Merge pull request #45 from factorysh/features/badge-referer

athoune · web-flow · commit 55475c0c8ed0 · 2022-02-16T14:46:50.000+01:00
Badge checking for referer
diff --git a/application/application.go b/application/application.go
@@ -30,7 +30,7 @@ type Application struct {
 	Services      map[string]service.Service
 	serviceFolder string
 	Domain        string
-	GitlabDomain  string
+	GitlabURL     string
 	Router        http.Handler
 	storage       storage.Storage
 	volumes       *volumes.Volumes
@@ -103,7 +103,7 @@ func New(cfg *conf.Conf) (*Application, error) {
 		Services: svcs,
 		Domain:   cfg.OAuth.AppURL,
 		// FIXME: use dedicated variable
-		GitlabDomain:  cfg.OAuth.ProviderURL,
+		GitlabURL:     cfg.OAuth.ProviderURL,
 		serviceFolder: cfg.Services,
 		storage:       s,
 		Router:        MagicPathHandler(r),
@@ -131,22 +131,33 @@ func New(cfg *conf.Conf) (*Application, error) {
 	r.Get("/services", a.ServicesHandler)
 	r.Get("/service/{serviceID}", a.ReadmeHandler)
 	r.Route("/service/{serviceID}/{project}", func(r chi.Router) {
-		r.Use(authMiddleware.Middleware())
 		r.Use(a.ServiceMiddleware)
 		r.Route("/", func(r chi.Router) {
 			r.Route("/{branch}", func(r chi.Router) {
 				r.Route("/{commit}", func(r chi.Router) {
-					r.Post("/", a.PostTaskHandler)
-					r.Get("/", a.TaskHandler(false))
-					r.Get("/status", badge.StatusBadge(a.storage, false))
-					r.Get("/badge/{badge}", a.BadgeMyTaskHandler(false))
-					r.Get("/volumes/*", a.VolumesHandler(6, false))
+					r.Group(func(r chi.Router) {
+						r.Use(authMiddleware.Middleware())
+						r.Post("/", a.PostTaskHandler)
+						r.Get("/", a.TaskHandler(false))
+						r.Get("/volumes/*", a.VolumesHandler(6, false))
+					})
+					r.Group(func(r chi.Router) {
+						r.Use(a.RefererMiddleware)
+						r.Get("/status", badge.StatusBadge(a.storage, false))
+						r.Get("/badge/{badge}", a.BadgeMyTaskHandler(false))
+					})
 				})
 				r.Route("/latest", func(r chi.Router) {
-					r.Get("/", a.TaskHandler(true))
-					r.Get("/status", badge.StatusBadge(a.storage, true))
-					r.Get("/badge/{badge}", a.BadgeMyTaskHandler(true))
-					r.Get("/volumes/*", a.VolumesHandler(6, true))
+					r.Group(func(r chi.Router) {
+						r.Use(authMiddleware.Middleware())
+						r.Get("/", a.TaskHandler(true))
+						r.Get("/volumes/*", a.VolumesHandler(6, true))
+					})
+					r.Group(func(r chi.Router) {
+						r.Use(a.RefererMiddleware)
+						r.Get("/status", badge.StatusBadge(a.storage, true))
+						r.Get("/badge/{badge}", a.BadgeMyTaskHandler(true))
+					})
 				})
 			})
 		})
diff --git a/application/referer.go b/application/referer.go
@@ -0,0 +1,16 @@
+package application
+
+import "net/http"
+
+// RefererMiddleware ensure that requests comes from the gitlab domain
+func (a *Application) RefererMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		referer := r.Referer()
+		if referer != a.GitlabURL {
+			http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
diff --git a/application/volume.go b/application/volume.go
@@ -65,7 +65,7 @@ func (a *Application) VolumesHandler(basePathLen int, latest bool) http.HandlerF
 		if _, err := os.Stat(fullPath); os.IsNotExist(err) {
 			l.Warn("Path not found", zap.Error(err))
 
-			data, err := NewResultFromTask(t, "No result for this task", a.GitlabDomain)
+			data, err := NewResultFromTask(t, "No result for this task", a.GitlabURL)
 			if err != nil {
 				l.Error("when creating result from a task", zap.Error(err))
 				w.WriteHeader(http.StatusInternalServerError)
@@ -128,7 +128,7 @@ func (a *Application) renderResultPageForTask(t *task.Task, filePath string, w h
 		return err
 	}
 
-	data, err := NewResultFromTask(t, template.HTML(content), a.GitlabDomain)
+	data, err := NewResultFromTask(t, template.HTML(content), a.GitlabURL)
 	// create the page
 	p := html.Page{
 		Domain: a.Domain,
