2019-11-08 06:53:40 +01:00
|
|
|
package api
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
|
|
|
|
2022-04-15 09:42:07 +02:00
|
|
|
"github.com/photoprism/photoprism/pkg/clean"
|
2021-12-14 18:34:52 +01:00
|
|
|
|
2019-11-08 06:53:40 +01:00
|
|
|
"github.com/gin-gonic/gin"
|
2020-06-25 14:54:04 +02:00
|
|
|
"github.com/photoprism/photoprism/internal/acl"
|
2020-06-25 01:20:58 +02:00
|
|
|
"github.com/photoprism/photoprism/internal/entity"
|
2019-12-05 19:21:35 +01:00
|
|
|
"github.com/photoprism/photoprism/internal/form"
|
2020-09-21 09:40:35 +02:00
|
|
|
"github.com/photoprism/photoprism/internal/i18n"
|
2020-04-20 13:50:28 +02:00
|
|
|
"github.com/photoprism/photoprism/internal/service"
|
2020-06-25 01:20:58 +02:00
|
|
|
"github.com/photoprism/photoprism/internal/session"
|
2019-11-08 06:53:40 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// POST /api/v1/session
|
2020-06-25 14:54:04 +02:00
|
|
|
func CreateSession(router *gin.RouterGroup) {
|
2019-11-08 06:53:40 +01:00
|
|
|
router.POST("/session", func(c *gin.Context) {
|
2019-12-05 19:21:35 +01:00
|
|
|
var f form.Login
|
2019-11-08 06:53:40 +01:00
|
|
|
|
2019-12-05 19:21:35 +01:00
|
|
|
if err := c.BindJSON(&f); err != nil {
|
2020-07-04 12:54:35 +02:00
|
|
|
AbortBadRequest(c)
|
2019-11-08 06:53:40 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2020-06-25 14:54:04 +02:00
|
|
|
var data session.Data
|
|
|
|
|
|
|
|
id := SessionID(c)
|
|
|
|
|
|
|
|
if s := Session(id); s.Valid() {
|
|
|
|
data = s
|
|
|
|
} else {
|
|
|
|
data = session.Data{}
|
|
|
|
id = ""
|
|
|
|
}
|
|
|
|
|
|
|
|
conf := service.Config()
|
2020-06-25 01:20:58 +02:00
|
|
|
|
|
|
|
if f.HasToken() {
|
2020-06-26 12:16:13 +02:00
|
|
|
links := entity.FindValidLinks(f.Token, "")
|
2020-06-25 01:20:58 +02:00
|
|
|
|
|
|
|
if len(links) == 0 {
|
2020-09-21 09:40:35 +02:00
|
|
|
c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidLink)})
|
2020-06-25 01:20:58 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
data.Tokens = []string{f.Token}
|
|
|
|
|
|
|
|
for _, link := range links {
|
2020-06-25 14:54:04 +02:00
|
|
|
data.Shares = append(data.Shares, link.ShareUID)
|
2020-06-26 12:16:13 +02:00
|
|
|
link.Redeem()
|
2020-06-25 01:20:58 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 14:54:04 +02:00
|
|
|
// Upgrade from anonymous to guest. Don't downgrade.
