added key auth support for rw operations (upload, non-expiring download)

2025-12-17 04:30:57 +01:00 · 2023-03-06 19:46:06 +01:00
parent 2a2e41126d
commit cd0939cbc8
13 changed files with 124 additions and 20 deletions
--- a/upd/api/auth.go
+++ b/upd/api/auth.go
@@ -0,0 +1,64 @@
+/*
+Copyright © 2023 Thomas von Dein
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package api
+
+import (
+	"crypto/sha256"
+	"crypto/subtle"
+	"github.com/gofiber/fiber/v2"
+	//"github.com/gofiber/keyauth/v2"
+	"regexp"
+	"strings"
+)
+
+var Authurls []*regexp.Regexp
+var Apikeys []string
+
+func AuthSetApikeys(keys []string) {
+	Apikeys = keys
+}
+
+func AuthSetEndpoints(prefix string, version string, endpoints []string) {
+	for _, endpoint := range endpoints {
+		Authurls = append(Authurls, regexp.MustCompile("^"+prefix+version+endpoint))
+	}
+}
+
+func validateAPIKey(c *fiber.Ctx, key string) (bool, error) {
+	for _, apiKey := range Apikeys {
+		hashedAPIKey := sha256.Sum256([]byte(apiKey))
+		hashedKey := sha256.Sum256([]byte(key))
+
+		if subtle.ConstantTimeCompare(hashedAPIKey[:], hashedKey[:]) == 1 {
+			return true, nil
+		}
+	}
+	return true, nil
+	//return false, keyauth.ErrMissingOrMalformedAPIKey
+}
+
+func authFilter(c *fiber.Ctx) bool {
+	originalURL := strings.ToLower(c.OriginalURL())
+
+	for _, pattern := range Authurls {
+		if pattern.MatchString(originalURL) {
+			return false
+		}
+	}
+	return true
+}
--- a/upd/api/fileio.go
+++ b/upd/api/fileio.go
@@ -63,7 +63,7 @@ func ProcessFormFiles(cfg *cfg.Config, members []string, id string) (string, str
 	Filename := ""

 	if len(members) == 1 {
-		returnUrl = strings.Join([]string{cfg.Url + cfg.ApiPrefix + ApiVersion, "file", id, members[0]}, "/")
+		returnUrl = strings.Join([]string{cfg.Url, "download", id, members[0]}, "/")
 		Filename = members[0]
 	} else {
 		zipfile := Ts() + "data.zip"
--- a/upd/api/handlers.go
+++ b/upd/api/handlers.go
@@ -39,8 +39,7 @@ func FilePut(c *fiber.Ctx, cfg *cfg.Config, db *Db) (string, error) {
 	// the  file is being stored  as is.
 	//
 	// Returns the  name of the uploaded file.
-	//
-	// FIXME: normalize or rename filename of single file to avoid dumb file names
+
 	id := uuid.NewString()

 	var returnUrl string
@@ -99,7 +98,7 @@ func FilePut(c *fiber.Ctx, cfg *cfg.Config, db *Db) (string, error) {
 	return returnUrl, nil
 }

-func FileGet(c *fiber.Ctx, cfg *cfg.Config, db *Db) error {
+func FileGet(c *fiber.Ctx, cfg *cfg.Config, db *Db, shallExpire ...bool) error {
 	// deliver  a file and delete  it if expire is set to asap

 	// we ignore c.Params("file"), cause  it may be malign. Also we've
@@ -127,13 +126,17 @@ func FileGet(c *fiber.Ctx, cfg *cfg.Config, db *Db) error {
 	// finally put the file to the client
 	err = c.Download(filename, file)

-	go func() {
-		// check if we need to delete the file now and do it in the background
-		if upload.Expire == "asap" {
-			cleanup(filepath.Join(cfg.StorageDir, id))
-			db.Delete(id)
+	if len(shallExpire) > 0 {
+		if shallExpire[0] == true {
+			go func() {
+				// check if we need to delete the file now and do it in the background
+				if upload.Expire == "asap" {
+					cleanup(filepath.Join(cfg.StorageDir, id))
+					db.Delete(id)
+				}
+			}()
 		}
-	}()
+	}

 	return err
 }
--- a/upd/api/server.go
+++ b/upd/api/server.go
@@ -21,6 +21,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 	"github.com/gofiber/fiber/v2/middleware/logger"
 	"github.com/gofiber/fiber/v2/middleware/requestid"
+	"github.com/gofiber/keyauth/v2"
 	"github.com/tlinden/up/upd/cfg"
 )

@@ -47,30 +48,49 @@ func Runserver(cfg *cfg.Config, args []string) error {
 	}
 	defer db.Close()

+	AuthSetEndpoints(cfg.ApiPrefix, ApiVersion, []string{"/file"})
+	AuthSetApikeys(cfg.Apikeys)
+
+	auth := keyauth.New(keyauth.Config{
+		Validator: validateAPIKey,
+	})
+
+	shallExpire := true
+
 	api := router.Group(cfg.ApiPrefix + ApiVersion)
 	{
-		api.Post("/file/", func(c *fiber.Ctx) error {
+		// authenticated routes
+		api.Post("/file/", auth, func(c *fiber.Ctx) error {
 			msg, err := FilePut(c, cfg, db)
 			return SendResponse(c, msg, err)
 		})

-		api.Get("/file/:id/:file", func(c *fiber.Ctx) error {
+		api.Get("/file/:id/:file", auth, func(c *fiber.Ctx) error {
 			return FileGet(c, cfg, db)
 		})

-		api.Get("/file/:id/", func(c *fiber.Ctx) error {
+		api.Get("/file/:id/", auth, func(c *fiber.Ctx) error {
 			return FileGet(c, cfg, db)
 		})

-		api.Delete("/file/:id/", func(c *fiber.Ctx) error {
+		api.Delete("/file/:id/", auth, func(c *fiber.Ctx) error {
 			return FileDelete(c, cfg, db)
 		})
 	}

+	// public routes
 	router.Get("/", func(c *fiber.Ctx) error {
 		return c.Send([]byte("welcome to upload api, use /api enpoint!"))
 	})

+	router.Get("/download/:id/:file", func(c *fiber.Ctx) error {
+		return FileGet(c, cfg, db, shallExpire)
+	})
+
+	router.Get("/download/:id/", func(c *fiber.Ctx) error {
+		return FileGet(c, cfg, db, shallExpire)
+	})
+
 	return router.Listen(cfg.Listen)

 }