459 lines
16 KiB
Go
459 lines
16 KiB
Go
package api
|
|
|
|
import (
|
|
"crypto/hmac"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"crypto/tls"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"log"
|
|
"net"
|
|
"net/http"
|
|
"os"
|
|
"sort"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"greencoast/internal/index"
|
|
"greencoast/internal/storage"
|
|
)
|
|
|
|
// ----------- Auth Providers & config (SSO / 2FA stubs) ------------
|
|
|
|
type DiscordProvider struct {
|
|
Enabled bool
|
|
ClientID string
|
|
ClientSecret string
|
|
RedirectURI string
|
|
}
|
|
|
|
type AuthProviders struct {
|
|
SigningSecretHex string
|
|
Discord DiscordProvider
|
|
GoogleEnabled bool // placeholder
|
|
FacebookEnabled bool // placeholder
|
|
WebAuthnEnabled bool // placeholder
|
|
TOTPEnabled bool // placeholder
|
|
}
|
|
|
|
// ----------- SSE hub (live index) ------------
|
|
|
|
type sseEvent struct {
|
|
Event string `json:"event"` // "put" | "delete"
|
|
Data interface{} `json:"data"`
|
|
}
|
|
|
|
type hub struct {
|
|
mu sync.Mutex
|
|
subs map[chan []byte]struct{}
|
|
}
|
|
|
|
func newHub() *hub { return &hub{subs: make(map[chan []byte]struct{})} }
|
|
|
|
func (h *hub) subscribe() (ch chan []byte, cancel func()) {
|
|
ch = make(chan []byte, 16)
|
|
h.mu.Lock(); h.subs[ch] = struct{}{}; h.mu.Unlock()
|
|
cancel = func() { h.mu.Lock(); if _, ok := h.subs[ch]; ok { delete(h.subs, ch); close(ch) }; h.mu.Unlock() }
|
|
return ch, cancel
|
|
}
|
|
func (h *hub) broadcast(ev sseEvent) {
|
|
b, _ := json.Marshal(ev)
|
|
line := append([]byte("data: "), b...)
|
|
line = append(line, '\n', '\n')
|
|
h.mu.Lock()
|
|
for ch := range h.subs {
|
|
select { case ch <- line: default: }
|
|
}
|
|
h.mu.Unlock()
|
|
}
|
|
|
|
// ----------- Server ------------
|
|
|
|
type Server struct {
|
|
mux *http.ServeMux
|
|
store *storage.FSStore
|
|
idx *index.Index
|
|
coarseTS bool
|
|
zeroTrust bool
|
|
|
|
signingSecret []byte
|
|
discord DiscordProvider
|
|
|
|
devAllow bool
|
|
devToken string
|
|
|
|
live *hub
|
|
}
|
|
|
|
func New(store *storage.FSStore, idx *index.Index, coarseTimestamps bool, zeroTrust bool, auth AuthProviders) *Server {
|
|
devAllow := strings.ToLower(os.Getenv("GC_DEV_ALLOW_UNAUTH")) == "true"
|
|
devToken := os.Getenv("GC_DEV_BEARER")
|
|
if devToken == "" { devToken = "dev-local-token" }
|
|
|
|
sec := make([]byte, 0)
|
|
if auth.SigningSecretHex != "" {
|
|
if b, err := hex.DecodeString(auth.SigningSecretHex); err == nil { sec = b }
|
|
}
|
|
|
|
s := &Server{
|
|
mux: http.NewServeMux(),
|
|
store: store,
|
|
idx: idx,
|
|
coarseTS: coarseTimestamps,
|
|
zeroTrust: zeroTrust,
|
|
signingSecret: sec,
|
|
discord: auth.Discord,
|
|
devAllow: devAllow,
|
|
devToken: devToken,
|
|
live: newHub(),
|
|
}
|
|
s.routes()
|
|
return s
|
|
}
|
|
|
|
// ---------- middleware helpers (privacy, CORS, auth) ----------
|
|
|
|
func (s *Server) secureHeaders(w http.ResponseWriter) {
|
|
// Anti-fingerprinting posture: do not echo request details; set strict policies.
