eod commit

added jwt, sqlite, build sh
updated .gitignore
2025-11-27 22:11:13 +01:00 · 2025-11-27 20:45:50 +01:00 · 2025-11-27 17:31:00 +01:00
12 changed files with 366 additions and 132 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,7 @@ main
 *.zst
 *.gzip
 *.env
+*.db

 bin/

--- a/app/build
+++ b/app/build
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+cd src
+v install fleximus.argon2
+v install thomaspeissl.dotenv
+v -prod -cflags "-static" -os linux -o ../../build/app/cdn .
--- a/app/src/crypto/crypto.v
+++ b/app/src/crypto/crypto.v
@@ -0,0 +1,16 @@
+module crypto
+
+import rand
+import fleximus.argon2
+
+pub struct Crypto {}
+
+pub fn Crypto.hash_password(password string) !string {
+	salt := rand.bytes(16) or { return error('failed to generate salt: ${err}') }
+	hash := argon2.hash(password.bytes(), salt) or { return error('argon2 hash failed: ${err}') }
+	return hash
+}
+
+pub fn Crypto.hash_verify(password string, hash string) !bool {
+	return argon2.verify(hash, password.bytes()) or { return error('argon2 verify failed: ${err}') }
+}
--- a/app/src/database/db.v
+++ b/app/src/database/db.v
@@ -1,22 +1,14 @@
 module database

 import os
-import rand
+import orm
 import util
-// import db.mysql
-// import db.redis
-import fleximus.argon2
+import db.sqlite

-pub struct Crypto {}
-
-pub fn Crypto.hash_password(password string) !string {
-	salt := rand.bytes(16) or { return error('failed to generate salt: ${err}') }
-	hash := argon2.hash(password.bytes(), salt) or { return error('argon2 hash failed: ${err}') }
-	return hash
-}
-
-pub fn Crypto.hash_verify(password string, hash string) !bool {
-	return argon2.verify(hash, password.bytes()) or { return error('argon2 verify failed: ${err}') }
+pub struct Database {
+	cfg util.Config
+mut:
+	conn sqlite.DB
 }

 pub fn get_dummy_exclusion_list(exe string, root string) []string {
@@ -26,42 +18,52 @@ pub fn get_dummy_exclusion_list(exe string, root string) []string {
 	]
 }

-// struct Database {
-// mut:
-// 	conn mysql.DB
-// }
-//
-// pub fn get_connection(cfg util.Config) !&Database {
-// 	// connection := mysql.connect(mysql.Config{
-// 	// 	host:     cfg.database.host
-// 	// 	// port:     u32(cfg.database.port)
-// 	// 	dbname:   'CDN_DATABASE'
-// 	// 	username: cfg.database.username
-// 	// 	password: cfg.database.password
-// 	// })!
-//
-// 	//return &Database{ conn: connection }
-// 	return &Database{}
-// }
-//
-// pub fn (mut db Database) query[T](query_fn fn(conn &mysql.Connection) ![]T) ![]T {
-// 	result := query_fn(db.conn) or {
-// 		// Connection died, reconnect
-// 		db.conn = mysql.connect(db.config)!
-// 		return query_fn(db.conn)!
-// 	}
-// 	return result
-// }
-//
-// pub fn Database.test() {}
+fn get_connection(cfg util.Config) !sqlite.DB {
+	conn := sqlite.connect(cfg.database)!

