add v2 API routes for admin and bug report management with rate limiting
All checks were successful
Build & Publish Docker Image / build-and-push (push) Successful in 43s
All checks were successful
Build & Publish Docker Image / build-and-push (push) Successful in 43s
This commit is contained in:
Flavio Fois
@@ -35,9 +35,10 @@ var fileRoles = []struct {
|
||||
role models.FileRole
|
||||
defaultMime string
|
||||
}{
|
||||
{"attachment", models.FileRoleAttachment, "application/octet-stream"},
|
||||
{"screenshot", models.FileRoleScreenshot, "image/png"},
|
||||
{"log", models.FileRoleLog, "text/plain"},
|
||||
{"mail_file", models.FileRoleMailFile, "message/rfc822"},
|
||||
{"localstorage", models.FileRoleLocalStorage, "application/json"},
|
||||
{"config", models.FileRoleConfig, "application/json"},
|
||||
}
|
||||
|
||||
func CreateBugReport(db *sqlx.DB) http.HandlerFunc {
|
||||
@@ -47,6 +48,8 @@ func CreateBugReport(db *sqlx.DB) http.HandlerFunc {
|
||||
return
|
||||
}
|
||||
|
||||
log.Println("Req form value", r.Form)
|
||||
|
||||
name := r.FormValue("name")
|
||||
email := r.FormValue("email")
|
||||
description := r.FormValue("description")
|
||||
@@ -91,7 +94,9 @@ func CreateBugReport(db *sqlx.DB) http.HandlerFunc {
|
||||
}
|
||||
|
||||
for _, fr := range fileRoles {
|
||||
log.Println("Processing file role", fr.field)
|
||||
file, header, err := r.FormFile(fr.field)
|
||||
log.Printf("FormFile for field %s returned error: %v", fr.field, err)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
@@ -153,17 +158,12 @@ func GetAllBugReports(db *sqlx.DB) http.HandlerFunc {
|
||||
}
|
||||
}
|
||||
|
||||
status := r.URL.Query().Get("status")
|
||||
search := r.URL.Query().Get("search")
|
||||
offset := (page - 1) * pageSize
|
||||
|
||||
var conditions []string
|
||||
var params []interface{}
|
||||
|
||||
if status != "" {
|
||||
conditions = append(conditions, "br.status = ?")
|
||||
params = append(params, status)
|
||||
}
|
||||
if search != "" {
|
||||
like := "%" + search + "%"
|
||||
conditions = append(conditions, "(br.hostname LIKE ? OR br.os_user LIKE ? OR br.name LIKE ? OR br.email LIKE ?)")
|
||||
@@ -176,20 +176,20 @@ func GetAllBugReports(db *sqlx.DB) http.HandlerFunc {
|
||||
}
|
||||
|
||||
var total int
|
||||
countQuery := fmt.Sprintf("SELECT COUNT(*) FROM emly_bugreports_dev.bug_reports br " + whereClause)
|
||||
countQuery := "SELECT COUNT(*) FROM emly_bugreports_dev.bug_reports br " + whereClause
|
||||
if err := db.GetContext(r.Context(), &total, countQuery, params...); err != nil {
|
||||
jsonError(w, http.StatusInternalServerError, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
mainQuery := fmt.Sprintf(`
|
||||
mainQuery := `
|
||||
SELECT br.*, COUNT(bf.id) as file_count
|
||||
FROM emly_bugreports_dev.bug_reports br
|
||||
LEFT JOIN emly_bugreports_dev.bug_report_files bf ON bf.report_id = br.id
|
||||
` + whereClause + `
|
||||
GROUP BY br.id
|
||||
ORDER BY br.created_at DESC
|
||||
LIMIT ? OFFSET ?`)
|
||||
LIMIT ? OFFSET ?`
|
||||
|
||||
listParams := append(params, pageSize, offset)
|
||||
var reports []models.BugReportListItem
|
||||
@@ -241,8 +241,23 @@ func GetBugReportByID(db *sqlx.DB) http.HandlerFunc {
|
||||
|
||||
func GetReportsCount(db *sqlx.DB) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
rawStatus := r.URL.Query().Get("status")
|
||||
|
||||
query := "SELECT COUNT(*) FROM emly_bugreports_dev.bug_reports"
|
||||
var args []interface{}
|
||||
|
||||
if strings.TrimSpace(rawStatus) != "" {
|
||||
status, ok := models.ParseBugReportStatus(rawStatus)
|
||||
if !ok {
|
||||
jsonError(w, http.StatusBadRequest, "invalid status. allowed values: new, in_review, resolved, closed")
|
||||
return
|
||||
}
|
||||
query += " WHERE status = ?"
