Certificates Renewal + SSE

- Certificate renewal is just a re-request as it's forced already
- Rejig the routes for readability
- Added Server Side Events so that the UI would invalidate the
cache when changes happen on the backend, such as certs being
provided or failing
- Added a SSE Token, which has the same shelf life as normal token
but can't be used interchangeably. The reason for this is, the
SSE endpoint needs a token for auth as a Query param, so it would
be stored in log files. If someone where to get a hold of that,
it's pretty useless as it can't be used to change anything, only
to listen for events until it expires
- Added test endpoint for SSE testing only availabe in debug mode

Author: jc21

backend/embed/api_docs/api.swagger.json

@@ -163,6 +163,11 @@
 				"$ref": "file://./paths/tokens/post.json"
 			}
 		},
+		"/tokens/sse": {
+			"post": {
+				"$ref": "file://./paths/tokens/sse/post.json"
+			}
+		},
 		"/upstreams": {
 			"get": {
 				"$ref": "file://./paths/upstreams/get.json"

backend/embed/api_docs/paths/tokens/get.json

@@ -1,21 +1,17 @@
 {
 	"operationId": "refreshToken",
 	"summary": "Refresh your access token",
-	"tags": [
-		"Tokens"
-	],
+	"tags": ["Tokens"],
 	"responses": {
 		"200": {
 			"description": "200 response",
 			"content": {
 				"application/json": {
 					"schema": {
-						"required": [
-							"result"
-						],
+						"required": ["result"],
 						"properties": {
 							"result": {
-								"$ref": "#/components/schemas/StreamObject"
+								"$ref": "#/components/schemas/TokenObject"
 							}
 						}
 					},
@@ -34,4 +30,4 @@
 			}
 		}
 	}
-}
+}

backend/embed/api_docs/paths/tokens/post.json

@@ -1,9 +1,7 @@
 {
 	"operationId": "requestToken",
 	"summary": "Request a new access token from credentials",
-	"tags": [
-		"Tokens"
-	],
+	"tags": ["Tokens"],
 	"requestBody": {
 		"description": "Credentials Payload",
 		"required": true,
@@ -19,12 +17,10 @@
 			"content": {
 				"application/json": {
 					"schema": {
-						"required": [
-							"result"
-						],
+						"required": ["result"],
 						"properties": {
 							"result": {
-								"$ref": "#/components/schemas/StreamObject"
+								"$ref": "#/components/schemas/TokenObject"
 							}
 						}
 					},
@@ -49,9 +45,7 @@
 					"schema": {
 						"type": "object",
 						"additionalProperties": false,
-						"required": [
-							"error"
-						],
+						"required": ["error"],
 						"properties": {
 							"result": {
 								"nullable": true
@@ -76,4 +70,4 @@
 			}
 		}
 	}
-}
+}

backend/embed/api_docs/paths/tokens/sse/post.json

@@ -0,0 +1,33 @@
+{
+	"operationId": "requestSSEToken",
+	"summary": "Request a new SSE token",
+	"tags": ["Tokens"],
+	"responses": {
+		"200": {
+			"description": "200 response",
+			"content": {
+				"application/json": {
+					"schema": {
+						"required": ["result"],
+						"properties": {
+							"result": {
+								"$ref": "#/components/schemas/TokenObject"
+							}
+						}
+					},
+					"examples": {
+						"default": {
+							"value": {
+								"result": {
+									"expires": 1566540510,
+									"token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.ey...xaHKYr3Kk6MvkUjcC4",
+									"scope": "user"
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+}

backend/go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/jwtauth v4.0.4+incompatible
+	github.com/jc21/go-sse v0.0.0-20230307041911-8ea9bdc44a58
 	github.com/jc21/jsref v0.0.0-20210608024405-a97debfc4760
 	github.com/jmoiron/sqlx v1.3.5
 	github.com/mattn/go-sqlite3 v1.14.16

backend/go.sum

@@ -27,6 +27,12 @@ github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxI
 github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/jc21/go-sse v0.0.0-20230307004720-e0a2266806a8 h1:3zrxixsRpzrMXd/c6vUHaoIi9OqirEPxPe4Ydxn3jNU=
+github.com/jc21/go-sse v0.0.0-20230307004720-e0a2266806a8/go.mod h1:4v5Xmm0eYuaWqKJ63XUV5YfQPoxtId3DgDytbnWhi+s=
+github.com/jc21/go-sse v0.0.0-20230307015818-b2783ddda573 h1:aaRu9mFSjxNfbXWVe7MlarmuB0vcdTShXFbxjzHAseA=
+github.com/jc21/go-sse v0.0.0-20230307015818-b2783ddda573/go.mod h1:4v5Xmm0eYuaWqKJ63XUV5YfQPoxtId3DgDytbnWhi+s=
+github.com/jc21/go-sse v0.0.0-20230307041911-8ea9bdc44a58 h1:WSD0YdEuFPZHIe8hkAjxoAEWZnzieAiLg3zw28EVf80=
+github.com/jc21/go-sse v0.0.0-20230307041911-8ea9bdc44a58/go.mod h1:4v5Xmm0eYuaWqKJ63XUV5YfQPoxtId3DgDytbnWhi+s=
 github.com/jc21/jsref v0.0.0-20210608024405-a97debfc4760 h1:7wxq2DIgtO36KLrFz1RldysO0WVvcYsD49G9tyAs01k=
 github.com/jc21/jsref v0.0.0-20210608024405-a97debfc4760/go.mod h1:yIq2t51OJgVsdRlPY68NAnyVdBH0kYXxDTFtUxOap80=
 github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g=

