263 lines
6.1 KiB
Go
263 lines
6.1 KiB
Go
package s3browser
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"mime"
|
|
"net/http"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/golang-jwt/jwt"
|
|
"github.com/gorilla/mux"
|
|
"github.com/graphql-go/graphql"
|
|
"github.com/graphql-go/graphql/gqlerrors"
|
|
"github.com/graphql-go/handler"
|
|
"github.com/minio/minio-go/v7"
|
|
|
|
log "github.com/sirupsen/logrus"
|
|
)
|
|
|
|
type JWTClaims struct {
|
|
jwt.StandardClaims
|
|
}
|
|
|
|
// initHttp setup and start the http server. Blocking
|
|
func initHttp(resolveContext context.Context, schema graphql.Schema, address string) error {
|
|
r := mux.NewRouter()
|
|
|
|
gqlHandler := handler.New(&handler.Config{
|
|
Schema: &schema,
|
|
Pretty: true,
|
|
GraphiQL: false,
|
|
Playground: true,
|
|
FormatErrorFn: func(err error) gqlerrors.FormattedError {
|
|
switch err := err.(type) {
|
|
case gqlerrors.FormattedError:
|
|
log.Error("GQL: ", err.Message)
|
|
case *gqlerrors.Error:
|
|
log.Errorf("GQL: '%s' at '%v'", err.Message, err.Path)
|
|
}
|
|
return gqlerrors.FormatError(err)
|
|
},
|
|
})
|
|
|
|
r.Use(func(h http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
|
|
|
token := getTokenFromRequest(r)
|
|
|
|
if token != "" {
|
|
parsedToken, err := parseJWT(token)
|
|
|
|
if err == nil && parsedToken.Valid {
|
|
newRequest := r.WithContext(context.WithValue(r.Context(), "jwt", parsedToken))
|
|
h.ServeHTTP(rw, newRequest)
|
|
return
|
|
}
|
|
}
|
|
|
|
h.ServeHTTP(rw, r)
|
|
})
|
|
})
|
|
|
|
r.HandleFunc("/api/graphql", func(rw http.ResponseWriter, r *http.Request) {
|
|
token := r.Context().Value("jwt")
|
|
gqlHandler.ContextHandler(context.WithValue(resolveContext, "jwt", token), rw, r)
|
|
})
|
|
|
|
r.HandleFunc("/api/file", func(rw http.ResponseWriter, r *http.Request) {
|
|
httpGetFile(resolveContext, rw, r)
|
|
}).Methods("GET")
|
|
|
|
r.HandleFunc("/api/file", func(rw http.ResponseWriter, r *http.Request) {
|
|
httpPostFile(resolveContext, rw, r)
|
|
}).Methods("POST")
|
|
|
|
r.HandleFunc("/api/cookie", setLoginCookie).Methods("POST")
|
|
|
|
r.HandleFunc("/api/logout", logout).Methods("POST")
|
|
|
|
// Init the embedded static files
|
|
initStatic(r)
|
|
|
|
return http.ListenAndServe(address, r)
|
|
}
|
|
|
|
func httpGetFile(ctx context.Context, rw http.ResponseWriter, r *http.Request) {
|
|
if is, _ := isAuth(r.Context()); !is {
|
|
rw.WriteHeader(http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
s3Client := ctx.Value("s3Client").(*minio.Client)
|
|
id := r.URL.Query().Get("id")
|
|
|
|
log.Debug("S3 call 'StatObject': ", id)
|
|
objInfo, err := s3Client.StatObject(context.Background(), bucketName, id, minio.GetObjectOptions{})
|
|
|
|
if err != nil {
|
|
rw.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
reqEtag := r.Header.Get("If-None-Match")
|
|
if reqEtag == objInfo.ETag {
|
|
rw.WriteHeader(http.StatusNotModified)
|
|
return
|
|
}
|
|
|
|
log.Debug("S3 call 'GetObject': ", id)
|
|
obj, err := s3Client.GetObject(context.Background(), bucketName, id, minio.GetObjectOptions{})
|
|
|
|
if err != nil {
|
|
rw.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
rw.Header().Set("Cache-Control", "must-revalidate")
|
|
rw.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", filepath.Base((objInfo.Key))))
|
|
rw.Header().Set("Content-Type", objInfo.ContentType)
