diff --git a/activitypub.go b/activitypub.go index 081fcea..a6ef1da 100644 --- a/activitypub.go +++ b/activitypub.go @@ -1,758 +1,753 @@ /* * Copyright © 2018-2019 A Bunch Tell LLC. * * This file is part of WriteFreely. * * WriteFreely is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License, included * in the LICENSE file in this source code package. */ package writefreely import ( "bytes" "crypto/sha256" "database/sql" "encoding/base64" "encoding/json" "fmt" "io/ioutil" "net/http" "net/http/httputil" "net/url" "strconv" "time" "github.com/gorilla/mux" "github.com/writeas/activity/streams" "github.com/writeas/httpsig" "github.com/writeas/impart" "github.com/writeas/nerds/store" "github.com/writeas/web-core/activitypub" "github.com/writeas/web-core/activitystreams" "github.com/writeas/web-core/log" ) const ( // TODO: delete. don't use this! apCustomHandleDefault = "blog" ) type RemoteUser struct { ID int64 ActorID string Inbox string SharedInbox string Handle string } func (ru *RemoteUser) AsPerson() *activitystreams.Person { return &activitystreams.Person{ BaseObject: activitystreams.BaseObject{ Type: "Person", Context: []interface{}{ activitystreams.Namespace, }, ID: ru.ActorID, }, Inbox: ru.Inbox, Endpoints: activitystreams.Endpoints{ SharedInbox: ru.SharedInbox, }, } } func handleFetchCollectionActivities(app *App, w http.ResponseWriter, r *http.Request) error { w.Header().Set("Server", serverSoftware) vars := mux.Vars(r) alias := vars["alias"] // TODO: enforce visibility // Get base Collection data var c *Collection var err error if app.cfg.App.SingleUser { c, err = app.db.GetCollectionByID(1) } else { c, err = app.db.GetCollection(alias) } if err != nil { return err } c.hostName = app.cfg.App.Host p := c.PersonObject() return impart.RenderActivityJSON(w, p, http.StatusOK) } func handleFetchCollectionOutbox(app *App, w http.ResponseWriter, r *http.Request) error { w.Header().Set("Server", serverSoftware) vars := mux.Vars(r) alias := vars["alias"] // TODO: enforce visibility // Get base Collection data var c *Collection var err error if app.cfg.App.SingleUser { c, err = app.db.GetCollectionByID(1) } else { c, err = app.db.GetCollection(alias) } if err != nil { return err } c.hostName = app.cfg.App.Host if app.cfg.App.SingleUser { if alias != c.Alias { return ErrCollectionNotFound } } res := &CollectionObj{Collection: *c} app.db.GetPostsCount(res, false) accountRoot := c.FederatedAccount() page := r.FormValue("page") p, err := strconv.Atoi(page) if err != nil || p < 1 { // Return outbox oc := activitystreams.NewOrderedCollection(accountRoot, "outbox", res.TotalPosts) return impart.RenderActivityJSON(w, oc, http.StatusOK) } // Return outbox page ocp := activitystreams.NewOrderedCollectionPage(accountRoot, "outbox", res.TotalPosts, p) ocp.OrderedItems = []interface{}{} posts, err := app.db.GetPosts(app.cfg, c, p, false, true, false) for _, pp := range *posts { pp.Collection = res o := pp.ActivityObject(app) a := activitystreams.NewCreateActivity(o) ocp.OrderedItems = append(ocp.OrderedItems, *a) } return impart.RenderActivityJSON(w, ocp, http.StatusOK) } func handleFetchCollectionFollowers(app *App, w http.ResponseWriter, r *http.Request) error { w.Header().Set("Server", serverSoftware) vars := mux.Vars(r) alias := vars["alias"] // TODO: enforce visibility // Get base Collection data var c *Collection var err error if app.cfg.App.SingleUser { c, err = app.db.GetCollectionByID(1) } else { c, err = app.db.GetCollection(alias) } if err != nil { return err } c.hostName = app.cfg.App.Host accountRoot := c.FederatedAccount() folls, err := app.db.GetAPFollowers(c) if err != nil { return err } page := r.FormValue("page") p, err := strconv.Atoi(page) if err != nil || p < 1 { // Return outbox oc := activitystreams.NewOrderedCollection(accountRoot, "followers", len(*folls)) return impart.RenderActivityJSON(w, oc, http.StatusOK) } // Return outbox page ocp := activitystreams.NewOrderedCollectionPage(accountRoot, "followers", len(*folls), p) ocp.OrderedItems = []interface{}{} /* for _, f := range *folls { ocp.OrderedItems = append(ocp.OrderedItems, f.ActorID) } */ return impart.RenderActivityJSON(w, ocp, http.StatusOK) } func handleFetchCollectionFollowing(app *App, w http.ResponseWriter, r *http.Request) error { w.Header().Set("Server", serverSoftware) vars := mux.Vars(r) alias := vars["alias"] // TODO: enforce visibility // Get base Collection data var c *Collection var err error if app.cfg.App.SingleUser { c, err = app.db.GetCollectionByID(1) } else { c, err = app.db.GetCollection(alias) } if err != nil { return err } c.hostName = app.cfg.App.Host accountRoot := c.FederatedAccount() page := r.FormValue("page") p, err := strconv.Atoi(page) if err != nil || p < 1 { // Return outbox oc := activitystreams.NewOrderedCollection(accountRoot, "following", 0) return impart.RenderActivityJSON(w, oc, http.StatusOK) } // Return outbox page ocp := activitystreams.NewOrderedCollectionPage(accountRoot, "following", 0, p) ocp.OrderedItems = []interface{}{} return impart.RenderActivityJSON(w, ocp, http.StatusOK) } func handleFetchCollectionInbox(app *App, w http.ResponseWriter, r *http.Request) error { w.Header().Set("Server", serverSoftware) vars := mux.Vars(r) alias := vars["alias"] var c *Collection var err error if app.cfg.App.SingleUser { c, err = app.db.GetCollectionByID(1) } else { c, err = app.db.GetCollection(alias) } if err != nil { // TODO: return Reject? return err } c.hostName = app.cfg.App.Host if debugging { dump, err := httputil.DumpRequest(r, true) if err != nil { log.Error("Can't dump: %v", err) } else { log.Info("Rec'd! %q", dump) } } var m map[string]interface{} if err := json.NewDecoder(r.Body).Decode(&m); err != nil { return err } a := streams.NewAccept() p := c.PersonObject() var to *url.URL var isFollow, isUnfollow bool fullActor := &activitystreams.Person{} var remoteUser *RemoteUser res := &streams.Resolver{ FollowCallback: func(f *streams.Follow) error { isFollow = true // 1) Use the Follow concrete type here // 2) Errors are propagated to res.Deserialize call below m["@context"] = []string{activitystreams.Namespace} b, _ := json.Marshal(m) if debugging { log.Info("Follow: %s", b) } _, followID := f.GetId() if followID == nil { log.Error("Didn't resolve follow ID") } else { aID := c.FederatedAccount() + "#accept-" + store.GenerateFriendlyRandomString(20) acceptID, err := url.Parse(aID) if err != nil { log.Error("Couldn't parse generated Accept URL '%s': %v", aID, err) } a.SetId(acceptID) } a.AppendObject(f.Raw()) _, to = f.GetActor(0) obj := f.Raw().GetObjectIRI(0) a.AppendActor(obj) // First get actor information if to == nil { return fmt.Errorf("No valid `to` string") } fullActor, remoteUser, err = getActor(app, to.String()) if err != nil { return err } return impart.RenderActivityJSON(w, m, http.StatusOK) }, UndoCallback: func(u *streams.Undo) error { isUnfollow = true m["@context"] = []string{activitystreams.Namespace} b, _ := json.Marshal(m) if debugging { log.Info("Undo: %s", b) } a.AppendObject(u.Raw()) _, to = u.GetActor(0) // TODO: get actor from object.object, not object obj := u.Raw().GetObjectIRI(0) a.AppendActor(obj) if to != nil { // Populate fullActor from DB? remoteUser, err = getRemoteUser(app, to.String()) if err != nil { if iErr, ok := err.(*impart.HTTPError); ok { if iErr.Status == http.StatusNotFound { log.Error("No remoteuser info for Undo event!") } } return err } else { fullActor = remoteUser.AsPerson() } } else { log.Error("No to on Undo!") } return impart.RenderActivityJSON(w, m, http.StatusOK) }, } if err := res.Deserialize(m); err != nil { // 3) Any errors from #2 can be handled, or the payload is an unknown type. log.Error("Unable to resolve Follow: %v", err) if debugging { log.Error("Map: %s", m) } return err } go func() { time.Sleep(2 * time.Second) am, err := a.Serialize() if err != nil { log.Error("Unable to serialize Accept: %v", err) return } am["@context"] = []string{activitystreams.Namespace} if to == nil { log.Error("No to! %v", err) return } err = makeActivityPost(app.cfg.App.Host, p, fullActor.Inbox, am) if err != nil { log.Error("Unable to make activity POST: %v", err) return } if isFollow { t, err := app.db.Begin() if err != nil { log.Error("Unable to start transaction: %v", err) return } var followerID int64 if remoteUser != nil { followerID = remoteUser.ID } else { // Add follower locally, since it wasn't found before res, err := t.Exec("INSERT INTO remoteusers (actor_id, inbox, shared_inbox) VALUES (?, ?, ?)", fullActor.ID, fullActor.Inbox, fullActor.Endpoints.SharedInbox) if err != nil { if !app.db.isDuplicateKeyErr(err) { t.Rollback() log.Error("Couldn't add new remoteuser in DB: %v\n", err) return } } followerID, err = res.LastInsertId() if err != nil { t.Rollback() log.Error("no lastinsertid for followers, rolling back: %v", err) return } // Add in key _, err = t.Exec("INSERT INTO remoteuserkeys (id, remote_user_id, public_key) VALUES (?, ?, ?)", fullActor.PublicKey.ID, followerID, fullActor.PublicKey.PublicKeyPEM) if err != nil { if !app.db.isDuplicateKeyErr(err) { t.Rollback() log.Error("Couldn't add follower keys in DB: %v\n", err) return } } } // Add follow _, err = t.Exec("INSERT INTO remotefollows (collection_id, remote_user_id, created) VALUES (?, ?, "+app.db.now()+")", c.ID, followerID) if err != nil { if !app.db.isDuplicateKeyErr(err) { t.Rollback() log.Error("Couldn't add follower in DB: %v\n", err) return } } err = t.Commit() if err != nil { t.Rollback() log.Error("Rolling back after Commit(): %v\n", err) return } } else if isUnfollow { // Remove follower locally _, err = app.db.Exec("DELETE FROM remotefollows WHERE collection_id = ? AND remote_user_id = (SELECT id FROM remoteusers WHERE actor_id = ?)", c.ID, to.String()) if err != nil { log.Error("Couldn't remove follower from DB: %v\n", err) } } }() return nil } func makeActivityPost(hostName string, p *activitystreams.Person, url string, m interface{}) error { log.Info("POST %s", url) b, err := json.Marshal(m) if err != nil { return err } r, _ := http.NewRequest("POST", url, bytes.NewBuffer(b)) r.Header.Add("Content-Type", "application/activity+json") r.Header.Set("User-Agent", "Go ("+serverSoftware+"/"+softwareVer+"; +"+hostName+")") h := sha256.New() h.Write(b) r.Header.Add("Digest", "SHA-256="+base64.StdEncoding.EncodeToString(h.Sum(nil))) // Sign using the 'Signature' header privKey, err := activitypub.DecodePrivateKey(p.GetPrivKey()) if err != nil { return err } signer := httpsig.NewSigner(p.PublicKey.ID, privKey, httpsig.RSASHA256, []string{"(request-target)", "date", "host", "digest"}) err = signer.SignSigHeader(r) if err != nil { log.Error("Can't sign: %v", err) } if debugging { dump, err := httputil.DumpRequestOut(r, true) if err != nil { log.Error("Can't dump: %v", err) } else { log.Info("%s", dump) } } resp, err := http.DefaultClient.Do(r) if err != nil { return err } if resp != nil && resp.Body != nil { defer resp.Body.Close() } body, err := ioutil.ReadAll(resp.Body) if err != nil { return err } if debugging { log.Info("Status : %s", resp.Status) log.Info("Response: %s", body) } return nil } func resolveIRI(hostName, url string) ([]byte, error) { log.Info("GET %s", url) r, _ := http.NewRequest("GET", url, nil) r.Header.Add("Accept", "application/activity+json") r.Header.Set("User-Agent", "Go ("+serverSoftware+"/"+softwareVer+"; +"+hostName+")") if debugging { dump, err := httputil.DumpRequestOut(r, true) if err != nil { log.Error("Can't dump: %v", err) } else { log.Info("%s", dump) } } resp, err := http.DefaultClient.Do(r) if err != nil { return nil, err } if resp != nil && resp.Body != nil { defer resp.Body.Close() } body, err := ioutil.ReadAll(resp.Body) if err != nil { return nil, err } if debugging { log.Info("Status : %s", resp.Status) log.Info("Response: %s", body) } return body, nil } func deleteFederatedPost(app *App, p *PublicPost, collID int64) error { if debugging { log.Info("Deleting federated post!") } p.Collection.hostName = app.cfg.App.Host actor := p.Collection.PersonObject(collID) na := p.ActivityObject(app) // Add followers p.Collection.ID = collID followers, err := app.db.GetAPFollowers(&p.Collection.Collection) if err != nil { log.Error("Couldn't delete post (get followers)! %v", err) return err } inboxes := map[string][]string{} for _, f := range *followers { inbox := f.SharedInbox if inbox == "" { inbox = f.Inbox } if _, ok := inboxes[inbox]; ok { inboxes[inbox] = append(inboxes[inbox], f.ActorID) } else { inboxes[inbox] = []string{f.ActorID} } } for si, instFolls := range inboxes { na.CC = []string{} for _, f := range instFolls { na.CC = append(na.CC, f) } err = makeActivityPost(app.cfg.App.Host, actor, si, activitystreams.NewDeleteActivity(na)) if err != nil { log.Error("Couldn't delete post! %v", err) } } return nil } func federatePost(app *App, p *PublicPost, collID int64, isUpdate bool) error { if debugging { if isUpdate { log.Info("Federating updated post!") } else { log.Info("Federating new post!") } } actor := p.Collection.PersonObject(collID) na := p.ActivityObject(app) // Add followers p.Collection.ID = collID followers, err := app.db.GetAPFollowers(&p.Collection.Collection) if err != nil { log.Error("Couldn't post! %v", err) return err } log.Info("Followers for %d: %+v", collID, followers) inboxes := map[string][]string{} for _, f := range *followers { inbox := f.SharedInbox if inbox == "" { inbox = f.Inbox } if _, ok := inboxes[inbox]; ok { // check if we're already sending to this shared inbox inboxes[inbox] = append(inboxes[inbox], f.ActorID) } else { // add the new shared inbox to the list inboxes[inbox] = []string{f.ActorID} } } var activity *activitystreams.Activity // for each one of the shared inboxes for si, instFolls := range inboxes { // add all followers from that instance // to the CC field na.CC = []string{} for _, f := range instFolls { na.CC = append(na.CC, f) } // create a new "Create" activity // with our article as object if isUpdate { activity = activitystreams.NewUpdateActivity(na) } else { activity = activitystreams.NewCreateActivity(na) activity.To = na.To activity.CC = na.CC } // and post it to that sharedInbox err = makeActivityPost(app.cfg.App.Host, actor, si, activity) if err != nil { log.Error("Couldn't post! %v", err) } } // re-create the object so that the CC list gets reset and has // the mentioned users. This might seem wasteful but the code is // cleaner than adding the mentioned users to CC here instead of // in p.ActivityObject() na = p.ActivityObject(app) for _, tag := range na.Tag { if tag.Type == "Mention" { activity = activitystreams.NewCreateActivity(na) activity.To = na.To activity.CC = na.CC // This here might be redundant in some cases as we might have already // sent this to the sharedInbox of this instance above, but we need too // much logic to catch this at the expense of the odd extra request. // I don't believe we'd ever have too many mentions in a single post that this // could become a burden. - - fmt.Println(tag.HRef) - fmt.Println("aaa") remoteUser, err := getRemoteUser(app, tag.HRef) err = makeActivityPost(app.cfg.App.Host, actor, remoteUser.Inbox, activity) if err != nil { log.Error("Couldn't post! %v", err) } - // log.Info("Activity", activity) - } } return nil } func getRemoteUser(app *App, actorID string) (*RemoteUser, error) { u := RemoteUser{ActorID: actorID} err := app.db.QueryRow("SELECT id, inbox, shared_inbox, handle FROM remoteusers WHERE actor_id = ?", actorID).Scan(&u.ID, &u.Inbox, &u.SharedInbox, &u.Handle) switch { case err == sql.ErrNoRows: return nil, impart.HTTPError{http.StatusNotFound, "No remote user with that ID."} case err != nil: log.Error("Couldn't get remote user %s: %v", actorID, err) return nil, err } return &u, nil } // getRemoteUserFromHandle retrieves the profile page of a remote user // from the @user@server.tld handle func getRemoteUserFromHandle(app *App, handle string) (*RemoteUser, error) { u := RemoteUser{Handle: handle} err := app.db.QueryRow("SELECT id, actor_id, inbox, shared_inbox FROM remoteusers WHERE handle = ?", handle).Scan(&u.ID, &u.ActorID, &u.Inbox, &u.SharedInbox) switch { case err == sql.ErrNoRows: return nil, impart.HTTPError{http.StatusNotFound, "No remote user with that handle."} case err != nil: log.Error("Couldn't get remote user %s: %v", handle, err) return nil, err } return &u, nil } func getActor(app *App, actorIRI string) (*activitystreams.Person, *RemoteUser, error) { log.Info("Fetching actor %s locally", actorIRI) actor := &activitystreams.Person{} remoteUser, err := getRemoteUser(app, actorIRI) if err != nil { if iErr, ok := err.(impart.HTTPError); ok { if iErr.Status == http.StatusNotFound { // Fetch remote actor log.Info("Not found; fetching actor %s remotely", actorIRI) actorResp, err := resolveIRI(app.cfg.App.Host, actorIRI) if err != nil { log.Error("Unable to get actor! %v", err) return nil, nil, impart.HTTPError{http.StatusInternalServerError, "Couldn't fetch actor."} } if err := unmarshalActor(actorResp, actor); err != nil { log.Error("Unable to unmarshal actor! %v", err) return nil, nil, impart.HTTPError{http.StatusInternalServerError, "Couldn't parse actor."} } } else { return nil, nil, err } } else { return nil, nil, err } } else { actor = remoteUser.AsPerson() } return actor, remoteUser, nil } // unmarshal actor normalizes the actor response to conform to // the type Person from github.com/writeas/web-core/activitysteams // // some implementations return different context field types // this converts any non-slice contexts into a slice func unmarshalActor(actorResp []byte, actor *activitystreams.Person) error { // FIXME: Hubzilla has an object for the Actor's url: cannot unmarshal object into Go struct field Person.url of type string // flexActor overrides the Context field to allow // all valid representations during unmarshal flexActor := struct { activitystreams.Person Context json.RawMessage `json:"@context,omitempty"` }{} if err := json.Unmarshal(actorResp, &flexActor); err != nil { return err } actor.Endpoints = flexActor.Endpoints actor.Followers = flexActor.Followers actor.Following = flexActor.Following actor.ID = flexActor.ID actor.Icon = flexActor.Icon actor.Inbox = flexActor.Inbox actor.Name = flexActor.Name actor.Outbox = flexActor.Outbox actor.PreferredUsername = flexActor.PreferredUsername actor.PublicKey = flexActor.PublicKey actor.Summary = flexActor.Summary actor.Type = flexActor.Type actor.URL = flexActor.URL func(val interface{}) { switch val.