Implement deleting of pastes

2019-09-21 13:11:38 +02:00 · 2019-09-21 13:11:38 +02:00 · 1c926a4864
commit 1c926a4864
parent 173ae7665b
4 changed files with 240 additions and 161 deletions
--- a/assets/templates/txt/pasteMeta.txt.tmpl
+++ b/assets/templates/txt/pasteMeta.txt.tmpl
@ -1,5 +1,17 @@
-key: {{.Paste.Key}}
-type: {{.Paste.Type}}
-state: {{.Paste.State}}
-created: {{.Paste.TimeCreated}}
-owner: {{if .IsOwner}}yes{{else}}no{{end}}
+METADATA on <{{.Request.Host}}/{{.Paste.Key}}>:
+
+TYPE: {{.Paste.Type}}
+STATE: {{.Paste.State}}
+{{if .Paste.TimeCreated.IsZero -}}
+CREATED: undefined
+{{else -}}
+CREATED: {{.Paste.TimeCreated}}
+{{end -}}
+DELETE TOKEN: {{.CanDelete.String}}
+
+{{if and (ne .Paste.State.String "deleted") .CanDelete.Bool}}
+```
+# To delete this {{.Paste.Type}}, execute:
+curl --request "DELETE" "{{.Request.Host}}/{{.Paste.Key}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}"
+```
+{{end}}
--- a/handlers/handlers.go
+++ b/handlers/handlers.go
@ -4,13 +4,13 @@ import (
 	"crypto/rand"
 	"crypto/subtle"
 	"encoding/base64"
+	"encoding/hex"
 	"fmt"
 	"log"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
-	"unicode"

 	"github.com/gorilla/mux"
 	"github.com/pkg/errors"
@ -20,29 +20,39 @@ import (
 	"gitea.hashru.nl/dsprenkels/rushlink/gobmarsh"
 )

-type PasteType int
-type PasteState int
+type pasteType int
+type pasteState int

-type StoredPaste struct {
-	Type        PasteType
-	State       PasteState
+type storedPaste struct {
+	Type        pasteType
+	State       pasteState
 	Content     []byte
 	Key         string
-	OwnerToken  [16]byte
+	DeleteToken [16]byte
 	TimeCreated time.Time
 }

 const (
-	TypePaste PasteType = iota
-	TypeRedirect
+	typeUndef    pasteType = 0
+	typePaste              = 1
+	typeRedirect           = 2
 )

 const (
-	StatePresent PasteState = iota
-	StateDeleted
+	stateUndef   pasteState = 0
+	statePresent            = 1
+	stateDeleted            = 2
 )

-const CookieOwnerToken = "owner_token"
+type viewPaste uint
+
+const (
+	_ viewPaste = 1 << iota
+	viewNoRedirect
+	viewShowMeta
+)
+
+const CookieDeleteToken = "owner_token"

 // These keys are designated reserved, and will not be randomly chosen
 var ReservedPasteKeys = []string{"xd42", "example"}
@ -51,22 +61,26 @@ var ReservedPasteKeys = []string{"xd42", "example"}
 var base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
 var base64Encoder = base64.RawURLEncoding.WithPadding(base64.NoPadding)

-func (t PasteType) String() string {
+func (t pasteType) String() string {
 	switch t {
-	case TypePaste:
+	case typeUndef:
+		return "unknown"
+	case typePaste:
 		return "paste"
-	case TypeRedirect:
+	case typeRedirect:
 		return "redirect"
 	default:
 		return "invalid"
 	}
 }

-func (t PasteState) String() string {
+func (t pasteState) String() string {
 	switch t {
-	case StatePresent:
+	case stateUndef:
+		return "unknown"
+	case statePresent:
 		return "present"
-	case StateDeleted:
+	case stateDeleted:
 		return "deleted"
 	default:
 		return "invalid"
@ -74,10 +88,89 @@ func (t PasteState) String() string {
 }

 func indexGetHandler(w http.ResponseWriter, r *http.Request) {
-	render(w, r, "index", nil)
+	render(w, r, "index", map[string]interface{}{})
 }

