logging out & fix state (?)

2025-07-31 10:58:25 +01:00 · 2025-07-31 10:58:25 +01:00 · b906736af8
commit b906736af8
parent 96320c3cc4
2 changed files with 61 additions and 21 deletions
--- a/internal/api/routes/auth.go
+++ b/internal/api/routes/auth.go
@ -23,6 +23,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"sync"
 	"time"

 	"github.com/gin-gonic/gin"
@ -33,6 +34,9 @@ import (
 	"stereo.cat/backend/internal/types"
 )

+var oauthStates = make(map[string]struct{})
+var oauthStatesMu sync.Mutex
+
 func generateState(length int) (string, error) {
 	b := make([]byte, length)
 	_, err := rand.Read(b)
@ -50,7 +54,9 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
 			return
 		}

-		c.SetCookie("oauth_state", state, 300, "", cfg.Domain, true, true)
+		oauthStatesMu.Lock()
+		oauthStates[state] = struct{}{}
+		oauthStatesMu.Unlock()

 		discordURL := fmt.Sprintf(
 			"https://discord.com/oauth2/authorize?client_id=%s&response_type=code&redirect_uri=%s&scope=identify%%20email&state=%s",
@ -62,16 +68,25 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
 		c.Redirect(http.StatusTemporaryRedirect, discordURL)
 	})

+	api.GET("/auth/logout", session.SessionMiddleware(cfg.JWTSecret), func(c *gin.Context) {
+		c.SetCookie("jwt", "", -1, "", cfg.Domain, true, true)
+		c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri)
+	})
+
 	api.GET("/auth/callback", func(c *gin.Context) {
 		code := c.Query("code")
 		state := c.Query("state")

-		cookieState, err := c.Cookie("oauth_state")
-		if err != nil || state != cookieState {
+		oauthStatesMu.Lock()
+		_, ok := oauthStates[state]
+		if ok {
+			delete(oauthStates, state)
+		}
+		oauthStatesMu.Unlock()
+		if !ok {
 			c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "Invalid state"})
 			return
 		}
-		c.SetCookie("oauth_state", "", -1, "", cfg.Domain, true, true)

 		t, err := cfg.Client.ExchangeCode(code)
 		if err != nil {
@ -93,12 +108,6 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
 			panic(res.Error)
 		}

-		// TODO: redirect to dashboard
-		/*c.JSON(http.StatusOK, gin.H{
-			"jwt":   jwt,
-			"known": res.RowsAffected == 0,
-		})
-		*/
 		c.SetCookie("jwt", jwt, int(t.ExpiresIn), "", cfg.Domain, true, true)
 		c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri+"/dashboard")
 	})
--- a/internal/api/routes/files.go
+++ b/internal/api/routes/files.go
@ -1,18 +1,18 @@
 /*
 	Copyright (C) 2025  hexlocation (hex@iwakura.rip) & grngxd (grng@iwakura.rip)

-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.

-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.

-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+	You should have received a copy of the GNU General Public License
+	along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

 package routes
@ -20,6 +20,7 @@ package routes
 import (
 	"bytes"
 	"io"
+	"strconv"
 	"strings"
 	"time"

@ -179,8 +180,38 @@ func RegisterFileRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
 		claims := c.MustGet("claims").(jwt.MapClaims)
 		user := claims["user"].(auth.User)

+		if c.Query("page") == "" || c.Query("size") == "" {
+			var files []types.File
+			if err := cfg.Database.Where("owner = ?", user.ID).Find(&files).Error; err != nil {
+				types.ErrorDatabase.Throw(c, err)
+				return
+			}
+
+			c.JSON(200, files)
+			return
+		}
+
+		page := c.Query("page")
+		size := c.Query("size")
+
+		pageNum, err := strconv.Atoi(page)
+		if err != nil || pageNum < 0 {
+			types.ErrorInvalidParams.Throw(c, err)
+			return
+		}
+
+		sizeNum, err := strconv.Atoi(size)
+		if err != nil || sizeNum <= 0 {
+			types.ErrorInvalidParams.Throw(c, err)
+			return
+		}
+
 		var files []types.File
-		if err := cfg.Database.Where("owner = ?", user.ID).Find(&files).Error; err != nil {
+		offset := (pageNum - 1) * sizeNum
+		if offset < 0 {
+			offset = 0
+		}
+		if err := cfg.Database.Where("owner = ?", user.ID).Offset(offset).Limit(sizeNum).Find(&files).Error; err != nil {
 			types.ErrorDatabase.Throw(c, err)
 			return
 		}