(type) { case []interface{}: // already a slice, do nothing actor.Context = val.([]interface{}) default: actor.Context = []interface{}{val} } }(flexActor.Context) return nil } diff --git a/collections.go b/collections.go index 431afd1..f0450b5 100644 --- a/collections.go +++ b/collections.go @@ -1,1106 +1,1103 @@ /* * Copyright © 2018 A Bunch Tell LLC. * * This file is part of WriteFreely. * * WriteFreely is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License, included * in the LICENSE file in this source code package. */ package writefreely import ( "database/sql" "encoding/json" "fmt" "html/template" "math" "net/http" "net/url" "regexp" "strconv" "strings" "unicode" "github.com/gorilla/mux" "github.com/writeas/impart" "github.com/writeas/web-core/activitystreams" "github.com/writeas/web-core/auth" "github.com/writeas/web-core/bots" "github.com/writeas/web-core/log" waposts "github.com/writeas/web-core/posts" "github.com/writeas/writefreely/author" "github.com/writeas/writefreely/config" "github.com/writeas/writefreely/page" ) type ( // TODO: add Direction to db // TODO: add Language to db Collection struct { ID int64 `datastore:"id" json:"-"` Alias string `datastore:"alias" schema:"alias" json:"alias"` Title string `datastore:"title" schema:"title" json:"title"` Description string `datastore:"description" schema:"description" json:"description"` Direction string `schema:"dir" json:"dir,omitempty"` Language string `schema:"lang" json:"lang,omitempty"` StyleSheet string `datastore:"style_sheet" schema:"style_sheet" json:"style_sheet"` Script string `datastore:"script" schema:"script" json:"script,omitempty"` Public bool `datastore:"public" json:"public"` Visibility collVisibility `datastore:"private" json:"-"` Format string `datastore:"format" json:"format,omitempty"` Views int64 `json:"views"` OwnerID int64 `datastore:"owner_id" json:"-"` PublicOwner bool `datastore:"public_owner" json:"-"` URL string `json:"url,omitempty"` db *datastore hostName string } CollectionObj struct { Collection TotalPosts int `json:"total_posts"` Owner *User `json:"owner,omitempty"` Posts *[]PublicPost `json:"posts,omitempty"` } DisplayCollection struct { *CollectionObj Prefix string IsTopLevel bool CurrentPage int TotalPages int Format *CollectionFormat } SubmittedCollection struct { // Data used for updating a given collection ID int64 OwnerID uint64 // Form helpers PreferURL string `schema:"prefer_url" json:"prefer_url"` Privacy int `schema:"privacy" json:"privacy"` Pass string `schema:"password" json:"password"` MathJax bool `schema:"mathjax" json:"mathjax"` Handle string `schema:"handle" json:"handle"` // Actual collection values updated in the DB Alias *string `schema:"alias" json:"alias"` Title *string `schema:"title" json:"title"` Description *string `schema:"description" json:"description"` StyleSheet *sql.NullString `schema:"style_sheet" json:"style_sheet"` Script *sql.NullString `schema:"script" json:"script"` Visibility *int `schema:"visibility" json:"public"` Format *sql.NullString `schema:"format" json:"format"` } CollectionFormat struct { Format string } collectionReq struct { // Information about the collection request itself prefix, alias, domain string isCustomDomain bool // User-related fields isCollOwner bool } ) func (sc *SubmittedCollection) FediverseHandle() string { if sc.Handle == "" { return apCustomHandleDefault } return getSlug(sc.Handle, "") } // collVisibility represents the visibility level for the collection. type collVisibility int // Visibility levels. Values are bitmasks, stored in the database as // decimal numbers. If adding types, append them to this list. If removing, // replace the desired visibility with a new value. const CollUnlisted collVisibility = 0 const ( CollPublic collVisibility = 1 << iota CollPrivate CollProtected ) var collVisibilityStrings = map[string]collVisibility{ "unlisted": CollUnlisted, "public": CollPublic, "private": CollPrivate, "protected": CollProtected, } func defaultVisibility(cfg *config.Config) collVisibility { vis, ok := collVisibilityStrings[cfg.App.DefaultVisibility] if !ok { vis = CollUnlisted } return vis } func (cf *CollectionFormat) Ascending() bool { return cf.Format == "novel" } func (cf *CollectionFormat) ShowDates() bool { return cf.Format == "blog" } func (cf *CollectionFormat) PostsPerPage() int { if cf.Format == "novel" { return postsPerPage } return postsPerPage } // Valid returns whether or not a format value is valid. func (cf *CollectionFormat) Valid() bool { return cf.Format == "blog" || cf.Format == "novel" || cf.Format == "notebook" } // NewFormat creates a new CollectionFormat object from the Collection. func (c *Collection) NewFormat() *CollectionFormat { cf := &CollectionFormat{Format: c.Format} // Fill in default format if cf.Format == "" { cf.Format = "blog" } return cf } func (c *Collection) IsUnlisted() bool { return c.Visibility == 0 } func (c *Collection) IsPrivate() bool { return c.Visibility&CollPrivate != 0 } func (c *Collection) IsProtected() bool { return c.Visibility&CollProtected != 0 } func (c *Collection) IsPublic() bool { return c.Visibility&CollPublic != 0 } func (c *Collection) FriendlyVisibility() string { if c.IsPrivate() { return "Private" } if c.IsPublic() { return "Public" } if c.IsProtected() { return "Password-protected" } return "Unlisted" } func (c *Collection) ShowFooterBranding() bool { // TODO: implement this setting return true } // CanonicalURL returns a fully-qualified URL to the collection. func (c *Collection) CanonicalURL() string { return c.RedirectingCanonicalURL(false) } func (c *Collection) DisplayCanonicalURL() string { us := c.CanonicalURL() u, err := url.Parse(us) if err != nil { return us } p := u.Path if p == "/" { p = "" } return u.Hostname() + p } func (c *Collection) RedirectingCanonicalURL(isRedir bool) string { if c.hostName == "" { // If this is true, the human programmers screwed up. So ask for a bug report and fail, fail, fail log.Error("[PROGRAMMER ERROR] WARNING: Collection.hostName is empty! Federation and many other things will fail! If you're seeing this in the wild, please report this bug and let us know what you were doing just before this: https://github.com/writeas/writefreely/issues/new?template=bug_report.md") } if isSingleUser { return c.hostName + "/" } return fmt.Sprintf("%s/%s/", c.hostName, c.Alias) } // PrevPageURL provides a full URL for the previous page of collection posts, // returning a /page/N result for pages >1 func (c *Collection) PrevPageURL(prefix string, n int, tl bool) string { u := "" if n == 2 { // Previous page is 1; no need for /page/ prefix if prefix == "" { u = "/" } // Else leave off trailing slash } else { u = fmt.Sprintf("/page/%d", n-1) } if tl { return u } return "/" + prefix + c.Alias + u } // NextPageURL provides a full URL for the next page of collection posts func (c *Collection) NextPageURL(prefix string, n int, tl bool) string { if tl { return fmt.Sprintf("/page/%d", n+1) } return fmt.Sprintf("/%s%s/page/%d", prefix, c.Alias, n+1) } func (c *Collection) DisplayTitle() string { if c.Title != "" { return c.Title } return c.Alias } func (c *Collection) StyleSheetDisplay() template.CSS { return template.CSS(c.StyleSheet) } // ForPublic modifies the Collection for public consumption, such as via // the API. func (c *Collection) ForPublic() { c.URL = c.CanonicalURL() } var isAvatarChar = regexp.MustCompile("[a-z0-9]").MatchString func (c *Collection) PersonObject(ids ...int64) *activitystreams.Person { accountRoot := c.FederatedAccount() p := activitystreams.NewPerson(accountRoot) p.URL = c.CanonicalURL() uname := c.Alias p.PreferredUsername = uname p.Name = c.DisplayTitle() p.Summary = c.Description if p.Name != "" { if av := c.AvatarURL(); av != "" { p.Icon = activitystreams.Image{ Type: "Image", MediaType: "image/png", URL: av, } } } collID := c.ID if len(ids) > 0 { collID = ids[0] } pub, priv := c.db.GetAPActorKeys(collID) if pub != nil { p.AddPubKey(pub) p.SetPrivKey(priv) } return p } func (c *Collection) AvatarURL() string { fl := string(unicode.ToLower([]rune(c.DisplayTitle())[0])) if !isAvatarChar(fl) { return "" } return c.hostName + "/img/avatars/" + fl + ".png" } func (c *Collection) FederatedAPIBase() string { return c.hostName + "/" } func (c *Collection) FederatedAccount() string { accountUser := c.Alias return c.FederatedAPIBase() + "api/collections/" + accountUser } func (c *Collection) RenderMathJax() bool { return