-// pub fn test() ! {
-// 	mut r := redis.connect(redis.Config{
-// 		host:     'vpn.security-command.org'
-// 		port:     6767
-// 		password: 'SuperSecretPassword123'
-// 	})!
-//
-// 	pong := r.ping() or { panic(err) }
-// 	println(pong)
-// }
+	if cfg.debug {
+		conn.synchronization_mode(.off)!
+		conn.journal_mode(.memory)!
+	}
+
+	sql conn {
+		create table Users
+		create table Files
+		create table Logins
+	}!
+
+	return conn
+}
+
+pub fn get_database(cfg util.Config) !&Database {
+	return &Database{
+		cfg:  cfg
+		conn: get_connection(cfg)!
+	}
+}
+
+pub fn (mut db Database) query[T](statement orm.QueryBuilder[T]) ![]T {
+	if !db.conn.validate() or { false } {
+		db.conn = get_connection(db.cfg)!
+	}
+
+	return statement.query()!
+}
+
+pub fn (db Database) get_query_builder[T]() &orm.QueryBuilder[T] {
+	return orm.new_query[T](db.conn)
+}
+
+pub fn test(cfg util.Config) !bool {
+	mut db := get_database(cfg)!
+
+	db.conn.validate()!
+	db.conn.close()!
+
+	mut qb := orm.new_query[Users](db.conn)
+
+	result := db.query[Users](qb)!
+	println(result.str())
+
+	return true
+}
--- a/app/src/database/tables.v
+++ b/app/src/database/tables.v
@@ -1,23 +1,24 @@
 module database

