Redo File structure

src/main/config.go

@@ -0,0 +1,41 @@
+package main
+
+import (
+	"encoding/json"
+	"os"
+)
+
+type LDAPConfig struct {
+	LDAPURL           string `json:"ldap_url"`
+	BaseDN            string `json:"base_dn"`
+	BindDN            string `json:"bind_dn"`
+	BindPassword      string `json:"bind_password"`
+	Security          string `json:"security"`
+	IgnoreInvalidCert bool   `json:"ignore_invalid_cert"`
+}
+
+type StyleConfig struct {
+	FaviconPath string `json:"favicon_path"`
+	LogoPath    string `json:"logo_path"`
+}
+
+type WebserverConfig struct {
+	Port int `json:"port"`
+}
+
+type ServerConfig struct {
+	LDAPConfig      LDAPConfig      `json:"ldap_config"`
+	StyleConfig     StyleConfig     `json:"style_config"`
+	WebserverConfig WebserverConfig `json:"server_config"`
+}
+
+func loadServerConfig(path string) (*ServerConfig, error) {
+	file, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	var cfg ServerConfig
+	err = json.Unmarshal(file, &cfg)
+	return &cfg, err
+}

src/main/email.go

@@ -0,0 +1,52 @@
+package main
+
+import (
+	"log"
+	"net/smtp"
+	"strconv"
+)
+
+type EmailAccount struct {
+	auth     smtp.Auth
+	email    string
+	smtpHost string
+	smtpPort string
+}
+
+type EmailAccountData struct {
+	username string
+	password string
+	email    string
+}
+
+func createEmailAccount(accountData EmailAccountData, smtpHost string, smtpPort int) EmailAccount {
+	account := EmailAccount{
+		email:    accountData.email,
+		smtpHost: smtpHost,
+		smtpPort: strconv.Itoa(smtpPort),
+	}
+	account.auth = smtp.PlainAuth("", accountData.username, accountData.password, smtpHost)
+	return account
+}
+
+func sendEmail(account EmailAccount, toEmail []string, subject string, message string) {
+	ToEmailList := ""
+	for i := 0; i < len(toEmail); i++ {
+		ToEmailList += toEmail[i]
+		if i+1 < len(toEmail) {
+			ToEmailList += ", "
+		}
+	}
+
+	messageData := []byte(
+		"From: " + account.email + "\r\n" +
+			"To: " + ToEmailList + "\r\n" +
+			"Subject: " + subject + "\r\n" +
+			"\r\n" +
+			message,
+	)
+	err := smtp.SendMail(account.smtpHost+":"+account.smtpPort, account.auth, account.email, toEmail, messageData)
+	if err != nil {
+		log.Print(err)
+	}
+}

