redirect to the new paste.
|
|
|
|
pasteURL := url.URL{
|
|
|
|
Path: fmt.Sprintf("/%s%s/meta", p.Key, fileExt),
|
|
|
|
RawQuery: fmt.Sprintf("deleteToken=%s", url.QueryEscape(p.DeleteToken)),
|
|
|
|
}
|
|
|
|
http.Redirect(w, r, pasteURL.String(), http.StatusFound)
|
|
|
|
// But still render the page for CURL-like clients.
|
2020-05-11 22:32:35 +02:00
|
|
|
cd := canDeleteYes
|
2019-12-17 11:03:29 +01:00
|
|
|
data := map[string]interface{}{
|
2020-05-11 22:32:35 +02:00
|
|
|
"Paste": p,
|
|
|
|
"FileExt": fileExt,
|
|
|
|
"CanDeleteString": cd.String(),
|
|
|
|
"CanDeleteBool": cd.Bool(),
|
2019-12-17 11:03:29 +01:00
|
|
|
}
|
2020-05-11 22:45:56 +02:00
|
|
|
rl.render(w, r, 0, "pasteMeta", data)
|
2019-12-17 11:03:29 +01:00
|
|
|
}
|
|
|
|
|
2019-12-03 23:08:58 +01:00
|
|
|
func (rl *rushlink) newPasteHandler(w http.ResponseWriter, r *http.Request) {
|
2023-04-30 12:03:23 +02:00
|
|
|
// Check if the user is authenticated
|
2023-04-30 21:26:10 +02:00
|
|
|
user := rl.authenticateUser(w, r, false, nil)
|
|
|
|
if user == nil {
|
2023-04-30 12:03:23 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2020-05-30 18:34:59 +02:00
|
|
|
if err := r.ParseMultipartForm(formParseMaxMemory); err != nil {
|
2019-11-22 18:41:54 +01:00
|
|
|
msg := fmt.Sprintf("could not parse form: %v\n", err)
|
2019-12-15 12:18:50 +01:00
|
|
|
rl.renderError(w, r, http.StatusBadRequest, msg)
|
2019-11-10 19:03:57 +01:00
|
|
|
return
|
2019-09-21 13:11:38 +02:00
|
|
|
}
|
|
|
|
|
2020-05-30 18:34:59 +02:00
|
|
|
fileHeaders, fileHeadersPrs := r.MultipartForm.File["file"]
|
|
|
|
shortens, shortensPrs := r.MultipartForm.Value["shorten"]
|
|
|
|
|
|
|
|
if !shortensPrs && !fileHeadersPrs {
|
|
|
|
rl.renderError(w, r, http.StatusBadRequest, "no 'file' and no 'shorten' fields given in form\n")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if shortensPrs && fileHeadersPrs {
|
|
|
|
rl.renderError(w, r, http.StatusBadRequest, "both 'file' and 'shorten' fields provided in form\n")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if shortensPrs {
|
2023-04-30 12:03:23 +02:00
|
|
|
rl.newRedirectPasteHandler(w, r, user, shortens[0])
|
2020-05-30 18:34:59 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
if fileHeadersPrs {
|
|
|
|
fileHeader := fileHeaders[0]
|
|
|
|
file, err := fileHeader.Open()
|
|
|
|
if err != nil {
|
|
|
|
rl.renderInternalServerError(w, r, err)
|
|
|
|
return
|
|
|
|
}
|
2023-04-30 12:03:23 +02:00
|
|
|
rl.newFileUploadPasteHandler(w, r, user, file, *fileHeader)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
func (rl *rushlink) createUserHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
// Check if the user is authenticated as an admin
|
|
|
|
user := rl.authenticateUser(w, r, true, nil)
|
|
|
|
if user == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := r.ParseMultipartForm(formParseMaxMemory); err != nil {
|
|
|
|
msg := fmt.Sprintf("could not parse form: %v\n", err)
|
|
|
|
rl.renderError(w, r, http.StatusBadRequest, msg)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
new_username := r.FormValue("username")
|
|
|
|
new_password := r.FormValue("password")
|
|
|
|
new_admin, _ := strconv.ParseBool(r.FormValue("admin"))
