refactor, implement link sharing/revoking

Author: reflog

auth/middleware.go

@@ -0,0 +1,68 @@
+package auth
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/charmbracelet/log"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type ctxUserKey struct{}
+
+func GetRequestUsername(r *http.Request) string {
+	if claims, ok := r.Context().Value(ctxUserKey{}).(string); ok {
+		return claims
+	}
+	return ""
+}
+
+func AdminOnly(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if username := GetRequestUsername(r); username != "admin" {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+func Middleware(hmacSecret []byte, next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Check for the presence of the Authorization header
+		authHeader := r.Header.Get("Authorization")
+		var tokenStr string
+		if authHeader == "" {
+			// try getting from query
+			tokenStr = r.URL.Query().Get("token")
+		} else {
+			// Split the header into "Bearer" and the token
+			tokenStr = authHeader[len("Bearer "):]
+		}
+
+		if tokenStr == "" {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		// Check if the token is valid
+		token, err := jwt.Parse(tokenStr, func(token *jwt.Token) (interface{}, error) {
+			return hmacSecret, nil
+		}, jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()}))
+		if err != nil {
+			log.Errorf("Error parsing token: %v", err)
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		if claims, err := token.Claims.GetSubject(); err != nil {
+			log.Errorf("Error parsing token: %v", err)
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		} else {
+			// Store the claims in the request context
+			ctx := context.WithValue(r.Context(), ctxUserKey{}, claims)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		}
+	})
+}

auth/tokens.go

@@ -0,0 +1,16 @@
+package auth
+
+import (
+	"github.com/golang-jwt/jwt/v5"
+	"time"
+)
+
+func GenerateAccessToken(hmacSecret []byte, username string, expiration time.Time) (string, error) {
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+		"sub": username,
+		"exp": expiration.Unix(), // Set the expiration time
+	})
+
+	// Sign and get the complete encoded token as a string using the secret
+	return token.SignedString(hmacSecret)
+}

cmd/cmd_init.go

@@ -1,234 +1,17 @@
 package main
 
 import (
-	"bytes"
-	"context"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"github.com/mdp/qrterminal/v3"
-	box "github.com/sagernet/sing-box"
-	"github.com/sagernet/sing-box/include"
+	"github.com/getlantern/lantern-server-manager/common"
 	"io"
-	"math/rand/v2"
 	"net/http"
-	"net/netip"
-	"os"
 	"strings"
 
 	"github.com/charmbracelet/log"
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	singJson "github.com/sagernet/sing/common/json"
-	"github.com/sagernet/sing/common/json/badjson"
-	"github.com/sagernet/sing/common/json/badoption"
 )
 
