navidrome/server/server.go

package server

import (
	"fmt"
	"net/http"
	"path"
	"time"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware"
	"github.com/go-chi/httprate"
	"github.com/navidrome/navidrome/conf"
	"github.com/navidrome/navidrome/consts"
	"github.com/navidrome/navidrome/core/auth"
	"github.com/navidrome/navidrome/log"
	"github.com/navidrome/navidrome/model"
	"github.com/navidrome/navidrome/ui"
)

type Server struct {
	router  *chi.Mux
	ds      model.DataStore
	appRoot string
}

func New(ds model.DataStore) *Server {
	s := &Server{ds: ds}
	initialSetup(ds)
	s.initRoutes()
	checkFfmpegInstallation()
	checkExternalCredentials()
	return s
}

func (s *Server) MountRouter(description, urlPath string, subRouter http.Handler) {
	urlPath = path.Join(conf.Server.BaseURL, urlPath)
	log.Info(fmt.Sprintf("Mounting %s routes", description), "path", urlPath)
	s.router.Group(func(r chi.Router) {
		r.Mount(urlPath, subRouter)
	})
}

var startTime = time.Now()

func (s *Server) Run(addr string) error {
	s.MountRouter("WebUI", consts.URLPathUI, s.frontendAssetsHandler())
	log.Info("Navidrome server is ready!", "address", addr, "startupTime", time.Since(startTime))
	server := &http.Server{
		Addr:              addr,
		ReadHeaderTimeout: consts.ServerReadHeaderTimeout,
		Handler:           s.router,
	}

	return server.ListenAndServe()
}

func (s *Server) initRoutes() {
	auth.Init(s.ds)

	s.appRoot = path.Join(conf.Server.BaseURL, consts.URLPathUI)

	r := chi.NewRouter()

	r.Use(secureMiddleware())
	r.Use(corsHandler())
	r.Use(middleware.RequestID)
	if conf.Server.ReverseProxyWhitelist == "" {
		r.Use(middleware.RealIP)
	}
	r.Use(middleware.Recoverer)
	r.Use(middleware.Compress(5, "application/xml", "application/json", "application/javascript"))
	r.Use(middleware.Heartbeat("/ping"))
	r.Use(clientUniqueIdAdder)
	r.Use(loggerInjector)
	r.Use(requestLogger)
	r.Use(robotsTXT(ui.BuildAssets()))
	r.Use(authHeaderMapper)
	r.Use(jwtVerifier)

	r.Route(path.Join(conf.Server.BaseURL, "/auth"), func(r chi.Router) {
		if conf.Server.AuthRequestLimit > 0 {
			log.Info("Login rate limit set", "requestLimit", conf.Server.AuthRequestLimit,
				"windowLength", conf.Server.AuthWindowLength)

			rateLimiter := httprate.LimitByIP(conf.Server.AuthRequestLimit, conf.Server.AuthWindowLength)
			r.With(rateLimiter).Post("/login", login(s.ds))
		} else {
			log.Warn("Login rate limit is disabled! Consider enabling it to be protected against brute-force attacks")

			r.Post("/login", login(s.ds))
		}
		r.Post("/createAdmin", createAdmin(s.ds))
	})

	// Redirect root to UI URL
	r.Get("/*", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, s.appRoot+"/", http.StatusFound)
	})
	r.Get(s.appRoot, func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, s.appRoot+"/", http.StatusFound)
	})

	s.router = r
}

// Serve UI app assets
func (s *Server) frontendAssetsHandler() http.Handler {
	r := chi.NewRouter()

