From 501280f8aa2e8f6e107e0e7ab4c828f10e4af09b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miroslav=20=C5=A0ediv=C3=BD?= <sedivy.miro@gmail.com>
Date: Sun, 19 Nov 2023 14:35:19 +0100
Subject: [PATCH] server proxy, router opts and optional CORS.

---
 internal/config/server.go | 19 ++++++++++-
 internal/http/manager.go  | 36 +++++++++++---------
 internal/http/router.go   | 71 ++++++++++++++++++++++++++++++---------
 pkg/types/http.go         |  2 --
 4 files changed, 95 insertions(+), 33 deletions(-)

diff --git a/internal/config/server.go b/internal/config/server.go
index 44ba64ca..9ed30859 100644
--- a/internal/config/server.go
+++ b/internal/config/server.go
@@ -13,6 +13,7 @@ type Server struct {
 	Cert       string
 	Key        string
 	Bind       string
+	Proxy      bool
 	Static     string
 	PathPrefix string
 	PProf      bool
@@ -36,6 +37,11 @@ func (Server) Init(cmd *cobra.Command) error {
 		return err
 	}
 
+	cmd.PersistentFlags().Bool("server.proxy", false, "trust reverse proxy headers")
+	if err := viper.BindPFlag("server.proxy", cmd.PersistentFlags().Lookup("server.proxy")); err != nil {
+		return err
+	}
+
 	cmd.PersistentFlags().String("server.static", "", "path to neko client files to serve")
 	if err := viper.BindPFlag("server.static", cmd.PersistentFlags().Lookup("server.static")); err != nil {
 		return err
@@ -56,7 +62,7 @@ func (Server) Init(cmd *cobra.Command) error {
 		return err
 	}
 
-	cmd.PersistentFlags().StringSlice("server.cors", []string{"*"}, "list of allowed origins for CORS")
+	cmd.PersistentFlags().StringSlice("server.cors", []string{}, "list of allowed origins for CORS, if empty CORS is disabled, if '*' is present all origins are allowed")
 	if err := viper.BindPFlag("server.cors", cmd.PersistentFlags().Lookup("server.cors")); err != nil {
 		return err
 	}
@@ -68,6 +74,7 @@ func (s *Server) Set() {
 	s.Cert = viper.GetString("server.cert")
 	s.Key = viper.GetString("server.key")
 	s.Bind = viper.GetString("server.bind")
+	s.Proxy = viper.GetBool("server.proxy")
 	s.Static = viper.GetString("server.static")
 	s.PathPrefix = path.Join("/", path.Clean(viper.GetString("server.path_prefix")))
 	s.PProf = viper.GetBool("server.pprof")
@@ -80,7 +87,17 @@ func (s *Server) Set() {
 	}
 }
 
+func (s *Server) HasCors() bool {
+	return len(s.CORS) > 0
+}
+
 func (s *Server) AllowOrigin(origin string) bool {
+	// if CORS is disabled, allow all origins
+	if len(s.CORS) == 0 {
+		return true
+	}
+
+	// if CORS is enabled, allow only origins in the list
 	in, _ := utils.ArrayIn(origin, s.CORS)
 	return in || s.CORS[0] == "*"
 }
diff --git a/internal/http/manager.go b/internal/http/manager.go
index eb986f93..4a753314 100644
--- a/internal/http/manager.go
+++ b/internal/http/manager.go
@@ -5,7 +5,6 @@ import (
 	"net/http"
 	"os"
 
-	"github.com/go-chi/cors"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
@@ -24,24 +23,31 @@ type HttpManagerCtx struct {
 func New(WebSocketManager types.WebSocketManager, ApiManager types.ApiManager, config *config.Server) *HttpManagerCtx {
 	logger := log.With().Str("module", "http").Logger()
 
-	router := newRouter(logger)
-	router.UseBypass(cors.Handler(cors.Options{
-		AllowOriginFunc: func(r *http.Request, origin string) bool {
-			return config.AllowOrigin(origin)
-		},
-		AllowedMethods:   []string{"GET", "POST", "DELETE", "OPTIONS"},
-		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
-		ExposedHeaders:   []string{"Link"},
-		AllowCredentials: true,
-		MaxAge:           300, // Maximum value not ignored by any of major browsers
-	}))
+	opts := []RouterOption{
+		WithRequestID(), // create a request id for each request
+	}
+
+	// use real ip if behind proxy
+	// before logger so it can log the real ip
+	if config.Proxy {
+		opts = append(opts, WithRealIP())
+	}
+
+	opts = append(opts,
+		WithLogger(logger),
+		WithRecoverer(), // recover from panics without crashing server
+	)
+
+	if config.HasCors() {
+		opts = append(opts, WithCORS(config.AllowOrigin))
+	}
 
 	if config.PathPrefix != "/" {
-		router.UseBypass(func(h http.Handler) http.Handler {
-			return http.StripPrefix(config.PathPrefix, h)
-		})
+		opts = append(opts, WithPathPrefix(config.PathPrefix))
 	}
 
