Improve caching, HTTP headers and URL handling (#3594)

* Fix relative URLs * Improve login base URL and redirects * Prevent duplicate customlocales requests * Improve UI base URL handling * Improve UI embedding * Improve CSP header * Add Cache-Control headers to all responses * Improve CORS responses * Improve authentication handler * Add back media timestamp suffixes * Fix default image handling * Add default param to other image URLs
2025-12-17 12:24:38 +03:00 · 2023-04-19 05:01:32 +02:00
parent 87abe8c38c
commit b4b7cf02b6
74 changed files with 808 additions and 782 deletions
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -27,17 +27,25 @@ import (
 	"github.com/gorilla/websocket"
 	"github.com/vearutop/statigz"

+	"github.com/go-chi/cors"
 	"github.com/go-chi/httplog"
-	"github.com/rs/cors"
 	"github.com/stashapp/stash/internal/api/loaders"
 	"github.com/stashapp/stash/internal/manager"
 	"github.com/stashapp/stash/internal/manager/config"
 	"github.com/stashapp/stash/pkg/fsutil"
 	"github.com/stashapp/stash/pkg/logger"
 	"github.com/stashapp/stash/pkg/plugin"
+	"github.com/stashapp/stash/pkg/utils"
 	"github.com/stashapp/stash/ui"
 )

+const (
+	loginEndpoint      = "/login"
+	logoutEndpoint     = "/logout"
+	gqlEndpoint        = "/graphql"
+	playgroundEndpoint = "/playground"
+)
+
 var version string
 var buildstamp string
 var githash string
@@ -51,6 +59,7 @@ func Start() error {
 	r := chi.NewRouter()

 	r.Use(middleware.Heartbeat("/healthz"))
+	r.Use(cors.AllowAll().Handler)
 	r.Use(authenticateHandler())
 	visitedPluginHandler := manager.GetInstance().SessionStore.VisitedPluginHandler()
 	r.Use(visitedPluginHandler)
@@ -67,7 +76,6 @@ func Start() error {
 	r.Use(SecurityHeadersMiddleware)
 	r.Use(middleware.DefaultCompress)
 	r.Use(middleware.StripSlashes)
-	r.Use(cors.AllowAll().Handler)
 	r.Use(BaseURLMiddleware)

 	recoverFunc := func(ctx context.Context, err interface{}) error {
@@ -123,6 +131,7 @@ func Start() error {
 	gqlSrv.SetErrorPresenter(gqlErrorHandler)

 	gqlHandlerFunc := func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Cache-Control", "no-store")
 		gqlSrv.ServeHTTP(w, r)
 	}

@@ -132,14 +141,12 @@ func Start() error {
 	gqlHandler := visitedPluginHandler(dataloaders.Middleware(http.HandlerFunc(gqlHandlerFunc)))
 	manager.GetInstance().PluginCache.RegisterGQLHandler(gqlHandler)

-	r.HandleFunc("/graphql", gqlHandlerFunc)
-	r.HandleFunc("/playground", gqlPlayground.Handler("GraphQL playground", "/graphql"))
-
-	// session handlers
-	r.Post(loginEndPoint, handleLogin(loginUIBox))
-	r.Get(logoutEndPoint, handleLogout(loginUIBox))
-
-	r.Get(loginEndPoint, getLoginHandler(loginUIBox))
+	r.HandleFunc(gqlEndpoint, gqlHandlerFunc)
+	r.HandleFunc(playgroundEndpoint, func(w http.ResponseWriter, r *http.Request) {
+		setPageSecurityHeaders(w, r)
+		endpoint := getProxyPrefix(r) + gqlEndpoint
+		gqlPlayground.Handler("GraphQL playground", endpoint)(w, r)
+	})

 	r.Mount("/performer", performerRoutes{
 		txnManager:      txnManager,
@@ -174,36 +181,17 @@ func Start() error {

 	r.HandleFunc("/css", cssHandler(c, pluginCache))
 	r.HandleFunc("/javascript", javascriptHandler(c, pluginCache))
-	r.HandleFunc("/customlocales", func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "application/json")
-		if c.GetCustomLocalesEnabled() {
-			// search for custom-locales.json in current directory, then $HOME/.stash
-			fn := c.GetCustomLocalesPath()
-			exists, _ := fsutil.FileExists(fn)
-			if exists {
-				http.ServeFile(w, r, fn)
-				return
-			}
-		}
-		_, _ = w.Write([]byte("{}"))
-	})
+	r.HandleFunc("/customlocales", customLocalesHandler(c))

