Albirew/nyaa-pantsu
Archivé
1
0
Bifurcation 0

API update completely functionnal for app usage (#987)

The api has been tested and works as intended.
Now users do not have to go on the website to get back their token, they
just have to register.
Torrents show the right stats and username on api request when search is
done
User model when converted to JSON gives us the apitoken and md5 hash of
email (for gravatar)
Verification on upload is done by token and username instead of token
only
Errors are now given in json format in the api
Global api response handler for less code redundancy and same response
pattern
Moved user auth check in cookie_helper to user.go
Fixed bug with CSRF prevention in /api
Added translation strings
Cette révision appartient à :
akuma06 2017-06-13 08:01:57 +02:00 révisé par ewhal
Parent 7ee5e913b1
révision b0aa111511
7 fichiers modifiés avec 277 ajouts et 131 suppressions

Voir le fichier

@ -55,6 +55,8 @@ type UserJSON struct {
ID uint `json:"user_id"`
Username string `json:"username"`
Status int `json:"status"`
APIToken string `json:"token"`
MD5 string `json:"md5"`
CreatedAt string `json:"created_at"`
LikingCount int `json:"liking_count"`
LikedCount int `json:"liked_count"`
@ -145,6 +147,8 @@ func (u *User) ToJSON() UserJSON {
json := UserJSON{
ID: u.ID,
Username: u.Username,
APIToken: u.APIToken,
MD5: u.MD5,
Status: u.Status,
CreatedAt: u.CreatedAt.Format(time.RFC3339),
LikingCount: len(u.Followers),

