// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
// SPDX-License-Identifier: Apache-2.0
package ui // import "miniflux.app/v2/internal/ui"
import (
"crypto/hmac"
"crypto/sha256"
"encoding/base64"
"errors"
"log/slog"
"net/http"
"net/url"
"time"
"miniflux.app/v2/internal/config"
"miniflux.app/v2/internal/crypto"
"miniflux.app/v2/internal/http/request"
"miniflux.app/v2/internal/http/response"
"miniflux.app/v2/internal/http/response/html"
)
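// mediaProxy fetches a remote media resource on behalf of the browser and
// streams the upstream response back to the client.
//
// The route carries three base64url-encoded parameters: the target URL, an
// HMAC-SHA256 digest of that URL computed with the media proxy private key,
// and a Referer value. Only a URL whose digest verifies is fetched; the
// Referer is not covered by the digest (see the note where it is applied).
func (h *handler) mediaProxy(w http.ResponseWriter, r *http.Request) {
	// If we receive a "If-None-Match" header, we assume the media is already stored in browser cache.
	// NOTE(review): this short-circuit runs before the digest is verified and
	// does not compare the header value with the ETag computed further down.
	if r.Header.Get("If-None-Match") != "" {
		w.WriteHeader(http.StatusNotModified)
		return
	}

	encodedDigest := request.RouteStringParam(r, "encodedDigest")
	encodedURL := request.RouteStringParam(r, "encodedURL")
	encodedReferer := request.RouteStringParam(r, "encodedReferer")
	if encodedURL == "" {
		html.BadRequest(w, r, errors.New("no URL provided"))
		return
	}

	decodedDigest, err := base64.URLEncoding.DecodeString(encodedDigest)
	if err != nil {
		html.BadRequest(w, r, errors.New("unable to decode this digest"))
		return
	}

	decodedURL, err := base64.URLEncoding.DecodeString(encodedURL)
	if err != nil {
		html.BadRequest(w, r, errors.New("unable to decode this URL"))
		return
	}

	// Authenticate the URL before doing anything else with it. hmac.Equal
	// compares in constant time, so the check does not leak how many leading
	// bytes of a guessed digest were correct.
	mac := hmac.New(sha256.New, config.Opts.MediaProxyPrivateKey())
	mac.Write(decodedURL)
	expectedMAC := mac.Sum(nil)

	if !hmac.Equal(decodedDigest, expectedMAC) {
		html.Forbidden(w, r)
		return
	}

	// Defence in depth on top of the MAC: accept only absolute http(s) URLs
	// that name a host. The short-circuit on err keeps u from being
	// dereferenced when parsing failed.
	u, err := url.Parse(string(decodedURL))
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" || !u.IsAbs() {
		html.BadRequest(w, r, errors.New("invalid URL provided"))
		return
	}

	mediaURL := string(decodedURL)
	slog.Debug("MediaProxy: Fetching remote resource",
		slog.String("media_url", mediaURL),
	)

	req, err := http.NewRequest("GET", mediaURL, nil)
	if err != nil {
		html.ServerError(w, r, err)
		return
	}

	// The Referer route parameter is NOT covered by the HMAC above, so treat
	// it as untrusted input. It is forwarded only when it is present and
	// decodes cleanly: base64 DecodeString returns a non-nil empty slice for
	// an empty string and partial output on error, so a nil check on its
	// result would always pass and send an empty or truncated Referer.
	if encodedReferer != "" {
		decodedReferer, refErr := base64.URLEncoding.DecodeString(encodedReferer)
		switch {
		case refErr != nil:
			slog.Debug("MediaProxy: Ignoring undecodable referer",
				slog.String("media_url", mediaURL),
				slog.Any("error", refErr),
			)
		case len(decodedReferer) > 0:
			req.Header.Add("Referer", string(decodedReferer))
		}
	}

	// Note: User-Agent HTTP header is omitted to avoid being blocked by bot protection mechanisms.
	req.Header.Add("Connection", "close")

	// Forward only an explicit allow-list of client headers; everything else
	// (cookies, authorization, ...) stays on this side of the proxy.
	forwardedRequestHeader := []string{"Range", "Accept", "Accept-Encoding"}
	for _, requestHeaderName := range forwardedRequestHeader {
		if value := r.Header.Get(requestHeaderName); value != "" {
			req.Header.Add(requestHeaderName, value)
		}
	}

	// NOTE(review): the client sets no CheckRedirect, so net/http follows
	// redirects with its default policy. The scheme/host validation above
	// applies to the signed URL only, not to redirect targets.
	timeout := time.Duration(config.Opts.MediaProxyHTTPClientTimeout()) * time.Second
	clt := &http.Client{
		Transport: &http.Transport{
			IdleConnTimeout: timeout,
		},
		Timeout: timeout,
	}

	resp, err := clt.Do(req)
	if err != nil {
		slog.Error("MediaProxy: Unable to initialize HTTP client",
			slog.String("media_url", mediaURL),
			slog.Any("error", err),
		)
		// Reply with a fixed status text instead of the error, which embeds the remote URL.
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}
	defer resp.Body.Close()

	if resp.StatusCode == http.StatusRequestedRangeNotSatisfiable {
		slog.Warn("MediaProxy: "+http.StatusText(http.StatusRequestedRangeNotSatisfiable),
			slog.String("media_url", mediaURL),
			slog.Int("status_code", resp.StatusCode),
		)
		html.RequestedRangeNotSatisfiable(w, r, resp.Header.Get("Content-Range"))
		return
	}

	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusPartialContent {
		slog.Warn("MediaProxy: Unexpected response status code",
			slog.String("media_url", mediaURL),
			slog.Int("status_code", resp.StatusCode),
		)
		html.NotFound(w, r)
		return
	}

	// The ETag is derived from the URL bytes, not from the fetched content.
	etag := crypto.HashFromBytes(decodedURL)

	response.New(w, r).WithCaching(etag, 72*time.Hour, func(b *response.Builder) {
		b.WithStatus(resp.StatusCode)
		// The upstream Content-Type is relayed as-is, so the body is served
		// from this origin with whatever type the remote server declared;
		// the CSP header is what constrains it in the browser.
		b.WithHeader("Content-Security-Policy", `default-src 'self'`)
		b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))

		// Relay only an allow-list of upstream response headers.
		forwardedResponseHeader := []string{"Content-Encoding", "Content-Type", "Content-Length", "Accept-Ranges", "Content-Range"}
		for _, responseHeaderName := range forwardedResponseHeader {
			if value := resp.Header.Get(responseHeaderName); value != "" {
				b.WithHeader(responseHeaderName, value)
			}
		}

		b.WithBody(resp.Body)
		b.WithoutCompression()
		b.Write()
	})
}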