-	r.HandleFunc("/login*", func(w http.ResponseWriter, r *http.Request) {
-		ext := path.Ext(r.URL.Path)
-		if ext == ".html" || ext == "" {
-			prefix := getProxyPrefix(r.Header)
+	staticLoginUI := statigz.FileServer(loginUIBox.(fs.ReadDirFS))

-			data := getLoginPage(loginUIBox)
-			baseURLIndex := strings.Replace(string(data), "%BASE_URL%", prefix+"/", 2)
-			_, _ = w.Write([]byte(baseURLIndex))
-		} else {
-			r.URL.Path = strings.Replace(r.URL.Path, loginEndPoint, "", 1)
-			loginRoot, err := fs.Sub(loginUIBox, loginRootDir)
-			if err != nil {
-				panic(err)
-			}
-			http.FileServer(http.FS(loginRoot)).ServeHTTP(w, r)
-		}
+	r.Get(loginEndpoint, handleLogin(loginUIBox))
+	r.Post(loginEndpoint, handleLoginPost(loginUIBox))
+	r.Get(logoutEndpoint, handleLogout())
+	r.HandleFunc(loginEndpoint+"/*", func(w http.ResponseWriter, r *http.Request) {
+		r.URL.Path = strings.TrimPrefix(r.URL.Path, loginEndpoint)
+		w.Header().Set("Cache-Control", "no-cache")
+		staticLoginUI.ServeHTTP(w, r)
 	})

 	// Serve static folders
@@ -215,12 +203,10 @@ func Start() error {
 	}

 	customUILocation := c.GetCustomUILocation()
-	static := statigz.FileServer(uiBox)
+	staticUI := statigz.FileServer(uiBox.(fs.ReadDirFS))

 	// Serve the web app
 	r.HandleFunc("/*", func(w http.ResponseWriter, r *http.Request) {
-		const uiRootDir = "v2.5/build"
-
 		ext := path.Ext(r.URL.Path)

 		if customUILocation != "" {
@@ -234,29 +220,29 @@ func Start() error {

 		if ext == ".html" || ext == "" {
 			themeColor := c.GetThemeColor()
-			data, err := uiBox.ReadFile(uiRootDir + "/index.html")
+			data, err := fs.ReadFile(uiBox, "index.html")
 			if err != nil {
 				panic(err)
 			}
+			indexHtml := string(data)

-			prefix := getProxyPrefix(r.Header)
-			baseURLIndex := strings.ReplaceAll(string(data), "%COLOR%", themeColor)
-			baseURLIndex = strings.ReplaceAll(baseURLIndex, "/%BASE_URL%", prefix)
-			baseURLIndex = strings.Replace(baseURLIndex, "base href=\"/\"", fmt.Sprintf("base href=\"%s\"", prefix+"/"), 1)
-			_, _ = w.Write([]byte(baseURLIndex))
+			prefix := getProxyPrefix(r)
+			indexHtml = strings.ReplaceAll(indexHtml, "%COLOR%", themeColor)
+			indexHtml = strings.Replace(indexHtml, `<base href="/"`, fmt.Sprintf(`<base href="%s/"`, prefix), 1)
+
+			w.Header().Set("Content-Type", "text/html")
+			setPageSecurityHeaders(w, r)
+
+			utils.ServeStaticContent(w, r, []byte(indexHtml))
 		} else {
-			isStatic, _ := path.Match("/static/*/*", r.URL.Path)
+			isStatic, _ := path.Match("/assets/*", r.URL.Path)
 			if isStatic {
-				w.Header().Add("Cache-Control", "max-age=604800000")
+				w.Header().Set("Cache-Control", "public, max-age=31536000, immutable")
+			} else {
+				w.Header().Set("Cache-Control", "no-cache")
 			}

