appview/middleware/middleware.go at push-sssuxsytslts · julien.rbrt.fr/tangled-core

Monorepo for Tangled — https://tangled.org
tangled-core / appview / middleware / middleware.go
at push-sssuxsytslts 8.6 kB view raw
  1package middleware
  2
  3import (
  4	"context"
  5	"fmt"
  6	"log"
  7	"net/http"
  8	"net/url"
  9	"slices"
 10	"strconv"
 11	"strings"
 12	"time"
 13
 14	"github.com/bluesky-social/indigo/atproto/identity"
 15	"github.com/go-chi/chi/v5"
 16	"tangled.sh/tangled.sh/core/appview/db"
 17	"tangled.sh/tangled.sh/core/appview/oauth"
 18	"tangled.sh/tangled.sh/core/appview/pages"
 19	"tangled.sh/tangled.sh/core/appview/pagination"
 20	"tangled.sh/tangled.sh/core/appview/reporesolver"
 21	"tangled.sh/tangled.sh/core/idresolver"
 22	"tangled.sh/tangled.sh/core/rbac"
 23)
 24
 25type Middleware struct {
 26	oauth        *oauth.OAuth
 27	db           *db.DB
 28	enforcer     *rbac.Enforcer
 29	repoResolver *reporesolver.RepoResolver
 30	idResolver   *idresolver.Resolver
 31	pages        *pages.Pages
 32}
 33
 34func New(oauth *oauth.OAuth, db *db.DB, enforcer *rbac.Enforcer, repoResolver *reporesolver.RepoResolver, idResolver *idresolver.Resolver, pages *pages.Pages) Middleware {
 35	return Middleware{
 36		oauth:        oauth,
 37		db:           db,
 38		enforcer:     enforcer,
 39		repoResolver: repoResolver,
 40		idResolver:   idResolver,
 41		pages:        pages,
 42	}
 43}
 44
 45type middlewareFunc func(http.Handler) http.Handler
 46
 47func AuthMiddleware(a *oauth.OAuth) middlewareFunc {
 48	return func(next http.Handler) http.Handler {
 49		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 50			returnURL := "/"
 51			if u, err := url.Parse(r.Header.Get("Referer")); err == nil {
 52				returnURL = u.RequestURI()
 53			}
 54
 55			loginURL := fmt.Sprintf("/login?return_url=%s", url.QueryEscape(returnURL))
 56
 57			redirectFunc := func(w http.ResponseWriter, r *http.Request) {
 58				http.Redirect(w, r, loginURL, http.StatusTemporaryRedirect)
 59			}
 60			if r.Header.Get("HX-Request") == "true" {
 61				redirectFunc = func(w http.ResponseWriter, _ *http.Request) {
 62					w.Header().Set("HX-Redirect", loginURL)
 63					w.WriteHeader(http.StatusOK)
 64				}
 65			}
 66
 67			_, auth, err := a.GetSession(r)
 68			if err != nil {
 69				log.Println("not logged in, redirecting", "err", err)
 70				redirectFunc(w, r)
 71				return
 72			}
 73
 74			if !auth {
 75				log.Printf("not logged in, redirecting")
 76				redirectFunc(w, r)
 77				return
 78			}
 79
 80			next.ServeHTTP(w, r)
 81		})
 82	}
 83}
 84
 85func Paginate(next http.Handler) http.Handler {
 86	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 87		page := pagination.FirstPage()
 88
 89		offsetVal := r.URL.Query().Get("offset")
 90		if offsetVal != "" {
 91			offset, err := strconv.Atoi(offsetVal)
 92			if err != nil {
 93				log.Println("invalid offset")
 94			} else {
 95				page.Offset = offset
 96			}
 97		}
 98
 99		limitVal := r.URL.Query().Get("limit")
100		if limitVal != "" {
101			limit, err := strconv.Atoi(limitVal)
102			if err != nil {
103				log.Println("invalid limit")
104			} else {
105				page.Limit = limit
106			}
107		}
108
109		ctx := context.WithValue(r.Context(), "page", page)
110		next.ServeHTTP(w, r.WithContext(ctx))
111	})
112}
113
114func (mw Middleware) knotRoleMiddleware(group string) middlewareFunc {
115	return func(next http.Handler) http.Handler {
116		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
117			// requires auth also
118			actor := mw.oauth.GetUser(r)
119			if actor == nil {
120				// we need a logged in user
121				log.Printf("not logged in, redirecting")
122				http.Error(w, "Forbiden", http.StatusUnauthorized)
123				return
124			}
125			domain := chi.URLParam(r, "domain")
126			if domain == "" {
127				http.Error(w, "malformed url", http.StatusBadRequest)
128				return
129			}
130
131			ok, err := mw.enforcer.E.HasGroupingPolicy(actor.Did, group, domain)
132			if err != nil || !ok {
133				// we need a logged in user
134				log.Printf("%s does not have perms of a %s in domain %s", actor.Did, group, domain)
135				http.Error(w, "Forbiden", http.StatusUnauthorized)
136				return
137			}
138
139			next.ServeHTTP(w, r)
140		})
141	}
142}
143
144func (mw Middleware) KnotOwner() middlewareFunc {
145	return mw.knotRoleMiddleware("server:owner")
146}
147
148func (mw Middleware) RepoPermissionMiddleware(requiredPerm string) middlewareFunc {
149	return func(next http.Handler) http.Handler {
150		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
151			// requires auth also
152			actor := mw.oauth.GetUser(r)
153			if actor == nil {
154				// we need a logged in user
155				log.Printf("not logged in, redirecting")
156				http.Error(w, "Forbiden", http.StatusUnauthorized)
157				return
158			}
159			f, err := mw.repoResolver.Resolve(r)
