#include "httpd.js.h" #include "file.js.h" #include "http.h" #include "log.h" #include "mem.h" #include "ssb.db.h" #include "ssb.h" #include "task.h" #include "tlscontext.js.h" #include "trace.h" #include "util.js.h" #include "ow-crypt.h" #include "picohttpparser.h" #include "sodium/crypto_sign.h" #include "sodium/utils.h" #include #include #include #include #include #if !defined(__APPLE__) && !defined(__OpenBSD__) && !defined(_WIN32) #include #endif #define tf_countof(a) ((int)(sizeof((a)) / sizeof(*(a)))) #define CYAN "\e[1;36m" #define MAGENTA "\e[1;35m" #define RESET "\e[0m" const int64_t k_refresh_interval = 1ULL * 7 * 24 * 60 * 60 * 1000; static JSValue _authenticate_jwt(tf_ssb_t* ssb, JSContext* context, const char* jwt); static JSValue _httpd_websocket_upgrade(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv); static bool _is_name_valid(const char* name); static const char* _make_session_jwt(JSContext* context, tf_ssb_t* ssb, const char* name); static const char* _make_set_session_cookie_header(tf_http_request_t* request, const char* session_cookie); const char** _form_data_decode(const char* data, int length); const char* _form_data_get(const char** form_data, const char* key); static JSClassID _httpd_class_id; static JSClassID _httpd_request_class_id; typedef struct _http_user_data_t { char redirect[1024]; } http_user_data_t; typedef struct _http_handler_data_t { JSContext* context; JSValue callback; } http_handler_data_t; static JSValue _httpd_response_write_head(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv) { JS_SetPropertyStr(context, this_val, "response_status", JS_DupValue(context, argv[0])); JS_SetPropertyStr(context, this_val, "response_headers", JS_DupValue(context, argv[1])); return JS_UNDEFINED; } static int _object_to_headers(JSContext* context, JSValue object, const char** headers, int headers_length) { int count = 0; JSPropertyEnum* ptab = NULL; uint32_t plen = 0; JS_GetOwnPropertyNames(context, &ptab, &plen, object, JS_GPN_STRING_MASK); for (; count < (int)plen && count < headers_length / 2; ++count) { JSValue key = JS_AtomToString(context, ptab[count].atom); JSPropertyDescriptor desc; JSValue key_value = JS_NULL; if (JS_GetOwnProperty(context, &desc, object, ptab[count].atom) == 1) { key_value = desc.value; JS_FreeValue(context, desc.setter); JS_FreeValue(context, desc.getter); } headers[count * 2 + 0] = JS_ToCString(context, key); headers[count * 2 + 1] = JS_ToCString(context, key_value); JS_FreeValue(context, key); JS_FreeValue(context, key_value); } for (uint32_t i = 0; i < plen; ++i) { JS_FreeAtom(context, ptab[i].atom); } js_free(context, ptab); return count; } static JSValue _httpd_response_end(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv) { tf_http_request_t* request = JS_GetOpaque(this_val, _httpd_request_class_id); size_t length = 0; const char* cstring = NULL; const void* data = NULL; JSValue buffer = JS_UNDEFINED; if (JS_IsString(argv[0])) { cstring = JS_ToCStringLen(context, &length, argv[0]); data = cstring; } else if ((data = tf_util_try_get_array_buffer(context, &length, argv[0])) != 0) { } else { size_t offset; size_t size; size_t element_size; buffer = tf_util_try_get_typed_array_buffer(context, argv[0], &offset, &size, &element_size); if (!JS_IsException(buffer)) { data = tf_util_try_get_array_buffer(context, &length, buffer); } } JSValue response_status = JS_GetPropertyStr(context, this_val, "response_status"); int status = 0; JS_ToInt32(context, &status, response_status); JS_FreeValue(context, response_status); const char* headers[64] = { 0 }; JSValue response_headers = JS_GetPropertyStr(context, this_val, "response_headers"); int headers_count = _object_to_headers(context, response_headers, headers, tf_countof(headers)); JS_FreeValue(context, response_headers); tf_http_respond(request, status, headers, headers_count, data, length); for (int i = 0; i < headers_count * 2; i++) { JS_FreeCString(context, headers[i]); } JS_FreeValue(context, buffer); if (cstring) { JS_FreeCString(context, cstring); } return JS_UNDEFINED; } static JSValue _httpd_response_send(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv) { tf_http_request_t* request = JS_GetOpaque(this_val, _httpd_request_class_id); int opcode = 0x1; JS_ToInt32(context, &opcode, argv[1]); uint64_t length = 0; size_t length_size = 0; const char* message = JS_ToCStringLen(context, &length_size, argv[0]); length = length_size; uint8_t* copy = tf_malloc(length + 16); bool fin = true; size_t header = 1; copy[0] = (fin ? (1 << 7) : 0) | (opcode & 0xf); if (length < 126) { copy[1] = length; header += 1; } else if (length < (1 << 16)) { copy[1] = 126; copy[2] = (length >> 8) & 0xff; copy[3] = (length >> 0) & 0xff; header += 3; } else { uint32_t high = (length >> 32) & 0xffffffff; uint32_t low = (length >> 0) & 0xffffffff; copy[1] = 127; copy[2] = (high >> 24) & 0xff; copy[3] = (high >> 16) & 0xff; copy[4] = (high >> 8) & 0xff; copy[5] = (high >> 0) & 0xff; copy[6] = (low >> 24) & 0xff; copy[7] = (low >> 16) & 0xff; copy[8] = (low >> 8) & 0xff; copy[9] = (low >> 0) & 0xff; header += 9; } memcpy(copy + header, message, length); tf_http_request_send(request, copy, header + length); tf_free(copy); JS_FreeCString(context, message); return JS_UNDEFINED; } static void _httpd_websocket_close_callback(tf_http_request_t* request) { JSContext* context = request->context; JSValue response_object = JS_MKPTR(JS_TAG_OBJECT, request->user_data); JSValue on_close = JS_GetPropertyStr(context, response_object, "onClose"); JSValue response = JS_Call(context, on_close, JS_UNDEFINED, 0, NULL); tf_util_report_error(context, response); JS_FreeValue(context, response); JS_FreeValue(context, on_close); JS_SetPropertyStr(context, response_object, "onMessage", JS_UNDEFINED); JS_SetPropertyStr(context, response_object, "onClose", JS_UNDEFINED); JS_FreeValue(context, response_object); } static void _httpd_message_callback(tf_http_request_t* request, int op_code, const void* data, size_t size) { JSContext* context = request->context; JSValue response_object = JS_MKPTR(JS_TAG_OBJECT, request->user_data); JSValue on_message = JS_GetPropertyStr(context, response_object, "onMessage"); JSValue event = JS_NewObject(context); JS_SetPropertyStr(context, event, "opCode", JS_NewInt32(context, op_code)); JS_SetPropertyStr(context, event, "data", JS_NewStringLen(context, data, size)); JSValue response = JS_Call(context, on_message, JS_UNDEFINED, 1, &event); tf_util_report_error(context, response); JS_FreeValue(context, response); JS_FreeValue(context, event); JS_FreeValue(context, on_message); } static void _httpd_callback_internal(tf_http_request_t* request, bool is_websocket) { http_handler_data_t* data = request->user_data; JSContext* context = data->context; JSValue request_object = JS_NewObject(context); JS_SetPropertyStr(context, request_object, "method", JS_NewString(context, request->method)); JS_SetPropertyStr(context, request_object, "uri", JS_NewString(context, request->path)); JSValue headers = JS_NewObject(context); for (int i = 0; i < request->headers_count; i++) { JS_SetPropertyStr(context, headers, request->headers[i].name, JS_NewString(context, request->headers[i].value)); } JS_SetPropertyStr(context, request_object, "headers", headers); if (request->query) { JS_SetPropertyStr(context, request_object, "query", JS_NewString(context, request->query)); } if (request->body) { JS_SetPropertyStr(context, request_object, "body", tf_util_new_uint8_array(context, request->body, request->content_length)); } JSValue client = JS_NewObject(context); JS_SetPropertyStr(context, client, "tls", request->is_tls ? JS_TRUE : JS_FALSE); JS_SetPropertyStr(context, request_object, "client", client); JSValue response_object = JS_NewObjectClass(context, _httpd_request_class_id); /* The ref is owned by the JS object and will be released by the finalizer. */ tf_http_request_ref(request); JS_SetOpaque(response_object, request); JS_SetPropertyStr(context, response_object, "writeHead", JS_NewCFunction(context, _httpd_response_write_head, "writeHead", 2)); JS_SetPropertyStr(context, response_object, "end", JS_NewCFunction(context, _httpd_response_end, "end", 1)); JS_SetPropertyStr(context, response_object, "send", JS_NewCFunction(context, _httpd_response_send, "send", 2)); JS_SetPropertyStr(context, response_object, "upgrade", JS_NewCFunction(context, _httpd_websocket_upgrade, "upgrade", 2)); JSValue args[] = { request_object, response_object, }; JSValue response = JS_Call(context, data->callback, JS_UNDEFINED, 2, args); tf_util_report_error(context, response); JS_FreeValue(context, request_object); JS_FreeValue(context, response); JS_FreeValue(context, response_object); } static bool _httpd_redirect(tf_http_request_t* request) { if (request->is_tls) { return false; } http_user_data_t* user_data = tf_http_get_user_data(request->http); if (!user_data || !*user_data->redirect) { return false; } char redirect[1024]; snprintf(redirect, sizeof(redirect), "%s%s", user_data->redirect, request->path); tf_http_respond(request, 303, (const char*[]) { "Location", redirect }, 1, NULL, 0); return true; } static void _httpd_callback(tf_http_request_t* request) { if (_httpd_redirect(request)) { return; } _httpd_callback_internal(request, false); } static JSValue _httpd_websocket_upgrade(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv) { tf_http_request_t* request = JS_GetOpaque(this_val, _httpd_request_class_id); tf_http_request_ref(request); const char* header_connection = tf_http_request_get_header(request, "connection"); const char* header_upgrade = tf_http_request_get_header(request, "upgrade"); const char* header_sec_websocket_key = tf_http_request_get_header(request, "sec-websocket-key"); if (header_connection && header_upgrade && header_sec_websocket_key && strstr(header_connection, "Upgrade") && strcasecmp(header_upgrade, "websocket") == 0) { static const char* k_magic = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; size_t key_length = strlen(header_sec_websocket_key); size_t size = key_length + 36; uint8_t* key_magic = alloca(size); memcpy(key_magic, header_sec_websocket_key, key_length); memcpy(key_magic + key_length, k_magic, 36); uint8_t digest[20]; SHA1(key_magic, size, digest); char key[41] = { 0 }; tf_base64_encode(digest, sizeof(digest), key, sizeof(key)); const char* headers[64] = { 0 }; int headers_count = 0; headers[headers_count * 2 + 0] = "Upgrade"; headers[headers_count * 2 + 1] = "websocket"; headers_count++; headers[headers_count * 2 + 0] = "Connection"; headers[headers_count * 2 + 1] = "Upgrade"; headers_count++; headers[headers_count * 2 + 0] = "Sec-WebSocket-Accept"; headers[headers_count * 2 + 1] = key; headers_count++; tf_ssb_t* ssb = tf_task_get_ssb(tf_task_get(context)); const char* session = tf_http_get_cookie(tf_http_request_get_header(request, "cookie"), "session"); JSValue jwt = _authenticate_jwt(ssb, context, session); tf_free((void*)session); JSValue name = !JS_IsUndefined(jwt) ? JS_GetPropertyStr(context, jwt, "name") : JS_UNDEFINED; const char* name_string = !JS_IsUndefined(name) ? JS_ToCString(context, name) : NULL; const char* session_token = _make_session_jwt(tf_ssb_get_context(ssb), ssb, name_string); const char* cookie = _make_set_session_cookie_header(request, session_token); tf_free((void*)session_token); JS_FreeCString(context, name_string); JS_FreeValue(context, name); JS_FreeValue(context, jwt); headers[headers_count * 2 + 0] = "Set-Cookie"; headers[headers_count * 2 + 1] = cookie ? cookie : ""; headers_count++; bool send_version = !tf_http_request_get_header(request, "sec-websocket-version") || strcmp(tf_http_request_get_header(request, "sec-websocket-version"), "13") != 0; if (send_version) { headers[headers_count * 2 + 0] = "Sec-WebSocket-Accept"; headers[headers_count * 2 + 1] = key; headers_count++; } int js_headers_count = _object_to_headers(context, argv[1], headers + headers_count * 2, tf_countof(headers) - headers_count * 2); headers_count += js_headers_count; tf_http_request_websocket_upgrade(request); tf_http_respond(request, 101, headers, headers_count, NULL, 0); for (int i = headers_count - js_headers_count; i < headers_count * 2; i++) { JS_FreeCString(context, headers[i * 2 + 0]); JS_FreeCString(context, headers[i * 2 + 1]); } tf_free((void*)cookie); request->on_message = _httpd_message_callback; request->on_close = _httpd_websocket_close_callback; request->context = context; request->user_data = JS_VALUE_GET_PTR(JS_DupValue(context, this_val)); } else { tf_http_respond(request, 400, NULL, 0, NULL, 0); } tf_http_request_unref(request); return JS_UNDEFINED; } static void _httpd_cleanup_callback(void* user_data) { http_handler_data_t* data = user_data; JS_FreeValue(data->context, data->callback); tf_free(data); } static JSValue _httpd_endpoint_all(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv) { tf_http_t* http = JS_GetOpaque(this_val, _httpd_class_id); const char* pattern = JS_ToCString(context, argv[0]); http_handler_data_t* data = tf_malloc(sizeof(http_handler_data_t)); *data = (http_handler_data_t) { .context = context, .callback = JS_DupValue(context, argv[1]) }; tf_http_add_handler(http, pattern, _httpd_callback, _httpd_cleanup_callback, data); JS_FreeCString(context, pattern); return JS_UNDEFINED; } typedef struct _httpd_listener_t { JSContext* context; JSValue tls; } httpd_listener_t; static void _httpd_listener_cleanup(void* user_data) { httpd_listener_t* listener = user_data; JS_FreeValue(listener->context, listener->tls); tf_free(listener); } static JSValue _httpd_endpoint_start(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv) { tf_http_t* http = JS_GetOpaque(this_val, _httpd_class_id); int port = 0; JS_ToInt32(context, &port, argv[0]); httpd_listener_t* listener = tf_malloc(sizeof(httpd_listener_t)); *listener = (httpd_listener_t) { .context = context, .tls = JS_DupValue(context, argv[1]) }; tf_tls_context_t* tls = tf_tls_context_get(listener->tls); int assigned_port = tf_http_listen(http, port, tls, _httpd_listener_cleanup, listener); tf_printf(CYAN "~😎 Tilde Friends" RESET " is now up at " MAGENTA "http%s://127.0.0.1:%d/" RESET ".