rushlink/handlers/handlers.go

401 lines
9.7 KiB
Go
Raw Normal View History

package handlers
2019-08-25 21:33:56 +02:00
import (
"crypto/rand"
2019-09-01 01:41:01 +02:00
"crypto/subtle"
"encoding/base64"
2019-09-21 13:11:38 +02:00
"encoding/hex"
2019-08-25 21:33:56 +02:00
"fmt"
"log"
"net/http"
"net/url"
2019-09-01 01:41:01 +02:00
"strings"
2019-08-25 21:33:56 +02:00
"time"
2019-08-29 23:40:24 +02:00
"github.com/gorilla/mux"
"github.com/pkg/errors"
2019-08-25 21:33:56 +02:00
bolt "go.etcd.io/bbolt"
2019-09-15 17:43:09 +02:00
"gitea.hashru.nl/dsprenkels/rushlink/db"
"gitea.hashru.nl/dsprenkels/rushlink/gobmarsh"
2019-08-25 21:33:56 +02:00
)
2019-09-21 13:11:38 +02:00
type pasteType int
type pasteState int
2019-08-25 21:33:56 +02:00
2019-09-21 13:11:38 +02:00
type storedPaste struct {
Type pasteType
State pasteState
Content []byte
2019-09-15 22:54:07 +02:00
Key string
2019-09-21 21:03:31 +02:00
DeleteToken string
2019-08-25 21:33:56 +02:00
TimeCreated time.Time
}
const (
2019-09-21 13:11:38 +02:00
typeUndef pasteType = 0
typePaste = 1
typeRedirect = 2
)
const (
2019-09-21 13:11:38 +02:00
stateUndef pasteState = 0
statePresent = 1
stateDeleted = 2
2019-08-25 21:33:56 +02:00
)
2019-09-21 13:11:38 +02:00
type viewPaste uint
const (
_ viewPaste = 1 << iota
viewNoRedirect
viewShowMeta
)
const CookieDeleteToken = "owner_token"
2019-09-01 01:41:01 +02:00
2019-09-01 12:04:43 +02:00
// These keys are designated reserved, and will not be randomly chosen
2019-09-15 22:54:07 +02:00
var ReservedPasteKeys = []string{"xd42", "example"}
2019-09-01 12:04:43 +02:00
2019-09-01 01:41:01 +02:00
// Base64 encoding and decoding
var base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
var base64Encoder = base64.RawURLEncoding.WithPadding(base64.NoPadding)
2019-09-01 01:41:01 +02:00
2019-09-21 13:11:38 +02:00
func (t pasteType) String() string {
2019-09-01 01:41:01 +02:00
switch t {
2019-09-21 13:11:38 +02:00
case typeUndef:
return "unknown"
case typePaste:
2019-09-15 22:54:07 +02:00
return "paste"
2019-09-21 13:11:38 +02:00
case typeRedirect:
2019-09-15 22:54:07 +02:00
return "redirect"
2019-09-01 01:41:01 +02:00
default:
2019-09-15 22:54:07 +02:00
return "invalid"
2019-09-01 01:41:01 +02:00
}
}
2019-09-21 13:11:38 +02:00
func (t pasteState) String() string {
2019-09-01 01:41:01 +02:00
switch t {
2019-09-21 13:11:38 +02:00
case stateUndef:
return "unknown"
case statePresent:
2019-09-15 22:54:07 +02:00
return "present"
2019-09-21 13:11:38 +02:00
case stateDeleted:
2019-09-15 22:54:07 +02:00
return "deleted"
2019-09-01 01:41:01 +02:00
default:
2019-09-15 22:54:07 +02:00
return "invalid"
2019-09-01 01:41:01 +02:00
}
}
2019-09-19 21:29:25 +02:00
func indexGetHandler(w http.ResponseWriter, r *http.Request) {
2019-09-21 13:11:38 +02:00
render(w, r, "index", map[string]interface{}{})
2019-08-25 21:33:56 +02:00
}
2019-09-21 13:11:38 +02:00
func viewPasteHandler(w http.ResponseWriter, r *http.Request) {
viewPasteHandlerInner(w, r, 0)
}
2019-09-21 13:11:38 +02:00
func viewPasteHandlerNoRedirect(w http.ResponseWriter, r *http.Request) {
viewPasteHandlerInner(w, r, viewNoRedirect)
}
2019-09-21 13:11:38 +02:00
func viewPasteHandlerMeta(w http.ResponseWriter, r *http.Request) {
viewPasteHandlerInner(w, r, viewShowMeta)
2019-09-01 01:41:01 +02:00
}
2019-09-21 13:11:38 +02:00
