package admin import ( "context" "fmt" "net/http" "os" "path/filepath" "strings" "time" "arimelody-web/controller" "arimelody-web/global" "arimelody-web/model" "github.com/jmoiron/sqlx" "golang.org/x/crypto/bcrypt" ) type TemplateData struct { Account *model.Account Token string } func Handler(db *sqlx.DB) http.Handler { mux := http.NewServeMux() mux.Handle("/login", LoginHandler(db)) mux.Handle("/register", createAccountHandler(db)) mux.Handle("/logout", RequireAccount(db, LogoutHandler(db))) mux.Handle("/account", RequireAccount(db, AccountHandler(db))) mux.Handle("/static/", http.StripPrefix("/static", staticHandler())) mux.Handle("/release/", RequireAccount(db, http.StripPrefix("/release", serveRelease()))) mux.Handle("/artist/", RequireAccount(db, http.StripPrefix("/artist", serveArtist()))) mux.Handle("/track/", RequireAccount(db, http.StripPrefix("/track", serveTrack()))) mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.URL.Path != "/" { http.NotFound(w, r) return } account, err := controller.GetAccountByRequest(db, r) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %s\n", err) } if account == nil { http.Redirect(w, r, "/admin/login", http.StatusFound) return } releases, err := controller.GetAllReleases(db, false, 0, true) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to pull releases: %s\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } artists, err := controller.GetAllArtists(db) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to pull artists: %s\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } tracks, err := controller.GetOrphanTracks(db) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to pull orphan tracks: %s\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } type IndexData struct { Account *model.Account Releases []*model.Release Artists []*model.Artist Tracks []*model.Track } err = pages["index"].Execute(w, IndexData{ Account: account, Releases: releases, Artists: artists, Tracks: tracks, }) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to render admin index: %s\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } })) return mux } func RequireAccount(db *sqlx.DB, next http.Handler) http.HandlerFunc { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { account, err := controller.GetAccountByRequest(db, r) if err != nil { http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err) return } if account == nil { // TODO: include context in redirect http.Redirect(w, r, "/admin/login", http.StatusFound) return } ctx := context.WithValue(r.Context(), "account", account) next.ServeHTTP(w, r.WithContext(ctx)) }) } func LoginHandler(db *sqlx.DB) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.Method == http.MethodGet { account, err := controller.GetAccountByRequest(db, r) if err != nil { http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err) return } if account != nil { http.Redirect(w, r, "/admin", http.StatusFound) return } err = pages["login"].Execute(w, TemplateData{}) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Error rendering admin login page: %s\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } return } if r.Method != http.MethodPost { http.NotFound(w, r); return } err := r.ParseForm() if err != nil { http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) return } type LoginRequest struct { Username string `json:"username"` Password string `json:"password"` TOTP string `json:"totp"` } credentials := LoginRequest{ Username: r.Form.Get("username"), Password: r.Form.Get("password"), TOTP: r.Form.Get("totp"), } account, err := controller.GetAccount(db, credentials.Username) if err != nil { http.Error(w, "Invalid username or password", http.StatusBadRequest) return } if account == nil { http.Error(w, "Invalid username or password", http.StatusBadRequest) return } err = bcrypt.CompareHashAndPassword([]byte(account.Password), []byte(credentials.Password)) if err != nil { http.Error(w, "Invalid username or password", http.StatusBadRequest) return } // TODO: check TOTP // login success! token, err := controller.CreateToken(db, account.ID, r.UserAgent()) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to create token: %v\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } cookie := http.Cookie{} cookie.Name = global.COOKIE_TOKEN cookie.Value = token.Token cookie.Expires = token.ExpiresAt if strings.HasPrefix(global.Config.BaseUrl, "https") { cookie.Secure = true } cookie.HttpOnly = true cookie.Path = "/" http.SetCookie(w, &cookie) err = pages["login"].Execute(w, TemplateData{ Account: account, Token: token.Token, }) if err != nil { fmt.Printf("Error rendering admin login page: %s\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } }) } func LogoutHandler(db *sqlx.DB) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodGet { http.NotFound(w, r) return } tokenStr := controller.GetTokenFromRequest(db, r) if len(tokenStr) > 0 { err := controller.DeleteToken(db, tokenStr) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to revoke token: %v\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } } cookie := http.Cookie{} cookie.Name = global.COOKIE_TOKEN cookie.Value = "" cookie.Expires = time.Now() if strings.HasPrefix(global.Config.BaseUrl, "https") { cookie.Secure = true } cookie.HttpOnly = true cookie.Path = "/" http.SetCookie(w, &cookie) http.Redirect(w, r, "/admin/login", http.StatusFound) }) } func createAccountHandler(db *sqlx.DB) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { checkAccount, err := controller.GetAccountByRequest(db, r) if err != nil { fmt.Printf("WARN: Failed to fetch account: %s\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } if checkAccount != nil { // user is already logged in http.Redirect(w, r, "/admin", http.StatusFound) return } type CreateAccountResponse struct { Account *model.Account Message string } render := func(data CreateAccountResponse) { err := pages["create-account"].Execute(w, data) if err != nil { fmt.Printf("WARN: Error rendering create account page: %s\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) } } if r.Method == http.MethodGet { render(CreateAccountResponse{}) return } if r.Method != http.MethodPost { http.NotFound(w, r) return } err = r.ParseForm() if err != nil { render(CreateAccountResponse{ Message: "Malformed data.", }) return } type RegisterRequest struct { Username string `json:"username"` Email string `json:"email"` Password string `json:"password"` Invite string `json:"invite"` } credentials := RegisterRequest{ Username: r.Form.Get("username"), Email: r.Form.Get("email"), Password: r.Form.Get("password"), Invite: r.Form.Get("invite"), } // make sure code exists in DB invite, err := controller.GetInvite(db, credentials.Invite) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve invite: %v\n", err) render(CreateAccountResponse{ Message: "Something went wrong. Please try again.", }) return } if invite == nil || time.Now().After(invite.ExpiresAt) { if invite != nil { err := controller.DeleteInvite(db, invite.Code) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to delete expired invite: %v\n", err) } } render(CreateAccountResponse{ Message: "Invalid invite code.", }) return } hashedPassword, err := bcrypt.GenerateFromPassword([]byte(credentials.Password), bcrypt.DefaultCost) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to generate password hash: %v\n", err) render(CreateAccountResponse{ Message: "Something went wrong. Please try again.", }) return } account := model.Account{ Username: credentials.Username, Password: string(hashedPassword), Email: credentials.Email, AvatarURL: "/img/default-avatar.png", } err = controller.CreateAccount(db, &account) if err != nil { if strings.HasPrefix(err.Error(), "pq: duplicate key") { render(CreateAccountResponse{ Message: "An account with that username already exists.", }) return } fmt.Fprintf(os.Stderr, "WARN: Failed to create account: %v\n", err) render(CreateAccountResponse{ Message: "Something went wrong. Please try again.", }) return } err = controller.DeleteInvite(db, invite.Code) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to delete expired invite: %v\n", err) } // registration success! token, err := controller.CreateToken(db, account.ID, r.UserAgent()) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to create token: %v\n", err) // gracefully redirect user to login page http.Redirect(w, r, "/admin/login", http.StatusFound) return } cookie := http.Cookie{} cookie.Name = global.COOKIE_TOKEN cookie.Value = token.Token cookie.Expires = token.ExpiresAt if strings.HasPrefix(global.Config.BaseUrl, "https") { cookie.Secure = true } cookie.HttpOnly = true cookie.Path = "/" http.SetCookie(w, &cookie) err = pages["login"].Execute(w, TemplateData{ Account: &account, Token: token.Token, }) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to render login page: %v\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } }) } func staticHandler() http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { info, err := os.Stat(filepath.Join("admin", "static", filepath.Clean(r.URL.Path))) // does the file exist? if err != nil { if os.IsNotExist(err) { http.NotFound(w, r) return } } // is thjs a directory? (forbidden) if info.IsDir() { http.NotFound(w, r) return } http.FileServer(http.Dir(filepath.Join("admin", "static"))).ServeHTTP(w, r) }) }