c.db.CollectionHasAttribute(c.ID, "render_mathjax") } func newCollection(app *App, w http.ResponseWriter, r *http.Request) error { reqJSON := IsJSON(r.Header.Get("Content-Type")) alias := r.FormValue("alias") title := r.FormValue("title") var missingParams, accessToken string var u *User c := struct { Alias string `json:"alias" schema:"alias"` Title string `json:"title" schema:"title"` Web bool `json:"web" schema:"web"` }{} if reqJSON { // Decode JSON request decoder := json.NewDecoder(r.Body) err := decoder.Decode(&c) if err != nil { log.Error("Couldn't parse post update JSON request: %v\n", err) return ErrBadJSON } } else { // TODO: move form parsing to formDecoder c.Alias = alias c.Title = title } if c.Alias == "" { if c.Title != "" { // If only a title was given, just use it to generate the alias. c.Alias = getSlug(c.Title, "") } else { missingParams += "`alias` " } } if c.Title == "" { missingParams += "`title` " } if missingParams != "" { return impart.HTTPError{http.StatusBadRequest, fmt.Sprintf("Parameter(s) %srequired.", missingParams)} } var userID int64 if reqJSON && !c.Web { accessToken = r.Header.Get("Authorization") if accessToken == "" { return ErrNoAccessToken } userID = app.db.GetUserID(accessToken) if userID == -1 { return ErrBadAccessToken } } else { u = getUserSession(app, r) if u == nil { return ErrNotLoggedIn } userID = u.ID } if !author.IsValidUsername(app.cfg, c.Alias) { return impart.HTTPError{http.StatusPreconditionFailed, "Collection alias isn't valid."} } coll, err := app.db.CreateCollection(app.cfg, c.Alias, c.Title, userID) if err != nil { // TODO: handle this return err } res := &CollectionObj{Collection: *coll} if reqJSON { return impart.WriteSuccess(w, res, http.StatusCreated) } redirectTo := "/me/c/" // TODO: redirect to pad when necessary return impart.HTTPError{http.StatusFound, redirectTo} } func apiCheckCollectionPermissions(app *App, r *http.Request, c *Collection) (int64, error) { accessToken := r.Header.Get("Authorization") var userID int64 = -1 if accessToken != "" { userID = app.db.GetUserID(accessToken) } isCollOwner := userID == c.OwnerID if c.IsPrivate() && !isCollOwner { // Collection is private, but user isn't authenticated return -1, ErrCollectionNotFound } if c.IsProtected() { // TODO: check access token return -1, ErrCollectionUnauthorizedRead } return userID, nil } // fetchCollection handles the API endpoint for retrieving collection data. func fetchCollection(app *App, w http.ResponseWriter, r *http.Request) error { accept := r.Header.Get("Accept") if strings.Contains(accept, "application/activity+json") { return handleFetchCollectionActivities(app, w, r) } vars := mux.Vars(r) alias := vars["alias"] // TODO: move this logic into a common getCollection function // Get base Collection data c, err := app.db.GetCollection(alias) if err != nil { return err } c.hostName = app.cfg.App.Host // Redirect users who aren't requesting JSON reqJSON := IsJSON(r.Header.Get("Content-Type")) if !reqJSON { return impart.HTTPError{http.StatusFound, c.CanonicalURL()} } // Check permissions userID, err := apiCheckCollectionPermissions(app, r, c) if err != nil { return err } isCollOwner := userID == c.OwnerID // Fetch extra data about the Collection res := &CollectionObj{Collection: *c} if c.PublicOwner { u, err := app.db.GetUserByID(res.OwnerID) if err != nil { // Log the error and just continue log.Error("Error getting user for collection: %v", err) } else { res.Owner = u } } app.db.GetPostsCount(res, isCollOwner) // Strip non-public information res.Collection.ForPublic() return impart.WriteSuccess(w, res, http.StatusOK) } // fetchCollectionPosts handles an API endpoint for retrieving a collection's // posts. func fetchCollectionPosts(app *App, w http.ResponseWriter, r *http.Request) error { vars := mux.Vars(r) alias := vars["alias"] c, err := app.db.GetCollection(alias) if err != nil { return err } c.hostName = app.cfg.App.Host // Check permissions userID, err := apiCheckCollectionPermissions(app, r, c) if err != nil { return err } isCollOwner := userID == c.OwnerID // Get page page := 1 if p := r.FormValue("page"); p != "" { pInt, _ := strconv.Atoi(p) if pInt > 0 { page = pInt } } posts, err := app.db.GetPosts(app.cfg, c, page, isCollOwner, false, false) if err != nil { return err } coll := &CollectionObj{Collection: *c, Posts: posts} app.db.GetPostsCount(coll, isCollOwner) // Strip non-public information coll.Collection.ForPublic() // Transform post bodies if needed if r.FormValue("body") == "html" { for _, p := range *coll.Posts { p.Content = waposts.ApplyMarkdown([]byte(p.Content)) } } return impart.WriteSuccess(w, coll, http.StatusOK) } type CollectionPage struct { page.StaticPage *DisplayCollection IsCustomDomain bool IsWelcome bool IsOwner bool CanPin bool Username string Collections *[]Collection PinnedPosts *[]PublicPost IsAdmin bool CanInvite bool } func (c *CollectionObj) ScriptDisplay() template.JS { return template.JS(c.Script) } var jsSourceCommentReg = regexp.MustCompile("(?m)^// src:(.+)$") func (c *CollectionObj) ExternalScripts() []template.URL { scripts := []template.URL{} if c.Script == "" { return scripts } matches := jsSourceCommentReg.FindAllStringSubmatch(c.Script, -1) for _, m := range matches { scripts = append(scripts, template.URL(strings.TrimSpace(m[1]))) } return scripts } func (c *CollectionObj) CanShowScript() bool { return false } func processCollectionRequest(cr *collectionReq, vars map[string]string, w http.ResponseWriter, r *http.Request) error { cr.prefix = vars["prefix"] cr.alias = vars["collection"] // Normalize the URL, redirecting user to consistent post URL if cr.alias != strings.ToLower(cr.alias) { return impart.HTTPError{http.StatusMovedPermanently, fmt.Sprintf("/%s/", strings.ToLower(cr.alias))} } return nil } // processCollectionPermissions checks the permissions for the given // collectionReq, returning a Collection if access is granted; otherwise this // renders any necessary collection pages, for example, if requesting a custom // domain that doesn't yet have a collection associated, or if a collection // requires a password. In either case, this will return nil, nil -- thus both // values should ALWAYS be checked to determine whether or not to continue. func processCollectionPermissions(app *App, cr *collectionReq, u *User, w http.ResponseWriter, r *http.Request) (*Collection, error) { // Display collection if this is a collection var c *Collection var err error if app.cfg.App.SingleUser { c, err = app.db.GetCollectionByID(1) } else { c, err = app.db.GetCollection(cr.alias) } // TODO: verify we don't reveal the existence of a private collection with redirection if err != nil { if err, ok := err.(impart.HTTPError); ok { if err.Status == http.StatusNotFound { if cr.isCustomDomain { // User is on the site from a custom domain //tErr := pages["404-domain.tmpl"].ExecuteTemplate(w, "base", pageForHost(page.StaticPage{}, r)) //if tErr != nil { //log.Error("Unable to render 404-domain page: %v", err) //} return nil, nil } if len(cr.alias) >= minIDLen && len(cr.alias) <= maxIDLen { // Alias is within post ID range, so just be sure this isn't a post if app.db.PostIDExists(cr.alias) { // TODO: use StatusFound for vanity post URLs when we implement them return nil, impart.HTTPError{http.StatusMovedPermanently, "/" + cr.alias} } } // Redirect if necessary newAlias := app.db.GetCollectionRedirect(cr.alias) if newAlias != "" { return nil, impart.HTTPError{http.StatusFound, "/" + newAlias + "/"} } } } return nil, err } c.hostName = app.cfg.App.Host // Update CollectionRequest to reflect owner status cr.isCollOwner = u != nil && u.ID == c.OwnerID // Check permissions if !cr.isCollOwner { if c.IsPrivate() { return nil, ErrCollectionNotFound } else if c.IsProtected() { uname := "" if u != nil { uname = u.Username } // See if we've authorized this collection authd := isAuthorizedForCollection(app, c.Alias, r) if !authd { p := struct { page.StaticPage *CollectionObj Username string Next string Flashes []template.HTML }{ StaticPage: pageForReq(app, r), CollectionObj: &CollectionObj{Collection: *c}, Username: uname, Next: r.FormValue("g"), Flashes: []template.HTML{}, } // Get owner information p.CollectionObj.Owner, err = app.db.GetUserByID(c.OwnerID) if err != nil { // Log the error and just continue log.Error("Error getting user for collection: %v", err) } flashes, _ := getSessionFlashes(app, w, r, nil) for _, flash := range flashes { p.Flashes = append(p.Flashes, template.HTML(flash)) } err = templates["password-collection"].ExecuteTemplate(w, "password-collection", p) if err != nil { log.Error("Unable to render password-collection: %v", err) return nil, err } return nil, nil } } } return c, nil } func checkUserForCollection(app *App, cr *collectionReq, r *http.Request, isPostReq bool) (*User, error) { u := getUserSession(app, r) return u, nil } func newDisplayCollection(c *Collection, cr *collectionReq, page int) *DisplayCollection { coll := &DisplayCollection{ CollectionObj: &CollectionObj{Collection: *c}, CurrentPage: page, Prefix: cr.prefix, IsTopLevel: isSingleUser, Format: c.NewFormat(), } c.db.GetPostsCount(coll.CollectionObj, cr.isCollOwner) return coll } func getCollectionPage(vars map[string]string) int { page := 1 var p int p, _ = strconv.Atoi(vars["page"]) if p > 0 { page = p } return page } // handleViewCollection displays the requested Collection func handleViewCollection(app *App, w http.ResponseWriter, r *http.Request) error { vars := mux.Vars(r) cr := &collectionReq{} err := processCollectionRequest(cr, vars, w, r) if err != nil { return err } u, err := checkUserForCollection(app, cr, r, false) if err != nil { return err } page := getCollectionPage(vars) c, err := processCollectionPermissions(app, cr, u, w, r) if c == nil || err != nil { return err } c.hostName = app.cfg.App.Host // Serve ActivityStreams data now, if requested if strings.Contains(r.Header.Get("Accept"), "application/activity+json") { ac := c.PersonObject() ac.Context = []interface{}{activitystreams.Namespace} return impart.RenderActivityJSON(w, ac, http.StatusOK) } // Fetch extra data about the Collection // TODO: refactor out this logic, shared in collection.go:fetchCollection() coll := newDisplayCollection(c, cr, page) coll.TotalPages = int(math.Ceil(float64(coll.TotalPosts) / float64(coll.Format.PostsPerPage()))) if coll.TotalPages > 0 && page > coll.TotalPages { redirURL := fmt.Sprintf("/page/%d", coll.TotalPages) if !app.cfg.App.SingleUser { redirURL = fmt.Sprintf("/%s%s%s", cr.prefix, coll.Alias, redirURL) } return impart.HTTPError{http.StatusFound, redirURL} } coll.Posts, _ = app.db.GetPosts(app.cfg, c, page, cr.isCollOwner, false, false) // Serve collection displayPage := CollectionPage{ DisplayCollection: coll, StaticPage: pageForReq(app, r), IsCustomDomain: cr.isCustomDomain, IsWelcome: r.FormValue("greeting") != "", } displayPage.IsAdmin = u != nil && u.IsAdmin() displayPage.CanInvite = canUserInvite(app.cfg, displayPage.IsAdmin) var owner *User if u != nil { displayPage.Username = u.Username displayPage.IsOwner = u.ID == coll.OwnerID if displayPage.IsOwner { // Add in needed information for users viewing their own collection owner = u displayPage.CanPin = true pubColls, err := app.db.GetPublishableCollections(owner, app.cfg.App.Host) if err != nil { log.Error("unable to fetch collections: %v", err) } displayPage.Collections = pubColls } } isOwner := owner != nil if !isOwner { // Current user doesn't own collection; retrieve owner information owner, err = app.db.GetUserByID(coll.OwnerID) if err != nil { // Log the error and just continue log.Error("Error getting user for collection: %v", err) } } displayPage.Owner = owner coll.Owner = displayPage.Owner // Add more data // TODO: fix this mess of collections inside collections displayPage.PinnedPosts, _ = app.db.GetPinnedPosts(coll.CollectionObj, isOwner) collTmpl := "collection" if app.cfg.App.Chorus { collTmpl = "chorus-collection" } err = templates[collTmpl].ExecuteTemplate(w, "collection", displayPage) if err != nil { log.Error("Unable to render collection index: %v", err) } // Update collection view count go func() { // Don't update if owner is viewing the collection. if u != nil && u.ID == coll.OwnerID { return } // Only update for human views if r.Method == "HEAD" || bots.IsBot(r.UserAgent()) { return } _, err := app.db.Exec("UPDATE collections SET view_count = view_count + 1 WHERE id = ?", coll.ID) if err != nil { log.Error("Unable to update collections count: %v", err) } }() return err } func handleViewMention(app *App, w http.ResponseWriter, r *http.Request) error { vars := mux.Vars(r) handle := vars["handle"] remoteUser, err := app.db.getProfilePageFromHandle(app, handle) if err != nil { log.Error("Couldn't find this user "+handle, err) return nil } - http.Redirect(w, r, remoteUser, http.StatusSeeOther) - w.Write([]byte("go to " + remoteUser)) - - return nil + return impart.HTTPError{Status: http.StatusFound, Message: remoteUser} } func handleViewCollectionTag(app *App, w http.ResponseWriter, r *http.Request) error { vars := mux.Vars(r) tag := vars["tag"] cr := &collectionReq{} err := processCollectionRequest(cr, vars, w, r) if err != nil { return err } u, err := checkUserForCollection(app, cr, r, false) if err != nil { return err } page := getCollectionPage(vars) c, err := processCollectionPermissions(app, cr, u, w, r) if c == nil || err != nil { return err } coll := newDisplayCollection(c, cr, page) coll.Posts, _ = app.db.GetPostsTagged(app.cfg, c, tag, page, cr.isCollOwner) if coll.Posts != nil && len(*coll.Posts) == 0 { return ErrCollectionPageNotFound } // Serve collection displayPage := struct { CollectionPage Tag string }{ CollectionPage: CollectionPage{ DisplayCollection: coll, StaticPage: pageForReq(app, r), IsCustomDomain: cr.isCustomDomain, }, Tag: tag, } var owner *User if u != nil { displayPage.Username = u.Username displayPage.IsOwner = u.ID == coll.OwnerID if displayPage.IsOwner { // Add in needed information for users viewing their own collection owner = u displayPage.CanPin = true pubColls, err := app.db.GetPublishableCollections(owner, app.cfg.App.Host) if err != nil { log.Error("unable to fetch collections: %v", err) } displayPage.Collections = pubColls } } isOwner := owner != nil if !isOwner { // Current user doesn't own collection; retrieve owner information owner, err = app.db.GetUserByID(coll.OwnerID) if err != nil { // Log the error and just continue log.Error("Error getting user for collection: %v", err) } } displayPage.Owner = owner coll.Owner = displayPage.Owner // Add more data // TODO: fix this mess of collections inside collections displayPage.PinnedPosts, _ = app.db.GetPinnedPosts(coll.CollectionObj, isOwner) err = templates["collection-tags"].ExecuteTemplate(w, "collection-tags", displayPage) if err != nil { log.Error("Unable to render collection tag page: %v", err) } return nil } func handleCollectionPostRedirect(app *App, w http.ResponseWriter, r *http.Request) error { vars := mux.Vars(r) slug := vars["slug"] cr := &collectionReq{} err := processCollectionRequest(cr, vars, w, r) if err != nil { return err } // Normalize the URL, redirecting user to consistent post URL loc := fmt.Sprintf("/%s", slug) if !app.cfg.App.SingleUser { loc = fmt.Sprintf("/%s/%s", cr.alias, slug) } return impart.HTTPError{http.StatusFound, loc} } func existingCollection(app *App, w http.ResponseWriter, r *http.Request) error { reqJSON := IsJSON(r.Header.Get("Content-Type")) vars := mux.Vars(r) collAlias := vars["alias"] isWeb := r.FormValue("web") == "1" var u *User if reqJSON && !isWeb { // Ensure an access token was given accessToken := r.Header.Get("Authorization") u = &User{} u.ID = app.db.GetUserID(accessToken) if u.ID == -1 { return ErrBadAccessToken } } else { u = getUserSession(app, r) if u == nil { return ErrNotLoggedIn } } if r.Method == "DELETE" { err := app.db.DeleteCollection(collAlias, u.ID) if err != nil { // TODO: if not HTTPError, report error to admin log.Error("Unable to delete collection: %s", err) return err } addSessionFlash(app, w, r, "Deleted your blog, "+collAlias+".", nil) return impart.HTTPError{Status: http.StatusNoContent} } c := SubmittedCollection{OwnerID: uint64(u.ID)} var err error if reqJSON { // Decode JSON request decoder := json.NewDecoder(r.Body) err = decoder.Decode(&c) if err != nil { log.Error("Couldn't parse collection update JSON request: %v\n", err) return ErrBadJSON } } else { err = r.ParseForm() if err != nil { log.Error("Couldn't parse collection update form request: %v\n", err) return ErrBadFormData } err = app.formDecoder.Decode(&c, r.PostForm) if err != nil { log.Error("Couldn't decode collection update form request: %v\n", err) return ErrBadFormData } } err = app.db.UpdateCollection(&c, collAlias) if err != nil { if err, ok := err.(impart.HTTPError); ok { if reqJSON { return err } addSessionFlash(app, w, r, err.Message, nil) return impart.HTTPError{http.StatusFound, "/me/c/" + collAlias} } else { log.Error("Couldn't update collection: %v\n", err) return err } } if reqJSON { return impart.WriteSuccess(w, struct { }{}, http.StatusOK) } addSessionFlash(app, w, r, "Blog updated!", nil) return impart.HTTPError{http.StatusFound, "/me/c/" + collAlias} } // collectionAliasFromReq takes a request and returns the collection alias // if it can be ascertained, as well as whether or not the collection uses a // custom domain. func collectionAliasFromReq(r *http.Request) string { vars := mux.Vars(r) alias := vars["subdomain"] isSubdomain := alias != "" if !isSubdomain { // Fall back to write.as/{collection} since this isn't a custom domain alias = vars["collection"] } return alias } func handleWebCollectionUnlock(app *App, w http.ResponseWriter, r *http.Request) error { var readReq struct { Alias string `schema:"alias" json:"alias"` Pass string `schema:"password" json:"password"` Next string `schema:"to" json:"to"` } // Get params if impart.ReqJSON(r) { decoder := json.NewDecoder(r.Body) err := decoder.Decode(&readReq) if err != nil { log.Error("Couldn't parse readReq JSON request: %v\n", err) return ErrBadJSON } } else { err := r.ParseForm() if err != nil { log.Error("Couldn't parse readReq form request: %v\n", err) return ErrBadFormData } err = app.formDecoder.Decode(&readReq, r.PostForm) if err != nil { log.Error("Couldn't decode readReq form request: %v\n", err) return ErrBadFormData } } if readReq.Alias == "" { return impart.HTTPError{http.StatusBadRequest, "Need a collection `alias` to read."