|
|
|
|
|
|
|
|
// Create the user
|
|
|
|
if err := db.NewUser(rl.db, new_username, new_password, new_admin); err != nil {
|
|
|
|
// Failed to create the user, return a 500 Internal Server Error response
|
|
|
|
http.Error(w, "Failed to create user", http.StatusInternalServerError)
|
2019-09-21 13:11:38 +02:00
|
|
|
return
|
|
|
|
}
|
2023-04-30 12:03:23 +02:00
|
|
|
|
|
|
|
// Return a 201 Created response
|
|
|
|
w.WriteHeader(http.StatusCreated)
|
|
|
|
}
|
|
|
|
|
2023-04-30 21:26:10 +02:00
|
|
|
func (rl *rushlink) setWWWAuthenticate(w http.ResponseWriter, r *http.Request) {
|
|
|
|
// Set authentication headers for Basic Authentication
|
|
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
|
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
|
|
}
|
|
|
|
|
2023-04-30 12:03:23 +02:00
|
|
|
func (rl *rushlink) authenticateUser(w http.ResponseWriter, r *http.Request, shouldBeAdmin bool, canAlsoBe *string) *db.User {
|
|
|
|
// Check if the user is authenticated
|
|
|
|
username, password, ok := r.BasicAuth()
|
|
|
|
if !ok {
|
|
|
|
// User is not authenticated, return a 401 Unauthorized response
|
2023-04-30 21:26:10 +02:00
|
|
|
rl.setWWWAuthenticate(w, r)
|
2023-04-30 12:03:23 +02:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Authenticate the user
|
|
|
|
user, err := db.Authenticate(rl.db, username, password)
|
2023-04-30 21:26:10 +02:00
|
|
|
if err != nil {
|
|
|
|
rl.setWWWAuthenticate(w, r)
|
|
|
|
log.Printf("authentication failure: %s", err)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if (shouldBeAdmin && !user.Admin && (canAlsoBe == nil || *canAlsoBe != user.User)) {
|
2023-04-30 12:03:23 +02:00
|
|
|
// Authentication failed, return a 401 Unauthorized response
|
2023-04-30 21:26:10 +02:00
|
|
|
rl.setWWWAuthenticate(w, r)
|
|
|
|
log.Printf("user '%s' should be admin (or '%s'), but isn't", username, canAlsoBe)
|
2023-04-30 12:03:23 +02:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return user
|
|
|
|
}
|
|
|
|
func (rl *rushlink) deleteUserHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
// Parse the user ID from the request URL
|
|
|
|
vars := mux.Vars(r)
|
|
|
|
userName := vars["user"]
|
|
|
|
|
|
|
|
// Check if the user is authenticated as an admin or self
|
|
|
|
user := rl.authenticateUser(w, r, true, &userName)
|
|
|
|
if user == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Delete the user
|
|
|
|
if err := db.DeleteUser(rl.db, userName); err != nil {
|
|
|
|
// Failed to delete the user, return a 500 Internal Server Error response
|
|
|
|
http.Error(w, "Failed to delete user", http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Return a 204 No Content response
|
|
|
|
w.WriteHeader(http.StatusNoContent)
|
|
|
|
}
|
|
|
|
func (rl *rushlink) changeUserHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
// Parse the user ID from the request URL
|
|
|
|
vars := mux.Vars(r)
|
|
|
|
userName := vars["user"]
|
|
|
|
|
|
|
|
// Check if the user is authenticated as an admin or self
|
|
|
|
user := rl.authenticateUser(w, r, true, &userName)
|
|
|
|
if user == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Parse the request multipart form
|
|
