Example #1
0
// Examine the request for a valid session cookie. If one is found, return the username and user permissions. If the cookie is somehow invalid it will be unset.
//
// If dbValidate is set to true the username specified in the cookie will be loaded and validated againsts the database. If the user no longer exists the session will be unset. This also means that the returned User will have fully populated fields.
func Challenge(w http.ResponseWriter, r *http.Request, dbValidate bool) (*data.User, int) {
	session, _ := store.Get(r, "rter-credentials") // Will return an empty map if there isn't a valid session cookie

	user := new(data.User)

	uval, ok := session.Values["username"]
	if !ok {
		deleteSession(session, w, r)
		return nil, 0
	}

	user.Username, ok = uval.(string)
	if !ok {
		deleteSession(session, w, r)
		return nil, 0
	}

	if dbValidate {
		err := storage.Select(user)

		if err != nil {
			log.Println(err)
			if err == storage.ErrZeroAffected {
				log.Println("Valid Cookie for non-existant user: "******"permissions"]
	if !ok {
		return user, 0
	}

	permissions, ok := pval.(int)
	if !ok {
		return user, 0
	}

	return user, permissions
}
Example #2
0
File: crud.go Project: cyc115/rter
// Generic Update handler
func Update(w http.ResponseWriter, r *http.Request) {
	user, permissions := auth.Challenge(w, r, true)
	if user == nil || permissions < 1 {
		http.Error(w, "Please Login", http.StatusUnauthorized)
		return
	}

	w.Header().Set("Access-Control-Allow-Origin", "*")
	w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")

	vars := mux.Vars(r)
	var (
		val interface{} // Generic container for the updated object
		err error
	)

	// Build a URI like representation of the datatype
	types := []string{vars["datatype"]}

	if childtype, ok := vars["childtype"]; ok {
		types = append(types, childtype)
	}

	// Switch based on that URI like representation and instantiate something in the generic container. Also infer the identifier from the vars and perform validation.
	switch strings.Join(types, "/") {
	case "items":
		v := new(data.Item)
		v.ID, err = strconv.ParseInt(vars["key"], 10, 64)

		val = v
	case "items/comments":
		v := new(data.ItemComment)
		v.ID, err = strconv.ParseInt(vars["childkey"], 10, 64)

		val = v
	case "users":
		if vars["key"] != user.Username {
			http.Error(w, "Please don't hack other users", http.StatusUnauthorized)
			return
		}

		v := new(data.User)
		v.Username = vars["key"]

		val = v
	case "users/direction":
		v := new(data.UserDirection)
		v.Username = vars["key"]

		val = v
	case "roles":
		v := new(data.Role)
		v.Title = vars["key"]

		val = v
	case "taxonomy":
		v := new(data.Term)
		v.Term = vars["key"]

		val = v
	case "taxonomy/ranking":
		v := new(data.TermRanking)
		v.Term = vars["key"]

		val = v
	default:
		http.NotFound(w, r)
		return
	}

	if err != nil {
		log.Println(err, vars)
		http.Error(w, "Malformed key in URI", http.StatusBadRequest)
		return
	}

	err = storage.Select(val) //Load previous values so that update is non distructive of empty fields

	if err == storage.ErrZeroAffected {
		http.NotFound(w, r)
		return
	} else if err != nil {
		log.Println(err)
		http.Error(w, "Select3 Database error, likely due to malformed request.", http.StatusInternalServerError)
		return
	}

	// Decode the JSON into our generic object. The decode will leave unscpecified fields untouched.
	decoder := json.NewDecoder(r.Body)
	err = decoder.Decode(&val)

	if err != nil {
		log.Println(err)
		http.Error(w, "Malformed json.", http.StatusBadRequest)
		return
	}

	// Validate JSON, run pre-update hooks, etc...
	//We must reset fields we set earlier incase they were changed during the JSON decode
	switch v := val.(type) {
	case (*data.Item):
		v.ID, err = strconv.ParseInt(vars["key"], 10, 64)
		v.Author = user.Username
	case (*data.ItemComment):
		v.ID, err = strconv.ParseInt(vars["childkey"], 10, 64)
		v.Author = user.Username
	case (*data.User):
		v.Username = vars["key"]
	case (*data.UserDirection):
		v.Username = vars["key"]
		v.LockUsername = user.Username
	case (*data.Role):
		v.Title = vars["key"]
	case (*data.Term):
		v.Term = vars["key"]
		v.Author = user.Username
	case (*data.TermRanking):
		v.Term = vars["key"]
	}

	if err != nil {
		log.Println(err, vars)
		http.Error(w, "Malformed key in URI", http.StatusBadRequest)
		return
	}

	// Run the update
	err = storage.Update(val)

	if err == storage.ErrZeroAffected {
		w.WriteHeader(http.StatusNotModified)
		return
	} else if err != nil {
		log.Println(err)
		http.Error(w, "Update2 Database error, likely due to malformed request.", http.StatusInternalServerError)
		return
	}

	w.Header().Set("Content-Type", "application/json") // Header are important when GZIP is enabled

	// Return the updated item
	encoder := json.NewEncoder(w)
	err = encoder.Encode(val)

	if err != nil {
		log.Println(err)
	}
}
Example #3
0
File: crud.go Project: cyc115/rter
// Generic Read handler for reading single objects
func Read(w http.ResponseWriter, r *http.Request) {
	//No Auth for the moment

	w.Header().Set("Access-Control-Allow-Origin", "*")
	w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")

	vars := mux.Vars(r)

	var (
		val interface{} // Generic container for the read object
		err error
	)

	// Build a URI like representation of the datatype
	types := []string{vars["datatype"]}

	if childtype, ok := vars["childtype"]; ok {
		types = append(types, childtype)
	}

	// Switch based on that URI like representation and instantiate something in the generic container. Also infer the identifier from the vars and perform validation.
	switch strings.Join(types, "/") {
	case "items":
		item := new(data.Item)
		item.ID, err = strconv.ParseInt(vars["key"], 10, 64)

		val = item
	case "items/comments":
		comment := new(data.ItemComment)
		comment.ID, err = strconv.ParseInt(vars["childkey"], 10, 64)

		val = comment

	case "users":
		user := new(data.User)
		user.Username = vars["key"]

		val = user
	case "users/direction":
		direction := new(data.UserDirection)
		direction.Username = vars["key"]

		val = direction
	case "roles":
		role := new(data.Role)
		role.Title = vars["key"]

		val = role
	case "taxonomy":
		term := new(data.Term)
		term.Term = vars["key"]

		val = term
	case "taxonomy/ranking":
		ranking := new(data.TermRanking)
		ranking.Term = vars["key"]

		val = ranking
	default:
		http.NotFound(w, r)
		return
	}

	if err != nil {
		log.Println(err)
		http.Error(w, "Malformed key in URI", http.StatusBadRequest)
		return
	}

	// Perform the Select
	err = storage.Select(val)

	if err == storage.ErrZeroAffected {
		http.Error(w, "No matches for query", http.StatusNotFound)
		return
	} else if err != nil {
		log.Println(err)
		http.Error(w, "Select Database error, likely due to malformed request", http.StatusInternalServerError)
		return
	}

	// Important. Let's never send salt/hash out.
	switch v := val.(type) {
	case *data.User:
		v.Salt = ""
		v.Password = ""
	}

	w.Header().Set("Content-Type", "application/json") // Header are important when GZIP is enabled

	// Return the object we've selected from the database.
	encoder := json.NewEncoder(w)
	err = encoder.Encode(val)

	if err != nil {
		log.Println(err)
	}
}
Example #4
0
// Handle requests containing JSON with user credentials. If the credentials are valid the response will set a session cookie effectively logging in the user.
//
// Expected JSON format:
// 	{"Username":"******", "Password":"******"}
//
// Invalid credentials will result in a 401 StatusUnauthorized response. Malformed JSON will result in a 400 StatusBadRequest or possibly 500 StatusInternalServerError.
func AuthHandlerFunc(w http.ResponseWriter, r *http.Request) {
	// Parse the JSON into a user object
	loginInfo := new(data.User)

	decoder := json.NewDecoder(r.Body)
	err := decoder.Decode(&loginInfo)

	if err != nil {
		log.Println("JSON problem")
		log.Println(err)
		http.Error(w, "Malformed json.", http.StatusBadRequest)
		return
	}

	// Try and load the actual user
	user := new(data.User)
	user.Username = loginInfo.Username

	err = storage.Select(user)

	if err == storage.ErrZeroAffected {
		log.Println("No such user: "******"Invalid credentials.", http.StatusUnauthorized)
		return
	} else if err != nil {
		log.Println(err)
		http.Error(w, "Database error, likely due to malformed request.", http.StatusInternalServerError)
		return
	}

