feat: actually glue it together

userstyles-world · May 25, 2021 · 8868ade · 8868ade
1 parent ed0bcb7
commit 8868ade
Show file tree

Hide file tree

Showing 7 changed files with 98 additions and 21 deletions.
diff --git a/handlers/api/jwt.go b/handlers/api/jwt.go
@@ -2,6 +2,7 @@ package api
 
 import (
 	"fmt"
+	"strconv"
 	"strings"
 
 	"github.com/form3tech-oss/jwt-go"
@@ -40,26 +41,42 @@ func MapClaim(c *fiber.Ctx) jwt.MapClaims {
 	return claims
 }
 
-func APIUser(c *fiber.Ctx) (*models.APIUser, bool) {
+type JWTAPIUser struct {
+	models.APIUser
+	StyleID uint
+}
+
+func APIUser(c *fiber.Ctx) (*JWTAPIUser, bool) {
 	s := MapClaim(c)
-	u := &models.APIUser{}
+	u := &JWTAPIUser{}
 
 	if s == nil {
 		return u, false
 	}
 
-	user, err := models.FindUserByID(database.DB, fmt.Sprintf("%d", uint(s["userID"].(float64))))
+	// Just make sure it's the real deal.
+	fUserID, ok := s["userID"].(float64)
+	if !ok {
+		return u, false
+	}
+	userID := strconv.Itoa(int(fUserID))
 
+	user, err := models.FindUserByID(database.DB, userID)
 	if err != nil || user.ID == 0 {
 		return u, false
 	}
 
-	// Type assertion will convert interface{} to other types.
 	u.Username = user.Username
 	u.Email = user.Email
-	u.ID = user.ID
+	u.ID = uint(fUserID)
 	u.Role = user.Role
-	u.Scopes = strings.Split(s["scopes"].(string), ",")
 
+	// As these are "optional" we need to check them first.
+	if Scopes, ok := s["scopes"].(string); ok {
+		u.Scopes = strings.Split(Scopes, ",")
+	}
+	if StyleID, ok := s["styleID"].(float64); ok {
+		u.StyleID = uint(StyleID)
+	}
 	return u, true
 }
diff --git a/handlers/api/styles.go b/handlers/api/styles.go
@@ -2,6 +2,7 @@ package api
 
 import (
 	"fmt"
+	"strconv"
 
 	"github.com/gofiber/fiber/v2"
 	"github.com/ohler55/ojg/oj"
@@ -35,20 +36,36 @@ func StylesGet(c *fiber.Ctx) error {
 
 }
 
-var JsonParser = &oj.Parser{Reuse: true}
+// JSONParser defined options.
+var JSONParser = &oj.Parser{Reuse: true}
 
 func StylePost(c *fiber.Ctx) error {
 	u, _ := APIUser(c)
-	styleID := c.Params("id")
+	sStyleID := c.Params("id")
 
-	if !utils.Contains(u.Scopes, "style") {
+	styleID, err := strconv.Atoi(sStyleID)
+	if err != nil {
+		return c.Status(403).
+			JSON(fiber.Map{
+				"data": "Couldn't parse param \"id\"",
+			})
+	}
+
+	if u.StyleID == 0 && !utils.Contains(u.Scopes, "style") {
 		return c.Status(403).
 			JSON(fiber.Map{
 				"data": "You need the \"style\" scope to do this.",
 			})
 	}
 
-	style, err := models.GetStyleByID(database.DB, styleID)
+	if u.StyleID != 0 && uint(styleID) != u.StyleID {
+		return c.Status(403).
+			JSON(fiber.Map{
+				"data": "This style doesn't belong to you! ╰༼⇀︿⇀༽つ-]═──",
+			})
+	}
+
+	style, err := models.GetStyleByID(database.DB, sStyleID)
 	if err != nil {
 		return c.Status(500).
 			JSON(fiber.Map{
@@ -62,7 +79,7 @@ func StylePost(c *fiber.Ctx) error {
 			})
 	}
 	var postStyle models.Style
-	err = JsonParser.Unmarshal(c.Body(), &postStyle)
+	err = JSONParser.Unmarshal(c.Body(), &postStyle)
 	if err != nil {
 		return c.Status(500).
 			JSON(fiber.Map{
@@ -91,15 +108,31 @@ func StylePost(c *fiber.Ctx) error {
 
 func DeleteStyle(c *fiber.Ctx) error {
 	u, _ := APIUser(c)
-	styleID := c.Params("id")
+	sStyleID := c.Params("id")
 
-	style, err := models.GetStyleByID(database.DB, styleID)
+	styleID, err := strconv.Atoi(sStyleID)
+	if err != nil {
+		return c.Status(403).
+			JSON(fiber.Map{
+				"data": "Couldn't parse param \"id\"",
+			})
+	}
+
+	style, err := models.GetStyleByID(database.DB, sStyleID)
 	if err != nil {
 		return c.Status(500).
 			JSON(fiber.Map{
 				"data": "Error: Couldn't find style with ID.",
 			})
 	}
+
+	if u.StyleID != 0 && uint(styleID) != u.StyleID {
+		return c.Status(403).
+			JSON(fiber.Map{
+				"data": "This style doesn't belong to you! ╰༼⇀︿⇀༽つ-]═──",
+			})
+	}
+
 	if style.UserID != u.ID {
 		return c.Status(403).
 			JSON(fiber.Map{
@@ -110,7 +143,7 @@ func DeleteStyle(c *fiber.Ctx) error {
 	styleModel := new(models.Style)
 	err = database.DB.
 		Debug().
-		Delete(styleModel, "styles.id = ?", styleID).
+		Delete(styleModel, "styles.id = ?", sStyleID).
 		Error
 
 	if err != nil {
@@ -137,7 +170,7 @@ func NewStyle(c *fiber.Ctx) error {
 	}
 
 	var postStyle models.Style
-	err := JsonParser.Unmarshal(c.Body(), &postStyle)
+	err := JSONParser.Unmarshal(c.Body(), &postStyle)
 	if err != nil {
 		fmt.Println(err)
 		return c.Status(500).

