fixed viewing invisible releases with admin session

+46 -36
+3 -20
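--- a/admin/http.go
+++ b/admin/http.go
@@ -477,28 +477,11 @@
 
 func enforceSession(app *model.AppState, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		sessionCookie, err := r.Cookie(model.COOKIE_TOKEN)
-		if err != nil && err != http.ErrNoCookie {
-			fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session cookie: %v\n", err)
+		session, err := controller.GetSessionFromRequest(app.DB, r)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session: %v\n", err)
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 			return
-		}
-
-		var session *model.Session
-
-		if sessionCookie != nil {
-			// fetch existing session
-			session, err = controller.GetSession(app.DB, sessionCookie.Value)
-
-			if err != nil && !strings.Contains(err.Error(), "no rows") {
-				fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session: %v\n", err)
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-				return
-			}
-
-			if session != nil {
-				// TODO: consider running security checks here (i.e. user agent mismatches)
-			}
 		}
 
 		if session == nil {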
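Review bot: The removed lines held what looks like this file's only use of `strings` (`strings.Contains(err.Error(), "no rows")` at old line 493), yet the section's +3/−20 count shows no matching change to the import block; if no other reference to `strings` remains in admin/http.go the package no longer compiles, so please confirm `goimports`/`go build` was run (the rendered section may simply be hiding the import hunk). Apart from that the replacement is a faithful extraction of the old cookie-then-lookup logic into `controller.GetSessionFromRequest`, with the same 500 on lookup failure. `enforceSession`'s handler closure continues past the hunk (`if session == nil {` is its next line).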
+7 -1
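--- a/api/release.go
+++ b/api/release.go
@@ -19,7 +19,13 @@
 	// only allow authorised users to view hidden releases
 	privileged := false
 	if !release.Visible {
-		session := r.Context().Value("session").(*model.Session)
+		session, err := controller.GetSessionFromRequest(app.DB, r)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session: %v\n", err)
+			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+			return
+		}
+
 		if session != nil && session.Account != nil {
 			// TODO: check privilege on release
 			privileged = true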
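Review bot: The access decision on the unchanged line `if session != nil && session.Account != nil {` still sets `privileged = true` for any authenticated account, so the new lookup removes the failing type assertion but does not restrict hidden releases to the admin session the commit title describes; the existing TODO on the next line already names the missing per-release privilege check, and this hunk is the natural place to gate on whatever admin/owner flag `model.Account` carries (its fields are not visible here). The same lookup-and-500 block now appears byte-identical here, in admin/http.go and in view/music.go; it is worth noting that three copies will drift unless one of them is made the shared path. This section shows no import change while view/music.go had to add `"os"`, so presumably api/release.go already imports `fmt` and `os` — worth verifying. The enclosing handler starts and ends outside the hunk.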
-14
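--- a/controller/account.go
+++ b/controller/account.go
@@ -2,7 +2,6 @@
 
 import (
 	"arimelody-web/model"
-	"net/http"
 	"strings"
 
 	"github.com/jmoiron/sqlx"
@@ -75,19 +74,6 @@
 	}
 
 	return &account, nil
-}
-
-func GetSessionFromRequest(db *sqlx.DB, r *http.Request) string {
-	tokenStr := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
-	if len(tokenStr) > 0 {
-		return tokenStr
-	}
-
-	cookie, err := r.Cookie(model.COOKIE_TOKEN)
-	if err != nil {
-		return ""
-	}
-	return cookie.Value
 }
 
 func CreateAccount(db *sqlx.DB, account *model.Account) error {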
+28
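--- a/controller/session.go
+++ b/controller/session.go
@@ -2,6 +2,10 @@
 
 import (
 	"database/sql"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
 	"time"
 
 	"arimelody-web/model"
@@ -10,6 +14,30 @@
 )
 
 const TOKEN_LEN = 64
+
+func GetSessionFromRequest(db *sqlx.DB, r *http.Request) (*model.Session, error) {
+	sessionCookie, err := r.Cookie(model.COOKIE_TOKEN)
+	if err != nil && err != http.ErrNoCookie {
+		return nil, errors.New(fmt.Sprintf("Failed to retrieve session cookie: %v", err))
+	}
+
+	var session *model.Session
+
+	if sessionCookie != nil {
+		// fetch existing session
+		session, err = GetSession(db, sessionCookie.Value)
+
+		if err != nil && !strings.Contains(err.Error(), "no rows") {
+			return nil, errors.New(fmt.Sprintf("Failed to retrieve session: %v", err))
+		}
+
+		if session != nil {
+			// TODO: consider running security checks here (i.e. user agent mismatches)
+		}
+	}
+
+	return session, nil
+}
 
 func CreateSession(db *sqlx.DB, userAgent string) (*model.Session, error) {
 	tokenString := GenerateAlnumString(TOKEN_LEN)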
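Review bot: `errors.New(fmt.Sprintf("Failed to retrieve session cookie: %v", err))` on new lines 21 and 31 flattens the cause into text and is the pattern staticcheck flags; `return nil, fmt.Errorf("retrieving session cookie: %w", err)` and `return nil, fmt.Errorf("retrieving session: %w", err)` keep the chain so callers can use `errors.Is`/`errors.As`, and drop the capitalised message. The not-found test `strings.Contains(err.Error(), "no rows")` on line 30 matches on message text; since `database/sql` is already imported in this file, `errors.Is(err, sql.ErrNoRows)` is the robust form, assuming `GetSession` returns the driver error unwrapped or wrapped with `%w` (its body is not in the hunk). When that not-found branch falls through, `session` keeps whatever `GetSession` returned beside the error; if that is ever a non-nil pointer the caller would treat it as a live session, so an explicit `session = nil` there is cheap insurance. Note that the `GetSessionFromRequest` this replaces in controller/account.go also honoured an `Authorization: Bearer` token, whereas the new function reads only the cookie, so any API client relying on the header is now anonymous — confirm that is intended and documented.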
+8 -1
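--- a/view/music.go
+++ b/view/music.go
@@ -3,6 +3,7 @@
 import (
 	"fmt"
 	"net/http"
+	"os"
 
 	"arimelody-web/controller"
 	"arimelody-web/model"
@@ -59,7 +60,13 @@
 	// only allow authorised users to view hidden releases
 	privileged := false
 	if !release.Visible {
-		session := r.Context().Value("session").(*model.Session)
+		session, err := controller.GetSessionFromRequest(app.DB, r)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session: %v\n", err)
+			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+			return
+		}
+
 		if session != nil && session.Account != nil {
 			// TODO: check privilege on release
 			privileged = true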