441 lines
14 KiB
Go
441 lines
14 KiB
Go
package api
|
|
|
|
import(
|
|
"context"
|
|
"errors"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"party.at/party/cmd/party/common"
|
|
"party.at/party/internal/data"
|
|
"party.at/party/internal/validator"
|
|
|
|
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/url"
|
|
"strconv"
|
|
)
|
|
|
|
type Api struct {
|
|
App *common.Application
|
|
}
|
|
|
|
type contextKey string
|
|
|
|
const userKey contextKey = "user"
|
|
|
|
func SetUser(r *http.Request, user *data.User) *http.Request {
|
|
return r.WithContext(context.WithValue(r.Context(), userKey, user))
|
|
}
|
|
|
|
func GetUser(r *http.Request) *data.User {
|
|
user, ok := r.Context().Value(userKey).(*data.User)
|
|
if !ok {
|
|
panic("missing user value in request context")
|
|
}
|
|
return user
|
|
}
|
|
|
|
func (api *Api) Authenticate(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Add("Vary", "Authorization")
|
|
|
|
authorizationHeader := r.Header.Get("Authorization")
|
|
if authorizationHeader == "" {
|
|
r = SetUser(r, data.AnonymousUser)
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
headerParts := strings.Split(authorizationHeader, " ")
|
|
if len(headerParts) != 2 || headerParts[0] != "Bearer" {
|
|
api.InvalidAuthenticationTokenResponse(w, r)
|
|
return
|
|
}
|
|
|
|
token := headerParts[1]
|
|
v := validator.New()
|
|
if data.ValidateTokenPlaintext(v, token); !v.Valid() {
|
|
api.InvalidAuthenticationTokenResponse(w, r)
|
|
return
|
|
}
|
|
|
|
userIdentity, err := api.App.Models.UserIdentities.GetForToken(data.ScopeAuthentication, token)
|
|
if err != nil {
|
|
switch {
|
|
case errors.Is(err, data.ErrRecordNotFound):
|
|
api.InvalidAuthenticationTokenResponse(w, r)
|
|
default:
|
|
api.ServerErrorResponse(w, r, err)
|
|
}
|
|
return
|
|
}
|
|
|
|
user, err := api.App.Models.Users.Get(userIdentity.UserID)
|
|
if err != nil {
|
|
switch {
|
|
case errors.Is(err, data.ErrRecordNotFound):
|
|
api.InvalidCredentialsResponse(w, r)
|
|
default:
|
|
api.ServerErrorResponse(w, r, err)
|
|
}
|
|
return
|
|
}
|
|
|
|
r = SetUser(r, user)
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
type envelope map[string]interface{}
|
|
|
|
type apiError struct {
|
|
Code common.ErrorCode `json:"code,omitempty"`
|
|
Message string `json:"message"`
|
|
Details map[string]string `json:"details,omitempty"`
|
|
}
|
|
|
|
|
|
|
|
// ── JSON helpers ─────────────────────────────────────────────────────────────
|
|
|
|
func (api *Api) writeJSON(w http.ResponseWriter, status int, data envelope, headers http.Header) error {
|
|
js, err := json.MarshalIndent(data, "", "\t")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
js = append(js, '\n')
|
|
for key, value := range headers {
|
|
w.Header()[key] = value
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(status)
|
|
w.Write(js)
|
|
return nil
|
|
}
|
|
|
|
func (api *Api) readJSON(w http.ResponseWriter, r *http.Request, dst interface{}) error {
|
|
r.Body = http.MaxBytesReader(w, r.Body, 1048576)
|
|
dec := json.NewDecoder(r.Body)
|
|
dec.DisallowUnknownFields()
|
|
|
|
err := dec.Decode(dst)
|
|
if err != nil {
|
|
var syntaxError *json.SyntaxError
|
|
var unmarshalTypeError *json.UnmarshalTypeError
|
|
var invalidUnmarshalError *json.InvalidUnmarshalError
|
|
|
|
switch {
|
|
case errors.As(err, &syntaxError):
|
|
return fmt.Errorf("body contains badly-formed JSON (at character %d)", syntaxError.Offset)
|
|
case errors.Is(err, io.ErrUnexpectedEOF):
|
|
return errors.New("body contains badly-formed JSON")
|
|
case errors.As(err, &unmarshalTypeError):
|
|
if unmarshalTypeError.Field != "" {
|
|
return fmt.Errorf("body contains incorrect JSON type for field %q", unmarshalTypeError.Field)
|
|
}
|
|
return fmt.Errorf("body contains incorrect JSON type (at character %d)", unmarshalTypeError.Offset)
|
|
case errors.Is(err, io.EOF):
|
|
return errors.New("body must not be empty")
|
|
case strings.HasPrefix(err.Error(), "json: unknown field "):
|
|
fieldName := strings.TrimPrefix(err.Error(), "json: unknown field ")
|
|
return fmt.Errorf("body contains unknown key %s", fieldName)
|
|
case err.Error() == "http: request body too large":
|
|
return fmt.Errorf("body must not be larger than 1048576 bytes")
|
|
case errors.As(err, &invalidUnmarshalError):
|
|
panic(err)
|
|
default:
|
|
return err
|
|
}
|
|
}
|
|
|
|
err = dec.Decode(&struct{}{})
|
|
if err != io.EOF {
|
|
return errors.New("body must only contain a single JSON value")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (api *Api) readIDParam(r *http.Request) (int64, error) {
|
|
id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
|
|
if err != nil || id < 1 {
|
|
return 0, errors.New("invalid id parameter")
|
|
}
|
|
return id, nil
|
|
}
|
