gitea-github-proxy/api/middleware.go

package api

import (
	"code.gitea.io/sdk/gitea"
	"context"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"git.lumeweb.com/LumeWeb/gitea-github-proxy/config"
	"git.lumeweb.com/LumeWeb/gitea-github-proxy/db/model"
	"github.com/golang-jwt/jwt"
	"github.com/gorilla/mux"
	"go.uber.org/zap"
	"gorm.io/gorm"
	"io"
	"net/http"
	"strconv"
	"strings"
)

const AUTHED_CONTEXT_KEY = "authed"
const REDIRECT_AFTER_AUTH = "redirect-after-auth"
const WEBHOOK_CONTEXT_KEY = "webhook"

const AuthCookieName = "auth-token"

type standardClaims struct {
	Issuer any `json:"iss,omitempty"`
	jwt.StandardClaims
}

func findAuthToken(r *http.Request) string {
	authHeader := parseAuthTokenHeader(r.Header)

	if authHeader != "" {
		return authHeader
	}

	cookie := getCookie(r, AuthCookieName)
	if cookie != "" {
		return cookie
	}

	return r.FormValue(AuthCookieName)
}

func giteaOauthVerifyMiddleware(cfg *config.Config) mux.MiddlewareFunc {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			token := findAuthToken(r)
			if token == "" {
				addAuthStatusToRequestServ(false, r, w, next)
				return
			}

			client, err := getClient(ClientParams{
				Config:    cfg,
				AuthToken: token,
			})

			if err != nil {
				http.Error(w, err.Error(), http.StatusInternalServerError)
				return
			}

			_, _, err = client.AdminListUsers(gitea.AdminListUsersOptions{})
			if err != nil {
				addAuthStatusToRequestServ(false, r, w, next)
				return
			}

			addAuthStatusToRequestServ(true, r, w, next)
		})
	}
}
func githubRestVerifyMiddleware(db *gorm.DB) mux.MiddlewareFunc {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			token := findAuthToken(r)

			if token != "" {
				parseToken, _, err := new(jwt.Parser).ParseUnverified(token, jwt.MapClaims{})
				if err != nil {
					http.Error(w, "Invalid JWT", http.StatusUnauthorized)
					return
				}

				claims, ok := parseToken.Claims.(jwt.MapClaims)
				if !ok {
					http.Error(w, "Invalid JWT", http.StatusUnauthorized)
					return
				}

				var appId string

				switch v := claims["iss"].(type) {
				case string:
					appId = v
				case float64:
					appId = strconv.FormatFloat(v, 'f', -1, 64)
				default:
					http.Error(w, "Invalid JWT", http.StatusUnauthorized)
					return
				}

				appIdInt, err := strconv.Atoi(appId)
				if err != nil {
					http.Error(w, "Invalid JWT", http.StatusUnauthorized)
					return
				}

				appRecord := &model.Apps{}
				appRecord.ID = uint(appIdInt)

				if err := db.First(appRecord).Error; err != nil {
					http.Error(w, "Invalid JWT", http.StatusUnauthorized)
					return
				}

				block, _ := pem.Decode([]byte(appRecord.PrivateKey))
				if block == nil {
					// Handle error
					http.Error(w, "Invalid Private Key", http.StatusInternalServerError)
					return
				}

				privateKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
				if err != nil {
					// Handle error
					http.Error(w, "Failed to parse Private Key", http.StatusInternalServerError)
					return
				}

				publicKey := &privateKey.PublicKey

				parseToken, err = jwt.ParseWithClaims(token, &standardClaims{}, func(token *jwt.Token) (interface{}, error) {
					if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
						return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
					}

					// Return the RSA public key
					return publicKey, nil
				})
				if err != nil {
					http.Error(w, err.Error(), http.StatusBadRequest)
					return
				}

				if mux.CurrentRoute(r).GetName() == "app-install-get-access-token" {
					installId := mux.Vars(r)["installation_id"]

					installIdInt, err := strconv.Atoi(installId)
					if err != nil {
						http.Error(w, "Invalid Install", http.StatusUnauthorized)
						return
					}

					if appIdInt != installIdInt {
						http.Error(w, "Invalid Install", http.StatusUnauthorized)
						return
					}
				}
			}

			addAuthStatusToRequestServ(true, r, w, next)
		})
	}
}

func storeWebhookDataMiddleware(logger *zap.Logger) mux.MiddlewareFunc {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			var webhook map[string]interface{}
			body, err := io.ReadAll(r.Body)
			if err != nil {
				logger.Error("Failed to read request body", zap.Error(err))
				w.WriteHeader(http.StatusInternalServerError)
				return
			}