160			if err != nil {
161				http.Error(w, "malformed url", http.StatusBadRequest)
162				return
163			}
164
165			ok, err := mw.enforcer.E.Enforce(actor.Did, f.Knot, f.DidSlashRepo(), requiredPerm)
166			if err != nil || !ok {
167				// we need a logged in user
168				log.Printf("%s does not have perms of a %s in repo %s", actor.Did, requiredPerm, f.OwnerSlashRepo())
169				http.Error(w, "Forbiden", http.StatusUnauthorized)
170				return
171			}
172
173			next.ServeHTTP(w, r)
174		})
175	}
176}
177
178func (mw Middleware) ResolveIdent() middlewareFunc {
179	excluded := []string{"favicon.ico"}
180
181	return func(next http.Handler) http.Handler {
182		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
183			didOrHandle := chi.URLParam(req, "user")
184			if slices.Contains(excluded, didOrHandle) {
185				next.ServeHTTP(w, req)
186				return
187			}
188
189			didOrHandle = strings.TrimPrefix(didOrHandle, "@")
190
191			id, err := mw.idResolver.ResolveIdent(req.Context(), didOrHandle)
192			if err != nil {
193				// invalid did or handle
194				log.Printf("failed to resolve did/handle '%s': %s\n", didOrHandle, err)
195				mw.pages.Error404(w)
196				return
197			}
198
199			ctx := context.WithValue(req.Context(), "resolvedId", *id)
200
201			next.ServeHTTP(w, req.WithContext(ctx))
202		})
203	}
204}
205
206func (mw Middleware) ResolveRepo() middlewareFunc {
207	return func(next http.Handler) http.Handler {
208		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
209			repoName := chi.URLParam(req, "repo")
210			id, ok := req.Context().Value("resolvedId").(identity.Identity)
211			if !ok {
212				log.Println("malformed middleware")
213				w.WriteHeader(http.StatusInternalServerError)
214				return
215			}
216
217			repo, err := db.GetRepo(mw.db, id.DID.String(), repoName)
218			if err != nil {
219				// invalid did or handle
220				log.Println("failed to resolve repo")
221				mw.pages.Error404(w)
222				return
223			}
224
225			ctx := context.WithValue(req.Context(), "knot", repo.Knot)
226			ctx = context.WithValue(ctx, "repoAt", repo.AtUri)
227			ctx = context.WithValue(ctx, "repoDescription", repo.Description)
228			ctx = context.WithValue(ctx, "repoSpindle", repo.Spindle)
229			ctx = context.WithValue(ctx, "repoAddedAt", repo.Created.Format(time.RFC3339))
230			next.ServeHTTP(w, req.WithContext(ctx))
231		})
232	}
233}
234
235// middleware that is tacked on top of /{user}/{repo}/pulls/{pull}
236func (mw Middleware) ResolvePull() middlewareFunc {
237	return func(next http.Handler) http.Handler {
238		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
239			f, err := mw.repoResolver.Resolve(r)
240			if err != nil {
241				log.Println("failed to fully resolve repo", err)
242				http.Error(w, "invalid repo url", http.StatusNotFound)
243				return
244			}
245
246			prId := chi.URLParam(r, "pull")
247			prIdInt, err := strconv.Atoi(prId)
248			if err != nil {
249				http.Error(w, "bad pr id", http.StatusBadRequest)
250				log.Println("failed to parse pr id", err)
251				return
252			}
253
254			pr, err := db.GetPull(mw.db, f.RepoAt, prIdInt)
255			if err != nil {
256				log.Println("failed to get pull and comments", err)
257				return
258			}
259
260			ctx := context.WithValue(r.Context(), "pull", pr)
261
262			if pr.IsStacked() {
263				stack, err := db.GetStack(mw.db, pr.StackId)
264				if err != nil {
265					log.Println("failed to get stack", err)
266					return
267				}
268				abandonedPulls, err := db.GetAbandonedPulls(mw.db, pr.StackId)
269				if err != nil {
270					log.Println("failed to get abandoned pulls", err)
271					return
272				}
273
274				ctx = context.WithValue(ctx, "stack", stack)
275				ctx = context.WithValue(ctx, "abandonedPulls", abandonedPulls)
276			}
277
278			next.ServeHTTP(w, r.WithContext(ctx))
279		})
280	}
281}
282
283// this should serve the go-import meta tag even if the path is technically
284// a 404 like tangled.sh/oppi.li/go-git/v5
285func (mw Middleware) GoImport() middlewareFunc {
286	return func(next http.Handler) http.Handler {
287		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
288			f, err := mw.repoResolver.Resolve(r)
289			if err != nil {
290				log.Println("failed to fully resolve repo", err)
291				http.Error(w, "invalid repo url", http.StatusNotFound)
292				return
293			}
294
295			fullName := f.OwnerHandle() + "/" + f.RepoName
296
297			if r.Header.Get("User-Agent") == "Go-http-client/1.1" {
298				if r.URL.Query().Get("go-get") == "1" {
299					html := fmt.Sprintf(
300						`<meta name="go-import" content="tangled.sh/%s git https://tangled.sh/%s"/>`,
301						fullName,
302						fullName,
303					)
304					w.Header().Set("Content-Type", "text/html")
305					w.Write([]byte(html))
306					return
307				}
308			}
309
310			next.ServeHTTP(w, r)
311		})
312	}
313}