miniflux/ui/proxy.go

97 lines
2.4 KiB
Go
Raw Normal View History

2017-11-20 06:10:04 +01:00
// Copyright 2017 Frédéric Guillot. All rights reserved.
// Use of this source code is governed by the Apache 2.0
// license that can be found in the LICENSE file.
2018-10-08 03:42:43 +02:00
package ui // import "miniflux.app/ui"
2017-11-20 06:10:04 +01:00
import (
2022-10-15 08:17:17 +02:00
"crypto/hmac"
"crypto/sha256"
2017-11-20 06:10:04 +01:00
"encoding/base64"
"errors"
"net/http"
2017-11-20 06:10:04 +01:00
"time"
2017-11-22 08:09:01 +01:00
"miniflux.app/config"
2018-08-25 06:51:50 +02:00
"miniflux.app/crypto"
"miniflux.app/http/request"
"miniflux.app/http/response"
"miniflux.app/http/response/html"
2019-09-22 20:17:15 +02:00
"miniflux.app/logger"
2017-11-20 06:10:04 +01:00
)
func (h *handler) imageProxy(w http.ResponseWriter, r *http.Request) {
2018-10-08 03:42:43 +02:00
// If we receive a "If-None-Match" header, we assume the image is already stored in browser cache.
if r.Header.Get("If-None-Match") != "" {
2018-10-08 03:42:43 +02:00
w.WriteHeader(http.StatusNotModified)
2017-11-22 08:09:01 +01:00
return
}
2022-10-15 08:17:17 +02:00
encodedDigest := request.RouteStringParam(r, "encodedDigest")
encodedURL := request.RouteStringParam(r, "encodedURL")
2017-11-20 06:10:04 +01:00
if encodedURL == "" {
2018-10-08 03:42:43 +02:00
html.BadRequest(w, r, errors.New("No URL provided"))
2017-11-20 06:10:04 +01:00
return
}
2022-10-15 08:17:17 +02:00
decodedDigest, err := base64.URLEncoding.DecodeString(encodedDigest)
if err != nil {
html.BadRequest(w, r, errors.New("Unable to decode this Digest"))
return
}
decodedURL, err := base64.URLEncoding.DecodeString(encodedURL)
2017-11-20 06:10:04 +01:00
if err != nil {
2018-10-08 03:42:43 +02:00
html.BadRequest(w, r, errors.New("Unable to decode this URL"))
2017-11-20 06:10:04 +01:00
return
2022-10-15 08:17:17 +02:00
}
mac := hmac.New(sha256.New, config.Opts.ProxyPrivateKey())
mac.Write(decodedURL)
expectedMAC := mac.Sum(nil)
if !hmac.Equal(decodedDigest, expectedMAC) {
html.Forbidden(w, r)
return
2017-11-20 06:10:04 +01:00
}
2019-09-22 20:17:15 +02:00
imageURL := string(decodedURL)
logger.Debug(`[Proxy] Fetching %q`, imageURL)
req, err := http.NewRequest("GET", imageURL, nil)
2017-11-20 06:10:04 +01:00
if err != nil {
2018-10-08 03:42:43 +02:00
html.ServerError(w, r, err)
2017-11-20 06:10:04 +01:00
return
}
// Note: User-Agent HTTP header is omitted to avoid being blocked by bot protection mechanisms.
req.Header.Add("Connection", "close")
2017-11-20 06:10:04 +01:00
clt := &http.Client{
Timeout: time.Duration(config.Opts.HTTPClientTimeout()) * time.Second,
}
resp, err := clt.Do(req)
if err != nil {
html.ServerError(w, r, err)
return
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
logger.Error(`[Proxy] Status Code is %d for URL %q`, resp.StatusCode, imageURL)
2018-10-08 03:42:43 +02:00
html.NotFound(w, r)
2017-11-20 06:10:04 +01:00
return
}
etag := crypto.HashFromBytes(decodedURL)
2017-11-20 06:10:04 +01:00
response.New(w, r).WithCaching(etag, 72*time.Hour, func(b *response.Builder) {
b.WithHeader("Content-Security-Policy", `default-src 'self'`)
b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))
b.WithBody(resp.Body)
2018-10-08 03:42:43 +02:00
b.WithoutCompression()
b.Write()
})
2017-11-20 06:10:04 +01:00
}