dendrite/common/httpapi.go

package common

import (
	"net/http"
	"time"

	"github.com/matrix-org/dendrite/clientapi/auth"
	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
	"github.com/matrix-org/gomatrixserverlib"
	"github.com/matrix-org/util"
	opentracing "github.com/opentracing/opentracing-go"
	"github.com/opentracing/opentracing-go/ext"
	"github.com/prometheus/client_golang/prometheus"
	"github.com/prometheus/client_golang/prometheus/promauto"
	"github.com/prometheus/client_golang/prometheus/promhttp"
)

// MakeAuthAPI turns a util.JSONRequestHandler function into an http.Handler which authenticates the request.
func MakeAuthAPI(
	metricsName string, data auth.Data,
	f func(*http.Request, *authtypes.Device) util.JSONResponse,
) http.Handler {
	h := func(req *http.Request) util.JSONResponse {
		device, err := auth.VerifyUserFromRequest(req, data)
		if err != nil {
			return *err
		}
		// add the user ID to the logger
		logger := util.GetLogger((req.Context()))
		logger = logger.WithField("user_id", device.UserID)
		req = req.WithContext(util.ContextWithLogger(req.Context(), logger))

		return f(req, device)
	}
	return MakeExternalAPI(metricsName, h)
}

// MakeExternalAPI turns a util.JSONRequestHandler function into an http.Handler.
// This is used for APIs that are called from the internet.
func MakeExternalAPI(metricsName string, f func(*http.Request) util.JSONResponse) http.Handler {
	h := util.MakeJSONAPI(util.NewJSONRequestHandler(f))
	withSpan := func(w http.ResponseWriter, req *http.Request) {
		span := opentracing.StartSpan(metricsName)
		defer span.Finish()
		req = req.WithContext(opentracing.ContextWithSpan(req.Context(), span))
		h.ServeHTTP(w, req)
	}

	return http.HandlerFunc(withSpan)
}

// MakeHTMLAPI adds Span metrics to the HTML Handler function
// This is used to serve HTML alongside JSON error messages
func MakeHTMLAPI(metricsName string, f func(http.ResponseWriter, *http.Request) *util.JSONResponse) http.Handler {
	withSpan := func(w http.ResponseWriter, req *http.Request) {
		span := opentracing.StartSpan(metricsName)
		defer span.Finish()
		req = req.WithContext(opentracing.ContextWithSpan(req.Context(), span))
		if err := f(w, req); err != nil {
			h := util.MakeJSONAPI(util.NewJSONRequestHandler(func(req *http.Request) util.JSONResponse {
				return *err
			}))
			h.ServeHTTP(w, req)
		}
	}

	return promhttp.InstrumentHandlerCounter(
		promauto.NewCounterVec(
			prometheus.CounterOpts{
				Name: metricsName,
				Help: "Total number of http requests for HTML resources",
			},
			[]string{"code"},
		),
		http.HandlerFunc(withSpan),
	)
}

// MakeInternalAPI turns a util.JSONRequestHandler function into an http.Handler.
// This is used for APIs that are internal to dendrite.
// If we are passed a tracing context in the request headers then we use that
// as the parent of any tracing spans we create.
func MakeInternalAPI(metricsName string, f func(*http.Request) util.JSONResponse) http.Handler {
	h := util.MakeJSONAPI(util.NewJSONRequestHandler(f))
	withSpan := func(w http.ResponseWriter, req *http.Request) {
		carrier := opentracing.HTTPHeadersCarrier(req.Header)
		tracer := opentracing.GlobalTracer()
		clientContext, err := tracer.Extract(opentracing.HTTPHeaders, carrier)
		var span opentracing.Span
		if err == nil {
			// Default to a span without RPC context.
			span = tracer.StartSpan(metricsName)
		} else {
			// Set the RPC context.
			span = tracer.StartSpan(metricsName, ext.RPCServerOption(clientContext))
		}
		defer span.Finish()
		req = req.WithContext(opentracing.ContextWithSpan(req.Context(), span))
		h.ServeHTTP(w, req)
	}

