Ailur-Archives
/
CTAMail
Archived
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2024-08-25. You can view files and clone it, but cannot push or open issues or pull requests.
CTAMail/main.go

373 lines
12 KiB
Go
Raw Permalink Blame History

package main
import (
"bytes"
"crypto/rand"
"database/sql"
"encoding/base64"
"errors"
"log"
"net/http"
"regexp"
"strconv"
"strings"
"time"
"centrifuge.hectabit.org/HectaBit/captcha"
"github.com/gin-contrib/sessions"
"github.com/gin-contrib/sessions/cookie"
"github.com/gin-gonic/gin"
_ "github.com/mattn/go-sqlite3"
"github.com/spf13/viper"
"golang.org/x/crypto/bcrypt"
)
const saltChars = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZ23456789"
var (
dbLocation = "/var/lib/maddy/credentials.db"
conn *sql.DB
)
func genSalt(length int) (string, error) {
if length <= 0 {
return "", errors.New("salt length must be greater than 0")
}
salt := make([]byte, length)
randomBytes := make([]byte, length)
_, err := rand.Read(randomBytes)
if err != nil {
return "", err
}
for i := range salt {
salt[i] = saltChars[int(randomBytes[i])%len(saltChars)]
}
return string(salt), nil
}
func computeBcrypt(cost int, pass string) (string, error) {
hash, err := bcrypt.GenerateFromPassword([]byte(pass), cost)
if err != nil {
return "", err
}
return "bcrypt:" + string(hash), nil
}
func verifyBcrypt(hash, pass string) error {
return bcrypt.CompareHashAndPassword([]byte(strings.TrimPrefix(hash, "bcrypt:")), []byte(pass))
}
func main() {
viper.SetConfigName("config")
viper.AddConfigPath("./")
viper.AutomaticEnv()
if err := viper.ReadInConfig(); err != nil {
log.Fatalln("[FATAL] Error in config file at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
}
secretKey := viper.GetString("Config.secretkey")
port := viper.GetString("Config.port")
host := viper.GetString("Config.host")
dbLocation = viper.GetString("Config.dblocation")
var err error
conn, err = sql.Open("sqlite3", dbLocation)
if err != nil {
log.Fatalln("[FATAL] Failed to open database at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
}
defer func(conn *sql.DB) {
err := conn.Close()
if err != nil {
log.Fatalln("[FATAL] Failed to defer database connection in main() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
}
}(conn)
if secretKey == "supersecretkey" {
log.Println("[WARNING] Secret key not set. Please set the secret key to a non-default value.")
}
gin.SetMode(gin.ReleaseMode)
router := gin.New()
router.LoadHTMLGlob("templates/*")
router.Static("/static", "./static")
store := cookie.NewStore([]byte(secretKey))
router.Use(sessions.Sessions("currentSession", store))
// Enable CORS
router.Use(func(c *gin.Context) {
c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
c.Writer.Header().Set("Access-Control-Allow-Headers", "*")
c.Writer.Header().Set("Access-Control-Allow-Methods", "*")
// Handle preflight requests
if c.Request.Method == "OPTIONS" {
c.AbortWithStatus(200)
return
}
c.Next()
})
router.GET("/signup", func(c *gin.Context) {
session := sessions.Default(c)
sessionId, err := genSalt(512)
if err != nil {
log.Println("[ERROR] Failed to generate session ID at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/ctamail and refer to the docs for more info. Your error code is: UNKNOWN-SIGNUP-SESSIONIDGEN")
return
}
session.Options(sessions.Options{
SameSite: 3,
})
data, err := captcha.New(500, 100)
if err != nil {
log.Println("[ERROR] Failed to generate captcha at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/ctamail and refer to the docs for more info. Your error code is: UNKNOWN-SIGNUP-CAPTCHAGEN")
return
}
session.Set("captcha", data.Text)
session.Set("id", sessionId)
err = session.Save()
if err != nil {
log.Println("[ERROR] Failed to save session in /login at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/ctamail and refer to the docs for more info. Your error code is: UNKNOWN-SIGNUP-SESSIONSAVE")
return
}
var b64bytes bytes.Buffer
err = data.WriteImage(&b64bytes)
if err != nil {
log.Println("[ERROR] Failed to encode captcha at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/ctamail and refer to the docs for more info. Your error code is: UNKNOWN-SIGNUP-CAPTCHAENCODE")
return
}
c.HTML(200, "signup.html", gin.H{
"captcha_image": base64.StdEncoding.EncodeToString(b64bytes.Bytes()),
"unique_token": sessionId,
})
})
router.GET("/account", func(c *gin.Context) {
loggedIn, err := c.Cookie("loggedin")
if errors.Is(err, http.ErrNoCookie) || loggedIn != "true" {
c.HTML(200, "login.html", gin.H{})
return
} else {
c.HTML(200, "dashboard.html", gin.H{})
}
})
router.POST("/api/signup", func(c *gin.Context) {
var data map[string]interface{}
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
session := sessions.Default(c)
if data["unique_token"].(string) != session.Get("id") {
c.HTML(403, "badtoken.html", gin.H{})
return
}
if data["captcha"].(string) != session.Get("captcha") {
c.HTML(400, "badcaptcha.html", gin.H{})
return
}
if !regexp.MustCompile(`^[a-zA-Z0-9.]+$`).MatchString(data["username"].(string)) {
c.String(402, "Invalid username")
return
}
session.Delete("captcha")
session.Delete("id")
err = session.Save()
if err != nil {
log.Println("[ERROR] Failed to save session in /api/signup at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/ctamail and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SESSIONSAVE")