|
|
if err := r.ParseMultipartForm(formParseMaxMemory); err != nil {
|
|
|
|
msg := fmt.Sprintf("could not parse form: %v\n", err)
|
|
|
|
rl.renderError(w, r, http.StatusBadRequest, msg)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the user record from the database
|
|
|
|
updatedUser := new(db.User)
|
|
|
|
if err := rl.db.Where("user = ?", userName).First(&updatedUser).Error; err != nil {
|
|
|
|
// User record not found, return a 404 Not Found response
|
|
|
|
http.NotFound(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the updated user data from the form
|
|
|
|
if newUsername := r.FormValue("new_username"); newUsername != "" {
|
|
|
|
updatedUser.User = newUsername
|
|
|
|
}
|
|
|
|
if newPassword := r.FormValue("new_password"); newPassword != "" {
|
|
|
|
hashedPassword, err := db.HashPassword(newPassword)
|
|
|
|
if err != nil {
|
|
|
|
msg := fmt.Sprintf("could not hash password: %v\n", err)
|
|
|
|
rl.renderError(w, r, http.StatusInternalServerError, msg)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
updatedUser.Password = hashedPassword
|
|
|
|
}
|
|
|
|
if newAdminStr := r.FormValue("new_admin"); newAdminStr != "" {
|
|
|
|
newAdmin, err := strconv.ParseBool(newAdminStr)
|
|
|
|
if err != nil {
|
|
|
|
msg := fmt.Sprintf("could not parse admin status: %v\n", err)
|
|
|
|
rl.renderError(w, r, http.StatusBadRequest, msg)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
updatedUser.Admin = newAdmin
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if the user is trying to update their own admin status
|
|
|
|
if updatedUser.Admin && !user.Admin {
|
|
|
|
// User is trying to update their own admin status, return a 403 Forbidden response
|
|
|
|
http.Error(w, "You do not have permission to update your own admin status", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update the user in the database
|
|
|
|
if err := db.ChangeUser(rl.db, userName, updatedUser); err != nil {
|
|
|
|
// Failed to update the user, return a 500 Internal Server Error response
|
|
|
|
http.Error(w, "Failed to update user", http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Return a 200 OK response
|
|
|
|
w.WriteHeader(http.StatusOK)
|
2019-11-10 19:03:57 +01:00
|
|
|
}
|
|
|
|
|
2023-04-30 12:03:23 +02:00
|
|
|
func (rl *rushlink) newFileUploadPasteHandler(w http.ResponseWriter, r *http.Request, user *db.User, file multipart.File, header multipart.FileHeader) {
|
2020-10-25 17:33:51 +01:00
|
|
|
var fu *db.FileUpload
|
|
|
|
var paste *db.Paste
|
|
|
|
if err := rl.db.Transaction(func(tx *db.Database) error {
|
2019-11-10 19:03:57 +01:00
|
|
|
var err error
|
2023-04-30 12:03:23 +02:00
|
|
|
fu, err = db.NewFileUpload(rl.fs, file, user, header.Filename)
|
2019-11-10 19:03:57 +01:00
|
|
|
if err != nil {
|
|
|
|
panic(errors.Wrap(err, "creating fileUpload"))
|
|
|
|
}
|
2019-12-03 23:08:58 +01:00
|
|
|
if err := fu.Save(tx); err != nil {
|
|
|
|
panic(errors.Wrap(err, "saving fileUpload in db"))
|
|
|
|
}
|
2019-11-10 19:03:57 +01:00
|
|
|
|
2023-04-30 12:03:23 +02:00
|
|
|
paste, err = shortenFileUploadID(tx, user, fu.PubID)
|
2019-11-10 19:03:57 +01:00
|
|
|
return err
|
|
|
|
}); err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
