owl-blogs/cmd/owl/web/editor_handler.go

242 lines
6.0 KiB
Go

package web
import (
"h4kor/owl-blogs"
"net/http"
"time"
"github.com/julienschmidt/httprouter"
)
func isUserLoggedIn(user *owl.User, r *http.Request) bool {
sessionCookie, err := r.Cookie("session")
if err != nil {
return false
}
return user.ValidateSession(sessionCookie.Value)
}
func setCSRFCookie(w http.ResponseWriter) string {
csrfToken := owl.GenerateRandomString(32)
cookie := http.Cookie{
Name: "csrf_token",
Value: csrfToken,
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
}
http.SetCookie(w, &cookie)
return csrfToken
}
func checkCSRF(r *http.Request) bool {
// CSRF check
formCsrfToken := r.FormValue("csrf_token")
cookieCsrfToken, err := r.Cookie("csrf_token")
if err != nil {
println("Error getting csrf token from cookie: ", err.Error())
return false
}
if formCsrfToken != cookieCsrfToken.Value {
println("Invalid csrf token")
return false
}
return true
}
func userLoginGetHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Request, httprouter.Params) {
return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
user, err := getUserFromRepo(repo, ps)
if err != nil {
println("Error getting user: ", err.Error())
notFoundHandler(repo)(w, r)
return
}
if isUserLoggedIn(&user, r) {
http.Redirect(w, r, user.EditorUrl(), http.StatusFound)
return
}
csrfToken := setCSRFCookie(w)
html, err := owl.RenderLoginPage(user, csrfToken)
if err != nil {
println("Error rendering login page: ", err.Error())
w.WriteHeader(http.StatusInternalServerError)
html, _ := owl.RenderUserError(user, owl.ErrorMessage{
Error: "Internal server error",
Message: "Internal server error",
})
w.Write([]byte(html))
return
}
w.Write([]byte(html))
}
}
func userLoginPostHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Request, httprouter.Params) {
return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
user, err := getUserFromRepo(repo, ps)
if err != nil {
println("Error getting user: ", err.Error())
notFoundHandler(repo)(w, r)
return
}
err = r.ParseForm()
if err != nil {
println("Error parsing form: ", err.Error())
w.WriteHeader(http.StatusInternalServerError)
html, _ := owl.RenderUserError(user, owl.ErrorMessage{
Error: "Internal server error",
Message: "Internal server error",
})
w.Write([]byte(html))
return
}
// CSRF check
if !checkCSRF(r) {
w.WriteHeader(http.StatusBadRequest)
html, _ := owl.RenderUserError(user, owl.ErrorMessage{
Error: "CSRF Error",
Message: "Invalid csrf token",
})
w.Write([]byte(html))
return
}
password := r.Form.Get("password")
if password == "" {
userLoginGetHandler(repo)(w, r, ps)
return
}
if !user.VerifyPassword(password) {
userLoginGetHandler(repo)(w, r, ps)
return
}
// set session cookie
cookie := http.Cookie{
Name: "session",
Value: user.CreateNewSession(),
Path: "/",
Expires: time.Now().Add(30 * 24 * time.Hour),
HttpOnly: true,
}
http.SetCookie(w, &cookie)
http.Redirect(w, r, user.EditorUrl(), http.StatusFound)
}
}
func userEditorGetHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Request, httprouter.Params) {
return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
user, err := getUserFromRepo(repo, ps)
if err != nil {
println("Error getting user: ", err.Error())
notFoundHandler(repo)(w, r)
return
}
if !isUserLoggedIn(&user, r) {
http.Redirect(w, r, user.EditorLoginUrl(), http.StatusFound)
return
}
csrfToken := setCSRFCookie(w)
html, err := owl.RenderEditorPage(user, csrfToken)
if err != nil {
println("Error rendering editor page: ", err.Error())
w.WriteHeader(http.StatusInternalServerError)
html, _ := owl.RenderUserError(user, owl.ErrorMessage{
Error: "Internal server error",
Message: "Internal server error",
})
w.Write([]byte(html))
return
}
w.Write([]byte(html))
}
}
func userEditorPostHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Request, httprouter.Params) {
return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
user, err := getUserFromRepo(repo, ps)
if err != nil {
println("Error getting user: ", err.Error())
notFoundHandler(repo)(w, r)
return
}
if !isUserLoggedIn(&user, r) {
http.Redirect(w, r, user.EditorLoginUrl(), http.StatusFound)
return
}
err = r.ParseForm()
if err != nil {
println("Error parsing form: ", err.Error())
w.WriteHeader(http.StatusInternalServerError)
html, _ := owl.RenderUserError(user, owl.ErrorMessage{
Error: "Internal server error",
Message: "Internal server error",
})
w.Write([]byte(html))
return
}
// CSRF check
if !checkCSRF(r) {
w.WriteHeader(http.StatusBadRequest)
html, _ := owl.RenderUserError(user, owl.ErrorMessage{
Error: "CSRF Error",
Message: "Invalid csrf token",
})
w.Write([]byte(html))
return
}
// get form values
post_type := r.Form.Get("type")
title := r.Form.Get("title")
description := r.Form.Get("description")
content := r.Form.Get("content")
draft := r.Form.Get("draft")
// validate form values
if post_type == "article" && title == "" {
userEditorGetHandler(repo)(w, r, ps)
return
}
if post_type == "" {
userEditorGetHandler(repo)(w, r, ps)
return
}
// create post
post, err := user.CreateNewPostFull(owl.PostMeta{
Type: post_type,
Title: title,
Description: description,
Draft: draft == "on",
Date: time.Now(),
}, content)
if err != nil {
println("Error creating post: ", err.Error())
w.WriteHeader(http.StatusInternalServerError)
html, _ := owl.RenderUserError(user, owl.ErrorMessage{
Error: "Internal server error",
Message: "Internal server error",
})
w.Write([]byte(html))
return
}
// redirect to post
if !post.Meta().Draft {
http.Redirect(w, r, post.FullUrl(), http.StatusFound)
} else {
http.Redirect(w, r, user.EditorUrl(), http.StatusFound)
}
}
}