photoview/api/routes/photos.go

package routes

import (
	"database/sql"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"

	"github.com/gorilla/mux"

	"github.com/viktorstrate/photoview/api/graphql/auth"
	"github.com/viktorstrate/photoview/api/graphql/models"
)

func RegisterPhotoRoutes(db *sql.DB, router *mux.Router) {

	router.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {
		image_name := mux.Vars(r)["name"]

		row := db.QueryRow("SELECT photo_url.purpose, photo.path, photo.photo_id, photo.album_id, photo_url.content_type FROM photo_url, photo WHERE photo_url.photo_name = ? AND photo_url.photo_id = photo.photo_id", image_name)

		var purpose models.PhotoPurpose
		var path string
		var content_type string
		var album_id int
		var photo_id int

		if err := row.Scan(&purpose, &path, &photo_id, &album_id, &content_type); err != nil {
			w.WriteHeader(http.StatusNotFound)
			w.Write([]byte("404"))
			return
		}

		user := auth.UserFromContext(r.Context())
		if user != nil {
			row := db.QueryRow("SELECT owner_id FROM album WHERE album.album_id = ?", album_id)
			var owner_id int

			if err := row.Scan(&owner_id); err != nil {
				log.Printf("WARN: %s", err)
				w.WriteHeader(http.StatusInternalServerError)
				w.Write([]byte("internal server error"))
				return
			}

			if owner_id != user.UserID {
				w.WriteHeader(http.StatusForbidden)
				w.Write([]byte("invalid credentials"))
				return
			}
		} else {

			token := r.URL.Query().Get("token")
			if token == "" {
				w.WriteHeader(http.StatusForbidden)
				w.Write([]byte("unauthorized"))
				return
			}

			row := db.QueryRow("SELECT * FROM share_token WHERE value = ?", token)

			shareToken, err := models.NewShareTokenFromRow(row)
			if err != nil {
				log.Printf("WARN: %s", err)
				w.WriteHeader(http.StatusInternalServerError)
				w.Write([]byte("internal server error"))
				return
			}

			if shareToken.AlbumID != nil && album_id != *shareToken.AlbumID {
				// Check child albums
				row := db.QueryRow(`
					WITH recursive child_albums AS (
						SELECT * FROM album WHERE parent_album = ?
						UNION ALL
						SELECT child.* FROM album child JOIN child_albums parent ON parent.album_id = child.parent_album
					)
					SELECT * FROM child_albums WHERE album_id = ?
				`, *shareToken.AlbumID, album_id)

				_, err := models.NewAlbumFromRow(row)
				if err != nil {
					if err == sql.ErrNoRows {
						w.WriteHeader(http.StatusForbidden)
						w.Write([]byte("unauthorized"))
						return
					}
					log.Printf("WARN: %s", err)
					w.WriteHeader(http.StatusInternalServerError)
					w.Write([]byte("internal server error"))
					return
				}
			}

			if shareToken.PhotoID != nil && photo_id != *shareToken.PhotoID {
				w.WriteHeader(http.StatusForbidden)
				w.Write([]byte("unauthorized"))
				return
			}

		}

		w.Header().Set("Content-Type", content_type)

		var file *os.File

		if purpose == models.PhotoThumbnail || purpose == models.PhotoHighRes {
			var err error
			file, err = os.Open(fmt.Sprintf("./image-cache/%d/%d/%s", album_id, photo_id, image_name))
			if err != nil {
				w.Write([]byte("Error: " + err.Error()))
				return
			}
		}

		if purpose == models.PhotoOriginal {
			var err error
			file, err = os.Open(path)
			if err != nil {
				w.Write([]byte("Error: " + err.Error()))
				return
			}
		}

		if stats, err := file.Stat(); err == nil {
			w.Header().Set("Content-Length", fmt.Sprintf("%d", stats.Size()))
		}

		io.Copy(w, file)
	})
}
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`package routes`

			`import (`
			`"database/sql"`
			`"fmt"`
			`"io"`
Secure public photos with the "public token" 2020-02-21 12:05:28 +01:00			`"log"`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`"net/http"`
			`"os"`

Work towards subscriptions - Replace chi with gorilla/mux - Write custom CORS rules - Start on notification subscriptions 2020-02-21 16:50:50 +01:00			`"github.com/gorilla/mux"`

Protect photos from public access 2020-02-20 17:31:41 +01:00			`"github.com/viktorstrate/photoview/api/graphql/auth"`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`"github.com/viktorstrate/photoview/api/graphql/models"`
			`)`

Work towards subscriptions - Replace chi with gorilla/mux - Write custom CORS rules - Start on notification subscriptions 2020-02-21 16:50:50 +01:00			`func RegisterPhotoRoutes(db sql.DB, router mux.Router) {`

			`router.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {`
			`image_name := mux.Vars(r)["name"]`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00
Work on scanner + add launch.json for vscode 2020-02-11 23:35:35 +01:00			`row := db.QueryRow("SELECT photo_url.purpose, photo.path, photo.photo_id, photo.album_id, photo_url.content_type FROM photo_url, photo WHERE photo_url.photo_name = ? AND photo_url.photo_id = photo.photo_id", image_name)`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00
			`var purpose models.PhotoPurpose`
			`var path string`
			`var content_type string`
			`var album_id int`
Work on scanner + add launch.json for vscode 2020-02-11 23:35:35 +01:00			`var photo_id int`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00
Work on scanner + add launch.json for vscode 2020-02-11 23:35:35 +01:00			`if err := row.Scan(&purpose, &path, &photo_id, &album_id, &content_type); err != nil {`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`w.WriteHeader(http.StatusNotFound)`
			`w.Write([]byte("404"))`
			`return`
			`}`

Protect photos from public access 2020-02-20 17:31:41 +01:00			`user := auth.UserFromContext(r.Context())`
			`if user != nil {`
			`row := db.QueryRow("SELECT owner_id FROM album WHERE album.album_id = ?", album_id)`
			`var owner_id int`

			`if err := row.Scan(&owner_id); err != nil {`
Secure public photos with the "public token" 2020-02-21 12:05:28 +01:00			`log.Printf("WARN: %s", err)`
Protect photos from public access 2020-02-20 17:31:41 +01:00			`w.WriteHeader(http.StatusInternalServerError)`
			`w.Write([]byte("internal server error"))`
			`return`
			`}`

			`if owner_id != user.UserID {`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Write([]byte("invalid credentials"))`
			`return`
			`}`
			`} else {`
Secure public photos with the "public token" 2020-02-21 12:05:28 +01:00
			`token := r.URL.Query().Get("token")`
			`if token == "" {`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Write([]byte("unauthorized"))`
			`return`
			`}`

			`row := db.QueryRow("SELECT * FROM share_token WHERE value = ?", token)`

			`shareToken, err := models.NewShareTokenFromRow(row)`
			`if err != nil {`
			`log.Printf("WARN: %s", err)`
			`w.WriteHeader(http.StatusInternalServerError)`
			`w.Write([]byte("internal server error"))`
			`return`
			`}`

			`if shareToken.AlbumID != nil && album_id != *shareToken.AlbumID {`
			`// Check child albums`
			row := db.QueryRow(`
			`WITH recursive child_albums AS (`
			`SELECT * FROM album WHERE parent_album = ?`
			`UNION ALL`
			`SELECT child.* FROM album child JOIN child_albums parent ON parent.album_id = child.parent_album`
			`)`
			`SELECT * FROM child_albums WHERE album_id = ?`
			`, *shareToken.AlbumID, album_id)

			`_, err := models.NewAlbumFromRow(row)`
			`if err != nil {`
			`if err == sql.ErrNoRows {`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Write([]byte("unauthorized"))`
			`return`
			`}`
			`log.Printf("WARN: %s", err)`
			`w.WriteHeader(http.StatusInternalServerError)`
			`w.Write([]byte("internal server error"))`
			`return`
			`}`
			`}`

			`if shareToken.PhotoID != nil && photo_id != *shareToken.PhotoID {`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Write([]byte("unauthorized"))`
			`return`
			`}`

Protect photos from public access 2020-02-20 17:31:41 +01:00			`}`

Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`w.Header().Set("Content-Type", content_type)`

			`var file *os.File`

Make scanner generate high-res jpg If original image format is not supported in browser 2020-02-14 13:31:44 +01:00			`if purpose == models.PhotoThumbnail \|\| purpose == models.PhotoHighRes {`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`var err error`
Work on scanner + add launch.json for vscode 2020-02-11 23:35:35 +01:00			`file, err = os.Open(fmt.Sprintf("./image-cache/%d/%d/%s", album_id, photo_id, image_name))`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`if err != nil {`
			`w.Write([]byte("Error: " + err.Error()))`
			`return`
			`}`
			`}`

Make scanner generate high-res jpg If original image format is not supported in browser 2020-02-14 13:31:44 +01:00			`if purpose == models.PhotoOriginal {`
Work on photo serving and processing 2020-02-09 14:21:53 +01:00			`var err error`
			`file, err = os.Open(path)`
			`if err != nil {`
			`w.Write([]byte("Error: " + err.Error()))`
			`return`
			`}`
			`}`

			`if stats, err := file.Stat(); err == nil {`
			`w.Header().Set("Content-Length", fmt.Sprintf("%d", stats.Size()))`
			`}`

			`io.Copy(w, file)`
			`})`
			`}`