photoview/api/routes/photos.go

package routes

import (
	"database/sql"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
	"path"
	"strconv"

	"github.com/gorilla/mux"
	"golang.org/x/crypto/bcrypt"

	"github.com/viktorstrate/photoview/api/graphql/auth"
	"github.com/viktorstrate/photoview/api/graphql/models"
	"github.com/viktorstrate/photoview/api/scanner"
)

func RegisterPhotoRoutes(db *sql.DB, router *mux.Router) {

	router.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {
		media_name := mux.Vars(r)["name"]

		row := db.QueryRow("SELECT media_url.purpose, media_url.content_type, media_url.media_id FROM media_url, media WHERE media_url.media_name = ? AND media_url.media_id = media.media_id", media_name)

		var purpose models.MediaPurpose
		var content_type string
		var media_id int

		if err := row.Scan(&purpose, &content_type, &media_id); err != nil {
			w.WriteHeader(http.StatusNotFound)
			w.Write([]byte("404"))
			return
		}

		row = db.QueryRow("SELECT * FROM media WHERE media_id = ?", media_id)
		media, err := models.NewMediaFromRow(row)
		if err != nil {
			log.Printf("WARN: %s", err)
			w.WriteHeader(http.StatusInternalServerError)
			w.Write([]byte("internal server error"))
		}

		user := auth.UserFromContext(r.Context())
		if user != nil {
			row := db.QueryRow("SELECT owner_id FROM album WHERE album.album_id = ?", media.AlbumId)
			var owner_id int

			if err := row.Scan(&owner_id); err != nil {
				log.Printf("WARN: %s", err)
				w.WriteHeader(http.StatusInternalServerError)
				w.Write([]byte("internal server error"))
				return
			}

			if owner_id != user.UserID {
				w.WriteHeader(http.StatusForbidden)
				w.Write([]byte("invalid credentials"))
				return
			}
		} else {
			// Check if photo is authorized with a share token
			token := r.URL.Query().Get("token")
			if token == "" {
				w.WriteHeader(http.StatusForbidden)
				w.Write([]byte("unauthorized"))
				return
			}

			row := db.QueryRow("SELECT * FROM share_token WHERE value = ?", token)

			shareToken, err := models.NewShareTokenFromRow(row)
			if err != nil {
				log.Printf("WARN: %s", err)
				w.WriteHeader(http.StatusInternalServerError)
				w.Write([]byte("internal server error"))
				return
			}

			// Validate share token password, if set
			if shareToken.Password != nil {
				tokenPassword := r.Header.Get("TokenPassword")

				if err := bcrypt.CompareHashAndPassword([]byte(*shareToken.Password), []byte(tokenPassword)); err != nil {
					if err == bcrypt.ErrMismatchedHashAndPassword {
						w.WriteHeader(http.StatusForbidden)
						w.Write([]byte("unauthorized"))
						return
					} else {
						w.WriteHeader(http.StatusInternalServerError)
						w.Write([]byte("internal server error"))
						return
					}
				}
			}

			if shareToken.AlbumID != nil && media.AlbumId != *shareToken.AlbumID {
				// Check child albums
				row := db.QueryRow(`
					WITH recursive child_albums AS (
						SELECT * FROM album WHERE parent_album = ?
						UNION ALL
						SELECT child.* FROM album child JOIN child_albums parent ON parent.album_id = child.parent_album
					)
					SELECT * FROM child_albums WHERE album_id = ?
				`, *shareToken.AlbumID, media.AlbumId)

				_, err := models.NewAlbumFromRow(row)
				if err != nil {
					if err == sql.ErrNoRows {
						w.WriteHeader(http.StatusForbidden)
						w.Write([]byte("unauthorized"))
						return
					}
					log.Printf("WARN: %s", err)
					w.WriteHeader(http.StatusInternalServerError)
					w.Write([]byte("internal server error"))
					return
				}
			}

			if shareToken.MediaID != nil && media_id != *shareToken.MediaID {
				w.WriteHeader(http.StatusForbidden)
				w.Write([]byte("unauthorized"))
				return
			}

