add short lived token support in case of query security (event source…

… not supporting header nor post)

#165

src/clj/swarmpit/authorization.clj

@@ -59,9 +59,8 @@
              :handler {:and [authenticated-access admin-access]}}
             {:pattern #"^/login$"
              :handler any-access}
-            {:pattern        #"^/events"
-             :request-method :post
-             :handler        any-access}
+            {:pattern #"^/events"
+             :handler any-access}
             {:pattern #"^/version$"
              :handler any-access}
             {:pattern #"^/$"

src/clj/swarmpit/handler.clj

@@ -3,6 +3,7 @@
             [clojure.java.io :as io]
             [swarmpit.version :refer [version]]
             [swarmpit.api :as api]
+            [swarmpit.slt :as slt]
             [swarmpit.token :as token]))
 
 (defn resp-error
@@ -48,6 +49,12 @@
   (fn [_]
     (resp-ok version)))
 
+;; SLT handler
+
+(defmethod dispatch :slt [_]
+  (fn [_]
+    (resp-ok {:slt (slt/create)})))
+
 ;; Login handler
 
 (defmethod dispatch :login [_]

src/clj/swarmpit/handler_events.clj

@@ -1,8 +1,10 @@
 (ns swarmpit.handler-events
   (:require [org.httpkit.server :refer [run-server with-channel on-close send! close]]
-            [immutant.scheduling :refer :all]
+            [clojure.walk :refer [keywordize-keys]]
             [cheshire.core :refer [generate-string]]
-            [swarmpit.handler :refer [dispatch resp-accepted resp-error]]))
+            [immutant.scheduling :refer :all]
+            [swarmpit.slt :as slt]
+            [swarmpit.handler :refer [dispatch resp-accepted resp-error resp-unauthorized]]))
 
 (def channel-hub (atom {}))
 
@@ -12,16 +14,19 @@
       (send! channel message false))))
 
 (defmethod dispatch :events [_]
-  (fn [request]
-    (with-channel request channel
-                  (send! channel {:status  200
-                                  :headers {"Content-Type"  "text/event-stream"
-                                            "Cache-Control" "no-cache"
-                                            "Connection"    "keep-alive"}
-                                  :body    ":ok\n\n"} false)
-                  (swap! channel-hub assoc channel request)
-                  (on-close channel (fn [_]
-                                      (swap! channel-hub dissoc channel))))))
+  (fn [{:keys [query-params] :as request}]
+    (let [slt (-> (keywordize-keys query-params) :slt)]
+      (if (slt/valid? slt)
+        (with-channel request channel
+                      (send! channel {:status  200
+                                      :headers {"Content-Type"  "text/event-stream"
+                                                "Cache-Control" "no-cache"
+                                                "Connection"    "keep-alive"}
+                                      :body    ":ok\n\n"} false)
+                      (swap! channel-hub assoc channel request)
+                      (on-close channel (fn [_]
+                                          (swap! channel-hub dissoc channel))))
+        (resp-unauthorized "Invalid slt")))))
 
 (defmethod dispatch :event-push [_]
   (fn [{:keys [params]}]

src/clj/swarmpit/slt.clj

@@ -0,0 +1,25 @@
+(ns swarmpit.slt
+  (:require [clojure.core.cache :as cache]
+            [swarmpit.uuid :refer [uuid]]
+            [swarmpit.base64 :as base64]))
+
+(def cache (atom (cache/ttl-cache-factory {} :ttl 10000)))
+
+(defn- generate
+  []
+  (->> (uuid)
+       (base64/encode)))
+
+(defn create
+  []
+  (let [slt (generate)]
+    (swap! cache assoc slt "slt")
+    slt))
+
+(defn valid?
+  [slt]
+  (if (cache/has? @cache slt)
+    true
+    false))
+
+

src/cljc/swarmpit/routes.cljc

@@ -8,6 +8,7 @@
                          :post :event-push}
        "/version"       {:get :version}
        "/login"         {:post :login}
+       "/slt"           {:get :slt}
        "/password"      {:post :password}
        "/distribution/" {"public"     {:get {"/repositories" :public-repositories
                                              "/tags"         :public-repository-tags