fix API endpoints which require account authorisation
This commit is contained in:
parent
090de0554b
commit
ad39e68cd6
GPG key ID:
CF99829C92678188
|
|
@ -20,20 +20,20 @@ func Handler(app *model.AppState) http.Handler {
|
|||
mux := http.NewServeMux()
|
||||
|
||||
mux.Handle("/login", loginHandler(app))
|
||||
mux.Handle("/logout", RequireAccount(app, logoutHandler(app)))
|
||||
mux.Handle("/logout", requireAccount(app, logoutHandler(app)))
|
||||
|
||||
mux.Handle("/register", registerAccountHandler(app))
|
||||
|
||||
mux.Handle("/account", RequireAccount(app, accountIndexHandler(app)))
|
||||
mux.Handle("/account/", RequireAccount(app, http.StripPrefix("/account", accountHandler(app))))
|
||||
mux.Handle("/account", requireAccount(app, accountIndexHandler(app)))
|
||||
mux.Handle("/account/", requireAccount(app, http.StripPrefix("/account", accountHandler(app))))
|
||||
|
||||
mux.Handle("/release/", RequireAccount(app, http.StripPrefix("/release", serveRelease(app))))
|
||||
mux.Handle("/artist/", RequireAccount(app, http.StripPrefix("/artist", serveArtist(app))))
|
||||
mux.Handle("/track/", RequireAccount(app, http.StripPrefix("/track", serveTrack(app))))
|
||||
mux.Handle("/release/", requireAccount(app, http.StripPrefix("/release", serveRelease(app))))
|
||||
mux.Handle("/artist/", requireAccount(app, http.StripPrefix("/artist", serveArtist(app))))
|
||||
mux.Handle("/track/", requireAccount(app, http.StripPrefix("/track", serveTrack(app))))
|
||||
|
||||
mux.Handle("/static/", http.StripPrefix("/static", staticHandler()))
|
||||
|
||||
mux.Handle("/", RequireAccount(app, AdminIndexHandler(app)))
|
||||
mux.Handle("/", requireAccount(app, AdminIndexHandler(app)))
|
||||
|
||||
// response wrapper to make sure a session cookie exists
|
||||
return enforceSession(app, mux)
|
||||
|
|
@ -381,7 +381,7 @@ func logoutHandler(app *model.AppState) http.Handler {
|
|||
})
|
||||
}
|
||||
|
||||
func RequireAccount(app *model.AppState, next http.Handler) http.HandlerFunc {
|
||||
func requireAccount(app *model.AppState, next http.Handler) http.HandlerFunc {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
session := r.Context().Value("session").(*model.Session)
|
||||
if session.Account == nil {
|
||||
|
|
|
|||
74
api/api.go
74
api/api.go
|
|
@ -1,11 +1,13 @@
|
|||
package api
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"arimelody-web/admin"
|
||||
"arimelody-web/controller"
|
||||
"arimelody-web/model"
|
||||
)
|
||||
|
|
@ -36,10 +38,10 @@ func Handler(app *model.AppState) http.Handler {
|
|||
ServeArtist(app, artist).ServeHTTP(w, r)
|
||||
case http.MethodPut:
|
||||
// PUT /api/v1/artist/{id} (admin)
|
||||
admin.RequireAccount(app, UpdateArtist(app, artist)).ServeHTTP(w, r)
|
||||
requireAccount(app, UpdateArtist(app, artist)).ServeHTTP(w, r)
|
||||
case http.MethodDelete:
|
||||
// DELETE /api/v1/artist/{id} (admin)
|
||||
admin.RequireAccount(app, DeleteArtist(app, artist)).ServeHTTP(w, r)
|
||||
requireAccount(app, DeleteArtist(app, artist)).ServeHTTP(w, r)
|
||||
default:
|
||||
http.NotFound(w, r)
|
||||
}
|
||||
|
|
@ -51,7 +53,7 @@ func Handler(app *model.AppState) http.Handler {
|
|||
ServeAllArtists(app).ServeHTTP(w, r)
|
||||
case http.MethodPost:
|
||||
// POST /api/v1/artist (admin)
|
||||
admin.RequireAccount(app, CreateArtist(app)).ServeHTTP(w, r)
|
||||
requireAccount(app, CreateArtist(app)).ServeHTTP(w, r)
|
||||
default:
|
||||
http.NotFound(w, r)
|
||||
}
|
||||
|
|
@ -78,10 +80,10 @@ func Handler(app *model.AppState) http.Handler {
|
|||
ServeRelease(app, release).ServeHTTP(w, r)
|
||||
case http.MethodPut:
|
||||
// PUT /api/v1/music/{id} (admin)
|
||||
admin.RequireAccount(app, UpdateRelease(app, release)).ServeHTTP(w, r)
|
||||