} } if readReq.Pass == "" { return impart.HTTPError{http.StatusBadRequest, "Please supply a password."} } var collHashedPass []byte err := app.db.QueryRow("SELECT password FROM collectionpasswords INNER JOIN collections ON id = collection_id WHERE alias = ?", readReq.Alias).Scan(&collHashedPass) if err != nil { if err == sql.ErrNoRows { log.Error("No collectionpassword found when trying to read collection %s", readReq.Alias) return impart.HTTPError{http.StatusInternalServerError, "Something went very wrong. The humans have been alerted."} } return err } if !auth.Authenticated(collHashedPass, []byte(readReq.Pass)) { return impart.HTTPError{http.StatusUnauthorized, "Incorrect password."} } // Success; set cookie session, err := app.sessionStore.Get(r, blogPassCookieName) if err == nil { session.Values[readReq.Alias] = true err = session.Save(r, w) if err != nil { log.Error("Didn't save unlocked blog '%s': %v", readReq.Alias, err) } } next := "/" + readReq.Next if !app.cfg.App.SingleUser { next = "/" + readReq.Alias + next } return impart.HTTPError{http.StatusFound, next} } func isAuthorizedForCollection(app *App, alias string, r *http.Request) bool { authd := false session, err := app.sessionStore.Get(r, blogPassCookieName) if err == nil { _, authd = session.Values[alias] } return authd } diff --git a/routes.go b/routes.go index 4c26f47..6f6bd58 100644 --- a/routes.go +++ b/routes.go @@ -1,207 +1,209 @@ /* * Copyright © 2018-2019 A Bunch Tell LLC. * * This file is part of WriteFreely. * * WriteFreely is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License, included * in the LICENSE file in this source code package. */ package writefreely import ( "net/http" "path/filepath" "strings" "github.com/gorilla/mux" "github.com/writeas/go-webfinger" "github.com/writeas/web-core/log" "github.com/writefreely/go-nodeinfo" ) // InitStaticRoutes adds routes for serving static files. // TODO: this should just be a func, not method func (app *App) InitStaticRoutes(r *mux.Router) { // Handle static files fs := http.FileServer(http.Dir(filepath.Join(app.cfg.Server.StaticParentDir, staticDir))) app.shttp = http.NewServeMux() app.shttp.Handle("/", fs) r.PathPrefix("/").Handler(fs) } // InitRoutes adds dynamic routes for the given mux.Router. func InitRoutes(apper Apper, r *mux.Router) *mux.Router { // Create handler handler := NewWFHandler(apper) // Set up routes hostSubroute := apper.App().cfg.App.Host[strings.Index(apper.App().cfg.App.Host, "://")+3:] if apper.App().cfg.App.SingleUser { hostSubroute = "{domain}" } else { if strings.HasPrefix(hostSubroute, "localhost") { hostSubroute = "localhost" } } if apper.App().cfg.App.SingleUser { log.Info("Adding %s routes (single user)...", hostSubroute) } else { log.Info("Adding %s routes (multi-user)...", hostSubroute) } // Primary app routes write := r.PathPrefix("/").Subrouter() // Federation endpoint configurations wf := webfinger.Default(wfResolver{apper.App().db, apper.App().cfg}) wf.NoTLSHandler = nil // Federation endpoints // host-meta write.HandleFunc("/.well-known/host-meta", handler.Web(handleViewHostMeta, UserLevelReader)) // webfinger write.HandleFunc(webfinger.WebFingerPath, handler.LogHandlerFunc(http.HandlerFunc(wf.Webfinger))) // nodeinfo niCfg := nodeInfoConfig(apper.App().db, apper.App().cfg) ni := nodeinfo.NewService(*niCfg, nodeInfoResolver{apper.App().cfg, apper.App().db}) write.HandleFunc(nodeinfo.NodeInfoPath, handler.LogHandlerFunc(http.HandlerFunc(ni.NodeInfoDiscover))) write.HandleFunc(niCfg.InfoURL, handler.LogHandlerFunc(http.HandlerFunc(ni.NodeInfo))) + // handle mentions + write.HandleFunc("/mention:{handle}", handler.Web(handleViewMention, UserLevelReader)) + // Set up dyamic page handlers // Handle auth auth := write.PathPrefix("/api/auth/").Subrouter() if apper.App().cfg.App.OpenRegistration { auth.HandleFunc("/signup", handler.All(apiSignup)).Methods("POST") } auth.HandleFunc("/login", handler.All(login)).Methods("POST") auth.HandleFunc("/read", handler.WebErrors(handleWebCollectionUnlock, UserLevelNone)).Methods("POST") auth.HandleFunc("/me", handler.All(handleAPILogout)).Methods("DELETE") // Handle logged in user sections me := write.PathPrefix("/me").Subrouter() me.HandleFunc("/", handler.Redirect("/me", UserLevelUser)) me.HandleFunc("/c", handler.Redirect("/me/c/", UserLevelUser)).Methods("GET") me.HandleFunc("/c/", handler.User(viewCollections)).Methods("GET") me.HandleFunc("/c/{collection}", handler.User(viewEditCollection)).Methods("GET") me.HandleFunc("/c/{collection}/stats", handler.User(viewStats)).Methods("GET") me.HandleFunc("/posts", handler.Redirect("/me/posts/", UserLevelUser)).Methods("GET") me.HandleFunc("/posts/", handler.User(viewArticles)).Methods("GET") me.HandleFunc("/posts/export.csv", handler.Download(viewExportPosts, UserLevelUser)).Methods("GET") me.HandleFunc("/posts/export.zip", handler.Download(viewExportPosts, UserLevelUser)).Methods("GET") me.HandleFunc("/posts/export.json", handler.Download(viewExportPosts, UserLevelUser)).Methods("GET") me.HandleFunc("/export", handler.User(viewExportOptions)).Methods("GET") me.HandleFunc("/export.json", handler.Download(viewExportFull, UserLevelUser)).Methods("GET") me.HandleFunc("/settings", handler.User(viewSettings)).Methods("GET") me.HandleFunc("/invites", handler.User(handleViewUserInvites)).Methods("GET") me.HandleFunc("/logout", handler.Web(viewLogout, UserLevelNone)).Methods("GET") write.HandleFunc("/api/me", handler.All(viewMeAPI)).Methods("GET") apiMe := write.PathPrefix("/api/me/").Subrouter() apiMe.HandleFunc("/", handler.All(viewMeAPI)).Methods("GET") apiMe.HandleFunc("/posts", handler.UserAPI(viewMyPostsAPI)).Methods("GET") apiMe.HandleFunc("/collections", handler.UserAPI(viewMyCollectionsAPI)).Methods("GET") apiMe.HandleFunc("/password", handler.All(updatePassphrase)).Methods("POST") apiMe.HandleFunc("/self", handler.All(updateSettings)).Methods("POST") apiMe.HandleFunc("/invites", handler.User(handleCreateUserInvite)).Methods("POST") // Sign up validation write.HandleFunc("/api/alias", handler.All(handleUsernameCheck)).Methods("POST") // Handle collections write.HandleFunc("/api/collections", handler.All(newCollection)).Methods("POST") apiColls := write.PathPrefix("/api/collections/").Subrouter() apiColls.HandleFunc("/{alias:[0-9a-zA-Z\\-]+}", handler.AllReader(fetchCollection)).Methods("GET") apiColls.HandleFunc("/{alias:[0-9a-zA-Z\\-]+}", handler.All(existingCollection)).Methods("POST", "DELETE") apiColls.HandleFunc("/{alias}/posts", handler.AllReader(fetchCollectionPosts)).Methods("GET") apiColls.HandleFunc("/{alias}/posts", handler.All(newPost)).Methods("POST") apiColls.HandleFunc("/{alias}/posts/{post}", handler.AllReader(fetchPost)).Methods("GET") apiColls.HandleFunc("/{alias}/posts/{post:[a-zA-Z0-9]{10}}", handler.All(existingPost)).Methods("POST") apiColls.HandleFunc("/{alias}/posts/{post}/{property}", handler.AllReader(fetchPostProperty)).Methods("GET") apiColls.HandleFunc("/{alias}/collect", handler.All(addPost)).Methods("POST") apiColls.HandleFunc("/{alias}/pin", handler.All(pinPost)).Methods("POST") apiColls.HandleFunc("/{alias}/unpin", handler.All(pinPost)).Methods("POST") apiColls.HandleFunc("/{alias}/inbox", handler.All(handleFetchCollectionInbox)).Methods("POST") apiColls.HandleFunc("/{alias}/outbox", handler.AllReader(handleFetchCollectionOutbox)).Methods("GET") apiColls.HandleFunc("/{alias}/following", handler.AllReader(handleFetchCollectionFollowing)).Methods("GET") apiColls.HandleFunc("/{alias}/followers", handler.AllReader(handleFetchCollectionFollowers)).Methods("GET") // Handle posts write.HandleFunc("/api/posts", handler.All(newPost)).Methods("POST") posts := write.PathPrefix("/api/posts/").Subrouter() posts.HandleFunc("/{post:[a-zA-Z0-9]{10}}", handler.AllReader(fetchPost)).Methods("GET") posts.HandleFunc("/{post:[a-zA-Z0-9]{10}}", handler.All(existingPost)).Methods("POST", "PUT") posts.HandleFunc("/{post:[a-zA-Z0-9]{10}}", handler.All(deletePost)).Methods("DELETE") posts.HandleFunc("/{post:[a-zA-Z0-9]{10}}/{property}", handler.AllReader(fetchPostProperty)).Methods("GET") posts.HandleFunc("/claim", handler.All(addPost)).Methods("POST") posts.HandleFunc("/disperse", handler.All(dispersePost)).Methods("POST") write.HandleFunc("/auth/signup", handler.Web(handleWebSignup, UserLevelNoneRequired)).Methods("POST") write.HandleFunc("/auth/login", handler.Web(webLogin, UserLevelNoneRequired)).Methods("POST") write.HandleFunc("/admin", handler.Admin(handleViewAdminDash)).Methods("GET") write.HandleFunc("/admin/users", handler.Admin(handleViewAdminUsers)).Methods("GET") write.HandleFunc("/admin/user/{username}", handler.Admin(handleViewAdminUser)).Methods("GET") write.HandleFunc("/admin/pages", handler.Admin(handleViewAdminPages)).Methods("GET") write.HandleFunc("/admin/page/{slug}", handler.Admin(handleViewAdminPage)).Methods("GET") write.HandleFunc("/admin/update/config", handler.AdminApper(handleAdminUpdateConfig)).Methods("POST") write.HandleFunc("/admin/update/{page}", handler.Admin(handleAdminUpdateSite)).Methods("POST") // Handle