			err = json.Unmarshal(body, &webhook)
			if err != nil {
				logger.Error("Failed to unmarshal webhook", zap.Error(err))
				w.WriteHeader(http.StatusInternalServerError)
				return
			}

			if len(webhook) == 0 {
				logger.Error("Webhook data is empty")
				w.WriteHeader(http.StatusBadRequest)
				return
			}

			ctx := context.WithValue(r.Context(), WEBHOOK_CONTEXT_KEY, body)
			r = r.WithContext(ctx)

			r.Body = io.NopCloser(strings.NewReader(string(body)))

			next.ServeHTTP(w, r)
		})
	}
}

func requireAuthMiddleware(cfg *config.Config) mux.MiddlewareFunc {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			status := getAuthedStatusFromRequest(r)

			if !status {
				setCookie(w, REDIRECT_AFTER_AUTH, cfg.Domain, r.Referer(), 0, http.SameSiteLaxMode)
				http.Redirect(w, r, "/setup", http.StatusFound)
				return
			}

			next.ServeHTTP(w, r)
		})
	}
}

func githubRestRequireAuthMiddleware(cfg *config.Config) mux.MiddlewareFunc {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			status := getAuthedStatusFromRequest(r)

			if !status {
				http.Error(w, "Unauthorized", http.StatusUnauthorized)
				return
			}

			next.ServeHTTP(w, r)
		})
	}
}

func loggingMiddleware(logger *zap.Logger) mux.MiddlewareFunc {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// Do stuff here
			logger.Debug("Request", zap.String("method", r.Method), zap.String("url", r.RequestURI))
			// Call the next handler, which can be another middleware in the chain, or the final handler.
			next.ServeHTTP(w, r)
		})
	}
}
func addAuthStatusToRequestServ(status bool, r *http.Request, w http.ResponseWriter, next http.Handler) {
	ctx := context.WithValue(r.Context(), AUTHED_CONTEXT_KEY, status)
	r = r.WithContext(ctx)

	next.ServeHTTP(w, r)
}

func parseAuthTokenHeader(headers http.Header) string {
	authHeader := headers.Get("Authorization")
	if authHeader == "" {
		return ""
	}

	authHeader = strings.TrimPrefix(authHeader, "Bearer ")
	authHeader = strings.TrimPrefix(authHeader, "bearer ")

	return authHeader
}

func getAuthedStatusFromRequest(r *http.Request) bool {
	authed, ok := r.Context().Value(AUTHED_CONTEXT_KEY).(bool)
	if !ok {
		return false
	}

	return authed
}
feat: server bones and initial github apps setup support 2024-02-11 04:50:46 +00:00			`package api`

			`import (`
			`"code.gitea.io/sdk/gitea"`
			`"context"`
feat: implement github jwt verification via middleware 2024-02-12 04:55:02 +00:00			`"crypto/x509"`
feat: add webhooks manager and switch to using dedicated pull_request webhook endpoint. Also add iniyial pull_request support 2024-02-11 08:56:32 +00:00			`"encoding/json"`
feat: implement github jwt verification via middleware 2024-02-12 04:55:02 +00:00			`"encoding/pem"`
			`"fmt"`
feat: server bones and initial github apps setup support 2024-02-11 04:50:46 +00:00			`"git.lumeweb.com/LumeWeb/gitea-github-proxy/config"`
feat: implement github jwt verification via middleware 2024-02-12 04:55:02 +00:00			`"git.lumeweb.com/LumeWeb/gitea-github-proxy/db/model"`
			`"github.com/golang-jwt/jwt"`
feat: server bones and initial github apps setup support 2024-02-11 04:50:46 +00:00			`"github.com/gorilla/mux"`
			`"go.uber.org/zap"`
feat: implement github jwt verification via middleware 2024-02-12 04:55:02 +00:00			`"gorm.io/gorm"`
feat: add webhooks manager and switch to using dedicated pull_request webhook endpoint. Also add iniyial pull_request support 2024-02-11 08:56:32 +00:00			`"io"`
feat: server bones and initial github apps setup support 2024-02-11 04:50:46 +00:00			`"net/http"`
refactor: ensure only a given install can access its access tokens with the app-install-get-access-token route 2024-02-12 05:18:52 +00:00			`"strconv"`
feat: server bones and initial github apps setup support 2024-02-11 04:50:46 +00:00			`"strings"`
			`)`