Voir le fichier

@ -2,7 +2,6 @@ package router
import (
"encoding/json"
"errors"
"html"
"net/http"
"strconv"
@ -17,7 +16,11 @@ import (
"github.com/NyaaPantsu/nyaa/service/torrent"
"github.com/NyaaPantsu/nyaa/service/upload"
"github.com/NyaaPantsu/nyaa/service/user"
"github.com/NyaaPantsu/nyaa/service/user/form"
"github.com/NyaaPantsu/nyaa/util/crypto"
"github.com/NyaaPantsu/nyaa/util/log"
msg "github.com/NyaaPantsu/nyaa/util/messages"
"github.com/NyaaPantsu/nyaa/util/modelHelper"
"github.com/NyaaPantsu/nyaa/util/search"
"github.com/gorilla/mux"
)
@ -135,51 +138,49 @@ func APIViewHeadHandler(w http.ResponseWriter, r *http.Request) {
// APIUploadHandler : Controller for uploading a torrent with api
func APIUploadHandler(w http.ResponseWriter, r *http.Request) {
token := r.Header.Get("Authorization")
user, _, _, err := userService.RetrieveUserByAPIToken(token)
username := r.FormValue("username")
user, _, _, _, err := userService.RetrieveUserByAPITokenAndName(token, username)
messages := msg.GetMessages(r)
defer r.Body.Close()
if err != nil {
http.Error(w, "Error API token doesn't exist", http.StatusBadRequest)
return
messages.AddError("errors", "Error API token doesn't exist")
}
if !uploadService.IsUploadEnabled(user) {
http.Error(w, "Error uploads are disabled", http.StatusBadRequest)
return
messages.AddError("errors", "Error uploads are disabled")
}
if user.ID == 0 {
http.Error(w, apiService.ErrAPIKey.Error(), http.StatusUnauthorized)
return
messages.ImportFromError("errors", apiService.ErrAPIKey)
}
if !messages.HasErrors() {
upload := apiService.TorrentRequest{}
contentType := r.Header.Get("Content-Type")
if contentType != "application/json" && !strings.HasPrefix(contentType, "multipart/form-data") && r.Header.Get("Content-Type") != "application/x-www-form-urlencoded" {
// TODO What should we do here ? upload is empty so we shouldn't
// create a torrent from it
http.Error(w, errors.New("Please provide either of Content-Type: application/json header or multipart/form-data").Error(), http.StatusInternalServerError)
return
messages.AddError("errors", "Please provide either of Content-Type: application/json header or multipart/form-data")
}
// As long as the right content-type is sent, formValue is smart enough to parse it
err = upload.ExtractInfo(r)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
messages.ImportFromError("errors", err)
}
if !messages.HasErrors() {
status := model.TorrentStatusNormal
if upload.Remake { // overrides trusted
status = model.TorrentStatusRemake
} else if user.IsTrusted() {
status = model.TorrentStatusTrusted
}
err = torrentService.ExistOrDelete(upload.Infohash, user)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
messages.ImportFromError("errors", err)
}
if !messages.HasErrors() {
torrent := model.Torrent{
Name: upload.Name,
Category: upload.CategoryID,
@ -205,7 +206,7 @@ func APIUploadHandler(w http.ResponseWriter, r *http.Request) {
} else {
log.Errorf("Unable to create elasticsearch client: %s", err)
}
messages.AddInfoT("infos", "torrent_uploaded")
torrentService.NewTorrentEvent(Router, user, &torrent)
// add filelist to files db, if we have one
if len(upload.FileList) > 0 {
@ -219,59 +220,59 @@ func APIUploadHandler(w http.ResponseWriter, r *http.Request) {
db.ORM.Create(&file)
}
}
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
apiResponseHandler(w, r, torrent.ToJSON())
return
}
}
}
apiResponseHandler(w, r)
}
// APIUpdateHandler : Controller for updating a torrent with api
// FIXME Impossible to update a torrent uploaded by user 0
func APIUpdateHandler(w http.ResponseWriter, r *http.Request) {
token := r.Header.Get("Authorization")
user, _, _, err := userService.RetrieveUserByAPIToken(token)
username := r.FormValue("username")
user, _, _, _, err := userService.RetrieveUserByAPITokenAndName(token, username)
defer r.Body.Close()
messages := msg.GetMessages(r)
if err != nil {
http.Error(w, "Error API token doesn't exist", http.StatusBadRequest)
return
messages.AddError("errors", "Error API token doesn't exist")
}
if !uploadService.IsUploadEnabled(user) {
http.Error(w, "Error uploads are disabled", http.StatusBadRequest)
return
messages.AddError("errors", "Error uploads are disabled")
}
if user.ID == 0 {
http.Error(w, apiService.ErrAPIKey.Error(), http.StatusForbidden)
return
messages.ImportFromError("errors", apiService.ErrAPIKey)
}
contentType := r.Header.Get("Content-Type")
if contentType != "application/json" && !strings.HasPrefix(contentType, "multipart/form-data") && r.Header.Get("Content-Type") != "application/x-www-form-urlencoded" {
// TODO What should we do here ? upload is empty so we shouldn't
// create a torrent from it
http.Error(w, errors.New("Please provide either of Content-Type: application/json header or multipart/form-data").Error(), http.StatusInternalServerError)
return
