package api
import (
"encoding/json"
"net/http"
"reflect"
"strconv"
"strings"
"github.com/lbryio/lbry.go/errors"
"github.com/lbryio/lbry.go/util"
"github.com/lbryio/lbry.go/validator"
v "github.com/lbryio/ozzo-validation"
"github.com/spf13/cast"
)
const authTokenParam = "auth_token"
// Server HTTP Header Settings. Set on header if exists
// ie. "Content-Type" - "application/json; charset=utf-8"
// ie. "X-Content-Type-Options" - "nosniff"
// ie. "X-Frame-Options" - "deny"
// ie."Content-Security-Policy" - "default-src 'none'"
// ie. "X-XSS-Protection" - "1; mode=block"
// ie. "Server" - "lbry.io"
// ie. "Referrer-Policy" - "same-origin"
// ie. "Strict-Transport-Security" - "max-age=31536000; preload"
// ie. "Access-Control-Allow-Origin" -"<header.Origin>"
// ie. "Access-Control-Allow-Methods" - "GET, POST, OPTIONS"
var HeaderSettings map[string]string
// LogError Allows specific error logging for the server at specific points.
var LogError = func(*http.Request, *Response, error) {}
// LogInfo Allows for specific logging information.
var LogInfo = func(*http.Request, *Response) {}
// TraceEnabled Attaches a trace field to the JSON response when enabled.
var TraceEnabled = false
var errAuthenticationRequired = errors.Base("authentication required")
var errNotAuthenticated = errors.Base("could not authenticate user")
var errForbidden = errors.Base("you are not authorized to perform this action")
// StatusError represents an error with an associated HTTP status code.
type StatusError struct {
Status int
Err error
}
// Allows StatusError to satisfy the error interface.
func (se StatusError) Error() string {
return se.Err.Error()
}
// Response is returned by API handlers
type Response struct {
Status int
Data interface{}
RedirectURL string
Error error
}
// Handler handles API requests
type Handler func(r *http.Request) Response
func (h Handler) callHandlerSafely(r *http.Request) (rsp Response) {
defer func() {
if r := recover(); r != nil {
err, ok := r.(error)
if !ok {
err = errors.Err("%v", r)
}
rsp = Response{Error: errors.Wrap(err, 2)}
}
}()
return h(r)
}
func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Set header settings
if HeaderSettings != nil {
//Multiple readers, no writers is okay
for key, value := range HeaderSettings {
w.Header().Set(key, value)
}
}
// Stop here if its a preflighted OPTIONS request
if r.Method == "OPTIONS" {
return
}
rsp := h.callHandlerSafely(r)
if rsp.Status == 0 {
if rsp.Error != nil {
if statusError, ok := rsp.Error.(StatusError); ok {
rsp.Status = statusError.Status
} else if errors.Is(rsp.Error, errAuthenticationRequired) {
rsp.Status = http.StatusUnauthorized
} else if errors.Is(rsp.Error, errNotAuthenticated) || errors.Is(rsp.Error, errForbidden) {
rsp.Status = http.StatusForbidden
} else {
rsp.Status = http.StatusInternalServerError
}
} else if rsp.RedirectURL != "" {
rsp.Status = http.StatusFound
} else {
rsp.Status = http.StatusOK
}
}
success := rsp.Status < http.StatusBadRequest
consoleText := r.RemoteAddr + " [" + strconv.Itoa(rsp.Status) + "]: " + r.Method + " " + r.URL.Path
if success {
LogInfo(r, &rsp)
} else {
LogError(r, &rsp, errors.Base(consoleText))
}
// redirect
if rsp.Status >= http.StatusMultipleChoices && rsp.Status < http.StatusBadRequest {
http.Redirect(w, r, rsp.RedirectURL, rsp.Status)
return
} else if rsp.RedirectURL != "" {
LogError(r, &rsp, errors.Base("status code "+strconv.Itoa(rsp.Status)+
" does not indicate a redirect, but RedirectURL is non-empty '"+
rsp.RedirectURL+"'"))
}
var errorString *string
if rsp.Error != nil {
errorStringRaw := rsp.Error.Error()
errorString = &errorStringRaw
}
var trace []string
if TraceEnabled && errors.HasTrace(rsp.Error) {
trace = strings.Split(errors.Trace(rsp.Error), "\n")
for index, element := range trace {