\n", tls ? "s" : "", assigned_port); return JS_NewInt32(context, assigned_port); } static void _httpd_free_user_data(void* user_data) { tf_free(user_data); } static JSValue _httpd_set_http_redirect(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv) { tf_http_t* http = JS_GetOpaque(this_val, _httpd_class_id); http_user_data_t* user_data = tf_http_get_user_data(http); if (!user_data) { user_data = tf_malloc(sizeof(http_user_data_t)); memset(user_data, 0, sizeof(http_user_data_t)); tf_http_set_user_data(http, user_data, _httpd_free_user_data); } const char* redirect = JS_ToCString(context, argv[0]); snprintf(user_data->redirect, sizeof(user_data->redirect), "%s", redirect ? redirect : ""); JS_FreeCString(context, redirect); return JS_UNDEFINED; } typedef struct _auth_query_work_t { const char* settings; JSValue entry; JSValue result; JSValue promise[2]; } auth_query_work_t; static void _httpd_auth_query_work(tf_ssb_t* ssb, void* user_data) { auth_query_work_t* work = user_data; work->settings = tf_ssb_db_get_property(ssb, "core", "settings"); } static void _httpd_auth_query_after_work(tf_ssb_t* ssb, int status, void* user_data) { auth_query_work_t* work = user_data; JSContext* context = tf_ssb_get_context(ssb); JSValue name = JS_GetPropertyStr(context, work->entry, "name"); const char* name_string = JS_ToCString(context, name); JSValue settings_value = work->settings ? JS_ParseJSON(context, work->settings, strlen(work->settings), NULL) : JS_UNDEFINED; JSValue out_permissions = JS_NewObject(context); JS_SetPropertyStr(context, work->result, "permissions", out_permissions); JSValue permissions = !JS_IsUndefined(settings_value) ? JS_GetPropertyStr(context, settings_value, "permissions") : JS_UNDEFINED; JSValue user_permissions = !JS_IsUndefined(permissions) ? JS_GetPropertyStr(context, permissions, name_string) : JS_UNDEFINED; int length = !JS_IsUndefined(user_permissions) ? tf_util_get_length(context, user_permissions) : 0; for (int i = 0; i < length; i++) { JSValue permission = JS_GetPropertyUint32(context, user_permissions, i); const char* permission_string = JS_ToCString(context, permission); JS_SetPropertyStr(context, out_permissions, permission_string, JS_TRUE); JS_FreeCString(context, permission_string); JS_FreeValue(context, permission); } JSValue error = JS_Call(context, work->promise[0], JS_UNDEFINED, 1, &work->result); JS_FreeValue(context, work->result); tf_util_report_error(context, error); JS_FreeValue(context, error); JS_FreeValue(context, work->promise[0]); JS_FreeValue(context, work->promise[1]); JS_FreeValue(context, user_permissions); JS_FreeValue(context, permissions); JS_FreeValue(context, settings_value); tf_free((void*)work->settings); JS_FreeCString(context, name_string); JS_FreeValue(context, name); tf_free(work); } static JSValue _httpd_auth_query(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv) { tf_task_t* task = tf_task_get(context); tf_ssb_t* ssb = tf_task_get_ssb(task); JSValue headers = argv[0]; if (JS_IsUndefined(headers)) { return JS_UNDEFINED; } JSValue cookie = JS_GetPropertyStr(context, headers, "cookie"); const char* cookie_string = JS_ToCString(context, cookie); const char* session = tf_http_get_cookie(cookie_string, "session"); JSValue entry = _authenticate_jwt(ssb, context, session); tf_free((void*)session); JS_FreeCString(context, cookie_string); JS_FreeValue(context, cookie); JSValue result = JS_UNDEFINED; if (!JS_IsUndefined(entry)) { JSValue value = JS_NewObject(context); JS_SetPropertyStr(context, value, "session", entry); auth_query_work_t* work = tf_malloc(sizeof(auth_query_work_t)); *work = (auth_query_work_t) { .entry = entry, .result = value, }; result = JS_NewPromiseCapability(context, work->promise); tf_ssb_run_work(ssb, _httpd_auth_query_work, _httpd_auth_query_after_work, work); } return result; } typedef struct _magic_bytes_t { const char* type; uint8_t bytes[12]; uint8_t ignore[12]; } magic_bytes_t; static bool _magic_bytes_match(const magic_bytes_t* magic, const uint8_t* actual, size_t size) { if (size < sizeof(magic->bytes)) { return false; } int length = (int)tf_min(sizeof(magic->bytes), size); for (int i = 0; i < length; i++) { if ((magic->bytes[i] & ~magic->ignore[i]) != (actual[i] & ~magic->ignore[i])) { return false; } } return true; } static const char* _httpd_mime_type_from_magic_bytes_internal(const uint8_t* bytes, size_t size) { const char* type = "application/binary"; if (bytes) { const magic_bytes_t k_magic_bytes[] = { { .type = "image/jpeg", .bytes = { 0xff, 0xd8, 0xff, 0xdb }, }, { .type = "image/jpeg", .bytes = { 0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01 }, }, { .type = "image/jpeg", .bytes = { 0xff, 0xd8, 0xff, 0xee }, }, { .type = "image/jpeg", .bytes = { 0xff, 0xd8, 0xff, 0xe1, 0x00, 0x00, 0x45, 0x78, 0x69, 0x66, 0x00, 0x00 }, .ignore = { 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, }, { .type = "image/png", .bytes = { 0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a }, }, { .type = "image/gif", .bytes = { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 }, }, { .type = "image/gif", .bytes = { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 }, }, { .type = "image/webp", .bytes = { 0x52, 0x49, 0x46, 0x46, 0x00, 0x00, 0x00, 0x00, 0x57, 0x45, 0x42, 0x50 }, .ignore = { 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 }, }, { .type = "image/svg+xml", .bytes = { 0x3c, 0x73, 0x76, 0x67 }, }, { .type = "audio/mpeg", .bytes = { 0x00, 0x00, 0x00, 0x00, 0x66, 0x74, 0x79, 0x70, 0x6d, 0x70, 0x34, 0x32 }, .ignore = { 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, }, { .type = "video/mp4", .bytes = { 0x00, 0x00, 0x00, 0x00, 0x66, 0x74, 0x79, 0x70, 0x69, 0x73, 0x6f, 0x6d }, .ignore = { 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, }, { .type = "video/mp4", .bytes = { 0x00, 0x00, 0x00, 0x00, 0x66, 0x74, 0x79, 0x70, 0x6d, 0x70, 0x34, 0x32 }, .ignore = { 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, }, { .type = "audio/midi", .bytes = { 0x4d, 0x54, 0x68, 0x64 }, }, }; for (int i = 0; i < tf_countof(k_magic_bytes); i++) { if (_magic_bytes_match(&k_magic_bytes[i], bytes, size)) { type = k_magic_bytes[i].type; break; } } } return type; } static JSValue _httpd_mime_type_from_magic_bytes(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv) { size_t size = 0; uint8_t* bytes = tf_util_try_get_array_buffer(context, &size, argv[0]); return JS_NewString(context, _httpd_mime_type_from_magic_bytes_internal(bytes, size)); } static const char* _ext_to_content_type(const char* ext, bool use_fallback) { if (ext) { typedef struct _ext_type_t { const char* ext; const char* type; } ext_type_t; const ext_type_t k_types[] = { { .ext = ".html", .type = "text/html; charset=UTF-8" }, { .ext = ".js", .type = "text/javascript; charset=UTF-8" }, { .ext = ".mjs", .type = "text/javascript; charset=UTF-8" }, { .ext = ".css", .type = "text/css; charset=UTF-8" }, { .ext = ".png", .type = "image/png" }, { .ext = ".json", .type = "application/json" }, { .ext = ".map", .type = "application/json" }, { .ext = ".svg", .type = "image/svg+xml" }, }; for (int i = 0; i < tf_countof(k_types); i++) { if (strcmp(ext, k_types[i].ext) == 0) { return k_types[i].type; } } } return use_fallback ? "application/binary" : NULL; } static JSValue _httpd_mime_type_from_extension(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv) { const char* name = JS_ToCString(context, argv[0]); const char* type = _ext_to_content_type(strrchr(name, '.'), false); JS_FreeCString(context, name); return type ? JS_NewString(context, type) : JS_UNDEFINED; } static void _httpd_finalizer(JSRuntime* runtime, JSValue value) { tf_http_t* http = JS_GetOpaque(value, _httpd_class_id); tf_http_destroy(http); } static void _httpd_request_finalizer(JSRuntime* runtime, JSValue value) { tf_http_request_t* request = JS_GetOpaque(value, _httpd_request_class_id); tf_http_request_unref(request); } static void _httpd_endpoint_trace(tf_http_request_t* request) { if (_httpd_redirect(request)) { return; } tf_task_t* task = request->user_data; tf_trace_t* trace = tf_task_get_trace(task); char* json = tf_trace_export(trace); const char* headers[] = { "Content-Type", "application/json; charset=utf-8", "Access-Control-Allow-Origin", "*", }; tf_http_respond(request, 200, headers, tf_countof(headers) / 2, json, json ? strlen(json) : 0); tf_free(json); } static void _httpd_endpoint_mem(tf_http_request_t* request) { if (_httpd_redirect(request)) { return; } char* response = NULL; size_t length = 0; int count = 0; tf_mem_allocation_t* alloc = tf_mem_summarize_allocations(&count); for (int i = 0; i < count; i++) { const char* stack = tf_util_backtrace_to_string(alloc[i].frames, alloc[i].frames_count); int line = snprintf(NULL, 0, "%zd bytes in %d allocations\n%s\n\n", alloc[i].size, alloc[i].count, stack); response = tf_resize_vec(response, length + line); snprintf(response + length, line, "%zd bytes in %d allocations\n%s\n\n", alloc[i].size, alloc[i].count, stack); length += line - 1; tf_free((void*)stack); } tf_free(alloc); const char* headers[] = { "Content-Type", "text/plain; charset=utf-8", "Access-Control-Allow-Origin", "*", }; tf_http_respond(request, 200, headers, tf_countof(headers) / 2, response, length); tf_free(response); } static void _httpd_endpoint_disconnections(tf_http_request_t* request) { if (_httpd_redirect(request)) { return; } tf_task_t* task = request->user_data; char* response = tf_task_get_disconnections(task); const char* headers[] = { "Content-Type", "application/json; charset=utf-8", "Access-Control-Allow-Origin", "*", }; tf_http_respond(request, 200, headers, tf_countof(headers) / 2, response, response ? strlen(response) : 0); tf_free(response); } static void _httpd_endpoint_hitches(tf_http_request_t* request) { if (_httpd_redirect(request)) { return; } tf_task_t* task = request->user_data; char* response = tf_task_get_hitches(task); const char* headers[] = { "Content-Type", "application/json; charset=utf-8", "Access-Control-Allow-Origin", "*", }; tf_http_respond(request, 200, headers, tf_countof(headers) / 2, response, response ? strlen(response) : 0); tf_free(response); } static const char* _after(const char* text, const char* prefix) { if (!text || !prefix) { return NULL; } size_t prefix_length = strlen(prefix); if (strncmp(text, prefix, prefix_length) == 0) { return text + prefix_length; } return NULL; } static double _time_spec_to_double(const uv_timespec_t* time_spec) { return (double)time_spec->tv_sec + (double)(time_spec->tv_nsec) / 1e9; } typedef struct _http_file_t { tf_http_request_t* request; char etag[512]; } http_file_t; static void _httpd_endpoint_static_read(tf_task_t* task, const char* path, int result, const void* data, void* user_data) { http_file_t* file = user_data; tf_http_request_t* request = file->request; if (result >= 0) { if (strcmp(path, "core/tfrpc.js") == 0) { const char* content_type = _ext_to_content_type(strrchr(path, '.'), true); const char* headers[] = { "Content-Type", content_type, "etag", file->etag, "Access-Control-Allow-Origin", "null", }; tf_http_respond(request, 200, headers, tf_countof(headers) / 2, data, result); } else { const char* content_type = _ext_to_content_type(strrchr(path, '.'), true); const char* headers[] = { "Content-Type", content_type, "etag", file->etag, }; tf_http_respond(request, 200, headers, tf_countof(headers) / 2, data, result); } } else { const char* k_payload = tf_http_status_text(404); tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload)); } tf_http_request_unref(request); tf_free(file); } static void _httpd_endpoint_static_stat(tf_task_t* task, const char* path, int result, const uv_stat_t* stat, void* user_data) { tf_http_request_t* request = user_data; const char* match = tf_http_request_get_header(request, "if-none-match"); if (result != 0) { const char* k_payload = tf_http_status_text(404); tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload)); tf_http_request_unref(request); } else { char etag[512]; snprintf(etag, sizeof(etag), "\"%f_%zd\"", _time_spec_to_double(&stat->st_mtim), (size_t)stat->st_size); if (match && strcmp(match, etag) == 0) { tf_http_respond(request, 304, NULL, 0, NULL, 0); tf_http_request_unref(request); } else { http_file_t* file = tf_malloc(sizeof(http_file_t)); *file = (http_file_t) { .request = request }; static_assert(sizeof(file->etag) == sizeof(etag), "Size mismatch"); memcpy(file->etag, etag, sizeof(etag)); tf_file_read(task, path, _httpd_endpoint_static_read, file); } } } static void _httpd_endpoint_static(tf_http_request_t* request) { if (strncmp(request->path, "/.well-known/", strlen("/.well-known/")) && _httpd_redirect(request)) { return; } const char* k_static_files[] = { "index.html", "client.js", "tildefriends.svg", "jszip.min.js", "style.css", "tfrpc.js", "w3.css", }; const char* k_map[][2] = { { "/static/", "core/" }, { "/lit/", "deps/lit/" }, { "/codemirror/", "deps/codemirror/" }, { "/prettier/", "deps/prettier/" }, { "/speedscope/", "deps/speedscope/" }, { "/.well-known/", "data/global/.well-known/" }, }; bool is_core = false; const char* after = NULL; const char* file_path = NULL; for (int i = 0; i < tf_countof(k_map) && !after; i++) { const char* next_after = _after(request->path, k_map[i][0]); if (next_after) { after = next_after; file_path = k_map[i][1]; is_core = after && i == 0; } } if ((!after || !*after) && request->path[strlen(request->path) - 1] == '/') { after = "index.html"; if (!file_path) { file_path = "core/"; is_core = true; } } if (!after || strstr(after, "..")) { const char* k_payload = tf_http_status_text(404); tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload)); return; } if (is_core) { bool found = false; for (int i = 0; i < tf_countof(k_static_files); i++) { if (strcmp(after, k_static_files[i]) == 0) { found = true; break; } } if (!found) { const char* k_payload = tf_http_status_text(404); tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload)); return; } } tf_task_t* task = request->user_data; size_t size = strlen(file_path) + strlen(after) + 1; char* path = alloca(size); snprintf(path, size, "%s%s", file_path, after); tf_http_request_ref(request); tf_file_stat(task, path, _httpd_endpoint_static_stat, request); } typedef struct _view_t { tf_http_request_t* request; const char** form_data; void* data; size_t size; bool not_modified; } view_t; static bool _is_filename_safe(const char* filename) { if (!filename) { return NULL; } for (const char* p = filename; *p; p++) { if ((*p <= 'a' && *p >= 'z') && (*p <= 'A' && *p >= 'Z') && (*p <= '0' && *p >= '9') && *p != '.' && *p != '-' && *p != '_') { return false; } } return strlen(filename) < 256; } static void _httpd_endpoint_view_work(tf_ssb_t* ssb, void* user_data) { view_t* view = user_data; tf_http_request_t* request = view->request; char blob_id[256] = ""; if (request->path[0] == '/' && request->path[1] == '~') { char user[256] = ""; char path[1024] = ""; const char* slash = strchr(request->path + 2, '/'); if (slash) { snprintf(user, sizeof(user), "%.