willdot.net / tangled-fork
forked from tangled.org/core
Monorepo for Tangled
fork atom
tangled-fork / appview / middleware / middleware.go
at master 352 lines 9.6 kB view raw
1package middleware 2 3import ( 4 "context" 5 "fmt" 6 "log" 7 "net/http" 8 "net/url" 9 "slices" 10 "strconv" 11 "strings" 12 13 "github.com/bluesky-social/indigo/atproto/identity" 14 "github.com/go-chi/chi/v5" 15 "tangled.org/core/appview/db" 16 "tangled.org/core/appview/oauth" 17 "tangled.org/core/appview/pages" 18 "tangled.org/core/appview/pagination" 19 "tangled.org/core/appview/reporesolver" 20 "tangled.org/core/idresolver" 21 "tangled.org/core/orm" 22 "tangled.org/core/rbac" 23) 24 25type Middleware struct { 26 oauth *oauth.OAuth 27 db *db.DB 28 enforcer *rbac.Enforcer 29 repoResolver *reporesolver.RepoResolver 30 idResolver *idresolver.Resolver 31 pages *pages.Pages 32} 33 34func New(oauth *oauth.OAuth, db *db.DB, enforcer *rbac.Enforcer, repoResolver *reporesolver.RepoResolver, idResolver *idresolver.Resolver, pages *pages.Pages) Middleware { 35 return Middleware{ 36 oauth: oauth, 37 db: db, 38 enforcer: enforcer, 39 repoResolver: repoResolver, 40 idResolver: idResolver, 41 pages: pages, 42 } 43} 44 45type middlewareFunc func(http.Handler) http.Handler 46 47func AuthMiddleware(o *oauth.OAuth) middlewareFunc { 48 return func(next http.Handler) http.Handler { 49 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 50 returnURL := "/" 51 if u, err := url.Parse(r.Header.Get("Referer")); err == nil { 52 returnURL = u.RequestURI() 53 } 54 55 loginURL := fmt.Sprintf("/login?return_url=%s", url.QueryEscape(returnURL)) 56 57 redirectFunc := func(w http.ResponseWriter, r *http.Request) { 58 http.Redirect(w, r, loginURL, http.StatusTemporaryRedirect) 59 } 60 if r.Header.Get("HX-Request") == "true" { 61 redirectFunc = func(w http.ResponseWriter, _ *http.Request) { 62 w.Header().Set("HX-Redirect", loginURL) 63 w.WriteHeader(http.StatusOK) 64 } 65 } 66 67 sess, err := o.ResumeSession(r) 68 if err != nil { 69 log.Println("failed to resume session, redirecting...", "err", err, "url", r.URL.String()) 70 redirectFunc(w, r) 71 return 72 } 73 74 if sess == nil { 75 log.Printf("session is nil, redirecting...") 76 redirectFunc(w, r) 77 return 78 } 79 80 next.ServeHTTP(w, r) 81 }) 82 } 83} 84 85func Paginate(next http.Handler) http.Handler { 86 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 87 page := pagination.FirstPage() 88 89 offsetVal := r.URL.Query().Get("offset") 90 if offsetVal != "" { 91 offset, err := strconv.Atoi(offsetVal) 92 if err != nil { 93 log.Println("invalid offset") 94 } else { 95 page.Offset = offset 96 } 97 } 98 99 limitVal := r.URL.Query().Get("limit") 100 if limitVal != "" { 101 limit, err := strconv.Atoi(limitVal) 102 if err != nil { 103 log.Println("invalid limit") 104 } else { 105 page.Limit = limit 106 } 107 } 108 109 ctx := pagination.IntoContext(r.Context(), page) 110 next.ServeHTTP(w, r.WithContext(ctx)) 111 }) 112} 113 114func (mw Middleware) knotRoleMiddleware(group string) middlewareFunc { 115 return func(next http.Handler) http.Handler { 116 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 117 // requires auth also 118 actor := mw.oauth.GetMultiAccountUser(r) 119 if actor == nil { 120 // we need a logged in user 121 log.Printf("not logged in, redirecting") 122 http.Error(w, "Forbiden", http.StatusUnauthorized) 