clean up some weirdness in the router (#80)

This commit is contained in:
Tobi Smethurst 2021-07-07 15:46:42 +02:00 committed by GitHub
parent 3568579218
commit c71e55ecc4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 336 additions and 85 deletions

View file

@ -38,6 +38,9 @@
func (m *Module) AuthorizeGETHandler(c *gin.Context) { func (m *Module) AuthorizeGETHandler(c *gin.Context) {
l := m.log.WithField("func", "AuthorizeGETHandler") l := m.log.WithField("func", "AuthorizeGETHandler")
s := sessions.Default(c) s := sessions.Default(c)
s.Options(sessions.Options{
MaxAge: 120, // give the user 2 minutes to sign in before expiring their session
})
// UserID will be set in the session by AuthorizePOSTHandler if the caller has already gone through the authentication flow // UserID will be set in the session by AuthorizePOSTHandler if the caller has already gone through the authentication flow
// If it's not set, then we don't know yet who the user is, so we need to redirect them to the sign in page. // If it's not set, then we don't know yet who the user is, so we need to redirect them to the sign in page.
@ -117,9 +120,6 @@ func (m *Module) AuthorizePOSTHandler(c *gin.Context) {
l := m.log.WithField("func", "AuthorizePOSTHandler") l := m.log.WithField("func", "AuthorizePOSTHandler")
s := sessions.Default(c) s := sessions.Default(c)
// At this point we know the user has said 'yes' to allowing the application and oauth client
// work for them, so we can set the
// We need to retrieve the original form submitted to the authorizeGEThandler, and // We need to retrieve the original form submitted to the authorizeGEThandler, and
// recreate it on the request so that it can be used further by the oauth2 library. // recreate it on the request so that it can be used further by the oauth2 library.
// So first fetch all the values from the session. // So first fetch all the values from the session.
@ -153,8 +153,13 @@ func (m *Module) AuthorizePOSTHandler(c *gin.Context) {
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing userid"}) c.JSON(http.StatusBadRequest, gin.H{"error": "session missing userid"})
return return
} }
// we're done with the session so we can clear it now // we're done with the session so we can clear it now
s.Clear() s.Clear()
if err := s.Save(); err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
// now set the values on the request // now set the values on the request
values := url.Values{} values := url.Values{}

View file

@ -67,6 +67,7 @@
&gtsmodel.Emoji{}, &gtsmodel.Emoji{},
&gtsmodel.Instance{}, &gtsmodel.Instance{},
&gtsmodel.Notification{}, &gtsmodel.Notification{},
&gtsmodel.RouterSession{},
&oauth.Token{}, &oauth.Token{},
&oauth.Client{}, &oauth.Client{},
} }
@ -94,7 +95,7 @@
federatingDB := federatingdb.New(dbService, c, log) federatingDB := federatingdb.New(dbService, c, log)
router, err := router.New(c, log) router, err := router.New(c, dbService, log)
if err != nil { if err != nil {
return fmt.Errorf("error creating router: %s", err) return fmt.Errorf("error creating router: %s", err)
} }

View file

@ -44,7 +44,7 @@
c := testrig.NewTestConfig() c := testrig.NewTestConfig()
dbService := testrig.NewTestDB() dbService := testrig.NewTestDB()
testrig.StandardDBSetup(dbService) testrig.StandardDBSetup(dbService)
router := testrig.NewTestRouter() router := testrig.NewTestRouter(dbService)
storageBackend := testrig.NewTestStorage() storageBackend := testrig.NewTestStorage()
testrig.StandardStorageSetup(storageBackend, "./testrig/media") testrig.StandardStorageSetup(storageBackend, "./testrig/media")

View file

@ -0,0 +1,26 @@
/*
GoToSocial
Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package gtsmodel
// RouterSession is used to store and retrieve settings for a router session.
type RouterSession struct {
ID string `pg:"type:CHAR(26),pk,notnull"`
Auth []byte `pg:",notnull"`
Crypt []byte `pg:",notnull"`
}

41
internal/router/attach.go Normal file
View file

@ -0,0 +1,41 @@
/*
GoToSocial
Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package router
import "github.com/gin-gonic/gin"
// AttachHandler attaches the given gin.HandlerFunc to the router with the specified method and path.
// If the path is set to ANY, then the handlerfunc will be used for ALL methods at its given path.
func (r *router) AttachHandler(method string, path string, handler gin.HandlerFunc) {
if method == "ANY" {
r.engine.Any(path, handler)
} else {
r.engine.Handle(method, path, handler)
}
}
// AttachMiddleware attaches a gin middleware to the router that will be used globally
func (r *router) AttachMiddleware(middleware gin.HandlerFunc) {
r.engine.Use(middleware)
}
// AttachNoRouteHandler attaches a gin.HandlerFunc to NoRoute to handle 404's
func (r *router) AttachNoRouteHandler(handler gin.HandlerFunc) {
r.engine.NoRoute(handler)
}