*s", (int)(slash - (request->path + 2)), request->path + 2); snprintf(path, sizeof(path), "path:%.*s", (int)(strlen(slash + 1) - strlen("/view")), slash + 1); const char* value = tf_ssb_db_get_property(ssb, user, path); snprintf(blob_id, sizeof(blob_id), "%s", value); tf_free((void*)value); } } else if (request->path[0] == '/' && request->path[1] == '&') { snprintf(blob_id, sizeof(blob_id), "%.*s", (int)(strlen(request->path) - strlen("/view") - 1), request->path + 1); } if (*blob_id) { const char* if_none_match = tf_http_request_get_header(request, "if-none-match"); char match[258]; snprintf(match, sizeof(match), "\"%s\"", blob_id); if (if_none_match && strcmp(if_none_match, match)) { view->not_modified = true; } else { tf_ssb_db_blob_get(ssb, blob_id, (uint8_t**)&view->data, &view->size); } } } static void _httpd_endpoint_view_after_work(tf_ssb_t* ssb, int status, void* user_data) { view_t* view = user_data; const char* filename = _form_data_get(view->form_data, "filename"); if (!_is_filename_safe(filename)) { filename = NULL; } char content_disposition[512] = ""; if (filename) { snprintf(content_disposition, sizeof(content_disposition), "attachment; filename=%s", filename); } const char* headers[] = { "Content-Security-Policy", "sandbox allow-downloads allow-top-navigation-by-user-activation", "Content-Type", view->data ? _httpd_mime_type_from_magic_bytes_internal(view->data, view->size) : "text/plain", filename ? "Content-Disposition" : NULL, filename ? content_disposition : NULL, }; int count = filename ? tf_countof(headers) / 2 : (tf_countof(headers) / 2 - 1); if (view->not_modified) { tf_http_respond(view->request, 304, headers, count, NULL, 0); } else if (view->data) { tf_http_respond(view->request, 200, headers, count, view->data, view->size); tf_free(view->data); } else { const char* k_payload = tf_http_status_text(404); tf_http_respond(view->request, 404, NULL, 0, k_payload, strlen(k_payload)); } tf_free(view->form_data); tf_http_request_unref(view->request); tf_free(view); } static void _httpd_endpoint_view(tf_http_request_t* request) { tf_http_request_ref(request); tf_task_t* task = request->user_data; tf_ssb_t* ssb = tf_task_get_ssb(task); view_t* view = tf_malloc(sizeof(view_t)); *view = (view_t) { .request = request, .form_data = _form_data_decode(request->query, request->query ? strlen(request->query) : 0) }; tf_ssb_run_work(ssb, _httpd_endpoint_view_work, _httpd_endpoint_view_after_work, view); } typedef struct _delete_t { tf_http_request_t* request; const char* session; int response; } delete_t; static void _httpd_endpoint_delete_work(tf_ssb_t* ssb, void* user_data) { delete_t* delete = user_data; tf_http_request_t* request = delete->request; JSMallocFunctions funcs = { 0 }; tf_get_js_malloc_functions(&funcs); JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL); JSContext* context = JS_NewContext(runtime); JSValue jwt = _authenticate_jwt(ssb, context, delete->session); JSValue user = JS_GetPropertyStr(context, jwt, "name"); const char* user_string = JS_ToCString(context, user); if (user_string && _is_name_valid(user_string)) { size_t length = strlen(user_string); if (request->path && request->path[0] == '/' && request->path[1] == '~' && /* TODO: admin users used to be able to delete core apps */ strncmp(request->path + 2, user_string, length) == 0 && request->path[2 + length] == '/') { char* app_name = tf_strdup(request->path + 2 + length + 1); if (app_name) { if (strlen(app_name) > strlen("/delete") && strcmp(app_name + strlen(app_name) - strlen("/delete"), "/delete") == 0) { app_name[strlen(app_name) - strlen("/delete")] = '\0'; } } size_t path_length = strlen("path:") + strlen(app_name) + 1; char* app_path = tf_malloc(path_length); snprintf(app_path, path_length, "path:%s", app_name); bool changed = false; changed = tf_ssb_db_remove_value_from_array_property(ssb, user_string, "apps", app_name) || changed; changed = tf_ssb_db_remove_property(ssb, user_string, app_path) || changed; delete->response = changed ? 200 : 404; tf_free(app_name); tf_free(app_path); } } else { delete->response = 401; } JS_FreeCString(context, user_string); JS_FreeValue(context, user); JS_FreeValue(context, jwt); JS_FreeContext(context); JS_FreeRuntime(runtime); } static void _httpd_endpoint_delete_after_work(tf_ssb_t* ssb, int status, void* user_data) { delete_t* delete = user_data; const char* k_payload = tf_http_status_text(delete->response ? delete->response : 404); tf_http_respond(delete->request, delete->response ? delete->response : 404, NULL, 0, k_payload, strlen(k_payload)); tf_http_request_unref(delete->request); tf_free((void*)delete->session); tf_free(delete); } static void _httpd_endpoint_delete(tf_http_request_t* request) { tf_http_request_ref(request); tf_task_t* task = request->user_data; tf_ssb_t* ssb = tf_task_get_ssb(task); delete_t* delete = tf_malloc(sizeof(delete_t)); *delete = (delete_t) { .request = request, .session = tf_http_get_cookie(tf_http_request_get_header(request, "cookie"), "session"), }; tf_ssb_run_work(ssb, _httpd_endpoint_delete_work, _httpd_endpoint_delete_after_work, delete); } static void _httpd_endpoint_root_callback(const char* path, void* user_data) { tf_http_request_t* request = user_data; const char* host = tf_http_request_get_header(request, "x-forwarded-host"); if (!host) { host = tf_http_request_get_header(request, "host"); } char url[1024]; snprintf(url, sizeof(url), "%s%s%s", request->is_tls ? "https://" : "http://", host, path ? path : "/~core/apps/"); const char* headers[] = { "Location", url, }; tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0); tf_http_request_unref(request); } static void _httpd_endpoint_root(tf_http_request_t* request) { const char* host = tf_http_request_get_header(request, "x-forwarded-host"); if (!host) { host = tf_http_request_get_header(request, "host"); } tf_task_t* task = request->user_data; tf_ssb_t* ssb = tf_task_get_ssb(task); tf_http_request_ref(request); tf_ssb_db_resolve_index_async(ssb, host, _httpd_endpoint_root_callback, request); } static void _httpd_endpoint_robots_txt(tf_http_request_t* request) { if (_httpd_redirect(request)) { return; } char* response = "User-Agent: *\n" "Disallow: /*/*/edit\n" "Allow: /\n"; const char* headers[] = { "Content-Type", "text/plain; charset=utf-8" }; tf_http_respond(request, 200, headers, tf_countof(headers) / 2, response, response ? strlen(response) : 0); } static void _httpd_endpoint_debug(tf_http_request_t* request) { if (_httpd_redirect(request)) { return; } tf_task_t* task = request->user_data; char* response = tf_task_get_debug(task); const char* headers[] = { "Content-Type", "application/json; charset=utf-8", "Access-Control-Allow-Origin", "*", }; tf_http_respond(request, 200, headers, tf_countof(headers) / 2, response, response ? strlen(response) : 0); tf_free(response); } const char** _form_data_decode(const char* data, int length) { int key_max = 1; for (int i = 0; i < length; i++) { if (data[i] == '&') { key_max++; } } int write_length = length + 1; char** result = tf_malloc(sizeof(const char*) * (key_max + 1) * 2 + write_length); char* result_buffer = ((char*)result) + sizeof(const char*) * (key_max + 1) * 2; char* write_pos = result_buffer; int count = 0; int i = 0; while (i < length) { result[count++] = write_pos; while (i < length) { if (data[i] == '+') { *write_pos++ = ' '; i++; } else if (data[i] == '%' && i + 2 < length) { *write_pos++ = (char)strtoul((const char[]) { data[i + 1], data[i + 2], 0 }, NULL, 16); i += 3; } else if (data[i] == '=') { if (count % 2 == 0) { result[count++] = ""; } i++; break; } else if (data[i] == '&') { if (count % 2 != 0) { result[count++] = ""; } i++; break; } else { *write_pos++ = data[i++]; } } *write_pos++ = '\0'; } result[count++] = NULL; result[count++] = NULL; return (const char**)result; } const char* _form_data_get(const char** form_data, const char* key) { for (int i = 0; form_data[i]; i += 2) { if (form_data[i] && strcmp(form_data[i], key) == 0) { return form_data[i + 1]; } } return NULL; } typedef struct _login_request_t { tf_http_request_t* request; const char* name; const char* error; const char* settings; const char* code_of_conduct; bool have_administrator; bool session_is_new; char location_header[1024]; const char* set_cookie_header; int pending; } login_request_t; static const char* _make_set_session_cookie_header(tf_http_request_t* request, const char* session_cookie) { const char* k_pattern = "session=%s; path=/; Max-Age=%" PRId64 "; %sSameSite=Strict; HttpOnly"; int length = session_cookie ? snprintf(NULL, 0, k_pattern, session_cookie, k_refresh_interval, request->is_tls ? "Secure; " : "") : 0; char* cookie = length ? tf_malloc(length + 1) : NULL; if (cookie) { snprintf(cookie, length + 1, k_pattern, session_cookie, k_refresh_interval, request->is_tls ? "Secure; " : ""); } return cookie; } static void _login_release(login_request_t* login) { int ref_count = --login->pending; if (ref_count == 0) { tf_free((void*)login->name); tf_free((void*)login->code_of_conduct); tf_free((void*)login->set_cookie_header); tf_free(login); } } static void _httpd_endpoint_login_file_read_callback(tf_task_t* task, const char* path, int result, const void* data, void* user_data) { login_request_t* login = user_data; tf_http_request_t* request = login->request; if (result >= 0) { const char* headers[] = { "Content-Type", "text/html; charset=utf-8", "Set-Cookie", login->set_cookie_header ? login->set_cookie_header : "", }; const char* replace_me = "$AUTH_DATA"; const char* auth = strstr(data, replace_me); if (auth) { JSContext* context = tf_task_get_context(task); JSValue object = JS_NewObject(context); JS_SetPropertyStr(context, object, "session_is_new", JS_NewBool(context, login->session_is_new)); JS_SetPropertyStr(context, object, "name", login->name ? JS_NewString(context, login->name) : JS_UNDEFINED); JS_SetPropertyStr(context, object, "error", login->error ? JS_NewString(context, login->error) : JS_UNDEFINED); JS_SetPropertyStr(context, object, "code_of_conduct", login->code_of_conduct ? JS_NewString(context, login->code_of_conduct) : JS_UNDEFINED); JS_SetPropertyStr(context, object, "have_administrator", JS_NewBool(context, login->have_administrator)); JSValue object_json = JS_JSONStringify(context, object, JS_NULL, JS_NULL); size_t json_length = 0; const char* json = JS_ToCStringLen(context, &json_length, object_json); char* copy = tf_malloc(result + json_length); int replace_start = (auth - (const char*)data); int replace_end = (auth - (const char*)data) + (int)strlen(replace_me); memcpy(copy, data, replace_start); memcpy(copy + replace_start, json, json_length); memcpy(copy + replace_start + json_length, ((const char*)data) + replace_end, result - replace_end); tf_http_respond(request, 200, headers, tf_countof(headers) / 2, copy, replace_start + json_length + (result - replace_end)); tf_free(copy); JS_FreeCString(context, json); JS_FreeValue(context, object_json); JS_FreeValue(context, object); } else { tf_http_respond(request, 200, headers, tf_countof(headers) / 2, data, result); } } else { const char* k_payload = tf_http_status_text(404); tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload)); } tf_http_request_unref(request); _login_release(login); } static bool _string_property_equals(JSContext* context, JSValue object, const char* name, const char* value) { JSValue object_value = JS_GetPropertyStr(context, object, name); const char* object_value_string = JS_ToCString(context, object_value); bool equals = object_value_string && strcmp(object_value_string, value) == 0; JS_FreeCString(context, object_value_string); JS_FreeValue(context, object_value); return equals; } static JSValue _authenticate_jwt(tf_ssb_t* ssb, JSContext* context, const char* jwt) { if (!jwt) { return JS_UNDEFINED; } int dot[2] = { 0 }; int dot_count = 0; for (int i = 0; jwt[i]; i++) { if (jwt[i] == '.') { if (dot_count >= tf_countof(dot)) { return JS_UNDEFINED; } dot[dot_count++] = i; } } if (dot_count != 2) { return JS_UNDEFINED; } uint8_t header[256] = { 0 }; size_t actual_length = 0; if (sodium_base642bin(header, sizeof(header), jwt, dot[0], NULL, &actual_length, NULL, sodium_base64_VARIANT_URLSAFE_NO_PADDING) != 0 || actual_length >= sizeof(header)) { return JS_UNDEFINED; } header[actual_length] = '\0'; JSValue header_value = JS_ParseJSON(context, (const char*)header, actual_length, NULL); bool header_valid = _string_property_equals(context, header_value, "typ", "JWT") && _string_property_equals(context, header_value, "alg", "HS256"); JS_FreeValue(context, header_value); if (!header_valid) { return JS_UNDEFINED; } char public_key_b64[k_id_base64_len] = { 0 }; tf_ssb_whoami(ssb, public_key_b64, sizeof(public_key_b64)); const char* payload = jwt + dot[0] + 1; size_t payload_length = dot[1] - dot[0] - 1; if (!tf_ssb_hmacsha256_verify(public_key_b64, payload, payload_length, jwt + dot[1] + 1, true)) { return JS_UNDEFINED; } uint8_t payload_bin[256]; size_t actual_payload_length = 0; if (sodium_base642bin(payload_bin, sizeof(payload_bin), payload, payload_length, NULL, &actual_payload_length, NULL, sodium_base64_VARIANT_URLSAFE_NO_PADDING) != 0 || actual_payload_length >= sizeof(payload_bin)) { return JS_UNDEFINED; } payload_bin[actual_payload_length] = '\0'; JSValue parsed = JS_ParseJSON(context, (const char*)payload_bin, actual_payload_length, NULL); JSValue exp = JS_GetPropertyStr(context, parsed, "exp"); int64_t exp_value = 0; JS_ToInt64(context, &exp_value, exp); if (time(NULL) >= exp_value) { JS_FreeValue(context, parsed); return JS_UNDEFINED; } return parsed; } static bool _session_is_authenticated_as_user(JSContext* context, JSValue session) { bool result = false; JSValue user = JS_GetPropertyStr(context, session, "name"); const char* user_string = JS_ToCString(context, user); result = user_string && strcmp(user_string, "guest") != 0; JS_FreeCString(context, user_string); JS_FreeValue(context, user); return result; } static bool _is_name_valid(const char* name) { if (!name || !((*name >= 'a' && *name <= 'z') || (*name >= 'A' && *name <= 'Z'))) { return false; } for (const char* p = name; *p; p++) { bool in_range = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') || (*p >= '0' && *p <= '9'); if (!in_range) { return false; } } return true; } static const char* _make_session_jwt(JSContext* context, tf_ssb_t* ssb, const char* name) { if (!name || !