src/main/ldap.go

@@ -0,0 +1,119 @@
+package main
+
+import (
+	"crypto/tls"
+	"errors"
+	"log"
+
+	"github.com/go-ldap/ldap/v3"
+)
+
+type LDAPServer struct {
+	URL                string
+	StartTLS           bool
+	IgnoreInsecureCert bool
+	Connection         *ldap.Conn
+}
+
+type LDAPSearch struct {
+	Succeeded  bool
+	LDAPSearch *ldap.SearchResult
+}
+
+func connectToLDAPServer(URL string, starttls bool, ignore_cert bool) (*LDAPServer, error) {
+	l, err := ldap.DialURL(URL)
+	if err != nil {
+		return nil, err
+	}
+
+	if starttls {
+		if err := l.StartTLS(&tls.Config{InsecureSkipVerify: ignore_cert}); err != nil {
+			log.Println("StartTLS failed:", err)
+		}
+	}
+
+	return &LDAPServer{
+		Connection:         l,
+		URL:                URL,
+		StartTLS:           starttls,
+		IgnoreInsecureCert: ignore_cert,
+	}, nil
+}
+
+func reconnectToLDAPServer(server *LDAPServer) {
+	if server == nil {
+		log.Println("Cannot reconnect: server is nil")
+		return
+	}
+
+	l, err := ldap.DialURL(server.URL)
+	if err != nil {
+		log.Print(err)
+		return
+	}
+
+	if server.StartTLS {
+		if err := l.StartTLS(&tls.Config{InsecureSkipVerify: server.IgnoreInsecureCert}); err != nil {
+			log.Println("StartTLS failed:", err)
+		}
+	}
+
+	server.Connection = l
+}
+
+func connectAsLDAPUser(server *LDAPServer, bindDN, password string) error {
+	if server == nil {
+		return errors.New("LDAP server is nil")
+	}
+
+	// Reconnect if needed
+	if server.Connection == nil || server.Connection.IsClosing() {
+		reconnectToLDAPServer(server)
+	}
+	return server.Connection.Bind(bindDN, password)
+}
+
+func searchLDAPServer(server *LDAPServer, baseDN string, searchFilter string, attributes []string) LDAPSearch {
+	if server == nil {
+		return LDAPSearch{false, nil}
+	}
+
+	if server.Connection == nil {
+		reconnectToLDAPServer(server)
+		if server.Connection == nil {
+			return LDAPSearch{false, nil}
+		}
+	}
+
+	searchRequest := ldap.NewSearchRequest(
+		baseDN,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		searchFilter, attributes,
+		nil,
+	)
+
+	sr, err := server.Connection.Search(searchRequest)
+	if err != nil {
+		return LDAPSearch{false, nil}
+	}
+
+	return LDAPSearch{true, sr}
+}
+
+func modifyLDAPAttribute(server *LDAPServer, userDN string, attribute string, data []string) error {
+	modify := ldap.NewModifyRequest(userDN, nil)
+	modify.Replace(attribute, data)
+	err := server.Connection.Modify(modify)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func closeLDAPServer(server *LDAPServer) {
+	if server != nil && server.Connection != nil {
+		server.Connection.Close()
+	}
+}
+
+func ldapEscapeFilter(input string) string { return ldap.EscapeFilter(input) }

