summaryrefslogtreecommitdiff
path: root/lib/pleroma/web.ex
blob: 8630f244b8505dc5bba489fa88f72061f1b65396 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
# Pleroma: A lightweight social networking server
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web do
  @moduledoc """
  A module that keeps using definitions for controllers,
  views and so on.

  This can be used in your application as:

      use Pleroma.Web, :controller
      use Pleroma.Web, :view

  The definitions below will be executed for every view,
  controller, etc, so keep them short and clean, focused
  on imports, uses and aliases.

  Do NOT define functions inside the quoted expressions
  below.
  """

  alias Pleroma.Helpers.AuthHelper
  alias Pleroma.Web.Plugs.EnsureAuthenticatedPlug
  alias Pleroma.Web.Plugs.EnsurePublicOrAuthenticatedPlug
  alias Pleroma.Web.Plugs.ExpectAuthenticatedCheckPlug
  alias Pleroma.Web.Plugs.ExpectPublicOrAuthenticatedCheckPlug
  alias Pleroma.Web.Plugs.OAuthScopesPlug
  alias Pleroma.Web.Plugs.PlugHelper

  def controller do
    quote do
      use Phoenix.Controller, namespace: Pleroma.Web

      import Plug.Conn

      import Pleroma.Web.Gettext
      import Pleroma.Web.Router.Helpers
      import Pleroma.Web.TranslationHelpers

      plug(:set_put_layout)

      defp set_put_layout(conn, _) do
        put_layout(conn, Pleroma.Config.get(:app_layout, "app.html"))
      end

      # Marks plugs intentionally skipped and blocks their execution if present in plugs chain
      defp skip_plug(conn, plug_modules) do
        plug_modules
        |> List.wrap()
        |> Enum.reduce(
          conn,
          fn plug_module, conn ->
            try do
              plug_module.skip_plug(conn)
            rescue
              UndefinedFunctionError ->
                raise "`#{plug_module}` is not skippable. Append `use Pleroma.Web, :plug` to its code."
            end
          end
        )
      end

      # Executed just before actual controller action, invokes before-action hooks (callbacks)
      defp action(conn, params) do
        with %{halted: false} = conn <-
               maybe_drop_authentication_if_oauth_check_ignored(conn),
             %{halted: false} = conn <- maybe_perform_public_or_authenticated_check(conn),
             %{halted: false} = conn <- maybe_perform_authenticated_check(conn),
             %{halted: false} = conn <- maybe_halt_on_missing_oauth_scopes_check(conn) do
          super(conn, params)
        end
      end

      # For non-authenticated API actions, drops auth info if OAuth scopes check was ignored
      #   (neither performed nor explicitly skipped)
      defp maybe_drop_authentication_if_oauth_check_ignored(conn) do
        if PlugHelper.plug_called?(conn, ExpectPublicOrAuthenticatedCheckPlug) and
             not PlugHelper.plug_called_or_skipped?(conn, OAuthScopesPlug) do
          AuthHelper.drop_auth_info(conn)
        else
          conn
        end
      end

      # Ensures instance is public -or- user is authenticated if such check was scheduled
      defp maybe_perform_public_or_authenticated_check(conn) do
        if PlugHelper.plug_called?(conn, ExpectPublicOrAuthenticatedCheckPlug) do
          EnsurePublicOrAuthenticatedPlug.call(conn, %{})
        else
          conn
        end
      end

      # Ensures user is authenticated if such check was scheduled
      # Note: runs prior to action even if it was already executed earlier in plug chain
      #   (since OAuthScopesPlug has option of proceeding unauthenticated)
      defp maybe_perform_authenticated_check(conn) do
        if PlugHelper.plug_called?(conn, ExpectAuthenticatedCheckPlug) do
          EnsureAuthenticatedPlug.call(conn, %{})
        else
          conn
        end
      end