special pages first write.HandleFunc("/login", handler.Web(viewLogin, UserLevelNoneRequired)) write.HandleFunc("/signup", handler.Web(handleViewLanding, UserLevelNoneRequired)) write.HandleFunc("/invite/{code}", handler.Web(handleViewInvite, UserLevelOptional)).Methods("GET") // TODO: show a reader-specific 404 page if the function is disabled write.HandleFunc("/read", handler.Web(viewLocalTimeline, UserLevelReader)) RouteRead(handler, UserLevelReader, write.PathPrefix("/read").Subrouter()) draftEditPrefix := "" if apper.App().cfg.App.SingleUser { draftEditPrefix = "/d" write.HandleFunc("/me/new", handler.Web(handleViewPad, UserLevelOptional)).Methods("GET") } else { write.HandleFunc("/new", handler.Web(handleViewPad, UserLevelOptional)).Methods("GET") } // All the existing stuff write.HandleFunc(draftEditPrefix+"/{action}/edit", handler.Web(handleViewPad, UserLevelOptional)).Methods("GET") write.HandleFunc(draftEditPrefix+"/{action}/meta", handler.Web(handleViewMeta, UserLevelOptional)).Methods("GET") // Collections if apper.App().cfg.App.SingleUser { RouteCollections(handler, write.PathPrefix("/").Subrouter()) } else { write.HandleFunc("/{prefix:[@~$!\\-+]}{collection}", handler.Web(handleViewCollection, UserLevelReader)) write.HandleFunc("/{collection}/", handler.Web(handleViewCollection, UserLevelReader)) RouteCollections(handler, write.PathPrefix("/{prefix:[@~$!\\-+]?}{collection}").Subrouter()) // Posts } write.HandleFunc(draftEditPrefix+"/{post}", handler.Web(handleViewPost, UserLevelOptional)) write.HandleFunc("/", handler.Web(handleViewHome, UserLevelOptional)) return r } func RouteCollections(handler *Handler, r *mux.Router) { r.HandleFunc("/page/{page:[0-9]+}", handler.Web(handleViewCollection, UserLevelReader)) - r.HandleFunc("/mention:{handle}", handler.Web(handleViewMention, UserLevelReader)) r.HandleFunc("/tag:{tag}", handler.Web(handleViewCollectionTag, UserLevelReader)) r.HandleFunc("/tag:{tag}/feed/", handler.Web(ViewFeed, UserLevelReader)) r.HandleFunc("/tags/{tag}", handler.Web(handleViewCollectionTag, UserLevelReader)) r.HandleFunc("/sitemap.xml", handler.AllReader(handleViewSitemap)) r.HandleFunc("/feed/", handler.AllReader(ViewFeed)) r.HandleFunc("/{slug}", handler.CollectionPostOrStatic) r.HandleFunc("/{slug}/edit", handler.Web(handleViewPad, UserLevelUser)) r.HandleFunc("/{slug}/edit/meta", handler.Web(handleViewMeta, UserLevelUser)) r.HandleFunc("/{slug}/", handler.Web(handleCollectionPostRedirect, UserLevelReader)).Methods("GET") } func RouteRead(handler *Handler, readPerm UserLevelFunc, r *mux.Router) { r.HandleFunc("/api/posts", handler.Web(viewLocalTimelineAPI, readPerm)) r.HandleFunc("/p/{page}", handler.Web(viewLocalTimeline, readPerm)) r.HandleFunc("/feed/", handler.Web(viewLocalTimelineFeed, readPerm)) r.HandleFunc("/t/{tag}", handler.Web(viewLocalTimeline, readPerm)) r.HandleFunc("/a/{post}", handler.Web(handlePostIDRedirect, readPerm)) r.HandleFunc("/{author}", handler.Web(viewLocalTimeline, readPerm)) r.HandleFunc("/", handler.Web(viewLocalTimeline, readPerm)) } diff --git a/schema.sql b/schema.sql index ca8ec71..b3fae97 100644 --- a/schema.sql +++ b/schema.sql @@ -1,242 +1,241 @@ -- -- Database: `writefreely` -- -- -------------------------------------------------------- -- -- Table structure for table `accesstokens` -- CREATE TABLE IF NOT EXISTS `accesstokens` ( `token` binary(16) NOT NULL, `user_id` int(6) NOT NULL, `sudo` tinyint(1) NOT NULL DEFAULT '0', `one_time` tinyint(1) NOT NULL DEFAULT '0', `created` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP, `expires` datetime DEFAULT NULL, `user_agent` varchar(255) DEFAULT NULL, PRIMARY KEY (`token`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `appcontent` -- CREATE TABLE IF NOT EXISTS `appcontent` ( `id` varchar(36) NOT NULL, `content` mediumtext CHARACTER SET utf8 COLLATE utf8_bin NOT NULL, `updated` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `appmigrations` -- CREATE TABLE `appmigrations` ( `version` int(11) NOT NULL, `migrated` datetime NOT NULL, `result` text NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `collectionattributes` -- CREATE TABLE IF NOT EXISTS `collectionattributes` ( `collection_id` int(6) NOT NULL, `attribute` varchar(128) NOT NULL, `value` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL, PRIMARY KEY (`collection_id`,`attribute`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `collectionkeys` -- CREATE TABLE IF NOT EXISTS `collectionkeys` ( `collection_id` int(6) NOT NULL, `public_key` blob NOT NULL, `private_key` blob NOT NULL, PRIMARY KEY (`collection_id`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `collectionpasswords` -- CREATE TABLE IF NOT EXISTS `collectionpasswords` ( `collection_id` int(6) NOT NULL, `password` char(60) NOT NULL, PRIMARY KEY (`collection_id`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `collectionredirects` -- CREATE TABLE IF NOT EXISTS `collectionredirects` ( `prev_alias` varchar(100) NOT NULL, `new_alias` varchar(100) NOT NULL, PRIMARY KEY (`prev_alias`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `collections` -- CREATE TABLE IF NOT EXISTS `collections` ( `id` int(6) NOT NULL AUTO_INCREMENT, `alias` varchar(100) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL, `title` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL, `description` varchar(160) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL, `style_sheet` text, `script` text CHARACTER SET utf8mb4 COLLATE utf8mb4_bin, `format` varchar(8) DEFAULT NULL, `privacy` tinyint(1) NOT NULL, `owner_id` int(6) NOT NULL, `view_count` int(6) NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `alias` (`alias`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `posts` -- CREATE TABLE IF NOT EXISTS `posts` ( `id` char(16) NOT NULL, `slug` varchar(100) DEFAULT NULL, `modify_token` char(32) DEFAULT NULL, `text_appearance` char(4) NOT NULL DEFAULT 'norm', `language` char(2) DEFAULT NULL, `rtl` tinyint(1) DEFAULT NULL, `privacy` tinyint(1) NOT NULL, `owner_id` int(6) DEFAULT NULL, `collection_id` int(6) DEFAULT NULL, `pinned_position` tinyint(1) UNSIGNED DEFAULT NULL, `created` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP, `updated` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP, `view_count` int(6) NOT NULL, `title` varchar(160) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL, `content` text CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `id_slug` (`collection_id`,`slug`), UNIQUE KEY `owner_id` (`owner_id`,`id`), KEY `privacy_id` (`privacy`,`id`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `remotefollows` -- CREATE TABLE IF NOT EXISTS `remotefollows` ( `collection_id` int(11) NOT NULL, `remote_user_id` int(11) NOT NULL, `created` datetime NOT NULL, PRIMARY KEY (`collection_id`,`remote_user_id`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `remoteuserkeys` -- CREATE TABLE IF NOT EXISTS `remoteuserkeys` ( `id` varchar(255) NOT NULL, `remote_user_id` int(11) NOT NULL, `public_key` blob NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `follower_id` (`remote_user_id`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `remoteusers` -- CREATE TABLE IF NOT EXISTS `remoteusers` ( `id` int(11) NOT NULL AUTO_INCREMENT, `actor_id` varchar(255) NOT NULL, `inbox` varchar(255) NOT NULL, `shared_inbox` varchar(255) NOT NULL, - `handle` varchar(255) DEFAULT '' NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `collection_id` (`actor_id`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `userattributes` -- CREATE TABLE IF NOT EXISTS `userattributes` ( `user_id` int(6) NOT NULL, `attribute` varchar(64) NOT NULL, `value` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL, PRIMARY KEY (`user_id`,`attribute`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `userinvites` -- CREATE TABLE `userinvites` ( `id` char(6) NOT NULL, `owner_id` int(11) NOT NULL, `max_uses` smallint(6) DEFAULT NULL, `created` datetime NOT NULL, `expires` datetime DEFAULT NULL, `inactive` tinyint(1) NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `users` -- CREATE TABLE IF NOT EXISTS `users` ( `id` int(6) NOT NULL AUTO_INCREMENT, `username` varchar(100) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL, `password` char(60) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, `email` varbinary(255) DEFAULT NULL, `created` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP, PRIMARY