messages.AddError("errors", "Please provide either of Content-Type: application/json header or multipart/form-data")
}
update := apiService.UpdateRequest{}
err = update.Update.ExtractEditInfo(r)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
messages.ImportFromError("errors", err)
}
if !messages.HasErrors() {
torrent := model.Torrent{}
db.ORM.Where("torrent_id = ?", r.FormValue("id")).First(&torrent)
if torrent.ID == 0 {
http.Error(w, apiService.ErrTorrentID.Error(), http.StatusBadRequest)
return
messages.ImportFromError("errors", apiService.ErrTorrentID)
}
if torrent.UploaderID != 0 && torrent.UploaderID != user.ID { //&& user.Status != mod
http.Error(w, apiService.ErrRights.Error(), http.StatusForbidden)
return
messages.ImportFromError("errors", apiService.ErrRights)
}
update.UpdateTorrent(&torrent, user)
torrentService.UpdateTorrent(torrent)
}
apiResponseHandler(w, r)
}
// APISearchHandler : Controller for searching with api
func APISearchHandler(w http.ResponseWriter, r *http.Request) {
@ -309,3 +310,112 @@ func APISearchHandler(w http.ResponseWriter, r *http.Request) {
return
}
}
// APILoginHandler : Login with API
// This is not an OAuth api like and shouldn't be used for anything except getting the API Token in order to not store a password
func APILoginHandler(w http.ResponseWriter, r *http.Request) {
b := form.LoginForm{}
messages := msg.GetMessages(r)
contentType := r.Header.Get("Content-type")
if !strings.HasPrefix(contentType, "application/json") && !strings.HasPrefix(contentType, "multipart/form-data") && !strings.HasPrefix(contentType, "application/x-www-form-urlencoded") {
// TODO What should we do here ? upload is empty so we shouldn't
// create a torrent from it
messages.AddError("errors", "Please provide either of Content-Type: application/json header or multipart/form-data")
}
if strings.HasPrefix(contentType, "multipart/form-data") || strings.HasPrefix(contentType, "application/x-www-form-urlencoded") {
modelHelper.BindValueForm(&b, r)
} else {
decoder := json.NewDecoder(r.Body)
err := decoder.Decode(&b)
if err != nil {
messages.ImportFromError("errors", err)
}
}
defer r.Body.Close()
modelHelper.ValidateForm(&b, messages)
if !messages.HasErrors() {
user, _, errorUser := userService.CreateUserAuthenticationAPI(r, &b)
if errorUser == nil {
messages.AddInfo("infos", "Logged")
apiResponseHandler(w, r, user.ToJSON())
return
}
messages.ImportFromError("errors", errorUser)
}
apiResponseHandler(w, r)
}
// APIRefreshTokenHandler : Refresh Token with API
func APIRefreshTokenHandler(w http.ResponseWriter, r *http.Request) {
token := r.Header.Get("Authorization")
username := r.FormValue("username")
user, _, _, _, err := userService.RetrieveUserByAPITokenAndName(token, username)
defer r.Body.Close()
messages := msg.GetMessages(r)
if err != nil {
messages.AddError("errors", "Error API token doesn't exist")
}
if !messages.HasErrors() {
user.APIToken, _ = crypto.GenerateRandomToken32()
user.APITokenExpiry = time.Unix(0, 0)
_, errorUser := userService.UpdateRawUser(user)
if errorUser == nil {
messages.AddInfoT("infos", "profile_updated")
apiResponseHandler(w, r, user.ToJSON())
return
}
messages.ImportFromError("errors", errorUser)
}
apiResponseHandler(w, r)
}
// APICheckTokenHandler : Check Token with API
func APICheckTokenHandler(w http.ResponseWriter, r *http.Request) {
token := r.Header.Get("Authorization")
username := r.FormValue("username")
user, _, _, _, err := userService.RetrieveUserByAPITokenAndName(token, username)
defer r.Body.Close()
messages := msg.GetMessages(r)
if err != nil {
messages.AddError("errors", "Error API token doesn't exist")
} else {
messages.AddInfo("infos", "Logged")
}
apiResponseHandler(w, r, user.ToJSON())
}
// This function is the global response for every simple Post Request API
// Please use it. Responses are of the type:
// {ok: bool, [errors | infos]: ArrayOfString [, data: ArrayOfObjects, all_errors: ArrayOfObjects]}
// To send errors or infos, you just need to use the Messages Util
func apiResponseHandler(w http.ResponseWriter, r *http.Request, obj ...interface{}) {
messages := msg.GetMessages(r)
var apiJSON []byte
w.Header().Set("Content-Type", "application/json")
if !messages.HasErrors() {
mapOk := map[string]interface{}{"ok": true, "infos": messages.GetInfos("infos")}
if len(obj) > 0 {
mapOk["data"] = obj
if len(obj) == 1 {
mapOk["data"] = obj[0]
}
}
apiJSON, _ = json.Marshal(mapOk)
} else { // We need to show error messages
mapNotOk := map[string]interface{}{"ok": false, "errors": messages.GetErrors("errors"), "all_errors": messages.GetAllErrors()}
if len(obj) > 0 {
mapNotOk["data"] = obj
if len(obj) == 1 {
mapNotOk["data"] = obj[0]
}
}
if len(messages.GetAllErrors()) > 0 && len(messages.GetErrors("errors")) == 0 {
mapNotOk["errors"] = "errors"
}
apiJSON, _ = json.Marshal(mapNotOk)
}
w.Write(apiJSON)
}

