fd1682e11b
The session cookie now sets the Secure attribute (server.secure_cookies, default true). Adds chi RealIP and Recoverer middleware plus a securityHeaders middleware that emits a Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy on every response. HSTS is intentionally left to the TLS-terminating proxy. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
189 lines
6.3 KiB
Go
189 lines
6.3 KiB
Go
// Package handlers wires HTTP routes for Veola. Each file in the package owns
|
|
// a related cluster of routes; this file holds the shared App container and
|
|
// helper functions used across all handlers.
|
|
package handlers
|
|
|
|
import (
|
|
"context"
|
|
"log/slog"
|
|
"net/http"
|
|
"strconv"
|
|
"time"
|
|
|
|
"github.com/a-h/templ"
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/go-chi/chi/v5/middleware"
|
|
|
|
"veola/internal/apify"
|
|
"veola/internal/auth"
|
|
"veola/internal/config"
|
|
"veola/internal/db"
|
|
"veola/internal/ntfy"
|
|
"veola/internal/scheduler"
|
|
"veola/templates"
|
|
)
|
|
|
|
type App struct {
|
|
Cfg *config.Config
|
|
Store *db.Store
|
|
Auth *auth.Manager
|
|
Apify *apify.Client
|
|
Ntfy *ntfy.Client
|
|
Scheduler *scheduler.Scheduler
|
|
Preview *PreviewCache
|
|
}
|
|
|
|
func New(cfg *config.Config, store *db.Store, am *auth.Manager, ap *apify.Client, nt *ntfy.Client, sc *scheduler.Scheduler) *App {
|
|
return &App{
|
|
Cfg: cfg, Store: store, Auth: am,
|
|
Apify: ap, Ntfy: nt, Scheduler: sc,
|
|
Preview: NewPreviewCache(10 * time.Minute),
|
|
}
|
|
}
|
|
|
|
// Routes returns the chi router with everything wired up.
|
|
func (a *App) Routes() http.Handler {
|
|
r := chi.NewRouter()
|
|
// Applied to everything, including static assets and error responses.
|
|
// RealIP rewrites RemoteAddr from X-Forwarded-For — safe only because
|
|
// Veola is expected to sit behind a trusted proxy (Traefik) that sets
|
|
// it; Traefik must be configured to strip client-supplied values.
|
|
r.Use(middleware.RealIP)
|
|
r.Use(middleware.Recoverer)
|
|
r.Use(securityHeaders)
|
|
|
|
fs := http.FileServer(http.Dir("./static"))
|
|
r.Handle("/static/*", http.StripPrefix("/static/", fs))
|
|
|
|
// All other routes pass through session loading + setup gate.
|
|
r.Group(func(r chi.Router) {
|
|
r.Use(a.Auth.Sessions.LoadAndSave)
|
|
r.Use(a.Auth.LoadUser)
|
|
r.Use(a.setupGate)
|
|
|
|
// Public auth pages.
|
|
r.Get("/login", a.GetLogin)
|
|
r.With(a.Auth.CSRFProtect).Post("/login", a.PostLogin)
|
|
r.Get("/setup", a.GetSetup)
|
|
r.With(a.Auth.CSRFProtect).Post("/setup", a.PostSetup)
|
|
|
|
// Authenticated section.