|
||||
args = append(args, status)
|
||||
}
|
||||
|
||||
var count int
|
||||
if err := db.GetContext(r.Context(), &count, "SELECT COUNT(*) FROM emly_bugreports_dev.bug_reports"); err != nil {
|
||||
if err := db.GetContext(r.Context(), &count, query, args...); err != nil {
|
||||
jsonError(w, http.StatusInternalServerError, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
@@ -2,6 +2,7 @@ package models
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
@@ -14,6 +15,23 @@ const (
|
||||
BugReportStatusClosed BugReportStatus = "closed"
|
||||
)
|
||||
|
||||
func (s BugReportStatus) IsValid() bool {
|
||||
switch s {
|
||||
case BugReportStatusNew, BugReportStatusInReview, BugReportStatusResolved, BugReportStatusClosed:
|
||||
return true
|
||||
default:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
func ParseBugReportStatus(value string) (BugReportStatus, bool) {
|
||||
status := BugReportStatus(strings.ToLower(strings.TrimSpace(value)))
|
||||
if status == "" {
|
||||
return "", false
|
||||
}
|
||||
return status, status.IsValid()
|
||||
}
|
||||
|
||||
type BugReportListItem struct {
|
||||
BugReport
|
||||
FileCount int `db:"file_count" json:"file_count"`
|
||||
|
||||
@@ -5,9 +5,10 @@ import "time"
|
||||
type FileRole string
|
||||
|
||||
const (
|
||||
FileRoleAttachment FileRole = "attachment"
|
||||
FileRoleScreenshot FileRole = "screenshot"
|
||||
FileRoleLog FileRole = "log"
|
||||
FileRoleScreenshot FileRole = "screenshot"
|
||||
FileRoleMailFile FileRole = "mail_file"
|
||||
FileRoleLocalStorage FileRole = "localstorage"
|
||||
FileRoleConfig FileRole = "config"
|
||||
)
|
||||
|
||||
type BugReportFile struct {
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
package routes
|
||||
|
||||
import (
|
||||
v2 "emly-api-go/internal/routes/v2"
|
||||
"net/http"
|
||||
|
||||
v1 "emly-api-go/internal/routes/v1"
|
||||
@@ -22,4 +23,5 @@ func RegisterAll(r chi.Router, db *sqlx.DB) {
|
||||
})
|
||||
|
||||
r.Mount("/v1", v1.NewRouter(db))
|
||||
r.Mount("/v2", v2.NewRouter(db))
|
||||
}
|
||||
|
||||
@@ -13,17 +13,24 @@ import (
|
||||
|
||||
func registerAdmin(r chi.Router, db *sqlx.DB) {
|
||||
r.Route("/admin", func(r chi.Router) {
|
||||
r.Use(httprate.LimitByIP(30, time.Minute))
|
||||
|
||||
// Auth — public, handles its own credential checks
|
||||
// Auth — public, handles its own credential checks.
|
||||
// Only /login is rate-limited: it is the only endpoint vulnerable to
|
||||
// brute-force. /validate and /logout require a 256-bit session token
|
||||
// and are called frequently by authenticated clients, so no limit is
|
||||
// applied there.
|
||||
r.Route("/auth", func(r chi.Router) {
|
||||
r.Post("/login", handlers.LoginUser(db))
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(httprate.LimitByIP(30, time.Minute))
|
||||
r.Post("/login", handlers.LoginUser(db))
|
||||
})
|
||||
r.Get("/validate", handlers.ValidateSession(db))
|
||||
r.Post("/logout", handlers.LogoutSession(db))
|
||||
})
|
||||
|
||||
// User management — protected via Admin Key
|
||||
r.Route("/users", func(r chi.Router) {
|
||||
r.Use(httprate.LimitByIP(30, time.Minute))
|
||||
r.Use(apimw.AdminKeyAuth(db))
|
||||
|
||||
r.Get("/", handlers.ListUsers(db))
|
||||
|
||||
@@ -1,7 +1,9 @@
|
||||
package v1
|
||||
|
||||
import (
|
||||
emlyMiddleware "emly-api-go/internal/middleware"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"emly-api-go/internal/handlers"
|
||||
|
||||
@@ -15,6 +17,15 @@ import (
|
||||
func NewRouter(db *sqlx.DB) http.Handler {
|
||||
r := chi.NewRouter()
|
||||
|
||||
rl := emlyMiddleware.NewRateLimiter(
|
||||
5, // 5 req/sec per IP
|
||||
10, // burst fino a 10
|
||||
20, // ban dopo 20 violazioni
|
||||
15*time.Minute, // ban di 15 minuti
|
||||
)
|
||||
|
||||
r.Use(rl.Handler)
|
||||
|
||||
r.Use(func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("X-Server", "emly-api-go")
|
||||
|
||||
37
internal/routes/v2/admin.go
Normal file
37
internal/routes/v2/admin.go
Normal file
@@ -0,0 +1,37 @@
|
||||
package v2
|
||||
|
||||
import (
|
||||