func viewPasteHandlerInner(w http.ResponseWriter, r *http.Request, flags viewPaste) {
2019-08-29 00:50:26 +02:00
vars := mux.Vars(r)
key := vars["key"]
2019-09-21 13:11:38 +02:00
var storedPaste *storedPaste
if err := db.DB.View(func(tx *bolt.Tx) error {
2019-08-29 00:50:26 +02:00
var err error
2019-09-21 13:11:38 +02:00
storedPaste, err = getURL(tx, key)
2019-08-29 00:50:26 +02:00
return err
}); err != nil {
log.Printf("error: %v\n", err)
2019-09-19 21:42:01 +02:00
renderInternalServerError(w, r, err)
2019-08-29 00:50:26 +02:00
return
}
if storedPaste == nil {
2019-09-19 21:42:01 +02:00
renderError(w, r, http.StatusNotFound, "url key not found in the database")
2019-09-01 01:41:01 +02:00
return
}
2019-09-21 13:11:38 +02:00
if flags&viewShowMeta != 0 {
canDelete := struct {
Bool bool
String string
}{Bool: false}
2019-09-21 21:03:31 +02:00
deleteToken := getDeleteTokenFromRequest(r)
if deleteToken == "" {
2019-09-21 13:11:38 +02:00
canDelete.String = "undefined"
} else {
2019-09-21 21:03:31 +02:00
if subtle.ConstantTimeCompare([]byte(deleteToken), []byte(storedPaste.DeleteToken)) == 1 {
2019-09-21 13:11:38 +02:00
canDelete.Bool = true
canDelete.String = "correct"
} else {
canDelete.String = "invalid"
}
2019-09-01 01:41:01 +02:00
}
2019-09-15 22:54:07 +02:00
data := map[string]interface{}{
2019-09-21 13:11:38 +02:00
"Paste": storedPaste,
"CanDelete": canDelete,
2019-09-15 22:54:07 +02:00
}
2019-09-19 21:42:01 +02:00
render(w, r, "pasteMeta", data)
return
2019-08-29 00:50:26 +02:00
}
2019-09-01 01:41:01 +02:00
switch storedPaste.State {
2019-09-21 13:11:38 +02:00
case statePresent:
if flags&viewNoRedirect == 0 {
rawurl := string(storedPaste.Content)
urlParse, err := url.Parse(rawurl)
if err != nil {
log.Printf("error: invalid URL ('%v') in database for key '%v': %v\n", rawurl, storedPaste.Key, err)
2019-09-19 21:42:01 +02:00
renderInternalServerError(w, r, "invalid url in database")
return
}
http.Redirect(w, r, urlParse.String(), http.StatusSeeOther)
}
w.Write(storedPaste.Content)
2019-09-21 13:11:38 +02:00
case stateDeleted:
2019-09-21 21:03:31 +02:00
renderError(w, r, http.StatusGone, "paste has been deleted")
2019-08-29 00:50:26 +02:00
default:
log.Printf("error: invalid storedPaste.State (%v) for key '%v'\n", storedPaste.State, storedPaste.Key)
2019-09-15 21:34:41 +02:00
msg := fmt.Sprintf("internal server error: invalid storedPaste.State (%v\n)", storedPaste.State)
2019-09-19 21:42:01 +02:00
renderInternalServerError(w, r, msg)
2019-08-29 00:50:26 +02:00
}
}
2019-09-21 13:11:38 +02:00
func newPasteHandler(w http.ResponseWriter, r *http.Request) {
if err := r.ParseMultipartForm(50 * 1000 * 1000); err != nil {
log.Printf("error: %v\n", err)
renderInternalServerError(w, r, err)
return
}
// Determine what kind of post this is, currently only `shorten=...`
if len(r.PostForm) == 0 {
renderError(w, r, http.StatusBadRequest, "empty body in POST request\n")
return
}
shorten_values, prs := r.PostForm["shorten"]
if !prs {
renderError(w, r, http.StatusBadRequest, "no 'shorten' param given\n")
return
}
if len(shorten_values) != 1 {
renderError(w, r, http.StatusBadRequest, "only one 'shorten' param is allowed per request\n")
return
}
newRedirectPasteHandler(w, r)
}
func newRedirectPasteHandler(w http.ResponseWriter, r *http.Request) {
2019-08-25 21:33:56 +02:00
rawurl := r.PostForm.Get("shorten")
userURL, err := url.ParseRequestURI(rawurl)
if err != nil {
2019-09-15 21:34:41 +02:00
msg := fmt.Sprintf("invalid url (%v): %v", err, rawurl)
2019-09-19 21:42:01 +02:00
renderError(w, r, http.StatusBadRequest, msg)
2019-08-25 21:33:56 +02:00
return
}
if userURL.Scheme == "" {
2019-09-19 21:42:01 +02:00
renderError(w, r, http.StatusBadRequest, "invalid url (unspecified scheme)")
2019-08-25 21:33:56 +02:00
return
}
if userURL.Host == "" {
2019-09-19 21:42:01 +02:00
renderError(w, r, http.StatusBadRequest, "invalid url (unspecified host)")
2019-08-25 21:33:56 +02:00
return
}
2019-09-21 13:11:38 +02:00
var storedPaste *storedPaste
if err := db.DB.Update(func(tx *bolt.Tx) error {
2019-09-21 13:11:38 +02:00
// Generate a new delete token for this paste
2019-09-21 21:03:31 +02:00
var err error
storedPaste, err = shortenURL(tx, userURL)
2019-08-25 21:33:56 +02:00
return err
}); err != nil {
2019-08-29 00:50:26 +02:00
log.Printf("error: %v\n", err)
2019-09-19 21:42:01 +02:00
renderInternalServerError(w, r, err)
2019-08-25 21:33:56 +02:00
return
}
2019-09-21 21:03:31 +02:00
data := map[string]interface{}{"Paste": storedPaste}
render(w, r, "newRedirectPasteSuccess", data)
2019-09-21 13:11:38 +02:00
}
// Delete a URL from the database
func deletePasteHandler(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
key := vars["key"]
2019-09-21 21:03:31 +02:00
deleteToken := getDeleteTokenFromRequest(r)
if deleteToken == "" {
2019-09-21 13:11:38 +02:00
renderError(w, r, http.StatusBadRequest, "no delete token provided")
return
}
var errorCode int
if err := db.DB.Update(func(tx *bolt.Tx) error {
paste, err := getURL(tx, key)
if err != nil {
errorCode = http.StatusNotFound
return err
}
2019-09-21 21:03:31 +02:00
if subtle.ConstantTimeCompare([]byte(deleteToken), []byte(paste.DeleteToken)) == 1 {
2019-09-21 13:11:38 +02:00
// Replace the old paste with a new empty paste
return savePaste(tx, key, storedPaste{
Key: paste.Key,
State: stateDeleted,
DeleteToken: paste.DeleteToken,
})
}
errorCode = http.StatusForbidden
return errors.New("invalid delete token")
}); err != nil {
log.Printf("error: %v\n", err)
renderError(w, r, errorCode, fmt.Sprintf("error: %v", err))
return
}
2019-08-29 00:50:26 +02:00
}
// Retrieve a URL from the database
2019-09-21 13:11:38 +02:00
func getURL(tx *bolt.Tx, key string) (*storedPaste, error) {
pastesBucket := tx.Bucket([]byte(db.BUCKET_PASTES))
if pastesBucket == nil {
return nil, errors.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
2019-08-29 00:50:26 +02:00
}
2019-09-21 13:11:38 +02:00
storedBytes := pastesBucket.Get([]byte(key))
2019-08-29 00:50:26 +02:00
if storedBytes == nil {
return nil, nil
}
2019-09-21 13:11:38 +02:00
storedPaste := &storedPaste{}
err := gobmarsh.Unmarshal(storedBytes, storedPaste)
return storedPaste, err
2019-08-25 21:33:56 +02:00
}
// Add a new URL to the database
//
// Returns the new ID if the url was successfully shortened
2019-09-21 21:03:31 +02:00
func shortenURL(tx *bolt.Tx, userURL *url.URL) (*storedPaste, error) {
2019-09-21 13:11:38 +02:00
pastesBucket := tx.Bucket([]byte(db.BUCKET_PASTES))
if pastesBucket == nil {
return nil, errors.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
2019-08-25 21:33:56 +02:00
}
// Generate a key until it is not in the database, this occurs in O(log N),
// where N is the amount of keys stored in the url-shorten database.
