navidrome/server/app/app.go

package app

import (
	"context"
	"net/http"
	"net/url"
	"strings"

	"github.com/deluan/rest"
	"github.com/go-chi/chi"
	"github.com/go-chi/httprate"
	"github.com/go-chi/jwtauth"
	"github.com/navidrome/navidrome/assets"
	"github.com/navidrome/navidrome/conf"
	"github.com/navidrome/navidrome/core/auth"
	"github.com/navidrome/navidrome/log"
	"github.com/navidrome/navidrome/model"
	"github.com/navidrome/navidrome/server/events"
)

type Router struct {
	ds     model.DataStore
	mux    http.Handler
	broker events.Broker
}

func New(ds model.DataStore, broker events.Broker) *Router {
	return &Router{ds: ds, broker: broker}
}

func (app *Router) Setup(path string) {
	app.mux = app.routes(path)
}

func (app *Router) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	app.mux.ServeHTTP(w, r)
}

func (app *Router) routes(path string) http.Handler {
	r := chi.NewRouter()

	if conf.Server.AuthRequestLimit > 0 {
		log.Info("Login rate limit set", "requestLimit", conf.Server.AuthRequestLimit,
			"windowLength", conf.Server.AuthWindowLength)

		rateLimiter := httprate.LimitByIP(conf.Server.AuthRequestLimit, conf.Server.AuthWindowLength)
		r.With(rateLimiter).Post("/login", Login(app.ds))
	} else {
		log.Warn("Login rate limit is disabled! Consider enabling it to be protected against brute-force attacks")

		r.Post("/login", Login(app.ds))
	}

	r.Post("/createAdmin", CreateAdmin(app.ds))

	r.Route("/api", func(r chi.Router) {
		r.Use(mapAuthHeader())
		r.Use(jwtauth.Verifier(auth.TokenAuth))
		r.Use(authenticator(app.ds))
		app.R(r, "/user", model.User{}, true)
		app.R(r, "/song", model.MediaFile{}, true)
		app.R(r, "/album", model.Album{}, true)
		app.R(r, "/artist", model.Artist{}, true)
		app.R(r, "/player", model.Player{}, true)
		app.R(r, "/playlist", model.Playlist{}, true)
		app.R(r, "/transcoding", model.Transcoding{}, conf.Server.EnableTranscodingConfig)
		app.RX(r, "/translation", newTranslationRepository, false)

		app.addPlaylistTrackRoute(r)

		// Keepalive endpoint to be used to keep the session valid (ex: while playing songs)
		r.Get("/keepalive/*", func(w http.ResponseWriter, r *http.Request) { _, _ = w.Write([]byte(`{"response":"ok"}`)) })

		if conf.Server.DevActivityPanel {
			r.Handle("/events", app.broker)
		}
	})

	// Serve UI app assets
	r.Handle("/", serveIndex(app.ds, assets.AssetFile()))
	r.Handle("/*", http.StripPrefix(path, http.FileServer(assets.AssetFile())))

	return r
}

func (app *Router) R(r chi.Router, pathPrefix string, model interface{}, persistable bool) {
	constructor := func(ctx context.Context) rest.Repository {
		return app.ds.Resource(ctx, model)
	}
	app.RX(r, pathPrefix, constructor, persistable)
}

func (app *Router) RX(r chi.Router, pathPrefix string, constructor rest.RepositoryConstructor, persistable bool) {
	r.Route(pathPrefix, func(r chi.Router) {
		r.Get("/", rest.GetAll(constructor))
		if persistable {
			r.Post("/", rest.Post(constructor))
		}
		r.Route("/{id}", func(r chi.Router) {
			r.Use(UrlParams)
			r.Get("/", rest.Get(constructor))
			if persistable {
				r.Put("/", rest.Put(constructor))
				r.Delete("/", rest.Delete(constructor))
			}
		})
	})
}

type restHandler = func(rest.RepositoryConstructor, ...rest.Logger) http.HandlerFunc

func (app *Router) addPlaylistTrackRoute(r chi.Router) {
	r.Route("/playlist/{playlistId}/tracks", func(r chi.Router) {
		r.Get("/", func(w http.ResponseWriter, r *http.Request) {
			getPlaylist(app.ds)(w, r)
		})
		r.Route("/{id}", func(r chi.Router) {
			r.Use(UrlParams)
			r.Put("/", func(w http.ResponseWriter, r *http.Request) {
				reorderItem(app.ds)(w, r)
			})
			r.Delete("/", func(w http.ResponseWriter, r *http.Request) {
				deleteFromPlaylist(app.ds)(w, r)
			})
		})
		r.With(UrlParams).Post("/", func(w http.ResponseWriter, r *http.Request) {
			addToPlaylist(app.ds)(w, r)
		})
	})
}

// Middleware to convert Chi URL params (from Context) to query params, as expected by our REST package
func UrlParams(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := chi.RouteContext(r.Context())
		parts := make([]string, 0)
		for i, key := range ctx.URLParams.Keys {
			value := ctx.URLParams.Values[i]
			if key == "*" {
				continue
			}
			parts = append(parts, url.QueryEscape(":"+key)+"="+url.QueryEscape(value))
		}
		q := strings.Join(parts, "&")
		if r.URL.RawQuery == "" {
			r.URL.RawQuery = q
		} else {
			r.URL.RawQuery += "&" + q
		}

		next.ServeHTTP(w, r)
	})
}