Commit a36867cd authored by Andrei Mihu's avatar Andrei Mihu

Improve accept header handling in runtime HTTP hooks

parent 345c7b2b
+1 −0
@@ -12,6 +12,7 @@ The format is based on [keep a changelog](http://keepachangelog.com/) and this p

### Changed
- Handle update now returns a bad input error code if handle is too long.
- Improved handling of accept request headers in HTTP runtime script invocations.
- Improved handling of content type request headers in HTTP runtime script invocations.
- Increase default maximum length of user handle from 20 to 128 characters.
- Increase default maximum length of device and custom IDs from 64 to 128 characters.

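--- a/pkg/httputil/header.go
+++ b/pkg/httputil/header.go
@@ -0,0 +1,300 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file or at
+// https://developers.google.com/open-source/licenses/bsd.
+
+// FROM https://github.com/golang/gddo/blob/master/httputil/header/header.go
+
+// Package header provides functions for parsing HTTP headers.
+package httputil
+
+import (
+	"net/http"
+	"strings"
+	"time"
+)
+
+// Octet types from RFC 2616.
+var octetTypes [256]octetType
+
+type octetType byte
+
+const (
+	isToken octetType = 1 << iota
+	isSpace
+)
+
+func init() {
+	// OCTET      = <any 8-bit sequence of data>
+	// CHAR       = <any US-ASCII character (octets 0 - 127)>
+	// CTL        = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
+	// CR         = <US-ASCII CR, carriage return (13)>
+	// LF         = <US-ASCII LF, linefeed (10)>
+	// SP         = <US-ASCII SP, space (32)>
+	// HT         = <US-ASCII HT, horizontal-tab (9)>
+	// <">        = <US-ASCII double-quote mark (34)>
+	// CRLF       = CR LF
+	// LWS        = [CRLF] 1*( SP | HT )
+	// TEXT       = <any OCTET except CTLs, but including LWS>
+	// separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <">
+	//              | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT
+	// token      = 1*<any CHAR except CTLs or separators>
+	// qdtext     = <any TEXT except <">>
+
+	for c := 0; c < 256; c++ {
+		var t octetType
+		isCtl := c <= 31 || c == 127
+		isChar := 0 <= c && c <= 127
+		isSeparator := strings.IndexRune(" \t\"(),/:;<=>?@[]\\{}", rune(c)) >= 0
+		if strings.IndexRune(" \t\r\n", rune(c)) >= 0 {
+			t |= isSpace
+		}
+		if isChar && !isCtl && !isSeparator {
+			t |= isToken
+		}
+		octetTypes[c] = t
+	}
+}
+
+// Copy returns a shallow copy of the header.
+func Copy(header http.Header) http.Header {
+	h := make(http.Header)
+	for k, vs := range header {
+		h[k] = vs
+	}
+	return h
+}
+
+var timeLayouts = []string{"Mon, 02 Jan 2006 15:04:05 GMT", time.RFC850, time.ANSIC}
+
+// ParseTime parses the header as time. The zero value is returned if the
+// header is not present or there is an error parsing the
+// header.
+func ParseTime(header http.Header, key string) time.Time {
+	if s := header.Get(key); s != "" {
+		for _, layout := range timeLayouts {
+			if t, err := time.Parse(layout, s); err == nil {
+				return t.UTC()
+			}
+		}
+	}
+	return time.Time{}
+}
+
+// ParseList parses a comma separated list of values. Commas are ignored in
+// quoted strings. Quoted values are not unescaped or unquoted. Whitespace is
+// trimmed.
+func ParseList(header http.Header, key string) []string {
+	var result []string
+	for _, s := range header[http.CanonicalHeaderKey(key)] {
+		begin := 0
+		end := 0
+		escape := false
+		quote := false
+		for i := 0; i < len(s); i++ {
+			b := s[i]
+			switch {
+			case escape:
+				escape = false
+				end = i + 1
+			case quote:
+				switch b {
+				case '\\':
+					escape = true
+				case '"':
+					quote = false
+				}
+				end = i + 1
+			case b == '"':
+				quote = true
+				end = i + 1
+			case octetTypes[b]&isSpace != 0:
+				if begin == end {
+					begin = i + 1
+					end = begin
+				}
+			case b == ',':
+				if begin < end {
+					result = append(result, s[begin:end])
+				}
+				begin = i + 1
+				end = begin
+			default:
+				end = i + 1
+			}
+		}
+		if begin < end {
+			result = append(result, s[begin:end])
+		}
+	}
+	return result
+}
+
+// ParseValueAndParams parses a comma separated list of values with optional
+// semicolon separated name-value pairs. Content-Type and Content-Disposition
+// headers are in this format.
+func ParseValueAndParams(header http.Header, key string) (value string, params map[string]string) {
+	params = make(map[string]string)
+	s := header.Get(key)
+	value, s = expectTokenSlash(s)
+	if value == "" {
+		return
+	}
+	value = strings.ToLower(value)
+	s = skipSpace(s)
+	for strings.HasPrefix(s, ";") {
+		var pkey string
+		pkey, s = expectToken(skipSpace(s[1:]))
+		if pkey == "" {
+			return
+		}
+		if !strings.HasPrefix(s, "=") {
+			return
+		}
+		var pvalue string
+		pvalue, s = expectTokenOrQuoted(s[1:])
+		if pvalue == "" {
+			return
+		}
+		pkey = strings.ToLower(pkey)
+		params[pkey] = pvalue
+		s = skipSpace(s)
+	}
+	return
+}
+
+// AcceptSpec describes an Accept* header.
+type AcceptSpec struct {
+	Value string
+	Q     float64
+}
+
+// ParseAccept parses Accept* headers.
+func ParseAccept(header http.Header, key string) (specs []AcceptSpec) {
+loop:
+	for _, s := range header[key] {
+		for {
+			var spec AcceptSpec
+			spec.Value, s = expectTokenSlash(s)
+			if spec.Value == "" {
+				continue loop
+			}
+			spec.Q = 1.0
+			s = skipSpace(s)
+			if strings.HasPrefix(s, ";") {
+				s = skipSpace(s[1:])
+				if !strings.HasPrefix(s, "q=") {
+					continue loop
+				}
+				spec.Q, s = expectQuality(s[2:])
+				if spec.Q < 0.0 {
+					continue loop
+				}
+			}
+			specs = append(specs, spec)
+			s = skipSpace(s)
+			if !strings.HasPrefix(s, ",") {
+				continue loop
+			}
+			s = skipSpace(s[1:])
+		}
+	}
+	return
+}
+
+func skipSpace(s string) (rest string) {
+	i := 0
+	for ; i < len(s); i++ {
+		if octetTypes[s[i]]&isSpace == 0 {
+			break
+		}
+	}
+	return s[i:]
+}
+
+func expectToken(s string) (token, rest string) {
+	i := 0
+	for ; i < len(s); i++ {
+		if octetTypes[s[i]]&isToken == 0 {
+			break
+		}
+	}
+	return s[:i], s[i:]
+}
+
+func expectTokenSlash(s string) (token, rest string) {
+	i := 0
+	for ; i < len(s); i++ {
+		b := s[i]
+		if (octetTypes[b]&isToken == 0) && b != '/' {
+			break
+		}
+	}
+	return s[:i], s[i:]
+}
+
+func expectQuality(s string) (q float64, rest string) {
+	switch {
+	case len(s) == 0:
+		return -1, ""
+	case s[0] == '0':
+		q = 0
+	case s[0] == '1':
+		q = 1
+	default:
+		return -1, ""
+	}
+	s = s[1:]
+	if !strings.HasPrefix(s, ".") {
+		return q, s
+	}
+	s = s[1:]
+	i := 0
+	n := 0
+	d := 1
+	for ; i < len(s); i++ {
+		b := s[i]
+		if b < '0' || b > '9' {
+			break
+		}
+		n = n*10 + int(b) - '0'
+		d *= 10
+	}
+	return q + float64(n)/float64(d), s[i:]
+}
+
+func expectTokenOrQuoted(s string) (value string, rest string) {
+	if !strings.HasPrefix(s, "\"") {
+		return expectToken(s)
+	}
+	s = s[1:]
+	for i := 0; i < len(s); i++ {
+		switch s[i] {
+		case '"':
+			return s[:i], s[i+1:]
+		case '\\':
+			p := make([]byte, len(s)-1)
+			j := copy(p, s[:i])
+			escape := true
+			for i = i + 1; i < len(s); i++ {
+				b := s[i]
+				switch {
+				case escape:
+					escape = false
+					p[j] = b
+					j++
+				case b == '\\':
+					escape = true
+				case b == '"':
+					return string(p[:j]), s[i+1:]
+				default:
+					p[j] = b
+					j++
+				}
+			}
+			return "", ""
+		}
+	}
+	return "", ""
+}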
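Review bot: ParseAccept keeps entries whose quality parses to zero, since the only skip is `if spec.Q < 0.0 { continue loop }` for an unparseable value, so a caller that inspects only `Value` will treat `application/json;q=0` (which a client sends to mean "not acceptable") as accepted; the doc comment should make that contract explicit, e.g. `// ParseAccept parses Accept* headers. Entries with q=0 are returned unchanged; callers deciding acceptability must also check that Q > 0.` Related, expectQuality does not bound the result, so `q=1.5` is returned as Q 1.5 rather than being rejected, and that could be stated in the same comment or clamped in expectQuality. The package comment `// Package header provides functions for parsing HTTP headers.` no longer matches the clause `package httputil` and should read `// Package httputil provides functions for parsing HTTP headers.` ParseAccept also reads `header[key]` directly while ParseList reads `header[http.CanonicalHeaderKey(key)]`, so a lowercase key such as "accept" silently yields no specs; using the canonical lookup in ParseAccept too is a one-line change.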
+140 −0
// Copyright 2013 The Go Authors. All rights reserved.
//
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file or at
// https://developers.google.com/open-source/licenses/bsd.

// FROM https://github.com/golang/gddo/blob/master/httputil/header/header_test.go

package httputil

import (
	"net/http"
	"reflect"
	"testing"
	"time"
)

var getHeaderListTests = []struct {
	s string
	l []string
}{
	{s: `a`, l: []string{`a`}},
	{s: `a, b , c `, l: []string{`a`, `b`, `c`}},
	{s: `a,, b , , c `, l: []string{`a`, `b`, `c`}},
	{s: `a,b,c`, l: []string{`a`, `b`, `c`}},
	{s: ` a b, c d `, l: []string{`a b`, `c d`}},
	{s: `"a, b, c", d `, l: []string{`"a, b, c"`, "d"}},
	{s: `","`, l: []string{`","`}},
	{s: `"\""`, l: []string{`"\""`}},
	{s: `" "`, l: []string{`" "`}},
}

func TestGetHeaderList(t *testing.T) {
	for _, tt := range getHeaderListTests {
		header := http.Header{"Foo": {tt.s}}
		if l := ParseList(header, "foo"); !reflect.DeepEqual(tt.l, l) {
			t.Errorf("ParseList for %q = %q, want %q", tt.s, l, tt.l)
		}
	}
}

var parseValueAndParamsTests = []struct {
	s      string
	value  string
	params map[string]string
}{
	{`text/html`, "text/html", map[string]string{}},
	{`text/html  `, "text/html", map[string]string{}},
	{`text/html ; `, "text/html", map[string]string{}},
	{`tExt/htMl`, "text/html", map[string]string{}},
	{`tExt/htMl; fOO=";"; hellO=world`, "text/html", map[string]string{
		"hello": "world",
		"foo":   `;`,
	}},
	{`text/html; foo=bar, hello=world`, "text/html", map[string]string{"foo": "bar"}},
	{`text/html ; foo=bar `, "text/html", map[string]string{"foo": "bar"}},
	{`text/html ;foo=bar `, "text/html", map[string]string{"foo": "bar"}},
	{`text/html; foo="b\ar"`, "text/html", map[string]string{"foo": "bar"}},
	{`text/html; foo="bar\"baz\"qux"`, "text/html", map[string]string{"foo": `bar"baz"qux`}},
	{`text/html; foo="b,ar"`, "text/html", map[string]string{"foo": "b,ar"}},
	{`text/html; foo="b;ar"`, "text/html", map[string]string{"foo": "b;ar"}},
	{`text/html; FOO="bar"`, "text/html", map[string]string{"foo": "bar"}},
	{`form-data; filename="file.txt"; name=file`, "form-data", map[string]string{"filename": "file.txt", "name": "file"}},
}

func TestParseValueAndParams(t *testing.T) {
	for _, tt := range parseValueAndParamsTests {
		header := http.Header{"Content-Type": {tt.s}}
		value, params := ParseValueAndParams(header, "Content-Type")
		if value != tt.value {
			t.Errorf("%q, value=%q, want %q", tt.s, value, tt.value)
		}
		if !reflect.DeepEqual(params, tt.params) {
			t.Errorf("%q, param=%#v, want %#v", tt.s, params, tt.params)
		}
	}
}

var parseTimeValidTests = []string{
	"Sun, 06 Nov 1994 08:49:37 GMT",
	"Sunday, 06-Nov-94 08:49:37 GMT",
	"Sun Nov  6 08:49:37 1994",
}

var parseTimeInvalidTests = []string{
	"junk",
}

func TestParseTime(t *testing.T) {
	expected := time.Date(1994, 11, 6, 8, 49, 37, 0, time.UTC)
	for _, s := range parseTimeValidTests {
		header := http.Header{"Date": {s}}
		actual := ParseTime(header, "Date")
		if actual != expected {
			t.Errorf("GetTime(%q)=%v, want %v", s, actual, expected)
		}
	}
	for _, s := range parseTimeInvalidTests {
		header := http.Header{"Date": {s}}
		actual := ParseTime(header, "Date")
		if !actual.IsZero() {
			t.Errorf("GetTime(%q) did not return zero", s)
		}
	}
}

var parseAcceptTests = []struct {
	s        string
	expected []AcceptSpec
}{
	{"text/html", []AcceptSpec{{"text/html", 1}}},
	{"text/html; q=0", []AcceptSpec{{"text/html", 0}}},
	{"text/html; q=0.0", []AcceptSpec{{"text/html", 0}}},
	{"text/html; q=1", []AcceptSpec{{"text/html", 1}}},
	{"text/html; q=1.0", []AcceptSpec{{"text/html", 1}}},
	{"text/html; q=0.1", []AcceptSpec{{"text/html", 0.1}}},
	{"text/html;q=0.1", []AcceptSpec{{"text/html", 0.1}}},
	{"text/html, text/plain", []AcceptSpec{{"text/html", 1}, {"text/plain", 1}}},
	{"text/html; q=0.1, text/plain", []AcceptSpec{{"text/html", 0.1}, {"text/plain", 1}}},
	{"iso-8859-5, unicode-1-1;q=0.8,iso-8859-1", []AcceptSpec{{"iso-8859-5", 1}, {"unicode-1-1", 0.8}, {"iso-8859-1", 1}}},
	{"iso-8859-1", []AcceptSpec{{"iso-8859-1", 1}}},
	{"*", []AcceptSpec{{"*", 1}}},
	{"da, en-gb;q=0.8, en;q=0.7", []AcceptSpec{{"da", 1}, {"en-gb", 0.8}, {"en", 0.7}}},
	{"da, q, en-gb;q=0.8", []AcceptSpec{{"da", 1}, {"q", 1}, {"en-gb", 0.8}}},
	{"image/png, image/*;q=0.5", []AcceptSpec{{"image/png", 1}, {"image/*", 0.5}}},

	// bad cases
	{"value1; q=0.1.2", []AcceptSpec{{"value1", 0.1}}},
	{"da, en-gb;q=foo", []AcceptSpec{{"da", 1}}},
}

func TestParseAccept(t *testing.T) {
	for _, tt := range parseAcceptTests {
		header := http.Header{"Accept": {tt.s}}
		actual := ParseAccept(header, "Accept")
		if !reflect.DeepEqual(actual, tt.expected) {
			t.Errorf("ParseAccept(h, %q)=%v, want %v", tt.s, actual, tt.expected)
		}
	}
}
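Review bot: The failure messages in TestParseTime name a function that does not exist in this package, `t.Errorf("GetTime(%q)=%v, want %v", s, actual, expected)` and `t.Errorf("GetTime(%q) did not return zero", s)`, while the call under test is `ParseTime`; renaming them to `ParseTime(%q)` keeps a failing run traceable to the right function. The comparison `if actual != expected {` holds here only because ParseTime returns `t.UTC()` and expected is built with `time.UTC`; `if !actual.Equal(expected) {` compares the instant regardless of location and is the idiomatic form. The bad-case table in parseAcceptTests covers `q=foo` and `q=0.1.2` but has no case for a quality above 1 or for a parameter other than q after `;` (for example `text/html; charset=utf-8`), which the `continue loop` path in ParseAccept drops silently, so the test would currently not notice a change in either behaviour.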
+7 −7
@@ -26,6 +26,7 @@ import (
	"github.com/gorilla/handlers"
	"github.com/gorilla/mux"
	"go.uber.org/zap"
	"os"
)

// DashboardService is responsible for serving the dashboard and all of its required resources
@@ -56,8 +57,7 @@ func NewDashboardService(logger *zap.Logger, multiLogger *zap.Logger, version st
	service.mux.HandleFunc("/v0/cluster/stats", service.statusHandler).Methods("GET")
	service.mux.HandleFunc("/v0/config", service.configHandler).Methods("GET")
	service.mux.HandleFunc("/v0/info", service.infoHandler).Methods("GET")
	// TODO coming soon
	// service.mux.PathPrefix("/").Handler(http.FileServer(service.dashboardFilesystem)).Methods("GET") // Needs to be last.
	service.mux.PathPrefix("/").Handler(http.FileServer(service.dashboardFilesystem)).Methods("GET") // Needs to be last.

	go func() {
		bindAddr := fmt.Sprintf(":%d", config.GetDashboard().Port)
@@ -67,11 +67,11 @@ func NewDashboardService(logger *zap.Logger, multiLogger *zap.Logger, version st
			multiLogger.Fatal("Dashboard listener failed", zap.Error(err))
		}
	}()
	// hostname, err := os.Hostname()
	// if err != nil {
	// 	 hostname = "127.0.0.1"
	// }
	// multiLogger.Info("Dashboard", zap.String("address", fmt.Sprintf("http://%s:%d", hostname, config.GetDashboard().Port)))
	hostname, err := os.Hostname()
	if err != nil {
		hostname = "127.0.0.1"
	}
	multiLogger.Info("Dashboard", zap.String("address", fmt.Sprintf("http://%s:%d", hostname, config.GetDashboard().Port)))

	return service
}
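Review bot: The newly enabled `service.mux.PathPrefix("/").Handler(http.FileServer(service.dashboardFilesystem)).Methods("GET")` serves whatever dashboardFilesystem is rooted at, and http.FileServer renders a directory listing for any directory without an index.html; the hunk does not show how dashboardFilesystem is constructed, so if it is an `http.Dir` on disk rather than a packaged asset set, a listing-suppressing wrapper belongs here, and either way a comment should state the expectation, e.g. `// dashboardFilesystem is served verbatim (including directory listings); it must contain only built dashboard assets.` In the import hunk, `"os"` is appended after the third-party imports; goimports places it in the standard-library group with the other stdlib imports. NewDashboardService starts before the first hunk.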
+13 −10
@@ -40,6 +40,7 @@ import (
	"github.com/satori/go.uuid"
	"go.uber.org/zap"
	"golang.org/x/crypto/bcrypt"
	"nakama/pkg/httputil"
)

const (
@@ -163,18 +164,20 @@ func (a *authenticationService) configure() {
	}).Methods("GET", "OPTIONS")

	a.mux.HandleFunc("/runtime/{path}", func(w http.ResponseWriter, r *http.Request) {
		accept := r.Header.Get("accept")
		if accept == "" {
			accept = "application/json"
		if r.Header.Get("accept") == "" {
			// If no Accept header is provided, assume the client can handle application/json.
			r.Header.Add("accept", "application/json")
		}
		acceptSpecs := httputil.ParseAccept(r.Header, "Accept")
		acceptable := false
		for _, acceptSpec := range acceptSpecs {
			if acceptSpec.Value == "application/json" || acceptSpec.Value == "*/*" {
				acceptable = true
				break
			}
		acceptMediaType, _, err := mime.ParseMediaType(accept)
		if err != nil {
			a.logger.Warn("Could not decode accept header", zap.Error(err))
			http.Error(w, fmt.Sprintf("Runtime function handler was unable to parse accept header: %s", accept), 400)
			return
		}
		if acceptMediaType != "application/json" {
			http.Error(w, fmt.Sprintf("Runtime function received invalid accept header: \"%s\", expected:\"application/json\"", accept), 400)
		if !acceptable {
			http.Error(w, fmt.Sprintf("Runtime function received invalid accept header: \"%s\", expected at least: \"application/json\"", r.Header.Get("accept")), 400)
			return
		}