Feature: Improve config for http server (#67)

* feat: improve config for http server * Feature: Support multiple action status per release (#69) * feat: move release actions to separate table * chore: update sqlite driver * fix(indexers): btn api client (#71) What: * Api key and torrentId in wrong order * Set hardcoded ID in jsonrpc request object * ParsetorrentId from url Fixes #68 * feat: show irc network status in settings list * feat: show irc channel status * chore: go mod tidy * feat: improve config for http server * feat: add context to user repo * feat: only set secure cookie if https
2025-07-23 08:49:13 +00:00 · 2022-01-09 14:41:48 +01:00 · 2022-01-09 14:41:48 +01:00 · efa84fee8b
commit efa84fee8b
parent 3475dddec7
9 changed files with 74 additions and 56 deletions
--- a/internal/http/auth.go
+++ b/internal/http/auth.go
@ -1,38 +1,37 @@
 package http

 import (
+	"context"
 	"encoding/json"
 	"net/http"

 	"github.com/go-chi/chi"
 	"github.com/gorilla/sessions"

-	"github.com/autobrr/autobrr/internal/config"
 	"github.com/autobrr/autobrr/internal/domain"
 )

 type authService interface {
-	Login(username, password string) (*domain.User, error)
+	Login(ctx context.Context, username, password string) (*domain.User, error)
 }

 type authHandler struct {
 	encoder encoder
+	config  domain.Config
 	service authService
+
+	cookieStore *sessions.CookieStore
 }

-func newAuthHandler(encoder encoder, service authService) *authHandler {
+func newAuthHandler(encoder encoder, config domain.Config, cookieStore *sessions.CookieStore, service authService) *authHandler {
 	return &authHandler{
-		encoder: encoder,
-		service: service,
+		encoder:     encoder,
+		config:      config,
+		service:     service,
+		cookieStore: cookieStore,
 	}
 }

-var (
-	// key will only be valid as long as it's running.
-	key   = []byte(config.Config.SessionSecret)
-	store = sessions.NewCookieStore(key)
-)
-
 func (h authHandler) Routes(r chi.Router) {
 	r.Post("/login", h.login)
 	r.Post("/logout", h.logout)
@ -51,12 +50,23 @@ func (h authHandler) login(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	store.Options.Secure = true
-	store.Options.HttpOnly = true
-	store.Options.SameSite = http.SameSiteStrictMode
-	session, _ := store.Get(r, "user_session")
+	h.cookieStore.Options.HttpOnly = true
+	h.cookieStore.Options.SameSite = http.SameSiteLaxMode
+	h.cookieStore.Options.Path = h.config.BaseURL

-	_, err := h.service.Login(data.Username, data.Password)
+	// autobrr does not support serving on TLS / https, so this is only available behind reverse proxy
+	// if forwarded protocol is https then set cookie secure
+	// SameSite Strict can only be set with a secure cookie. So we overwrite it here if possible.
+	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+	fwdProto := r.Header.Get("X-Forwarded-Proto")
+	if fwdProto == "https" {
+		h.cookieStore.Options.Secure = true
+		h.cookieStore.Options.SameSite = http.SameSiteStrictMode
+	}
+
+	session, _ := h.cookieStore.Get(r, "user_session")
+
+	_, err := h.service.Login(ctx, data.Username, data.Password)
 	if err != nil {
 		h.encoder.StatusResponse(ctx, w, nil, http.StatusUnauthorized)
 		return
@ -72,7 +82,7 @@ func (h authHandler) login(w http.ResponseWriter, r *http.Request) {
 func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

-	session, _ := store.Get(r, "user_session")
+	session, _ := h.cookieStore.Get(r, "user_session")

 	// Revoke users authentication
 	session.Values["authenticated"] = false
@ -83,7 +93,7 @@ func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {

 func (h authHandler) test(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
-	session, _ := store.Get(r, "user_session")
+	session, _ := h.cookieStore.Get(r, "user_session")

