mattermost/utils/api.go

// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.

package utils

import (
	"crypto"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html/template"
	"net/http"
	"net/url"
	"path"
	"strings"

	"github.com/mattermost/mattermost-server/v5/model"
)

func CheckOrigin(r *http.Request, allowedOrigins string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}

	if allowedOrigins == "*" {
		return true
	}
	for _, allowed := range strings.Split(allowedOrigins, " ") {
		if allowed == origin {
			return true
		}
	}
	return false
}

func OriginChecker(allowedOrigins string) func(*http.Request) bool {
	return func(r *http.Request) bool {
		return CheckOrigin(r, allowedOrigins)
	}
}

func RenderWebAppError(config *model.Config, w http.ResponseWriter, r *http.Request, err *model.AppError, s crypto.Signer) {
	RenderWebError(config, w, r, err.StatusCode, url.Values{
		"message": []string{err.Message},
	}, s)
}

func RenderWebError(config *model.Config, w http.ResponseWriter, r *http.Request, status int, params url.Values, s crypto.Signer) {
	queryString := params.Encode()

	subpath, _ := GetSubpathFromConfig(config)

	h := crypto.SHA256
	sum := h.New()
	sum.Write([]byte(path.Join(subpath, "error") + "?" + queryString))
	signature, err := s.Sign(rand.Reader, sum.Sum(nil), h)
	if err != nil {
		http.Error(w, "", http.StatusInternalServerError)
		return
	}
	destination := path.Join(subpath, "error") + "?" + queryString + "&s=" + base64.URLEncoding.EncodeToString(signature)

	if status >= 300 && status < 400 {
		http.Redirect(w, r, destination, status)
		return
	}

	w.Header().Set("Content-Type", "text/html")
	w.WriteHeader(status)
	fmt.Fprintln(w, `<!DOCTYPE html><html><head></head>`)
	fmt.Fprintln(w, `<body onload="window.location = '`+template.HTMLEscapeString(template.JSEscapeString(destination))+`'">`)
	fmt.Fprintln(w, `<noscript><meta http-equiv="refresh" content="0; url=`+template.HTMLEscapeString(destination)+`"></noscript>`)
	fmt.Fprintln(w, `<a href="`+template.HTMLEscapeString(destination)+`" style="color: #c0c0c0;">...</a>`)
	fmt.Fprintln(w, `</body></html>`)
}
Consistent license message for all the go files (#13235) * Consistent license message for all the go files * Fixing the last set of unconsistencies with the license headers * Addressing PR review comments * Fixing busy.go and busy_test.go license header 2019-11-29 12:59:40 +01:00			`// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.`
			`// See LICENSE.txt for license information.`
Move WebSocket API to it's own package and add websocket v4 endpoint (#5881) 2017-03-28 04:58:19 -04:00
			`package utils`

			`import (`
ABC-132: sign error page parameters (#8197) * sign error page parameters * add comments 2018-02-07 11:05:46 -06:00			`"crypto"`
			`"crypto/rand"`
			`"encoding/base64"`
ABC-153: don't use http redirects with 4xx/5xx status codes (#8178) * don't use http redirects with 4xx/5xx status codes * minor html syntax fix 2018-02-02 07:29:11 -06:00			`"fmt"`
			`"html/template"`
Move WebSocket API to it's own package and add websocket v4 endpoint (#5881) 2017-03-28 04:58:19 -04:00			`"net/http"`
Implement v4 endpoints for OAuth (#6040) * Implement POST /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps/{app_id} and /oauth/apps/{app_id}/info endpoints for APIv4 * Refactor API version independent oauth endpoints * Implement DELETE /oauth/apps/{app_id} endpoint for APIv4 * Implement /oauth/apps/{app_id}/regen_secret endpoint for APIv4 * Implement GET /user/{user_id}/oauth/apps/authorized endpoint for APIv4 * Implement POST /oauth/deauthorize endpoint 2017-04-20 09:55:02 -04:00			`"net/url"`
MM-10370: serve subpath (#8968) * factor out GetSubpathFromConfig * mv web/subpath.go to utils/subpath.go * serve up web, api and ws on /subpath if configured * pass config to utils.RenderWeb(App)?Error This allows the methods to extract the configured subpath and redirect to the appropriate `/subpath/error` handler. * ensure GetSubpathFromConfig returns trailing slashes deterministically * fix error 404 handling * redirect /subpath to /subpath/ This is necessary for the static handler to match, otherwise none of the registered routes find anything. This also makes it no longer necessary to add trailing slashes in the root router. 2018-06-21 14:31:51 -04:00			`"path"`
Move WebSocket API to it's own package and add websocket v4 endpoint (#5881) 2017-03-28 04:58:19 -04:00			`"strings"`
Implement v4 endpoints for OAuth (#6040) * Implement POST /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps/{app_id} and /oauth/apps/{app_id}/info endpoints for APIv4 * Refactor API version independent oauth endpoints * Implement DELETE /oauth/apps/{app_id} endpoint for APIv4 * Implement /oauth/apps/{app_id}/regen_secret endpoint for APIv4 * Implement GET /user/{user_id}/oauth/apps/authorized endpoint for APIv4 * Implement POST /oauth/deauthorize endpoint 2017-04-20 09:55:02 -04:00
[MM-19948] Set version on module file and internal paths (#13186) * [MM-19948] Set version on module file and internal paths * Fixes after merge * Fix i18n checker error 2019-11-28 14:39:38 +01:00			`"github.com/mattermost/mattermost-server/v5/model"`
Move WebSocket API to it's own package and add websocket v4 endpoint (#5881) 2017-03-28 04:58:19 -04:00			`)`