Voir le fichier

@ -96,6 +96,9 @@ func init() {
api.Handle("/view/{id}", wrapHandler(gzipAPIViewHandler)).Methods("GET")
api.HandleFunc("/view/{id}", APIViewHeadHandler).Methods("HEAD")
api.HandleFunc("/upload", APIUploadHandler).Methods("POST")
api.HandleFunc("/login", APILoginHandler).Methods("POST")
api.HandleFunc("/token/check", APICheckTokenHandler).Methods("GET")
api.HandleFunc("/token/refresh", APIRefreshTokenHandler).Methods("GET")
api.HandleFunc("/search", APISearchHandler)
api.HandleFunc("/search/{page}", APISearchHandler)
api.HandleFunc("/update", APIUpdateHandler).Methods("PUT")
@ -145,7 +148,7 @@ func init() {
Router.NotFoundHandler = http.HandlerFunc(NotFoundHandler)
CSRFRouter = nosurf.New(Router)
CSRFRouter.ExemptPath("/api")
CSRFRouter.ExemptRegexp("/api(?:/.+)*")
CSRFRouter.ExemptPath("/mod")
CSRFRouter.ExemptPath("/upload")
CSRFRouter.ExemptPath("/user/login")

Voir le fichier

@ -11,12 +11,10 @@ import (
"github.com/NyaaPantsu/nyaa/db"
"github.com/NyaaPantsu/nyaa/model"
formStruct "github.com/NyaaPantsu/nyaa/service/user/form"
msg "github.com/NyaaPantsu/nyaa/util/messages"
"github.com/NyaaPantsu/nyaa/util/modelHelper"
"github.com/NyaaPantsu/nyaa/util/timeHelper"
"github.com/gorilla/context"
"github.com/gorilla/securecookie"
"golang.org/x/crypto/bcrypt"
)
const (
@ -81,36 +79,7 @@ func ClearCookie(w http.ResponseWriter) (int, error) {
}
// SetCookieHandler sets the authentication cookie
func SetCookieHandler(w http.ResponseWriter, r *http.Request, email string, pass string) (int, error) {
if email == "" || pass == "" {
return http.StatusNotFound, errors.New("No username/password entered")
}
var user model.User
messages := msg.GetMessages(r)
// search by email or username
isValidEmail := formStruct.EmailValidation(email, messages)
messages.ClearErrors("email") // We need to clear the error added on messages
if isValidEmail {
if db.ORM.Where("email = ?", email).First(&user).RecordNotFound() {
return http.StatusNotFound, errors.New("User not found")
}
} else {
if db.ORM.Where("username = ?", email).First(&user).RecordNotFound() {
return http.StatusNotFound, errors.New("User not found")
}
}
err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(pass))
if err != nil {
return http.StatusUnauthorized, errors.New("Password incorrect")
}
if user.IsBanned() {
return http.StatusUnauthorized, errors.New("Account banned")
}
if user.IsScraped() {
return http.StatusUnauthorized, errors.New("Account need activation from Moderators, please contact us")
}
func SetCookieHandler(w http.ResponseWriter, r *http.Request, user model.User) (int, error) {
maxAge := getMaxAge()
validUntil := timeHelper.FewDurationLater(time.Duration(maxAge) * time.Second)
encoded, err := EncodeCookie(user.ID, validUntil)
@ -136,7 +105,11 @@ func SetCookieHandler(w http.ResponseWriter, r *http.Request, email string, pass
func RegisterHanderFromForm(w http.ResponseWriter, r *http.Request, registrationForm formStruct.RegistrationForm) (int, error) {
username := registrationForm.Username // email isn't set at this point
pass := registrationForm.Password
return SetCookieHandler(w, r, username, pass)
user, status, err := checkAuth(r, username, pass)
if err != nil {
return status, err
}
return SetCookieHandler(w, r, user)
}
// RegisterHandler sets a cookie when user registered.