return
}
hashedPassword, err := computeBcrypt(10, data["password"].(string))
if err != nil {
log.Println("[ERROR] Failed to hash password in /api/signup at", time.Now().Unix(), err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/ctamail and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-PASSHASH")
return
}
_, err = conn.Exec("INSERT INTO passwords (key, value) VALUES (?, ?)", data["username"].(string), hashedPassword)
if err != nil {
c.String(501, "Username taken")
return
}
c.String(200, "Success")
})
router.POST("/api/login", func(c *gin.Context) {
var data map[string]interface{}
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
var rows string
err = conn.QueryRow("SELECT value FROM passwords WHERE key = ?", data["username"].(string)).Scan(&rows)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
c.String(401, "Invalid username")
return
} else {
log.Println("[ERROR] Failed to query database in /api/login at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/ctamail and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-DBQUERY")
return
}
}
err = verifyBcrypt(rows, data["password"].(string))
if err != nil {
c.String(403, "Password is incorrect")
return
}
c.JSON(200, gin.H{"password": rows})
})
router.POST("/api/deleteacct", func(c *gin.Context) {
var data map[string]interface{}
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
result, err := conn.Exec("DELETE FROM passwords WHERE key = ? AND value = ?", data["username"].(string), data["password"].(string))
if err != nil {
log.Println("[ERROR] Failed to query database in /api/deleteacct at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/ctamail and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEACCT-DBQUERY")
} else {
rowsAffected, err := result.RowsAffected()
if err != nil {
log.Println("[ERROR] Failed to get rows affected in /api/deleteacct at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/ctamail and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEACCT-ROWSAFFECTED")
} else {
if rowsAffected == int64(0) {
c.String(401, "Invalid username or password")
} else {
c.String(200, "Success")
}
}
}
})
router.POST("/api/changepass", func(c *gin.Context) {
var data map[string]interface{}
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
newHash, err := computeBcrypt(10, data["newpass"].(string))
if err != nil {
log.Println("[ERROR] Failed to hash password in /api/changepass at", time.Now().Unix(), err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/ctamail and refer to the docs for more info. Your error code is: UNKNOWN-API-CHANGEPASS-PASSHASH")
return
}
result, err := conn.Exec("UPDATE passwords SET value = ? WHERE key = ? AND value = ?", newHash, data["username"].(string), data["password"].(string))
if err != nil {
log.Println("[ERROR] Failed to query database in /api/changepass at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/ctamail and refer to the docs for more info. Your error code is: UNKNOWN-API-CHANGEPASS-DBQUERY")
} else {
rowsAffected, err := result.RowsAffected()
if err != nil {
log.Println("[ERROR] Failed to get rows affected in /api/changepass at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/ctamail and refer to the docs for more info. Your error code is: UNKNOWN-API-CHANGEPASS-ROWSAFFECTED")
} else {
if rowsAffected == int64(0) {
c.String(401, "Invalid username or password")
} else {
c.JSON(200, gin.H{"password": newHash})
}
}
}
})
router.GET("/account/logout", func(c *gin.Context) {
c.HTML(200, "logout.html", gin.H{})
})
router.GET("/account/deleteacct", func(c *gin.Context) {
c.HTML(200, "deleteacct.html", gin.H{})
})
router.GET("/account/changepass", func(c *gin.Context) {
c.HTML(200, "changepass.html", gin.H{})
})
router.GET("/usererror", func(c *gin.Context) {
c.HTML(200, "usererror.html", gin.H{})
})
router.GET("/accounterror", func(c *gin.Context) {
c.HTML(200, "accounterror.html", gin.H{})
})
router.GET("/badcaptcha", func(c *gin.Context) {
c.HTML(200, "badcaptcha.html", gin.H{})
})
router.GET("/signuperror", func(c *gin.Context) {
c.HTML(200, "signuperror.html", gin.H{})
})
router.GET("/loginerror", func(c *gin.Context) {
c.HTML(200, "loginerror.html", gin.H{})
})
router.GET("/invalidtoken", func(c *gin.Context) {
c.HTML(200, "invalidtoken.html", gin.H{})
})
router.GET("/invaliduser", func(c *gin.Context) {
c.HTML(200, "invaliduser.html", gin.H{})
})
router.GET("/badpassword", func(c *gin.Context) {
c.HTML(200, "badpassword.html", gin.H{})
})
router.GET("/baduser", func(c *gin.Context) {
c.HTML(200, "baduser.html", gin.H{})
})
router.GET("/success", func(c *gin.Context) {
c.HTML(200, "success.html", gin.H{})
})
router.GET("/taken", func(c *gin.Context) {
c.HTML(200, "taken.html", gin.H{})
})
router.GET("/", func(c *gin.Context) {
c.HTML(200, "index.html", gin.H{})
})
router.GET("/cta", func(c *gin.Context) {
c.HTML(200, "cta.html", gin.H{})
})
log.Println("[INFO] Server started at", time.Now().Unix())
log.Println("[INFO] Welcome to CTAMail! Today we are running on IP " + host + " on port " + port + ".")
err = router.Run(host + ":" + port)
if err != nil {
log.Fatalln("[FATAL] Server failed begin operations at", time.Now().Unix(), err)
}
}
Reference in New Issue View Git Blame Copy Permalink