123 return 124 } 125 domain := chi.URLParam(r, "domain") 126 if domain == "" { 127 http.Error(w, "malformed url", http.StatusBadRequest) 128 return 129 } 130 131 ok, err := mw.enforcer.E.HasGroupingPolicy(actor.Active.Did, group, domain) 132 if err != nil || !ok { 133 log.Printf("%s does not have perms of a %s in domain %s", actor.Active.Did, group, domain) 134 http.Error(w, "Forbiden", http.StatusUnauthorized) 135 return 136 } 137 138 next.ServeHTTP(w, r) 139 }) 140 } 141} 142 143func (mw Middleware) KnotOwner() middlewareFunc { 144 return mw.knotRoleMiddleware("server:owner") 145} 146 147func (mw Middleware) RepoPermissionMiddleware(requiredPerm string) middlewareFunc { 148 return func(next http.Handler) http.Handler { 149 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 150 // requires auth also 151 actor := mw.oauth.GetMultiAccountUser(r) 152 if actor == nil { 153 // we need a logged in user 154 log.Printf("not logged in, redirecting") 155 http.Error(w, "Forbiden", http.StatusUnauthorized) 156 return 157 } 158 f, err := mw.repoResolver.Resolve(r) 159 if err != nil { 160 http.Error(w, "malformed url", http.StatusBadRequest) 161 return 162 } 163 164 ok, err := mw.enforcer.E.Enforce(actor.Active.Did, f.Knot, f.DidSlashRepo(), requiredPerm) 165 if err != nil || !ok { 166 log.Printf("%s does not have perms of a %s in repo %s", actor.Active.Did, requiredPerm, f.DidSlashRepo()) 167 http.Error(w, "Forbiden", http.StatusUnauthorized) 168 return 169 } 170 171 next.ServeHTTP(w, r) 172 }) 173 } 174} 175 176func (mw Middleware) ResolveIdent() middlewareFunc { 177 excluded := []string{"favicon.ico"} 178 179 return func(next http.Handler) http.Handler { 180 return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { 181 didOrHandle := chi.URLParam(req, "user") 182 didOrHandle = strings.TrimPrefix(didOrHandle, "@") 183 184 if slices.Contains(excluded, didOrHandle) { 185 next.ServeHTTP(w, req) 186 return 187 } 188 189 id, err := mw.idResolver.ResolveIdent(req.Context(), didOrHandle) 190 if err != nil { 191 // invalid did or handle 192 log.Printf("failed to resolve did/handle '%s': %s\n", didOrHandle, err) 193 mw.pages.Error404(w) 194 return 195 } 196 197 ctx := context.WithValue(req.Context(), "resolvedId", *id) 198 199 next.ServeHTTP(w, req.WithContext(ctx)) 200 }) 201 } 202} 203 204func (mw Middleware) ResolveRepo() middlewareFunc { 205 return func(next http.Handler) http.Handler { 206 return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { 207 repoName := chi.URLParam(req, "repo") 208 repoName = strings.TrimSuffix(repoName, ".git") 209 210 id, ok := req.Context().Value("resolvedId").(identity.Identity) 211 if !ok { 212 log.Println("malformed middleware") 213 w.WriteHeader(http.StatusInternalServerError) 214 return 215 } 216 217 repo, err := db.GetRepo( 218 mw.db, 219 orm.FilterEq("did", id.DID.String()), 220 orm.FilterEq("name", repoName), 221 ) 222 if err != nil { 223 log.Println("failed to resolve repo", "err", err) 224 w.WriteHeader(http.StatusNotFound) 225 mw.pages.ErrorKnot404(w) 226 return 227 } 228 229 ctx := context.WithValue(req.Context(), "repo", repo) 230 next.ServeHTTP(w, req.WithContext(ctx)) 231 }) 232 } 233} 234 235// middleware that is tacked on top of /{user}/{repo}/pulls/{pull} 236func (mw Middleware) ResolvePull() middlewareFunc { 237 return func(next