src/main/main.go

@@ -0,0 +1,348 @@
+package main
+
+import (
+	"fmt"
+	"html/template"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+)
+
+var (
+	ldapServer      *LDAPServer
+	ldapServerMutex sync.Mutex
+	serverConfig    *ServerConfig
+)
+
+type UserData struct {
+	isAuth      bool
+	Username    string
+	DisplayName string
+	Email       string
+}
+
+var (
+	photoCreatedTimestamp = make(map[string]time.Time)
+	photoCreatedMutex     sync.Mutex
+	blankPhotoData        []byte
+)
+
+func createUserPhoto(username string, photoData []byte) error {
+	os.Mkdir("./avatars", os.ModePerm)
+
+	path := fmt.Sprintf("./avatars/%s.jpeg", username)
+	cleaned := filepath.Clean(path)
+	dst, err := os.Create(cleaned)
+
+	if err != nil {
+		fmt.Printf("Not saving file\n")
+		return fmt.Errorf("Could not save file")
+	}
+	photoCreatedMutex.Lock()
+	photoCreatedTimestamp[username] = time.Now()
+	photoCreatedMutex.Unlock()
+	defer dst.Close()
+	_, err = dst.Write(photoData)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func authenticateUser(username, password string) (UserData, error) {
+	ldapServerMutex.Lock()
+	defer ldapServerMutex.Unlock()
+	if ldapServer.Connection == nil {
+		return UserData{isAuth: false}, fmt.Errorf("LDAP server not connected")
+	}
+	userDN := fmt.Sprintf("uid=%s,cn=users,cn=accounts,%s", username, serverConfig.LDAPConfig.BaseDN)
+	connected := connectAsLDAPUser(ldapServer, userDN, password)
+	if connected != nil {
+		return UserData{isAuth: false}, connected
+	}
+
+	userSearch := searchLDAPServer(
+		ldapServer,
+		serverConfig.LDAPConfig.BaseDN,
+		fmt.Sprintf("(&(objectClass=inetOrgPerson)(uid=%s))", ldapEscapeFilter(username)),
+		[]string{"displayName", "mail", "jpegphoto"},
+	)
+	if !userSearch.Succeeded {
+		return UserData{isAuth: false}, fmt.Errorf("user metadata not found")
+	}
+
+	entry := userSearch.LDAPSearch.Entries[0]
+	user := UserData{
+		isAuth:      true,
+		Username:    username,
+		DisplayName: entry.GetAttributeValue("displayName"),
+		Email:       entry.GetAttributeValue("mail"),
+	}
+
+	photoData := entry.GetRawAttributeValue("jpegphoto")
+	if len(photoData) > 0 {
+		createUserPhoto(user.Username, photoData)
+	}
+	return user, nil
+}
+
+type LoginPageData struct {
+	IsHiddenClassList string
+}
+
+func loginHandler(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	tmpl := template.Must(template.ParseFiles("src/pages/login_page.html"))
+	if r.Method == http.MethodGet {
+		tmpl.Execute(w, LoginPageData{IsHiddenClassList: "hidden"})
+		return
+	}
+
+	// 2. Logic for processing the form
+	if r.Method == http.MethodPost {
+		username := r.FormValue("username")
+		if strings.Contains(username, "/") {
+			tmpl.Execute(w, LoginPageData{IsHiddenClassList: ""})
+		}
+
+		password := r.FormValue("password")
+
+		log.Printf("New Login request for %s\n", username)
+		userData, err := authenticateUser(username, password)
+		if err != nil {
+			log.Print(err)
+			tmpl.Execute(w, LoginPageData{IsHiddenClassList: ""})
+		} else {
+			if userData.isAuth == true {
+				cookie := createSession(&userData)
+				if cookie == nil {
+					http.Error(w, "Session error", 500)
+					return
+				}
+				http.SetCookie(w, cookie)
+				http.Redirect(w, r, "/profile", http.StatusFound)
+			} else {
+				tmpl.Execute(w, LoginPageData{IsHiddenClassList: ""})
+			}
+		}
+	}
+}
+
+type ProfileData struct {
+	Username    string
+	Email       string
+	DisplayName string
+	CSRFToken   string
+}
+
+func profileHandler(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	exist, sessionData := validateSession(r)
+	if !exist {
+		http.Redirect(w, r, "/login", http.StatusSeeOther)
+		return
+	}
+
+	if r.Method == http.MethodGet {
+		tmpl := template.Must(template.ParseFiles("src/pages/profile_page.html"))
+		tmpl.Execute(w, ProfileData{
+			Username:    sessionData.data.Username,
+			Email:       sessionData.data.Email,
+			DisplayName: sessionData.data.DisplayName,
+			CSRFToken:   sessionData.CSRFToken,
+		})
+		return
+	}
+}
+
+func avatarHandler(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "image/jpeg")
+	username := r.URL.Query().Get("user")
+	if strings.Contains(username, "/") {
+		w.Write(blankPhotoData)
+		return
+	}
+
+	filePath := fmt.Sprintf("./avatars/%s.jpeg", username)
+	cleaned := filepath.Clean(filePath)
+	value, err := os.ReadFile(cleaned)
+
+	if err == nil {
+		photoCreatedMutex.Lock()
+		if time.Since(photoCreatedTimestamp[username]) <= 5*time.Minute {
+			photoCreatedMutex.Unlock()
+			w.Write(value)
+			return
+		}
+		photoCreatedMutex.Unlock()
+	}
+
+	ldapServerMutex.Lock()
+	defer ldapServerMutex.Unlock()
+	connected := connectAsLDAPUser(ldapServer, serverConfig.LDAPConfig.BindDN, serverConfig.LDAPConfig.BindPassword)
+	if connected != nil {
