From 607cd6df091571a981bd37f4fa4623260f3ca3b7 Mon Sep 17 00:00:00 2001 From: Masahiko AMANO Date: Sat, 28 Jan 2023 19:18:11 +0300 Subject: [PATCH] perf(web): improve authentication --- web/public/auth.html | 1 - web/public/index.html | 3 -- web/public/js/auth.js | 2 -- web/public/js/redirector.js | 1 - web/public/js/token.js | 24 -------------- web/server/web-server.go | 62 ++++++++++++++++--------------------- 6 files changed, 26 insertions(+), 67 deletions(-) delete mode 100644 web/public/js/redirector.js delete mode 100644 web/public/js/token.js diff --git a/web/public/auth.html b/web/public/auth.html index 9c3c6fc..df8a17e 100644 --- a/web/public/auth.html +++ b/web/public/auth.html @@ -26,7 +26,6 @@ -
diff --git a/web/public/index.html b/web/public/index.html index 3668a6c..678d548 100644 --- a/web/public/index.html +++ b/web/public/index.html @@ -24,9 +24,6 @@ - - -

Welcome to Tanabata!

diff --git a/web/public/js/auth.js b/web/public/js/auth.js index 0b75415..8cf2968 100644 --- a/web/public/js/auth.js +++ b/web/public/js/auth.js @@ -1,5 +1,3 @@ -$(window).on("load", validate(() => $(".btn-secondary").css("display", "block"), () => {})); - $("#auth").on("submit", function submit(e) { e.preventDefault(); var input_password = $("#password"); diff --git a/web/public/js/redirector.js b/web/public/js/redirector.js deleted file mode 100644 index 5e9510a..0000000 --- a/web/public/js/redirector.js +++ /dev/null @@ -1 +0,0 @@ -$(window).on("load", validate(() => {}, () => $(location).attr("href", "/auth"))); diff --git a/web/public/js/token.js b/web/public/js/token.js deleted file mode 100644 index 7c8acd0..0000000 --- a/web/public/js/token.js +++ /dev/null @@ -1,24 +0,0 @@ -function validate(onsuccess, onfailure) { - let authorized = true; - if ($.cookie("token") == null) { - authorized = false; - } else { - $.ajax({ - url: "/token", - type: "POST", - contentType: "application/json", - data: `{"token":"${$.cookie("token")}"}`, - dataType: "json", - success: function (resp) { - authorized = resp.status; - }, - failure: function (err) { - alert(err); - } - }); - } - if (authorized) { - return onsuccess; - } - return onfailure; -} diff --git a/web/server/web-server.go b/web/server/web-server.go index fa7e0e0..e55f1fa 100644 --- a/web/server/web-server.go +++ b/web/server/web-server.go 
@@ -38,11 +38,22 @@ func TokenGenerate(seed []byte) { TOKEN = fmt.Sprintf("%x", sha256.Sum256([]byte(strconv.FormatInt(value, 16)))) } -func TokenValidate(token string) bool { - if time.Now().Unix()-SID >= TOKEN_VALIDTIME || token != TOKEN { - return false - } - return true +func Auth(handler http.HandlerFunc) http.HandlerFunc { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + authorized := false + defer func() { + if authorized { + handler.ServeHTTP(w, r) + } else { + http.Redirect(w, r, "/auth", http.StatusSeeOther) + } + }() + token, err := r.Cookie("token") + if err == nil && time.Now().Unix()-SID < TOKEN_VALIDTIME && token.Value == TOKEN { + authorized = true + return + } + }) } func HandlerAuth(w http.ResponseWriter, r *http.Request) { @@ -84,6 +95,11 @@ func HandlerAuth(w http.ResponseWriter, r *http.Request) { response.Status = true response.Token = TOKEN } + http.SetCookie(w, &http.Cookie{ + Name: "token", + Value: TOKEN, + Expires: time.Now().Add(TOKEN_VALIDTIME * time.Second), + }) w.Header().Set("Content-Type", "application/json") jsonData, err := json.Marshal(response) if err != nil { @@ -95,29 +111,6 @@ func HandlerAuth(w http.ResponseWriter, r *http.Request) { } } -func HandlerToken(w http.ResponseWriter, r *http.Request) { - var request JSON - var response = JSON{Status: false} - var err error - r.Body = http.MaxBytesReader(w, r.Body, 1048576) - json_decoder := json.NewDecoder(r.Body) - json_decoder.DisallowUnknownFields() - err = json_decoder.Decode(&request) - if err != nil { - http.Error(w, err.Error(), http.StatusBadRequest) - return - } - if TokenValidate(request.Token) { - response.Status = true - } - jsonData, err := json.Marshal(response) - w.Header().Set("Content-Type", "application/json; charset=utf-8") - _, err = w.Write(jsonData) - if err != nil { - log.Println(err) - } -} - func HandlerTDBMS(w http.ResponseWriter, r *http.Request) { var request JSON var response []byte 
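Review bot: `token.Value == TOKEN` in the new Auth middleware checks the bearer cookie with plain string equality, which stops at the first differing byte and so leaks how much of the token matched through timing; compare with `subtle.ConstantTimeCompare([]byte(token.Value), []byte(TOKEN)) == 1` (import `crypto/subtle`). The deferred flag-then-dispatch shape is also harder to follow than a guard clause, and the failure path always answers 303 to `/auth`, which fits browser routes but not `/TDBMS` — a JSON endpoint judging by the decoder in HandlerTDBMS below — where a 401 would let a client tell an expired session apart from a real redirect. A single package-level TOKEN/SID pair means every client shares one session; that predates this change, but the middleware now makes it the only gate on `/TDBMS` and `/files/`, so it is worth flagging. A rewrite along these lines keeps the interface and fixes the comparison:
```go
func Auth(handler http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		token, err := r.Cookie("token")
		if err != nil ||
			time.Now().Unix()-SID >= TOKEN_VALIDTIME ||
			subtle.ConstantTimeCompare([]byte(token.Value), []byte(TOKEN)) != 1 {
			// Browser routes get the login page; API callers would be better served by 401.
			http.Redirect(w, r, "/auth", http.StatusSeeOther)
			return
		}
		handler(w, r)
	}
}
```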
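Review bot: As far as the hunk shows, the new http.SetCookie call sits after the closing brace of the branch that sets `response.Status = true`, so a request that fails the password check still receives a `token` cookie carrying the current TOKEN — once any client has logged in and TOKEN is populated, that is a login bypass; if the code above the hunk returns early on failure this is moot, but it is not visible here, so please confirm. The cookie is also issued without `HttpOnly`, `Secure` or `SameSite`, even though the server only listens over TLS (ListenAndServeTLS in main) and the script that read the cookie from JavaScript (token.js) is deleted in this same commit, so nothing client-side needs to see it any more. Since the token now travels in the cookie, echoing it in the JSON body as well (`response.Token = TOKEN`) undoes the benefit of HttpOnly; drop it unless auth.js still depends on it. Suggested shape:
```go
	// … unchanged: password check that sets response.Status …
	if response.Status {
		http.SetCookie(w, &http.Cookie{
			Name:     "token",
			Value:    TOKEN,
			Path:     "/",
			Expires:  time.Now().Add(TOKEN_VALIDTIME * time.Second),
			HttpOnly: true,
			Secure:   true,
			SameSite: http.SameSiteStrictMode,
		})
	}
	// … unchanged: JSON response …
```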
@@ -130,10 +123,6 @@ func HandlerTDBMS(w http.ResponseWriter, r *http.Request) { http.Error(w, err.Error(), http.StatusBadRequest) return } - if !TokenValidate(request.Token) { - http.Error(w, "Invalid token", http.StatusBadRequest) - return - } response = tdbms.Query(request.TRDB, request.TRC, request.TRB) if response == nil { http.Error(w, "Failed to execute request", http.StatusInternalServerError) @@ -171,10 +160,11 @@ func main() { public_fs.ServeHTTP(w, r) }) http.HandleFunc("/AUTH", HandlerAuth) - http.HandleFunc("/token", HandlerToken) - http.HandleFunc("/TDBMS", HandlerTDBMS) - tfm_fs := http.FileServer(http.Dir("/srv/data/tfm")) - http.Handle("/tfm/", http.StripPrefix("/tfm", tfm_fs)) + http.HandleFunc("/TDBMS", Auth(HandlerTDBMS)) + tfm_fs := http.StripPrefix("/files", http.FileServer(http.Dir("/srv/data/tfm"))) + http.Handle("/files/", Auth(func(w http.ResponseWriter, r *http.Request) { + tfm_fs.ServeHTTP(w, r) + })) log.Println("Running...") err = server.ListenAndServeTLS("/etc/ssl/certs/web-global.crt", "/etc/ssl/private/web-global.key") if errors.Is(err, http.ErrServerClosed) {
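Review bot: The new `/files/` route serves `http.FileServer(http.Dir("/srv/data/tfm"))`, which renders a directory index for any path that has no index.html, so once authenticated a client can enumerate the whole tree under /srv/data/tfm — acceptable if that is the intent, otherwise wrap the handler to reject paths ending in `/` before it reaches the file server. The closure around `tfm_fs.ServeHTTP` exists only to coerce it to an http.HandlerFunc; the method value already has that signature, so `http.Handle("/files/", Auth(tfm_fs.ServeHTTP))` is equivalent and shorter. With redirector.js removed, index.html is now returned by public_fs to unauthenticated visitors; the data routes are still gated by Auth, but confirm the page embeds nothing meant only for logged-in users. The body of main continues outside the hunk.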