photoview/api/routes/authenticate_media.go

package routes

import (
	"fmt"
	"net/http"

	"github.com/photoview/photoview/api/graphql/auth"
	"github.com/photoview/photoview/api/graphql/models"
	"golang.org/x/crypto/bcrypt"
	"gorm.io/gorm"
)

func authenticateMedia(media *models.Media, db *gorm.DB, r *http.Request) (success bool, responseMessage string, responseStatus int, errorMessage error) {
	user := auth.UserFromContext(r.Context())

	if user != nil {
		var album models.Album
		if err := db.First(&album, media.AlbumID).Error; err != nil {
			return false, "internal server error", http.StatusInternalServerError, err
		}

		ownsAlbum, err := user.OwnsAlbum(db, &album)
		if err != nil {
			return false, "internal server error", http.StatusInternalServerError, err
		}

		if !ownsAlbum {
			return false, "invalid credentials", http.StatusForbidden, nil
		}
	} else {
		// Check if photo is authorized with a share token
		token := r.URL.Query().Get("token")
		if token == "" {
			return false, "unauthorized", http.StatusForbidden, nil
		}

		var shareToken models.ShareToken
		if err := db.Where("value = ?", token).First(&shareToken).Error; err != nil {
			return false, "internal server error", http.StatusInternalServerError, err
		}

		// Validate share token password, if set
		if shareToken.Password != nil {
			tokenPasswordCookie, err := r.Cookie(fmt.Sprintf("share-token-pw-%s", shareToken.Value))
			if err != nil {
				return false, "unauthorized", http.StatusForbidden, nil
			}
			// tokenPassword := r.Header.Get("TokenPassword")
			tokenPassword := tokenPasswordCookie.Value

			if err := bcrypt.CompareHashAndPassword([]byte(*shareToken.Password), []byte(tokenPassword)); err != nil {
				if err == bcrypt.ErrMismatchedHashAndPassword {
					return false, "unauthorized", http.StatusForbidden, nil
				} else {
					return false, "internal server error", http.StatusInternalServerError, err
				}
			}
		}

		if shareToken.AlbumID != nil && media.AlbumID != *shareToken.AlbumID {
			// Check child albums

			result := db.Raw(`
					WITH recursive child_albums AS (
						SELECT * FROM album WHERE parent_album = ?
						UNION ALL
						SELECT child.* FROM album child JOIN child_albums parent ON parent.album_id = child.parent_album
					)
					SELECT * FROM child_albums WHERE album_id = ?
				`, *shareToken.AlbumID, media.AlbumID)

			if err := result.Error; err != nil {
				return false, "internal server error", http.StatusInternalServerError, err
			}

			if result.RowsAffected == 0 {
				return false, "unauthorized", http.StatusForbidden, nil
			}
		}

		if shareToken.MediaID != nil && media.ID != *shareToken.MediaID {
			return false, "unauthorized", http.StatusForbidden, nil
		}
	}

	return true, "success", http.StatusAccepted, nil
}
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`package routes`

			`import (`
Use cookie based auth for shares with password 2020-07-13 17:51:53 +02:00			`"fmt"`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`"net/http"`

Update gomod to reflect repo transfer 2020-12-17 22:51:43 +01:00			`"github.com/photoview/photoview/api/graphql/auth"`
			`"github.com/photoview/photoview/api/graphql/models"`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`"golang.org/x/crypto/bcrypt"`
Start on migrating database integration to gorm 2020-11-23 19:39:44 +01:00			`"gorm.io/gorm"`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`)`

Start on migrating database integration to gorm 2020-11-23 19:39:44 +01:00			`func authenticateMedia(media models.Media, db gorm.DB, r *http.Request) (success bool, responseMessage string, responseStatus int, errorMessage error) {`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`user := auth.UserFromContext(r.Context())`

			`if user != nil {`
Replace database, mostly media and video 2020-11-26 20:48:04 +01:00			`var album models.Album`
			`if err := db.First(&album, media.AlbumID).Error; err != nil {`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`return false, "internal server error", http.StatusInternalServerError, err`
			`}`

get initial scanner up and running 2020-12-22 01:14:43 +01:00			`ownsAlbum, err := user.OwnsAlbum(db, &album)`
			`if err != nil {`
			`return false, "internal server error", http.StatusInternalServerError, err`
			`}`

			`if !ownsAlbum {`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`return false, "invalid credentials", http.StatusForbidden, nil`
			`}`
			`} else {`
			`// Check if photo is authorized with a share token`
			`token := r.URL.Query().Get("token")`
			`if token == "" {`
			`return false, "unauthorized", http.StatusForbidden, nil`
			`}`

Replace database, mostly media and video 2020-11-26 20:48:04 +01:00			`var shareToken models.ShareToken`
			`if err := db.Where("value = ?", token).First(&shareToken).Error; err != nil {`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`return false, "internal server error", http.StatusInternalServerError, err`
			`}`

			`// Validate share token password, if set`
			`if shareToken.Password != nil {`
Use cookie based auth for shares with password 2020-07-13 17:51:53 +02:00			`tokenPasswordCookie, err := r.Cookie(fmt.Sprintf("share-token-pw-%s", shareToken.Value))`
			`if err != nil {`
			`return false, "unauthorized", http.StatusForbidden, nil`
			`}`
			`// tokenPassword := r.Header.Get("TokenPassword")`
			`tokenPassword := tokenPasswordCookie.Value`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00
			`if err := bcrypt.CompareHashAndPassword([]byte(*shareToken.Password), []byte(tokenPassword)); err != nil {`
			`if err == bcrypt.ErrMismatchedHashAndPassword {`
			`return false, "unauthorized", http.StatusForbidden, nil`
			`} else {`
			`return false, "internal server error", http.StatusInternalServerError, err`
			`}`
			`}`
			`}`

Migrate album and media sharing 2020-12-17 22:29:24 +01:00			`if shareToken.AlbumID != nil && media.AlbumID != *shareToken.AlbumID {`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`// Check child albums`
Replace database, mostly media and video 2020-11-26 20:48:04 +01:00
			result := db.Raw(`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`WITH recursive child_albums AS (`
			`SELECT * FROM album WHERE parent_album = ?`
			`UNION ALL`
			`SELECT child.* FROM album child JOIN child_albums parent ON parent.album_id = child.parent_album`
			`)`
			`SELECT * FROM child_albums WHERE album_id = ?`
Replace database, mostly media and video 2020-11-26 20:48:04 +01:00			`, *shareToken.AlbumID, media.AlbumID)
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00
Replace database, mostly media and video 2020-11-26 20:48:04 +01:00			`if err := result.Error; err != nil {`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`return false, "internal server error", http.StatusInternalServerError, err`
			`}`
Replace database, mostly media and video 2020-11-26 20:48:04 +01:00
			`if result.RowsAffected == 0 {`
			`return false, "unauthorized", http.StatusForbidden, nil`
			`}`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`}`

Replace database, mostly media and video 2020-11-26 20:48:04 +01:00			`if shareToken.MediaID != nil && media.ID != *shareToken.MediaID {`
Use cookies for authentication instead of header This replaces the current implementation where a bearer header holds the auth-token. Now the same token is being sent using a cookie instead. This greatly simplifies fetching resources (images and video), since the header is sent along implicitly with each request. 2020-07-12 18:52:48 +02:00			`return false, "unauthorized", http.StatusForbidden, nil`
			`}`
			`}`

			`return true, "success", http.StatusAccepted, nil`
			`}`