loop
/
alps
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
A webmail client. Forked from https://git.sr.ht/~migadu/alps
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
333 Commits
1 Branch
708 KiB
 
 
 
 
Tree: 1992880454
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1992880454'
${ noResults }
alps/server.go

461 lines
10 KiB
Raw Blame History 

  1. package alps

  2. 

  3. import (

  4. 	"encoding/json"

  5. 	"fmt"

  6. 	"log"

  7. 	"net/http"

  8. 	"net/url"

  9. 	"strings"

  10. 	"sync"

  11. 	"time"

  12. 

  13. 	"github.com/fernet/fernet-go"

  14. 	"github.com/labstack/echo/v4"

  15. )

  16. 

  17. const (

  18. 	cookieName           = "alps_session"

  19. 	loginTokenCookieName = "alps_login_token"

  20. )

  21. 

  22. // Server holds all the alps server state.

  23. type Server struct {

  24. 	e        *echo.Echo

  25. 	Sessions *SessionManager

  26. 	Options  *Options

  27. 

  28. 	mutex   sync.RWMutex // used for server reload

  29. 	plugins []Plugin

  30. 

  31. 	// maps protocols to URLs (protocol can be empty for auto-discovery)

  32. 	upstreams map[string]*url.URL

  33. 

  34. 	imap struct {

  35. 		host     string

  36. 		tls      bool

  37. 		insecure bool

  38. 	}

  39. 	smtp struct {

  40. 		host     string

  41. 		tls      bool

  42. 		insecure bool

  43. 	}

  44. }

  45. 

  46. func newServer(e *echo.Echo, options *Options) (*Server, error) {

  47. 	s := &Server{e: e, Options: options}

  48. 

  49. 	s.upstreams = make(map[string]*url.URL, len(options.Upstreams))

  50. 	for _, upstream := range options.Upstreams {

  51. 		u, err := parseUpstream(upstream)

  52. 		if err != nil {

  53. 			return nil, fmt.Errorf("failed to parse upstream %q: %v", upstream, err)

  54. 		}

  55. 		if _, ok := s.upstreams[u.Scheme]; ok {

  56. 			return nil, fmt.Errorf("found two upstream servers for scheme %q", u.Scheme)

  57. 		}

  58. 		s.upstreams[u.Scheme] = u

  59. 	}

  60. 

  61. 	if err := s.parseIMAPUpstream(); err != nil {

  62. 		return nil, err

  63. 	}

  64. 	if err := s.parseSMTPUpstream(); err != nil {

  65. 		return nil, err

  66. 	}

  67. 

  68. 	s.Sessions = newSessionManager(s.dialIMAP, s.dialSMTP, e.Logger, options.Debug)

  69. 	return s, nil

  70. }

  71. 

  72. func (s *Server) Close() {

  73. 	s.Sessions.Close()

  74. }

  75. 

  76. func parseUpstream(s string) (*url.URL, error) {

  77. 	if !strings.ContainsAny(s, ":/") {

  78. 		// This is a raw domain name, make it an URL with an empty scheme

  79. 		s = "//" + s

  80. 	}

  81. 	return url.Parse(s)

  82. }

  83. 

  84. type NoUpstreamError struct {

  85. 	schemes []string

  86. }

  87. 

  88. func (err *NoUpstreamError) Error() string {

  89. 	return fmt.Sprintf("no upstream server configured for schemes %v", err.schemes)

  90. }

  91. 

  92. // Upstream retrieves the configured upstream server URL for the provided

  93. // schemes. If no configured upstream server matches, a *NoUpstreamError is

  94. // returned. An empty URL.Scheme means that the caller needs to perform

  95. // auto-discovery with URL.Host.

  96. func (s *Server) Upstream(schemes ...string) (*url.URL, error) {

  97. 	var urls []*url.URL

  98. 	for _, scheme := range append(schemes, "") {

  99. 		u, ok := s.upstreams[scheme]

  100. 		if ok {

  101. 			urls = append(urls, u)

  102. 		}

  103. 	}

  104. 	if len(urls) == 0 {

  105. 		return nil, &NoUpstreamError{schemes}

  106. 	}

  107. 	if len(urls) > 1 {

  108. 		return nil, fmt.Errorf("multiple upstream servers are configured for schemes %v", schemes)

  109. 	}

  110. 	return urls[0], nil

  111. }

  112. 