88
internal/router/cors.go Normal file
View file

@ -0,0 +1,88 @@
/*
GoToSocial
Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package router
import (
"time"
"github.com/gin-contrib/cors"
"github.com/gin-gonic/gin"
"github.com/superseriousbusiness/gotosocial/internal/config"
)
var corsConfig = cors.Config{
// TODO: make this customizable so instance admins can specify an origin for CORS requests
AllowAllOrigins: true,
// adds the following:
// "chrome-extension://"
// "safari-extension://"
// "moz-extension://"
// "ms-browser-extension://"
AllowBrowserExtensions: true,
AllowMethods: []string{
"POST",
"PUT",
"DELETE",
"GET",
"PATCH",
"OPTIONS",
},
AllowHeaders: []string{
// basic cors stuff
"Origin",
"Content-Length",
"Content-Type",
// needed to pass oauth bearer tokens
"Authorization",
// needed for websocket upgrade requests
"Upgrade",
"Sec-WebSocket-Extensions",
"Sec-WebSocket-Key",
"Sec-WebSocket-Protocol",
"Sec-WebSocket-Version",
"Connection",
},
AllowWebSockets: true,
ExposeHeaders: []string{
// needed for accessing next/prev links when making GET timeline requests
"Link",
// needed so clients can handle rate limits
"X-RateLimit-Reset",
"X-RateLimit-Limit",
"X-RateLimit-Remaining",
"X-Request-Id",
// websocket stuff
"Connection",
"Sec-WebSocket-Accept",
"Upgrade",
},
MaxAge: 2 * time.Minute,
}
// useCors attaches the corsConfig above to the given gin engine
func useCors(cfg *config.Config, engine *gin.Engine) error {
c := cors.New(corsConfig)
engine.Use(c)
return nil
}

View file

@ -20,22 +20,24 @@
import ( import (
"context" "context"
"crypto/rand"
"fmt" "fmt"
"net/http" "net/http"
"os"
"path/filepath"
"time" "time"
"github.com/gin-contrib/cors"
"github.com/gin-contrib/sessions"
"github.com/gin-contrib/sessions/memstore"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"github.com/superseriousbusiness/gotosocial/internal/config" "github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/db"
"golang.org/x/crypto/acme/autocert" "golang.org/x/crypto/acme/autocert"
) )
var (
readTimeout = 60 * time.Second
writeTimeout = 30 * time.Second
idleTimeout = 30 * time.Second
readHeaderTimeout = 30 * time.Second
)
// Router provides the REST interface for gotosocial, using gin. // Router provides the REST interface for gotosocial, using gin.
type Router interface { type Router interface {
// Attach a gin handler to the router with the given method and path // Attach a gin handler to the router with the given method and path
@ -96,31 +98,17 @@ func (r *router) Stop(ctx context.Context) error {
return r.srv.Shutdown(ctx) return r.srv.Shutdown(ctx)
} }
// AttachHandler attaches the given gin.HandlerFunc to the router with the specified method and path.
// If the path is set to ANY, then the handlerfunc will be used for ALL methods at its given path.
func (r *router) AttachHandler(method string, path string, handler gin.HandlerFunc) {
if method == "ANY" {
r.engine.Any(path, handler)
} else {
r.engine.Handle(method, path, handler)
}
}
// AttachMiddleware attaches a gin middleware to the router that will be used globally
func (r *router) AttachMiddleware(middleware gin.HandlerFunc) {
r.engine.Use(middleware)
}
// AttachNoRouteHandler attaches a gin.HandlerFunc to NoRoute to handle 404's
func (r *router) AttachNoRouteHandler(handler gin.HandlerFunc) {
r.engine.NoRoute(handler)
}
// New returns a new Router with the specified configuration, using the given logrus logger. // New returns a new Router with the specified configuration, using the given logrus logger.
func New(config *config.Config, logger *logrus.Logger) (Router, error) { //
lvl, err := logrus.ParseLevel(config.LogLevel) // The given DB is only used in the New function for parsing config values, and is not otherwise
// pinned to the router.
func New(cfg *config.Config, db db.DB, logger *logrus.Logger) (Router, error) {
// gin has different log modes; for convenience, we match the gin log mode to
// whatever log mode has been set for logrus
lvl, err := logrus.ParseLevel(cfg.LogLevel)
if err != nil { if err != nil {
return nil, fmt.Errorf("couldn't parse log level %s to set router level: %s", config.LogLevel, err) return nil, fmt.Errorf("couldn't parse log level %s to set router level: %s", cfg.LogLevel, err)
} }
switch lvl { switch lvl {
case logrus.TraceLevel, logrus.DebugLevel: case logrus.TraceLevel, logrus.DebugLevel:
@ -131,52 +119,43 @@ func New(config *config.Config, logger *logrus.Logger) (Router, error) {
// create the actual engine here -- this is the core request routing handler for gts // create the actual engine here -- this is the core request routing handler for gts
engine := gin.Default() engine := gin.Default()
engine.Use(cors.New(cors.Config{
AllowAllOrigins: true,
AllowBrowserExtensions: true,
AllowMethods: []string{"POST", "PUT", "DELETE", "GET", "PATCH", "OPTIONS"},
AllowHeaders: []string{"Origin", "Content-Length", "Content-Type", "Authorization", "Upgrade", "Sec-WebSocket-Extensions", "Sec-WebSocket-Key", "Sec-WebSocket-Protocol", "Sec-WebSocket-Version", "Connection"},
AllowWebSockets: true,
ExposeHeaders: []string{"Link", "X-RateLimit-Reset", "X-RateLimit-Limit", " X-RateLimit-Remaining", "X-Request-Id", "Connection", "Sec-WebSocket-Accept", "Upgrade"},
MaxAge: 2 * time.Minute,
}))
engine.MaxMultipartMemory = 8 << 20 // 8 MiB engine.MaxMultipartMemory = 8 << 20 // 8 MiB
// create a new session store middleware // enable cors on the engine
store, err := sessionStore() if err := useCors(cfg, engine); err != nil {
if err != nil { return nil, err
return nil, fmt.Errorf("error creating session store: %s", err)
} }
engine.Use(sessions.Sessions("gotosocial-session", store))
// load html templates for use by the router // load templates onto the engine
cwd, err := os.Getwd() if err := loadTemplates(cfg, engine); err != nil {
if err != nil { return nil, err
return nil, fmt.Errorf("error getting current working directory: %s", err)
} }
tmPath := filepath.Join(cwd, fmt.Sprintf("%s*", config.TemplateConfig.BaseDir))
logger.Debugf("loading templates from %s", tmPath)
engine.LoadHTMLGlob(tmPath)
// create the actual http server here // enable session store middleware on the engine
if err := useSession(cfg, db, engine); err != nil {
return nil, err
}
// create the http server here, passing the gin engine as handler
s := &http.Server{ s := &http.Server{
Handler: engine, Handler: engine,
ReadTimeout: 60 * time.Second, ReadTimeout: readTimeout,
WriteTimeout: 30 * time.Second, WriteTimeout: writeTimeout,
IdleTimeout: 30 * time.Second, IdleTimeout: idleTimeout,
ReadHeaderTimeout: 30 * time.Second, ReadHeaderTimeout: readHeaderTimeout,
} }
var m *autocert.Manager
// We need to spawn the underlying server slightly differently depending on whether lets encrypt is enabled or not. // We need to spawn the underlying server slightly differently depending on whether lets encrypt is enabled or not.
// In either case, the gin engine will still be used for routing requests. // In either case, the gin engine will still be used for routing requests.
if config.LetsEncryptConfig.Enabled {
var m *autocert.Manager
if cfg.LetsEncryptConfig.Enabled {
// le IS enabled, so roll up an autocert manager for handling letsencrypt requests // le IS enabled, so roll up an autocert manager for handling letsencrypt requests
m = &autocert.Manager{ m = &autocert.Manager{
Prompt: autocert.AcceptTOS, Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist(config.Host), HostPolicy: autocert.HostWhitelist(cfg.Host),
Cache: autocert.DirCache(config.LetsEncryptConfig.CertDir), Cache: autocert.DirCache(cfg.LetsEncryptConfig.CertDir),
Email: config.LetsEncryptConfig.EmailAddress, Email: cfg.LetsEncryptConfig.EmailAddress,
} }
// and create an HTTPS server // and create an HTTPS server
s.Addr = ":https" s.Addr = ":https"
@ -190,27 +169,11 @@ func New(config *config.Config, logger *logrus.Logger) (Router, error) {
logger: logger, logger: logger,
engine: engine, engine: engine,
srv: s, srv: s,
config: config, config: cfg,
certManager: m, certManager: m,
}, nil }, nil
} }
// sessionStore returns a new session store with a random auth and encryption key.
// This means that cookies using the store will be reset if gotosocial is restarted!
func sessionStore() (memstore.Store, error) {
auth := make([]byte, 32)
crypt := make([]byte, 32)
if _, err := rand.Read(auth); err != nil {
return nil, err
}
if _, err := rand.Read(crypt); err != nil {
return nil, err
}
return memstore.NewStore(auth, crypt), nil
}
func httpsRedirect(w http.ResponseWriter, req *http.Request) { func httpsRedirect(w http.ResponseWriter, req *http.Request) {
target := "https://" + req.Host + req.URL.Path target := "https://" + req.Host + req.URL.Path