-			prefix := getProxyPrefix(r.Header)
-			if prefix != "" {
-				r.URL.Path = strings.TrimPrefix(r.URL.Path, prefix)
-			}
-			r.URL.Path = uiRootDir + r.URL.Path
-
-			static.ServeHTTP(w, r)
+			staticUI.ServeHTTP(w, r)
 		}
 	})

@@ -307,52 +293,34 @@ func Start() error {
 	return nil
 }

-func copyFile(w io.Writer, path string) (time.Time, error) {
+func copyFile(w io.Writer, path string) error {
 	f, err := os.Open(path)
 	if err != nil {
-		return time.Time{}, err
+		return err
 	}
 	defer f.Close()

-	info, err := f.Stat()
-	if err != nil {
-		return time.Time{}, err
-	}
-
 	_, err = io.Copy(w, f)

-	return info.ModTime(), err
+	return err
 }

-func serveFiles(w http.ResponseWriter, r *http.Request, name string, paths []string) {
+func serveFiles(w http.ResponseWriter, r *http.Request, paths []string) {
 	buffer := bytes.Buffer{}

-	latestModTime := time.Time{}
-
 	for _, path := range paths {
-		modTime, err := copyFile(&buffer, path)
+		err := copyFile(&buffer, path)
 		if err != nil {
 			logger.Errorf("error serving file %s: %v", path, err)
-		} else {
-			if modTime.After(latestModTime) {
-				latestModTime = modTime
-			}
-			buffer.Write([]byte("\n"))
 		}
+		buffer.Write([]byte("\n"))
 	}

-	// Always revalidate with server
-	w.Header().Set("Cache-Control", "no-cache")
-
-	bufferReader := bytes.NewReader(buffer.Bytes())
-	http.ServeContent(w, r, name, latestModTime, bufferReader)
+	utils.ServeStaticContent(w, r, buffer.Bytes())
 }

 func cssHandler(c *config.Instance, pluginCache *plugin.Cache) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// concatenate with plugin css files
-		w.Header().Set("Content-Type", "text/css")
-
 		// add plugin css files first
 		var paths []string

@@ -369,14 +337,13 @@ func cssHandler(c *config.Instance, pluginCache *plugin.Cache) func(w http.Respo
 			}
 		}

-		serveFiles(w, r, "custom.css", paths)
+		w.Header().Set("Content-Type", "text/css")
+		serveFiles(w, r, paths)
 	}
 }

 func javascriptHandler(c *config.Instance, pluginCache *plugin.Cache) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "text/javascript")
-
 		// add plugin javascript files first
 		var paths []string

@@ -393,7 +360,33 @@ func javascriptHandler(c *config.Instance, pluginCache *plugin.Cache) func(w htt
 			}
 		}

-		serveFiles(w, r, "custom.js", paths)
+		w.Header().Set("Content-Type", "text/javascript")
+		serveFiles(w, r, paths)
+	}
+}
+
+func customLocalesHandler(c *config.Instance) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		buffer := bytes.Buffer{}
+
+		if c.GetCustomLocalesEnabled() {
+			// search for custom-locales.json in current directory, then $HOME/.stash
+			path := c.GetCustomLocalesPath()
+			exists, _ := fsutil.FileExists(path)
+			if exists {
+				err := copyFile(&buffer, path)
+				if err != nil {
+					logger.Errorf("error serving file %s: %v", path, err)
+				}
+			}
+		}
+
+		if buffer.Len() == 0 {
+			buffer.Write([]byte("{}"))
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		utils.ServeStaticContent(w, r, buffer.Bytes())
 	}
 }

@@ -480,6 +473,47 @@ func makeTLSConfig(c *config.Instance) (*tls.Config, error) {
 	return tlsConfig, nil
 }