	r.Handle("/", serveIndex(s.ds, ui.BuildAssets()))
	r.Handle("/*", http.StripPrefix(s.appRoot, http.FileServer(http.FS(ui.BuildAssets()))))
	return r
}
Move App to server package 2020-01-13 23:06:47 +01:00			`package server`
Removed Beego routing/controllers, converted to Chi. Also introduced Wire for dependency injection 2020-01-07 20:56:26 +01:00
			`import (`
Show name of router in log 2021-05-24 17:55:39 +02:00			`"fmt"`
Removed Beego routing/controllers, converted to Chi. Also introduced Wire for dependency injection 2020-01-07 20:56:26 +01:00			`"net/http"`
Add BaseURL configuration (fixes #103) 2020-04-03 23:50:42 +02:00			`"path"`
Show in the logs how long it took to startup 2021-11-04 18:48:38 +01:00			`"time"`
Removed Beego routing/controllers, converted to Chi. Also introduced Wire for dependency injection 2020-01-07 20:56:26 +01:00
Upgrade to go-chi 5 2021-05-11 23:21:18 +02:00			`"github.com/go-chi/chi/v5"`
			`"github.com/go-chi/chi/v5/middleware"`
Refactor routing, changes API URLs (#1171) * Make authentication part of the server, so it can be reused outside the Native API This commit has broken tests after a rebase * Serve frontend assets from `server`, and not from Native API * Change Native API URL * Fix auth tests * Refactor server authentication * Simplify authProvider, now subsonic token+salt comes from the server * Don't send JWT token to UI when authenticated via Request Header * Enable ReverseProxyWhitelist to be read from environment 2021-06-13 18:46:36 +02:00			`"github.com/go-chi/httprate"`
Rename project to Navidrome 2020-01-24 01:44:08 +01:00			`"github.com/navidrome/navidrome/conf"`
Add BaseURL configuration (fixes #103) 2020-04-03 23:50:42 +02:00			`"github.com/navidrome/navidrome/consts"`
Refactor routing, changes API URLs (#1171) * Make authentication part of the server, so it can be reused outside the Native API This commit has broken tests after a rebase * Serve frontend assets from `server`, and not from Native API * Change Native API URL * Fix auth tests * Refactor server authentication * Simplify authProvider, now subsonic token+salt comes from the server * Don't send JWT token to UI when authenticated via Request Header * Enable ReverseProxyWhitelist to be read from environment 2021-06-13 18:46:36 +02:00			`"github.com/navidrome/navidrome/core/auth"`
Rename project to Navidrome 2020-01-24 01:44:08 +01:00			`"github.com/navidrome/navidrome/log"`
			`"github.com/navidrome/navidrome/model"`
Remove dependency of go-bindata (#818) * Use new embed functionality for serving UI assets * Use new embed functionality for serving resources. Remove dependency on go-bindata * Remove Go 1.15 2021-03-12 17:06:51 +01:00			`"github.com/navidrome/navidrome/ui"`
Removed Beego routing/controllers, converted to Chi. Also introduced Wire for dependency injection 2020-01-07 20:56:26 +01:00			`)`

Move App to server package 2020-01-13 23:06:47 +01:00			`type Server struct {`
Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`router *chi.Mux`
			`ds model.DataStore`
			`appRoot string`
Removed Beego routing/controllers, converted to Chi. Also introduced Wire for dependency injection 2020-01-07 20:56:26 +01:00			`}`

Add better process lifecycle management 2020-10-25 03:43:59 +01:00			`func New(ds model.DataStore) *Server {`
Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`s := &Server{ds: ds}`
Created InitialSetup method that handles all steps required for starting the server for the first time 2020-01-20 21:17:43 +01:00			`initialSetup(ds)`
Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`s.initRoutes()`
Add `ffmpeg` detection at start-up 2020-10-06 23:24:16 +02:00			`checkFfmpegInstallation()`
Check for Last.FM and Spotify configuration at startup 2020-10-21 23:10:06 +02:00			`checkExternalCredentials()`
Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`return s`
Removed Beego routing/controllers, converted to Chi. Also introduced Wire for dependency injection 2020-01-07 20:56:26 +01:00			`}`

Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`func (s *Server) MountRouter(description, urlPath string, subRouter http.Handler) {`
Add BaseURL configuration (fixes #103) 2020-04-03 23:50:42 +02:00			`urlPath = path.Join(conf.Server.BaseURL, urlPath)`
Show name of router in log 2021-05-24 17:55:39 +02:00			`log.Info(fmt.Sprintf("Mounting %s routes", description), "path", urlPath)`
Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`s.router.Group(func(r chi.Router) {`
Add BaseURL configuration (fixes #103) 2020-04-03 23:50:42 +02:00			`r.Mount(urlPath, subRouter)`
Removed Beego routing/controllers, converted to Chi. Also introduced Wire for dependency injection 2020-01-07 20:56:26 +01:00			`})`
			`}`