|
|
w.Header().Set("Referrer-Policy", "no-referrer")
|
|
w.Header().Set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), interest-cohort=(), browsing-topics=()")
|
|
w.Header().Set("X-Content-Type-Options", "nosniff")
|
|
w.Header().Set("X-Frame-Options", "DENY")
|
|
w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
|
|
w.Header().Set("Cross-Origin-Resource-Policy", "same-site")
|
|
// CORS: allow simple cross-origin usage without credentials (we do not use cookies).
|
|
w.Header().Set("Access-Control-Allow-Origin", "*")
|
|
w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, X-GC-Private, X-GC-3P-Assent")
|
|
w.Header().Set("Access-Control-Allow-Methods", "GET, PUT, DELETE, OPTIONS")
|
|
// No-store by default (content blobs may be large but not user-identifying)
|
|
w.Header().Set("Cache-Control", "no-store")
|
|
// HSTS is meaningful over HTTPS; harmless otherwise.
|
|
w.Header().Set("Strict-Transport-Security", "max-age=15552000; includeSubDomains; preload")
|
|
}
|
|
|
|
func (s *Server) with(w http.ResponseWriter, r *http.Request, handler func(http.ResponseWriter, *http.Request)) {
|
|
s.secureHeaders(w)
|
|
// Handle CORS preflight
|
|
if r.Method == http.MethodOptions {
|
|
w.WriteHeader(http.StatusNoContent)
|
|
return
|
|
}
|
|
handler(w, r)
|
|
}
|
|
|
|
func (s *Server) auth(next http.HandlerFunc) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
s.secureHeaders(w)
|
|
if !s.zeroTrust {
|
|
next.ServeHTTP(w, r); return
|
|
}
|
|
authz := r.Header.Get("Authorization")
|
|
|
|
// Dev bypass if explicitly enabled
|
|
if s.devAllow {
|
|
if authz == "" || authz == "Bearer "+s.devToken {
|
|
next.ServeHTTP(w, r); return
|
|
}
|
|
}
|
|
if !strings.HasPrefix(authz, "Bearer ") {
|
|
http.Error(w, "unauthorized", http.StatusUnauthorized); return
|
|
}
|
|
if len(s.signingSecret) == 0 {
|
|
// If no signing secret configured, accept presence only (dev posture).
|
|
next.ServeHTTP(w, r); return
|
|
}
|
|
token := strings.TrimPrefix(authz, "Bearer ")
|
|
if ok := s.verifyShardToken(token); !ok {
|
|
http.Error(w, "unauthorized", http.StatusUnauthorized); return
|
|
}
|
|
next.ServeHTTP(w, r)
|
|
}
|
|
}
|
|
|
|
// ---------- shard token (HMAC, short-lived) ----------
|
|
|
|
// Format: gc|prov|sub|expEpoch|hex(hmacSHA256(secret, prov+'|'+sub+'|'+exp))
|
|
func (s *Server) signShardToken(provider, subject string, exp time.Time) (string, error) {
|
|
if len(s.signingSecret) == 0 {
|
|
return "", errors.New("signing disabled (missing auth.signing_secret)")
|
|
}
|
|
msg := provider + "|" + subject + "|" + fmt.Sprint(exp.Unix())
|
|
mac := hmac.New(sha256.New, s.signingSecret)
|
|
_, _ = mac.Write([]byte(msg))
|
|
sig := hex.EncodeToString(mac.Sum(nil))
|
|
return "gc|" + msg + "|" + sig, nil
|
|
}
|
|
func (s *Server) verifyShardToken(tok string) bool {
|
|
parts := strings.Split(tok, "|")
|
|
if len(parts) != 5 || parts[0] != "gc" { return false }
|
|
prov, sub, expStr, sig := parts[1], parts[2], parts[3], parts[4]
|
|
msg := prov + "|" + sub + "|" + expStr
|
|
mac := hmac.New(sha256.New, s.signingSecret)
|
|
_, _ = mac.Write([]byte(msg))
|
|
want := hex.EncodeToString(mac.Sum(nil))
|
|
if !hmac.Equal([]byte(want), []byte(sig)) { return false }
|
|
// expiry
|
|
secs, err := time.ParseDuration(expStr + "s")
|
|
if err != nil {
|
|
// expStr is epoch; parse manually
|
|
epoch, e2 := time.ParseDuration("0s"); _ = epoch; _ = e2
|
|
}
|
|
// treat expStr as epoch seconds
|
|
var expUnix int64
|
|
fmt.Sscan(expStr, &expUnix)
|
|
return time.Now().UTC().Unix() < expUnix
|
|
}
|
|
|
|
// ---------- routes ----------
|
|
|
|
func (s *Server) routes() {
|
|
s.mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
|
|
s.with(w, r, func(w http.ResponseWriter, _ *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte("ok"))
|
|
})
|
|
})
|
|
|
|
// PUT object (opaque). Client may flag privacy in index via X-GC-Private: 1.