|
|
|
|
if data.User.Anonymous() {
|
|
|
|
data.User = entity.Guest
|
|
|
|
}
|
2020-06-25 01:20:58 +02:00
|
|
|
} else if f.HasCredentials() {
|
2020-10-03 13:50:30 +02:00
|
|
|
user := entity.FindUserByName(f.UserName)
|
2020-06-25 01:20:58 +02:00
|
|
|
|
|
|
|
if user == nil {
|
2020-09-21 09:40:35 +02:00
|
|
|
c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidCredentials)})
|
2020-06-25 01:20:58 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if user.InvalidPassword(f.Password) {
|
2020-09-21 09:40:35 +02:00
|
|
|
c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidCredentials)})
|
2020-06-25 01:20:58 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
data.User = *user
|
|
|
|
} else {
|
2020-09-21 09:40:35 +02:00
|
|
|
c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidPassword)})
|
2019-11-08 06:53:40 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2020-06-25 14:54:04 +02:00
|
|
|
if err := service.Session().Update(id, data); err != nil {
|
|
|
|
id = service.Session().Create(data)
|
|
|
|
}
|
2019-11-08 06:53:40 +01:00
|
|
|
|
2021-01-08 09:02:30 +01:00
|
|
|
AddSessionHeader(c, id)
|
2019-11-08 06:53:40 +01:00
|
|
|
|
2020-06-25 01:20:58 +02:00
|
|
|
if data.User.Anonymous() {
|
2020-06-25 14:54:04 +02:00
|
|
|
c.JSON(http.StatusOK, gin.H{"status": "ok", "id": id, "data": data, "config": conf.GuestConfig()})
|
2020-06-25 01:20:58 +02:00
|
|
|
} else {
|
2020-06-25 14:54:04 +02:00
|
|
|
c.JSON(http.StatusOK, gin.H{"status": "ok", "id": id, "data": data, "config": conf.UserConfig()})
|
2020-06-25 01:20:58 +02:00
|
|
|
}
|
2019-11-08 06:53:40 +01:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2020-06-26 12:16:13 +02:00
|
|
|
// DELETE /api/v1/session/:id
|
2020-06-25 14:54:04 +02:00
|
|
|
func DeleteSession(router *gin.RouterGroup) {
|
|
|
|
router.DELETE("/session/:id", func(c *gin.Context) {
|
2022-04-15 09:42:07 +02:00
|
|
|
id := clean.Token(c.Param("id"))
|
2019-11-08 06:53:40 +01:00
|
|
|
|
2020-06-25 14:54:04 +02:00
|
|
|
service.Session().Delete(id)
|
2019-11-08 06:53:40 +01:00
|
|
|
|
2020-06-25 14:54:04 +02:00
|
|
|
c.JSON(http.StatusOK, gin.H{"status": "ok", "id": id})
|
2019-11-08 06:53:40 +01:00
|
|
|
})
|
|
|
|
}
|
2019-11-11 21:10:41 +01:00
|
|
|
|
2020-06-25 14:54:04 +02:00
|
|
|
// Gets session id from HTTP header.
|
|
|
|
func SessionID(c *gin.Context) string {
|
|
|
|
return c.GetHeader("X-Session-ID")
|
2020-06-25 01:20:58 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Session returns the current session data.
|
2020-06-25 14:54:04 +02:00
|
|
|
func Session(id string) session.Data {
|
|
|
|
// Return fake admin session if site is public.
|
|
|
|
if service.Config().Public() {
|
|
|
|
return session.Data{User: entity.Admin}
|
2020-06-25 01:20:58 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 14:54:04 +02:00
|
|
|
// Check if session id is valid.
|
|
|
|
return service.Session().Get(id)
|
|
|
|
}
|
2020-06-25 01:20:58 +02:00
|
|
|
|
2020-06-25 14:54:04 +02:00
|
|
|
// Auth returns the session if user is authorized for the current action.
|
|
|
|
func Auth(id string, resource acl.Resource, action acl.Action) session.Data {
|
|
|
|
sess := Session(id)
|
2020-06-25 01:20:58 +02:00
|
|
|
|
2020-06-25 14:54:04 +02:00
|
|
|
if acl.Permissions.Deny(resource, sess.User.Role(), action) {
|
|
|
|
return session.Data{}
|
2020-06-25 01:20:58 +02:00
|
|
|
}
|
|
|
|
|
2020-06-25 14:54:04 +02:00
|
|
|
return sess
|
2020-06-25 01:20:58 +02:00
|
|
|
}
|
|
|
|
|
2020-06-26 16:11:56 +02:00
|
|
|
// InvalidPreviewToken returns true if the token is invalid.
|
|
|
|
func InvalidPreviewToken(c *gin.Context) bool {
|
2022-04-15 09:42:07 +02:00
|
|
|
token := clean.Token(c.Param("token"))
|
2020-05-27 19:38:40 +02:00
|
|
|
|
|
|
|
if token == "" {
|
2022-04-15 09:42:07 +02:00
|
|
|
token = clean.Token(c.Query("t"))
|
2020-05-27 19:38:40 +02:00
|
|
|
}
|
|
|
|
|
2020-06-26 16:11:56 +02:00
|
|
|
return service.Config().InvalidPreviewToken(token)
|
2020-05-27 19:38:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// InvalidDownloadToken returns true if the token is invalid.
|
2020-06-25 14:54:04 +02:00
|
|
|
func InvalidDownloadToken(c *gin.Context) bool {
|
2022-04-15 09:42:07 +02:00
|
|
|
return service.Config().InvalidDownloadToken(clean.Token(c.Query("t")))
|
2020-05-27 19:38:40 +02:00
|
|
|
}
|