-func indexPostHandler(w http.ResponseWriter, r *http.Request) {
+func viewPasteHandler(w http.ResponseWriter, r *http.Request) {
+	viewPasteHandlerInner(w, r, 0)
+}
+
+func viewPasteHandlerNoRedirect(w http.ResponseWriter, r *http.Request) {
+	viewPasteHandlerInner(w, r, viewNoRedirect)
+}
+
+func viewPasteHandlerMeta(w http.ResponseWriter, r *http.Request) {
+	viewPasteHandlerInner(w, r, viewShowMeta)
+}
+
+func viewPasteHandlerInner(w http.ResponseWriter, r *http.Request, flags viewPaste) {
+	vars := mux.Vars(r)
+	key := vars["key"]
+	var storedPaste *storedPaste
+	if err := db.DB.View(func(tx *bolt.Tx) error {
+		var err error
+		storedPaste, err = getURL(tx, key)
+		return err
+	}); err != nil {
+		log.Printf("error: %v\n", err)
+		renderInternalServerError(w, r, err)
+		return
+	}
+	if storedPaste == nil {
+		renderError(w, r, http.StatusNotFound, "url key not found in the database")
+		return
+	}
+
+	if flags&viewShowMeta != 0 {
+		canDelete := struct {
+			Bool   bool
+			String string
+		}{Bool: false}
+		deleteToken, err := getDeleteTokenFromRequest(r)
+		if err != nil {
+			canDelete.String = "invalid"
+		} else if deleteToken == nil {
+			canDelete.String = "undefined"
+		} else {
+			if subtle.ConstantTimeCompare(deleteToken[:], storedPaste.DeleteToken[:]) == 1 {
+				canDelete.Bool = true
+				canDelete.String = "correct"
+			} else {
+				canDelete.String = "invalid"
+			}
+		}
+
+		data := map[string]interface{}{
+			"Paste":     storedPaste,
+			"CanDelete": canDelete,
+		}
+		render(w, r, "pasteMeta", data)
+		return
+	}
+
+	switch storedPaste.State {
+	case statePresent:
+		if flags&viewNoRedirect == 0 {
+			rawurl := string(storedPaste.Content)
+			urlParse, err := url.Parse(rawurl)
+			if err != nil {
+				log.Printf("error: invalid URL ('%v') in database for key '%v': %v\n", rawurl, storedPaste.Key, err)
+				renderInternalServerError(w, r, "invalid url in database")
+				return
+			}
+			http.Redirect(w, r, urlParse.String(), http.StatusSeeOther)
+		}
+		w.Write(storedPaste.Content)
+	case stateDeleted:
+		renderError(w, r, http.StatusGone, "key has been deleted")
+	default:
+		log.Printf("error: invalid storedPaste.State (%v) for key '%v'\n", storedPaste.State, storedPaste.Key)
+		msg := fmt.Sprintf("internal server error: invalid storedPaste.State (%v\n)", storedPaste.State)
+		renderInternalServerError(w, r, msg)
+	}
+}
+
+func newPasteHandler(w http.ResponseWriter, r *http.Request) {
 	if err := r.ParseMultipartForm(50 * 1000 * 1000); err != nil {
 		log.Printf("error: %v\n", err)
 		renderInternalServerError(w, r, err)
@ -99,77 +192,10 @@ func indexPostHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	shortenPostHandler(w, r)
+	newRedirectPasteHandler(w, r)
 }

