fix API endpoints which require account authorisation
This commit is contained in:
parent
090de0554b
commit
ad39e68cd6
GPG key ID:
CF99829C92678188
|
|
@ -20,20 +20,20 @@ func Handler(app *model.AppState) http.Handler {
|
||||||
mux := http.NewServeMux()
|
mux := http.NewServeMux()
|
||||||
|
|
||||||
mux.Handle("/login", loginHandler(app))
|
mux.Handle("/login", loginHandler(app))
|
||||||
mux.Handle("/logout", RequireAccount(app, logoutHandler(app)))
|
mux.Handle("/logout", requireAccount(app, logoutHandler(app)))
|
||||||
|
|
||||||
mux.Handle("/register", registerAccountHandler(app))
|
mux.Handle("/register", registerAccountHandler(app))
|
||||||
|
|
||||||
mux.Handle("/account", RequireAccount(app, accountIndexHandler(app)))
|
mux.Handle("/account", requireAccount(app, accountIndexHandler(app)))
|
||||||
mux.Handle("/account/", RequireAccount(app, http.StripPrefix("/account", accountHandler(app))))
|
mux.Handle("/account/", requireAccount(app, http.StripPrefix("/account", accountHandler(app))))
|
||||||
|
|
||||||
mux.Handle("/release/", RequireAccount(app, http.StripPrefix("/release", serveRelease(app))))
|
mux.Handle("/release/", requireAccount(app, http.StripPrefix("/release", serveRelease(app))))
|
||||||
mux.Handle("/artist/", RequireAccount(app, http.StripPrefix("/artist", serveArtist(app))))
|
mux.Handle("/artist/", requireAccount(app, http.StripPrefix("/artist", serveArtist(app))))
|
||||||
mux.Handle("/track/", RequireAccount(app, http.StripPrefix("/track", serveTrack(app))))
|
mux.Handle("/track/", requireAccount(app, http.StripPrefix("/track", serveTrack(app))))
|
||||||
|
|
||||||
mux.Handle("/static/", http.StripPrefix("/static", staticHandler()))
|
mux.Handle("/static/", http.StripPrefix("/static", staticHandler()))
|
||||||
|
|
||||||
mux.Handle("/", RequireAccount(app, AdminIndexHandler(app)))
|
mux.Handle("/", requireAccount(app, AdminIndexHandler(app)))
|
||||||
|
|
||||||
// response wrapper to make sure a session cookie exists
|
// response wrapper to make sure a session cookie exists
|
||||||
return enforceSession(app, mux)
|
return enforceSession(app, mux)
|
||||||
|
|
@ -381,7 +381,7 @@ func logoutHandler(app *model.AppState) http.Handler {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
func RequireAccount(app *model.AppState, next http.Handler) http.HandlerFunc {
|
func requireAccount(app *model.AppState, next http.Handler) http.HandlerFunc {
|
||||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
session := r.Context().Value("session").(*model.Session)
|
session := r.Context().Value("session").(*model.Session)
|
||||||
if session.Account == nil {
|
if session.Account == nil {
|
||||||
|
|
|
||||||
74
api/api.go
74
api/api.go
|
|
@ -1,11 +1,13 @@
|
||||||
package api
|
package api
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"os"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"arimelody-web/admin"
|
|
||||||
"arimelody-web/controller"
|
"arimelody-web/controller"
|
||||||
"arimelody-web/model"
|
"arimelody-web/model"
|
||||||
)
|
)
|
||||||
|
|
@ -36,10 +38,10 @@ func Handler(app *model.AppState) http.Handler {
|
||||||
ServeArtist(app, artist).ServeHTTP(w, r)