	return http.HandlerFunc(withSpan)
}

// MakeFedAPI makes an http.Handler that checks matrix federation authentication.
func MakeFedAPI(
	metricsName string,
	serverName gomatrixserverlib.ServerName,
	keyRing gomatrixserverlib.KeyRing,
	f func(*http.Request, *gomatrixserverlib.FederationRequest) util.JSONResponse,
) http.Handler {
	h := func(req *http.Request) util.JSONResponse {
		fedReq, errResp := gomatrixserverlib.VerifyHTTPRequest(
			req, time.Now(), serverName, keyRing,
		)
		if fedReq == nil {
			return errResp
		}
		return f(req, fedReq)
	}
	return MakeExternalAPI(metricsName, h)
}

// SetupHTTPAPI registers an HTTP API mux under /api and sets up a metrics
// listener.
func SetupHTTPAPI(servMux *http.ServeMux, apiMux http.Handler) {
	servMux.Handle("/metrics", promhttp.Handler())
	servMux.Handle("/api/", http.StripPrefix("/api", apiMux))
}

// WrapHandlerInCORS adds CORS headers to all responses, including all error
// responses.
// Handles OPTIONS requests directly.
func WrapHandlerInCORS(h http.Handler) http.HandlerFunc {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
		w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")

		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			// Its easiest just to always return a 200 OK for everything. Whether
			// this is technically correct or not is a question, but in the end this
			// is what a lot of other people do (including synapse) and the clients
			// are perfectly happy with it.
			w.WriteHeader(http.StatusOK)
		} else {
			h.ServeHTTP(w, r)
		}
	})
}
Glue together devices and auth with the current HTTP code (#117) - Renamed `clientapi/auth/types` to `clientapi/auth/authtypes` for the same horrible namespace clashing reasons as `storage`. - Factored out `makeAPI` to `common`. - Added in `makeAuthAPI`. 2017-05-23 18:43:05 +02:00			`package common`

			`import (`
Factor out runTransaction to common code (#162) 2017-07-17 18:20:57 +02:00			`"net/http"`
Add function for making authed federation APIs (#208) 2017-09-04 14:14:01 +02:00			`"time"`
Factor out runTransaction to common code (#162) 2017-07-17 18:20:57 +02:00
Glue together devices and auth with the current HTTP code (#117) - Renamed `clientapi/auth/types` to `clientapi/auth/authtypes` for the same horrible namespace clashing reasons as `storage`. - Factored out `makeAPI` to `common`. - Added in `makeAuthAPI`. 2017-05-23 18:43:05 +02:00			`"github.com/matrix-org/dendrite/clientapi/auth"`
			`"github.com/matrix-org/dendrite/clientapi/auth/authtypes"`
Add function for making authed federation APIs (#208) 2017-09-04 14:14:01 +02:00			`"github.com/matrix-org/gomatrixserverlib"`
Glue together devices and auth with the current HTTP code (#117) - Renamed `clientapi/auth/types` to `clientapi/auth/authtypes` for the same horrible namespace clashing reasons as `storage`. - Factored out `makeAPI` to `common`. - Added in `makeAuthAPI`. 2017-05-23 18:43:05 +02:00			`"github.com/matrix-org/util"`
Add opentracing Spans to the HTTP APIs (#270) * Add opentracing Spans to the HTTP APIs * Add opentracing spans to the HTTP RPC clients * Set the span in the request context * More docstring 2017-09-28 15:50:40 +02:00			`opentracing "github.com/opentracing/opentracing-go"`
			`"github.com/opentracing/opentracing-go/ext"`
Add auth fallback endpoint (#405) Also adds support for the recaptcha auth type. 2019-08-14 19:34:49 +02:00			`"github.com/prometheus/client_golang/prometheus"`
Replace deprecated prometheus.InstrumentHandler and unsafe time.Ticker 2019-12-17 17:47:45 +01:00			`"github.com/prometheus/client_golang/prometheus/promauto"`
Update Prometheus metrics tracking (#459) Signed-off-by: Andrew Morgan <andrewm@matrix.org> 2018-05-23 16:42:08 +02:00			`"github.com/prometheus/client_golang/prometheus/promhttp"`
Glue together devices and auth with the current HTTP code (#117) - Renamed `clientapi/auth/types` to `clientapi/auth/authtypes` for the same horrible namespace clashing reasons as `storage`. - Factored out `makeAPI` to `common`. - Added in `makeAuthAPI`. 2017-05-23 18:43:05 +02:00			`)`