origin checker refactor (#7889) 2017-11-22 15:58:03 -06:00			`func CheckOrigin(r *http.Request, allowedOrigins string) bool {`
Move WebSocket API to it's own package and add websocket v4 endpoint (#5881) 2017-03-28 04:58:19 -04:00			`origin := r.Header.Get("Origin")`
If no origin header is set for WebSocket, do not fail upgrade (#9287) 2018-08-24 06:09:48 -04:00			`if origin == "" {`
			`return true`
			`}`

origin checker refactor (#7889) 2017-11-22 15:58:03 -06:00			`if allowedOrigins == "*" {`
Tweak WebSocket header-processing (#6929) * fix * consolidate code 2017-07-13 14:02:33 -07:00			`return true`
			`}`
origin checker refactor (#7889) 2017-11-22 15:58:03 -06:00			`for _, allowed := range strings.Split(allowedOrigins, " ") {`
Tweak WebSocket header-processing (#6929) * fix * consolidate code 2017-07-13 14:02:33 -07:00			`if allowed == origin {`
			`return true`
			`}`
			`}`
			`return false`
Move WebSocket API to it's own package and add websocket v4 endpoint (#5881) 2017-03-28 04:58:19 -04:00			`}`

origin checker refactor (#7889) 2017-11-22 15:58:03 -06:00			`func OriginChecker(allowedOrigins string) func(*http.Request) bool {`
			`return func(r *http.Request) bool {`
			`return CheckOrigin(r, allowedOrigins)`
Move WebSocket API to it's own package and add websocket v4 endpoint (#5881) 2017-03-28 04:58:19 -04:00			`}`
			`}`
Implement v4 endpoints for OAuth (#6040) * Implement POST /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps/{app_id} and /oauth/apps/{app_id}/info endpoints for APIv4 * Refactor API version independent oauth endpoints * Implement DELETE /oauth/apps/{app_id} endpoint for APIv4 * Implement /oauth/apps/{app_id}/regen_secret endpoint for APIv4 * Implement GET /user/{user_id}/oauth/apps/authorized endpoint for APIv4 * Implement POST /oauth/deauthorize endpoint 2017-04-20 09:55:02 -04:00
MM-10370: serve subpath (#8968) * factor out GetSubpathFromConfig * mv web/subpath.go to utils/subpath.go * serve up web, api and ws on /subpath if configured * pass config to utils.RenderWeb(App)?Error This allows the methods to extract the configured subpath and redirect to the appropriate `/subpath/error` handler. * ensure GetSubpathFromConfig returns trailing slashes deterministically * fix error 404 handling * redirect /subpath to /subpath/ This is necessary for the static handler to match, otherwise none of the registered routes find anything. This also makes it no longer necessary to add trailing slashes in the root router. 2018-06-21 14:31:51 -04:00			`func RenderWebAppError(config model.Config, w http.ResponseWriter, r http.Request, err *model.AppError, s crypto.Signer) {`
			`RenderWebError(config, w, r, err.StatusCode, url.Values{`
ABC-132: sign error page parameters (#8197) * sign error page parameters * add comments 2018-02-07 11:05:46 -06:00			`"message": []string{err.Message},`
			`}, s)`
			`}`

MM-10370: serve subpath (#8968) * factor out GetSubpathFromConfig * mv web/subpath.go to utils/subpath.go * serve up web, api and ws on /subpath if configured * pass config to utils.RenderWeb(App)?Error This allows the methods to extract the configured subpath and redirect to the appropriate `/subpath/error` handler. * ensure GetSubpathFromConfig returns trailing slashes deterministically * fix error 404 handling * redirect /subpath to /subpath/ This is necessary for the static handler to match, otherwise none of the registered routes find anything. This also makes it no longer necessary to add trailing slashes in the root router. 2018-06-21 14:31:51 -04:00			`func RenderWebError(config model.Config, w http.ResponseWriter, r http.Request, status int, params url.Values, s crypto.Signer) {`
ABC-132: sign error page parameters (#8197) * sign error page parameters * add comments 2018-02-07 11:05:46 -06:00			`queryString := params.Encode()`

MM-10370: serve subpath (#8968) * factor out GetSubpathFromConfig * mv web/subpath.go to utils/subpath.go * serve up web, api and ws on /subpath if configured * pass config to utils.RenderWeb(App)?Error This allows the methods to extract the configured subpath and redirect to the appropriate `/subpath/error` handler. * ensure GetSubpathFromConfig returns trailing slashes deterministically * fix error 404 handling * redirect /subpath to /subpath/ This is necessary for the static handler to match, otherwise none of the registered routes find anything. This also makes it no longer necessary to add trailing slashes in the root router. 2018-06-21 14:31:51 -04:00			`subpath, _ := GetSubpathFromConfig(config)`

