Merge pull request #4 from lpimem/develop

bugfix

Author: lpimem

.gitignore

@@ -5,3 +5,5 @@ db/*.db
 .idea
 static/*.js
 static/*.map
+*.env
+.DS_Store

README.md

@@ -2,7 +2,6 @@
 
 HLC Server
 
-
 ## Benchmarks
 
 ### 04/20/2017
@@ -14,4 +13,19 @@ BenchmarkGetPagenote/10-8  	  100000	    198909 ns/op	   16058 B/op	     562 all
 BenchmarkGetPagenote/100-8 	   20000	    776848 ns/op	   72858 B/op	    3540 allocs/op
 BenchmarkGetPagenote/1000-8     2000	   6432966 ns/op	  690328 B/op	   33258 allocs/op
 BenchmarkGetPagenoteP-8        50000	    293017 ns/op	   73156 B/op	    3543 allocs/op
+```
+
+## Notes
+
+Set environmnet variables before deploying/testing. 
+
+- `HLC_SESSION_SECRET`
+- `HLC_SESSION_KEY_USER`
+- `HLC_SESSION_KEY_SID`
+- `GOOGLE_OAUTH2_CLIENT_ID`
+
+Generate a random string:
+
+```bash
+env LC_CTYPE=C tr -dc "a-zA-Z0-9-_\$\?" < /dev/urandom | fold -w 64 | head -n 1
 ```

auth/auth.go

@@ -16,12 +16,14 @@ import (
 const admin string = "admin"
 const adminUserID storage.UserID = 1
 
+
+
 // Authenticate implements the interceptor interface.
 // It adds a flag to the request context to indicate if the
 // request is authenticated. If authenticated, it also checks
 // if the request is trying to access an admin URI and returns
 // error if the request is not from the admin user.
-func Authenticate(req *http.Request) (*http.Request, error) {
+func Authenticate(req *http.Request, respWriter http.ResponseWriter) (*http.Request, bool, error) {
 	var (
 		uid storage.UserID
 		sid string
@@ -35,21 +37,25 @@ func Authenticate(req *http.Request) (*http.Request, error) {
 	if err != nil {
 		log.Info("cannot extract uid/sid:", sid, uid, err)
 		ctx = context.WithValue(ctx, REASON, err.Error())
-		req = req.WithContext(ctx)
-		return req, authorize(ctx, req)
-	}
-	if err = VerifySession(sid, uid, nil); err != nil {
+	} else if err = VerifySession(sid, uid, nil); err != nil {
 		log.Info("invalid session", sid, uid, err)
 		ctx = context.WithValue(ctx, REASON, err.Error())
-		req = req.WithContext(ctx)
-		return req, authorize(ctx, req)
+	} else {
+		log.Debug("User ", uid, " is authenticated")
+		ctx = context.WithValue(ctx, USER_ID, uid)
+		ctx = context.WithValue(ctx, SESSION_ID, sid)
+		ctx = context.WithValue(ctx, AUTHENTICATED, true)
 	}
-	ctx = context.WithValue(ctx, USER_ID, uid)
-	ctx = context.WithValue(ctx, SESSION_ID, sid)
-	ctx = context.WithValue(ctx, AUTHENTICATED, true)
 	req = req.WithContext(ctx)
-	log.Info("request from", uid, "is authorized.")
-	return req, authorize(ctx, req)
+	err = authorize(ctx, req)
+	if err != nil {
+		log.Warn("User ", uid, " is not authorized to access ", req.URL.Path)
+		ctx = context.WithValue(ctx, REASON, err.Error())
+		req = req.WithContext(ctx)
+		conf.RedirectToLogin(conf.EncodePath(req.URL), respWriter, req)
+	}
+	handledIfError := true
+	return req, handledIfError, err
 }
 