epoch := 0
2019-09-15 22:54:07 +02:00
var urlKey string
2019-08-25 21:33:56 +02:00
for {
var err error
urlKey, err = generateURLKey(epoch)
if err != nil {
return nil, errors.Wrap(err, "url-key generation failed")
}
2019-09-01 12:04:43 +02:00
2019-09-21 13:11:38 +02:00
found := pastesBucket.Get([]byte(urlKey))
2019-08-25 21:33:56 +02:00
if found == nil {
break
}
2019-09-01 12:04:43 +02:00
isReserved := false
for _, reservedKey := range ReservedPasteKeys {
2019-09-15 22:54:07 +02:00
if strings.HasPrefix(urlKey, reservedKey) {
2019-09-01 12:04:43 +02:00
isReserved = true
break
}
}
if !isReserved {
break
}
2019-08-25 21:33:56 +02:00
epoch++
}
2019-09-21 21:03:31 +02:00
// Also generate a deleteToken
deleteToken, err := generateDeleteToken()
if err != nil {
return nil, errors.Wrap(err, "generating delete token")
}
2019-08-25 21:33:56 +02:00
// Store the new key
2019-09-21 13:11:38 +02:00
storedPaste := storedPaste{
Type: typeRedirect,
State: statePresent,
Content: []byte(userURL.String()),
2019-08-29 00:50:26 +02:00
Key: urlKey,
2019-09-21 13:11:38 +02:00
DeleteToken: deleteToken,
2019-08-25 21:33:56 +02:00
TimeCreated: time.Now().UTC(),
}
2019-09-21 13:11:38 +02:00
if err := savePaste(tx, urlKey, storedPaste); err != nil {
return nil, err
}
return &storedPaste, nil
}
func savePaste(tx *bolt.Tx, key string, paste storedPaste) error {
bucket := tx.Bucket([]byte(db.BUCKET_PASTES))
if bucket == nil {
return errors.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
}
buf, err := gobmarsh.Marshal(paste)
2019-08-25 21:33:56 +02:00
if err != nil {
2019-09-21 13:11:38 +02:00
return errors.Wrap(err, "encoding for database failed")
2019-08-25 21:33:56 +02:00
}
2019-09-21 13:11:38 +02:00
if err := bucket.Put([]byte(key), buf); err != nil {
return errors.Wrap(err, "database transaction failed")
2019-08-25 21:33:56 +02:00
}
2019-09-21 13:11:38 +02:00
return nil
2019-08-25 21:33:56 +02:00
}
2019-09-15 22:54:07 +02:00
func generateURLKey(epoch int) (string, error) {
2019-08-25 21:33:56 +02:00
urlKey := make([]byte, 4+epoch)
_, err := rand.Read(urlKey)
if err != nil {
2019-09-15 22:54:07 +02:00
return "", err
2019-08-25 21:33:56 +02:00
}
// Put all the values in the range 0..64 for easier base64-encoding
for i := 0; i < len(urlKey); i++ {
urlKey[i] &= 0x3F
}
// Implement truncate-resistance by forcing the prefix to
// 0b111110xxxxxxxxxx
// ^----- {epoch} ones followed by a single 0
//
// Example when epoch is 1: prefix is 0b10.
i := 0
for i < epoch {
// Set this bit to 1
limb := i / 6
bit := i % 6
urlKey[limb] |= 1 << uint(5-bit)
i++
}
// Finally set the next bit to 0
limb := i / 6
bit := i % 6
urlKey[limb] &= ^(1 << uint(5-bit))
// Convert this ID to a canonical base64 notation
2019-08-29 00:50:26 +02:00
for i := range urlKey {
urlKey[i] = base64Alphabet[urlKey[i]]
}
2019-09-15 22:54:07 +02:00
return string(urlKey), nil
2019-08-25 21:33:56 +02:00
}
2019-09-01 01:41:01 +02:00
2019-09-21 21:03:31 +02:00
func generateDeleteToken() (string, error) {
2019-09-21 13:11:38 +02:00
var deleteToken [16]byte
_, err := rand.Read(deleteToken[:])
2019-09-01 01:41:01 +02:00
if err != nil {
2019-09-21 21:03:31 +02:00
return "", err
2019-09-01 01:41:01 +02:00
}
2019-09-21 21:03:31 +02:00
return hex.EncodeToString(deleteToken[:]), nil
2019-09-01 01:41:01 +02:00
}
2019-09-21 21:03:31 +02:00
func getDeleteTokenFromRequest(r *http.Request) string {
return r.URL.Query().Get("deleteToken")
2019-09-01 01:41:01 +02:00
}