|
|
r.Group(func(r chi.Router) {
|
|
r.Use(a.Auth.RequireAuth)
|
|
r.With(a.Auth.CSRFProtect).Post("/logout", a.PostLogout)
|
|
|
|
r.Get("/", a.GetDashboard)
|
|
r.Get("/dashboard/refresh", a.GetDashboardRefresh)
|
|
|
|
r.Get("/items", a.GetItems)
|
|
r.Get("/items/new", a.GetNewItem)
|
|
r.With(a.Auth.CSRFProtect).Post("/items/preview", a.PostPreview)
|
|
r.With(a.Auth.CSRFProtect).Post("/items", a.PostCreateItem)
|
|
r.Get("/items/{id}/edit", a.GetEditItem)
|
|
r.With(a.Auth.CSRFProtect).Post("/items/{id}", a.PostUpdateItem)
|
|
r.With(a.Auth.CSRFProtect).Post("/items/{id}/toggle", a.PostToggleItem)
|
|
r.With(a.Auth.CSRFProtect).Post("/items/{id}/delete", a.PostDeleteItem)
|
|
r.With(a.Auth.CSRFProtect).Post("/items/{id}/run", a.PostRunItem)
|
|
r.Get("/items/{id}/error", a.GetItemError)
|
|
r.Get("/items/{id}/results", a.GetItemResults)
|
|
|
|
r.Get("/results", a.GetGlobalResults)
|
|
|
|
r.Get("/settings", a.GetSettings)
|
|
r.With(a.Auth.CSRFProtect).Post("/settings", a.PostSettings)
|
|
r.With(a.Auth.CSRFProtect).Post("/settings/password", a.PostPasswordChange)
|
|
r.With(a.Auth.CSRFProtect).Post("/settings/test-ntfy", a.PostTestNtfy)
|
|
r.With(a.Auth.CSRFProtect).Post("/settings/test-apify", a.PostTestApify)
|
|
r.With(a.Auth.CSRFProtect).Post("/settings/test-ebay", a.PostTestEbay)
|
|
r.With(a.Auth.CSRFProtect, a.Auth.RequireAdmin).Post("/users", a.PostCreateUser)
|
|
r.With(a.Auth.CSRFProtect, a.Auth.RequireAdmin).Post("/users/{id}/delete", a.PostDeleteUser)
|
|
r.With(a.Auth.CSRFProtect, a.Auth.RequireAdmin).Post("/users/{id}/reset-password", a.PostResetPassword)
|
|
})
|
|
})
|
|
return r
|
|
}
|
|
|
|
// setupGate redirects every request to /setup if no users exist.
|
|
func (a *App) setupGate(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/setup" || isStaticPath(r.URL.Path) {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
n, err := a.Store.UserCount(r.Context())
|
|
if err != nil {
|
|
http.Error(w, "db error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if n == 0 {
|
|
http.Redirect(w, r, "/setup", http.StatusSeeOther)
|
|
return
|
|
}
|
|
// Once at least one user exists, /setup is a 404.
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
// securityHeaders sets defensive response headers on every request.
|
|
//
|
|
// Scripts and styles are restricted to 'self': Tailwind is vendored
|
|
// (static/css/tailwind.css), htmx and Chart.js are vendored, and the only
|
|
// inline <script> (the price chart) was externalized to static/js. The sole
|
|
// remote origins are Google Fonts (stylesheet + font files), per the agreed
|
|
// deviation to keep fonts on a CDN.
|
|
//
|
|
// img-src additionally allows any https: origin: listing thumbnails come from
|
|
// an open-ended set of marketplace CDNs (eBay, Amazon, Mercari, Yahoo, ...)
|
|
// that cannot be enumerated. Images execute no code, so this is a low-risk
|
|
// relaxation while script/style/connect stay locked to 'self'.
|
|
//
|
|
// HSTS is intentionally omitted: it belongs at the TLS-terminating proxy.
|
|
func securityHeaders(next http.Handler) http.Handler {
|
|
const csp = "default-src 'self'; " +
|
|
"img-src 'self' data: https:; " +
|
|
"font-src 'self' https://fonts.gstatic.com; " +
|
|
"style-src 'self' https://fonts.googleapis.com; " +
|
|
"script-src 'self'; " +
|
|
"connect-src 'self'; " +
|
|
"frame-ancestors 'none'; base-uri 'self'; object-src 'none'; form-action 'self'"
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
h := w.Header()
|
|
h.Set("X-Content-Type-Options", "nosniff")
|
|
h.Set("X-Frame-Options", "DENY")
|
|
h.Set("Referrer-Policy", "same-origin")
|
|
h.Set("Content-Security-Policy", csp)
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
func isStaticPath(p string) bool {
|
|
return len(p) >= 8 && p[:8] == "/static/"
|
|
}
|
|
|
|
func (a *App) page(r *http.Request, title, active string) templates.Page {
|
|
return templates.Page{
|
|
Title: title,
|
|
Active: active,
|
|
CSRFToken: a.Auth.CSRFToken(r.Context()),
|
|
CurrentUser: auth.CurrentUserFromRequest(r),
|
|
}
|
|
}
|
|
|
|
func render(w http.ResponseWriter, r *http.Request, c templ.Component) {
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
if err := c.Render(r.Context(), w); err != nil {
|
|
slog.Error("render failed", "err", err)
|
|
}
|
|
}
|
|
|
|
func parseInt64(s string) int64 {
|
|
n, _ := strconv.ParseInt(s, 10, 64)
|
|
return n
|
|
}
|
|
|
|
func intParam(r *http.Request, key string) int64 {
|
|
return parseInt64(chi.URLParam(r, key))
|
|
}
|
|
|
|
func ctxBg() context.Context { return context.Background() }
|