 // IsSessionTimeout returns if duration since lastAccess exceeds the max session lifetime

auth/auth_test.go

@@ -56,6 +56,8 @@ func TestAuthenticate(t *testing.T) {
 		&authCase{"sid missing", "", uint32(10), false},
 	}
 
+	var w *httptest.ResponseRecorder
+
 	for _, byCookie := range []bool{true, false} {
 		for _, tc := range testCases {
 			var tcname string
@@ -73,14 +75,16 @@ func TestAuthenticate(t *testing.T) {
 				if byCookie {
 					req, err = setByCookie(req, tc.UID, tc.Sid)
 					if err != nil {
+						t.Error(conf.SessionKeySID())
 						t.Error(err)
 						t.Fail()
 						return
 					}
 				} else {
 					req, err = setByHeader(req, tc.UID, tc.Sid)
 				}
-				req, err = Authenticate(req)
+				w = httptest.NewRecorder() 
+				req, _, err = Authenticate(req, w)
 				if IsAuthenticated(req) != tc.Suc {
 					log.Debug(req.Context().Value(AUTHENTICATED))
 					log.Debug(req.Context().Value(USER_ID))
@@ -134,7 +138,9 @@ func TestAuthorizeAdmin(t *testing.T) {
 				t.Fail()
 				return
 			}
-			req, err = Authenticate(req)
+			
+			w := httptest.NewRecorder() 
+			req, _, err = Authenticate(req, w)
 			pass := IsAuthenticated(req) && err == nil
 			if pass != tc.Suc {
 				if err != nil {

build-macos.sh

@@ -0,0 +1,20 @@
+DIR=$(dirname `realpath -P $0`)
+cd $DIR
+CGO_ENABLED=1 go build --ldflags -s "$@" -v -o build/hlcsrv
+ret=$!
+if [[ ${ret} -ne 0 ]]; then
+    echo "If go-sqlite3 is complaining, try the following commands. 
+    brew install FiloSottile/musl-cross/musl-cross  
+    brew install mingw-w64
+If you are cross compiling from macos to linux, try this:
+    GOOS=linux GOARCH=amd64 CC=x86_64-linux-musl-gcc ./build-macos.sh
+Reference:
+* https://github.com/mattn/go-sqlite3/issues/372#issuecomment-396863368
+* https://github.com/mattn/go-sqlite3/issues/372#issuecomment-398001083"
+    exit ${ret}
+fi
+rsync -a db/*.sql build/db/
+rsync -a view build/
+rsync -a static build/
+rsync -a scripts/*.sh build/
+exit $ret

build.sh

@@ -1,3 +1,10 @@
-cp db/*.sql build/db/
+DIR=$(dirname `readlink -f $0`)
+cd $DIR
+
 go build --ldflags -s -o build/hlcsrv
-rsync -a --progress view build/
+ret=$!
+rsync -a db/*.sql build/db/
+rsync -a view build/
+rsync -a static build/
+rsync -a scripts/*.sh build/
+exit $ret

clean.sh

@@ -0,0 +1,5 @@
+DIR=$(dirname `readlink -f "$0"`)
+
+if [[ -d $DIR/build/ ]] ; then
+  rm -rf $DIR/build/*
+fi

conf/config.go

@@ -1,11 +1,21 @@
 package conf
 
 import "os"
+import "net/http"
+import "net/url"
+import "github.com/go-playground/log"
 
 var debugFlag = false
 
+const (
+	_HLC_NEXT = "hlc.next"
+)
+
 // IsDebug returns true should the app run in debugging mode.
 func IsDebug() bool {
+	if os.Getenv("HLC_DEBUG") == "1"{
+		return true
+	}
 	return debugFlag
 }
 
@@ -22,7 +32,7 @@ func SetDebug(option bool) {
  *   ```
  */
 func SessionSecret() string {
-	return "8M3W5A0CGYFx_bzjMzAFqLZ8esI3F0_CveBbgDZLd0hc2ManB3il2Cw9IPcY7Fr1"
+	return os.Getenv("HLC_SESSION_SECRET")
 }
 