      # Halts if authenticated API action neither performs nor explicitly skips OAuth scopes check
      defp maybe_halt_on_missing_oauth_scopes_check(conn) do
        if PlugHelper.plug_called?(conn, ExpectAuthenticatedCheckPlug) and
             not PlugHelper.plug_called_or_skipped?(conn, OAuthScopesPlug) do
          conn
          |> render_error(
            :forbidden,
            "Security violation: OAuth scopes check was neither handled nor explicitly skipped."
          )
          |> halt()
        else
          conn
        end
      end
    end
  end

  def view do
    quote do
      use Phoenix.View,
        root: "lib/pleroma/web/templates",
        namespace: Pleroma.Web

      # Import convenience functions from controllers
      import Phoenix.Controller, only: [get_csrf_token: 0, get_flash: 2, view_module: 1]

      import Pleroma.Web.ErrorHelpers
      import Pleroma.Web.Gettext
      import Pleroma.Web.Router.Helpers

      require Logger

      @doc "Same as `render/3` but wrapped in a rescue block"
      def safe_render(view, template, assigns \\ %{}) do
        Phoenix.View.render(view, template, assigns)
      rescue
        error ->
          Logger.error(
            "#{__MODULE__} failed to render #{inspect({view, template})}\n" <>
              Exception.format(:error, error, __STACKTRACE__)
          )

          nil
      end

      @doc """
      Same as `render_many/4` but wrapped in rescue block.
      """
      def safe_render_many(collection, view, template, assigns \\ %{}) do
        Enum.map(collection, fn resource ->
          as = Map.get(assigns, :as) || view.__resource__
          assigns = Map.put(assigns, as, resource)
          safe_render(view, template, assigns)
        end)
        |> Enum.filter(& &1)
      end
    end
  end

  def router do
    quote do
      use Phoenix.Router
      # credo:disable-for-next-line Credo.Check.Consistency.MultiAliasImportRequireUse
      import Plug.Conn
      import Phoenix.Controller
    end
  end

  def channel do
    quote do
      # credo:disable-for-next-line Credo.Check.Consistency.MultiAliasImportRequireUse
      import Phoenix.Channel
      import Pleroma.Web.Gettext
    end
  end

  def plug do
    quote do
      @behaviour Pleroma.Web.Plug
      @behaviour Plug

      @doc """
      Marks a plug intentionally skipped and blocks its execution if it's present in plugs chain.
      """
      def skip_plug(conn) do
        PlugHelper.append_to_private_list(
          conn,
          PlugHelper.skipped_plugs_list_id(),
          __MODULE__
        )
      end

      @impl Plug
      @doc """
      Before-plug hook that
        * ensures the plug is not skipped
        * processes `:if_func` / `:unless_func` functional pre-run conditions
        * adds plug to the list of called plugs and calls `perform/2` if checks are passed

      Note: multiple invocations of the same plug (with different or same options) are allowed.
      """
      def call(%Plug.Conn{} = conn, options) do
        if PlugHelper.plug_skipped?(conn, __MODULE__) ||
             (options[:if_func] && !options[:if_func].(conn)) ||
             (options[:unless_func] && options[:unless_func].(conn)) do
          conn
        else
          conn =
            PlugHelper.append_to_private_list(
              conn,
              PlugHelper.called_plugs_list_id(),
              __MODULE__
            )

          apply(__MODULE__, :perform, [conn, options])
        end
      end
    end
  end

  @doc """
  When used, dispatch to the appropriate controller/view/etc.
  """
  defmacro __using__(which) when is_atom(which) do
    apply(__MODULE__, which, [])
  end

  def base_url do
    Pleroma.Web.Endpoint.url()
  end

  # TODO: Change to Phoenix.Router.routes/1 for Phoenix 1.6.0+
  def get_api_routes do
    Pleroma.Web.Router.__routes__()
    |> Enum.reject(fn r -> r.plug == Pleroma.Web.Fallback.RedirectController end)
    |> Enum.map(fn r ->
      r.path
      |> String.split("/", trim: true)
      |> List.first()
    end)
    |> Enum.uniq()
  end
end