backend/internal/api/handler/certificates.go

@@ -39,23 +39,11 @@ func GetCertificates() func(http.ResponseWriter, *http.Request) {
 // Route: GET /certificates/{certificateID}
 func GetCertificate() func(http.ResponseWriter, *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		var err error
-		var certificateID int
-		if certificateID, err = getURLParamInt(r, "certificateID"); err != nil {
-			h.ResultErrorJSON(w, r, http.StatusBadRequest, err.Error(), nil)
-			return
-		}
-
-		item, err := certificate.GetByID(certificateID)
-		switch err {
-		case sql.ErrNoRows:
-			h.NotFound(w, r)
-		case nil:
+		logger.Debug("here")
+		if item := getCertificateFromRequest(w, r); item != nil {
 			// nolint: errcheck,gosec
 			item.Expand(getExpandFromContext(r))
 			h.ResultResponseJSON(w, r, http.StatusOK, item)
-		default:
-			h.ResultErrorJSON(w, r, http.StatusBadRequest, err.Error(), nil)
 		}
 	}
 }
@@ -64,77 +52,40 @@ func GetCertificate() func(http.ResponseWriter, *http.Request) {
 // Route: POST /certificates
 func CreateCertificate() func(http.ResponseWriter, *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		bodyBytes, _ := r.Context().Value(c.BodyCtxKey).([]byte)
-
-		var newCertificate certificate.Model
-		err := json.Unmarshal(bodyBytes, &newCertificate)
-		if err != nil {
-			h.ResultErrorJSON(w, r, http.StatusBadRequest, h.ErrInvalidPayload.Error(), nil)
-			return
-		}
-
-		// Get userID from token
-		userID, _ := r.Context().Value(c.UserIDCtxKey).(int)
-		newCertificate.UserID = userID
+		var item certificate.Model
+		if fillObjectFromBody(w, r, "", &item) {
+			// Get userID from token
+			userID, _ := r.Context().Value(c.UserIDCtxKey).(int)
+			item.UserID = userID
+
+			if err := item.Save(); err != nil {
+				h.ResultErrorJSON(w, r, http.StatusBadRequest, fmt.Sprintf("Unable to save Certificate: %s", err.Error()), nil)
+				return
+			}
 
-		if err = newCertificate.Save(); err != nil {
-			h.ResultErrorJSON(w, r, http.StatusBadRequest, fmt.Sprintf("Unable to save Certificate: %s", err.Error()), nil)
-			return
+			configureCertificate(item)
+			h.ResultResponseJSON(w, r, http.StatusOK, item)
 		}
-
-		configureCertificate(newCertificate)
-
-		h.ResultResponseJSON(w, r, http.StatusOK, newCertificate)
 	}
 }
 