-//
-// @[table: 'users']
-// struct Users {
-// 	id            int    @[primary; serial]
-// 	name          string @[nonnull; unique]
-// 	password_hash string @[nonnull]
-// }
-//
-// @[table: 'login_attempts']
-// struct Logins {
-// 	ip           string @[primary]
-// 	attempts     int    @[nonnull]
-// 	attempt_time string @[default: 'CURRENT_TIMESTAMP'; nonnull]
-// }
-//
-// @[table: 'files']
-// struct Files {
-// 	id      int    @[primary; serial]
-// 	path    string @[nonnull; unique]
-// 	visible bool   @[default: false; nonnull]
-// }
+import time
+
+@[table: 'users']
+pub struct Users {
+	id       int    @[primary; serial]
+	username string @[nonnull; unique]
+	password string @[nonnull]
+}
+
+@[table: 'login_attempts']
+pub struct Logins {
+	ip           string    @[primary]
+	attempts     int       @[nonnull]
+	attempt_time time.Time @[nonnull]
+}
+
+@[table: 'files']
+pub struct Files {
+	id      int    @[primary; serial]
+	path    string @[nonnull; unique]
+	visible bool   @[default: false; nonnull]
+}
--- a/app/src/jwt/algoritm.v
+++ b/app/src/jwt/algoritm.v
@@ -0,0 +1,19 @@
+module jwt
+
+pub interface Algorithm {
+	name string
+	sign(contents string, secretOrKey string) !string
+	verify(token string, secretOrKey string) !Token
+}
+
+pub enum AlgorithmType {
+	hs256
+}
+
+pub fn new_algorithm(algorithmType AlgorithmType) Algorithm {
+	match algorithmType {
+		.hs256 {
+			return HS256{}
+		}
+	}
+}
--- a/app/src/jwt/hs256.v
+++ b/app/src/jwt/hs256.v
@@ -0,0 +1,33 @@
+module jwt
+
+import crypto.hmac
+import crypto.sha256
+import encoding.base64
+
+pub struct HS256 {
+pub:
+	name string = 'HS256'
+}
+
+pub fn (algorithm HS256) sign(content string, secret string) !string {
+	signature := base64.url_encode(hmac.new(secret.bytes(), content.bytes(), sha256.sum,
+		sha256.block_size))
+	return signature
+}
+
+pub fn (algorithm HS256) verify(token_raw string, secret string) !Token {
+	token := parse_token(token_raw)!
+	parts := token_raw.split('.')
+	header := parts[0]
+	claims := parts[1]
+	signed := algorithm.sign('${header}.${claims}', secret)!
+
+	if signed != token.signature {
+		return error('Invalid token')
+	}
+	if token.is_expired() {
+		return error('Token already expired')
+	}
+
+	return token
+}
--- a/app/src/jwt/jwt.v
+++ b/app/src/jwt/jwt.v
@@ -0,0 +1,40 @@
+module jwt
+
+import json
+import time
+import x.json2
+import encoding.base64
+
+pub fn encode[T](claims T, algorithm Algorithm, secretOrKey string, exp int) !string {
+	header := new_header(algorithm)
+	header_b64 := base64.url_encode(json.encode(header).bytes())
+
+	mut claims_final := json2.decode[json2.Any](json.encode(claims))!.as_map()
+
+	if exp != 0 {
+		claims_final['exp'] = time.now().unix() + exp
+	}
+
+	claims_b64 := base64.url_encode(claims_final.str().bytes())
+	contents := '${header_b64}.${claims_b64}'
+	signature := algorithm.sign(contents, secretOrKey)!
+
+	return '${contents}.${signature}'
+}
+
+pub fn verify[T](token string, algorithm Algorithm, secretOrKey string) !T {
+	return algorithm.verify(token, secretOrKey)!.parse_claims[T]()
+}
+
+pub struct UserJwt {
+pub:
+	id string
+}
+
+pub fn create(user_id string, secret string) !string {
+	return encode[UserJwt](UserJwt{ id: user_id }, new_algorithm(.hs256), secret, 7 * 24 * 60 * 60)!
+}
+
+pub fn decode(token string, secret string) !string {
+	return verify[UserJwt](token, new_algorithm(.hs256), secret)!.id
+}
--- a/app/src/jwt/structs.v
+++ b/app/src/jwt/structs.v
@@ -0,0 +1,65 @@
+module jwt
+
+import json
+import time
+import x.json2
+import encoding.base64
+
+pub struct JWTHeader {
+pub:
+	alg string
+	typ string = 'JWT'
+}
+
+fn new_header(algorithm Algorithm) JWTHeader {
+	return JWTHeader{
+		alg: algorithm.name.str().to_upper()
+	}
+}
+
+struct Token {
+pub:
+	header     JWTHeader
+	claims     string
+	signature  string
+	expiration int
+}
+
+pub fn (t Token) parse_claims[T]() !T {
+	return json.decode(T, t.claims)
+}
+
+pub fn (t Token) is_expired() bool {
+	return t.expiration == -1 || time.unix(t.expiration) < time.now()
+}
+
+pub fn parse_token(token_raw string) !Token {
+	parts := token_raw.split('.')
+	if parts.len != 3 {
+		return error('Invalid token')
+	}
+
+	header_raw := if parts[0].len % 4 == 0 { parts[0] } else { parts[0] + '==' }
+	claims_raw := if parts[1].len % 4 == 0 { parts[1] } else { parts[1] + '==' }
+
+	decoded_header := base64.decode_str(header_raw)
+	decoded_claims := base64.decode_str(claims_raw)
+
+	claims := json2.decode[json2.Any](decoded_claims)!.as_map()
+
+	mut expiration_given := true
+
+	expiration_unix := claims['exp'] or {
+		expiration_given = false
+		json2.Null{}
+	}
+
+	token := Token{
+		header:     json.decode(JWTHeader, decoded_header)!
+		claims:     decoded_claims
+		signature:  parts[2]
+		expiration: if expiration_given { expiration_unix.int() } else { -1 }
+	}
+
+	return token
+}
--- a/app/src/main.v
+++ b/app/src/main.v
@@ -2,9 +2,13 @@ module main

 import os
 import veb
+import jwt
 import util
 import database
 import thomaspeissl.dotenv
+import sync
+import orm
+import time

 // structs

@@ -14,12 +18,16 @@ pub mut:
 	id   int
 }

+pub struct CachedUser {
+pub:
+	user      User
+	expires   int // unix seconds
+}
+
 pub struct Context {
 	veb.Context
 pub mut:
-	embed      util.Embedded
 	user  User
-	session_id string
 }

 pub struct App {
@@ -27,8 +35,12 @@ pub struct App {
 	veb.StaticHandler
 	veb.Middleware[Context]
 pub:
-	cfg   &util.Config
+	cfg   	   util.Config
 	embed 	   util.Embedded
+	cache_lock sync.RwMutex
+	user_cache map[string]CachedUser
+pub mut:
+	database database.Database
 }

 pub struct Auth {
@@ -40,8 +52,8 @@ pub:

@['/:path...']
 pub fn (app &App) root(mut ctx Context, path string) veb.Result {
-	abs_root := util.Utility.normalize_path(os.abs_path(app.cfg.root))
-	abs_path := util.Utility.normalize_path(abs_root + os.abs_path(path))
+	abs_root := util.Utility.normalize_path(os.real_path(app.cfg.root))
+	abs_path := util.Utility.normalize_path(os.real_path(os.join_path(abs_root, path)))

 	if !abs_path.starts_with(abs_root) && abs_path != abs_root {
 		return ctx.forbidden()
@@ -82,10 +94,77 @@ pub fn (auth &Auth) register(mut ctx Context) veb.Result {
 	return ctx.text('register')
 }

+// middleware
+
+fn (mut app &App) prepare() fn (mut Context) bool {
+	return fn [mut app] (mut ctx Context) bool {
+		ctx.app = &app
+		return true
+	}
+}
+
+pub fn session(mut ctx Context) bool {
+	token := ctx.get_cookie('veb_session') or { '' }
+	if token == '' {
+		return true
+	}
+
+	if id := jwt.decode(token, ctx.app.cfg.jwt_key)  {
+		query := ctx.app.database.get_query_builder[database.Users]().where('id = ?', id) or { return true }
+		result := ctx.app.database.query[database.Users](query)  or { return true }
+
+		ctx.user = result.first()
+	}
+
+	return true
+}
+
+// fn (mut app App) get_user_by_id_cached(id int) ?User {
+// 	key := id.str()
+// 	now := time.now().unix()
+//
+// 	// read lock -> quick path
+// 	app.cache_lock.rlock()
+// 	if cu := app.user_cache[key] {
+// 		if cu.expires > int(now) {
+// 			app.cache_lock.runlock()
+// 			return cu.user
+// 		}
+// 	}
+// 	app.cache_lock.runlock()
+//
+// 	// miss or expired -> fetch from DB
+// 	// assume you have a DB pool on app or ctx.db gives you a connection
+// 	// This example uses app-level DB access via a helper; adapt if your DB is on ctx.
+// 	row := app.get_db().exec_param('SELECT id, name FROM users WHERE id = $1', key) or {
+// 		return error('db error')
+// 	}
+// 	if row.len == 0 {
+// 		return error('not found')
+// 	}
+//
+// 	fetched := User{
+// 		id: row[0].valint(0)
+// 		name: row[0].vals[1]
+// 	}
+//
+// 	// write lock -> populate cache
+// 	app.cache_lock.lock()
+// 	app.user_cache[key] = CachedUser{
+// 		user: fetched
+// 		expires: int(now) + 60 // TTL = 60s, tune to taste
+// 	}
+// 	app.cache_lock.unlock()
+//
+// 	return fetched
+// }
+
+
+
 // utility

 fn (mut ctx Context) error_page(code int, short string, long string) string {
-	style := ctx.embed.error_css.clone()
+	style := ctx.app.embed.error_css.clone()
 	return $tmpl('template/error.html')
 }

@@ -111,65 +190,42 @@ pub fn (mut ctx Context) server_error(msg string) veb.Result {

 // main

-fn populate() (&util.Config, &util.Embedded) {
+fn populate() (util.Config, util.Embedded) {
 	dotenv.load()
-	dotenv.require('CDN_DB_HOST', 'CDN_DB_PORT')

 	executable := os.executable()
 	def_root := os.dir(executable)
 	def_port := int($d('port', 6767))
-	def_user := $d('username', 'cdn')
-	def_pass := $d('password', 'totallySafeCdnDatabasePassword1235')
+	def_sqlt := $d('database', 'cdn_web.db')
+	def_jwt := $d('jwt', 'supersecurejwttokenkey')