  113. func (s *Server) parseIMAPUpstream() error {

  114. 	u, err := s.Upstream("imap", "imaps", "imap+insecure")

  115. 	if err != nil {

  116. 		return fmt.Errorf("failed to parse upstream IMAP server: %v", err)

  117. 	}

  118. 

  119. 	if u.Scheme == "" {

  120. 		u, err = discoverIMAP(u.Host)

  121. 		if err != nil {

  122. 			return fmt.Errorf("failed to discover IMAP server: %v", err)

  123. 		}

  124. 	}

  125. 

  126. 	switch u.Scheme {

  127. 	case "imaps":

  128. 		s.imap.tls = true

  129. 	case "imap+insecure":

  130. 		s.imap.insecure = true

  131. 	}

  132. 

  133. 	s.imap.host = u.Host

  134. 	if !strings.ContainsRune(s.imap.host, ':') {

  135. 		if u.Scheme == "imaps" {

  136. 			s.imap.host += ":993"

  137. 		} else {

  138. 			s.imap.host += ":143"

  139. 		}

  140. 	}

  141. 

  142. 	c, err := s.dialIMAP()

  143. 	if err != nil {

  144. 		return fmt.Errorf("failed to connect to IMAP server: %v", err)

  145. 	}

  146. 	c.Close()

  147. 

  148. 	s.e.Logger.Printf("Configured upstream IMAP server: %v", u)

  149. 	return nil

  150. }

  151. 

  152. func (s *Server) parseSMTPUpstream() error {

  153. 	u, err := s.Upstream("smtp", "smtps", "smtp+insecure")

  154. 	if _, ok := err.(*NoUpstreamError); ok {

  155. 		return nil

  156. 	} else if err != nil {

  157. 		return fmt.Errorf("failed to parse upstream SMTP server: %v", err)

  158. 	}

  159. 

  160. 	if u.Scheme == "" {

  161. 		u, err = discoverSMTP(u.Host)

  162. 		if err != nil {

  163. 			s.e.Logger.Printf("Failed to discover SMTP server: %v", err)

  164. 			return nil

  165. 		}

  166. 	}

  167. 

  168. 	switch u.Scheme {

  169. 	case "smtps":

  170. 		s.smtp.tls = true

  171. 	case "smtp+insecure":

  172. 		s.smtp.insecure = true

  173. 	}

  174. 

  175. 	s.smtp.host = u.Host

  176. 	if !strings.ContainsRune(s.smtp.host, ':') {

  177. 		if u.Scheme == "smtps" {

  178. 			s.smtp.host += ":465"

  179. 		} else {

  180. 			s.smtp.host += ":587"

  181. 		}

  182. 	}

  183. 

  184. 	c, err := s.dialSMTP()

  185. 	if err != nil {

  186. 		return fmt.Errorf("failed to connect to SMTP server: %v", err)

  187. 	}

  188. 	c.Close()

  189. 

  190. 	s.e.Logger.Printf("Configured upstream SMTP server: %v", u)

  191. 	return nil

  192. }

  193. 

  194. func (s *Server) load() error {

  195. 	var plugins []Plugin

  196. 	for _, load := range pluginLoaders {

  197. 		l, err := load(s)

  198. 		if err != nil {

  199. 			return fmt.Errorf("failed to load plugins: %v", err)

  200. 		}

  201. 		for _, p := range l {

  202. 			s.e.Logger.Printf("Loaded plugin %q", p.Name())

  203. 		}

  204. 		plugins = append(plugins, l...)

  205. 	}

  206. 

  207. 	renderer := newRenderer(s.e.Logger, s.Options.Theme)

  208. 	if err := renderer.Load(plugins); err != nil {

  209. 		return fmt.Errorf("failed to load templates: %v", err)

  210. 	}

  211. 

  212. 	// Once we've loaded plugins and templates from disk (which can take time),

  213. 	// swap them in the Server struct

  214. 	s.mutex.Lock()

  215. 	defer s.mutex.Unlock()

  216. 

  217. 	// Close previous plugins

  218. 	for _, p := range s.plugins {

  219. 		if err := p.Close(); err != nil {

  220. 			s.e.Logger.Printf("Failed to unload plugin %q: %v", p.Name(), err)

  221. 		}

  222. 	}

  223. 