KEY (`id`), UNIQUE KEY `username` (`username`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; -- -------------------------------------------------------- -- -- Table structure for table `usersinvited` -- CREATE TABLE `usersinvited` ( `invite_id` char(6) NOT NULL, `user_id` int(11) NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=latin1; diff --git a/sqlite.sql b/sqlite.sql index e1a6b96..90989ed 100644 --- a/sqlite.sql +++ b/sqlite.sql @@ -1,230 +1,229 @@ -- -- Database: writefreely -- -- -------------------------------------------------------- -- -- Table structure for table accesstokens -- CREATE TABLE IF NOT EXISTS `accesstokens` ( token TEXT NOT NULL PRIMARY KEY, user_id INTEGER NOT NULL, sudo INTEGER NOT NULL DEFAULT '0', one_time INTEGER NOT NULL DEFAULT '0', created DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, expires DATETIME DEFAULT NULL, user_agent TEXT DEFAULT NULL ); -- -------------------------------------------------------- -- -- Table structure for table appcontent -- CREATE TABLE IF NOT EXISTS `appcontent` ( id TEXT NOT NULL PRIMARY KEY, content TEXT NOT NULL, updated DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP ); -- -------------------------------------------------------- -- -- Table structure for table appmigrations -- CREATE TABLE `appmigrations` ( `version` INT NOT NULL, `migrated` DATETIME NOT NULL, `result` TEXT NOT NULL ); -- -------------------------------------------------------- -- -- Table structure for table collectionattributes -- CREATE TABLE IF NOT EXISTS `collectionattributes` ( collection_id INTEGER NOT NULL, attribute TEXT NOT NULL, value TEXT NOT NULL, PRIMARY KEY (collection_id, attribute) ); -- -------------------------------------------------------- -- -- Table structure for table collectionkeys -- CREATE TABLE IF NOT EXISTS `collectionkeys` ( collection_id INTEGER PRIMARY KEY, public_key blob NOT NULL, private_key blob NOT NULL ); -- -------------------------------------------------------- -- -- Table structure for table collectionpasswords -- CREATE TABLE IF NOT EXISTS `collectionpasswords` ( collection_id INTEGER PRIMARY KEY, password TEXT NOT NULL ); -- -------------------------------------------------------- -- -- Table structure for table collectionredirects -- CREATE TABLE IF NOT EXISTS `collectionredirects` ( prev_alias TEXT NOT NULL PRIMARY KEY, new_alias TEXT NOT NULL ); -- -------------------------------------------------------- -- -- Table structure for table collections -- CREATE TABLE IF NOT EXISTS `collections` ( id INTEGER PRIMARY KEY AUTOINCREMENT, alias TEXT DEFAULT NULL UNIQUE, title TEXT NOT NULL, description TEXT NOT NULL, style_sheet TEXT, script TEXT, format TEXT DEFAULT NULL, privacy INTEGER NOT NULL, owner_id INTEGER NOT NULL, view_count INTEGER NOT NULL ); -- -------------------------------------------------------- -- -- Table structure for table posts -- CREATE TABLE IF NOT EXISTS `posts` ( id TEXT NOT NULL, slug TEXT DEFAULT NULL, modify_token TEXT DEFAULT NULL, text_appearance TEXT NOT NULL DEFAULT 'norm', language TEXT DEFAULT NULL, rtl INTEGER DEFAULT NULL, privacy INTEGER NOT NULL, owner_id INTEGER DEFAULT NULL, collection_id INTEGER DEFAULT NULL, pinned_position INTEGER UNSIGNED DEFAULT NULL, created DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, updated DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, view_count INTEGER NOT NULL, title TEXT NOT NULL, content TEXT NOT NULL, CONSTRAINT id_slug UNIQUE (collection_id, slug), CONSTRAINT owner_id UNIQUE (owner_id, id), CONSTRAINT privacy_id UNIQUE (privacy, id) ); -- -------------------------------------------------------- -- -- Table structure for table remotefollows -- CREATE TABLE IF NOT EXISTS `remotefollows` ( collection_id INTEGER NOT NULL, remote_user_id INTEGER NOT NULL, created DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, PRIMARY KEY (collection_id,remote_user_id) ); -- -------------------------------------------------------- -- -- Table structure for table remoteuserkeys -- CREATE TABLE IF NOT EXISTS `remoteuserkeys` ( id TEXT NOT NULL, remote_user_id INTEGER NOT NULL, public_key blob NOT NULL, CONSTRAINT follower_id UNIQUE (remote_user_id) ); -- -------------------------------------------------------- -- -- Table structure for table remoteusers -- CREATE TABLE IF NOT EXISTS `remoteusers` ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, actor_id TEXT NOT NULL, inbox TEXT NOT NULL, shared_inbox TEXT NOT NULL, - handle TEXT DEFAULT '' NOT NULL, CONSTRAINT collection_id UNIQUE (actor_id) ); -- -------------------------------------------------------- -- -- Table structure for table userattributes -- CREATE TABLE IF NOT EXISTS `userattributes` ( user_id INTEGER NOT NULL, attribute TEXT NOT NULL, value TEXT NOT NULL, PRIMARY KEY (user_id, attribute) ); -- -------------------------------------------------------- -- -- Table structure for table `userinvites` -- CREATE TABLE `userinvites` ( `id` TEXT NOT NULL, `owner_id` INTEGER NOT NULL, `max_uses` INTEGER DEFAULT NULL, `created` DATETIME NOT NULL, `expires` DATETIME DEFAULT NULL, `inactive` INTEGER NOT NULL ); -- -------------------------------------------------------- -- -- Table structure for table users -- CREATE TABLE IF NOT EXISTS `users` ( id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL UNIQUE, password TEXT NOT NULL, email TEXT DEFAULT NULL, created DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP ); -- -------------------------------------------------------- -- -- Table structure for table `usersinvited` -- CREATE TABLE `usersinvited` ( `invite_id` TEXT NOT NULL, `user_id` INTEGER NOT NULL ); diff --git a/webfinger.go b/webfinger.go index 715e1cf..72c3f95 100644 --- a/webfinger.go +++ b/webfinger.go @@ -1,112 +1,127 @@ /* * Copyright © 2018 A Bunch Tell LLC. * * This file is part of WriteFreely. * * WriteFreely is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License, included * in the LICENSE file in this source code package. */ package writefreely import ( "encoding/json" "io/ioutil" "net/http" "strings" "github.com/writeas/go-webfinger" "github.com/writeas/impart" "github.com/writeas/web-core/log" "github.com/writeas/writefreely/config" ) type wfResolver struct { db *datastore cfg *config.Config } var wfUserNotFoundErr = impart.HTTPError{http.StatusNotFound, "User not found."} func (wfr wfResolver) FindUser(username string, host, requestHost string, r []webfinger.Rel) (*webfinger.Resource, error) { var c *Collection var err error if wfr.cfg.App.SingleUser { c, err = wfr.db.GetCollectionByID(1) } else { c, err = wfr.db.GetCollection(username) } if err != nil { log.Error("Unable to get blog: %v", err) return nil, err } c.hostName = wfr.cfg.App.Host if wfr.cfg.App.SingleUser { // Ensure handle matches user-chosen one on single-user blogs if username != c.Alias { log.Info("Username '%s' is not handle '%s'", username, c.Alias) return nil, wfUserNotFoundErr } } // Only return information if site has federation enabled. // TODO: enable two levels of federation? Unlisted or Public on timelines? if !wfr.cfg.App.Federation { return nil, wfUserNotFoundErr } res := webfinger.Resource{ Subject: "acct:" + username + "@" + host, Aliases: []string{ c.CanonicalURL(), c.FederatedAccount(), }, Links: []webfinger.Link{ { HRef: c.CanonicalURL(), Type: "text/html", Rel: "https://webfinger.net/rel/profile-page", }, { HRef: c.FederatedAccount(), Type: "application/activity+json", Rel: "self", }, }, } return &res, nil } func (wfr wfResolver) DummyUser(username string, hostname string, r []webfinger.Rel) (*webfinger.Resource, error) { return nil, wfUserNotFoundErr } func (wfr wfResolver) IsNotFoundError(err error) bool { return err == wfUserNotFoundErr } // RemoteLookup looks up a user by handle at a remote server // and returns the actor URL func RemoteLookup(handle string) string { handle = strings.TrimLeft(handle, "@") // let's take the server part of the handle parts := strings.Split(handle, "@") resp, err := http.Get("https://" + parts[1] + "/.well-known/webfinger?resource=acct:" + handle) if err != nil { log.Error("Error performing webfinger request", err) return "" } body, err := ioutil.ReadAll(resp.Body) if err != nil { log.Error("Error reading webfinger response", err) return "" } var result map[string]interface{} json.Unmarshal(body, &result) - aliases := result["aliases"].([]interface{}) + var href string + for _, link := range result["links"].([]interface{}) { + if link.(map[string]interface{})["rel"] == "self" { + href = link.(map[string]interface{})["href"].(string) + } + } + + // if we didn't find it with the above then + // try using aliases + if href == "" { + aliases := result["aliases"].([]interface{}) + // take the last alias because mastodon has the + // https://instance.tld/@user first which + // doesn't work as an href + href = aliases[len(aliases)-1].(string) + } - return aliases[len(aliases)-1].(string) + return href }