			`const AUTHED_CONTEXT_KEY = "authed"`
			`const REDIRECT_AFTER_AUTH = "redirect-after-auth"`
feat: add webhooks manager and switch to using dedicated pull_request webhook endpoint. Also add iniyial pull_request support 2024-02-11 08:56:32 +00:00			`const WEBHOOK_CONTEXT_KEY = "webhook"`
feat: server bones and initial github apps setup support 2024-02-11 04:50:46 +00:00
			`const AuthCookieName = "auth-token"`

fix: need to subclass StandardClaims to make Issuer any 2024-02-12 06:01:58 +00:00			`type standardClaims struct {`
			Issuer any `json:"iss,omitempty"`
			`jwt.StandardClaims`
			`}`

feat: server bones and initial github apps setup support 2024-02-11 04:50:46 +00:00			`func findAuthToken(r *http.Request) string {`
			`authHeader := parseAuthTokenHeader(r.Header)`

			`if authHeader != "" {`
			`return authHeader`
			`}`

			`cookie := getCookie(r, AuthCookieName)`
			`if cookie != "" {`
			`return cookie`
			`}`

			`return r.FormValue(AuthCookieName)`
			`}`

			`func giteaOauthVerifyMiddleware(cfg *config.Config) mux.MiddlewareFunc {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`token := findAuthToken(r)`
			`if token == "" {`
			`addAuthStatusToRequestServ(false, r, w, next)`
			`return`
			`}`

			`client, err := getClient(ClientParams{`
			`Config: cfg,`
			`AuthToken: token,`
			`})`

			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`

			`_, _, err = client.AdminListUsers(gitea.AdminListUsersOptions{})`
			`if err != nil {`
			`addAuthStatusToRequestServ(false, r, w, next)`
			`return`
			`}`

			`addAuthStatusToRequestServ(true, r, w, next)`
			`})`
			`}`
			`}`
feat: implement github jwt verification via middleware 2024-02-12 04:55:02 +00:00			`func githubRestVerifyMiddleware(db *gorm.DB) mux.MiddlewareFunc {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`token := findAuthToken(r)`

			`if token != "" {`
			`parseToken, _, err := new(jwt.Parser).ParseUnverified(token, jwt.MapClaims{})`
			`if err != nil {`
			`http.Error(w, "Invalid JWT", http.StatusUnauthorized)`
			`return`
			`}`

			`claims, ok := parseToken.Claims.(jwt.MapClaims)`
			`if !ok {`
			`http.Error(w, "Invalid JWT", http.StatusUnauthorized)`
			`return`
			`}`

fix: string/number hacks 2024-02-12 05:47:29 +00:00			`var appId string`

			`switch v := claims["iss"].(type) {`
			`case string:`
			`appId = v`
			`case float64:`
			`appId = strconv.FormatFloat(v, 'f', -1, 64)`
			`default:`
feat: implement github jwt verification via middleware 2024-02-12 04:55:02 +00:00			`http.Error(w, "Invalid JWT", http.StatusUnauthorized)`
			`return`
			`}`

fix: need to cast appId as string,then parse to int 2024-02-12 05:43:04 +00:00			`appIdInt, err := strconv.Atoi(appId)`
			`if err != nil {`
			`http.Error(w, "Invalid JWT", http.StatusUnauthorized)`
			`return`
			`}`

feat: implement github jwt verification via middleware 2024-02-12 04:55:02 +00:00			`appRecord := &model.Apps{}`
fix: need to cast appId as string,then parse to int 2024-02-12 05:43:04 +00:00			`appRecord.ID = uint(appIdInt)`
feat: implement github jwt verification via middleware 2024-02-12 04:55:02 +00:00
			`if err := db.First(appRecord).Error; err != nil {`
			`http.Error(w, "Invalid JWT", http.StatusUnauthorized)`
			`return`
			`}`

			`block, _ := pem.Decode([]byte(appRecord.PrivateKey))`
			`if block == nil {`
			`// Handle error`
			`http.Error(w, "Invalid Private Key", http.StatusInternalServerError)`
			`return`
			`}`

			`privateKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)`
			`if err != nil {`
			`// Handle error`
			`http.Error(w, "Failed to parse Private Key", http.StatusInternalServerError)`
			`return`
			`}`

			`publicKey := &privateKey.PublicKey`

fix: need to subclass StandardClaims to make Issuer any 2024-02-12 06:01:58 +00:00			`parseToken, err = jwt.ParseWithClaims(token, &standardClaims{}, func(token *jwt.Token) (interface{}, error) {`
feat: implement github jwt verification via middleware 2024-02-12 04:55:02 +00:00			`if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {`
			`return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])`
			`}`

			`// Return the RSA public key`
			`return publicKey, nil`
			`})`
			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusBadRequest)`
			`return`
			`}`
refactor: ensure only a given install can access its access tokens with the app-install-get-access-token route 2024-02-12 05:18:52 +00:00
			`if mux.CurrentRoute(r).GetName() == "app-install-get-access-token" {`
			`installId := mux.Vars(r)["installation_id"]`