|
|
|
func (api *Api) readString(qs url.Values, key, defaultValue string) string {
|
|
if s := qs.Get(key); s != "" {
|
|
return s
|
|
}
|
|
return defaultValue
|
|
}
|
|
|
|
func (api *Api) readInt(qs url.Values, key string, defaultValue int, v *validator.Validator) int {
|
|
s := qs.Get(key)
|
|
if s == "" {
|
|
return defaultValue
|
|
}
|
|
i, err := strconv.Atoi(s)
|
|
if err != nil {
|
|
v.AddError(key, "must be an integer value")
|
|
return defaultValue
|
|
}
|
|
return i
|
|
}
|
|
|
|
// ── Error responses ──────────────────────────────────────────────────────────
|
|
|
|
func (api *Api) LogError(r *http.Request, err error) {
|
|
api.App.Logger.PrintError(err, map[string]string{
|
|
"request_method": r.Method,
|
|
"request_url": r.URL.String(),
|
|
})
|
|
}
|
|
|
|
func (api *Api) errorResponse(w http.ResponseWriter, r *http.Request, status int, ae apiError) {
|
|
if err := common.WriteJSON(w, status, common.Envelope{"error": ae}, nil); err != nil {
|
|
api.App.LogError(r, err)
|
|
w.WriteHeader(500)
|
|
}
|
|
}
|
|
|
|
func (api *Api) ServerErrorResponse(w http.ResponseWriter, r *http.Request, err error) {
|
|
api.App.LogError(r, err)
|
|
api.errorResponse(w, r, http.StatusInternalServerError, apiError{
|
|
Message: "the server encountered a problem and could not process your request",
|
|
})
|
|
}
|
|
|
|
func (api *Api) NotFoundResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusNotFound, apiError{
|
|
Message: "the requested resource could not be found",
|
|
})
|
|
}
|
|
|
|
func (api *Api) MethodNotAllowedResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusMethodNotAllowed, apiError{
|
|
Message: fmt.Sprintf("the %s method is not supported for this resource", r.Method),
|
|
})
|
|
}
|
|
|
|
func (api *Api) BadRequestResponse(w http.ResponseWriter, r *http.Request, err error) {
|
|
api.errorResponse(w, r, http.StatusBadRequest, apiError{Message: err.Error()})
|
|
}
|
|
|
|
func (api *Api) FailedValidationResponse(w http.ResponseWriter, r *http.Request, errors map[string]string) {
|
|
api.errorResponse(w, r, http.StatusUnprocessableEntity, apiError{
|
|
Code: common.ErrCodeValidationFailed,
|
|
Message: "validation failed",
|
|
Details: errors,
|
|
})
|
|
}
|
|
|
|
func (api *Api) EditConflictResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusConflict, apiError{
|
|
Code: common.ErrCodeEditConflict,
|
|
Message: "unable to update the record due to an edit conflict, please try again",
|
|
})
|
|
}
|
|
|
|
func (api *Api) InvalidCredentialsResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusUnauthorized, apiError{
|
|
Code: common.ErrCodeInvalidCredentials,
|
|
Message: "invalid authentication credentials",
|
|
})
|
|
}
|
|
|
|
func (api *Api) InvalidAuthenticationTokenResponse(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("WWW-Authenticate", "Bearer")
|
|
api.errorResponse(w, r, http.StatusUnauthorized, apiError{
|
|
Code: common.ErrCodeInvalidAuthToken,
|
|
Message: "invalid or missing authentication token",
|
|
})
|
|
}
|
|
|
|
func (api *Api) RateLimitExceededResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusTooManyRequests, apiError{
|
|
Message: "rate limit exceeded",
|
|
})
|
|
}
|
|
|
|
func (api *Api) AuthenticationRequiredResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusUnauthorized, apiError{
|
|
Code: common.ErrCodeAuthRequired,
|
|
Message: "you must be authenticated to access this resource",
|
|
})
|
|
}
|
|
|
|
func (api *Api) InactiveAccountResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusForbidden, apiError{
|
|
Code: common.ErrCodeInactiveAccount,
|
|
Message: "your user account must be activated to access this resource",
|
|
})
|
|
}
|
|
|
|
func (api *Api) NotPermittedResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusForbidden, apiError{
|
|
Code: common.ErrCodeNotPermitted,
|
|
Message: "your user account doesn't have the necessary permissions to access this resource",
|
|
})
|
|
}
|
|
|
|
func (api *Api) AlreadyVotedResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusConflict, apiError{
|
|
Code: common.ErrCodeAlreadyVoted,
|
|
Message: "your user account already voted for this issue",
|
|
})
|
|
}
|
|
|
|
func (api *Api) AlreadyBlindSignedResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusConflict, apiError{
|
|
Code: common.ErrCodeAlreadyBlindSigned,
|
|
Message: "already requested a blind signature for this issue",
|
|
})
|
|
}
|
|
|
|
func (api *Api) BlindedVoteOutOfRangeResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusUnprocessableEntity, apiError{
|
|
Code: common.ErrCodeBlindedVoteRange,
|
|
Message: "blinded_vote is out of valid range",
|
|
})
|
|
}
|
|
|
|
func (api *Api) InvalidSignatureResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusUnprocessableEntity, apiError{