|
|
rw.Header().Set("ETag", objInfo.ETag)
|
|
|
|
_, err = io.Copy(rw, obj)
|
|
|
|
if err != nil {
|
|
rw.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
}
|
|
|
|
func httpPostFile(ctx context.Context, rw http.ResponseWriter, r *http.Request) {
|
|
if is, _ := isAuth(r.Context()); !is {
|
|
rw.WriteHeader(http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
s3Client := ctx.Value("s3Client").(*minio.Client)
|
|
|
|
id := r.URL.Query().Get("id")
|
|
|
|
log.Debug("Upload file: ", id)
|
|
|
|
contentType := r.Header.Get("Content-Type")
|
|
mimeType, _, _ := mime.ParseMediaType(contentType)
|
|
|
|
log.Debug("S3 call 'PutObject': ", id)
|
|
info, err := s3Client.PutObject(context.Background(), bucketName, id, r.Body, r.ContentLength, minio.PutObjectOptions{
|
|
ContentType: mimeType,
|
|
})
|
|
|
|
if err != nil {
|
|
rw.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Invalidate cache
|
|
invalidateCache(ctx, info.Key)
|
|
|
|
rw.WriteHeader(http.StatusCreated)
|
|
}
|
|
|
|
//parseJWT parse a JWT. does not check if token is valid. Returns error if non was provided
|
|
func parseJWT(token string) (*jwt.Token, error) {
|
|
if token == "" {
|
|
return nil, fmt.Errorf("No token provided")
|
|
}
|
|
|
|
parsed, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
|
|
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
|
|
}
|
|
return []byte("TODO"), nil
|
|
})
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return parsed, nil
|
|
|
|
}
|
|
|
|
//getTokenFromRequest looks for a JWT in the "Authorization" header or in the cookies
|
|
func getTokenFromRequest(r *http.Request) string {
|
|
// get token from header
|
|
authHeader := strings.Split(r.Header.Get("Authorization"), "Bearer ")
|
|
if len(authHeader) == 2 {
|
|
return authHeader[1]
|
|
}
|
|
|
|
// Get cookie from cookie
|
|
cookie, err := r.Cookie("jwt") //TODO: change cookie name
|
|
|
|
if err == nil && len(cookie.Value) != 0 {
|
|
return cookie.Value
|
|
}
|
|
|
|
return ""
|
|
}
|
|
|
|
//setLoginCookie if provieded a valid JWT in the body then set a httpOnly cookie with the token
|
|
func setLoginCookie(rw http.ResponseWriter, r *http.Request) {
|
|
body, err := io.ReadAll(r.Body)
|
|
defer r.Body.Close()
|
|
|
|
if err != nil {
|
|
rw.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
tokenString := string(body)
|
|
|
|
token, err := parseJWT(tokenString)
|
|
|
|
if err != nil {
|
|
rw.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
if !token.Valid {
|
|
rw.WriteHeader(http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
claims, ok := token.Claims.(jwt.MapClaims)
|
|
|
|
if !ok {
|
|
rw.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
cookie := &http.Cookie{
|
|
Name: "jwt",
|
|
Value: tokenString,
|
|
HttpOnly: true,
|
|
SameSite: http.SameSiteStrictMode,
|
|
Path: "/api",
|
|
Expires: time.Unix(int64(claims["exp"].(float64)), 0),
|
|
}
|
|
|
|
http.SetCookie(rw, cookie)
|
|
|
|
rw.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
//logout removes the jwt cookie
|
|
func logout(rw http.ResponseWriter, r *http.Request) {
|
|
cookie := &http.Cookie{
|
|
Name: "jwt",
|
|
Value: "",
|
|
Path: "/api",
|
|
Expires: time.Unix(0, 0),
|
|
HttpOnly: true,
|
|
SameSite: http.SameSiteStrictMode,
|
|
}
|
|
|
|
http.SetCookie(rw, cookie)
|
|
|
|
rw.WriteHeader(http.StatusNoContent)
|
|
}
|