fix API endpoints which require account authorisation

2025-01-24 18:49:04 +00:00 · 2025-01-24 18:49:04 +00:00 · ad39e68cd6
parent 090de0554b
commit ad39e68cd6
2 changed files with 70 additions and 20 deletions
--- a/admin/http.go
+++ b/admin/http.go
@ -20,20 +20,20 @@ func Handler(app *model.AppState) http.Handler {
    mux := http.NewServeMux()

    mux.Handle("/login", loginHandler(app))
-    mux.Handle("/logout", RequireAccount(app, logoutHandler(app)))
+    mux.Handle("/logout", requireAccount(app, logoutHandler(app)))

    mux.Handle("/register", registerAccountHandler(app))

-    mux.Handle("/account", RequireAccount(app, accountIndexHandler(app)))
-    mux.Handle("/account/", RequireAccount(app, http.StripPrefix("/account", accountHandler(app))))
+    mux.Handle("/account", requireAccount(app, accountIndexHandler(app)))
+    mux.Handle("/account/", requireAccount(app, http.StripPrefix("/account", accountHandler(app))))

-    mux.Handle("/release/", RequireAccount(app, http.StripPrefix("/release", serveRelease(app))))
-    mux.Handle("/artist/", RequireAccount(app, http.StripPrefix("/artist", serveArtist(app))))
-    mux.Handle("/track/", RequireAccount(app, http.StripPrefix("/track", serveTrack(app))))
+    mux.Handle("/release/", requireAccount(app, http.StripPrefix("/release", serveRelease(app))))
+    mux.Handle("/artist/", requireAccount(app, http.StripPrefix("/artist", serveArtist(app))))
+    mux.Handle("/track/", requireAccount(app, http.StripPrefix("/track", serveTrack(app))))

    mux.Handle("/static/", http.StripPrefix("/static", staticHandler()))

-    mux.Handle("/", RequireAccount(app, AdminIndexHandler(app)))
+    mux.Handle("/", requireAccount(app, AdminIndexHandler(app)))

    // response wrapper to make sure a session cookie exists
    return enforceSession(app, mux)
@ -381,7 +381,7 @@ func logoutHandler(app *model.AppState) http.Handler {
    })
 }

-func RequireAccount(app *model.AppState, next http.Handler) http.HandlerFunc {
+func requireAccount(app *model.AppState, next http.Handler) http.HandlerFunc {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        session := r.Context().Value("session").(*model.Session)
        if session.Account == nil {
--- a/api/api.go
+++ b/api/api.go
@ -1,11 +1,13 @@
 package api

 import (
+	"context"
+	"errors"
 	"fmt"
 	"net/http"
+	"os"
 	"strings"

