pronounss/backend/server/server.go

package server

import (
	"net/http"
	"os"
	"strconv"
	"time"

	"codeberg.org/u1f320/pronouns.cc/backend/db"
	"codeberg.org/u1f320/pronouns.cc/backend/server/auth"
	"codeberg.org/u1f320/pronouns.cc/backend/server/rate"
	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware"
	"github.com/go-chi/cors"
	"github.com/go-chi/httprate"
	"github.com/go-chi/render"
)

// Revision is the git commit, filled at build time
var (
	Revision = "[unknown]"
	Tag      = "[unknown]"
)

// Repository is the URL of the git repository
const Repository = "https://codeberg.org/u1f320/pronouns.cc"

type Server struct {
	Router *chi.Mux

	DB   *db.DB
	Auth *auth.Verifier
}

func New() (*Server, error) {
	db, err := db.New()
	if err != nil {
		return nil, err
	}

	s := &Server{
		Router: chi.NewMux(),

		DB:   db,
		Auth: auth.New(),
	}

	if os.Getenv("DEBUG") == "true" {
		s.Router.Use(middleware.Logger)
	}
	s.Router.Use(middleware.Recoverer)
	// add CORS
	s.Router.Use(cors.Handler(cors.Options{
		AllowedOrigins:   []string{"https://*", "http://*"},
		AllowedMethods:   []string{"HEAD", "GET"},
		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type"},
		AllowCredentials: false,
		MaxAge:           300,
	}))

	// enable authentication for all routes (but don't require it)
	s.Router.Use(s.maybeAuth)

	// rate limit handling
	// - base is 120 req/minute (2/s)
	// - keyed by Authorization header if valid token is provided, otherwise by IP
	// - returns rate limit reset info in error
	rateLimiter := rate.NewLimiter(120, time.Minute,
		httprate.WithKeyFuncs(func(r *http.Request) (string, error) {
			_, ok := ClaimsFromContext(r.Context())
			if token := r.Header.Get("Authorization"); ok && token != "" {
				return token, nil
			}

			ip, err := httprate.KeyByIP(r)
			return ip, err
		}),
		httprate.WithLimitHandler(func(w http.ResponseWriter, r *http.Request) {
			reset, _ := strconv.Atoi(w.Header().Get("X-RateLimit-Reset"))

			render.Status(r, http.StatusTooManyRequests)
			render.JSON(w, r, APIError{
				Code:           ErrTooManyRequests,
				Message:        errCodeMessages[ErrTooManyRequests],
				RatelimitReset: &reset,
			})
		}),
	)

	// set scopes
	// users
	rateLimiter.Scope("GET", "/users/*", 60)
	rateLimiter.Scope("PATCH", "/users/@me", 10)

	// members
	rateLimiter.Scope("GET", "/users/*/members", 60)
	rateLimiter.Scope("GET", "/users/*/members/*", 60)

	rateLimiter.Scope("POST", "/members", 10)
	rateLimiter.Scope("GET", "/members/*", 60)
	rateLimiter.Scope("PATCH", "/members/*", 20)
	rateLimiter.Scope("DELETE", "/members/*", 5)

	// auth
	rateLimiter.Scope("*", "/auth/*", 20)
	rateLimiter.Scope("*", "/auth/tokens", 10)
	rateLimiter.Scope("*", "/auth/invites", 10)
	rateLimiter.Scope("POST", "/auth/discord/*", 10)

	// rate limit handling
	// - 120 req/minute (2/s)
	// - keyed by Authorization header if valid token is provided, otherwise by IP
	// - returns rate limit reset info in error
	s.Router.Use(rateLimiter.Handler())

	// return an API error for not found + method not allowed
	s.Router.NotFound(func(w http.ResponseWriter, r *http.Request) {
		render.Status(r, errCodeStatuses[ErrNotFound])
		render.JSON(w, r, APIError{
			Code:    ErrNotFound,
			Message: errCodeMessages[ErrNotFound],
		})
	})

	s.Router.MethodNotAllowed(func(w http.ResponseWriter, r *http.Request) {
		render.Status(r, errCodeStatuses[ErrMethodNotAllowed])
		render.JSON(w, r, APIError{
			Code:    ErrMethodNotAllowed,
			Message: errCodeMessages[ErrMethodNotAllowed],
		})
	})

	return s, nil
}

type ctxKey int

const (
	ctxKeyClaims ctxKey = 1
)
initial commit 2022-05-02 17:19:37 +02:00			`package server`

