Add HTTP API server for file downloads from Telegram links

Co-authored-by: krau <71133316+krau@users.noreply.github.com>

api/middleware.go

@@ -0,0 +1,116 @@
+package api
+
+import (
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/charmbracelet/log"
+	"github.com/krau/SaveAny-Bot/config"
+)
+
+// authMiddleware validates API token and IP restrictions
+func authMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Skip auth for health check
+		if r.URL.Path == "/health" {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		cfg := config.C()
+
+		// Check IP whitelist if configured
+		if len(cfg.API.TrustedIPs) > 0 {
+			clientIP := getClientIP(r)
+			if !isIPAllowed(clientIP, cfg.API.TrustedIPs) {
+				http.Error(w, `{"error":"forbidden: IP not allowed"}`, http.StatusForbidden)
+				return
+			}
+		}
+
+		// Check token if configured
+		if cfg.API.Token != "" {
+			authHeader := r.Header.Get("Authorization")
+			if authHeader == "" {
+				http.Error(w, `{"error":"unauthorized: missing token"}`, http.StatusUnauthorized)
+				return
+			}
+
+			token := strings.TrimPrefix(authHeader, "Bearer ")
+			if token != cfg.API.Token {
+				http.Error(w, `{"error":"unauthorized: invalid token"}`, http.StatusUnauthorized)
+				return
+			}
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
+// loggingMiddleware logs HTTP requests
+func loggingMiddleware(logger *log.Logger) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			start := time.Now()
+			
+			// Wrap response writer to capture status code
+			wrapper := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
+			
+			next.ServeHTTP(wrapper, r)
+			
+			logger.Infof("%s %s %d %s", r.Method, r.URL.Path, wrapper.statusCode, time.Since(start))
+		})
+	}
+}
+
+type responseWriter struct {
+	http.ResponseWriter
+	statusCode int
+}
+
+func (rw *responseWriter) WriteHeader(code int) {
+	rw.statusCode = code
+	rw.ResponseWriter.WriteHeader(code)
+}
+
+// getClientIP extracts the real client IP from the request
+func getClientIP(r *http.Request) string {
+	// Check X-Forwarded-For header
+	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
+		ips := strings.Split(xff, ",")
+		if len(ips) > 0 {
+			return strings.TrimSpace(ips[0])
+		}
+	}
+
+	// Check X-Real-IP header
+	if xri := r.Header.Get("X-Real-IP"); xri != "" {
+		return xri
+	}
+
+	// Fall back to RemoteAddr
+	ip, _, _ := net.SplitHostPort(r.RemoteAddr)
+	return ip
+}
+
+// isIPAllowed checks if the client IP is in the allowed list
+func isIPAllowed(clientIP string, allowedIPs []string) bool {
+	for _, allowedIP := range allowedIPs {
+		if clientIP == allowedIP || allowedIP == "*" {
+			return true
+		}
+		// Support CIDR notation
+		if strings.Contains(allowedIP, "/") {
+			_, ipNet, err := net.ParseCIDR(allowedIP)
+			if err != nil {
+				continue
+			}
+			if ipNet.Contains(net.ParseIP(clientIP)) {
+				return true
+			}
+		}
+	}
+	return false
+}