Add AS support to common.MakeAuthAPI (#427) * Add AS support to MakeAuthAPI Make clientapi utilize the same Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Add user parameter support to MakeAuthAPI * Make VerifyAccessToken private, let VerifyUserFromRequest return the device if present * Make a dummy device for AS users * Refactor arguments into auth.Data * Update routing of all components * Update code comment * Use const AppServiceDeviceID * Handle cases when AS is not masquerading 2018-07-17 00:17:03 +02:00			`// MakeAuthAPI turns a util.JSONRequestHandler function into an http.Handler which authenticates the request.`
			`func MakeAuthAPI(`
			`metricsName string, data auth.Data,`
			`f func(http.Request, authtypes.Device) util.JSONResponse,`
			`) http.Handler {`
Add function for making authed federation APIs (#208) 2017-09-04 14:14:01 +02:00			`h := func(req *http.Request) util.JSONResponse {`
Add AS support to common.MakeAuthAPI (#427) * Add AS support to MakeAuthAPI Make clientapi utilize the same Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Add user parameter support to MakeAuthAPI * Make VerifyAccessToken private, let VerifyUserFromRequest return the device if present * Make a dummy device for AS users * Refactor arguments into auth.Data * Update routing of all components * Update code comment * Use const AppServiceDeviceID * Handle cases when AS is not masquerading 2018-07-17 00:17:03 +02:00			`device, err := auth.VerifyUserFromRequest(req, data)`
			`if err != nil {`
			`return *err`
Glue together devices and auth with the current HTTP code (#117) - Renamed `clientapi/auth/types` to `clientapi/auth/authtypes` for the same horrible namespace clashing reasons as `storage`. - Factored out `makeAPI` to `common`. - Added in `makeAuthAPI`. 2017-05-23 18:43:05 +02:00			`}`
Improve logging when sending events (#883) We have some failing sytests on sqlite but it's very difficult to debug due to lack of useful logging. This adds a log line for when a new event is sent (incl. logging the event ID) as well as adding a user_id field for all contextual logs so we know who initiated certain actions. 2020-03-09 15:37:51 +01:00			`// add the user ID to the logger`
			`logger := util.GetLogger((req.Context()))`
			`logger = logger.WithField("user_id", device.UserID)`
			`req = req.WithContext(util.ContextWithLogger(req.Context(), logger))`
Add AS support to common.MakeAuthAPI (#427) * Add AS support to MakeAuthAPI Make clientapi utilize the same Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Add user parameter support to MakeAuthAPI * Make VerifyAccessToken private, let VerifyUserFromRequest return the device if present * Make a dummy device for AS users * Refactor arguments into auth.Data * Update routing of all components * Update code comment * Use const AppServiceDeviceID * Handle cases when AS is not masquerading 2018-07-17 00:17:03 +02:00
Glue together devices and auth with the current HTTP code (#117) - Renamed `clientapi/auth/types` to `clientapi/auth/authtypes` for the same horrible namespace clashing reasons as `storage`. - Factored out `makeAPI` to `common`. - Added in `makeAuthAPI`. 2017-05-23 18:43:05 +02:00			`return f(req, device)`
Add function for making authed federation APIs (#208) 2017-09-04 14:14:01 +02:00			`}`
Add opentracing Spans to the HTTP APIs (#270) * Add opentracing Spans to the HTTP APIs * Add opentracing spans to the HTTP RPC clients * Set the span in the request context * More docstring 2017-09-28 15:50:40 +02:00			`return MakeExternalAPI(metricsName, h)`
Glue together devices and auth with the current HTTP code (#117) - Renamed `clientapi/auth/types` to `clientapi/auth/authtypes` for the same horrible namespace clashing reasons as `storage`. - Factored out `makeAPI` to `common`. - Added in `makeAuthAPI`. 2017-05-23 18:43:05 +02:00			`}`