 type InitCmd struct {
 }
 
-func GenerateAccessToken(hmacSecret []byte) (string, error) {
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
-		"sub": "admin",
-		// no expiration
-	})
-
-	// Sign and get the complete encoded token as a string using the secret
-	return token.SignedString(hmacSecret)
-}
-
-func PasswordGenerator(passwordLength int) string {
-	lowerCase := "abcdefghijklmnopqrstuvwxyz" // lowercase
-	upperCase := "ABCDEFGHIJKLMNOPQRSTUVWXYZ" // uppercase
-	Numbers := "0123456789"                   // numbers
-	specialChar := "!@#$%^&*()_-+={}[/?]"     // specialchar
-
-	// variable for storing password
-	password := ""
-
-	for n := 0; n < passwordLength; n++ {
-		// NOW RANDOM CHARACTER
-		randNum := rand.N(4)
-
-		switch randNum {
-		case 0:
-			randCharNum := rand.N(len(lowerCase))
-			password += string(lowerCase[randCharNum])
-		case 1:
-			randCharNum := rand.N(len(upperCase))
-			password += string(upperCase[randCharNum])
-		case 2:
-			randCharNum := rand.N(len(Numbers))
-			password += string(Numbers[randCharNum])
-		case 3:
-			randCharNum := rand.N(len(specialChar))
-			password += string(specialChar[randCharNum])
-		}
-	}
-
-	return password
-}
-
-type ServerConfig struct {
-	Port        int    `json:"port"`
-	AccessToken string `json:"access_token"`
-	HMACSecret  string `json:"hmac_secret"`
-}
-
-func (c *ServerConfig) GetNewServerURL(publicIP string) string {
-	return fmt.Sprintf("lantern://new-private-server?ip=%s&port=%d&token=%s", publicIP, c.Port, c.AccessToken)
-}
-func (c *ServerConfig) GetQR(publicIP string) string {
-	qrCode := bytes.NewBufferString("")
-	qrterminal.Generate(c.GetNewServerURL(publicIP), qrterminal.L, qrCode)
-
-	return qrCode.String()
-}
-func readServerConfig() (*ServerConfig, error) {
-	data, err := os.ReadFile("server.json")
-	if err != nil {
-		return nil, err
-	}
-	var config ServerConfig
-	if err := json.Unmarshal(data, &config); err != nil {
-		return nil, err
-	}
-	if config.Port == 0 {
-		return nil, fmt.Errorf("port not set")
-	}
-	if config.AccessToken == "" {
-		return nil, fmt.Errorf("access token not set")
-	}
-	if config.HMACSecret == "" {
-		return nil, fmt.Errorf("hmac secret not set")
-	}
-	return &config, nil
-}
-
-func generateServerConfig() (*ServerConfig, error) {
-	// generate a number that is a valid non-privileged port
-	port := rand.N(65535-1024) + 1024
-	// generate hmac secret
-	hmacSecret := PasswordGenerator(32)
-	// generate an access token
-	accessToken, err := GenerateAccessToken([]byte(hmacSecret))
-	if err != nil {
-		return nil, err
-	}
-	conf := &ServerConfig{
-		Port:        port,
-		AccessToken: accessToken,
-		HMACSecret:  hmacSecret,
-	}
-	// write the config to a file
-	data, err := json.Marshal(conf)
-	if err != nil {
-		return nil, err
-	}
-	log.Infof("Writing intial config to server.json")
-	return conf, os.WriteFile("server.json", data, 0600)
-}
-
-func readSingBoxServerConfig() (*option.Options, error) {
-	data, err := os.ReadFile("sing-box-config.json")
-	if err != nil {
-		return nil, err
-	}
-	globalCtx := box.Context(context.Background(), include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), include.DNSTransportRegistry())
-
-	opt, err := singJson.UnmarshalExtendedContext[option.Options](globalCtx, data)
-	if err != nil {
-		return nil, err
-	}
-	return &opt, nil
-}
-
-func generateSingboxConnectConfig(publicIP, username string) ([]byte, error) {
-	singBoxServerConfig, err := readSingBoxServerConfig()
-	if err != nil {
-		return nil, err
-	}
-	if len(singBoxServerConfig.Inbounds) == 0 {
-		return nil, fmt.Errorf("no inbounds found, invalid config")
-	}
-	inboundOptions, ok := singBoxServerConfig.Inbounds[0].Options.(*option.ShadowsocksInboundOptions)
-	if !ok {
-		return nil, fmt.Errorf("inbound is not shadowsocks")
-	}
-	var password string
-	if username == "admin" {
-		password = inboundOptions.Password
-	} else {
-		for _, u := range inboundOptions.Users {
-			if u.Name == username {
-				password = u.Password
-				break
-			}
-		}
-	}
-	if password == "" {
-		return nil, fmt.Errorf("user not found")
-	}
-	opt := option.Options{
-		Log: &option.LogOptions{
-			Level:  "debug",
-			Output: "stdout",
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: "shadowsocks",
-				Tag:  "ss-outbound",
-				Options: &option.ShadowsocksOutboundOptions{
-					DialerOptions: option.DialerOptions{},
-					ServerOptions: option.ServerOptions{
-						Server:     publicIP,
-						ServerPort: inboundOptions.ListenPort,
-					},
-					Method:   "2022-blake3-aes-128-gcm",
-					Password: password,
-				},
-			},
-		},
-	}
-	return badjson.MarshallObjects(opt)
-}
-
-func generateBasicSingboxServerConfig() error {
-	// generate a number that is a valid non-privileged port
-	port := rand.N(65535-1024) + 1024
-	// generate a password. we are using 2022-blake3-aes-128-gcm so length must be 16
-	password := base64.StdEncoding.EncodeToString([]byte(PasswordGenerator(16)))
-	// generate basic shadowsocks config
-	opt := option.Options{
-		Log: &option.LogOptions{
-			Level:  "debug",
-			Output: "stdout",
-		},
-		Inbounds: []option.Inbound{
-			{
-				Type: "shadowsocks",
-				Tag:  "ss-inbound",
-
-				Options: &option.ShadowsocksInboundOptions{
-					Method: "2022-blake3-aes-128-gcm",
-					ListenOptions: option.ListenOptions{
-						ListenPort: uint16(port),
-						Listen:     common.Ptr(badoption.Addr(netip.AddrFrom4([4]byte{0, 0, 0, 0}))),
-					},
-					Password: password,
-				},
-			},
-		},
-	}
-	data, err := badjson.MarshallObjects(opt)
-	if err != nil {
-		return err
-	}
-	log.Infof("Writing intial vpn config to sing-box-config.json")
-	return os.WriteFile("sing-box-config.json", data, 0644)
-}
-
 func getPublicIP() (string, error) {
 	resp, err := http.Get("https://ifconfig.io")
 	if err != nil {
@@ -244,22 +27,28 @@ func getPublicIP() (string, error) {
 	return strings.TrimSpace(string(body)), nil
 }
 
-func (c InitCmd) Run() error {
-	var err error
-	var config *ServerConfig
-	if config, err = generateServerConfig(); err != nil {
-		return err
+func InitializeConfigs() (*common.ServerConfig, error) {
+	config, err := common.GenerateServerConfig()
+	if err != nil {
+		return nil, err
 	}
-	if err = generateBasicSingboxServerConfig(); err != nil {
-		return err
+	if err = common.GenerateBasicSingboxServerConfig(); err != nil {
+		return nil, err
 	}
+	return config, nil
+}
 
-	printRootToken(config)
+func (c InitCmd) Run() error {
+	if config, err := InitializeConfigs(); err != nil {
+		return err
+	} else {
+		printRootToken(config)
+	}
 
 	return nil
 }
 
-func printRootToken(config *ServerConfig) {
+func printRootToken(config *common.ServerConfig) {
 	publicIP, err := getPublicIP()
 	if err != nil {
 		log.Error("Cannot detect your public IP, please get if from your host provider")