		}

		var cachedPath string
		var file *os.File = nil

		if purpose == models.PhotoThumbnail || purpose == models.PhotoHighRes {
			cachedPath = path.Join(scanner.PhotoCache(), strconv.Itoa(media.AlbumId), strconv.Itoa(media_id), media_name)
		}

		if purpose == models.MediaOriginal {
			cachedPath = media.Path
		}

		file, err = os.Open(cachedPath)
		if err != nil {
			if os.IsNotExist(err) {
				tx, err := db.Begin()
				if err != nil {
					log.Printf("ERROR: %s\n", err)
					w.WriteHeader(http.StatusInternalServerError)
					w.Write([]byte("internal server error"))
					return
				}

				_, err = scanner.ProcessMedia(tx, media)
				if err != nil {
					log.Printf("ERROR: processing image not found in cache: %s\n", err)
					w.WriteHeader(http.StatusInternalServerError)
					w.Write([]byte("internal server error"))
					tx.Rollback()
					return
				}

				file, err = os.Open(cachedPath)
				if err != nil {
					log.Printf("ERROR: after reprocessing image not found in cache: %s\n", err)
					w.WriteHeader(http.StatusInternalServerError)
					w.Write([]byte("internal server error"))
					tx.Rollback()
					return
				}

				tx.Commit()
			}
		}

		w.Header().Set("Content-Type", content_type)
		if stats, err := file.Stat(); err == nil {
			w.Header().Set("Content-Length", fmt.Sprintf("%d", stats.Size()))
		}

		io.Copy(w, file)
	})
}
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`package routes`

			`import (`
			`"database/sql"`
			`"fmt"`
			`"io"`
Secure public photos with the "public token" 2020-02-21 12:05:28 +01:00			`"log"`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`"net/http"`
			`"os"`
Support PHOTO_CACHE env variable 2020-02-23 12:43:45 +01:00			`"path"`
			`"strconv"`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00
Work towards subscriptions - Replace chi with gorilla/mux - Write custom CORS rules - Start on notification subscriptions 2020-02-21 16:50:50 +01:00			`"github.com/gorilla/mux"`
Prepare back-end for token password 2020-06-14 17:58:50 +02:00			`"golang.org/x/crypto/bcrypt"`
Work towards subscriptions - Replace chi with gorilla/mux - Write custom CORS rules - Start on notification subscriptions 2020-02-21 16:50:50 +01:00
Protect photos from public access 2020-02-20 17:31:41 +01:00			`"github.com/viktorstrate/photoview/api/graphql/auth"`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`"github.com/viktorstrate/photoview/api/graphql/models"`
Support PHOTO_CACHE env variable 2020-02-23 12:43:45 +01:00			`"github.com/viktorstrate/photoview/api/scanner"`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`)`

Work towards subscriptions - Replace chi with gorilla/mux - Write custom CORS rules - Start on notification subscriptions 2020-02-21 16:50:50 +01:00			`func RegisterPhotoRoutes(db sql.DB, router mux.Router) {`

			`router.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {`
Huge refactor: rename photo to media To prepare for video support Migrate database rename tables and columns: - photo to media - photo_url to media_url - photo_exif to media_exif - Update api accordingly 2020-07-10 14:26:19 +02:00			`media_name := mux.Vars(r)["name"]`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00
Huge refactor: rename photo to media To prepare for video support Migrate database rename tables and columns: - photo to media - photo_url to media_url - photo_exif to media_exif - Update api accordingly 2020-07-10 14:26:19 +02:00			`row := db.QueryRow("SELECT media_url.purpose, media_url.content_type, media_url.media_id FROM media_url, media WHERE media_url.media_name = ? AND media_url.media_id = media.media_id", media_name)`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00
Start on video processing 2020-07-10 12:58:11 +02:00			`var purpose models.MediaPurpose`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`var content_type string`
Huge refactor: rename photo to media To prepare for video support Migrate database rename tables and columns: - photo to media - photo_url to media_url - photo_exif to media_exif - Update api accordingly 2020-07-10 14:26:19 +02:00			`var media_id int`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00
Huge refactor: rename photo to media To prepare for video support Migrate database rename tables and columns: - photo to media - photo_url to media_url - photo_exif to media_exif - Update api accordingly 2020-07-10 14:26:19 +02:00			`if err := row.Scan(&purpose, &content_type, &media_id); err != nil {`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`w.WriteHeader(http.StatusNotFound)`
			`w.Write([]byte("404"))`
			`return`
			`}`

Huge refactor: rename photo to media To prepare for video support Migrate database rename tables and columns: - photo to media - photo_url to media_url - photo_exif to media_exif - Update api accordingly 2020-07-10 14:26:19 +02:00			`row = db.QueryRow("SELECT * FROM media WHERE media_id = ?", media_id)`
			`media, err := models.NewMediaFromRow(row)`
Improve stability of scanner 2020-02-23 18:00:08 +01:00			`if err != nil {`
			`log.Printf("WARN: %s", err)`
			`w.WriteHeader(http.StatusInternalServerError)`
			`w.Write([]byte("internal server error"))`
			`}`

Protect photos from public access 2020-02-20 17:31:41 +01:00			`user := auth.UserFromContext(r.Context())`
			`if user != nil {`
Huge refactor: rename photo to media To prepare for video support Migrate database rename tables and columns: - photo to media - photo_url to media_url - photo_exif to media_exif - Update api accordingly 2020-07-10 14:26:19 +02:00			`row := db.QueryRow("SELECT owner_id FROM album WHERE album.album_id = ?", media.AlbumId)`
Protect photos from public access 2020-02-20 17:31:41 +01:00			`var owner_id int`

			`if err := row.Scan(&owner_id); err != nil {`
Secure public photos with the "public token" 2020-02-21 12:05:28 +01:00			`log.Printf("WARN: %s", err)`
Protect photos from public access 2020-02-20 17:31:41 +01:00			`w.WriteHeader(http.StatusInternalServerError)`
			`w.Write([]byte("internal server error"))`
			`return`
			`}`

			`if owner_id != user.UserID {`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Write([]byte("invalid credentials"))`
			`return`
			`}`
			`} else {`
Prepare back-end for token password 2020-06-14 17:58:50 +02:00			`// Check if photo is authorized with a share token`
Secure public photos with the "public token" 2020-02-21 12:05:28 +01:00			`token := r.URL.Query().Get("token")`
			`if token == "" {`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Write([]byte("unauthorized"))`
			`return`
			`}`

			`row := db.QueryRow("SELECT * FROM share_token WHERE value = ?", token)`

			`shareToken, err := models.NewShareTokenFromRow(row)`
			`if err != nil {`
			`log.Printf("WARN: %s", err)`
			`w.WriteHeader(http.StatusInternalServerError)`
			`w.Write([]byte("internal server error"))`
			`return`
			`}`

Prepare back-end for token password 2020-06-14 17:58:50 +02:00			`// Validate share token password, if set`
			`if shareToken.Password != nil {`
			`tokenPassword := r.Header.Get("TokenPassword")`

			`if err := bcrypt.CompareHashAndPassword([]byte(*shareToken.Password), []byte(tokenPassword)); err != nil {`
			`if err == bcrypt.ErrMismatchedHashAndPassword {`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Write([]byte("unauthorized"))`
			`return`
			`} else {`
			`w.WriteHeader(http.StatusInternalServerError)`
			`w.Write([]byte("internal server error"))`
			`return`
			`}`
			`}`
			`}`

Huge refactor: rename photo to media To prepare for video support Migrate database rename tables and columns: - photo to media - photo_url to media_url - photo_exif to media_exif - Update api accordingly 2020-07-10 14:26:19 +02:00			`if shareToken.AlbumID != nil && media.AlbumId != *shareToken.AlbumID {`
Secure public photos with the "public token" 2020-02-21 12:05:28 +01:00			`// Check child albums`
			row := db.QueryRow(`
			`WITH recursive child_albums AS (`
			`SELECT * FROM album WHERE parent_album = ?`
			`UNION ALL`
			`SELECT child.* FROM album child JOIN child_albums parent ON parent.album_id = child.parent_album`
			`)`
			`SELECT * FROM child_albums WHERE album_id = ?`
Huge refactor: rename photo to media To prepare for video support Migrate database rename tables and columns: - photo to media - photo_url to media_url - photo_exif to media_exif - Update api accordingly 2020-07-10 14:26:19 +02:00			`, *shareToken.AlbumID, media.AlbumId)
Secure public photos with the "public token" 2020-02-21 12:05:28 +01:00
			`_, err := models.NewAlbumFromRow(row)`
			`if err != nil {`
			`if err == sql.ErrNoRows {`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Write([]byte("unauthorized"))`
			`return`
			`}`
			`log.Printf("WARN: %s", err)`
			`w.WriteHeader(http.StatusInternalServerError)`
			`w.Write([]byte("internal server error"))`
			`return`
			`}`
			`}`

Huge refactor: rename photo to media To prepare for video support Migrate database rename tables and columns: - photo to media - photo_url to media_url - photo_exif to media_exif - Update api accordingly 2020-07-10 14:26:19 +02:00			`if shareToken.MediaID != nil && media_id != *shareToken.MediaID {`
Secure public photos with the "public token" 2020-02-21 12:05:28 +01:00			`w.WriteHeader(http.StatusForbidden)`
			`w.Write([]byte("unauthorized"))`
			`return`
			`}`

Protect photos from public access 2020-02-20 17:31:41 +01:00			`}`

Improve stability of scanner 2020-02-23 18:00:08 +01:00			`var cachedPath string`
			`var file *os.File = nil`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00
Make scanner generate high-res jpg If original image format is not supported in browser 2020-02-14 13:31:44 +01:00			`if purpose == models.PhotoThumbnail \|\| purpose == models.PhotoHighRes {`
Huge refactor: rename photo to media To prepare for video support Migrate database rename tables and columns: - photo to media - photo_url to media_url - photo_exif to media_exif - Update api accordingly 2020-07-10 14:26:19 +02:00			`cachedPath = path.Join(scanner.PhotoCache(), strconv.Itoa(media.AlbumId), strconv.Itoa(media_id), media_name)`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`}`

Start on video processing 2020-07-10 12:58:11 +02:00			`if purpose == models.MediaOriginal {`
Huge refactor: rename photo to media To prepare for video support Migrate database rename tables and columns: - photo to media - photo_url to media_url - photo_exif to media_exif - Update api accordingly 2020-07-10 14:26:19 +02:00			`cachedPath = media.Path`
Improve stability of scanner 2020-02-23 18:00:08 +01:00			`}`

			`file, err = os.Open(cachedPath)`
			`if err != nil {`
			`if os.IsNotExist(err) {`
			`tx, err := db.Begin()`
			`if err != nil {`
			`log.Printf("ERROR: %s\n", err)`
			`w.WriteHeader(http.StatusInternalServerError)`
			`w.Write([]byte("internal server error"))`
			`return`
			`}`

Huge refactor: rename photo to media To prepare for video support Migrate database rename tables and columns: - photo to media - photo_url to media_url - photo_exif to media_exif - Update api accordingly 2020-07-10 14:26:19 +02:00			`_, err = scanner.ProcessMedia(tx, media)`
Improve stability of scanner 2020-02-23 18:00:08 +01:00			`if err != nil {`
			`log.Printf("ERROR: processing image not found in cache: %s\n", err)`
			`w.WriteHeader(http.StatusInternalServerError)`
			`w.Write([]byte("internal server error"))`
			`tx.Rollback()`
			`return`
			`}`

			`file, err = os.Open(cachedPath)`
			`if err != nil {`
			`log.Printf("ERROR: after reprocessing image not found in cache: %s\n", err)`
			`w.WriteHeader(http.StatusInternalServerError)`
			`w.Write([]byte("internal server error"))`
			`tx.Rollback()`
			`return`
			`}`

			`tx.Commit()`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`}`
			`}`

Support PHOTO_CACHE env variable 2020-02-23 12:43:45 +01:00			`w.Header().Set("Content-Type", content_type)`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`if stats, err := file.Stat(); err == nil {`
			`w.Header().Set("Content-Length", fmt.Sprintf("%d", stats.Size()))`
			`}`

			`io.Copy(w, file)`
			`})`
			`}`