+		w.Write(blankPhotoData)
+		fmt.Println("Returned blank avatar because couldnt connect as user")
+		return
+	}
+
+	userSearch := searchLDAPServer(
+		ldapServer,
+		serverConfig.LDAPConfig.BaseDN,
+		fmt.Sprintf("(&(objectClass=inetOrgPerson)(uid=%s))", ldapEscapeFilter(username)),
+		[]string{"jpegphoto"},
+	)
+	if !userSearch.Succeeded || len(userSearch.LDAPSearch.Entries) == 0 {
+		w.Write(blankPhotoData)
+		fmt.Println("Returned blank avatar because we couldnt find the user")
+		return
+	}
+	entry := userSearch.LDAPSearch.Entries[0]
+	bytes := entry.GetRawAttributeValue("jpegphoto")
+	if len(bytes) == 0 {
+		fmt.Println("Returned blank avatar because we just don't have an avatar")
+		w.Write(blankPhotoData)
+		return
+	} else {
+		w.Write(bytes)
+		createUserPhoto(username, bytes)
+	}
+}
+
+func logoutHandler(w http.ResponseWriter, r *http.Request) {
+	cookie, err := r.Cookie("session_token")
+	if err != nil {
+		http.Redirect(w, r, "/login", http.StatusSeeOther)
+		return
+	}
+	token := cookie.Value
+
+	exist, sessionData := validateSession(r)
+	if exist {
+		if r.FormValue("csrf_token") != sessionData.CSRFToken {
+			http.Error(w, "Unable to log user out", http.StatusForbidden)
+			log.Printf("%s attempted to logout with invalid csrf token", sessionData.data.Username)
+			return
+		}
+	}
+
+	sessionMutex.Lock()
+	delete(sessions, token)
+	sessionMutex.Unlock()
+	http.Redirect(w, r, "/login", http.StatusSeeOther)
+}
+
+func uploadPhotoHandler(w http.ResponseWriter, r *http.Request) {
+	exist, sessionData := validateSession(r)
+	if !exist {
+		http.Redirect(w, r, "/login", http.StatusSeeOther)
+		return
+	}
+	err := r.ParseMultipartForm(10 << 20) // 10MB limit
+	if err != nil {
+		http.Error(w, "Bad request", http.StatusBadRequest)
+		return
+	}
+
+	if r.FormValue("csrf_token") != sessionData.CSRFToken {
+		http.Error(w, "CSRF Forbidden", http.StatusForbidden)
+		return
+	}
+
+	file, header, err := r.FormFile("photo")
+	if err != nil {
+		http.Error(w, "File not found", http.StatusBadRequest)
+		return
+	}
+	defer file.Close()
+	if header.Size > (10 * 1024 * 1024) {
+		http.Error(w, "File is to large (limit is 10 MB)", http.StatusBadRequest)
+		return
+	}
+
+	// 3. Read file into memory
+	data, err := io.ReadAll(file)
+	if err != nil {
+		http.Error(w, "Failed to read file", http.StatusInternalServerError)
+		return
+	}
+	userDN := fmt.Sprintf("uid=%s,cn=users,cn=accounts,%s", sessionData.data.Username, serverConfig.LDAPConfig.BaseDN)
+	ldapServerMutex.Lock()
+	defer ldapServerMutex.Unlock()
+	modifyLDAPAttribute(ldapServer, userDN, "jpegphoto", []string{string(data)})
+	createUserPhoto(sessionData.data.Username, data)
+}
+
+func faviconHandler(w http.ResponseWriter, r *http.Request) {
+	http.ServeFile(w, r, serverConfig.StyleConfig.FaviconPath)
+}
+
+func logoHandler(w http.ResponseWriter, r *http.Request) {
+	http.ServeFile(w, r, serverConfig.StyleConfig.LogoPath)
+}
+
+func cleanupSessions() {
+	sessionMutex.Lock()
+	defer sessionMutex.Unlock()
+
+	sessions_to_delete := []string{}
+	for session_token, session_data := range sessions {
+		timeUntilRemoval := time.Minute * 5
+		if session_data.loggedIn {
+			timeUntilRemoval = time.Hour
+		}
+		if time.Since(session_data.timeCreated) > timeUntilRemoval {
+			sessions_to_delete = append(sessions_to_delete, session_token)
+		}
+	}
+	for _, session_id := range sessions_to_delete {
+		delete(sessions, session_id)
+	}
+}
+
+func main() {
+	var err error = nil
+
+	blankPhotoData, err = os.ReadFile("static/blank_profile.jpg")
+	if err != nil {
+		log.Fatal("Could not load blank profile image")
+	}
+	serverConfig, err = loadServerConfig("./data/config.json")
+	if err != nil {
+		log.Fatal("Could not load server config")
+	}
+
+	ldapServerMutex.Lock()
+	server, err := connectToLDAPServer(serverConfig.LDAPConfig.LDAPURL, serverConfig.LDAPConfig.Security == "tls", serverConfig.LDAPConfig.IgnoreInvalidCert)
+	ldapServer = server
+	ldapServerMutex.Unlock()
+	if err != nil {
+		log.Fatal(err)
+		return
+	}
+	defer closeLDAPServer(ldapServer)
+
+	createWorker(time.Minute*5, cleanupSessions)
+	http.HandleFunc("/favicon.ico", faviconHandler)
+	http.HandleFunc("/logo", logoHandler)
+
+	http.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("static"))))
+	http.HandleFunc("/login", loginHandler)
+	http.HandleFunc("/profile", profileHandler)
+	http.HandleFunc("/logout", logoutHandler)
+
+	http.HandleFunc("/avatar", avatarHandler)
+	http.HandleFunc("/change-photo", uploadPhotoHandler)
+
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		http.Redirect(w, r, "/profile", http.StatusFound) // 302 redirect
+	})
+
+	serverAddress := fmt.Sprintf(":%d", serverConfig.WebserverConfig.Port)
+	log.Fatal(http.ListenAndServe(serverAddress, nil))
+}