	// Validate
	if !user.Auth(loginInfo.Password) {
		log.Println("Wrong Password for: ", user.Username)
		http.Error(w, "Invalid credentials.", http.StatusUnauthorized)
		return
	}

	// Get role permissions
	role := new(data.Role)
	role.Title = user.Role

	err = storage.Select(role)

	if err != nil {
		log.Println("Issues loading role during auth", err)
		role.Permissions = 0 // Default to no permissions
	}

	// Build a cookie session
	session, _ := store.Get(r, "rter-credentials")

	session.Values["username"] = user.Username
	session.Values["role"] = user.Role
	session.Values["permissions"] = role.Permissions

	err = session.Save(r, w)

	if err != nil {
		log.Println(err)
	}
}
Example #5
0
// Handle a POST request with an image, phone_id, lat, lng and heading. Return a target heading from the web UI
func MultiUploadHandler(rterDir string, uploadPath string, w http.ResponseWriter, r *http.Request) {
	imageFile, header, err := r.FormFile("image")
	if err != nil {
		return
	}

	user := new(data.User)
	user.Username = r.FormValue("phone_id")

	err = storage.Select(user)

	if err == storage.ErrZeroAffected {
		user.Role = "public"
		storage.Insert(user)
		// log.Println("upload failed, phone_id invalid:", user.Username)
		// http.Error(w, "Invalid credentials.", http.StatusUnauthorized)
		// return
	} else if err != nil {
		log.Println(err)
		http.Error(w, "Database error, likely due to malformed request.", http.StatusInternalServerError)
		return
	}

	os.Mkdir(filepath.Join(uploadPath, user.Username), os.ModeDir|0775)

	matchingItems := make([]*data.Item, 0)
	err = storage.SelectWhere(&matchingItems, "WHERE Type=\"streaming-video-v0\" AND Author=?", user.Username)

	exists := true

	if err == storage.ErrZeroAffected {
		exists = false
	} else if err != nil {
		log.Println(err)
		http.Error(w, "Database error, likely due to malformed request.", http.StatusInternalServerError)
		return
	}

	var item *data.Item

	if exists {
		item = matchingItems[0]
	} else {
		item = new(data.Item)
	}

	item.Author = user.Username

	item.Type = "streaming-video-v0"
	item.Live = true
	item.HasGeo = true
	item.HasHeading = true

	item.Lat, err = strconv.ParseFloat(r.FormValue("lat"), 64)
	if err != nil {
		item.HasGeo = false
	}

	item.Lng, err = strconv.ParseFloat(r.FormValue("lng"), 64)
	if err != nil {
		item.HasGeo = false
	}

	item.Heading, err = strconv.ParseFloat(r.FormValue("heading"), 64)
	if err != nil {
		item.HasHeading = false
	}

	item.StartTime = time.Now()
	item.StopTime = item.StartTime
	path := uploadPath

	if strings.HasSuffix(header.Filename, ".png") {
		path = filepath.Join(path, fmt.Sprintf("%v/%v.png", user.Username, item.StopTime.UnixNano()))
	} else if strings.HasSuffix(header.Filename, ".jpg") || strings.HasSuffix(header.Filename, "jpeg") {
		path = filepath.Join(path, fmt.Sprintf("%v/%v.jpg", user.Username, item.StopTime.UnixNano()))
	}

	outputFile, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE, 0664)

	if err != nil {
		log.Println(err)
		http.Error(w, "Error, likely due to malformed request.", http.StatusInternalServerError)
	}
	defer outputFile.Close()

	io.Copy(outputFile, imageFile)

	path = path[len(rterDir):]

	item.ContentURI = path
	item.ThumbnailURI = path

	if exists {
		storage.Update(item)
	} else {
		storage.Insert(item)
	}

	userDirection := new(data.UserDirection)
	userDirection.Username = user.Username

	err = storage.Select(userDirection)

	if err != nil {
		log.Println(err)
		http.Error(w, "Database error, likely due to malformed request.", http.StatusInternalServerError)
		return
	}

	w.Write([]byte(strconv.FormatFloat(userDirection.Heading, 'f', 6, 64)))
}