|
|
s.mux.HandleFunc("/v1/object", s.auth(func(w http.ResponseWriter, r *http.Request) {
|
|
s.with(w, r, func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPut {
|
|
http.Error(w, "method not allowed", http.StatusMethodNotAllowed); return
|
|
}
|
|
isPrivate := strings.TrimSpace(r.Header.Get("X-GC-Private")) == "1"
|
|
hash, n, err := s.store.Put(r.Body)
|
|
if err != nil { http.Error(w, err.Error(), http.StatusBadRequest); return }
|
|
ts := s.nowCoarse()
|
|
_ = s.idx.AppendPut(index.Entry{
|
|
Hash: hash, Bytes: n, StoredAt: s.parseRFC3339(ts), Private: isPrivate,
|
|
})
|
|
s.live.broadcast(sseEvent{Event: "put", Data: map[string]any{
|
|
"hash": hash, "bytes": n, "stored_at": ts, "private": isPrivate,
|
|
}})
|
|
w.Header().Set("Content-Type", "application/json")
|
|
fmt.Fprintf(w, `{"ok":true,"hash":"%s","bytes":%d,"stored_at":"%s"}`, hash, n, ts)
|
|
})
|
|
}))
|
|
|
|
// GET/DELETE object by hash
|
|
s.mux.HandleFunc("/v1/object/", s.auth(func(w http.ResponseWriter, r *http.Request) {
|
|
s.with(w, r, func(w http.ResponseWriter, r *http.Request) {
|
|
switch r.Method {
|
|
case http.MethodGet:
|
|
hash := strings.TrimPrefix(r.URL.Path, "/v1/object/")
|
|
p, err := s.store.Get(hash)
|
|
if err != nil { http.NotFound(w, r); return }
|
|
f, err := os.Open(p)
|
|
if err != nil { http.Error(w, "open error", http.StatusInternalServerError); return }
|
|
defer f.Close()
|
|
w.Header().Set("Content-Type", "application/octet-stream")
|
|
_, _ = io.Copy(w, f)
|
|
case http.MethodDelete:
|
|
hash := strings.TrimPrefix(r.URL.Path, "/v1/object/")
|
|
if err := s.store.Delete(hash); err != nil { http.NotFound(w, r); return }
|
|
_ = s.idx.AppendDelete(hash)
|
|
s.live.broadcast(sseEvent{Event: "delete", Data: map[string]any{"hash": hash}})
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_, _ = w.Write([]byte(`{"ok":true,"deleted":true}`))
|
|
default:
|
|
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
|
|
}
|
|
})
|
|
}))
|
|
|
|
// Index snapshot
|
|
s.mux.HandleFunc("/v1/index", s.auth(func(w http.ResponseWriter, r *http.Request) {
|
|
s.with(w, r, func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodGet { http.Error(w, "method not allowed", http.StatusMethodNotAllowed); return }
|
|
entries, err := s.idx.Snapshot()
|
|
if err != nil { http.Error(w, err.Error(), 500); return }
|
|
sort.Slice(entries, func(i, j int) bool { return entries[i].StoredAt.After(entries[j].StoredAt) })
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(entries)
|
|
})
|
|
}))
|
|
|
|
// Index live (SSE)
|
|
s.mux.HandleFunc("/v1/index/stream", s.auth(func(w http.ResponseWriter, r *http.Request) {
|
|
s.secureHeaders(w)
|
|
flusher, ok := w.(http.Flusher)
|
|
if !ok { http.Error(w, "stream unsupported", http.StatusInternalServerError); return }
|
|
w.Header().Set("Content-Type", "text/event-stream")
|
|
w.Header().Set("Cache-Control", "no-store")
|
|
w.Header().Set("Connection", "keep-alive")
|
|
|
|
ch, cancel := s.live.subscribe()
|
|
defer cancel()
|
|
|
|
_, _ = w.Write([]byte(": ok\n\n")); flusher.Flush()
|
|
ticker := time.NewTicker(25 * time.Second); defer ticker.Stop()
|
|
notify := r.Context().Done()
|
|
for {
|
|
select {
|
|
case <-notify: return
|
|
case <-ticker.C:
|
|
_, _ = w.Write([]byte(": ping\n\n")); flusher.Flush()