-	return &util.Config{
+	// vfmt off
+	return util.Config{
 		exe:      util.Utility.normalize_path(executable)
-		root:     util.Utility.normalize_path(if os.getenv('CDN_ROOT') != '' {
-			util.Utility.resolve_path(def_root, os.getenv('CDN_ROOT').str())
-		} else {
-			def_root
-		})
+		root:     util.Utility.normalize_path(if os.getenv('CDN_ROOT') != '' { util.Utility.resolve_path(def_root, os.getenv('CDN_ROOT').str()) } else { def_root })
 		port:     if os.getenv('CDN_PORT')    != '' { os.getenv('CDN_PORT').int()    } else { def_port }
-		database: &util.Database{
-			host:     os.getenv('CDN_DB_HOST').str()
-			port:     os.getenv('CDN_DB_PORT').int()
-			username: if os.getenv('CDN_DB_USERNAME') != '' {
-				os.getenv('CDN_DB_USERNAME').str()
-			} else {
-				def_user
-			}
-			password: if os.getenv('CDN_DB_PASSWORD') != '' {
-				os.getenv('CDN_DB_PASSWORD').str()
-			} else {
-				def_pass
-			}
-		}
-	}, &util.Embedded{
+		jwt_key:  if os.getenv('CDN_JWT_KEY') != '' { os.getenv('CDN_JWT_KEY').str() } else { def_jwt  }
+		database: if os.getenv('CDN_SQL_DSN') != '' { os.getenv('CDN_SQL_DSN').str() } else { def_sqlt }
+	}, util.Embedded{
 		style_css: $embed_file('template/assets/style.css', .zlib).to_string()
 		error_css: $embed_file('template/assets/error.css', .zlib).to_string()
 	}
+	// vfmt on
 }

 fn main() {
-	cfg, mut embed := populate()
-	mut app := &App{
-		cfg:   cfg
-		embed: embed
-	}
-	mut auth := &Auth{
-		app: &app
-	}
+	// vfmt off
+	mut cfg, mut embed := populate()
+	mut app := &App{ cfg: cfg, embed: embed, database: database.get_database(cfg)! }
+	mut auth := &Auth{ app: &app }
+	// vfmt on

 	app.register_controller[Auth, Context]('/auth', mut auth)!

 	app.enable_static_compression = true
 	app.use(veb.encode_auto[Context]())
-
-	app.use(veb.MiddlewareOptions[Context]{
-		handler: fn [mut embed] (mut ctx Context) bool {
-			ctx.embed = embed
-			return true
-		}
-	})
+	app.use(handler: app.prepare())
+	app.use(handler: session)

 	veb.run[App, Context](mut app, app.cfg.port)
 }
--- a/app/src/util/http.v
+++ b/app/src/util/http.v
@@ -0,0 +1 @@
+module util
--- a/app/src/util/structs.v
+++ b/app/src/util/structs.v
@@ -5,20 +5,14 @@ import os
 import time
 import encoding.base64

-pub struct Database {
-pub:
-	host     string
-	port     int
-	username string
-	password string
-}
-
 pub struct Config {
 pub:
 	exe      string
 	root     string
 	port     int
-	database Database
+	debug    bool
+	jwt_key  string
+	database string
 }

 pub struct Embedded {
@@ -159,7 +153,7 @@ pub fn Utility.list_files(dir_path string, relative string, exclude []string) ![
 }

 pub fn Utility.normalize_path(path string) string {
-	return path.replace('\\', '/')
+	return path.replace('\\', '/').replace('//', '/')
 }

 pub struct HtmlBuilder {}
Author	SHA1	Message	Date
Overlord	58849118d8	eod commit	2025-11-27 22:11:13 +01:00
Overlord	09539a9cd0	added jwt, sqlite, build sh	2025-11-27 20:45:50 +01:00
Overlord	6c6dfade42	updated .gitignore	2025-11-27 17:31:00 +01:00