			`import (`
feat(api): add PATCH /users/@me/fields, finish POST /auth/discord/callback 2022-05-17 22:35:26 +02:00			`"net/http"`
initial commit 2022-05-02 17:19:37 +02:00			`"os"`
feat(api): add rate limiting 2022-05-26 00:41:06 +02:00			`"strconv"`
			`"time"`
initial commit 2022-05-02 17:19:37 +02:00
chore: update import url (sorry gitlab, codeberg is just better) 2022-05-14 16:52:08 +02:00			`"codeberg.org/u1f320/pronouns.cc/backend/db"`
			`"codeberg.org/u1f320/pronouns.cc/backend/server/auth"`
feat(backend): separate rate limits into buckets 2023-02-24 15:53:35 +01:00			`"codeberg.org/u1f320/pronouns.cc/backend/server/rate"`
initial commit 2022-05-02 17:19:37 +02:00			`"github.com/go-chi/chi/v5"`
			`"github.com/go-chi/chi/v5/middleware"`
feat(backend): add cors 2023-04-13 23:33:48 +02:00			`"github.com/go-chi/cors"`
feat(api): add rate limiting 2022-05-26 00:41:06 +02:00			`"github.com/go-chi/httprate"`
feat(api): add PATCH /users/@me/fields, finish POST /auth/discord/callback 2022-05-17 22:35:26 +02:00			`"github.com/go-chi/render"`
initial commit 2022-05-02 17:19:37 +02:00			`)`

			`// Revision is the git commit, filled at build time`
feat: build entire backend into single executable (including migrations etc) 2023-03-15 10:04:48 +01:00			`var (`
			`Revision = "[unknown]"`
			`Tag = "[unknown]"`
			`)`
initial commit 2022-05-02 17:19:37 +02:00
feat(backend): add /api/v1/meta endpoint 2023-03-08 14:13:04 +01:00			`// Repository is the URL of the git repository`
			`const Repository = "https://codeberg.org/u1f320/pronouns.cc"`

initial commit 2022-05-02 17:19:37 +02:00			`type Server struct {`
			`Router *chi.Mux`

			`DB *db.DB`
			`Auth *auth.Verifier`
			`}`

			`func New() (*Server, error) {`
feat(backend): working avatar uploading 2022-09-20 13:02:48 +02:00			`db, err := db.New()`
initial commit 2022-05-02 17:19:37 +02:00			`if err != nil {`
			`return nil, err`
			`}`

			`s := &Server{`
			`Router: chi.NewMux(),`

			`DB: db,`
			`Auth: auth.New(),`
			`}`

			`if os.Getenv("DEBUG") == "true" {`
			`s.Router.Use(middleware.Logger)`
			`}`
			`s.Router.Use(middleware.Recoverer)`
feat(backend): add cors 2023-04-13 23:33:48 +02:00			`// add CORS`
			`s.Router.Use(cors.Handler(cors.Options{`
			`AllowedOrigins: []string{"https://", "http://"},`
			`AllowedMethods: []string{"HEAD", "GET"},`
			`AllowedHeaders: []string{"Accept", "Authorization", "Content-Type"},`
			`AllowCredentials: false,`
			`MaxAge: 300,`
			`}))`

initial commit 2022-05-02 17:19:37 +02:00			`// enable authentication for all routes (but don't require it)`
			`s.Router.Use(s.maybeAuth)`