-func pasteGetHandler(w http.ResponseWriter, r *http.Request) {
-	pasteGetHandlerInner(w, r, false, false)
-}
-
-func pasteGetHandlerNoRedirect(w http.ResponseWriter, r *http.Request) {
-	pasteGetHandlerInner(w, r, true, false)
-}
-
-func pasteGetHandlerMeta(w http.ResponseWriter, r *http.Request) {
-	pasteGetHandlerInner(w, r, false, true)
-}
-
-func pasteGetHandlerInner(w http.ResponseWriter, r *http.Request, noRedirect, showMeta bool) {
-	vars := mux.Vars(r)
-	key := vars["key"]
-	var storedPaste *StoredPaste
-	if err := db.DB.View(func(tx *bolt.Tx) error {
-		var err error
-		storedPaste, err = getURL(tx, []byte(key))
-		return err
-	}); err != nil {
-		log.Printf("error: %v\n", err)
-		renderInternalServerError(w, r, err)
-		return
-	}
-	if storedPaste == nil {
-		renderError(w, r, http.StatusNotFound, "url key not found in the database")
-		return
-	}
-
-	if showMeta {
-		isOwner := false
-		ownerToken, ok := getOwnerTokenFromRequest(r)
-		if ok && subtle.ConstantTimeCompare(ownerToken[:], storedPaste.OwnerToken[:]) == 1 {
-			isOwner = true
-		}
-
-		data := map[string]interface{}{
-			"Paste":   storedPaste,
-			"IsOwner": isOwner,
-		}
-		render(w, r, "pasteMeta", data)
-		return
-	}
-
-	switch storedPaste.State {
-	case StatePresent:
-		if !noRedirect {
-			rawurl := string(storedPaste.Content)
-			urlParse, err := url.Parse(rawurl)
-			if err != nil {
-				log.Printf("error: invalid URL ('%v') in database for key '%v': %v\n", rawurl, storedPaste.Key, err)
-				renderInternalServerError(w, r, "invalid url in database")
-				return
-			}
-			http.Redirect(w, r, urlParse.String(), http.StatusSeeOther)
-		}
-		w.Write(storedPaste.Content)
-	case StateDeleted:
-		renderError(w, r, http.StatusGone, "key has been deleted")
-	default:
-		log.Printf("error: invalid storedPaste.State (%v) for key '%v'\n", storedPaste.State, storedPaste.Key)
-		msg := fmt.Sprintf("internal server error: invalid storedPaste.State (%v\n)", storedPaste.State)
-		renderInternalServerError(w, r, msg)
-	}
-}
-
-func shortenPostHandler(w http.ResponseWriter, r *http.Request) {
+func newRedirectPasteHandler(w http.ResponseWriter, r *http.Request) {
 	rawurl := r.PostForm.Get("shorten")
 	userURL, err := url.ParseRequestURI(rawurl)
 	if err != nil {
@ -186,18 +212,15 @@ func shortenPostHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	var storedPaste *StoredPaste
+	var storedPaste *storedPaste
 	if err := db.DB.Update(func(tx *bolt.Tx) error {
-		ownerKey, ok := getOwnerTokenFromRequest(r)
-		if ok == false {
-			// Owner key not supplied or invalid, generate a new one
-			ownerKey, err = generateOwnerToken()
-			if err != nil {
-				return errors.Wrap(err, "generating OwnerToken")
-			}
+		// Generate a new delete token for this paste
+		deleteToken, err := generateDeleteToken()
+		if err != nil {
+			return errors.Wrap(err, "generating delete token")
 		}

-		sp, err := shortenURL(tx, userURL, ownerKey)
+		sp, err := shortenURL(tx, userURL, deleteToken)
 		storedPaste = sp
 		return err
 	}); err != nil {
@ -206,34 +229,71 @@ func shortenPostHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	saveURL, err := r.URL.Parse(string(storedPaste.Key))
+	deleteToken := hex.EncodeToString(storedPaste.DeleteToken[:])
+	saveRawurl := fmt.Sprintf("%v/%v?deleteToken=%v", r.Host, string(storedPaste.Key), deleteToken)
+	saveURL, err := r.URL.Parse(saveRawurl)
 	if err != nil {
 		err = errors.Wrap(err, "parsing url")
 		log.Printf("error: %v\n", err)
 		renderInternalServerError(w, r, err)
 		return
 	}
-	var base64OwnerToken = make([]byte, 24)
-	base64Encoder.Encode(base64OwnerToken, storedPaste.OwnerToken[:])

 	// TODO(dsprenkels) Put this into a template
 	w.WriteHeader(http.StatusOK)
-	fmt.Fprintf(w, "URL saved at %v\n", saveURL)
-	isNotPrint := func(r rune) bool { return !unicode.IsPrint(r) }
-	fmt.Fprintf(w, "Owner key is %s\n", strings.TrimRightFunc(string(base64OwnerToken), isNotPrint))
+	fmt.Fprintf(w, "%v\n", saveURL)
+}
+
+// Delete a URL from the database
+func deletePasteHandler(w http.ResponseWriter, r *http.Request) {
+	// TODO(dsprenkels) LEFT HERE; this functionality still untested
+	vars := mux.Vars(r)
+	key := vars["key"]
+
+	deleteToken, err := getDeleteTokenFromRequest(r)
+	if err != nil {
+		renderError(w, r, http.StatusBadRequest, "invalid delete token")
+		return
+	} else if deleteToken == nil {
+		renderError(w, r, http.StatusBadRequest, "no delete token provided")
+		return
+	}
+
+	var errorCode int
+	if err := db.DB.Update(func(tx *bolt.Tx) error {
+		paste, err := getURL(tx, key)
+		if err != nil {
+			errorCode = http.StatusNotFound
+			return err
+		}
+		if subtle.ConstantTimeCompare(deleteToken[:], paste.DeleteToken[:]) == 1 {
+			// Replace the old paste with a new empty paste
+			return savePaste(tx, key, storedPaste{
+				Key:         paste.Key,
+				State:       stateDeleted,
+				DeleteToken: paste.DeleteToken,
+			})
+		}
+		errorCode = http.StatusForbidden
+		return errors.New("invalid delete token")
+	}); err != nil {
+		log.Printf("error: %v\n", err)
+		renderError(w, r, errorCode, fmt.Sprintf("error: %v", err))
+		return
+	}
 }