  224. 	s.plugins = plugins

  225. 	s.e.Renderer = renderer

  226. 

  227. 	for _, p := range plugins {

  228. 		p.SetRoutes(s.e.Group(""))

  229. 	}

  230. 

  231. 	return nil

  232. }

  233. 

  234. // Reload loads Lua plugins and templates from disk.

  235. func (s *Server) Reload() error {

  236. 	s.e.Logger.Printf("Reloading server")

  237. 	return s.load()

  238. }

  239. 

  240. // Logger returns this server's logger.

  241. func (s *Server) Logger() echo.Logger {

  242. 	return s.e.Logger

  243. }

  244. 

  245. // Context is the context used by HTTP handlers.

  246. //

  247. // Use a type assertion to get it from a echo.Context:

  248. //

  249. //     ctx := ectx.(*alps.Context)

  250. type Context struct {

  251. 	echo.Context

  252. 	Server  *Server

  253. 	Session *Session // nil if user isn't logged in

  254. }

  255. 

  256. var aLongTimeAgo = time.Unix(233431200, 0)

  257. 

  258. // SetSession sets a cookie for the provided session. Passing a nil session

  259. // unsets the cookie.

  260. func (ctx *Context) SetSession(s *Session) {

  261. 	cookie := http.Cookie{

  262. 		Name:     cookieName,

  263. 		HttpOnly: true,

  264. 		SameSite: http.SameSiteStrictMode,

  265. 		Secure:   ctx.IsTLS(),

  266. 	}

  267. 	if s != nil {

  268. 		cookie.Value = s.token

  269. 	} else {

  270. 		cookie.Expires = aLongTimeAgo // unset the cookie

  271. 	}

  272. 	ctx.SetCookie(&cookie)

  273. }

  274. 

  275. type loginToken struct {

  276. 	Username string

  277. 	Password string

  278. }

  279. 

  280. func (ctx *Context) SetLoginToken(username, password string) {

  281. 	cookie := http.Cookie{

  282. 		Expires:  time.Now().Add(30 * 24 * time.Hour),

  283. 		Name:     loginTokenCookieName,

  284. 		HttpOnly: true,

  285. 		SameSite: http.SameSiteStrictMode,

  286. 		Secure:   ctx.IsTLS(),

  287. 		Path:     "/login",

  288. 	}

  289. 	if username == "" {

  290. 		cookie.Expires = aLongTimeAgo // unset the cookie

  291. 		ctx.SetCookie(&cookie)

  292. 		return

  293. 	}

  294. 

  295. 	loginToken := loginToken{username, password}

  296. 	payload, err := json.Marshal(loginToken)

  297. 	if err != nil {

  298. 		panic(err) // Should never happen

  299. 	}

  300. 	fkey := ctx.Server.Options.LoginKey

  301. 	if fkey == nil {

  302. 		return

  303. 	}

  304. 

  305. 	bytes, err := fernet.EncryptAndSign(payload, fkey)

  306. 	if err != nil {

  307. 		log.Printf("Warning: login token encryption failed: %v", err)

  308. 		return

  309. 	}

  310. 

  311. 	cookie.Value = string(bytes)

  312. 	ctx.SetCookie(&cookie)

  313. }

  314. 

  315. func (ctx *Context) GetLoginToken() (string, string) {

  316. 	cookie, err := ctx.Cookie(loginTokenCookieName)

  317. 	if err != nil || cookie == nil {

  318. 		return "", ""

  319. 	}

  320. 

  321. 	fkey := ctx.Server.Options.LoginKey

  322. 	if fkey == nil {

  323. 		return "", ""

  324. 	}

  325. 

  326. 	bytes := fernet.VerifyAndDecrypt([]byte(cookie.Value),

  327. 		24*time.Hour*30, []*fernet.Key{fkey})

  328. 	if bytes == nil {

  329. 		return "", ""

  330. 	}

  331. 

  332. 	var token loginToken

  333. 	err = json.Unmarshal(bytes, &token)

  334. 	if err != nil {

  335. 		panic(err) // Should never happen

  336. 	}

  337. 

  338. 	return token.Username, token.Password

  339. }

  340. 

  341. func isPublic(path string) bool {

  342. 	if strings.HasPrefix(path, "/plugins/") {

  343. 		parts := strings.Split(path, "/")

  344. 		return len(parts) >= 4 && parts[3] == "assets"

  345. 	}

  346. 	return path == "/login" || strings.HasPrefix(path, "/themes/")

  347. }

  348. 

  349. func redirectToLogin(ctx *Context) error {

  350. 	path := ctx.Request().URL.Path

  351. 	to := "/login"

  352. 	if path != "/" && path != "/login" {

  353. 		to += "?next=" + url.QueryEscape(ctx.Request().URL.String())

  354. 	}

  355. 	return ctx.Redirect(http.StatusFound, to)

  356. }

  357. 

  358. func handleUnauthenticated(next echo.HandlerFunc, ctx *Context) error {

  359. 	// Require auth for all requests except /login and assets

  360. 	if isPublic(ctx.Request().URL.Path) {

  361. 		return next(ctx)

  362. 	} else {

  363. 		return redirectToLogin(ctx)

  364. 	}

  365. }

  366. 

  367. type Options struct {

  368. 	Upstreams []string

  369. 	Theme     string

  370. 	Debug     bool

  371. 	LoginKey  *fernet.Key

  372. }

  373. 

  374. // New creates a new server.

  375. func New(e *echo.Echo, options *Options) (*Server, error) {

  376. 	s, err := newServer(e, options)

  377. 	if err != nil {

  378. 		return nil, err

  379. 	}

  380. 

  381. 	if err := s.load(); err != nil {

  382. 		return nil, err

  383. 	}

  384. 

  385. 	e.HTTPErrorHandler = func(err error, ctx echo.Context) {

  386. 		code := http.StatusInternalServerError

  387. 		if he, ok := err.(*echo.HTTPError); ok {

  388. 			code = he.Code

  389. 		}

  390. 

  391. 		type ErrorRenderData struct {

  392. 			BaseRenderData

  393. 			Code   int

  394. 			Err    error

  395. 			Status string

  396. 		}

  397. 		rdata := ErrorRenderData{

  398. 			BaseRenderData: *NewBaseRenderData(ctx),

  399. 			Err:    err,

  400. 			Code:   code,

  401. 			Status: http.StatusText(code),

  402. 		}

  403. 

  404. 		if err := ctx.Render(code, "error.html", &rdata); err != nil {

  405. 			ctx.Logger().Error(fmt.Errorf(

  406. 				"Error occured rendering error page: %w. How meta.", err))

  407. 		}

  408. 

  409. 		ctx.Logger().Error(err)

  410. 	}

  411. 

  412. 	e.Pre(func(next echo.HandlerFunc) echo.HandlerFunc {

  413. 		return func(ectx echo.Context) error {

  414. 			s.mutex.RLock()

  415. 			err := next(ectx)

  416. 			s.mutex.RUnlock()

  417. 			return err

  418. 		}

  419. 	})

  420. 

  421. 	e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {

  422. 		return func(ectx echo.Context) error {

  423. 			// `style-src 'unsafe-inline'` is required for e-mails with

  424. 			// embedded stylesheets

  425. 			ectx.Response().Header().Set("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'")

  426. 			// DNS prefetching has privacy implications

  427. 			ectx.Response().Header().Set("X-DNS-Prefetch-Control", "off")

  428. 			return next(ectx)

  429. 		}

  430. 	})

  431. 

  432. 	e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {

  433. 		return func(ectx echo.Context) error {

  434. 			ctx := &Context{Context: ectx, Server: s}

  435. 			ctx.Set("context", ctx)

  436. 

  437. 			cookie, err := ctx.Cookie(cookieName)

  438. 			if err == http.ErrNoCookie {

  439. 				return handleUnauthenticated(next, ctx)

  440. 			} else if err != nil {

  441. 				return err

  442. 			}

  443. 

  444. 			ctx.Session, err = ctx.Server.Sessions.get(cookie.Value)

  445. 			if err == ErrSessionExpired {

  446. 				ctx.SetSession(nil)

  447. 				return handleUnauthenticated(next, ctx)

  448. 			} else if err != nil {

  449. 				return err

  450. 			}

  451. 			ctx.Session.ping()

  452. 

  453. 			return next(ctx)

  454. 		}

  455. 	})

  456. 

  457. 	e.Static("/themes", "themes")

  458. 

  459. 	return s, nil

  460. }