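package main

import (
	"bytes"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"path"
	"regexp"
	"strconv"
	"strings"
	txtTemplate "text/template"
	"time"

	"github.com/dballard/transmet/categories"
	"github.com/dballard/transmet/news"
	"github.com/dballard/transmet/user"
	"github.com/gorilla/mux"
	"github.com/gorilla/sessions"
)

const (
	// sessionName is the session (cookie) name every handler reads and writes.
	sessionName = "c_user"
	// maxTitleBody caps how many bytes of a remote page getUrlTitle reads while
	// looking for a <title>; an attacker-chosen or huge page cannot exhaust memory.
	maxTitleBody = 1 << 20
)

var (
	// titleClient is used by getUrlTitle instead of http.Get: the default client
	// has no timeout, so a stalled remote host could pin a handler goroutine forever.
	titleClient = &http.Client{Timeout: 10 * time.Second}

	// reTitle extracts the text of the first <title> element, case-insensitively
	// and across line breaks, stopping at the closing tag. Compiled once.
	reTitle = regexp.MustCompile(`(?is)<\s*title[^>]*>(.*?)<\s*/\s*title\s*>`)

	// reHTTP reports whether a user-supplied link already carries a scheme.
	reHTTP = regexp.MustCompile(`^https?://`)
)

// GetFlashes pops the pending error and info flash messages off session so a
// template can render them. Popping clears them in memory only; the caller
// must still session.Save for the clear to reach the client.
func GetFlashes(session *sessions.Session) map[string]interface{} {
	return map[string]interface{}{
		"error": session.Flashes(flash_err),
		"info":  session.Flashes(flash_info),
	}
}

// sessionWipe drops every value stored in session (used on logout). The
// session itself is kept; saving afterwards writes it back empty.
func sessionWipe(session *sessions.Session) {
	session.Values = make(map[interface{}]interface{})
}

// errorFlashes builds the flashes map a template expects when a single error
// message must be shown in the current response without going through the session.
func errorFlashes(msg string) map[string]interface{} {
	return map[string]interface{}{"error": []string{msg}}
}

// flashRedirect records msg as a flash of the given kind (flash_err / flash_info),
// saves the session and redirects to target. It replaces the
// AddFlash/Save/Redirect triple repeated across the handlers below.
func flashRedirect(w http.ResponseWriter, r *http.Request, session *sessions.Session, kind, msg, target string) {
	session.AddFlash(msg, kind)
	// Save errors are ignored here as in the original handlers; the redirect is
	// issued regardless so the user is never left without a response.
	session.Save(r, w)
	http.Redirect(w, r, target, http.StatusFound)
}

// initSessionUser loads the request's session and, when it names a logged-in
// user, that user. The *user.User is nil when nobody is logged in; the session
// is always returned so callers can flash messages on it.
func initSessionUser(r *http.Request) (*user.User, *sessions.Session) {
	// TODO verify ssl session
	// store.Get hands back a usable (fresh) session together with its error, so a
	// cookie that fails to decode simply reads as "not logged in".
	session, _ := store.Get(r, sessionName)
	// Comma-ok: a value of an unexpected type must not panic the handler.
	username, ok := session.Values["username"].(string)
	if !ok {
		return nil, session
	}
	return user.NewUserFromUsername(db, username), session
}

// userHandler wraps a handler that needs a logged-in user: anonymous requests
// are redirected to /login, everything else reaches next with the user and session.
func userHandler(next func(http.ResponseWriter, *http.Request, *user.User, *sessions.Session)) func(http.ResponseWriter, *http.Request) {
	return func(w http.ResponseWriter, r *http.Request) {
		u, session := initSessionUser(r)
		if u == nil {
			http.Redirect(w, r, "/login", http.StatusFound)
			return
		}
		next(w, r, u, session)
	}
}

// getPostHandler forks a route on method: GET goes to getFn, any other method
// (expected to be POST) goes to postFn.
// Example: r.HandleFunc("/login", getPostHandler(LoginFormHandler, LoginPostHandler))
func getPostHandler(getFn, postFn func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method == "GET" {
			getFn(w, r)
			return
		}
		postFn(w, r) // POST
	}
}

// LoginFormHandler renders the login page with any pending flash messages.
func LoginFormHandler(w http.ResponseWriter, r *http.Request) {
	session, _ := store.Get(r, sessionName)
	flashes := GetFlashes(session)
	session.Save(r, w)
	ShowTemplate("login", w, r, map[string]interface{}{"flashes": flashes})
}

// LoginPostHandler authenticates the posted username/password, stores the
// username in the session and redirects to the front page (or to the add form
// when a ?url= was carried along). Failures flash an error and return to /login.
// TODO: proper per account and client flood control rate limiting
// currently weak per call slow down is by-passable at scale
func LoginPostHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Println("LoginPostHandler()")
	time.Sleep(500 * time.Millisecond) // WEAK poor mans rate limiting for logins
	r.ParseForm()
	username := r.PostFormValue("username") // lookup user
	password := r.PostFormValue("password")
	u := user.NewUserFromAuth(db, username, password)
	if u == nil {
		time.Sleep(500 * time.Millisecond) // WEAK bypassable poor mans rate limiting for failed logins
		session, _ := store.Get(r, sessionName)
		flashRedirect(w, r, session, flash_err, "Username or password", "/login?"+r.URL.RawQuery)
		return
	}
	// NOTE(review): the pre-authentication session is reused after login; if the
	// configured store is id-based, consider issuing a fresh session here.
	session, _ := store.Get(r, sessionName)
	session.Values["username"] = u.Username
	session.Save(r, w)
	if r.URL.Query().Get("url") != "" {
		// The add form is routed at /news/add (see init_route_handlers); the old
		// "/add" target was unrouted. The return is required: previously both
		// redirects ran, writing the response header twice.
		http.Redirect(w, r, "/news/add?"+r.URL.RawQuery, http.StatusFound)
		return
	}
	http.Redirect(w, r, "/", http.StatusFound)
}

// LogoutHandler clears the session and sends the user to the front page (POST).
func LogoutHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	//session.Options = &sessions.Options{MaxAge: -1}
	sessionWipe(session)
	session.Save(r, w)
	http.Redirect(w, r, "/", http.StatusFound)
}

// getUrlTitle fetches url and returns the trimmed text of its <title>, or ""
// when the page cannot be fetched, read, or has no title.
//
// NOTE(review): url is taken straight from the request, so the fetch originates
// from this server (server-side request forgery exposure). If the host can reach
// internal addresses, restrict the destinations this may contact.
func getUrlTitle(url string) string {
	resp, err := titleClient.Get(url)
	if err != nil {
		fmt.Println("Error looking up link", url, ":", err)
		return ""
	}
	defer resp.Body.Close() // was never closed before: leaked a connection per lookup
	body, err := ioutil.ReadAll(io.LimitReader(resp.Body, maxTitleBody))
	if err != nil {
		fmt.Println("Error reading link", url, ":", err)
		return ""
	}
	m := reTitle.FindSubmatch(body)
	if m == nil {
		return ""
	}
	return strings.TrimSpace(string(m[1]))
}

// addFormHandler renders the "add news" form. Query parameters pre-fill it:
// ?url= (http:// is prepended when no scheme is given), ?title= (looked up from
// the page when empty and a url is present), ?selection= (becomes the notes)
// and ?popup=.
func addFormHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	categories.LoadCategories(db)
	flashes := GetFlashes(session)
	session.Save(r, w)

	q := r.URL.Query()
	link := q.Get("url")
	if link != "" && !reHTTP.MatchString(link) {
		link = "http://" + link
	}
	title := q.Get("title")
	if title == "" && link != "" {
		title = getUrlTitle(link)
	}
	notes := ""
	if selection := q.Get("selection"); selection != "" {
		// Kept as written: the surrounding empty strings look like markup that was
		// lost in transcription — verify against the template before simplifying.
		notes = "" + selection + ""
	}
	ShowTemplate("post", w, r, map[string]interface{}{
		"mode": "add", "user": user, "flashes": flashes, "link": link,
		"categories": categories.CategoriesTree, "title": title, "popup": q.Get("popup"),
		"category_id": -1, "notes": notes,
	})
}

// addPostHandler stores a new news item from the add form and redirects.
// Validation or save failures re-render the form with the submitted values and
// an error message so nothing typed is lost.
func addPostHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	item := news.News{
		Title: r.FormValue("title"),
		Notes: r.FormValue("notes"),
		Url:   r.FormValue("link"),
	}
	popup := r.FormValue("popup")

	// render re-shows the add form with the current item and a single error.
	render := func(msg string) {
		ShowTemplate("post", w, r, map[string]interface{}{
			"mode": "add", "user": user, "flashes": errorFlashes(msg), "link": item.Url,
			"categories": categories.CategoriesTree, "title": item.Title, "popup": popup,
			"notes": item.Notes, "category_id": item.Category_id,
		})
	}

	categoryID, err := strconv.Atoi(r.FormValue("category"))
	if err != nil {
		render("Category required: " + err.Error())
		return
	}
	item.Category_id = categoryID
	if err := item.Insert(db); err != nil {
		render("Error saving news: " + err.Error())
		return
	}
	session.AddFlash("Added news \""+item.Title+"\"", flash_info)
	session.Save(r, w)
	if popup == "1" {
		http.Redirect(w, r, "/news/added", http.StatusFound)
		return
	}
	http.Redirect(w, r, "/", http.StatusFound)
}

// editFormHandler renders the edit form for the news item named by {id};
// an unparsable id or a missing item flashes an error and redirects to /news.
func editFormHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	categories.LoadCategories(db)
	flashes := GetFlashes(session)
	id, err := strconv.Atoi(mux.Vars(r)["id"])
	if err != nil {
		flashRedirect(w, r, session, flash_err, "Could not understand news id", "/news")
		return
	}
	item, err := news.Get(db, id)
	if err != nil {
		flashRedirect(w, r, session, flash_err, "Could not load news item "+strconv.Itoa(id), "/news")
		return
	}
	session.Save(r, w)
	ShowTemplate("post", w, r, map[string]interface{}{
		"mode": "edit", "user": user, "flashes": flashes, "categories": categories.CategoriesTree,
		"link": item.Url, "title": item.Title, "notes": item.Notes, "popup": false,
		"category_id": item.Category_id, "id": item.Id(),
	})
}

// editPostHandler applies the posted form to the news item named by {id} and
// redirects to the front page. Validation or save failures re-render the form.
func editPostHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	id, err := strconv.Atoi(mux.Vars(r)["id"])
	if err != nil {
		flashRedirect(w, r, session, flash_err, "Error trying to save news item", "/news")
		return
	}
	item, err := news.Get(db, id)
	if err != nil {
		fmt.Println("Error trying to edit news item that doesn't exist")
		flashRedirect(w, r, session, flash_err, "Error trying to save news item", "/news")
		return
	}
	item.Title = r.FormValue("title")
	item.Notes = r.FormValue("notes")
	item.Url = r.FormValue("link")

	// render re-shows the edit form with the current item and a single error.
	render := func(msg string) {
		ShowTemplate("post", w, r, map[string]interface{}{
			"mode": "edit", "user": user, "flashes": errorFlashes(msg), "link": item.Url,
			"categories": categories.CategoriesTree, "title": item.Title, "popup": false,
			"notes": item.Notes, "category_id": item.Category_id, "id": item.Id(),
		})
	}

	categoryID, err := strconv.Atoi(r.FormValue("category"))
	if err != nil {
		render("Category required: " + err.Error())
		return
	}
	item.Category_id = categoryID
	if err := item.Update(db); err != nil {
		render("Error saving news: " + err.Error())
		return
	}
	flashRedirect(w, r, session, flash_info, "Updated news \""+item.Title+"\"", "/")
}

// templateFormHandler renders the export page: the not-yet-exported news items
// run through templates/html_template.txt and the result is shown for copying.
func templateFormHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	flashes := GetFlashes(session)
	session.Save(r, w)
	items, count, err := news.Unexported(db)
	if err != nil {
		// Previously this returned with nothing written (an empty 200 response).
		fmt.Println("Error loading unexported news:", err)
		http.Error(w, "could not load news", http.StatusInternalServerError)
		return
	}
	tmpl, err := txtTemplate.ParseFiles("templates/html_template.txt")
	if err != nil {
		// A parse failure used to fall through to Execute on a nil template (panic).
		fmt.Println("Error processing html_tempalte:", err)
		http.Error(w, "could not load export template", http.StatusInternalServerError)
		return
	}
	var templateBuf bytes.Buffer
	if err := tmpl.Execute(&templateBuf, map[string]interface{}{"news": items}); err != nil {
		// Best effort as before: whatever rendered before the error is still shown.
		fmt.Println("Exec err: ", err)
	}
	ShowTemplate("export", w, r, map[string]interface{}{
		"user": user, "flashes": flashes, "template": &templateBuf, "count": count, "url": config.Url,
	})
}

// exportHandler marks the current batch of news as exported and returns to the
// export page with an info or error flash.
func exportHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	kind, msg := flash_info, "Last batch of news marked exported"
	if err := news.MarkExported(db); err != nil {
		kind, msg = flash_err, "Error marking last batch of news exported"
	}
	// The export page is routed at /news/export (see init_route_handlers); the
	// old "/export" target was unrouted.
	flashRedirect(w, r, session, kind, msg, "/news/export")
}

// addedHandler renders the small confirmation page shown after a popup add.
func addedHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	flashes := GetFlashes(session)
	session.Save(r, w)
	ShowTemplate("added", w, r, map[string]interface{}{"user": user, "flashes": flashes})
}

// deleteHandler deletes the news item named by {id} and redirects to the front
// page with a flash describing the outcome.
func deleteHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	kind, msg := flash_info, "Deleted news post"
	if id, err := strconv.Atoi(mux.Vars(r)["id"]); err != nil {
		kind, msg = flash_err, "Invalid news to delete"
	} else if err := news.Delete(db, id); err != nil {
		kind, msg = flash_err, "Error commiting to Database"
	}
	flashRedirect(w, r, session, kind, msg, "/")
}

// categoriesFormHandler renders the category management page.
func categoriesFormHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	flashes := GetFlashes(session)
	session.Save(r, w)
	categories.LoadCategories(db)
	ShowTemplate("categories", w, r, map[string]interface{}{
		"user": user, "flashes": flashes, "categories": categories.CategoriesTree,
	})
}

// categoriesPostHandler currently does nothing but return to the categories page.
func categoriesPostHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	http.Redirect(w, r, "/categories", http.StatusFound)
}

// categoryFromReqArg resolves a request argument holding a category id to the
// loaded category, or nil when the argument is not an integer or unknown.
func categoryFromReqArg(arg string) *categories.Category {
	cid, err := strconv.Atoi(arg)
	if err != nil {
		return nil
	}
	if category, ok := categories.CategoriesFlat[cid]; ok {
		return category
	}
	return nil
}

// categoryChangeParentHandler re-parents category {id} to the posted "parent"
// (an unknown parent means "no parent") and redirects back to /categories.
func categoryChangeParentHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	categories.LoadCategories(db)
	category := categoryFromReqArg(mux.Vars(r)["id"])
	parent := categoryFromReqArg(r.FormValue("parent"))

	kind, msg := flash_info, "Changed category parent"
	switch {
	case category == nil:
		kind, msg = flash_err, "Invalid category"
	case parent != nil && category.Id == parent.Id:
		kind, msg = flash_err, "Cannot set category parent to itself"
	default:
		if err := category.ChangeParent(db, parent); err != nil {
			kind, msg = flash_err, "Error commiting to Database"
		}
	}
	flashRedirect(w, r, session, kind, msg, "/categories")
}

// categoryAddHandler creates a category from the posted "name" and optional
// "parent" id (-1 when absent or unparsable) and redirects back to /categories.
func categoryAddHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	name := r.FormValue("name")
	parent, perr := strconv.Atoi(r.FormValue("parent"))
	if perr != nil {
		parent = -1
	}
	kind, msg := flash_info, "Added category"
	if name == "" {
		kind, msg = flash_err, "Invalid category name"
	} else if err := categories.Add(db, name, parent); err != nil {
		kind, msg = flash_err, "Error commiting to Database"
	}
	flashRedirect(w, r, session, kind, msg, "/categories")
}

// categoryDeleteHandler deletes category {id} and redirects back to /categories.
func categoryDeleteHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	kind, msg := flash_info, "Deleted category"
	if id, err := strconv.Atoi(mux.Vars(r)["id"]); err != nil {
		kind, msg = flash_err, "Invalid category to delete"
	} else if err := categories.Delete(db, id); err != nil {
		kind, msg = flash_err, "Error commiting to Database"
	}
	flashRedirect(w, r, session, kind, msg, "/categories")
}

// newsFormHandler renders one page of news. ?offset= is a page number
// (100 items per page); a missing or unparsable value means the first page.
func newsFormHandler(w http.ResponseWriter, r *http.Request, user *user.User, session *sessions.Session) {
	flashes := GetFlashes(session)
	session.Save(r, w)

	const amount = 100
	page, err := strconv.Atoi(r.FormValue("offset"))
	offset := 0
	if err == nil {
		offset = amount * page
	}
	items, count, err := news.LoadPage(db, offset, amount)
	if err != nil {
		// Added to the map rendered now rather than to the session: the session was
		// already saved above, so a session flash here was never persisted or shown.
		flashes["error"] = append(flashes["error"].([]interface{}), "Error loading news")
	}
	ShowTemplate("news", w, r, map[string]interface{}{
		"user": user, "flashes": flashes, "news": items, "count": count, "offset": page,
		"amount": amount, "categories": categories.CategoriesFlat, "url": config.Url,
	})
}

// ServeFileHandler serves a single file from the working directory. path.Base
// strips any directory component, so only a top-level file can be named; the
// router binds this to /favicon.ico only.
func ServeFileHandler(res http.ResponseWriter, req *http.Request) {
	fname := path.Base(req.URL.Path)
	http.ServeFile(res, req, "./"+fname)
}

// init_route_handlers builds the router: static assets, the login pair, and
// every authenticated page wrapped in userHandler, split into GET and POST
// subrouters.
func init_route_handlers() *mux.Router {
	r := mux.NewRouter()

	// Basic Handle - static files - no CSRF wrapper
	r.PathPrefix("/js/").Handler(http.StripPrefix("/js/", http.FileServer(http.Dir("js/"))))
	r.PathPrefix("/css/").Handler(http.StripPrefix("/css/", http.FileServer(http.Dir("css/"))))
	r.PathPrefix("/fonts/").Handler(http.StripPrefix("/fonts", http.FileServer(http.Dir("fonts/"))))
	r.HandleFunc("/favicon.ico", ServeFileHandler)

	rGet := r.Methods("GET").Subrouter()
	rPost := r.Methods("POST").Subrouter()

	rGet.HandleFunc("/login", LoginFormHandler)
	rPost.HandleFunc("/login", LoginPostHandler)
	rPost.HandleFunc("/logout", userHandler(LogoutHandler))

	rGet.HandleFunc("/news/add", userHandler(addFormHandler))
	rPost.HandleFunc("/news/add", userHandler(addPostHandler))
	rGet.HandleFunc("/", userHandler(newsFormHandler))
	rGet.HandleFunc("/news", userHandler(newsFormHandler))
	rGet.HandleFunc("/news/export", userHandler(templateFormHandler))
	rPost.HandleFunc("/news/export", userHandler(exportHandler))
	rGet.HandleFunc("/news/added", userHandler(addedHandler))
	rPost.HandleFunc("/news/{id:[0-9]+}/delete", userHandler(deleteHandler))
	rGet.HandleFunc("/news/{id:[0-9]+}/edit", userHandler(editFormHandler))
	rPost.HandleFunc("/news/{id:[0-9]+}/edit", userHandler(editPostHandler))

	rGet.HandleFunc("/categories", userHandler(categoriesFormHandler))
	// Was registered at the misspelled "/caegories", which no form could reach.
	rPost.HandleFunc("/categories", userHandler(categoriesPostHandler))
	rPost.HandleFunc("/categories/{id:[0-9]+}/change-parent", userHandler(categoryChangeParentHandler))
	rPost.HandleFunc("/categories/add", userHandler(categoryAddHandler))
	rPost.HandleFunc("/categories/{id:[0-9]+}/delete", userHandler(categoryDeleteHandler))

	return r
}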