feat(api): add rate limiting 2022-05-26 00:41:06 +02:00			`// rate limit handling`
feat(backend): separate rate limits into buckets 2023-02-24 15:53:35 +01:00			`// - base is 120 req/minute (2/s)`
feat(api): add rate limiting 2022-05-26 00:41:06 +02:00			`// - keyed by Authorization header if valid token is provided, otherwise by IP`
			`// - returns rate limit reset info in error`
feat(backend): separate rate limits into buckets 2023-02-24 15:53:35 +01:00			`rateLimiter := rate.NewLimiter(120, time.Minute,`
feat(api): add rate limiting 2022-05-26 00:41:06 +02:00			`httprate.WithKeyFuncs(func(r *http.Request) (string, error) {`
			`_, ok := ClaimsFromContext(r.Context())`
			`if token := r.Header.Get("Authorization"); ok && token != "" {`
			`return token, nil`
			`}`

			`ip, err := httprate.KeyByIP(r)`
			`return ip, err`
			`}),`
			`httprate.WithLimitHandler(func(w http.ResponseWriter, r *http.Request) {`
			`reset, _ := strconv.Atoi(w.Header().Get("X-RateLimit-Reset"))`

			`render.Status(r, http.StatusTooManyRequests)`
			`render.JSON(w, r, APIError{`
			`Code: ErrTooManyRequests,`
			`Message: errCodeMessages[ErrTooManyRequests],`
			`RatelimitReset: &reset,`
			`})`
			`}),`
feat(backend): separate rate limits into buckets 2023-02-24 15:53:35 +01:00			`)`

			`// set scopes`
			`// users`
			`rateLimiter.Scope("GET", "/users/*", 60)`
feat: cancel user deletion 2023-03-14 16:16:07 +01:00			`rateLimiter.Scope("PATCH", "/users/@me", 10)`
feat(backend): separate rate limits into buckets 2023-02-24 15:53:35 +01:00
			`// members`
			`rateLimiter.Scope("GET", "/users/*/members", 60)`
			`rateLimiter.Scope("GET", "/users//members/", 60)`

feat: cancel user deletion 2023-03-14 16:16:07 +01:00			`rateLimiter.Scope("POST", "/members", 10)`
feat(backend): separate rate limits into buckets 2023-02-24 15:53:35 +01:00			`rateLimiter.Scope("GET", "/members/*", 60)`
feat: cancel user deletion 2023-03-14 16:16:07 +01:00			`rateLimiter.Scope("PATCH", "/members/*", 20)`
feat(backend): separate rate limits into buckets 2023-02-24 15:53:35 +01:00			`rateLimiter.Scope("DELETE", "/members/*", 5)`

			`// auth`
			`rateLimiter.Scope("", "/auth/", 20)`
			`rateLimiter.Scope("*", "/auth/tokens", 10)`
			`rateLimiter.Scope("*", "/auth/invites", 10)`
			`rateLimiter.Scope("POST", "/auth/discord/*", 10)`

			`// rate limit handling`
			`// - 120 req/minute (2/s)`
			`// - keyed by Authorization header if valid token is provided, otherwise by IP`
			`// - returns rate limit reset info in error`
			`s.Router.Use(rateLimiter.Handler())`
feat(api): add rate limiting 2022-05-26 00:41:06 +02:00
feat(api): add PATCH /users/@me/fields, finish POST /auth/discord/callback 2022-05-17 22:35:26 +02:00			`// return an API error for not found + method not allowed`
			`s.Router.NotFound(func(w http.ResponseWriter, r *http.Request) {`
			`render.Status(r, errCodeStatuses[ErrNotFound])`
			`render.JSON(w, r, APIError{`
			`Code: ErrNotFound,`
			`Message: errCodeMessages[ErrNotFound],`
			`})`
			`})`

			`s.Router.MethodNotAllowed(func(w http.ResponseWriter, r *http.Request) {`
			`render.Status(r, errCodeStatuses[ErrMethodNotAllowed])`
			`render.JSON(w, r, APIError{`
			`Code: ErrMethodNotAllowed,`
			`Message: errCodeMessages[ErrMethodNotAllowed],`
			`})`
			`})`

initial commit 2022-05-02 17:19:37 +02:00			`return s, nil`
			`}`

			`type ctxKey int`

			`const (`
			`ctxKeyClaims ctxKey = 1`
			`)`