Voir le fichier

@ -56,8 +56,8 @@ type RegistrationForm struct {
// LoginForm is used when a user logs in.
type LoginForm struct {
Username string `form:"username" needed:"true"`
Password string `form:"password" needed:"true"`
Username string `form:"username" needed:"true" json:"username"`
Password string `form:"password" needed:"true" json:"password"`
}
// UserForm is used when updating a user.

Voir le fichier

@ -13,6 +13,7 @@ import (
"github.com/NyaaPantsu/nyaa/service/user/permission"
"github.com/NyaaPantsu/nyaa/util/crypto"
"github.com/NyaaPantsu/nyaa/util/log"
msg "github.com/NyaaPantsu/nyaa/util/messages"
"github.com/NyaaPantsu/nyaa/util/modelHelper"
"golang.org/x/crypto/bcrypt"
)
@ -286,6 +287,15 @@ func RetrieveUserByAPIToken(apiToken string) (*model.User, string, int, error) {
return &user, apiToken, http.StatusOK, nil
}
// RetrieveUserByAPIToken retrieves a user by an API token
func RetrieveUserByAPITokenAndName(apiToken string, username string) (*model.User, string, string, int, error) {
var user model.User
if db.ORM.Unscoped().Where("api_token = ? AND username = ?", apiToken, username).First(&user).RecordNotFound() {
return &user, apiToken, username, http.StatusNotFound, errors.New("user not found")
}
return &user, apiToken, username, http.StatusOK, nil
}
// RetrieveUsersByEmail retrieves users by an email
func RetrieveUsersByEmail(email string) []*model.User {
var users []*model.User
@ -359,10 +369,52 @@ func GetFollowers(user *model.User) *model.User {
func CreateUserAuthentication(w http.ResponseWriter, r *http.Request) (int, error) {
var form formStruct.LoginForm
modelHelper.BindValueForm(&form, r)
user, status, err := CreateUserAuthenticationAPI(r, &form)
if err != nil {
return status, err
}
status, err = SetCookieHandler(w, r, user)
return status, err
}
// CreateUserAuthenticationAPI creates user authentication.
func CreateUserAuthenticationAPI(r *http.Request, form *formStruct.LoginForm) (model.User, int, error) {
username := form.Username
pass := form.Password
status, err := SetCookieHandler(w, r, username, pass)
return status, err
user, status, err := checkAuth(r, username, pass)
return user, status, err
}
func checkAuth(r *http.Request, email string, pass string) (model.User, int, error) {
var user model.User
if email == "" || pass == "" {
return user, http.StatusNotFound, errors.New("No username/password entered")
}
messages := msg.GetMessages(r)
// search by email or username
isValidEmail := formStruct.EmailValidation(email, messages)
messages.ClearErrors("email") // We need to clear the error added on messages
if isValidEmail {
if db.ORM.Where("email = ?", email).First(&user).RecordNotFound() {
return user, http.StatusNotFound, errors.New("User not found")
}
} else {
if db.ORM.Where("username = ?", email).First(&user).RecordNotFound() {
return user, http.StatusNotFound, errors.New("User not found")
}
}
err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(pass))
if err != nil {
return user, http.StatusUnauthorized, errors.New("Password incorrect")
}
if user.IsBanned() {
return user, http.StatusUnauthorized, errors.New("Account banned")
}
if user.IsScraped() {
return user, http.StatusUnauthorized, errors.New("Account need activation from Moderators, please contact us")
}
return user, http.StatusOK, nil
}
// SetFollow : Makes a user follow another

Voir le fichier

@ -767,6 +767,10 @@
"id": "new_torrent_uploaded",
"translation": "New torrent: \"%s\" from %s"
},
{
"id": "torrent_uploaded",
"translation": "torrent uploaded successfully!"
},
{
"id": "preferences",
"translation": "Preferences"