+func setPageSecurityHeaders(w http.ResponseWriter, r *http.Request) {
+	c := config.GetInstance()
+
+	defaultSrc := "data: 'self' 'unsafe-inline'"
+	connectSrc := "data: 'self'"
+	imageSrc := "data: *"
+	scriptSrc := "'self' 'unsafe-inline' 'unsafe-eval'"
+	styleSrc := "'self' 'unsafe-inline'"
+	mediaSrc := "blob: 'self'"
+
+	// Workaround Safari bug https://bugs.webkit.org/show_bug.cgi?id=201591
+	// Allows websocket requests to any origin
+	connectSrc += " ws: wss:"
+
+	// The graphql playground pulls its frontend from a cdn
+	if r.URL.Path == playgroundEndpoint {
+		connectSrc += " https://cdn.jsdelivr.net"
+		scriptSrc += " https://cdn.jsdelivr.net"
+		styleSrc += " https://cdn.jsdelivr.net"
+	}
+
+	if !c.IsNewSystem() && c.GetHandyKey() != "" {
+		connectSrc += " https://www.handyfeeling.com"
+	}
+
+	cspDirectives := fmt.Sprintf("default-src %s; connect-src %s; img-src %s; script-src %s; style-src %s; media-src %s;", defaultSrc, connectSrc, imageSrc, scriptSrc, styleSrc, mediaSrc)
+	cspDirectives += " worker-src blob:; child-src 'none'; object-src 'none'; form-action 'self';"
+
+	w.Header().Set("Referrer-Policy", "same-origin")
+	w.Header().Set("Content-Security-Policy", cspDirectives)
+}
+
+func SecurityHeadersMiddleware(next http.Handler) http.Handler {
+	fn := func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+
+		next.ServeHTTP(w, r)
+	}
+	return http.HandlerFunc(fn)
+}
+
 type contextKey struct {
 	name string
 }
@@ -488,35 +522,6 @@ var (
 	BaseURLCtxKey = &contextKey{"BaseURL"}
 )

-func SecurityHeadersMiddleware(next http.Handler) http.Handler {
-	fn := func(w http.ResponseWriter, r *http.Request) {
-		c := config.GetInstance()
-		connectableOrigins := "connect-src data: 'self'"
-
-		// Workaround Safari bug https://bugs.webkit.org/show_bug.cgi?id=201591
-		// Allows websocket requests to any origin
-		connectableOrigins += " ws: wss:"
-
-		// The graphql playground pulls its frontend from a cdn
-		connectableOrigins += " https://cdn.jsdelivr.net "
-
-		if !c.IsNewSystem() && c.GetHandyKey() != "" {
-			connectableOrigins += " https://www.handyfeeling.com"
-		}
-		connectableOrigins += "; "
-
-		cspDirectives := "default-src data: 'self' 'unsafe-inline';" + connectableOrigins + "img-src data: *; script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://cdn.jsdelivr.net 'unsafe-inline'; style-src-elem 'self' https://cdn.jsdelivr.net 'unsafe-inline'; media-src 'self' blob:; child-src 'none'; worker-src blob:; object-src 'none'; form-action 'self'"
-
-		w.Header().Set("Referrer-Policy", "same-origin")
-		w.Header().Set("X-Content-Type-Options", "nosniff")
-		w.Header().Set("X-XSS-Protection", "1")
-		w.Header().Set("Content-Security-Policy", cspDirectives)
-
-		next.ServeHTTP(w, r)
-	}
-	return http.HandlerFunc(fn)
-}
-
 func BaseURLMiddleware(next http.Handler) http.Handler {
 	fn := func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
@@ -525,7 +530,7 @@ func BaseURLMiddleware(next http.Handler) http.Handler {
 		if strings.Compare("https", r.URL.Scheme) == 0 || r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https" {
 			scheme = "https"
 		}
-		prefix := getProxyPrefix(r.Header)
+		prefix := getProxyPrefix(r)

 		baseURL := scheme + "://" + r.Host + prefix

@@ -541,11 +546,6 @@ func BaseURLMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(fn)
 }

-func getProxyPrefix(headers http.Header) string {
-	prefix := ""
-	if headers.Get("X-Forwarded-Prefix") != "" {
-		prefix = strings.TrimRight(headers.Get("X-Forwarded-Prefix"), "/")
-	}
-
-	return prefix
+func getProxyPrefix(r *http.Request) string {
+	return strings.TrimRight(r.Header.Get("X-Forwarded-Prefix"), "/")
 }