diff --git a/handlers/oauth_provider/access_token.go b/handlers/oauth_provider/access_token.go
@@ -49,10 +49,11 @@ func AccessTokenPost(c *fiber.Ctx) error {
 
 	state, userID := claims["state"].(string), uint(claims["userID"].(float64))
 
-	styleID, ok := claims["styleID"].(string)
+	fStyleID, ok := claims["styleID"].(float64)
 	if !ok {
-		styleID = ""
+		fStyleID = 0
 	}
+	styleID := uint(fStyleID)
 
 	if stateQuery != state {
 		return errorMessage(c, 500, "State doesn't match.")
@@ -65,7 +66,7 @@ func AccessTokenPost(c *fiber.Ctx) error {
 
 	var jwt string
 
-	if styleID != "" {
+	if styleID != 0 {
 		jwt, err = utils.NewJWTToken().
 			SetClaim("styleID", styleID).
 			SetClaim("userID", user.ID).

diff --git a/handlers/oauth_provider/authorize_style.go b/handlers/oauth_provider/authorize_style.go
@@ -45,8 +45,15 @@ func AuthorizeStyleGet(c *fiber.Ctx) error {
 		return errorMessage(c, 500, "Couldn't make JWT Token, please notify the admins.")
 	}
 
+	styles, err := models.GetStylesByUser(database.DB, u.Username)
+	if err != nil {
+		fmt.Println("Error: Mo styles find for user", err.Error())
+		return errorMessage(c, 500, "Couldn't retrieve styles of user")
+	}
+
 	arguments := fiber.Map{
 		"User":        u,
+		"Styles":      styles,
 		"OAuth":       OAuth,
 		"SecureToken": utils.PrepareText(jwt, utils.AEAD_OAUTHP),
 	}
@@ -91,10 +98,16 @@ func AuthorizeStylePost(c *fiber.Ctx) error {
 		return errorMessage(c, 500, "JWT Token error, please notify the admins.")
 	}
 
+	style, err := models.GetStyleByID(database.DB, styleID)
+	if err != nil {
+		fmt.Println("Error: Style wasn't found, due to: ", err.Error())
+		return errorMessage(c, 500, "Couldn't retrieve style of user")
+	}
+
 	jwt, err := utils.NewJWTToken().
 		SetClaim("state", state).
 		SetClaim("userID", u.ID).
-		SetClaim("styleID", styleID).
+		SetClaim("styleID", style.ID).
 		SetExpiration(time.Now().Add(time.Minute * 10)).
 		GetSignedString(utils.OAuthPSigningKey)
 

diff --git a/handlers/server.go b/handlers/server.go
@@ -144,6 +144,8 @@ func Initialize() {
 
 	oauthV1 := app.Group("/oauth")
 	oauthV1.Get("/authorize", jwtware.Protected, oauth_provider.AuthorizeGet)
+	oauthV1.Get("/authorize_style", jwtware.Protected, oauth_provider.AuthorizeStyleGet)
+	oauthV1.Post("/authorize_style", jwtware.Protected, oauth_provider.AuthorizeStylePost)
 	oauthV1.Post("/authorize/:id/:token", jwtware.Protected, oauth_provider.AuthorizePost)
 	oauthV1.Post("/access_token", oauth_provider.AccessTokenPost)
 

diff --git a/views/authorize_style.html b/views/authorize_style.html
@@ -16,7 +16,18 @@ <h2 class="sub-title td:d">Userstyles</h2>
                         <p class="description">Please pick an existing style or a new style, that you'd like to link.</p>
                         <div class="grid  flex rwrap mx:r mt:m">
                             {{ range .Styles }}
-                                {{ template "partials/link_style" . }}
+                                {{- $method := printf "oauth/authorize_style?styleID=%d&token=%s&oauthID=%d" .ID $.SecureToken $.OAuth.ID -}}
+                                <div class="card col gap animate bd:o">
+                                    <div class="thumbnail">
+                                        {{ template "partials/preview_image" . }}
+                                    </div>
+                                    <div class="flex cwrap px:m bd:t fg:1 py:m">
+                                        <span class="f:h3 f:b my:0">{{- .Name -}}</span>
+                                    </div>
+                                    <form method="post" action="/{{ $method }}">
+                                        <button class="flex btn primary" type="submit">Link style</button>
+                                    </form>
+                                </div>
                             {{ end }}
                         </div>
                     {{ else }}

diff --git a/views/partials/link_style.html b/views/partials/link_style.html
@@ -1,4 +1,4 @@
-{{- $method :=  printf "oauth/authorize_style?styleID=%d&token=%s&oauthID=%d" .ID .SecureToken .OAuth.ID -}}
+{{- $method := printf "oauth/authorize_style?styleID=%d&token=%s&oauthID=%d" .ID $.SecureToken $.OAuth.ID -}}
 <a class="card col gap animate bd:o" href="{{ $method }}">
     <div class="thumbnail">
         {{ template "partials/preview_image" . }}