 // Retrieve a URL from the database
-func getURL(tx *bolt.Tx, key []byte) (*StoredPaste, error) {
-	shortenBucket := tx.Bucket([]byte(db.BUCKET_PASTES))
-	if shortenBucket == nil {
-		return nil, fmt.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
+func getURL(tx *bolt.Tx, key string) (*storedPaste, error) {
+	pastesBucket := tx.Bucket([]byte(db.BUCKET_PASTES))
+	if pastesBucket == nil {
+		return nil, errors.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
 	}
-	storedBytes := shortenBucket.Get(key)
+	storedBytes := pastesBucket.Get([]byte(key))
 	if storedBytes == nil {
 		return nil, nil
 	}
-	storedPaste := &StoredPaste{}
+	storedPaste := &storedPaste{}
 	err := gobmarsh.Unmarshal(storedBytes, storedPaste)
 	return storedPaste, err
 }
@ -241,10 +301,10 @@ func getURL(tx *bolt.Tx, key []byte) (*StoredPaste, error) {
 // Add a new URL to the database
 //
 // Returns the new ID if the url was successfully shortened
-func shortenURL(tx *bolt.Tx, userURL *url.URL, ownerKey [16]byte) (*StoredPaste, error) {
-	shortenBucket := tx.Bucket([]byte(db.BUCKET_PASTES))
-	if shortenBucket == nil {
-		return nil, fmt.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
+func shortenURL(tx *bolt.Tx, userURL *url.URL, deleteToken [16]byte) (*storedPaste, error) {
+	pastesBucket := tx.Bucket([]byte(db.BUCKET_PASTES))
+	if pastesBucket == nil {
+		return nil, errors.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
 	}

 	// Generate a key until it is not in the database, this occurs in O(log N),
@ -258,7 +318,7 @@ func shortenURL(tx *bolt.Tx, userURL *url.URL, ownerKey [16]byte) (*StoredPaste,
 			return nil, errors.Wrap(err, "url-key generation failed")
 		}

-		found := shortenBucket.Get([]byte(urlKey))
+		found := pastesBucket.Get([]byte(urlKey))
 		if found == nil {
 			break
 		}
@ -278,24 +338,36 @@ func shortenURL(tx *bolt.Tx, userURL *url.URL, ownerKey [16]byte) (*StoredPaste,
 	}

 	// Store the new key
-	storedPaste := StoredPaste{
-		Type:        TypeRedirect,
-		State:       StatePresent,
+	storedPaste := storedPaste{
+		Type:        typeRedirect,
+		State:       statePresent,
 		Content:     []byte(userURL.String()),
 		Key:         urlKey,
-		OwnerToken:  ownerKey,
+		DeleteToken: deleteToken,
 		TimeCreated: time.Now().UTC(),
 	}
-	storedBytes, err := gobmarsh.Marshal(storedPaste)
-	if err != nil {
-		return nil, errors.Wrap(err, "encoding for database failed")
-	}
-	if err := shortenBucket.Put([]byte(urlKey), storedBytes); err != nil {
-		return nil, errors.Wrap(err, "database transaction failed")
+	if err := savePaste(tx, urlKey, storedPaste); err != nil {
+		return nil, err
 	}
 	return &storedPaste, nil
 }

+func savePaste(tx *bolt.Tx, key string, paste storedPaste) error {
+	bucket := tx.Bucket([]byte(db.BUCKET_PASTES))
+	if bucket == nil {
+		return errors.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
+	}
+
+	buf, err := gobmarsh.Marshal(paste)
+	if err != nil {
+		return errors.Wrap(err, "encoding for database failed")
+	}
+	if err := bucket.Put([]byte(key), buf); err != nil {
+		return errors.Wrap(err, "database transaction failed")
+	}
+	return nil
+}
+
 func generateURLKey(epoch int) (string, error) {
 	urlKey := make([]byte, 4+epoch)
 	_, err := rand.Read(urlKey)
@ -331,26 +403,26 @@ func generateURLKey(epoch int) (string, error) {
 	return string(urlKey), nil
 }

