package main import ( "crypto/md5" "crypto/subtle" "encoding/json" "fmt" "io" "io/ioutil" "log" "net/http" "os" "path" "strings" "time" ) type AdminApi struct { mux *http.ServeMux } func NewAdminApi() (a *AdminApi) { a = &AdminApi{} a.mux = http.NewServeMux() a.mux.HandleFunc("/", a.adminHandler) a.mux.HandleFunc("/delete", a.deleteVideo) a.mux.HandleFunc("/upload", a.uploadVideo) a.mux.HandleFunc("/rename", a.renameVideo) return a } func (a *AdminApi) ServeHTTP(w http.ResponseWriter, r *http.Request) { if a.checkAuth(w, r) { a.mux.ServeHTTP(w, r) } } func (a *AdminApi) checkAuth(w http.ResponseWriter, r *http.Request) (success bool) { success = false user, password, ok := r.BasicAuth() if subtle.ConstantTimeCompare([]byte(user), []byte(config.AdminUser)) == 1 && subtle.ConstantTimeCompare([]byte(password), []byte(config.AdminPassword)) == 1 { success = true } if !success { if ok { time.Sleep(3 * time.Second) } w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=\"%s\"", config.ApplicationName)) http.Error(w, "Unauthorized", http.StatusUnauthorized) } return success } func (a *AdminApi) adminHandler(w http.ResponseWriter, r *http.Request) { var v struct { ApplicationName string Videos []Video } v.ApplicationName = config.ApplicationName dataDir := path.Join(config.DataDirectory, "video") dir, err := os.ReadDir(dataDir) if err != nil { log.Printf("admin: can't read data directory: %s", err.Error()) http.Error(w, "Internal server error", http.StatusInternalServerError) return } for _, entry := range dir { if entry.Type().IsRegular() && strings.HasSuffix(entry.Name(), ".json") && entry.Name() != "index.json" { video, err := readVideoInfo(path.Join(dataDir, entry.Name())) if err != nil { log.Printf("admin: can't read video info: %s", err.Error()) continue } v.Videos = append(v.Videos, video) } } err = executeTemplate(w, "admin.html", &v) if err != nil { log.Printf("Can't execute template \"admin.html\": %s", err.Error()) return } } func (a *AdminApi) deleteVideo(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodPost { http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed) return } err := r.ParseForm() referer := r.Header.Get("Referer") if err != nil { log.Printf("can't parse form: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } ID := r.Form.Get("fileid") ID = path.Clean(path.Base(ID)) rawInfo, err := ioutil.ReadFile(path.Join(config.DataDirectory, "video", ID+".json")) if err != nil { log.Printf("can't read info: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } var info Video err = json.Unmarshal(rawInfo, &info) if err != nil { log.Printf("can't read info: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } err = os.Remove(path.Join(config.DataDirectory, "video", info.Name)) if err != nil { log.Printf("can't remove video: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } err = os.Remove(path.Join(config.DataDirectory, "video", ID+".json")) if err != nil { log.Printf("can't remove info: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } http.Redirect(w, r, referer, http.StatusMovedPermanently) } func (a *AdminApi) uploadVideo(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodPost { http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed) return } err := r.ParseForm() if err != nil { log.Printf("can't parse form: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } referer := r.Header.Get("Referer") reader, err := r.MultipartReader() if err != nil { log.Printf("can't read multipart: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } for { header, err := reader.NextPart() if err == io.EOF { break } defer header.Close() if header.FormName() != "file" { break } filename := header.FileName() if len(filename) == 0 { http.Error(w, "Filename are empty", http.StatusBadRequest) return } tempFile, err := ioutil.TempFile(path.Join(config.DataDirectory, "tmp"), "upload-") if err != nil { log.Printf("can't create temp file: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } defer tempFile.Close() hashbucket := md5.New() fileWriter := io.MultiWriter(tempFile, hashbucket) written, err := io.Copy(fileWriter, header) if err != nil { log.Printf("can't write temp file: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } tmpName := path.Base(tempFile.Name()) err = tempFile.Close() if err != nil { log.Printf("can't close file: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } var video Video video.DisplayName = path.Base(path.Clean(filename)) video.ID = fmt.Sprintf("%x", hashbucket.Sum(nil)) video.Name = fmt.Sprintf("%s%s", video.ID, path.Ext(filename)) video.Size = written err = os.Rename(path.Join(config.DataDirectory, "tmp", tmpName), path.Join(config.DataDirectory, "video", video.Name)) if err != nil { log.Printf("can't rename file: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } infoRaw, err := json.Marshal(&video) if err != nil { log.Printf("can't marshal info: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } err = ioutil.WriteFile(path.Join(config.DataDirectory, "video", video.ID+".json"), infoRaw, os.ModePerm) if err != nil { log.Printf("can't write info: %s", err.Error()) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } } http.Redirect(w, r, referer, http.StatusMovedPermanently) } func (a *AdminApi) renameVideo(w http.ResponseWriter, r *http.Request) {}