+	router := newRouter(opts...)
+
 	router.Route("/api", ApiManager.Route)
 
 	router.Get("/api/ws", WebSocketManager.Upgrade(func(r *http.Request) bool {
diff --git a/internal/http/router.go b/internal/http/router.go
index ab7bd535..02196252 100644
--- a/internal/http/router.go
+++ b/internal/http/router.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/go-chi/chi"
 	"github.com/go-chi/chi/middleware"
+	"github.com/go-chi/cors"
 	"github.com/rs/zerolog"
 
 	"github.com/demodesk/neko/pkg/auth"
@@ -12,16 +13,65 @@ import (
 	"github.com/demodesk/neko/pkg/utils"
 )
 
+type RouterOption func(*router)
+
+func WithRequestID() RouterOption {
+	return func(r *router) {
+		r.chi.Use(middleware.RequestID)
+	}
+}
+
+func WithLogger(logger zerolog.Logger) RouterOption {
+	return func(r *router) {
+		r.chi.Use(middleware.RequestLogger(&logFormatter{logger}))
+	}
+}
+
+func WithRecoverer() RouterOption {
+	return func(r *router) {
+		r.chi.Use(middleware.Recoverer)
+	}
+}
+
+func WithCORS(allowOrigin func(origin string) bool) RouterOption {
+	return func(r *router) {
+		r.chi.Use(cors.Handler(cors.Options{
+			AllowOriginFunc: func(r *http.Request, origin string) bool {
+				return allowOrigin(origin)
+			},
+			AllowedMethods:   []string{"GET", "POST", "DELETE", "OPTIONS"},
+			AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
+			ExposedHeaders:   []string{"Link"},
+			AllowCredentials: true,
+			MaxAge:           300, // Maximum value not ignored by any of major browsers
+		}))
+	}
+}
+
+func WithPathPrefix(prefix string) RouterOption {
+	return func(r *router) {
+		r.chi.Use(func(h http.Handler) http.Handler {
+			return http.StripPrefix(prefix, h)
+		})
+	}
+}
+
+func WithRealIP() RouterOption {
+	return func(r *router) {
+		r.chi.Use(middleware.RealIP)
+	}
+}
+
 type router struct {
 	chi chi.Router
 }
 
-func newRouter(logger zerolog.Logger) *router {
-	r := chi.NewRouter()
-	r.Use(middleware.RequestID) // Create a request ID for each request
-	r.Use(middleware.RequestLogger(&logFormatter{logger}))
-	r.Use(middleware.Recoverer) // Recover from panics without crashing server
-	return &router{r}
+func newRouter(opts ...RouterOption) types.Router {
+	r := &router{chi.NewRouter()}
+	for _, opt := range opts {
+		opt(r)
+	}
+	return r
 }
 
 func (r *router) Group(fn func(types.Router)) {
@@ -61,19 +111,10 @@ func (r *router) With(fn types.MiddlewareHandler) types.Router {
 	return &router{c}
 }
 
-func (r *router) WithBypass(fn func(next http.Handler) http.Handler) types.Router {
-	c := r.chi.With(fn)
-	return &router{c}
-}
-
 func (r *router) Use(fn types.MiddlewareHandler) {
 	r.chi.Use(middlewareHandler(fn))
 }
 
-func (r *router) UseBypass(fn func(next http.Handler) http.Handler) {
-	r.chi.Use(fn)
-}
-
 func (r *router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	r.chi.ServeHTTP(w, req)
 }
diff --git a/pkg/types/http.go b/pkg/types/http.go
index c178b447..0eced458 100644
--- a/pkg/types/http.go
+++ b/pkg/types/http.go
@@ -17,9 +17,7 @@ type Router interface {
 	Patch(pattern string, fn RouterHandler)
 	Delete(pattern string, fn RouterHandler)
 	With(fn MiddlewareHandler) Router
-	WithBypass(fn func(next http.Handler) http.Handler) Router
 	Use(fn MiddlewareHandler)
-	UseBypass(fn func(next http.Handler) http.Handler)
 	ServeHTTP(w http.ResponseWriter, req *http.Request)
 }