2020-05-11 22:26:45 +02:00
|
|
|
rl.viewActionSuccess(w, r, paste, fu)
|
2019-11-10 19:03:57 +01:00
|
|
|
}
|
|
|
|
|
2023-04-30 12:03:23 +02:00
|
|
|
func (rl *rushlink) newRedirectPasteHandler(w http.ResponseWriter, r *http.Request, user *db.User, rawurl string) {
|
2020-04-22 16:11:32 +02:00
|
|
|
userURL, err := url.Parse(rawurl)
|
2019-08-25 21:33:56 +02:00
|
|
|
if err != nil {
|
2019-09-15 21:34:41 +02:00
|
|
|
msg := fmt.Sprintf("invalid url (%v): %v", err, rawurl)
|
2019-12-15 12:18:50 +01:00
|
|
|
rl.renderError(w, r, http.StatusBadRequest, msg)
|
2019-08-25 21:33:56 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
if userURL.Scheme == "" {
|
2019-12-15 12:18:50 +01:00
|
|
|
rl.renderError(w, r, http.StatusBadRequest, "invalid url (unspecified scheme)\n")
|
2019-08-25 21:33:56 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
if userURL.Host == "" {
|
2019-12-15 12:18:50 +01:00
|
|
|
rl.renderError(w, r, http.StatusBadRequest, "invalid url (unspecified host)\n")
|
2019-08-25 21:33:56 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2020-10-25 17:33:51 +01:00
|
|
|
var paste *db.Paste
|
|
|
|
if err := rl.db.Transaction(func(tx *db.Database) error {
|
2019-09-21 21:03:31 +02:00
|
|
|
var err error
|
2023-04-30 12:03:23 +02:00
|
|
|
paste, err = shortenURL(tx, user, userURL)
|
2019-08-25 21:33:56 +02:00
|
|
|
return err
|
|
|
|
}); err != nil {
|
2019-10-15 23:19:45 +02:00
|
|
|
panic(err)
|
2019-08-25 21:33:56 +02:00
|
|
|
}
|
2020-05-11 22:26:45 +02:00
|
|
|
rl.viewActionSuccess(w, r, paste, nil)
|
2019-09-21 13:11:38 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Delete a URL from the database
|
2019-12-03 23:08:58 +01:00
|
|
|
func (rl *rushlink) deletePasteHandler(w http.ResponseWriter, r *http.Request) {
|
2019-09-21 13:11:38 +02:00
|
|
|
vars := mux.Vars(r)
|
|
|
|
key := vars["key"]
|
|
|
|
|
2019-09-21 21:03:31 +02:00
|
|
|
deleteToken := getDeleteTokenFromRequest(r)
|
|
|
|
if deleteToken == "" {
|
2019-12-15 12:18:50 +01:00
|
|
|
rl.renderError(w, r, http.StatusBadRequest, "no delete token provided\n")
|
2019-09-21 13:11:38 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
var errorCode int
|
2020-10-25 17:33:51 +01:00
|
|
|
var paste *db.Paste
|
|
|
|
if err := rl.db.Transaction(func(tx *db.Database) error {
|
2019-12-16 06:21:21 +01:00
|
|
|
var err error
|
2020-10-25 17:33:51 +01:00
|
|
|
paste, err = db.GetPaste(tx, key)
|
2019-09-21 13:11:38 +02:00
|
|
|
if err != nil {
|
|
|
|
errorCode = http.StatusNotFound
|
|
|
|
return err
|
|
|
|
}
|
2020-10-25 17:33:51 +01:00
|
|
|
if paste.State == db.PasteStateDeleted {
|
2019-11-22 18:41:54 +01:00
|
|
|
errorCode = http.StatusGone
|
|
|
|
return errors.New("already deleted")
|
2019-09-21 13:11:38 +02:00
|
|
|
}
|
2019-12-16 06:21:21 +01:00
|
|
|
if subtle.ConstantTimeCompare([]byte(deleteToken), []byte(paste.DeleteToken)) == 0 {
|
2019-11-22 18:41:54 +01:00
|
|
|
errorCode = http.StatusForbidden
|
|
|
|
return errors.New("invalid delete token")
|
|
|
|
}
|
2019-12-16 06:21:21 +01:00
|
|
|
if err := paste.Delete(tx, rl.fs); err != nil {
|
2019-11-22 18:41:54 +01:00
|
|
|
errorCode = http.StatusInternalServerError
