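// Package s3browser serves a small HTTP API (GraphQL plus file download/upload)
// in front of a single S3 bucket. Requests are authenticated with an HMAC-signed
// JWT carried either as a Bearer token or in an HttpOnly cookie.
package s3browser

import (
	"context"
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"

	"github.com/golang-jwt/jwt"
	jwtRequest "github.com/golang-jwt/jwt/request"
	"github.com/gorilla/mux"
	"github.com/graphql-go/graphql"
	"github.com/graphql-go/graphql/gqlerrors"
	"github.com/graphql-go/handler"
	"github.com/minio/minio-go/v7"
	log "github.com/sirupsen/logrus"
)

const (
	// jwtCookieName is the cookie that carries the browser session token.
	jwtCookieName = "jwt"
	// jwtCookiePath scopes the cookie to the API; static assets never need it.
	jwtCookiePath = "/api"
	// jwtSecretEnv names the environment variable holding the HMAC signing
	// secret. The name is a reviewer's choice; adjust it to the deployment's
	// configuration conventions if they differ.
	jwtSecretEnv = "S3BROWSER_JWT_SECRET"
	// maxTokenBodyBytes bounds the request body read by setLoginCookie. A
	// signed JWT is a few hundred bytes, so 16 KiB is generous headroom.
	maxTokenBodyBytes = 16 << 10
	// readHeaderTimeout limits how long a client may take to send request
	// headers. It does not bound body transfer, so long uploads and downloads
	// are unaffected, but slow-header clients can no longer pin connections.
	readHeaderTimeout = 10 * time.Second
)

var (
	// jwtSigningKey is the HMAC secret shared by token verification
	// (jwtKeyFunc) and re-issuing (refreshToken). It replaces the former
	// hard-coded "TODO" placeholder that was used in both places. An empty
	// key is treated as "not configured" and makes every token invalid —
	// failing closed is preferable to verifying signatures against an empty
	// or guessable key.
	jwtSigningKey = []byte(os.Getenv(jwtSecretEnv))

	errJWTKeyUnset = errors.New("jwt signing key is not configured")
)

// JWTClaims is the claim set expected in every token. Only the registered
// (standard) claims are used; expiry is validated by jwt.StandardClaims.Valid.
type JWTClaims struct {
	jwt.StandardClaims
}

// CookieExtractor is a jwtRequest.Extractor that reads the raw token string
// from the cookie named Name.
type CookieExtractor struct {
	Name string
}

// ExtractToken returns the value of the configured cookie, or
// jwtRequest.ErrNoTokenInRequest when the cookie is absent or empty so that a
// MultiExtractor moves on to the next source.
func (c *CookieExtractor) ExtractToken(req *http.Request) (string, error) {
	cookie, err := req.Cookie(c.Name)
	if err != nil || cookie.Value == "" {
		return "", jwtRequest.ErrNoTokenInRequest
	}
	return cookie.Value, nil
}

// initHttp sets up the router and starts the HTTP server on address. It blocks
// until the server stops and returns the error from ListenAndServe.
//
// resolveContext is the context handed to GraphQL resolvers and to the file
// handlers; it is expected to carry the *minio.Client under the string key
// "s3Client" (read by httpGetFile/httpPostFile).
func initHttp(resolveContext context.Context, schema graphql.Schema, address string) error {
	if len(jwtSigningKey) == 0 {
		// Say so loudly at startup: with no key every JWT is rejected and the
		// only symptom would otherwise be a stream of 401s.
		log.Warnf("%s is not set; all JWTs will be rejected until a signing key is configured", jwtSecretEnv)
	}

	r := mux.NewRouter()

	gqlHandler := handler.New(&handler.Config{
		Schema:   &schema,
		Pretty:   true,
		GraphiQL: false,
		// NOTE(review): the playground UI is served to unauthenticated
		// clients and exposes the schema; confirm that is intended for the
		// deployment this runs in.
		Playground: true,
		FormatErrorFn: func(err error) gqlerrors.FormattedError {
			switch e := err.(type) {
			case gqlerrors.FormattedError:
				log.Error("GQL: ", e.Message)
			case *gqlerrors.Error:
				log.Errorf("GQL: '%s' at '%v'", e.Message, e.Path)
			}
			return gqlerrors.FormatError(err)
		},
	})

	r.Use(jwtMiddleware)

	r.HandleFunc("/api/graphql", func(rw http.ResponseWriter, r *http.Request) {
		// Hand the (possibly nil) verified token to the resolvers under the
		// same string key the middleware used.
		token := r.Context().Value("jwt")
		gqlHandler.ContextHandler(context.WithValue(resolveContext, "jwt", token), rw, r)
	})
	r.HandleFunc("/api/file", func(rw http.ResponseWriter, r *http.Request) {
		httpGetFile(resolveContext, rw, r)
	}).Methods("GET")
	r.HandleFunc("/api/file", func(rw http.ResponseWriter, r *http.Request) {
		httpPostFile(resolveContext, rw, r)
	}).Methods("POST")
	r.HandleFunc("/api/cookie", setLoginCookie).Methods("POST")
	r.HandleFunc("/api/logout", logout).Methods("POST")
	r.HandleFunc("/api/refresh", refreshToken).Methods("POST")

	// Init the embedded static files
	initStatic(r)

	// http.ListenAndServe uses a zero-valued Server with no timeouts at all;
	// at least bound the header phase so idle/slow clients cannot hold
	// connections open indefinitely.
	srv := &http.Server{
		Addr:              address,
		Handler:           r,
		ReadHeaderTimeout: readHeaderTimeout,
	}
	return srv.ListenAndServe()
}

// jwtMiddleware verifies a JWT presented in the Authorization header (Bearer)
// or, failing that, in the jwt cookie, and stores the verified *jwt.Token in
// the request context under the string key "jwt" (other files, e.g. isAuth,
// look it up by that key, so the key type is deliberately left as a string).
//
// A missing or invalid token is not an error at this layer: the request
// continues unauthenticated and each handler decides, via isAuth, whether
// that is acceptable.
func jwtMiddleware(next http.Handler) http.Handler {
	extractor := jwtRequest.MultiExtractor{
		jwtRequest.AuthorizationHeaderExtractor,
		&CookieExtractor{Name: jwtCookieName},
	}
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		// A fresh claims value per request: the parser fills it in place.
		token, err := jwtRequest.ParseFromRequestWithClaims(r, extractor, &JWTClaims{}, jwtKeyFunc)
		switch {
		case err == nil && token.Valid:
			r = r.WithContext(context.WithValue(r.Context(), "jwt", token))
		case err != nil && !errors.Is(err, jwtRequest.ErrNoTokenInRequest):
			// A token was presented but did not verify (bad signature,
			// wrong alg, expired, ...). Debug level only: expired cookies
			// are routine and must not flood the log.
			log.Debug("JWT rejected: ", err)
		}
		next.ServeHTTP(rw, r)
	})
}

// s3ErrorStatus maps a minio-go error to the status returned to the client:
// a missing key is the caller's problem (404); anything else is reported as a
// generic 500 so backend details are not echoed to the browser.
func s3ErrorStatus(err error) int {
	if minio.ToErrorResponse(err).Code == "NoSuchKey" {
		return http.StatusNotFound
	}
	return http.StatusInternalServerError
}

// attachmentDisposition builds a Content-Disposition value whose filename
// parameter is quoted and escaped by mime.FormatMediaType, so a key containing
// '"', '\\' or control characters cannot break out of the parameter (the
// previous fmt.Sprintf("%s") interpolation did no escaping). FormatMediaType
// returns "" for values it cannot represent; in that case fall back to a bare
// "attachment" and let the browser pick a name rather than emit an empty header.
func attachmentDisposition(name string) string {
	if v := mime.FormatMediaType("attachment", map[string]string{"filename": name}); v != "" {
		return v
	}
	return "attachment"
}

// httpGetFile streams the object identified by the "id" query parameter from
// the bucket to the client as a download. Requires an authenticated request
// (401 otherwise), supports conditional GET via ETag/If-None-Match (304), and
// maps a missing key to 404.
//
// ctx must carry the *minio.Client under the key "s3Client"; S3 calls use the
// request's own context so a disconnecting client cancels the backend work.
func httpGetFile(ctx context.Context, rw http.ResponseWriter, r *http.Request) {
	if is, _ := isAuth(r.Context()); !is {
		rw.WriteHeader(http.StatusUnauthorized)
		return
	}
	id := r.URL.Query().Get("id")
	if id == "" {
		http.Error(rw, "missing id", http.StatusBadRequest)
		return
	}
	s3Client := ctx.Value("s3Client").(*minio.Client)

	log.Debug("S3 call 'StatObject': ", id)
	objInfo, err := s3Client.StatObject(r.Context(), bucketName, id, minio.GetObjectOptions{})
	if err != nil {
		rw.WriteHeader(s3ErrorStatus(err))
		return
	}

	// Validators go out on the 304 as well as the 200 so caches can revalidate.
	rw.Header().Set("ETag", objInfo.ETag)
	rw.Header().Set("Cache-Control", "must-revalidate")
	if r.Header.Get("If-None-Match") == objInfo.ETag {
		rw.WriteHeader(http.StatusNotModified)
		return
	}

	log.Debug("S3 call 'GetObject': ", id)
	obj, err := s3Client.GetObject(r.Context(), bucketName, id, minio.GetObjectOptions{})
	if err != nil {
		rw.WriteHeader(s3ErrorStatus(err))
		return
	}
	// The object handle owns a backend connection; release it on every path.
	defer obj.Close()

	contentType := objInfo.ContentType
	if contentType == "" {
		// Never emit an empty Content-Type: serve unknown data as opaque
		// bytes instead of letting the browser guess.
		contentType = "application/octet-stream"
	}
	rw.Header().Set("Content-Disposition", attachmentDisposition(filepath.Base(objInfo.Key)))
	rw.Header().Set("Content-Type", contentType)
	// Bucket content is user-supplied; forbid MIME sniffing so a stored
	// text/plain blob cannot be reinterpreted as HTML or script.
	rw.Header().Set("X-Content-Type-Options", "nosniff")

	n, err := io.Copy(rw, obj)
	if err != nil {
		if n == 0 {
			// Nothing has been written yet, so the status can still change.
			rw.WriteHeader(http.StatusInternalServerError)
			return
		}
		// Headers and part of the body are already on the wire; a
		// WriteHeader here would be a no-op, so just record the failure.
		log.Error("streaming object ", id, ": ", err)
	}
}

// httpPostFile stores the request body as the object named by the "id" query
// parameter. Requires an authenticated request (401 otherwise) and answers
// 201 on success. Only the media type of the request's Content-Type (no
// parameters) is recorded on the object; an unparsable header yields "".
//
// NOTE(review): there is no cap on the upload size; if the deployment needs
// one, wrap r.Body with http.MaxBytesReader before the PutObject call.
func httpPostFile(ctx context.Context, rw http.ResponseWriter, r *http.Request) {
	if is, _ := isAuth(r.Context()); !is {
		rw.WriteHeader(http.StatusUnauthorized)
		return
	}
	id := r.URL.Query().Get("id")
	if id == "" {
		http.Error(rw, "missing id", http.StatusBadRequest)
		return
	}
	s3Client := ctx.Value("s3Client").(*minio.Client)

	log.Debug("Upload file: ", id)
	mimeType, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type"))

	// r.ContentLength is -1 for chunked uploads; minio-go handles an unknown
	// size by switching to a multipart upload.
	log.Debug("S3 call 'PutObject': ", id)
	info, err := s3Client.PutObject(r.Context(), bucketName, id, r.Body, r.ContentLength, minio.PutObjectOptions{
		ContentType: mimeType,
	})
	if err != nil {
		log.Error("S3 call 'PutObject' ", id, ": ", err)
		rw.WriteHeader(http.StatusInternalServerError)
		return
	}

	// Invalidate cache
	invalidateCache(ctx, info.Key)
	rw.WriteHeader(http.StatusCreated)
}

// jwtKeyFunc is the jwt.Keyfunc used for every verification. It pins the
// algorithm family to HMAC before handing out the key: trusting the token's
// own "alg" header would let a token signed with "none" or with an asymmetric
// scheme be checked against the shared secret. An unconfigured key is an
// error so verification fails closed.
func jwtKeyFunc(t *jwt.Token) (interface{}, error) {
	if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
		return nil, fmt.Errorf("Unexpected signing method: %v", t.Header["alg"])
	}
	if len(jwtSigningKey) == 0 {
		return nil, errJWTKeyUnset
	}
	return jwtSigningKey, nil
}

// requestIsTLS reports whether the request arrived over TLS, either directly
// or via a reverse proxy that sets X-Forwarded-Proto. The header is only used
// to *add* the Secure flag, so a client forging it gains nothing.
func requestIsTLS(r *http.Request) bool {
	return r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// sessionCookie builds the jwt cookie with the hardening every handler should
// agree on: HttpOnly keeps it away from page scripts, SameSite=Strict stops
// cross-site requests from carrying it, the /api path keeps it off static
// assets, and Secure is set whenever the request is known to be over TLS so
// the token is not replayed over plain HTTP. expires should be the token's
// own exp so the cookie cannot outlive the token it carries.
func sessionCookie(r *http.Request, value string, expires time.Time) *http.Cookie {
	return &http.Cookie{
		Name:     jwtCookieName,
		Value:    value,
		Path:     jwtCookiePath,
		Expires:  expires,
		HttpOnly: true,
		Secure:   requestIsTLS(r),
		SameSite: http.SameSiteStrictMode,
	}
}

// setLoginCookie reads a JWT from the request body and, if it verifies, sets
// it as the HttpOnly session cookie (204). A body that is too large is 413; a
// token that is malformed, forged, expired or lacks an exp claim is 401 — these
// are client errors and are no longer reported as 500.
func setLoginCookie(rw http.ResponseWriter, r *http.Request) {
	defer r.Body.Close()

	// Read one byte past the limit so an oversized body is detected without
	// buffering an unbounded amount of it.
	body, err := io.ReadAll(io.LimitReader(r.Body, maxTokenBodyBytes+1))
	if err != nil {
		rw.WriteHeader(http.StatusInternalServerError)
		return
	}
	if len(body) > maxTokenBodyBytes {
		http.Error(rw, "token too large", http.StatusRequestEntityTooLarge)
		return
	}
	// Tolerate a trailing newline from tools like curl -d @file; a JWT itself
	// never contains whitespace.
	tokenString := strings.TrimSpace(string(body))

	token, err := jwt.ParseWithClaims(tokenString, &JWTClaims{}, jwtKeyFunc)
	if err != nil || !token.Valid {
		log.Debug("login token rejected: ", err)
		rw.WriteHeader(http.StatusUnauthorized)
		return
	}
	claims, ok := token.Claims.(*JWTClaims)
	if !ok {
		rw.WriteHeader(http.StatusInternalServerError)
		return
	}
	if claims.ExpiresAt == 0 {
		// Without exp the cookie Expires would be the epoch (immediately
		// discarded) and there is no bound on the session; refuse instead.
		log.Debug("login token rejected: missing exp claim")
		rw.WriteHeader(http.StatusUnauthorized)
		return
	}

	http.SetCookie(rw, sessionCookie(r, tokenString, time.Unix(claims.ExpiresAt, 0)))
	rw.WriteHeader(http.StatusNoContent)
}

// logout clears the jwt cookie by re-issuing it empty, already expired and
// with MaxAge<0 (browsers honour Max-Age over Expires), using the same
// attributes the login cookie was set with so the browser matches it.
func logout(rw http.ResponseWriter, r *http.Request) {
	cookie := sessionCookie(r, "", time.Unix(0, 0))
	cookie.MaxAge = -1
	http.SetCookie(rw, cookie)
	rw.WriteHeader(http.StatusNoContent)
}

// refreshToken re-issues the caller's (already verified) token via createJWT
// and replaces the session cookie with the new one. Requires an authenticated
// request (401 otherwise). The response status stays 200 for existing clients.
func refreshToken(rw http.ResponseWriter, r *http.Request) {
	if is, _ := isAuth(r.Context()); !is {
		rw.WriteHeader(http.StatusUnauthorized)
		return
	}
	oldToken, ok := r.Context().Value("jwt").(*jwt.Token)
	if !ok {
		rw.WriteHeader(http.StatusInternalServerError)
		return
	}
	claims, ok := oldToken.Claims.(*JWTClaims)
	if !ok {
		rw.WriteHeader(http.StatusInternalServerError)
		return
	}
	if len(jwtSigningKey) == 0 {
		// Unreachable while isAuth depends on jwtKeyFunc, but never sign
		// with an empty key.
		rw.WriteHeader(http.StatusInternalServerError)
		return
	}

	token := createJWT(claims)
	tokenString, err := token.SignedString(jwtSigningKey)
	if err != nil {
		rw.WriteHeader(http.StatusInternalServerError)
		return
	}

	// Prefer the expiry of the token actually issued: createJWT is defined
	// elsewhere and may build fresh claims, in which case the old exp would
	// make the cookie lapse before the token does. Fall back to the old exp
	// if the new claims are not a *JWTClaims or carry no exp.
	expires := time.Unix(claims.ExpiresAt, 0)
	if newClaims, ok := token.Claims.(*JWTClaims); ok && newClaims.ExpiresAt != 0 {
		expires = time.Unix(newClaims.ExpiresAt, 0)
	}

	http.SetCookie(rw, sessionCookie(r, tokenString, expires))
	rw.WriteHeader(http.StatusOK)
}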