Home Explore Help
Sign In
LBP
/
miniflux_v2
mirror of https://github.com/miniflux/v2.git
4
0
Fork 0
Files Issues 0 Wiki
Tree: 04d85b3c63
Branches Tags
miniflux_v2
/
ui
/
middleware.go

middleware.go 4.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158 
  1. // Copyright 2018 Frédéric Guillot. All rights reserved.
    2. 

  2. // Use of this source code is governed by the Apache 2.0
    3. 

  3. // license that can be found in the LICENSE file.
    4. 

  4. 

  5. package ui // import "miniflux.app/ui"
    6. 

  6. 

  7. import (
    8. 

  8. 	"context"
    9. 

  9. 	"errors"
    10. 

  10. 	"net/http"
    11. 

  11. 

  12. 	"miniflux.app/config"
    13. 

  13. 	"miniflux.app/http/cookie"
    14. 

  14. 	"miniflux.app/http/request"
    15. 

  15. 	"miniflux.app/http/response/html"
    16. 

  16. 	"miniflux.app/http/route"
    17. 

  17. 	"miniflux.app/storage"
    18. 

  18. 	"miniflux.app/logger"
    19. 

  19. 	"miniflux.app/model"
    20. 

  20. 

  21. 	"github.com/gorilla/mux"
    22. 

  22. )
    23. 

  23. 

  24. type middleware struct {
    25. 

  25. 	router *mux.Router
    26. 

  26. 	cfg *config.Config
    27. 

  27. 	store *storage.Storage
    28. 

  28. }
    29. 

  29. 

  30. func newMiddleware(router *mux.Router, cfg *config.Config, store *storage.Storage) *middleware {
    31. 

  31. 	return &middleware{router, cfg, store}
    32. 

  32. }
    33. 

  33. 

  34. func (m *middleware) handleUserSession(next http.Handler) http.Handler {
    35. 

  35. 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    36. 

  36. 		session := m.getUserSessionFromCookie(r)
    37. 

  37. 

  38. 		if session == nil {
    39. 

  39. 			if m.isPublicRoute(r) {
    40. 

  40. 				next.ServeHTTP(w, r)
    41. 

  41. 			} else {
    42. 

  42. 				logger.Debug("[UI:UserSession] Session not found, redirect to login page")
    43. 

  43. 				html.Redirect(w, r, route.Path(m.router, "login"))
    44. 

  44. 			}
    45. 

  45. 		} else {
    46. 

  46. 			logger.Debug("[UI:UserSession] %s", session)
    47. 

  47. 

  48. 			ctx := r.Context()
    49. 

  49. 			ctx = context.WithValue(ctx, request.UserIDContextKey, session.UserID)
    50. 

  50. 			ctx = context.WithValue(ctx, request.IsAuthenticatedContextKey, true)
    51. 

  51. 			ctx = context.WithValue(ctx, request.UserSessionTokenContextKey, session.Token)
    52. 

  52. 

  53. 			next.ServeHTTP(w, r.WithContext(ctx))
    54. 

  54. 		}
    55. 

  55. 	})
    56. 

  56. }
    57. 

  57. 

  58. func (m *middleware) handleAppSession(next http.Handler) http.Handler {
    59. 

  59. 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    60. 

  60. 		var err error
    61. 

  61. 		session := m.getAppSessionValueFromCookie(r)
    62. 

  62. 

  63. 		if session == nil {
    64. 

  64. 			if (request.IsAuthenticated(r)) {
    65. 

  65. 				userID := request.UserID(r)
    66. 

  66. 				logger.Debug("[UI:AppSession] Cookie expired but user #%d is logged: creating a new session", userID)
    67. 

  67. 				session, err = m.store.CreateAppSessionWithUserPrefs(userID)
    68. 

  68. 				if err != nil {
    69. 

  69. 					html.ServerError(w, r, err)
    70. 

  70. 					return
    71. 

  71. 				}
    72. 

  72. 			} else {
    73. 

  73. 				logger.Debug("[UI:AppSession] Session not found, creating a new one")
    74. 

  74. 				session, err = m.store.CreateAppSession()
    75. 

  75. 				if err != nil {
    76. 

  76. 					html.ServerError(w, r, err)
    77. 

  77. 					return
    78. 

  78. 				}
    79. 

  79. 			}
    80. 

  80. 