 	// Check if user is authenticated
 	if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {
--- a/internal/http/middleware.go
+++ b/internal/http/middleware.go
@ -2,10 +2,10 @@ package http

 import "net/http"

-func IsAuthenticated(next http.Handler) http.Handler {
+func (s Server) IsAuthenticated(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// check session
-		session, _ := store.Get(r, "user_session")
+		session, _ := s.cookieStore.Get(r, "user_session")

 		// Check if user is authenticated
 		if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {
--- a/internal/http/server.go
+++ b/internal/http/server.go
@ -1,14 +1,16 @@
 package http

 import (
+	"fmt"
 	"io/fs"
 	"net"
 	"net/http"

-	"github.com/autobrr/autobrr/internal/config"
+	"github.com/autobrr/autobrr/internal/domain"
 	"github.com/autobrr/autobrr/web"

 	"github.com/go-chi/chi"
+	"github.com/gorilla/sessions"
 	"github.com/r3labs/sse/v2"
 	"github.com/rs/cors"
 )
@ -16,8 +18,8 @@ import (
 type Server struct {
 	sse *sse.Server

-	address string
-	baseUrl string
+	config      domain.Config
+	cookieStore *sessions.CookieStore

 	version string
 	commit  string
@ -32,15 +34,16 @@ type Server struct {
 	releaseService        releaseService
 }

-func NewServer(sse *sse.Server, address string, baseUrl string, version string, commit string, date string, actionService actionService, authService authService, downloadClientSvc downloadClientService, filterSvc filterService, indexerSvc indexerService, ircSvc ircService, releaseSvc releaseService) Server {
+func NewServer(config domain.Config, sse *sse.Server, version string, commit string, date string, actionService actionService, authService authService, downloadClientSvc downloadClientService, filterSvc filterService, indexerSvc indexerService, ircSvc ircService, releaseSvc releaseService) Server {
 	return Server{
+		config:  config,
 		sse:     sse,
-		address: address,
-		baseUrl: baseUrl,
 		version: version,
 		commit:  commit,
 		date:    date,

+		cookieStore: sessions.NewCookieStore([]byte(config.SessionSecret)),
+
 		actionService:         actionService,
 		authService:           authService,
 		downloadClientService: downloadClientSvc,
@ -52,7 +55,8 @@ func NewServer(sse *sse.Server, address string, baseUrl string, version string,
 }

 func (s Server) Open() error {
-	listener, err := net.Listen("tcp", s.address)
+	addr := fmt.Sprintf("%v:%v", s.config.Host, s.config.Port)
+	listener, err := net.Listen("tcp", addr)
 	if err != nil {
 		return err
 	}
@ -91,10 +95,10 @@ func (s Server) Handler() http.Handler {
 		fileSystem.ServeHTTP(w, r)
 	})

-	r.Route("/api/auth", newAuthHandler(encoder, s.authService).Routes)
+	r.Route("/api/auth", newAuthHandler(encoder, s.config, s.cookieStore, s.authService).Routes)

 	r.Group(func(r chi.Router) {
-		r.Use(IsAuthenticated)
+		r.Use(s.IsAuthenticated)

 		r.Route("/api", func(r chi.Router) {
 			r.Route("/actions", newActionHandler(encoder, s.actionService).Routes)
@ -121,17 +125,17 @@ func (s Server) Handler() http.Handler {
 	})

 	//r.HandleFunc("/*", handler.ServeHTTP)
-	r.Get("/", index)
-	r.Get("/*", index)
+	r.Get("/", s.index)
+	r.Get("/*", s.index)

 	return r
 }

-func index(w http.ResponseWriter, r *http.Request) {
+func (s Server) index(w http.ResponseWriter, r *http.Request) {
 	p := web.IndexParams{
 		Title:   "Dashboard",
-		Version: "thisistheversion",
-		BaseUrl: config.Config.BaseURL,
+		Version: s.version,
+		BaseUrl: s.config.BaseURL,
 	}
 	web.Index(w, p)
 }