122 lines
2.9 KiB
Go
122 lines
2.9 KiB
Go
package api
|
|
|
|
import (
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/charmbracelet/log"
|
|
"github.com/krau/SaveAny-Bot/config"
|
|
)
|
|
|
|
// authMiddleware validates API token and IP restrictions
|
|
func authMiddleware(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// Skip auth for health check
|
|
if r.URL.Path == "/health" {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
cfg := config.C()
|
|
|
|
// Check IP whitelist if configured
|
|
if len(cfg.API.TrustedIPs) > 0 {
|
|
clientIP := getClientIP(r)
|
|
if !isIPAllowed(clientIP, cfg.API.TrustedIPs) {
|
|
http.Error(w, `{"error":"forbidden: IP not allowed"}`, http.StatusForbidden)
|
|
return
|
|
}
|
|
}
|
|
|
|
// Check token if configured
|
|
if cfg.API.Token != "" {
|
|
authHeader := r.Header.Get("Authorization")
|
|
if authHeader == "" {
|
|
http.Error(w, `{"error":"unauthorized: missing token"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
token := strings.TrimPrefix(authHeader, "Bearer ")
|
|
if token != cfg.API.Token {
|
|
http.Error(w, `{"error":"unauthorized: invalid token"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
// loggingMiddleware logs HTTP requests
|
|
func loggingMiddleware(logger *log.Logger) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
start := time.Now()
|
|
|
|
// Wrap response writer to capture status code
|
|
wrapper := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
|
|
|
|
next.ServeHTTP(wrapper, r)
|
|
|
|
logger.Infof("%s %s %d %s", r.Method, r.URL.Path, wrapper.statusCode, time.Since(start))
|
|
})
|
|
}
|
|
}
|
|
|
|
type responseWriter struct {
|
|
http.ResponseWriter
|
|
statusCode int
|
|
}
|
|
|
|
func (rw *responseWriter) WriteHeader(code int) {
|
|
rw.statusCode = code
|
|
rw.ResponseWriter.WriteHeader(code)
|
|
}
|
|
|
|
// getClientIP extracts the real client IP from the request
|
|
func getClientIP(r *http.Request) string {
|
|
// Check X-Forwarded-For header
|
|
if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
|
|
ips := strings.Split(xff, ",")
|
|
if len(ips) > 0 {
|
|
return strings.TrimSpace(ips[0])
|
|
}
|
|
}
|
|
|
|
// Check X-Real-IP header
|
|
if xri := r.Header.Get("X-Real-IP"); xri != "" {
|
|
return xri
|
|
}
|
|
|
|
// Fall back to RemoteAddr
|
|
ip, _, err := net.SplitHostPort(r.RemoteAddr)
|
|
if err != nil {
|
|
// If SplitHostPort fails, RemoteAddr might not have a port
|
|
// In this case, just return RemoteAddr as is
|
|
return r.RemoteAddr
|
|
}
|
|
return ip
|
|
}
|
|
|
|
// isIPAllowed checks if the client IP is in the allowed list
|
|
func isIPAllowed(clientIP string, allowedIPs []string) bool {
|
|
for _, allowedIP := range allowedIPs {
|
|
if clientIP == allowedIP || allowedIP == "*" {
|
|
return true
|
|
}
|
|
// Support CIDR notation
|
|
if strings.Contains(allowedIP, "/") {
|
|
_, ipNet, err := net.ParseCIDR(allowedIP)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
if ipNet.Contains(net.ParseIP(clientIP)) {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
return false
|
|
}
|