if strings.HasPrefix(element, "\t") {
trace[index] = strings.Replace(element, "\t", " ", 1)
}
}
}
// http://choly.ca/post/go-json-marshalling/
jsonResponse, err := json.MarshalIndent(&struct {
Success bool `json:"success"`
Error *string `json:"error"`
Data interface{} `json:"data"`
Trace []string `json:"_trace,omitempty"`
}{
Success: success,
Error: errorString,
Data: rsp.Data,
Trace: trace,
}, "", " ")
if err != nil {
LogError(r, &rsp, errors.Prefix("Error encoding JSON response: ", err))
}
if rsp.Status >= http.StatusInternalServerError {
LogError(r, &rsp, errors.Prefix(r.Method+" "+r.URL.Path+"\n", rsp.Error))
}
w.WriteHeader(rsp.Status)
w.Write(jsonResponse)
}
func FormValues(r *http.Request, params interface{}, validationRules []*v.FieldRules) error {
ref := reflect.ValueOf(params)
if !ref.IsValid() || ref.Kind() != reflect.Ptr || ref.Elem().Kind() != reflect.Struct {
return errors.Err("'params' must be a pointer to a struct")
}
structType := ref.Elem().Type()
structValue := ref.Elem()
fields := map[string]bool{}
for i := 0; i < structType.NumField(); i++ {
name := structType.Field(i).Name
underscoredName := util.Underscore(name)
value := strings.TrimSpace(r.FormValue(underscoredName))
// if param is not set at all, continue
// comes after call to r.FormValue so form values get parsed internally (if they arent already)
if len(r.Form[underscoredName]) == 0 {
continue
}
fields[underscoredName] = true
isPtr := false
var finalValue reflect.Value
structField := structValue.FieldByName(name)
structFieldKind := structField.Kind()
if structFieldKind == reflect.Ptr {
isPtr = true
structFieldKind = structField.Type().Elem().Kind()
}
switch structFieldKind {
case reflect.String:
finalValue = reflect.ValueOf(value)
case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
if value == "" {
continue
}
castVal, err := cast.ToInt64E(value)
if err != nil {
return errors.Err("%s: must be an integer", underscoredName)
}
switch structFieldKind {
case reflect.Int:
finalValue = reflect.ValueOf(int(castVal))
case reflect.Int8:
finalValue = reflect.ValueOf(int8(castVal))
case reflect.Int16:
finalValue = reflect.ValueOf(int16(castVal))
case reflect.Int32:
finalValue = reflect.ValueOf(int32(castVal))
case reflect.Int64:
finalValue = reflect.ValueOf(castVal)
}
case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
if value == "" {
continue
}
castVal, err := cast.ToUint64E(value)
if err != nil {
return errors.Err("%s: must be an unsigned integer", underscoredName)
}
switch structFieldKind {
case reflect.Uint:
finalValue = reflect.ValueOf(uint(castVal))
case reflect.Uint8:
finalValue = reflect.ValueOf(uint8(castVal))
case reflect.Uint16:
finalValue = reflect.ValueOf(uint16(castVal))
case reflect.Uint32:
finalValue = reflect.ValueOf(uint32(castVal))
case reflect.Uint64:
finalValue = reflect.ValueOf(castVal)
}
case reflect.Bool:
if value == "" {
continue
}
if !validator.IsBoolString(value) {
return errors.Err("%s: must be one of the following values: %s",
underscoredName, strings.Join(validator.GetBoolStringValues(), ", "))
}
finalValue = reflect.ValueOf(validator.IsTruthy(value))
default:
return errors.Err("field %s is an unsupported type", name)
}
if isPtr {
if structField.IsNil() {
structField.Set(reflect.New(structField.Type().Elem()))
}
structField.Elem().Set(finalValue)
} else {
structField.Set(finalValue)
}
}
var extraParams []string
for k := range r.Form {
if _, ok := fields[k]; !ok && k != authTokenParam { //TODO: fix this AUTH_PARAM hack
extraParams = append(extraParams, k)
}
}
if len(extraParams) > 0 {
return errors.Err("Extraneous params: " + strings.Join(extraParams, ", "))
}
if len(validationRules) > 0 {
validationErr := v.ValidateStruct(params, validationRules...)
if validationErr != nil {
return errors.Err(validationErr)
}
}
return nil
}