Add opentracing Spans to the HTTP APIs (#270) * Add opentracing Spans to the HTTP APIs * Add opentracing spans to the HTTP RPC clients * Set the span in the request context * More docstring 2017-09-28 15:50:40 +02:00			`// MakeExternalAPI turns a util.JSONRequestHandler function into an http.Handler.`
			`// This is used for APIs that are called from the internet.`
			`func MakeExternalAPI(metricsName string, f func(*http.Request) util.JSONResponse) http.Handler {`
			`h := util.MakeJSONAPI(util.NewJSONRequestHandler(f))`
			`withSpan := func(w http.ResponseWriter, req *http.Request) {`
			`span := opentracing.StartSpan(metricsName)`
			`defer span.Finish()`
			`req = req.WithContext(opentracing.ContextWithSpan(req.Context(), span))`
			`h.ServeHTTP(w, req)`
			`}`

Update Prometheus metrics tracking (#459) Signed-off-by: Andrew Morgan <andrewm@matrix.org> 2018-05-23 16:42:08 +02:00			`return http.HandlerFunc(withSpan)`
Add opentracing Spans to the HTTP APIs (#270) * Add opentracing Spans to the HTTP APIs * Add opentracing spans to the HTTP RPC clients * Set the span in the request context * More docstring 2017-09-28 15:50:40 +02:00			`}`

Add auth fallback endpoint (#405) Also adds support for the recaptcha auth type. 2019-08-14 19:34:49 +02:00			`// MakeHTMLAPI adds Span metrics to the HTML Handler function`
			`// This is used to serve HTML alongside JSON error messages`
			`func MakeHTMLAPI(metricsName string, f func(http.ResponseWriter, http.Request) util.JSONResponse) http.Handler {`
			`withSpan := func(w http.ResponseWriter, req *http.Request) {`
			`span := opentracing.StartSpan(metricsName)`
			`defer span.Finish()`
			`req = req.WithContext(opentracing.ContextWithSpan(req.Context(), span))`
			`if err := f(w, req); err != nil {`
			`h := util.MakeJSONAPI(util.NewJSONRequestHandler(func(req *http.Request) util.JSONResponse {`
			`return *err`
			`}))`
			`h.ServeHTTP(w, req)`
			`}`
			`}`

Replace deprecated prometheus.InstrumentHandler and unsafe time.Ticker 2019-12-17 17:47:45 +01:00			`return promhttp.InstrumentHandlerCounter(`
			`promauto.NewCounterVec(`
			`prometheus.CounterOpts{`
			`Name: metricsName,`
			`Help: "Total number of http requests for HTML resources",`
			`},`
			`[]string{"code"},`
			`),`
			`http.HandlerFunc(withSpan),`
			`)`
Add auth fallback endpoint (#405) Also adds support for the recaptcha auth type. 2019-08-14 19:34:49 +02:00			`}`

Add opentracing Spans to the HTTP APIs (#270) * Add opentracing Spans to the HTTP APIs * Add opentracing spans to the HTTP RPC clients * Set the span in the request context * More docstring 2017-09-28 15:50:40 +02:00			`// MakeInternalAPI turns a util.JSONRequestHandler function into an http.Handler.`
			`// This is used for APIs that are internal to dendrite.`
			`// If we are passed a tracing context in the request headers then we use that`
			`// as the parent of any tracing spans we create.`
			`func MakeInternalAPI(metricsName string, f func(*http.Request) util.JSONResponse) http.Handler {`
			`h := util.MakeJSONAPI(util.NewJSONRequestHandler(f))`
			`withSpan := func(w http.ResponseWriter, req *http.Request) {`
			`carrier := opentracing.HTTPHeadersCarrier(req.Header)`
			`tracer := opentracing.GlobalTracer()`
			`clientContext, err := tracer.Extract(opentracing.HTTPHeaders, carrier)`
			`var span opentracing.Span`
			`if err == nil {`
			`// Default to a span without RPC context.`
			`span = tracer.StartSpan(metricsName)`
			`} else {`
			`// Set the RPC context.`
			`span = tracer.StartSpan(metricsName, ext.RPCServerOption(clientContext))`
			`}`
			`defer span.Finish()`
			`req = req.WithContext(opentracing.ContextWithSpan(req.Context(), span))`
			`h.ServeHTTP(w, req)`
			`}`