requireAccount(app, UpdateRelease(app, release)).ServeHTTP(w, r)
|
||||
case http.MethodDelete:
|
||||
// DELETE /api/v1/music/{id} (admin)
|
||||
admin.RequireAccount(app, DeleteRelease(app, release)).ServeHTTP(w, r)
|
||||
requireAccount(app, DeleteRelease(app, release)).ServeHTTP(w, r)
|
||||
default:
|
||||
http.NotFound(w, r)
|
||||
}
|
||||
|
|
@ -93,7 +95,7 @@ func Handler(app *model.AppState) http.Handler {
|
|||
ServeCatalog(app).ServeHTTP(w, r)
|
||||
case http.MethodPost:
|
||||
// POST /api/v1/music (admin)
|
||||
admin.RequireAccount(app, CreateRelease(app)).ServeHTTP(w, r)
|
||||
requireAccount(app, CreateRelease(app)).ServeHTTP(w, r)
|
||||
default:
|
||||
http.NotFound(w, r)
|
||||
}
|
||||
|
|
@ -117,13 +119,13 @@ func Handler(app *model.AppState) http.Handler {
|
|||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
// GET /api/v1/track/{id} (admin)
|
||||
admin.RequireAccount(app, ServeTrack(app, track)).ServeHTTP(w, r)
|
||||
requireAccount(app, ServeTrack(app, track)).ServeHTTP(w, r)
|
||||
case http.MethodPut:
|
||||
// PUT /api/v1/track/{id} (admin)
|
||||
admin.RequireAccount(app, UpdateTrack(app, track)).ServeHTTP(w, r)
|
||||
requireAccount(app, UpdateTrack(app, track)).ServeHTTP(w, r)
|
||||
case http.MethodDelete:
|
||||
// DELETE /api/v1/track/{id} (admin)
|
||||
admin.RequireAccount(app, DeleteTrack(app, track)).ServeHTTP(w, r)
|
||||
requireAccount(app, DeleteTrack(app, track)).ServeHTTP(w, r)
|
||||
default:
|
||||
http.NotFound(w, r)
|
||||
}
|
||||
|
|
@ -132,10 +134,10 @@ func Handler(app *model.AppState) http.Handler {
|
|||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
// GET /api/v1/track (admin)
|
||||
admin.RequireAccount(app, ServeAllTracks(app)).ServeHTTP(w, r)
|
||||
requireAccount(app, ServeAllTracks(app)).ServeHTTP(w, r)
|
||||
case http.MethodPost:
|
||||
// POST /api/v1/track (admin)
|
||||
admin.RequireAccount(app, CreateTrack(app)).ServeHTTP(w, r)
|
||||
requireAccount(app, CreateTrack(app)).ServeHTTP(w, r)
|
||||
default:
|
||||
http.NotFound(w, r)
|
||||
}
|
||||
|
|
@ -143,3 +145,51 @@ func Handler(app *model.AppState) http.Handler {
|
|||
|
||||
return mux
|
||||
}
|
||||
|
||||
func requireAccount(app *model.AppState, next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
session, err := getSession(app, r)
|
||||
if err != nil {
|
||||
fmt.Fprintf(os.Stderr, "WARN: Failed to get session: %v\n", err)
|
||||
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
if session.Account == nil {
|
||||
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
ctx := context.WithValue(r.Context(), "session", session)
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
})
|
||||
}
|
||||
|
||||
func getSession(app *model.AppState, r *http.Request) (*model.Session, error) {
|
||||
var token string
|
||||
|
||||
// check cookies first
|
||||
sessionCookie, err := r.Cookie(model.COOKIE_TOKEN)
|
||||
if err != nil && err != http.ErrNoCookie {
|
||||
return nil, errors.New(fmt.Sprintf("Failed to retrieve session cookie: %v\n", err))
|
||||
}
|
||||
if sessionCookie != nil {
|
||||
token = sessionCookie.Value
|
||||
} else {
|
||||
// check Authorization header
|
||||
token = strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
|
||||
}
|
||||
|
||||
if token == "" { return nil, nil }
|
||||
|
||||
// fetch existing session
|
||||
session, err := controller.GetSession(app.DB, token)
|
||||
|
||||
if err != nil && !strings.Contains(err.Error(), "no rows") {
|
||||
return nil, errors.New(fmt.Sprintf("Failed to retrieve session: %v\n", err))
|
||||
}
|
||||
|
||||
if session != nil {
|
||||
// TODO: consider running security checks here (i.e. user agent mismatches)
|
||||
}
|
||||
|
||||
return session, nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue