#include "httpd.js.h" #include "http.h" #include "log.h" #include "mem.h" #include "sha1.h" #include "ssb.db.h" #include "ssb.h" #include "task.h" #include "taskstub.js.h" #include "util.js.h" #include "picohttpparser.h" #include "uv.h" #include #if !defined(__APPLE__) && !defined(__OpenBSD__) && !defined(_WIN32) #include #endif typedef struct _app_blob_t { tf_http_request_t* request; bool found; bool not_modified; bool use_handler; bool use_static; void* data; size_t size; char app_blob_id[k_blob_id_len]; const char* file; tf_httpd_user_app_t* user_app; char etag[256]; } app_blob_t; static void _httpd_endpoint_app_blob_work(tf_ssb_t* ssb, void* user_data) { app_blob_t* data = user_data; tf_http_request_t* request = data->request; if (request->path[0] == '/' && request->path[1] == '~') { const char* last_slash = strchr(request->path + 1, '/'); if (last_slash) { last_slash = strchr(last_slash + 1, '/'); } data->user_app = last_slash ? tf_httpd_parse_user_app_from_path(request->path, last_slash) : NULL; if (data->user_app) { size_t path_length = strlen("path:") + strlen(data->user_app->app) + 1; char* app_path = tf_malloc(path_length); snprintf(app_path, path_length, "path:%s", data->user_app->app); const char* value = tf_ssb_db_get_property(ssb, data->user_app->user, app_path); tf_string_set(data->app_blob_id, sizeof(data->app_blob_id), value); tf_free(app_path); tf_free((void*)value); data->file = last_slash + 1; } } else if (request->path[0] == '/' && request->path[1] == '&') { const char* end = strstr(request->path, ".sha256/"); if (end) { snprintf(data->app_blob_id, sizeof(data->app_blob_id), "%.*s", (int)(end + strlen(".sha256") - request->path - 1), request->path + 1); data->file = end + strlen(".sha256/"); } } char* app_blob = NULL; size_t app_blob_size = 0; if (*data->app_blob_id && tf_ssb_db_blob_get(ssb, data->app_blob_id, (uint8_t**)&app_blob, &app_blob_size)) { JSMallocFunctions funcs = { 0 }; tf_get_js_malloc_functions(&funcs); JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL); JSContext* context = JS_NewContext(runtime); JSValue app_object = JS_ParseJSON(context, app_blob, app_blob_size, NULL); JSValue files = JS_GetPropertyStr(context, app_object, "files"); JSValue blob_id = JS_GetPropertyStr(context, files, data->file); if (JS_IsUndefined(blob_id)) { blob_id = JS_GetPropertyStr(context, files, "handler.js"); if (!JS_IsUndefined(blob_id)) { data->use_handler = true; } } else { const char* blob_id_str = JS_ToCString(context, blob_id); if (blob_id_str) { snprintf(data->etag, sizeof(data->etag), "\"%s\"", blob_id_str); const char* match = tf_http_request_get_header(data->request, "if-none-match"); if (match && strcmp(match, data->etag) == 0) { data->not_modified = true; } else { data->found = tf_ssb_db_blob_get(ssb, blob_id_str, (uint8_t**)&data->data, &data->size); } } JS_FreeCString(context, blob_id_str); } JS_FreeValue(context, blob_id); JS_FreeValue(context, files); JS_FreeValue(context, app_object); JS_FreeContext(context); JS_FreeRuntime(runtime); tf_free(app_blob); } } static void _httpd_call_app_handler(tf_ssb_t* ssb, tf_http_request_t* request, const char* app_blob_id, const char* path, const char* package_owner, const char* app) { JSContext* context = tf_ssb_get_context(ssb); JSValue global = JS_GetGlobalObject(context); JSValue exports = JS_GetPropertyStr(context, global, "exports"); JSValue call_app_handler = JS_GetPropertyStr(context, exports, "callAppHandler"); JSValue response = tf_httpd_make_response_object(context, request); tf_http_request_ref(request); JSValue handler_blob_id = JS_NewString(context, app_blob_id); JSValue path_value = JS_NewString(context, path); JSValue package_owner_value = JS_NewString(context, package_owner); JSValue app_value = JS_NewString(context, app); JSValue query_value = request->query ? JS_NewString(context, request->query) : JS_UNDEFINED; JSValue headers = JS_NewObject(context); for (int i = 0; i < request->headers_count; i++) { char name[256] = ""; snprintf(name, sizeof(name), "%.*s", (int)request->headers[i].name_len, request->headers[i].name); JS_SetPropertyStr(context, headers, name, JS_NewStringLen(context, request->headers[i].value, request->headers[i].value_len)); } JSValue args[] = { response, handler_blob_id, path_value, query_value, headers, package_owner_value, app_value, }; JSValue result = JS_Call(context, call_app_handler, JS_NULL, tf_countof(args), args); tf_util_report_error(context, result); JS_FreeValue(context, result); JS_FreeValue(context, headers); JS_FreeValue(context, query_value); JS_FreeValue(context, app_value); JS_FreeValue(context, package_owner_value); JS_FreeValue(context, handler_blob_id); JS_FreeValue(context, path_value); JS_FreeValue(context, response); JS_FreeValue(context, call_app_handler); JS_FreeValue(context, exports); JS_FreeValue(context, global); } static void _httpd_endpoint_app_blob_after_work(tf_ssb_t* ssb, int status, void* user_data) { app_blob_t* data = user_data; if (data->not_modified) { tf_http_respond(data->request, 304, NULL, 0, NULL, 0); } else if (data->use_static) { tf_httpd_endpoint_static(data->request); } else if (data->use_handler) { _httpd_call_app_handler(ssb, data->request, data->app_blob_id, data->file, data->user_app->user, data->user_app->app); } else if (data->found) { const char* mime_type = tf_httpd_ext_to_content_type(strrchr(data->request->path, '.'), false); if (!mime_type) { mime_type = tf_httpd_magic_bytes_to_content_type(data->data, data->size); } const char* headers[] = { "Access-Control-Allow-Origin", "*", "Content-Security-Policy", "sandbox allow-downloads allow-top-navigation-by-user-activation", "Content-Type", mime_type ? mime_type : "application/binary", "etag", data->etag, }; tf_http_respond(data->request, 200, headers, tf_countof(headers) / 2, data->data, data->size); } tf_free(data->user_app); tf_free(data->data); tf_http_request_unref(data->request); tf_free(data); } void tf_httpd_endpoint_app(tf_http_request_t* request) { tf_http_request_ref(request); tf_task_t* task = request->user_data; tf_ssb_t* ssb = tf_task_get_ssb(task); app_blob_t* data = tf_malloc(sizeof(app_blob_t)); *data = (app_blob_t) { .request = request }; tf_ssb_run_work(ssb, _httpd_endpoint_app_blob_work, _httpd_endpoint_app_blob_after_work, data); } typedef struct _app_t { tf_http_request_t* request; const char* settings; JSValue credentials; tf_taskstub_t* taskstub; } app_t; static void _httpd_auth_query_work(tf_ssb_t* ssb, void* user_data) { app_t* work = user_data; work->settings = tf_ssb_db_get_property(ssb, "core", "settings"); } static void _httpd_app_on_message(tf_http_request_t* request, int op_code, const void* data, size_t size) { tf_printf("REQUEST MESSAGE %.*s\n", (int)size, (const char*)data); app_t* work = request->user_data; JSContext* context = request->context; switch (op_code) { case 0x1: case 0x2: break; /* CLOSE */ case 0x8: if (work->taskstub) { JSValue result = tf_taskstub_kill(work->taskstub); tf_util_report_error(context, result); JS_FreeValue(context, result); work->taskstub = NULL; } break; /* PONG */ case 0xa: break; } } static void _httpd_app_on_close(tf_http_request_t* request) { tf_printf("REQUEST CLOSE\n"); JSContext* context = request->context; app_t* work = request->user_data; JS_FreeValue(context, work->credentials); tf_free(work); tf_http_request_unref(request); } static void _httpd_auth_query_after_work(tf_ssb_t* ssb, int status, void* user_data) { app_t* work = user_data; JSContext* context = tf_ssb_get_context(ssb); JSValue session = JS_GetPropertyStr(context, work->credentials, "session"); JSValue name = JS_GetPropertyStr(context, session, "name"); JS_FreeValue(context, session); const char* name_string = JS_ToCString(context, name); JSValue settings_value = work->settings ? JS_ParseJSON(context, work->settings, strlen(work->settings), NULL) : JS_UNDEFINED; tf_free((void*)work->settings); work->settings = NULL; JSValue out_permissions = JS_NewObject(context); JS_SetPropertyStr(context, work->credentials, "permissions", out_permissions); JSValue permissions = !JS_IsUndefined(settings_value) ? JS_GetPropertyStr(context, settings_value, "permissions") : JS_UNDEFINED; JSValue user_permissions = !JS_IsUndefined(permissions) ? JS_GetPropertyStr(context, permissions, name_string) : JS_UNDEFINED; int length = !JS_IsUndefined(user_permissions) ? tf_util_get_length(context, user_permissions) : 0; for (int i = 0; i < length; i++) { JSValue permission = JS_GetPropertyUint32(context, user_permissions, i); const char* permission_string = JS_ToCString(context, permission); JS_SetPropertyStr(context, out_permissions, permission_string, JS_TRUE); JS_FreeCString(context, permission_string); JS_FreeValue(context, permission); } JS_FreeValue(context, user_permissions); JS_FreeValue(context, permissions); JS_FreeValue(context, settings_value); JS_FreeValue(context, name); tf_http_request_t* request = work->request; const char* header_sec_websocket_key = tf_http_request_get_header(request, "sec-websocket-key"); static const char* k_magic = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; size_t key_length = strlen(header_sec_websocket_key); size_t size = key_length + 36; uint8_t* key_magic = alloca(size); memcpy(key_magic, header_sec_websocket_key, key_length); memcpy(key_magic + key_length, k_magic, 36); uint8_t digest[20]; SHA1_CTX sha1 = { 0 }; SHA1Init(&sha1); SHA1Update(&sha1, key_magic, size); SHA1Final(digest, &sha1); char key[41] = { 0 }; tf_base64_encode(digest, sizeof(digest), key, sizeof(key)); const char* headers[64] = { 0 }; int headers_count = 0; headers[headers_count * 2 + 0] = "Upgrade"; headers[headers_count * 2 + 1] = "websocket"; headers_count++; headers[headers_count * 2 + 0] = "Connection"; headers[headers_count * 2 + 1] = "Upgrade"; headers_count++; headers[headers_count * 2 + 0] = "Sec-WebSocket-Accept"; headers[headers_count * 2 + 1] = key; headers_count++; const char* session_token = tf_httpd_make_session_jwt(tf_ssb_get_context(ssb), ssb, name_string); const char* cookie = tf_httpd_make_set_session_cookie_header(request, session_token); tf_free((void*)session_token); headers[headers_count * 2 + 0] = "Set-Cookie"; headers[headers_count * 2 + 1] = cookie ? cookie : ""; headers_count++; bool send_version = !tf_http_request_get_header(request, "sec-websocket-version") || strcmp(tf_http_request_get_header(request, "sec-websocket-version"), "13") != 0; if (send_version) { headers[headers_count * 2 + 0] = "Sec-WebSocket-Accept"; headers[headers_count * 2 + 1] = key; headers_count++; } tf_http_request_websocket_upgrade(request); tf_http_respond(request, 101, headers, headers_count, NULL, 0); /* What now? */ tf_free((void*)cookie); JS_FreeCString(context, name_string); // tf_http_request_unref(request); request->on_message = _httpd_app_on_message; request->on_close = _httpd_app_on_close; request->context = context; request->user_data = work; } static void _tf_httpd_endpoint_app_socket_c(tf_http_request_t* request) { const char* header_connection = tf_http_request_get_header(request, "connection"); const char* header_upgrade = tf_http_request_get_header(request, "upgrade"); const char* header_sec_websocket_key = tf_http_request_get_header(request, "sec-websocket-key"); if (!header_connection || !header_upgrade || !header_sec_websocket_key || !strstr(header_connection, "Upgrade") || strcasecmp(header_upgrade, "websocket")) { tf_http_respond(request, 500, NULL, 0, NULL, 0); return; } tf_task_t* task = request->user_data; tf_ssb_t* ssb = tf_task_get_ssb(task); JSContext* context = tf_task_get_context(task); const char* session = tf_http_get_cookie(tf_http_request_get_header(request, "cookie"), "session"); JSValue jwt = tf_httpd_authenticate_jwt(ssb, context, session); tf_free((void*)session); if (!JS_IsUndefined(jwt)) { JSValue credentials = JS_NewObject(context); JS_SetPropertyStr(context, credentials, "session", jwt); tf_http_request_ref(request); app_t* work = tf_malloc(sizeof(app_t)); *work = (app_t) { .request = request, .credentials = credentials, }; tf_ssb_run_work(ssb, _httpd_auth_query_work, _httpd_auth_query_after_work, work); } } static void _tf_httpd_endpoint_app_socket_js(tf_http_request_t* request) { tf_task_t* task = request->user_data; tf_ssb_t* ssb = tf_task_get_ssb(task); JSContext* context = tf_ssb_get_context(ssb); JSValue global = JS_GetGlobalObject(context); JSValue exports = JS_GetPropertyStr(context, global, "exports"); JSValue app_socket = JS_GetPropertyStr(context, exports, "app_socket"); JSValue request_object = JS_NewObject(context); JSValue headers = JS_NewObject(context); for (int i = 0; i < request->headers_count; i++) { JS_SetPropertyStr(context, headers, request->headers[i].name, JS_NewString(context, request->headers[i].value)); } JS_SetPropertyStr(context, request_object, "headers", headers); JSValue response = tf_httpd_make_response_object(context, request); tf_http_request_ref(request); JSValue args[] = { request_object, response, }; JSValue result = JS_Call(context, app_socket, JS_NULL, tf_countof(args), args); tf_util_report_error(context, result); JS_FreeValue(context, result); for (int i = 0; i < tf_countof(args); i++) { JS_FreeValue(context, args[i]); } JS_FreeValue(context, app_socket); JS_FreeValue(context, exports); JS_FreeValue(context, global); } void tf_httpd_endpoint_app_socket(tf_http_request_t* request) { static bool checked_env; static bool use_c; if (!checked_env) { char buffer[8] = { 0 }; size_t buffer_size = sizeof(buffer); use_c = uv_os_getenv("TF_APP_C", buffer, &buffer_size) == 0 && strcmp(buffer, "1") == 0; checked_env = true; } if (use_c) { _tf_httpd_endpoint_app_socket_c(request); } else { _tf_httpd_endpoint_app_socket_js(request); } }