  81. 			http.SetCookie(w, cookie.New(cookie.CookieAppSessionID, session.ID, m.cfg.IsHTTPS, m.cfg.BasePath()))
    82. 

  82. 		} else {
    83. 

  83. 			logger.Debug("[UI:AppSession] %s", session)
    84. 

  84. 		}
    85. 

  85. 

  86. 		if r.Method == "POST" {
    87. 

  87. 			formValue := r.FormValue("csrf")
    88. 

  88. 			headerValue := r.Header.Get("X-Csrf-Token")
    89. 

  89. 

  90. 			if session.Data.CSRF != formValue && session.Data.CSRF != headerValue {
    91. 

  91. 				logger.Error(`[UI:AppSession] Invalid or missing CSRF token: Form="%s", Header="%s"`, formValue, headerValue)
    92. 

  92. 				html.BadRequest(w, r, errors.New("Invalid or missing CSRF"))
    93. 

  93. 				return
    94. 

  94. 			}
    95. 

  95. 		}
    96. 

  96. 

  97. 		ctx := r.Context()
    98. 

  98. 		ctx = context.WithValue(ctx, request.SessionIDContextKey, session.ID)
    99. 

  99. 		ctx = context.WithValue(ctx, request.CSRFContextKey, session.Data.CSRF)
    100. 

  100. 		ctx = context.WithValue(ctx, request.OAuth2StateContextKey, session.Data.OAuth2State)
    101. 

  101. 		ctx = context.WithValue(ctx, request.FlashMessageContextKey, session.Data.FlashMessage)
    102. 

  102. 		ctx = context.WithValue(ctx, request.FlashErrorMessageContextKey, session.Data.FlashErrorMessage)
    103. 

  103. 		ctx = context.WithValue(ctx, request.UserLanguageContextKey, session.Data.Language)
    104. 

  104. 		ctx = context.WithValue(ctx, request.UserThemeContextKey, session.Data.Theme)
    105. 

  105. 		ctx = context.WithValue(ctx, request.PocketRequestTokenContextKey, session.Data.PocketRequestToken)
    106. 

  106. 		next.ServeHTTP(w, r.WithContext(ctx))
    107. 

  107. 	})
    108. 

  108. }
    109. 

  109. 

  110. func (m *middleware) getAppSessionValueFromCookie(r *http.Request) *model.Session {
    111. 

  111. 	cookieValue := request.CookieValue(r, cookie.CookieAppSessionID)
    112. 

  112. 	if cookieValue == "" {
    113. 

  113. 		return nil
    114. 

  114. 	}
    115. 

  115. 

  116. 	session, err := m.store.AppSession(cookieValue)
    117. 

  117. 	if err != nil {
    118. 

  118. 		logger.Error("[UI:AppSession] %v", err)
    119. 

  119. 		return nil
    120. 

  120. 	}
    121. 

  121. 

  122. 	return session
    123. 

  123. }
    124. 

  124. 

  125. func (m *middleware) isPublicRoute(r *http.Request) bool {
    126. 

  126. 	route := mux.CurrentRoute(r)
    127. 

  127. 	switch route.GetName() {
    128. 

  128. 	case "login",
    129. 

  129. 		"checkLogin",
    130. 

  130. 		"stylesheet",
    131. 

  131. 		"javascript",
    132. 

  132. 		"oauth2Redirect",
    133. 

  133. 		"oauth2Callback",
    134. 

  134. 		"appIcon",
    135. 

  135. 		"favicon",
    136. 

  136. 		"webManifest",
    137. 

  137. 		"robots",
    138. 

  138. 		"healthcheck":
    139. 

  139. 		return true
    140. 

  140. 	default:
    141. 

  141. 		return false
    142. 

  142. 	}
    143. 

  143. }
    144. 

  144. 

  145. func (m *middleware) getUserSessionFromCookie(r *http.Request) *model.UserSession {
    146. 

  146. 	cookieValue := request.CookieValue(r, cookie.CookieUserSessionID)
    147. 

  147. 	if cookieValue == "" {
    148. 

  148. 		return nil
    149. 

  149. 	}
    150. 

  150. 

  151. 	session, err := m.store.UserSessionByToken(cookieValue)
    152. 

  152. 	if err != nil {
    153. 

  153. 		logger.Error("[UI:UserSession] %v", err)
    154. 

  154. 		return nil
    155. 

  155. 	}
    156. 

  156. 

  157. 	return session
    158. 

  158. }
    159.