-	"arimelody-web/admin"
 	"arimelody-web/controller"
 	"arimelody-web/model"
 )
@ -36,10 +38,10 @@ func Handler(app *model.AppState) http.Handler {
            ServeArtist(app, artist).ServeHTTP(w, r)
        case http.MethodPut:
            // PUT /api/v1/artist/{id} (admin)
-            admin.RequireAccount(app, UpdateArtist(app, artist)).ServeHTTP(w, r)
+            requireAccount(app, UpdateArtist(app, artist)).ServeHTTP(w, r)
        case http.MethodDelete:
            // DELETE /api/v1/artist/{id} (admin)
-            admin.RequireAccount(app, DeleteArtist(app, artist)).ServeHTTP(w, r)
+            requireAccount(app, DeleteArtist(app, artist)).ServeHTTP(w, r)
        default:
            http.NotFound(w, r)
        }
@ -51,7 +53,7 @@ func Handler(app *model.AppState) http.Handler {
            ServeAllArtists(app).ServeHTTP(w, r)
        case http.MethodPost:
            // POST /api/v1/artist (admin)
-            admin.RequireAccount(app, CreateArtist(app)).ServeHTTP(w, r)
+            requireAccount(app, CreateArtist(app)).ServeHTTP(w, r)
        default:
            http.NotFound(w, r)
        }
@ -78,10 +80,10 @@ func Handler(app *model.AppState) http.Handler {
            ServeRelease(app, release).ServeHTTP(w, r)
        case http.MethodPut:
            // PUT /api/v1/music/{id} (admin)
-            admin.RequireAccount(app, UpdateRelease(app, release)).ServeHTTP(w, r)
+            requireAccount(app, UpdateRelease(app, release)).ServeHTTP(w, r)
        case http.MethodDelete:
            // DELETE /api/v1/music/{id} (admin)
-            admin.RequireAccount(app, DeleteRelease(app, release)).ServeHTTP(w, r)
+            requireAccount(app, DeleteRelease(app, release)).ServeHTTP(w, r)
        default:
            http.NotFound(w, r)
        }
@ -93,7 +95,7 @@ func Handler(app *model.AppState) http.Handler {
            ServeCatalog(app).ServeHTTP(w, r)
        case http.MethodPost:
            // POST /api/v1/music (admin)
-            admin.RequireAccount(app, CreateRelease(app)).ServeHTTP(w, r)
+            requireAccount(app, CreateRelease(app)).ServeHTTP(w, r)
        default:
            http.NotFound(w, r)
        }
@ -117,13 +119,13 @@ func Handler(app *model.AppState) http.Handler {
        switch r.Method {
        case http.MethodGet:
            // GET /api/v1/track/{id} (admin)
-            admin.RequireAccount(app, ServeTrack(app, track)).ServeHTTP(w, r)
+            requireAccount(app, ServeTrack(app, track)).ServeHTTP(w, r)
        case http.MethodPut:
            // PUT /api/v1/track/{id} (admin)
-            admin.RequireAccount(app, UpdateTrack(app, track)).ServeHTTP(w, r)
+            requireAccount(app, UpdateTrack(app, track)).ServeHTTP(w, r)
        case http.MethodDelete:
            // DELETE /api/v1/track/{id} (admin)
-            admin.RequireAccount(app, DeleteTrack(app, track)).ServeHTTP(w, r)
+            requireAccount(app, DeleteTrack(app, track)).ServeHTTP(w, r)
        default:
            http.NotFound(w, r)
        }
@ -132,10 +134,10 @@ func Handler(app *model.AppState) http.Handler {
        switch r.Method {
        case http.MethodGet:
            // GET /api/v1/track (admin)
-            admin.RequireAccount(app, ServeAllTracks(app)).ServeHTTP(w, r)
+            requireAccount(app, ServeAllTracks(app)).ServeHTTP(w, r)
        case http.MethodPost:
            // POST /api/v1/track (admin)
-            admin.RequireAccount(app, CreateTrack(app)).ServeHTTP(w, r)
+            requireAccount(app, CreateTrack(app)).ServeHTTP(w, r)
        default:
            http.NotFound(w, r)
        }
@ -143,3 +145,51 @@ func Handler(app *model.AppState) http.Handler {

    return mux
 }
+
+func requireAccount(app *model.AppState, next http.Handler) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        session, err := getSession(app, r)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to get session: %v\n", err)
+            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            return
+        }
+        if session.Account == nil {
+            http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+            return
+        }
+        ctx := context.WithValue(r.Context(), "session", session)
+        next.ServeHTTP(w, r.WithContext(ctx))
+    })
+}
+
+func getSession(app *model.AppState, r *http.Request) (*model.Session, error) {
+    var token string
+
+    // check cookies first
+    sessionCookie, err := r.Cookie(model.COOKIE_TOKEN)
+    if err != nil && err != http.ErrNoCookie {
+        return nil, errors.New(fmt.Sprintf("Failed to retrieve session cookie: %v\n", err))
+    }
+    if sessionCookie != nil {
+        token = sessionCookie.Value
+    } else {
+        // check Authorization header
+        token = strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
+    }
+
+    if token == "" { return nil, nil }
+
+    // fetch existing session
+    session, err := controller.GetSession(app.DB, token)
+
+    if err != nil && !strings.Contains(err.Error(), "no rows") {
+        return nil, errors.New(fmt.Sprintf("Failed to retrieve session: %v\n", err))
+    }
+
+    if session != nil {
+        // TODO: consider running security checks here (i.e. user agent mismatches)
+    }
+
+    return session, nil
+}