Update Prometheus metrics tracking (#459) Signed-off-by: Andrew Morgan <andrewm@matrix.org> 2018-05-23 16:42:08 +02:00			`return http.HandlerFunc(withSpan)`
Glue together devices and auth with the current HTTP code (#117) - Renamed `clientapi/auth/types` to `clientapi/auth/authtypes` for the same horrible namespace clashing reasons as `storage`. - Factored out `makeAPI` to `common`. - Added in `makeAuthAPI`. 2017-05-23 18:43:05 +02:00			`}`
Move setting up the api mux to outside the routing.Setup functions. (#173) This makes it possible to setup all the component APIs on a single http listener which is necessary if we want to combine all the components into a single monolith. 2017-08-03 16:10:39 +02:00
Add function for making authed federation APIs (#208) 2017-09-04 14:14:01 +02:00			`// MakeFedAPI makes an http.Handler that checks matrix federation authentication.`
			`func MakeFedAPI(`
			`metricsName string,`
			`serverName gomatrixserverlib.ServerName,`
			`keyRing gomatrixserverlib.KeyRing,`
			`f func(http.Request, gomatrixserverlib.FederationRequest) util.JSONResponse,`
			`) http.Handler {`
			`h := func(req *http.Request) util.JSONResponse {`
			`fedReq, errResp := gomatrixserverlib.VerifyHTTPRequest(`
			`req, time.Now(), serverName, keyRing,`
			`)`
			`if fedReq == nil {`
			`return errResp`
			`}`
			`return f(req, fedReq)`
			`}`
Add opentracing Spans to the HTTP APIs (#270) * Add opentracing Spans to the HTTP APIs * Add opentracing spans to the HTTP RPC clients * Set the span in the request context * More docstring 2017-09-28 15:50:40 +02:00			`return MakeExternalAPI(metricsName, h)`
Add function for making authed federation APIs (#208) 2017-09-04 14:14:01 +02:00			`}`

Move setting up the api mux to outside the routing.Setup functions. (#173) This makes it possible to setup all the component APIs on a single http listener which is necessary if we want to combine all the components into a single monolith. 2017-08-03 16:10:39 +02:00			`// SetupHTTPAPI registers an HTTP API mux under /api and sets up a metrics`
			`// listener.`
Add CORS headers to all responses including errors (#364) 2017-12-06 10:36:50 +01:00			`func SetupHTTPAPI(servMux *http.ServeMux, apiMux http.Handler) {`
Update Prometheus metrics tracking (#459) Signed-off-by: Andrew Morgan <andrewm@matrix.org> 2018-05-23 16:42:08 +02:00			`servMux.Handle("/metrics", promhttp.Handler())`
Move setting up the api mux to outside the routing.Setup functions. (#173) This makes it possible to setup all the component APIs on a single http listener which is necessary if we want to combine all the components into a single monolith. 2017-08-03 16:10:39 +02:00			`servMux.Handle("/api/", http.StripPrefix("/api", apiMux))`
			`}`
Add CORS headers to all responses including errors (#364) 2017-12-06 10:36:50 +01:00
			`// WrapHandlerInCORS adds CORS headers to all responses, including all error`
			`// responses.`
			`// Handles OPTIONS requests directly.`
			`func WrapHandlerInCORS(h http.Handler) http.HandlerFunc {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`w.Header().Set("Access-Control-Allow-Origin", "*")`
			`w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")`
			`w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")`

Use http.Status* and http.Method* where appropriate (#417) Signed-off-by: Scott Raine <me@nylar.io> 2018-03-13 16:55:45 +01:00			`if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {`
Add CORS headers to all responses including errors (#364) 2017-12-06 10:36:50 +01:00			`// Its easiest just to always return a 200 OK for everything. Whether`
			`// this is technically correct or not is a question, but in the end this`
			`// is what a lot of other people do (including synapse) and the clients`
			`// are perfectly happy with it.`
			`w.WriteHeader(http.StatusOK)`
			`} else {`
			`h.ServeHTTP(w, r)`
			`}`
			`})`
			`}`