ABC-132: sign error page parameters (#8197) * sign error page parameters * add comments 2018-02-07 11:05:46 -06:00			`h := crypto.SHA256`
			`sum := h.New()`
MM-10370: serve subpath (#8968) * factor out GetSubpathFromConfig * mv web/subpath.go to utils/subpath.go * serve up web, api and ws on /subpath if configured * pass config to utils.RenderWeb(App)?Error This allows the methods to extract the configured subpath and redirect to the appropriate `/subpath/error` handler. * ensure GetSubpathFromConfig returns trailing slashes deterministically * fix error 404 handling * redirect /subpath to /subpath/ This is necessary for the static handler to match, otherwise none of the registered routes find anything. This also makes it no longer necessary to add trailing slashes in the root router. 2018-06-21 14:31:51 -04:00			`sum.Write([]byte(path.Join(subpath, "error") + "?" + queryString))`
ABC-132: sign error page parameters (#8197) * sign error page parameters * add comments 2018-02-07 11:05:46 -06:00			`signature, err := s.Sign(rand.Reader, sum.Sum(nil), h)`
			`if err != nil {`
			`http.Error(w, "", http.StatusInternalServerError)`
			`return`
Implement v4 endpoints for OAuth (#6040) * Implement POST /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps/{app_id} and /oauth/apps/{app_id}/info endpoints for APIv4 * Refactor API version independent oauth endpoints * Implement DELETE /oauth/apps/{app_id} endpoint for APIv4 * Implement /oauth/apps/{app_id}/regen_secret endpoint for APIv4 * Implement GET /user/{user_id}/oauth/apps/authorized endpoint for APIv4 * Implement POST /oauth/deauthorize endpoint 2017-04-20 09:55:02 -04:00			`}`
MM-10370: serve subpath (#8968) * factor out GetSubpathFromConfig * mv web/subpath.go to utils/subpath.go * serve up web, api and ws on /subpath if configured * pass config to utils.RenderWeb(App)?Error This allows the methods to extract the configured subpath and redirect to the appropriate `/subpath/error` handler. * ensure GetSubpathFromConfig returns trailing slashes deterministically * fix error 404 handling * redirect /subpath to /subpath/ This is necessary for the static handler to match, otherwise none of the registered routes find anything. This also makes it no longer necessary to add trailing slashes in the root router. 2018-06-21 14:31:51 -04:00			`destination := path.Join(subpath, "error") + "?" + queryString + "&s=" + base64.URLEncoding.EncodeToString(signature)`
Implement v4 endpoints for OAuth (#6040) * Implement POST /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps/{app_id} and /oauth/apps/{app_id}/info endpoints for APIv4 * Refactor API version independent oauth endpoints * Implement DELETE /oauth/apps/{app_id} endpoint for APIv4 * Implement /oauth/apps/{app_id}/regen_secret endpoint for APIv4 * Implement GET /user/{user_id}/oauth/apps/authorized endpoint for APIv4 * Implement POST /oauth/deauthorize endpoint 2017-04-20 09:55:02 -04:00
ABC-153: don't use http redirects with 4xx/5xx status codes (#8178) * don't use http redirects with 4xx/5xx status codes * minor html syntax fix 2018-02-02 07:29:11 -06:00			`if status >= 300 && status < 400 {`
			`http.Redirect(w, r, destination, status)`
			`return`
			`}`

Add content type to API error response (#8460) 2018-03-14 18:09:04 -04:00			`w.Header().Set("Content-Type", "text/html")`
ABC-153: don't use http redirects with 4xx/5xx status codes (#8178) * don't use http redirects with 4xx/5xx status codes * minor html syntax fix 2018-02-02 07:29:11 -06:00			`w.WriteHeader(status)`
			fmt.Fprintln(w, `<!DOCTYPE html><html><head></head>`)
			fmt.Fprintln(w, `<body onload="window.location = '`+template.HTMLEscapeString(template.JSEscapeString(destination))+`'">`)
			fmt.Fprintln(w, `<noscript><meta http-equiv="refresh" content="0; url=`+template.HTMLEscapeString(destination)+`"></noscript>`)
			fmt.Fprintln(w, `<a href="`+template.HTMLEscapeString(destination)+`" style="color: #c0c0c0;">...</a>`)
			fmt.Fprintln(w, `</body></html>`)
Implement v4 endpoints for OAuth (#6040) * Implement POST /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps/{app_id} and /oauth/apps/{app_id}/info endpoints for APIv4 * Refactor API version independent oauth endpoints * Implement DELETE /oauth/apps/{app_id} endpoint for APIv4 * Implement /oauth/apps/{app_id}/regen_secret endpoint for APIv4 * Implement GET /user/{user_id}/oauth/apps/authorized endpoint for APIv4 * Implement POST /oauth/deauthorize endpoint 2017-04-20 09:55:02 -04:00			`}`