|
ServeArtist(app, artist).ServeHTTP(w, r)
|
||||||
case http.MethodPut:
|
case http.MethodPut:
|
||||||
// PUT /api/v1/artist/{id} (admin)
|
// PUT /api/v1/artist/{id} (admin)
|
||||||
admin.RequireAccount(app, UpdateArtist(app, artist)).ServeHTTP(w, r)
|
requireAccount(app, UpdateArtist(app, artist)).ServeHTTP(w, r)
|
||||||
case http.MethodDelete:
|
case http.MethodDelete:
|
||||||
// DELETE /api/v1/artist/{id} (admin)
|
// DELETE /api/v1/artist/{id} (admin)
|
||||||
admin.RequireAccount(app, DeleteArtist(app, artist)).ServeHTTP(w, r)
|
requireAccount(app, DeleteArtist(app, artist)).ServeHTTP(w, r)
|
||||||
default:
|
default:
|
||||||
http.NotFound(w, r)
|
http.NotFound(w, r)
|
||||||
}
|
}
|
||||||
|
|
@ -51,7 +53,7 @@ func Handler(app *model.AppState) http.Handler {
|
||||||
ServeAllArtists(app).ServeHTTP(w, r)
|
ServeAllArtists(app).ServeHTTP(w, r)
|
||||||
case http.MethodPost:
|
case http.MethodPost:
|
||||||
// POST /api/v1/artist (admin)
|
// POST /api/v1/artist (admin)
|
||||||
admin.RequireAccount(app, CreateArtist(app)).ServeHTTP(w, r)
|
requireAccount(app, CreateArtist(app)).ServeHTTP(w, r)
|
||||||
default:
|
default:
|
||||||
http.NotFound(w, r)
|
http.NotFound(w, r)
|
||||||
}
|
}
|
||||||
|
|
@ -78,10 +80,10 @@ func Handler(app *model.AppState) http.Handler {
|
||||||
ServeRelease(app, release).ServeHTTP(w, r)
|
ServeRelease(app, release).ServeHTTP(w, r)
|
||||||
case http.MethodPut:
|
case http.MethodPut:
|
||||||
// PUT /api/v1/music/{id} (admin)
|
// PUT /api/v1/music/{id} (admin)
|
||||||
admin.RequireAccount(app, UpdateRelease(app, release)).ServeHTTP(w, r)
|
requireAccount(app, UpdateRelease(app, release)).ServeHTTP(w, r)
|
||||||
case http.MethodDelete:
|
case http.MethodDelete:
|
||||||
// DELETE /api/v1/music/{id} (admin)
|
// DELETE /api/v1/music/{id} (admin)
|
||||||
admin.RequireAccount(app, DeleteRelease(app, release)).ServeHTTP(w, r)
|
requireAccount(app, DeleteRelease(app, release)).ServeHTTP(w, r)
|
||||||
default:
|
default:
|
||||||
http.NotFound(w, r)
|
http.NotFound(w, r)
|
||||||
}
|
}
|
||||||
|
|
@ -93,7 +95,7 @@ func Handler(app *model.AppState) http.Handler {
|
||||||
ServeCatalog(app).ServeHTTP(w, r)
|
ServeCatalog(app).ServeHTTP(w, r)
|
||||||
case http.MethodPost:
|
case http.MethodPost:
|
||||||
// POST /api/v1/music (admin)
|
// POST /api/v1/music (admin)
|
||||||
admin.RequireAccount(app, CreateRelease(app)).ServeHTTP(w, r)
|
requireAccount(app, CreateRelease(app)).ServeHTTP(w, r)
|
||||||
default:
|
default:
|
||||||
http.NotFound(w, r)
|
http.NotFound(w, r)
|
||||||
}
|
}
|
||||||
|
|
@ -117,13 +119,13 @@ func Handler(app *model.AppState) http.Handler {
|
||||||
switch r.Method {
|
switch r.Method {
|
||||||
case http.MethodGet:
|
case http.MethodGet:
|
||||||
// GET /api/v1/track/{id} (admin)
|
// GET /api/v1/track/{id} (admin)
|
||||||
admin.RequireAccount(app, ServeTrack(app, track)).ServeHTTP(w, r)
|
requireAccount(app, ServeTrack(app, track)).ServeHTTP(w, r)
|
||||||
case http.MethodPut:
|
case http.MethodPut:
|
||||||
// PUT /api/v1/track/{id} (admin)
|
// PUT /api/v1/track/{id} (admin)
|
||||||
admin.RequireAccount(app, UpdateTrack(app, track)).ServeHTTP(w, r)
