mod comment; pub use comment::*; mod database; pub use database::Database; mod error; pub use error::Error; use actix_cors::Cors; use actix_web::{get, post, web, App, HttpRequest, HttpResponse, HttpServer}; use clap::Parser; use sanitize_html::{errors::SanitizeError, rules::predefined::DEFAULT, sanitize_str}; use scraper::{Html, Selector}; use serde::Deserialize; use std::sync::Mutex; use std::{collections::HashMap, sync::MutexGuard}; use validator::Validate; struct AppState { databases: HashMap>, arguments: Arguments, } impl AppState { fn get_db<'a>(&'a self, origin: Option) -> Result, Error> { let origin = match origin { Some(origin) => origin, None => return Err(Error::InvalidOrigin), }; match self.databases.get(&origin) { Some(database) => Ok(match database.lock() { Ok(database) => database, Err(_) => return Err(Error::DatabaseAccessError), }), None => return Err(Error::InvalidOrigin), } } } fn get_request_origin(request: &HttpRequest) -> Option { match request.head().headers().get("Origin") { Some(origin) => match origin.to_str() { Ok(origin) => Some(origin.to_owned()), Err(_) => None, }, None => None, } } #[derive(Default, Parser)] #[clap(author, version, about)] struct Arguments { #[clap( short, long, default_value = "8080", help = "Set port where HTTP requests will be received" )] port: u16, #[clap( required = true, min_values = 1, help = "Set sites where comments will be posted" )] sites: Vec, #[clap( short, long, help = "Run in testing mode, with in-memory database(s) and permissive CORS policy" )] testing: bool, #[clap(short, long, help = "Require name for comment submissions")] name_required: bool, #[clap(short, long, help = "Require email for comment submissions")] email_required: bool, } async fn _get_comments( data: web::Data, request: HttpRequest, content_id: web::Path, ) -> Result, Error> { let origin = get_request_origin(&request); match web::block(move || { Ok( match match data.get_db(origin) { Ok(database) => database, Err(err) => return Err(err), } .get_comments(&content_id) { Ok(comments) => comments, Err(_) => return Err(Error::DatabaseInternalError), }, ) }) .await { Ok(result) => result, Err(_) => Err(Error::DatabaseAccessError), } } #[get("/{content_id}")] async fn get_comments( data: web::Data, request: HttpRequest, content_id: web::Path, ) -> HttpResponse { match _get_comments(data, request, content_id).await { Ok(comments) => HttpResponse::Ok().json(comments), Err(err) => err.to_http_response(), } } #[derive(Deserialize)] struct PostCommentsRequest { url: String, comment: Comment, } async fn _post_comment( data: web::Data, request: HttpRequest, bytes: web::Bytes, ) -> Result<(), Error> { match String::from_utf8(bytes.to_vec()) { Ok(text) => { let PostCommentsRequest { url, comment } = match serde_json::from_str::(&text) { Ok(mut req) => { let mut sanitize_req = || -> Result<(), SanitizeError> { req.comment.text = sanitize_str(&DEFAULT, &req.comment.text)?.replace(">", ">"); // required for markdown quotes if let Some(ref mut author) = req.comment.author { *author = sanitize_str(&DEFAULT, &author)?; } Ok(()) }; if let Err(_) = sanitize_req() { return Err(Error::SanitizationError); } req } Err(_) => { return Err(Error::InvalidBody); } }; if comment.validate().is_err() { return Err(Error::InvalidFields); } if comment.author.is_none() && data.arguments.name_required { return Err(Error::NameRequired); } if comment.email.is_none() && data.arguments.email_required { return Err(Error::EmailRequired); } let origin = match get_request_origin(&request) { Some(origin) => origin, None => return Err(Error::InvalidOrigin), }; // Check to see if provided URL is in scope. // This is to prevent malicious requests that try to get server to fetch external websites. // (requires loop because "labels on blocks are unstable") // https://github.com/rust-lang/rust/issues/48594 'outer: loop { for site_root in data.databases.keys() { if site_root.starts_with(&origin) && url.starts_with(site_root) { break 'outer; } } return Err(Error::InvalidUrl); } match get_page_data(&url).await { Ok(page_data_option) => match page_data_option { Some(page_data) => { if page_data.content_id != comment.content_id { return Err(Error::InvalidContentId); } } None => return Err(Error::InvalidUrl), // e.g. 404 }, Err(_) => { return Err(Error::PageFetchError); } }; match web::block(move || { let database = match data.get_db(Some(origin)) { Ok(database) => database, Err(err) => return Err(err), }; if let Some(parent) = comment.parent { 'outer2: loop { match database.get_comments(&comment.content_id) { Ok(comments) => { for other_comment in comments.iter() { if other_comment.id.unwrap() == parent { if other_comment.parent.is_none() { break 'outer2; } break; } } } Err(_) => { return Err(Error::DatabaseInternalError); } }; return Err(Error::InvalidParent); } } if let Err(_) = database.create_comment(&comment) { return Err(Error::DatabaseInternalError); } Ok(()) }) .await { Ok(result) => result, Err(_) => Err(Error::DatabaseAccessError), } } Err(_) => Err(Error::InvalidBody), } } #[post("/")] async fn post_comment( data: web::Data, request: HttpRequest, bytes: web::Bytes, ) -> HttpResponse { match _post_comment(data, request, bytes).await { Ok(_) => HttpResponse::Ok().finish(), Err(err) => err.to_http_response(), } } // Contains all page details stored in meta tags. // Currently, only content_id, but this is wrapped in this struct // to make adding other meta tags, such as locked comments, in the future struct PageData { content_id: String, } async fn get_page_data(url: &str) -> Result, reqwest::Error> { let response = reqwest::get(url).await?; if !response.status().is_success() { return Ok(None); } let content = response.text_with_charset("utf-8").await?; let document = Html::parse_document(&content); let get_meta = |name: &str| -> Option { let selector = Selector::parse(&format!("meta[name=\"{}\"]", name)).unwrap(); match document.select(&selector).next() { Some(element) => match element.value().attr("content") { Some(value) => Some(value.to_owned()), None => return None, }, None => return None, } }; return Ok(Some(PageData { content_id: match get_meta("soudan-content-id") { Some(id) => id, None => return Ok(None), }, })); } #[actix_web::main] async fn main() -> Result<(), std::io::Error> { let arguments = Arguments::parse(); let mut databases = HashMap::new(); for domain in arguments.sites.iter() { databases.insert( domain.to_owned(), Mutex::new(Database::new(arguments.testing, domain).unwrap()), ); } let port = arguments.port; let state = web::Data::new(AppState { databases, arguments, }); HttpServer::new(move || { App::new() .service(get_comments) .service(post_comment) .app_data(state.clone()) // Issue with CORS on POST requests, // keeping permissive for now .wrap( Cors::permissive(), /* if arguments.testing { Cors::permissive() } else { let mut cors = Cors::default() .allowed_methods(vec!["GET", "POST"]); for domain in arguments.sites.iter() { cors = cors.allowed_origin(domain); } cors } */ ) }) .bind(("127.0.0.1", port))? .run() .await }