src/main/session.go

@@ -0,0 +1,91 @@
+package main
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"log"
+	"net/http"
+	"sync"
+	"time"
+)
+
+type SessionData struct {
+	loggedIn    bool
+	data        *UserData
+	timeCreated time.Time
+	CSRFToken   string
+}
+
+var (
+	sessions     = make(map[string]SessionData)
+	sessionMutex sync.Mutex
+)
+
+func GenerateSessionToken(length int) (string, error) {
+	b := make([]byte, length)
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", err
+	}
+	token := base64.RawURLEncoding.EncodeToString(b)
+	return token, nil
+}
+
+func createSession(userData *UserData) *http.Cookie {
+	token, err := GenerateSessionToken(32) // Use crypto/rand for this
+	if err != nil {
+		log.Print(err)
+		return nil
+	}
+	CSRFToken, err := GenerateSessionToken(32)
+	if err != nil {
+		log.Print(err)
+		return nil
+	}
+
+	tokenEncoded := sha256.Sum256([]byte(token))
+	tokenEncodedString := string(tokenEncoded[:])
+
+	sessionMutex.Lock()
+	defer sessionMutex.Unlock()
+	loggedIn := false
+	if userData != nil {
+		loggedIn = true
+	}
+	sessions[tokenEncodedString] = SessionData{
+		data:        userData,
+		timeCreated: time.Now(),
+		CSRFToken:   CSRFToken,
+		loggedIn:    loggedIn,
+	}
+	cookie := &http.Cookie{
+		Name:     "session_token",
+		Value:    token,
+		Path:     "/",
+		HttpOnly: true, // Essential: prevents JS access
+		Secure:   true, // Set to TRUE in production (HTTPS)
+		SameSite: http.SameSiteLaxMode,
+		MaxAge:   3600, // 1 hour
+	}
+	return cookie
+}
+
+func validateSession(r *http.Request) (bool, *SessionData) {
+	cookie, err := r.Cookie("session_token")
+	if err != nil {
+		return false, &SessionData{}
+	}
+	token := cookie.Value
+
+	tokenEncoded := sha256.Sum256([]byte(token))
+	tokenEncodedString := string(tokenEncoded[:])
+
+	sessionMutex.Lock()
+	sessionData, exists := sessions[tokenEncodedString]
+	sessionMutex.Unlock()
+	if !exists || !sessionData.loggedIn {
+		return false, &SessionData{}
+	}
+	return true, &sessionData
+}

src/main/worker.go

@@ -0,0 +1,16 @@
+package main
+
+import (
+	"time"
+)
+
+func createWorker(interval time.Duration, task func()) {
+	go func() {
+		ticker := time.NewTicker(interval)
+		defer ticker.Stop()
+
+		for range ticker.C {
+			task()
+		}
+	}()
+}