 // Page should be a request parameter, not a cookie
@@ -36,13 +46,13 @@ func SessionSecret() string {
 /*SessionKeyUser is the random seed for key name for User Id.
  */
 func SessionKeyUser() string {
-	return "FXtlPiHcOtUHJ5Z7u_sw5CvdO23LAbvHhNeUmzqC59N5gmffoHki4-mIdbUb89Qw"
+	return os.Getenv("HLC_SESSION_KEY_USER")
 }
 
 /*SessionKeySID is the key for session id
  */
 func SessionKeySID() string {
-	return "ogIbzGvEnFY2XfuQsLXv6a38dF49tvMuum4R27abuY5xAv0xF2Hc3SXkGoIcbWqd"
+	return os.Getenv("HLC_SESSION_KEY_SID");
 }
 
 /*SessionValidHours defines how long a session could be idle for.
@@ -59,7 +69,7 @@ func GoogleSignInAppID() string {
 }
 
 /*GoogleOAuthRedirectURL returns the OAuth2.0 redirect URL for 3-legged authentication.
-(Currently this is feature is not supported)
+(Currently this is feature is not implemented)
 */
 func GoogleOAuthRedirectURL() string {
 	return "http://127.0.0.1:5556/auth/google/callback"
@@ -68,3 +78,39 @@ func GoogleOAuthRedirectURL() string {
 func LoginURL() string {
 	return "/static/login.html"
 }
+
+func RedirectToLogin(next string, w http.ResponseWriter, r *http.Request) {
+	RedirectTo(LoginURL(), next, w, r)
+}
+
+func RedirectTo(redirectUrl string, next_url string,  w http.ResponseWriter, r *http.Request) {
+	log.Debug("Redirecting to ", redirectUrl, " -> ", next_url)
+	http.SetCookie(w, &http.Cookie{ Name: _HLC_NEXT, Value: next_url, Path: "/" })
+	http.Redirect(w, r, redirectUrl, http.StatusSeeOther)
+}
+
+func SetNext(w http.ResponseWriter, u *url.URL) {
+	encodedPath := EncodePath(u)
+	http.SetCookie(w, &http.Cookie{ Name: _HLC_NEXT, Value: encodedPath,  Path: "/" })
+}
+
+func GetNext(r *http.Request) (string, error) {
+	var (
+		err error
+		c *http.Cookie
+	)
+	if c, err = r.Cookie(_HLC_NEXT) ; err == nil {
+		return c.Value, err
+	}
+	return "", err
+}
+
+func EncodePath(u *url.URL) string {
+	log.Debug("Encoding:", u)
+	path := u.Path
+	if u.RawQuery != "" {
+		path += "%3F"
+		path += u.RawQuery
+	}
+	return path
+}

controller/app.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/go-playground/log"
 	"github.com/lpimem/hlcsrv/auth"
+	"github.com/lpimem/hlcsrv/security"
 	"github.com/lpimem/hlcsrv/conf"
 	"github.com/lpimem/hlcsrv/hlccookie"
 	"github.com/lpimem/hlcsrv/storage"
@@ -73,6 +74,7 @@ func Logout(w http.ResponseWriter, req *http.Request) {
 	if err != nil {
 		log.Error(err)
 	}
+	conf.RedirectTo("/", "", w, req)
 }
 
 // GetPagenote handles get request to fetch notes for a user and a url
@@ -94,8 +96,12 @@ func Logout(w http.ResponseWriter, req *http.Request) {
 //   1. hlc_resp.proto https://github.com/lpimem/hlcproto/blob/e7787d65aea33d1eb97b3f1f208394ee6a59f187/hlc_resp.proto
 func GetPagenote(w http.ResponseWriter, req *http.Request) {
 	defer  log.WithTrace().Info("GetPagenote...")
+	security.EnableCORS(w)
+	if (isHTTPOption(req)) {
+		return
+	}
 	if !requireAuth(w, req) {
-		log.Warn("Not authorized...")
+		log.Warn("GetPagenote: not authorized...")
 		return
 	}
 	pn, err := parseGetNotesRequest(req)
@@ -120,10 +126,16 @@ func GetPagenote(w http.ResponseWriter, req *http.Request) {
 //   Serialized @hlcmsg.HlcResp message encoded in base64.
 func SavePagenote(w http.ResponseWriter, req *http.Request) {
 	defer  log.WithTrace().Info("SavePagenote...")
+	security.EnableCORS(w)
+	if (isHTTPOption(req)) {
+		return
+	}
 	if !requirePost(w, req) {
+		log.Warn("SavePagenote: invalid http method...")
 		return
 	}
 	if !requireAuth(w, req) {
+		log.Warn("SavePagenote: not authorized...")
 		return
 	}
 	pn, err := parseNewNotesRequest(req)
@@ -148,10 +160,16 @@ func SavePagenote(w http.ResponseWriter, req *http.Request) {
 // DeletePagenote handles the post request to delete an array of notes.
 func DeletePagenote(w http.ResponseWriter, req *http.Request) {
 	defer  log.WithTrace().Info("DeletePagenote...")
+	security.EnableCORS(w)
+	if (isHTTPOption(req)) {
+		return
+	}
 	if !requirePost(w, req) {
+		log.Warn("DeletePagenote: invalid http method...")
 		return
 	}
 	if !requireAuth(w, req) {
+		log.Warn("SavePagenote: not authorized...")
 		return
 	}
 	idList := parseRemoveNotesRequest(req)

controller/app_test.go

@@ -275,8 +275,9 @@ func TestLogout(t *testing.T) {
 	}
 	resp := httptest.NewRecorder()
 	Logout(resp, r)
-	if resp.Code != http.StatusOK {
-		t.Errorf("response code is not OK: %d", resp.Code)
+	expected := http.StatusSeeOther
+	if resp.Code != expected {
+		t.Errorf("response code is not %d: %d", expected, resp.Code)
 		t.Fail()
 	}
 
@@ -289,7 +290,8 @@ func TestLogout(t *testing.T) {
 		t.Error("session still exists after logout: ", lastAccess)
 		t.Fail()
 	}
-	if r, err = auth.Authenticate(r); err != nil {
+	w := httptest.NewRecorder()
+	if r, _, err = auth.Authenticate(r, w); err != nil {
 		t.Error("Authenticate error", err)
 		t.Fail()
 	}

controller/hlcimpl.go

@@ -4,7 +4,6 @@ import (
 	"encoding/base64"
 	"io/ioutil"
 	"net/http"
-	"net/url"
 	"strconv"
 
 	"github.com/go-playground/log"
@@ -33,9 +32,8 @@ func parseGetNotesRequest(r *http.Request) (*hlcmsg.Pagenote, error) {
 		err      error
 	)
 	params := r.URL.Query()
-	if uid, err = strconv.ParseUint(
-		params.Get("uid"), 10, 32); err != nil {
-		log.Error("cannot extract uid from request ", err)
+	if uid, err = strconv.ParseUint(params.Get("uid"), 10, 32); err != nil {
+		defer  log.WithTrace().Error("cannot extract uid from request ", err)
 		return nil, err
 	}
 	if pid, err = strconv.ParseUint(
@@ -102,13 +100,8 @@ func requirePost(w http.ResponseWriter, r *http.Request) bool {
 	return false
 }
 
-func encodePath(u *url.URL) string {
-	path := u.Path
-	if u.RawQuery != "" {
-		path += "%3F"
-		path += u.RawQuery
-	}
-	return path
+func isHTTPOption(r *http.Request) bool {
+	return r.Method == http.MethodOptions
 }
 
 func requireAuth(w http.ResponseWriter, r *http.Request) bool {
@@ -121,9 +114,6 @@ func requireAuth(w http.ResponseWriter, r *http.Request) bool {
 			errMsg = errMsg + ": " + reason.(string)
 		}
 		log.Warn(errMsg)
-		nextPage := encodePath(r.URL)
-		loginUrl := conf.LoginURL() + "?" + nextPage
-		http.Redirect(w, r, loginUrl, http.StatusSeeOther)
 		authorized = false
 	}
 	return authorized