*name) { return NULL; } uv_timespec64_t now = { 0 }; uv_clock_gettime(UV_CLOCK_REALTIME, &now); const char* header_json = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}"; char header_base64[256]; sodium_bin2base64(header_base64, sizeof(header_base64), (uint8_t*)header_json, strlen(header_json), sodium_base64_VARIANT_URLSAFE_NO_PADDING); JSValue payload = JS_NewObject(context); JS_SetPropertyStr(context, payload, "name", JS_NewString(context, name)); JS_SetPropertyStr(context, payload, "exp", JS_NewInt64(context, now.tv_sec * 1000 + now.tv_nsec / 1000000LL + k_refresh_interval)); JSValue payload_json = JS_JSONStringify(context, payload, JS_NULL, JS_NULL); size_t payload_length = 0; const char* payload_string = JS_ToCStringLen(context, &payload_length, payload_json); char payload_base64[256]; sodium_bin2base64(payload_base64, sizeof(payload_base64), (uint8_t*)payload_string, payload_length, sodium_base64_VARIANT_URLSAFE_NO_PADDING); char* result = NULL; uint8_t signature[crypto_sign_BYTES]; unsigned long long signature_length = 0; char signature_base64[256] = { 0 }; uint8_t private_key[crypto_sign_SECRETKEYBYTES] = { 0 }; tf_ssb_get_private_key(ssb, private_key, sizeof(private_key)); if (crypto_sign_detached(signature, &signature_length, (const uint8_t*)payload_base64, strlen(payload_base64), private_key) == 0) { sodium_bin2base64(signature_base64, sizeof(signature_base64), signature, sizeof(signature), sodium_base64_VARIANT_URLSAFE_NO_PADDING); size_t size = strlen(header_base64) + 1 + strlen(payload_base64) + 1 + strlen(signature_base64) + 1; result = tf_malloc(size); snprintf(result, size, "%s.%s.%s", header_base64, payload_base64, signature_base64); } sodium_memzero(private_key, sizeof(private_key)); JS_FreeCString(context, payload_string); JS_FreeValue(context, payload_json); JS_FreeValue(context, payload); return result; } static bool _verify_password(const char* password, const char* hash) { char buffer[7 + 22 + 31 + 1]; const char* out_hash = crypt_rn(password, hash, buffer, sizeof(buffer)); return out_hash && strcmp(hash, out_hash) == 0; } static bool _make_administrator_if_first(tf_ssb_t* ssb, JSContext* context, const char* account_name_copy, bool may_become_first_admin) { const char* settings = tf_ssb_db_get_property(ssb, "core", "settings"); JSValue settings_value = settings && *settings ? JS_ParseJSON(context, settings, strlen(settings), NULL) : JS_UNDEFINED; if (JS_IsUndefined(settings_value)) { settings_value = JS_NewObject(context); } bool have_administrator = false; JSValue permissions = JS_GetPropertyStr(context, settings_value, "permissions"); JSPropertyEnum* ptab = NULL; uint32_t plen = 0; JS_GetOwnPropertyNames(context, &ptab, &plen, permissions, JS_GPN_STRING_MASK); for (int i = 0; i < (int)plen; i++) { JSPropertyDescriptor desc = { 0 }; if (JS_GetOwnProperty(context, &desc, permissions, ptab[i].atom) == 1) { int permission_length = tf_util_get_length(context, desc.value); for (int i = 0; i < permission_length; i++) { JSValue entry = JS_GetPropertyUint32(context, desc.value, i); const char* permission = JS_ToCString(context, entry); if (permission && strcmp(permission, "administration") == 0) { have_administrator = true; } JS_FreeCString(context, permission); JS_FreeValue(context, entry); } JS_FreeValue(context, desc.setter); JS_FreeValue(context, desc.getter); JS_FreeValue(context, desc.value); } } for (uint32_t i = 0; i < plen; ++i) { JS_FreeAtom(context, ptab[i].atom); } js_free(context, ptab); if (!have_administrator && may_become_first_admin) { if (JS_IsUndefined(permissions)) { permissions = JS_NewObject(context); JS_SetPropertyStr(context, settings_value, "permissions", JS_DupValue(context, permissions)); } JSValue user = JS_GetPropertyStr(context, permissions, account_name_copy); if (JS_IsUndefined(user)) { user = JS_NewArray(context); JS_SetPropertyStr(context, permissions, account_name_copy, JS_DupValue(context, user)); } JS_SetPropertyUint32(context, user, tf_util_get_length(context, user), JS_NewString(context, "administration")); JS_FreeValue(context, user); JSValue settings_json = JS_JSONStringify(context, settings_value, JS_NULL, JS_NULL); const char* settings_string = JS_ToCString(context, settings_json); tf_ssb_db_set_property(ssb, "core", "settings", settings_string); JS_FreeCString(context, settings_string); JS_FreeValue(context, settings_json); } JS_FreeValue(context, permissions); JS_FreeValue(context, settings_value); tf_free((void*)settings); return have_administrator; } static void _httpd_endpoint_login_work(tf_ssb_t* ssb, void* user_data) { login_request_t* login = user_data; tf_http_request_t* request = login->request; JSMallocFunctions funcs = { 0 }; tf_get_js_malloc_functions(&funcs); JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL); JSContext* context = JS_NewContext(runtime); const char* session = tf_http_get_cookie(tf_http_request_get_header(request, "cookie"), "session"); const char** form_data = _form_data_decode(request->query, request->query ? strlen(request->query) : 0); const char* account_name_copy = NULL; JSValue jwt = _authenticate_jwt(ssb, context, session); if (_session_is_authenticated_as_user(context, jwt)) { const char* return_url = _form_data_get(form_data, "return"); if (return_url) { snprintf(login->location_header, sizeof(login->location_header), "%s", return_url); } else { snprintf(login->location_header, sizeof(login->location_header), "%s%s/", request->is_tls ? "https://" : "http://", tf_http_request_get_header(request, "host")); } goto done; } const char* send_session = tf_strdup(session); bool session_is_new = false; const char* login_error = NULL; bool may_become_first_admin = false; if (strcmp(request->method, "POST") == 0) { session_is_new = true; const char** post_form_data = _form_data_decode(request->body, request->content_length); const char* submit = _form_data_get(post_form_data, "submit"); if (submit && strcmp(submit, "Login") == 0) { const char* account_name = _form_data_get(post_form_data, "name"); account_name_copy = tf_strdup(account_name); const char* password = _form_data_get(post_form_data, "password"); const char* new_password = _form_data_get(post_form_data, "new_password"); const char* confirm = _form_data_get(post_form_data, "confirm"); const char* change = _form_data_get(post_form_data, "change"); const char* form_register = _form_data_get(post_form_data, "register"); char account_passwd[256] = { 0 }; bool have_account = tf_ssb_db_get_account_password_hash(ssb, _form_data_get(post_form_data, "name"), account_passwd, sizeof(account_passwd)); if (form_register && strcmp(form_register, "1") == 0) { bool registered = false; if (!have_account && _is_name_valid(account_name) && password && confirm && strcmp(password, confirm) == 0) { sqlite3* db = tf_ssb_acquire_db_writer(ssb); registered = tf_ssb_db_register_account(tf_ssb_get_loop(ssb), db, context, account_name, password); tf_ssb_release_db_writer(ssb, db); if (registered) { tf_free((void*)send_session); send_session = _make_session_jwt(context, ssb, account_name); may_become_first_admin = true; } } if (!registered) { login_error = "Error registering account."; } } else if (change && strcmp(change, "1") == 0) { bool set = false; if (have_account && _is_name_valid(account_name) && new_password && confirm && strcmp(new_password, confirm) == 0 && _verify_password(password, account_passwd)) { sqlite3* db = tf_ssb_acquire_db_writer(ssb); set = tf_ssb_db_set_account_password(tf_ssb_get_loop(ssb), db, context, account_name, new_password); tf_ssb_release_db_writer(ssb, db); if (set) { tf_free((void*)send_session); send_session = _make_session_jwt(context, ssb, account_name); } } if (!set) { login_error = "Error changing password."; } } else { if (have_account && *account_passwd && _verify_password(password, account_passwd)) { tf_free((void*)send_session); send_session = _make_session_jwt(context, ssb, account_name); may_become_first_admin = true; } else { login_error = "Invalid username or password."; } } } else { tf_free((void*)send_session); send_session = _make_session_jwt(context, ssb, "guest"); } tf_free(post_form_data); } bool have_administrator = _make_administrator_if_first(ssb, context, account_name_copy, may_become_first_admin); if (session_is_new && _form_data_get(form_data, "return") && !login_error) { const char* return_url = _form_data_get(form_data, "return"); if (return_url) { snprintf(login->location_header, sizeof(login->location_header), "%s", return_url); } else { snprintf(login->location_header, sizeof(login->location_header), "%s%s/", request->is_tls ? "https://" : "http://", tf_http_request_get_header(request, "host")); } login->set_cookie_header = _make_set_session_cookie_header(request, send_session); tf_free((void*)send_session); } else { login->name = account_name_copy; login->error = login_error; login->set_cookie_header = _make_set_session_cookie_header(request, send_session); tf_free((void*)send_session); login->session_is_new = session_is_new; login->have_administrator = have_administrator; login->settings = tf_ssb_db_get_property(ssb, "core", "settings"); if (login->settings) { JSValue settings_value = JS_ParseJSON(context, login->settings, strlen(login->settings), NULL); JSValue code_of_conduct_value = JS_GetPropertyStr(context, settings_value, "code_of_conduct"); const char* code_of_conduct = JS_ToCString(context, code_of_conduct_value); const char* result = tf_strdup(code_of_conduct); JS_FreeCString(context, code_of_conduct); JS_FreeValue(context, code_of_conduct_value); JS_FreeValue(context, settings_value); tf_free((void*)login->settings); login->settings = NULL; login->code_of_conduct = result; } login->pending++; tf_http_request_ref(request); tf_file_read(login->request->user_data, "core/auth.html", _httpd_endpoint_login_file_read_callback, login); account_name_copy = NULL; } done: tf_free((void*)session); tf_free(form_data); tf_free((void*)account_name_copy); JS_FreeValue(context, jwt); JS_FreeContext(context); JS_FreeRuntime(runtime); } static void _httpd_endpoint_login_after_work(tf_ssb_t* ssb, int status, void* user_data) { login_request_t* login = user_data; tf_http_request_t* request = login->request; if (login->pending == 1) { if (*login->location_header) { const char* headers[] = { "Location", login->location_header, "Set-Cookie", login->set_cookie_header ? login->set_cookie_header : "", }; tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0); } } tf_http_request_unref(request); _login_release(login); } static void _httpd_endpoint_login(tf_http_request_t* request) { tf_task_t* task = request->user_data; tf_http_request_ref(request); tf_ssb_t* ssb = tf_task_get_ssb(task); login_request_t* login = tf_malloc(sizeof(login_request_t)); *login = (login_request_t) { .request = request, }; login->pending++; tf_ssb_run_work(ssb, _httpd_endpoint_login_work, _httpd_endpoint_login_after_work, login); } static void _httpd_endpoint_logout(tf_http_request_t* request) { const char* k_set_cookie = request->is_tls ? "session=; path=/; Secure; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly" : "session=; path=/; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly"; const char* k_location_format = "/login%s%s"; int length = snprintf(NULL, 0, k_location_format, request->query ? "?" : "", request->query); char* location = alloca(length + 1); snprintf(location, length + 1, k_location_format, request->query ? "?" : "", request->query ? request->query : ""); const char* headers[] = { "Set-Cookie", k_set_cookie, "Location", location, }; tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0); } void tf_httpd_register(JSContext* context) { JS_NewClassID(&_httpd_class_id); JS_NewClassID(&_httpd_request_class_id); JSClassDef httpd_def = { .class_name = "Httpd", .finalizer = &_httpd_finalizer, }; if (JS_NewClass(JS_GetRuntime(context), _httpd_class_id, &httpd_def) != 0) { fprintf(stderr, "Failed to register Httpd.\n"); } JSClassDef request_def = { .class_name = "Request", .finalizer = &_httpd_request_finalizer, }; if (JS_NewClass(JS_GetRuntime(context), _httpd_request_class_id, &request_def) != 0) { fprintf(stderr, "Failed to register Request.\n"); } JSValue global = JS_GetGlobalObject(context); JSValue httpd = JS_NewObjectClass(context, _httpd_class_id); tf_task_t* task = tf_task_get(context); uv_loop_t* loop = tf_task_get_loop(task); tf_http_t* http = tf_http_create(loop); tf_http_set_trace(http, tf_task_get_trace(task)); JS_SetOpaque(httpd, http); tf_http_add_handler(http, "/", _httpd_endpoint_root, NULL, task); tf_http_add_handler(http, "/codemirror/*", _httpd_endpoint_static, NULL, task); tf_http_add_handler(http, "/lit/*", _httpd_endpoint_static, NULL, task); tf_http_add_handler(http, "/prettier/*", _httpd_endpoint_static, NULL, task); tf_http_add_handler(http, "/speedscope/*", _httpd_endpoint_static, NULL, task); tf_http_add_handler(http, "/static/*", _httpd_endpoint_static, NULL, task); tf_http_add_handler(http, "/.well-known/*", _httpd_endpoint_static, NULL, task); tf_http_add_handler(http, "/~*/*/", _httpd_endpoint_static, NULL, task); tf_http_add_handler(http, "/&*.sha256/", _httpd_endpoint_static, NULL, task); tf_http_add_handler(http, "/*/view", _httpd_endpoint_view, NULL, task); tf_http_add_handler(http, "/~*/*/delete", _httpd_endpoint_delete, NULL, task); tf_http_add_handler(http, "/robots.txt", _httpd_endpoint_robots_txt, NULL, NULL); tf_http_add_handler(http, "/debug", _httpd_endpoint_debug, NULL, task); tf_http_add_handler(http, "/disconnections", _httpd_endpoint_disconnections, NULL, task); tf_http_add_handler(http, "/hitches", _httpd_endpoint_hitches, NULL, task); tf_http_add_handler(http, "/mem", _httpd_endpoint_mem, NULL, task); tf_http_add_handler(http, "/trace", _httpd_endpoint_trace, NULL, task); tf_http_add_handler(http, "/login/logout", _httpd_endpoint_logout, NULL, task); tf_http_add_handler(http, "/login", _httpd_endpoint_login, NULL, task); JS_SetPropertyStr(context, httpd, "handlers", JS_NewObject(context)); JS_SetPropertyStr(context, httpd, "all", JS_NewCFunction(context, _httpd_endpoint_all, "all", 2)); JS_SetPropertyStr(context, httpd, "start", JS_NewCFunction(context, _httpd_endpoint_start, "start", 2)); JS_SetPropertyStr(context, httpd, "set_http_redirect", JS_NewCFunction(context, _httpd_set_http_redirect, "set_http_redirect", 1)); JS_SetPropertyStr(context, httpd, "auth_query", JS_NewCFunction(context, _httpd_auth_query, "auth_query", 1)); JS_SetPropertyStr(context, httpd, "mime_type_from_magic_bytes", JS_NewCFunction(context, _httpd_mime_type_from_magic_bytes, "mime_type_from_magic_bytes", 1)); JS_SetPropertyStr(context, httpd, "mime_type_from_extension", JS_NewCFunction(context, _httpd_mime_type_from_extension, "mime_type_from_extension", 1)); JS_SetPropertyStr(context, global, "httpd", httpd); JS_FreeValue(context, global); }