http.Handler) http.Handler { 238 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 239 f, err := mw.repoResolver.Resolve(r) 240 if err != nil { 241 log.Println("failed to fully resolve repo", err) 242 w.WriteHeader(http.StatusNotFound) 243 mw.pages.ErrorKnot404(w) 244 return 245 } 246 247 prId := chi.URLParam(r, "pull") 248 prIdInt, err := strconv.Atoi(prId) 249 if err != nil { 250 log.Println("failed to parse pr id", err) 251 mw.pages.Error404(w) 252 return 253 } 254 255 pr, err := db.GetPull(mw.db, f.RepoAt(), prIdInt) 256 if err != nil { 257 log.Println("failed to get pull and comments", err) 258 mw.pages.Error404(w) 259 return 260 } 261 262 ctx := context.WithValue(r.Context(), "pull", pr) 263 264 if pr.IsStacked() { 265 stack, err := db.GetStack(mw.db, pr.StackId) 266 if err != nil { 267 log.Println("failed to get stack", err) 268 return 269 } 270 abandonedPulls, err := db.GetAbandonedPulls(mw.db, pr.StackId) 271 if err != nil { 272 log.Println("failed to get abandoned pulls", err) 273 return 274 } 275 276 ctx = context.WithValue(ctx, "stack", stack) 277 ctx = context.WithValue(ctx, "abandonedPulls", abandonedPulls) 278 } 279 280 next.ServeHTTP(w, r.WithContext(ctx)) 281 }) 282 } 283} 284 285// middleware that is tacked on top of /{user}/{repo}/issues/{issue} 286func (mw Middleware) ResolveIssue(next http.Handler) http.Handler { 287 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 288 f, err := mw.repoResolver.Resolve(r) 289 if err != nil { 290 log.Println("failed to fully resolve repo", err) 291 w.WriteHeader(http.StatusNotFound) 292 mw.pages.ErrorKnot404(w) 293 return 294 } 295 296 issueIdStr := chi.URLParam(r, "issue") 297 issueId, err := strconv.Atoi(issueIdStr) 298 if err != nil { 299 log.Println("failed to fully resolve issue ID", err) 300 mw.pages.Error404(w) 301 return 302 } 303 304 issue, err := db.GetIssue(mw.db, f.RepoAt(), issueId) 305 if err != nil { 306 log.Println("failed to get issues", "err", err) 307 mw.pages.Error404(w) 308 return 309 } 310 311 ctx := context.WithValue(r.Context(), "issue", issue) 312 next.ServeHTTP(w, r.WithContext(ctx)) 313 }) 314} 315 316// this should serve the go-import meta tag even if the path is technically 317// a 404 like tangled.sh/oppi.li/go-git/v5 318// 319// we're keeping the tangled.sh go-import tag too to maintain backward 320// compatiblity for modules that still point there. they will be redirected 321// to fetch source from tangled.org 322func (mw Middleware) GoImport() middlewareFunc { 323 return func(next http.Handler) http.Handler { 324 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 325 f, err := mw.repoResolver.Resolve(r) 326 if err != nil { 327 log.Println("failed to fully resolve repo", err) 328 w.WriteHeader(http.StatusNotFound) 329 mw.pages.ErrorKnot404(w) 330 return 331 } 332 333 fullName := reporesolver.GetBaseRepoPath(r, f) 334 335 if r.Header.Get("User-Agent") == "Go-http-client/1.1" { 336 if r.URL.Query().Get("go-get") == "1" { 337 html := fmt.Sprintf( 338 `<meta name="go-import" content="tangled.sh/%s git https://tangled.sh/%s"/> 339<meta name="go-import" content="tangled.org/%s git https://tangled.org/%s"/>`, 340 fullName, fullName, 341 fullName, fullName, 342 ) 343 w.Header().Set("Content-Type", "text/html") 344 w.Write([]byte(html)) 345 return 346 } 347 } 348 349 next.ServeHTTP(w, r) 350 }) 351 } 352}