apimw "emly-api-go/internal/middleware"
|
||||
"time"
|
||||
|
||||
"emly-api-go/internal/handlers"
|
||||
|
||||
"github.com/go-chi/chi/v5"
|
||||
"github.com/go-chi/httprate"
|
||||
"github.com/jmoiron/sqlx"
|
||||
)
|
||||
|
||||
func registerAdmin(r chi.Router, db *sqlx.DB) {
|
||||
r.Route("/admin", func(r chi.Router) {
|
||||
r.Use(httprate.LimitByIP(30, time.Minute))
|
||||
|
||||
// Auth — public, handles its own credential checks
|
||||
r.Route("/auth", func(r chi.Router) {
|
||||
r.Post("/login", handlers.LoginUser(db))
|
||||
r.Get("/validate", handlers.ValidateSession(db))
|
||||
r.Post("/logout", handlers.LogoutSession(db))
|
||||
})
|
||||
|
||||
// User management — protected via Admin Key
|
||||
r.Route("/users", func(r chi.Router) {
|
||||
r.Use(apimw.AdminKeyAuth(db))
|
||||
|
||||
r.Get("/", handlers.ListUsers(db))
|
||||
r.Post("/", handlers.CreateUser(db))
|
||||
r.Get("/{id}", handlers.GetUserByID(db))
|
||||
r.Patch("/{id}", handlers.UpdateUser(db))
|
||||
r.Post("/{id}/reset-password", handlers.ResetPassword(db))
|
||||
r.Delete("/{id}", handlers.DeleteUser(db))
|
||||
})
|
||||
})
|
||||
}
|
||||
41
internal/routes/v2/bug_reports.go
Normal file
41
internal/routes/v2/bug_reports.go
Normal file
@@ -0,0 +1,41 @@
|
||||
package v2
|
||||
|
||||
import (
|
||||
apimw "emly-api-go/internal/middleware"
|
||||
"time"
|
||||
|
||||
"emly-api-go/internal/handlers"
|
||||
|
||||
"github.com/go-chi/chi/v5"
|
||||
"github.com/go-chi/httprate"
|
||||
"github.com/jmoiron/sqlx"
|
||||
)
|
||||
|
||||
func registerBugReports(r chi.Router, db *sqlx.DB) {
|
||||
r.Route("/bug-report", func(r chi.Router) {
|
||||
// API key only: submit a report and check count
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(apimw.APIKeyAuth(db))
|
||||
r.Use(httprate.LimitByIP(30, time.Minute))
|
||||
|
||||
r.Get("/count", handlers.GetReportsCount(db))
|
||||
r.Post("/", handlers.CreateBugReport(db))
|
||||
})
|
||||
|
||||
// API key + admin key: full read/write access
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(apimw.APIKeyAuth(db))
|
||||
r.Use(apimw.AdminKeyAuth(db))
|
||||
r.Use(httprate.LimitByIP(30, time.Minute))
|
||||
|
||||
r.Get("/", handlers.GetAllBugReports(db))
|
||||
r.Get("/{id}", handlers.GetBugReportByID(db))
|
||||
r.Get("/{id}/status", handlers.GetReportStatusByID(db))
|
||||
r.Get("/{id}/files", handlers.GetReportFilesByReportID(db))
|
||||
r.Get("/{id}/files/{file_id}", handlers.GetReportFileByFileID(db))
|
||||
r.Get("/{id}/download", handlers.GetBugReportZipById(db))
|
||||
r.Patch("/{id}/status", handlers.PatchBugReportStatus(db))
|
||||
r.Delete("/{id}", handlers.DeleteBugReportByID(db))
|
||||
})
|
||||
})
|
||||
}
|
||||
45
internal/routes/v2/v2.go
Normal file
45
internal/routes/v2/v2.go
Normal file
@@ -0,0 +1,45 @@
|
||||
package v2
|
||||
|
||||
import (
|
||||
emlyMiddleware "emly-api-go/internal/middleware"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"emly-api-go/internal/handlers"
|
||||
|
||||
"github.com/go-chi/chi/v5"
|
||||
"github.com/jmoiron/sqlx"
|
||||
)
|
||||
|
||||
// NewRouter returns a chi.Router with all /v1 routes mounted.
|
||||
// Add new API versions by creating an analogous package (e.g. v2) and
|
||||
// mounting it alongside this one in internal/routes/routes.go.
|
||||
func NewRouter(db *sqlx.DB) http.Handler {
|
||||
r := chi.NewRouter()
|
||||
|
||||
rl := emlyMiddleware.NewRateLimiter(
|
||||
5, // 5 req/sec per IP
|
||||
10, // burst fino a 10
|
||||
20, // ban dopo 20 violazioni
|
||||
15*time.Minute, // ban di 15 minuti
|
||||
)
|
||||
|
||||
r.Use(rl.Handler)
|
||||
|
||||
r.Use(func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("X-Server", "emly-api-go")
|
||||
w.Header().Set("X-Powered-By", "Rexouium in a suit")
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
})
|
||||
|
||||
r.Get("/health", handlers.Health(db))
|
||||
|
||||
r.Route("/api", func(r chi.Router) {
|
||||
registerAdmin(r, db)
|
||||
registerBugReports(r, db)
|
||||
})
|
||||
|
||||
return r
|
||||
}
|
||||
Reference in New Issue
Block a user