|
|
case msg, ok := <-ch:
|
|
if !ok { return }
|
|
_, _ = w.Write(msg); flusher.Flush()
|
|
}
|
|
}
|
|
}))
|
|
|
|
// GDPR policy + Third-party disclaimer
|
|
s.mux.HandleFunc("/v1/gdpr/policy", func(w http.ResponseWriter, r *http.Request) {
|
|
s.with(w, r, func(w http.ResponseWriter, _ *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(map[string]any{
|
|
"collect_ip": false,
|
|
"collect_useragent": false,
|
|
"timestamp_policy": s.ternary(s.coarseTS, "coarse-hour", "exact"),
|
|
"stores_pii": false,
|
|
"erasure": "DELETE /v1/object/{hash}",
|
|
"portability": "GET /v1/object/{hash}",
|
|
"third_party_auth": "Using external SSO providers is optional. We cannot vouch for their security; proceed only if you trust the provider.",
|
|
})
|
|
})
|
|
})
|
|
|
|
// ---------- Discord SSO (first provider) ----------
|
|
|
|
// Start: returns authorization URL. Requires explicit assent.
|
|
s.mux.HandleFunc("/v1/auth/discord/start", func(w http.ResponseWriter, r *http.Request) {
|
|
s.with(w, r, func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
if !s.discord.Enabled {
|
|
http.Error(w, "discord SSO disabled", http.StatusNotImplemented); return
|
|
}
|
|
if !assented(r) {
|
|
http.Error(w, "third-party assent required (set header X-GC-3P-Assent: 1)", http.StatusPreconditionFailed); return
|
|
}
|
|
state := randHex(24)
|
|
url := "https://discord.com/api/oauth2/authorize" +
|
|
"?response_type=code" +
|
|
"&client_id=" + urlq(s.discord.ClientID) +
|
|
"&scope=" + urlq("identify") +
|
|
"&redirect_uri=" + urlq(s.discord.RedirectURI) +
|
|
"&prompt=consent" +
|
|
"&state=" + urlq(state)
|
|
_ = state // stateless; client returns same state to callback; you can verify in client
|
|
_ = json.NewEncoder(w).Encode(map[string]any{"url": url, "note": "We cannot vouch for external IdP security."})
|
|
})
|
|
})
|
|
|
|
// Callback: exchanges code for Discord access_token, fetches @me to get subject id
|
|
// then issues a short-lived shard token (HMAC). No data persisted.
|
|
s.mux.HandleFunc("/v1/auth/discord/callback", func(w http.ResponseWriter, r *http.Request) {
|
|
s.with(w, r, func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
if !s.discord.Enabled {
|
|
http.Error(w, "discord SSO disabled", http.StatusNotImplemented); return
|
|
}
|
|
if !assented(r) {
|
|
http.Error(w, "third-party assent required (set header X-GC-3P-Assent: 1)", http.StatusPreconditionFailed); return
|
|
}
|
|
code := r.URL.Query().Get("code")
|
|
if code == "" { http.Error(w, "missing code", 400); return }
|
|
|
|
// Exchange code -> access_token
|
|
form := "client_id=" + urlq(s.discord.ClientID) +
|
|
"&client_secret=" + urlq(s.discord.ClientSecret) +
|
|
"&grant_type=authorization_code" +
|
|
"&code=" + urlq(code) +
|
|
"&redirect_uri=" + urlq(s.discord.RedirectURI)
|
|
req, _ := http.NewRequest(http.MethodPost, "https://discord.com/api/oauth2/token", strings.NewReader(form))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
resp, err := http.DefaultClient.Do(req)
|
|
if err != nil { http.Error(w, "token exchange failed", 502); return }
|
|
defer resp.Body.Close()
|
|
var tok struct{ AccessToken, TokenType string `json:"access_token","token_type"` }
|
|
if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil || tok.AccessToken == "" {