|
requireAccount(app, UpdateTrack(app, track)).ServeHTTP(w, r)
|
||||||
case http.MethodDelete:
|
case http.MethodDelete:
|
||||||
// DELETE /api/v1/track/{id} (admin)
|
// DELETE /api/v1/track/{id} (admin)
|
||||||
admin.RequireAccount(app, DeleteTrack(app, track)).ServeHTTP(w, r)
|
requireAccount(app, DeleteTrack(app, track)).ServeHTTP(w, r)
|
||||||
default:
|
default:
|
||||||
http.NotFound(w, r)
|
http.NotFound(w, r)
|
||||||
}
|
}
|
||||||
|
|
@ -132,10 +134,10 @@ func Handler(app *model.AppState) http.Handler {
|
||||||
switch r.Method {
|
switch r.Method {
|
||||||
case http.MethodGet:
|
case http.MethodGet:
|
||||||
// GET /api/v1/track (admin)
|
// GET /api/v1/track (admin)
|
||||||
admin.RequireAccount(app, ServeAllTracks(app)).ServeHTTP(w, r)
|
requireAccount(app, ServeAllTracks(app)).ServeHTTP(w, r)
|
||||||
case http.MethodPost:
|
case http.MethodPost:
|
||||||
// POST /api/v1/track (admin)
|
// POST /api/v1/track (admin)
|
||||||
admin.RequireAccount(app, CreateTrack(app)).ServeHTTP(w, r)
|
requireAccount(app, CreateTrack(app)).ServeHTTP(w, r)
|
||||||
default:
|
default:
|
||||||
http.NotFound(w, r)
|
http.NotFound(w, r)
|
||||||
}
|
}
|
||||||
|
|
@ -143,3 +145,51 @@ func Handler(app *model.AppState) http.Handler {
|
||||||
|
|
||||||
return mux
|
return mux
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func requireAccount(app *model.AppState, next http.Handler) http.Handler {
|
||||||
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
session, err := getSession(app, r)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Fprintf(os.Stderr, "WARN: Failed to get session: %v\n", err)
|
||||||
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if session.Account == nil {
|
||||||
|
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
ctx := context.WithValue(r.Context(), "session", session)
|
||||||
|
next.ServeHTTP(w, r.WithContext(ctx))
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func getSession(app *model.AppState, r *http.Request) (*model.Session, error) {
|
||||||
|
var token string
|
||||||
|
|
||||||
|
// check cookies first
|
||||||
|
sessionCookie, err := r.Cookie(model.COOKIE_TOKEN)
|
||||||
|
if err != nil && err != http.ErrNoCookie {
|
||||||
|
return nil, errors.New(fmt.Sprintf("Failed to retrieve session cookie: %v\n", err))
|
||||||
|
}
|
||||||
|
if sessionCookie != nil {
|
||||||
|
token = sessionCookie.Value
|
||||||
|
} else {
|
||||||
|
// check Authorization header
|
||||||
|
token = strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
|
||||||
|
}
|
||||||
|
|
||||||
|
if token == "" { return nil, nil }
|
||||||
|
|
||||||
|
// fetch existing session
|
||||||
|
session, err := controller.GetSession(app.DB, token)
|
||||||
|
|
||||||
|
if err != nil && !strings.Contains(err.Error(), "no rows") {
|
||||||
|
return nil, errors.New(fmt.Sprintf("Failed to retrieve session: %v\n", err))
|
||||||
|
}
|
||||||
|
|
||||||
|
if session != nil {
|
||||||
|
// TODO: consider running security checks here (i.e. user agent mismatches)
|
||||||
|
}
|
||||||
|
|
||||||
|
return session, nil
|
||||||
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue