photoprism/internal/api/session.go

package api

import (
	"net/http"

	"github.com/gin-gonic/gin"
	"github.com/photoprism/photoprism/internal/acl"
	"github.com/photoprism/photoprism/internal/entity"
	"github.com/photoprism/photoprism/internal/form"
	"github.com/photoprism/photoprism/internal/i18n"
	"github.com/photoprism/photoprism/internal/service"
	"github.com/photoprism/photoprism/internal/session"
)

// POST /api/v1/session
func CreateSession(router *gin.RouterGroup) {
	router.POST("/session", func(c *gin.Context) {
		var f form.Login

		if err := c.BindJSON(&f); err != nil {
			AbortBadRequest(c)
			return
		}

		var data session.Data

		id := SessionID(c)

		if s := Session(id); s.Valid() {
			data = s
		} else {
			data = session.Data{}
			id = ""
		}

		conf := service.Config()

		if f.HasToken() {
			links := entity.FindValidLinks(f.Token, "")

			if len(links) == 0 {
				c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidLink)})
			}

			data.Tokens = []string{f.Token}

			for _, link := range links {
				data.Shares = append(data.Shares, link.ShareUID)
				link.Redeem()
			}

			// Upgrade from anonymous to guest. Don't downgrade.
			if data.User.Anonymous() {
				data.User = entity.Guest
			}
		} else if f.HasCredentials() {
			user := entity.FindUserByName(f.UserName)

			if user == nil {
				c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidCredentials)})
				return
			}

			if user.InvalidPassword(f.Password) {
				c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidCredentials)})
				return
			}

			data.User = *user
		} else {
			c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidPassword)})
			return
		}

		if err := service.Session().Update(id, data); err != nil {
			id = service.Session().Create(data)
		}

		c.Header("X-Session-ID", id)

		if data.User.Anonymous() {
			c.JSON(http.StatusOK, gin.H{"status": "ok", "id": id, "data": data, "config": conf.GuestConfig()})
		} else {
			c.JSON(http.StatusOK, gin.H{"status": "ok", "id": id, "data": data, "config": conf.UserConfig()})
		}
	})
}

// DELETE /api/v1/session/:id
func DeleteSession(router *gin.RouterGroup) {
	router.DELETE("/session/:id", func(c *gin.Context) {
		id := c.Param("id")

		service.Session().Delete(id)

		c.JSON(http.StatusOK, gin.H{"status": "ok", "id": id})
	})
}

// Gets session id from HTTP header.
func SessionID(c *gin.Context) string {
	return c.GetHeader("X-Session-ID")
}

// Session returns the current session data.
func Session(id string) session.Data {
	// Return fake admin session if site is public.
	if service.Config().Public() {
		return session.Data{User: entity.Admin}
	}

	// Check if session id is valid.
	return service.Session().Get(id)
}

// Auth returns the session if user is authorized for the current action.
func Auth(id string, resource acl.Resource, action acl.Action) session.Data {
	sess := Session(id)

	if acl.Permissions.Deny(resource, sess.User.Role(), action) {
		return session.Data{}
	}

	return sess
}

// InvalidPreviewToken returns true if the token is invalid.
func InvalidPreviewToken(c *gin.Context) bool {
	token := c.Param("token")

	if token == "" {
		token = c.Query("t")
	}

	return service.Config().InvalidPreviewToken(token)
}

// InvalidDownloadToken returns true if the token is invalid.
func InvalidDownloadToken(c *gin.Context) bool {
	return service.Config().InvalidDownloadToken(c.Query("t"))
}
Basic login for admin #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-08 06:53:40 +01:00			`package api`

			`import (`
			`"net/http"`

			`"github.com/gin-gonic/gin"`
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`"github.com/photoprism/photoprism/internal/acl"`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`"github.com/photoprism/photoprism/internal/entity"`
Albums: Zip download #15 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-12-05 19:21:35 +01:00			`"github.com/photoprism/photoprism/internal/form"`
Backend: Count login attempts and localize error messages Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-09-21 09:40:35 +02:00			`"github.com/photoprism/photoprism/internal/i18n"`
Keep sessions for 7 days Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-04-20 13:50:28 +02:00			`"github.com/photoprism/photoprism/internal/service"`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`"github.com/photoprism/photoprism/internal/session"`
Basic login for admin #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-08 06:53:40 +01:00			`)`

			`// POST /api/v1/session`
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`func CreateSession(router *gin.RouterGroup) {`
Basic login for admin #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-08 06:53:40 +01:00			`router.POST("/session", func(c *gin.Context) {`
Albums: Zip download #15 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-12-05 19:21:35 +01:00			`var f form.Login`
Basic login for admin #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-08 06:53:40 +01:00
Albums: Zip download #15 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-12-05 19:21:35 +01:00			`if err := c.BindJSON(&f); err != nil {`
Backend: Add translations for API messages Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-07-04 12:54:35 +02:00			`AbortBadRequest(c)`
Basic login for admin #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-08 06:53:40 +01:00			`return`
			`}`

Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`var data session.Data`

			`id := SessionID(c)`

			`if s := Session(id); s.Valid() {`
			`data = s`
			`} else {`
			`data = session.Data{}`
			`id = ""`
			`}`

			`conf := service.Config()`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00
			`if f.HasToken() {`
Sharing: Link expiration, view counter and permissions #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-26 12:16:13 +02:00			`links := entity.FindValidLinks(f.Token, "")`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00
			`if len(links) == 0 {`
Backend: Count login attempts and localize error messages Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-09-21 09:40:35 +02:00			`c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidLink)})`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`}`

			`data.Tokens = []string{f.Token}`

			`for _, link := range links {`
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`data.Shares = append(data.Shares, link.ShareUID)`
Sharing: Link expiration, view counter and permissions #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-26 12:16:13 +02:00			`link.Redeem()`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`}`

Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`// Upgrade from anonymous to guest. Don't downgrade.`
			`if data.User.Anonymous() {`
			`data.User = entity.Guest`
			`}`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`} else if f.HasCredentials() {`
Backend: Refactor user entity and add pro package Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-10-03 13:50:30 +02:00			`user := entity.FindUserByName(f.UserName)`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00
			`if user == nil {`
Backend: Count login attempts and localize error messages Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-09-21 09:40:35 +02:00			`c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidCredentials)})`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`return`
			`}`

			`if user.InvalidPassword(f.Password) {`
Backend: Count login attempts and localize error messages Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-09-21 09:40:35 +02:00			`c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidCredentials)})`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`return`
			`}`

			`data.User = *user`
			`} else {`
Backend: Count login attempts and localize error messages Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-09-21 09:40:35 +02:00			`c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidPassword)})`
Basic login for admin #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-08 06:53:40 +01:00			`return`
			`}`

Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`if err := service.Session().Update(id, data); err != nil {`
			`id = service.Session().Create(data)`
			`}`
Basic login for admin #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-08 06:53:40 +01:00
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`c.Header("X-Session-ID", id)`
Basic login for admin #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-08 06:53:40 +01:00
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`if data.User.Anonymous() {`
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`c.JSON(http.StatusOK, gin.H{"status": "ok", "id": id, "data": data, "config": conf.GuestConfig()})`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`} else {`
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`c.JSON(http.StatusOK, gin.H{"status": "ok", "id": id, "data": data, "config": conf.UserConfig()})`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`}`
Basic login for admin #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-08 06:53:40 +01:00			`})`
			`}`

Sharing: Link expiration, view counter and permissions #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-26 12:16:13 +02:00			`// DELETE /api/v1/session/:id`
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`func DeleteSession(router *gin.RouterGroup) {`
			`router.DELETE("/session/:id", func(c *gin.Context) {`
			`id := c.Param("id")`
Basic login for admin #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-08 06:53:40 +01:00
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`service.Session().Delete(id)`
Basic login for admin #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-08 06:53:40 +01:00
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`c.JSON(http.StatusOK, gin.H{"status": "ok", "id": id})`
Basic login for admin #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-08 06:53:40 +01:00			`})`
			`}`
Config: Add public flag to disable auth #16 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2019-11-11 21:10:41 +01:00
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`// Gets session id from HTTP header.`
			`func SessionID(c *gin.Context) string {`
			`return c.GetHeader("X-Session-ID")`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`}`

			`// Session returns the current session data.`
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`func Session(id string) session.Data {`
			`// Return fake admin session if site is public.`
			`if service.Config().Public() {`
			`return session.Data{User: entity.Admin}`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`}`

Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`// Check if session id is valid.`
			`return service.Session().Get(id)`
			`}`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`// Auth returns the session if user is authorized for the current action.`
			`func Auth(id string, resource acl.Resource, action acl.Action) session.Data {`
			`sess := Session(id)`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`if acl.Permissions.Deny(resource, sess.User.Role(), action) {`
			`return session.Data{}`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`}`

Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`return sess`
Sharing: Token authentication #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 01:20:58 +02:00			`}`

Use static logo in sidebar navigation Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-26 16:11:56 +02:00			`// InvalidPreviewToken returns true if the token is invalid.`
			`func InvalidPreviewToken(c *gin.Context) bool {`
Refactor download urls and client config Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 19:38:40 +02:00			`token := c.Param("token")`

			`if token == "" {`
			`token = c.Query("t")`
			`}`

Use static logo in sidebar navigation Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-26 16:11:56 +02:00			`return service.Config().InvalidPreviewToken(token)`
Refactor download urls and client config Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 19:38:40 +02:00			`}`

			`// InvalidDownloadToken returns true if the token is invalid.`
Sharing: ACL authorization for REST API #18 Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-25 14:54:04 +02:00			`func InvalidDownloadToken(c *gin.Context) bool {`
			`return service.Config().InvalidDownloadToken(c.Query("t"))`
Refactor download urls and client config Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 19:38:40 +02:00			`}`