|
|
http.Error(w, "invalid token response", 502); return
|
|
}
|
|
|
|
// Fetch user id (PII seen in transit only; not stored)
|
|
uReq, _ := http.NewRequest(http.MethodGet, "https://discord.com/api/users/@me", nil)
|
|
uReq.Header.Set("Authorization", tok.TokenType+" "+tok.AccessToken)
|
|
uResp, err := http.DefaultClient.Do(uReq)
|
|
if err != nil { http.Error(w, "userinfo failed", 502); return }
|
|
defer uResp.Body.Close()
|
|
var me struct{ ID string `json:"id"` }
|
|
if err := json.NewDecoder(uResp.Body).Decode(&me); err != nil || me.ID == "" {
|
|
http.Error(w, "userinfo parse failed", 502); return
|
|
}
|
|
|
|
// Issue shard token
|
|
exp := time.Now().UTC().Add(30 * time.Minute)
|
|
gcTok, err := s.signShardToken("discord", me.ID, exp)
|
|
if err != nil { http.Error(w, err.Error(), 500); return }
|
|
|
|
_ = json.NewEncoder(w).Encode(map[string]any{
|
|
"ok": true,
|
|
"token": gcTok,
|
|
"expires_at": exp.Format(time.RFC3339),
|
|
"disclaimer": "This token is issued after authenticating with a third-party provider (Discord). We cannot vouch for third-party security.",
|
|
})
|
|
})
|
|
})
|
|
}
|
|
|
|
// ---------- helpers ----------
|
|
|
|
func (s *Server) nowCoarse() string {
|
|
ts := time.Now().UTC()
|
|
if s.coarseTS { ts = ts.Truncate(time.Hour) }
|
|
return ts.Format(time.RFC3339)
|
|
}
|
|
func (s *Server) parseRFC3339(v string) time.Time { t, _ := time.Parse(time.RFC3339, v); return t }
|
|
|
|
func (s *Server) ternary[T any](cond bool, a, b T) T { if cond { return a }; return b }
|
|
|
|
func assented(r *http.Request) bool {
|
|
if r.Header.Get("X-GC-3P-Assent") == "1" { return true }
|
|
if r.URL.Query().Get("assent") == "1" { return true }
|
|
return false
|
|
}
|
|
|
|
func randHex(n int) string {
|
|
b := make([]byte, n)
|
|
if _, err := rand.Read(b); err != nil {
|
|
// very unlikely; fall back to timestamp bytes
|
|
ts := time.Now().UnixNano()
|
|
for i := 0; i < n; i++ { b[i] = byte(ts >> (8 * (i % 8))) }
|
|
}
|
|
return hex.EncodeToString(b)
|
|
}
|
|
|
|
// randReader uses crypto/rand without importing directly to keep imports tidy here.
|
|
type randReader struct{}
|
|
func (randReader) Read(p []byte) (int, error) { return io.ReadFull(os.OpenFile("/dev/urandom", os.O_RDONLY, 0), p) } // fallback if needed (linux-only)
|
|
|
|
// ----- listeners -----
|
|
|
|
func (s *Server) ListenHTTP(addr string) error {
|
|
log.Printf("http listening on %s", addr)
|
|
server := &http.Server{ Addr: addr, Handler: s.mux, ReadHeaderTimeout: 5 * time.Second }
|
|
ln, err := net.Listen("tcp", addr)
|
|
if err != nil { return err }
|
|
return server.Serve(ln)
|
|
}
|
|
|
|
func (s *Server) ListenHTTPS(addr, certFile, keyFile string) error {
|
|
log.Printf("https listening on %s", addr)
|
|
server := &http.Server{ Addr: addr, Handler: s.mux, ReadHeaderTimeout: 5 * time.Second }
|
|
return server.ListenAndServeTLS(certFile, keyFile)
|
|
}
|
|
|
|
func (s *Server) ListenMTLS(addr string, tlsCfg *tls.Config) error {
|
|
log.Printf("federation mTLS listening on %s", addr)
|
|
server := &http.Server{ Addr: addr, Handler: s.mux, ReadHeaderTimeout: 5 * time.Second, TLSConfig: tlsCfg }
|
|
ln, err := tls.Listen("tcp", addr, tlsCfg)
|
|
if err != nil { return err }
|
|
return server.Serve(ln)
|
|
}
|