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
2019-09-21 13:11:38 +02:00
|
|
|
}); err != nil {
|
|
|
|
log.Printf("error: %v\n", err)
|
2019-12-15 12:18:50 +01:00
|
|
|
rl.renderError(w, r, errorCode, fmt.Sprintf("error: %v\n", err))
|
2019-09-21 13:11:38 +02:00
|
|
|
return
|
|
|
|
}
|
2020-05-11 22:26:45 +02:00
|
|
|
rl.viewActionSuccess(w, r, paste, nil)
|
2019-08-29 00:50:26 +02:00
|
|
|
}
|
|
|
|
|
2019-11-10 19:03:57 +01:00
|
|
|
// Add a new fileUpload redirect to the database
|
|
|
|
//
|
|
|
|
// Returns the new paste key if the fileUpload was successfully added to the
|
|
|
|
// database
|
2023-04-30 12:03:23 +02:00
|
|
|
func shortenFileUploadID(tx *db.Database, user *db.User, id uuid.UUID) (*db.Paste, error) {
|
|
|
|
return shorten(tx, user, db.PasteTypeFileUpload, id[:])
|
2019-11-10 19:03:57 +01:00
|
|
|
}
|
|
|
|
|
2019-08-25 21:33:56 +02:00
|
|
|
// Add a new URL to the database
|
|
|
|
//
|
2019-11-10 19:03:57 +01:00
|
|
|
// Returns the new paste key if the url was successfully shortened
|
2023-04-30 12:03:23 +02:00
|
|
|
func shortenURL(tx *db.Database, user *db.User, userURL *url.URL) (*db.Paste, error) {
|
|
|
|
return shorten(tx, user, db.PasteTypeRedirect, []byte(userURL.String()))
|
2019-11-10 19:03:57 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// Add a paste (of any kind) to the database with arbitrary content.
|
2023-04-30 12:03:23 +02:00
|
|
|
func shorten(tx *db.Database, user *db.User, ty db.PasteType, content []byte) (*db.Paste, error) {
|
2019-11-10 19:03:57 +01:00
|
|
|
// Generate the paste key
|
2020-07-27 14:53:19 +02:00
|
|
|
var keyEntropy int
|
2020-10-25 17:33:51 +01:00
|
|
|
if ty == db.PasteTypeFileUpload || ty == db.PasteTypePaste {
|
2020-07-27 14:53:19 +02:00
|
|
|
keyEntropy = highOnlineEntropy
|
|
|
|
}
|
2020-10-25 17:33:51 +01:00
|
|
|
pasteKey, err := db.GeneratePasteKey(tx, keyEntropy)
|
2019-09-22 14:03:27 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrap(err, "generating paste key")
|
2019-08-25 21:33:56 +02:00
|
|
|
}
|
|
|
|
|
2019-09-21 21:03:31 +02:00
|
|
|
// Also generate a deleteToken
|
2020-10-25 17:33:51 +01:00
|
|
|
deleteToken, err := db.GenerateDeleteToken()
|
2019-09-21 21:03:31 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrap(err, "generating delete token")
|
|
|
|
}
|
|
|
|
|
2019-08-25 21:33:56 +02:00
|
|
|
// Store the new key
|
2020-10-25 17:33:51 +01:00
|
|
|
p := db.Paste{
|
2019-11-10 19:03:57 +01:00
|
|
|
Type: ty,
|
2020-10-25 17:33:51 +01:00
|
|
|
State: db.PasteStatePresent,
|
2023-04-30 12:03:23 +02:00
|
|
|
CreatedBy: user.ID,
|
2019-11-10 19:03:57 +01:00
|
|
|
Content: content,
|
2019-09-22 14:03:27 +02:00
|
|
|
Key: pasteKey,
|
2019-09-21 13:11:38 +02:00
|
|
|
DeleteToken: deleteToken,
|
2019-08-25 21:33:56 +02:00
|
|
|
}
|
2019-12-03 23:08:58 +01:00
|
|
|
if err := p.Save(tx); err != nil {
|
2019-09-21 13:11:38 +02:00
|
|
|
return nil, err
|
|
|
|
}
|
2019-09-22 14:03:27 +02:00
|
|
|
return &p, nil
|
2019-09-01 01:41:01 +02:00
|
|
|
}
|
|
|
|
|
2019-09-21 21:03:31 +02:00
|
|
|
func getDeleteTokenFromRequest(r *http.Request) string {
|
|
|
|
return r.URL.Query().Get("deleteToken")
|
2019-09-01 01:41:01 +02:00
|
|
|
}
|