-func generateOwnerToken() ([16]byte, error) {
-	var ownerKey [16]byte
-	_, err := rand.Read(ownerKey[:])
+func generateDeleteToken() ([16]byte, error) {
+	var deleteToken [16]byte
+	_, err := rand.Read(deleteToken[:])
 	if err != nil {
-		return ownerKey, err
+		return deleteToken, err
 	}
-	return ownerKey, nil
+	return deleteToken, nil
 }

-func getOwnerTokenFromRequest(r *http.Request) ([16]byte, bool) {
-	var ownerKey [16]byte
-	ownerKeyCookie, err := r.Cookie(CookieOwnerToken)
-	if err != nil && err != http.ErrNoCookie {
-		return ownerKey, false
+func getDeleteTokenFromRequest(r *http.Request) (*[16]byte, error) {
+	deleteTokenQuery := r.URL.Query().Get("deleteToken")
+	if deleteTokenQuery == "" {
+		return nil, nil
 	}
-	if ownerKeyCookie != nil {
-		n, err := base64Encoder.Strict().Decode(ownerKey[:], []byte(ownerKeyCookie.Value))
-		if err == nil || n == 16 {
-			return ownerKey, true
-		}
+	var deleteToken [16]byte
+	n, err := hex.Decode(deleteToken[:], []byte(deleteTokenQuery))
+	if err != nil {
+		return nil, errors.Wrap(err, "decoding hex")
+	} else if n != 16 {
+		return nil, errors.Errorf("invalid deleteToken length (%v bytes)", n)
 	}
-	return ownerKey, false
+	return &deleteToken, nil
 }
--- a/handlers/router.go
+++ b/handlers/router.go
@ -12,10 +12,12 @@ func StartMainServer() {
 	// Initialize Gorilla router
 	router := mux.NewRouter()
 	router.HandleFunc("/", indexGetHandler).Methods("GET")
-	router.HandleFunc("/", indexPostHandler).Methods("POST")
-	router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}", pasteGetHandler).Methods("GET")
-	router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/nr", pasteGetHandlerNoRedirect).Methods("GET")
-	router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/meta", pasteGetHandlerMeta).Methods("GET")
+	router.HandleFunc("/", newPasteHandler).Methods("POST")
+	router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}", viewPasteHandler).Methods("GET")
+	router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/nr", viewPasteHandlerNoRedirect).Methods("GET")
+	router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/meta", viewPasteHandlerMeta).Methods("GET")
+	router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}", deletePasteHandler).Methods("DELETE")
+	router.HandleFunc("/{key:[A-Za-z0-9-_]{4,}}/delete", deletePasteHandler).Methods("POST")

 	srv := &http.Server{
 		Handler:      router,
--- a/handlers/views.go
+++ b/handlers/views.go
@ -79,6 +79,9 @@ func render(w http.ResponseWriter, r *http.Request, tmplName string, data map[st
 		fmt.Fprintf(w, "error parsing Accept header: %v\n", err)
 	}

+	// Add the request to the template data
+	data["Request"] = r
+
 	switch contentType {
 	case "text/plain":
 		w.Header().Set("Content-Type", "text/plain")
@ -97,7 +100,7 @@ func render(w http.ResponseWriter, r *http.Request, tmplName string, data map[st
 		}

 		// Construct a (lazy) plain-text view for inclusion in <pre>
-		pre := func() string {
+		data["Pre"] = func() string {
 			tmpl := textTemplates[tmplName]
 			if tmpl == nil {
 				panic(fmt.Errorf("'%v' not in textTemplates", tmplName))
@ -108,7 +111,6 @@ func render(w http.ResponseWriter, r *http.Request, tmplName string, data map[st
 			}
 			return buf.String()
 		}
-		data = mergeData(map[string]interface{}{"Pre": pre}, data)
 		err = tmpl.Execute(w, data)
 	default:
 		// Fall back to plain text without template
@ -131,15 +133,6 @@ func renderInternalServerError(w http.ResponseWriter, r *http.Request, err inter
 	renderError(w, r, http.StatusInternalServerError, msg)
 }

-// Merge the second data map into the first one, overwriting any key that is
-// already present.
-func mergeData(into, from map[string]interface{}) map[string]interface{} {
-	for k, v := range from {
-		into[k] = v
-	}
-	return into
-}
-
 // Try to resolve the preferred content-type for the response to this request.
 //
 // This is done by reading from the `types` argument. If one of them matches