100
internal/router/session.go Normal file
View file

@ -0,0 +1,100 @@
/*
GoToSocial
Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package router
import (
"crypto/rand"
"errors"
"fmt"
"github.com/gin-contrib/sessions"
"github.com/gin-contrib/sessions/memstore"
"github.com/gin-gonic/gin"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
"github.com/superseriousbusiness/gotosocial/internal/id"
)
func useSession(cfg *config.Config, dbService db.DB, engine *gin.Engine) error {
// check if we have a saved router session already
routerSessions := []*gtsmodel.RouterSession{}
if err := dbService.GetAll(&routerSessions); err != nil {
if _, ok := err.(db.ErrNoEntries); !ok {
// proper error occurred
return err
}
}
var rs *gtsmodel.RouterSession
if len(routerSessions) == 1 {
// we have a router session stored
rs = routerSessions[0]
} else if len(routerSessions) == 0 {
// we have no router sessions so we need to create a new one
var err error
rs, err = routerSession(dbService)
if err != nil {
return fmt.Errorf("error creating new router session: %s", err)
}
} else {
// we should only have one router session stored ever
return errors.New("we had more than one router session in the db")
}
if rs == nil {
return errors.New("error getting or creating router session: router session was nil")
}
store := memstore.NewStore(rs.Auth, rs.Crypt)
sessionName := fmt.Sprintf("gotosocial-%s", cfg.Host)
engine.Use(sessions.Sessions(sessionName, store))
return nil
}
// routerSession generates a new router session with random auth and crypt bytes,
// puts it in the database for persistence, and returns it for use.
func routerSession(dbService db.DB) (*gtsmodel.RouterSession, error) {
auth := make([]byte, 32)
crypt := make([]byte, 32)
if _, err := rand.Read(auth); err != nil {
return nil, err
}
if _, err := rand.Read(crypt); err != nil {
return nil, err
}
rid, err := id.NewULID()
if err != nil {
return nil, err
}
rs := &gtsmodel.RouterSession{
ID: rid,
Auth: auth,
Crypt: crypt,
}
if err := dbService.Put(rs); err != nil {
return nil, err
}
return rs, nil
}

View file

@ -0,0 +1,23 @@
package router
import (
"fmt"
"os"
"path/filepath"
"github.com/gin-gonic/gin"
"github.com/superseriousbusiness/gotosocial/internal/config"
)
// loadTemplates loads html templates for use by the given engine
func loadTemplates(cfg *config.Config, engine *gin.Engine) error {
cwd, err := os.Getwd()
if err != nil {
return fmt.Errorf("error getting current working directory: %s", err)
}
tmPath := filepath.Join(cwd, fmt.Sprintf("%s*", cfg.TemplateConfig.BaseDir))
engine.LoadHTMLGlob(tmPath)
return nil
}

View file

@ -47,6 +47,7 @@
&gtsmodel.Emoji{}, &gtsmodel.Emoji{},
&gtsmodel.Instance{}, &gtsmodel.Instance{},
&gtsmodel.Notification{}, &gtsmodel.Notification{},
&gtsmodel.RouterSession{},
&oauth.Token{}, &oauth.Token{},
&oauth.Client{}, &oauth.Client{},
} }

View file

@ -18,11 +18,14 @@
package testrig package testrig
import "github.com/superseriousbusiness/gotosocial/internal/router" import (
"github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/router"
)
// NewTestRouter returns a Router suitable for testing // NewTestRouter returns a Router suitable for testing
func NewTestRouter() router.Router { func NewTestRouter(db db.DB) router.Router {
r, err := router.New(NewTestConfig(), NewTestLog()) r, err := router.New(NewTestConfig(), db, NewTestLog())
if err != nil { if err != nil {
panic(err) panic(err)
} }