|
|
Code: common.ErrCodeInvalidSignature,
|
|
Message: "invalid signature",
|
|
})
|
|
}
|
|
|
|
func (api *Api) VoteAlreadyCastResponse(w http.ResponseWriter, r *http.Request) {
|
|
api.errorResponse(w, r, http.StatusConflict, apiError{
|
|
Code: common.ErrCodeVoteAlreadyCast,
|
|
Message: "this vote has already been cast",
|
|
})
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// func (app *Application) errorResponse(w http.ResponseWriter, r *http.Request, status int, ae apiError) {
|
|
// if err := WriteJSON(w, status, Envelope{"error": ae}, nil); err != nil {
|
|
// app.LogError(r, err)
|
|
// w.WriteHeader(500)
|
|
// }
|
|
// }
|
|
|
|
// func (app *Application) ServerErrorResponse(w http.ResponseWriter, r *http.Request, err error) {
|
|
// app.LogError(r, err)
|
|
// app.errorResponse(w, r, http.StatusInternalServerError, apiError{
|
|
// Message: "the server encountered a problem and could not process your request",
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) NotFoundResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusNotFound, apiError{
|
|
// Message: "the requested resource could not be found",
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) MethodNotAllowedResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusMethodNotAllowed, apiError{
|
|
// Message: fmt.Sprintf("the %s method is not supported for this resource", r.Method),
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) BadRequestResponse(w http.ResponseWriter, r *http.Request, err error) {
|
|
// app.errorResponse(w, r, http.StatusBadRequest, apiError{Message: err.Error()})
|
|
// }
|
|
|
|
// func (app *Application) FailedValidationResponse(w http.ResponseWriter, r *http.Request, errors map[string]string) {
|
|
// app.errorResponse(w, r, http.StatusUnprocessableEntity, apiError{
|
|
// Code: ErrCodeValidationFailed,
|
|
// Message: "validation failed",
|
|
// Details: errors,
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) EditConflictResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusConflict, apiError{
|
|
// Code: ErrCodeEditConflict,
|
|
// Message: "unable to update the record due to an edit conflict, please try again",
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) InvalidCredentialsResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusUnauthorized, apiError{
|
|
// Code: ErrCodeInvalidCredentials,
|
|
// Message: "invalid authentication credentials",
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) RateLimitExceededResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusTooManyRequests, apiError{
|
|
// Message: "rate limit exceeded",
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) AuthenticationRequiredResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusUnauthorized, apiError{
|
|
// Code: ErrCodeAuthRequired,
|
|
// Message: "you must be authenticated to access this resource",
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) InactiveAccountResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusForbidden, apiError{
|
|
// Code: ErrCodeInactiveAccount,
|
|
// Message: "your user account must be activated to access this resource",
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) NotPermittedResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusForbidden, apiError{
|
|
// Code: ErrCodeNotPermitted,
|
|
// Message: "your user account doesn't have the necessary permissions to access this resource",
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) AlreadyVotedResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusConflict, apiError{
|
|
// Code: ErrCodeAlreadyVoted,
|
|
// Message: "your user account already voted for this issue",
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) AlreadyBlindSignedResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusConflict, apiError{
|
|
// Code: ErrCodeAlreadyBlindSigned,
|
|
// Message: "already requested a blind signature for this issue",
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) BlindedVoteOutOfRangeResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusUnprocessableEntity, apiError{
|
|
// Code: ErrCodeBlindedVoteRange,
|
|
// Message: "blinded_vote is out of valid range",
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) InvalidSignatureResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusUnprocessableEntity, apiError{
|
|
// Code: ErrCodeInvalidSignature,
|
|
// Message: "invalid signature",
|
|
// })
|
|
// }
|
|
|
|
// func (app *Application) VoteAlreadyCastResponse(w http.ResponseWriter, r *http.Request) {
|
|
// app.errorResponse(w, r, http.StatusConflict, apiError{
|
|
// Code: ErrCodeVoteAlreadyCast,
|
|
// Message: "this vote has already been cast",
|
|
// })
|
|
// }
|
|
|