 // UpdateCertificate updates a cert
 // Route: PUT /certificates/{certificateID}
 func UpdateCertificate() func(http.ResponseWriter, *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		var err error
-		var certificateID int
-		if certificateID, err = getURLParamInt(r, "certificateID"); err != nil {
-			h.ResultErrorJSON(w, r, http.StatusBadRequest, err.Error(), nil)
-			return
-		}
-
-		certificateObject, err := certificate.GetByID(certificateID)
-		switch err {
-		case sql.ErrNoRows:
-			h.NotFound(w, r)
-		case nil:
+		if item := getCertificateFromRequest(w, r); item != nil {
 			// This is a special endpoint, as it needs to verify the schema payload
 			// based on the certificate type, without being given a type in the payload.
 			// The middleware would normally handle this.
-			bodyBytes, _ := r.Context().Value(c.BodyCtxKey).([]byte)
-			schemaErrors, jsonErr := middleware.CheckRequestSchema(r.Context(), schema.UpdateCertificate(certificateObject.Type), bodyBytes)
-			if jsonErr != nil {
-				h.ResultErrorJSON(w, r, http.StatusInternalServerError, fmt.Sprintf("Schema Fatal: %v", jsonErr), nil)
-				return
-			}
-
-			if len(schemaErrors) > 0 {
-				h.ResultSchemaErrorJSON(w, r, schemaErrors)
-				return
+			if fillObjectFromBody(w, r, schema.UpdateCertificate(item.Type), item) {
+				if err := item.Save(); err != nil {
+					h.ResultErrorJSON(w, r, http.StatusBadRequest, err.Error(), nil)
+					return
+				}
+
+				// configureCertificate(*item, item.Request)
+				h.ResultResponseJSON(w, r, http.StatusOK, item)
 			}
-
-			err := json.Unmarshal(bodyBytes, &certificateObject)
-			if err != nil {
-				h.ResultErrorJSON(w, r, http.StatusBadRequest, h.ErrInvalidPayload.Error(), nil)
-				return
-			}
-
-			if err = certificateObject.Save(); err != nil {
-				h.ResultErrorJSON(w, r, http.StatusBadRequest, err.Error(), nil)
-				return
-			}
-
-			configureCertificate(certificateObject)
-
-			h.ResultResponseJSON(w, r, http.StatusOK, certificateObject)
-		default:
-			h.ResultErrorJSON(w, r, http.StatusBadRequest, err.Error(), nil)
 		}
 	}
 }
@@ -143,31 +94,87 @@ func UpdateCertificate() func(http.ResponseWriter, *http.Request) {
 // Route: DELETE /certificates/{certificateID}
 func DeleteCertificate() func(http.ResponseWriter, *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		var err error
-		var certificateID int
-		if certificateID, err = getURLParamInt(r, "certificateID"); err != nil {
-			h.ResultErrorJSON(w, r, http.StatusBadRequest, err.Error(), nil)
-			return
-		}
-
-		item, err := certificate.GetByID(certificateID)
-		switch err {
-		case sql.ErrNoRows:
-			h.NotFound(w, r)
-		case nil:
-			// Ensure that this upstream isn't in use by a host
-			cnt := host.GetCertificateUseCount(certificateID)
+		if item := getCertificateFromRequest(w, r); item != nil {
+			cnt := host.GetCertificateUseCount(item.ID)
 			if cnt > 0 {
 				h.ResultErrorJSON(w, r, http.StatusBadRequest, "Cannot delete certificate that is in use by at least 1 host", nil)
 				return
 			}
 			h.ResultResponseJSON(w, r, http.StatusOK, item.Delete())
-		default:
-			h.ResultErrorJSON(w, r, http.StatusBadRequest, err.Error(), nil)
 		}
 	}
 }
 
+// RenewCertificate is self explanatory
+// Route: PUT /certificates/{certificateID}/renew
+func RenewCertificate() func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if item := getCertificateFromRequest(w, r); item != nil {
+			configureCertificate(*item)
+			h.ResultResponseJSON(w, r, http.StatusOK, true)
+		}
+	}
+}
+
+// DownloadCertificate is self explanatory
+// Route: PUT /certificates/{certificateID}/download
+func DownloadCertificate() func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if item := getCertificateFromRequest(w, r); item != nil {
+			// todo
+			h.ResultResponseJSON(w, r, http.StatusOK, "ok")
+		}
+	}
+}
+
+// getCertificateFromRequest has some reusable code for all endpoints that
+// have a certificate id in the url. it will write errors to the output.
+func getCertificateFromRequest(w http.ResponseWriter, r *http.Request) *certificate.Model {
+	var err error
+	var certificateID int
+	if certificateID, err = getURLParamInt(r, "certificateID"); err != nil {
+		h.ResultErrorJSON(w, r, http.StatusBadRequest, err.Error(), nil)
+		return nil
+	}
+
+	certificateObject, err := certificate.GetByID(certificateID)
+	switch err {
+	case sql.ErrNoRows:
+		h.NotFound(w, r)
+	case nil:
+		return &certificateObject
+	default:
+		h.ResultErrorJSON(w, r, http.StatusBadRequest, err.Error(), nil)
+	}
+	return nil
+}
+
+// getCertificateFromRequest has some reusable code for all endpoints that
+// have a certificate id in the url. it will write errors to the output.
+func fillObjectFromBody(w http.ResponseWriter, r *http.Request, validationSchema string, o interface{}) bool {
+	bodyBytes, _ := r.Context().Value(c.BodyCtxKey).([]byte)
+
+	if validationSchema != "" {
+		schemaErrors, jsonErr := middleware.CheckRequestSchema(r.Context(), validationSchema, bodyBytes)
+		if jsonErr != nil {
+			h.ResultErrorJSON(w, r, http.StatusInternalServerError, fmt.Sprintf("Schema Fatal: %v", jsonErr), nil)
+			return false
+		}
+		if len(schemaErrors) > 0 {
+			h.ResultSchemaErrorJSON(w, r, schemaErrors)
+			return false
+		}
+	}
+
+	err := json.Unmarshal(bodyBytes, o)
+	if err != nil {
+		h.ResultErrorJSON(w, r, http.StatusBadRequest, h.ErrInvalidPayload.Error(), nil)
+		return false
+	}
+
+	return true
+}
+
 func configureCertificate(c certificate.Model) {
 	err := jobqueue.AddJob(jobqueue.Job{
 		Name:   "RequestCertificate",