114 lines
3.2 KiB
Go
114 lines
3.2 KiB
Go
// SPDX-License-Identifier: AGPL-3.0-or-later
|
|
package handlers
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/subtle"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"errors"
|
|
"log/slog"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/cyrilinait/birdwatch-relay/internal/config"
|
|
"github.com/cyrilinait/birdwatch-relay/internal/storage"
|
|
)
|
|
|
|
type Handlers struct {
|
|
store *storage.Store
|
|
cfg *config.Config
|
|
}
|
|
|
|
func Register(mux *http.ServeMux, store *storage.Store, cfg *config.Config) {
|
|
h := &Handlers{store: store, cfg: cfg}
|
|
mux.HandleFunc("/v1/devices", h.registerDevice)
|
|
mux.HandleFunc("/v1/health", h.health)
|
|
}
|
|
|
|
// --- /v1/health -----------------------------------------------------------
|
|
|
|
func (h *Handlers) health(w http.ResponseWriter, _ *http.Request) {
|
|
w.Header().Set("Content-Type", "text/plain")
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte("ok"))
|
|
}
|
|
|
|
// --- /v1/devices ----------------------------------------------------------
|
|
|
|
type registerRequest struct {
|
|
DeviceID string `json:"device_id"`
|
|
FCMToken string `json:"fcm_token"`
|
|
PublicKey string `json:"public_key"` // base64 X25519, 32 bytes raw
|
|
}
|
|
|
|
func (h *Handlers) registerDevice(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
if !h.checkBearer(r, h.cfg.PairingCode) {
|
|
http.Error(w, "unauthorized — invalid pairing code", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
var req registerRequest
|
|
if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&req); err != nil {
|
|
http.Error(w, "invalid json", http.StatusBadRequest)
|
|
return
|
|
}
|
|
if req.DeviceID == "" || req.FCMToken == "" || req.PublicKey == "" {
|
|
http.Error(w, "missing fields", http.StatusBadRequest)
|
|
return
|
|
}
|
|
pub, err := base64.StdEncoding.DecodeString(req.PublicKey)
|
|
if err != nil || len(pub) != 32 {
|
|
http.Error(w, "public_key must be base64-encoded 32-byte X25519", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Anti-hijack: existing device_id must keep the same public key.
|
|
existing, getErr := h.store.Get(req.DeviceID)
|
|
switch {
|
|
case getErr == nil:
|
|
if !bytes.Equal(existing.PublicKey, pub) {
|
|
http.Error(w,
|
|
"device_id already registered with a different public key — operator must delete the existing record to allow re-registration",
|
|
http.StatusConflict)
|
|
return
|
|
}
|
|
case errors.Is(getErr, storage.ErrNotFound):
|
|
// fall through; new device.
|
|
default:
|
|
slog.Error("store get failed", "err", getErr, "device_id", req.DeviceID)
|
|
http.Error(w, "storage error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
now := time.Now().UTC()
|
|
if err := h.store.Upsert(storage.Device{
|
|
ID: req.DeviceID,
|
|
FCMToken: req.FCMToken,
|
|
PublicKey: pub,
|
|
CreatedAt: now,
|
|
LastSeenAt: now,
|
|
}); err != nil {
|
|
slog.Error("device upsert failed", "err", err, "device_id", req.DeviceID)
|
|
http.Error(w, "storage error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
func (h *Handlers) checkBearer(r *http.Request, want string) bool {
|
|
got := r.Header.Get("Authorization")
|
|
const prefix = "Bearer "
|
|
if !strings.HasPrefix(got, prefix) {
|
|
return false
|
|
}
|
|
have := strings.TrimPrefix(got, prefix)
|
|
if len(have) != len(want) {
|
|
return false
|
|
}
|
|
return subtle.ConstantTimeCompare([]byte(have), []byte(want)) == 1
|
|
}
|