			`installIdInt, err := strconv.Atoi(installId)`
			`if err != nil {`
			`http.Error(w, "Invalid Install", http.StatusUnauthorized)`
			`return`
			`}`

fix: need to cast appId as string,then parse to int 2024-02-12 05:43:04 +00:00			`if appIdInt != installIdInt {`
refactor: ensure only a given install can access its access tokens with the app-install-get-access-token route 2024-02-12 05:18:52 +00:00			`http.Error(w, "Invalid Install", http.StatusUnauthorized)`
			`return`
			`}`
			`}`
feat: implement github jwt verification via middleware 2024-02-12 04:55:02 +00:00			`}`

			`addAuthStatusToRequestServ(true, r, w, next)`
			`})`
			`}`
			`}`
feat: server bones and initial github apps setup support 2024-02-11 04:50:46 +00:00
refactor: verifyWebhookDataMiddleware just need to store the wehbook data in context 2024-02-11 09:25:52 +00:00			`func storeWebhookDataMiddleware(logger *zap.Logger) mux.MiddlewareFunc {`
feat: add webhooks manager and switch to using dedicated pull_request webhook endpoint. Also add iniyial pull_request support 2024-02-11 08:56:32 +00:00			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`var webhook map[string]interface{}`
			`body, err := io.ReadAll(r.Body)`
			`if err != nil {`
			`logger.Error("Failed to read request body", zap.Error(err))`
			`w.WriteHeader(http.StatusInternalServerError)`
			`return`
			`}`

			`err = json.Unmarshal(body, &webhook)`
			`if err != nil {`
			`logger.Error("Failed to unmarshal webhook", zap.Error(err))`
			`w.WriteHeader(http.StatusInternalServerError)`
			`return`
			`}`

			`if len(webhook) == 0 {`
			`logger.Error("Webhook data is empty")`
			`w.WriteHeader(http.StatusBadRequest)`
			`return`
			`}`

			`ctx := context.WithValue(r.Context(), WEBHOOK_CONTEXT_KEY, body)`
			`r = r.WithContext(ctx)`

			`r.Body = io.NopCloser(strings.NewReader(string(body)))`

			`next.ServeHTTP(w, r)`
			`})`
			`}`
			`}`

feat: server bones and initial github apps setup support 2024-02-11 04:50:46 +00:00			`func requireAuthMiddleware(cfg *config.Config) mux.MiddlewareFunc {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`status := getAuthedStatusFromRequest(r)`

			`if !status {`
			`setCookie(w, REDIRECT_AFTER_AUTH, cfg.Domain, r.Referer(), 0, http.SameSiteLaxMode)`
			`http.Redirect(w, r, "/setup", http.StatusFound)`
			`return`
			`}`

			`next.ServeHTTP(w, r)`
			`})`
			`}`
			`}`
feat: implement github jwt verification via middleware 2024-02-12 04:55:02 +00:00
			`func githubRestRequireAuthMiddleware(cfg *config.Config) mux.MiddlewareFunc {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`status := getAuthedStatusFromRequest(r)`

			`if !status {`
			`http.Error(w, "Unauthorized", http.StatusUnauthorized)`
			`return`
			`}`

			`next.ServeHTTP(w, r)`
			`})`
			`}`
			`}`

feat: server bones and initial github apps setup support 2024-02-11 04:50:46 +00:00			`func loggingMiddleware(logger *zap.Logger) mux.MiddlewareFunc {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`// Do stuff here`
			`logger.Debug("Request", zap.String("method", r.Method), zap.String("url", r.RequestURI))`
			`// Call the next handler, which can be another middleware in the chain, or the final handler.`
			`next.ServeHTTP(w, r)`
			`})`
			`}`
			`}`
			`func addAuthStatusToRequestServ(status bool, r *http.Request, w http.ResponseWriter, next http.Handler) {`
			`ctx := context.WithValue(r.Context(), AUTHED_CONTEXT_KEY, status)`
			`r = r.WithContext(ctx)`

			`next.ServeHTTP(w, r)`
			`}`

			`func parseAuthTokenHeader(headers http.Header) string {`
			`authHeader := headers.Get("Authorization")`
			`if authHeader == "" {`
			`return ""`
			`}`

			`authHeader = strings.TrimPrefix(authHeader, "Bearer ")`
fix: need to trim upper and lower case 2024-02-12 05:39:58 +00:00			`authHeader = strings.TrimPrefix(authHeader, "bearer ")`
feat: server bones and initial github apps setup support 2024-02-11 04:50:46 +00:00
			`return authHeader`
			`}`

			`func getAuthedStatusFromRequest(r *http.Request) bool {`
			`authed, ok := r.Context().Value(AUTHED_CONTEXT_KEY).(bool)`
			`if !ok {`
			`return false`
			`}`

			`return authed`
			`}`