Show in the logs how long it took to startup 2021-11-04 18:48:38 +01:00			`var startTime = time.Now()`

Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`func (s *Server) Run(addr string) error {`
			`s.MountRouter("WebUI", consts.URLPathUI, s.frontendAssetsHandler())`
Show in the logs how long it took to startup 2021-11-04 18:48:38 +01:00			`log.Info("Navidrome server is ready!", "address", addr, "startupTime", time.Since(startTime))`
Fix GO-S2114 security issue See https://deepsource.io/directory/analyzers/go/issues/GO-S2114 2022-09-27 04:33:42 +02:00			`server := &http.Server{`
			`Addr: addr,`
			`ReadHeaderTimeout: consts.ServerReadHeaderTimeout,`
Fix creating server (#1894) 2022-09-27 22:53:40 +02:00			`Handler: s.router,`
Fix GO-S2114 security issue See https://deepsource.io/directory/analyzers/go/issues/GO-S2114 2022-09-27 04:33:42 +02:00			`}`

			`return server.ListenAndServe()`
Removed Beego routing/controllers, converted to Chi. Also introduced Wire for dependency injection 2020-01-07 20:56:26 +01:00			`}`

Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`func (s *Server) initRoutes() {`
			`auth.Init(s.ds)`

			`s.appRoot = path.Join(conf.Server.BaseURL, consts.URLPathUI)`
Refactor routing, changes API URLs (#1171) * Make authentication part of the server, so it can be reused outside the Native API This commit has broken tests after a rebase * Serve frontend assets from `server`, and not from Native API * Change Native API URL * Fix auth tests * Refactor server authentication * Simplify authProvider, now subsonic token+salt comes from the server * Don't send JWT token to UI when authenticated via Request Header * Enable ReverseProxyWhitelist to be read from environment 2021-06-13 18:46:36 +02:00
Removed Beego routing/controllers, converted to Chi. Also introduced Wire for dependency injection 2020-01-07 20:56:26 +01:00			`r := chi.NewRouter()`

Add `secure` middleware, with sensible values 2020-10-04 20:29:33 +02:00			`r.Use(secureMiddleware())`
Allowing 3rd party UIs to access `x-total-count` http header (#1470) * Adding 'x-content-duratin' and 'x-total-count' to CORS exposed headers * Moving cors setup to middlewares.go * adding x-nd-authorization to exposed headers 2021-11-19 16:07:54 +01:00			`r.Use(corsHandler())`
Remove Beego tasks, make Importer available through DI 2020-01-08 15:39:58 +01:00			`r.Use(middleware.RequestID)`
Disable `realip` middleware when using the reverse proxy authentication feature Should fix https://github.com/navidrome/navidrome/pull/1152#issuecomment-862306847 2021-06-16 15:43:57 +02:00			`if conf.Server.ReverseProxyWhitelist == "" {`
			`r.Use(middleware.RealIP)`
			`}`
Remove Beego tasks, make Importer available through DI 2020-01-08 15:39:58 +01:00			`r.Use(middleware.Recoverer)`
Setting correct content-type for JSONP 2020-01-09 06:18:55 +01:00			`r.Use(middleware.Compress(5, "application/xml", "application/json", "application/javascript"))`
Remove Beego tasks, make Importer available through DI 2020-01-08 15:39:58 +01:00			`r.Use(middleware.Heartbeat("/ping"))`
Only send events to clients who need it - User events (star, rating, plays) only sent to same user - Don't send to the client (browser window) that originated the event 2021-06-16 00:35:08 +02:00			`r.Use(clientUniqueIdAdder)`
			`r.Use(loggerInjector)`
Move logger middleware to capture routing errors (ex: 405). (#877) * Fix #836 * Remove requestLogger middleware from MountRouter 2021-03-25 04:17:36 +01:00			`r.Use(requestLogger)`
Small refactorings 2021-07-21 00:43:15 +02:00			`r.Use(robotsTXT(ui.BuildAssets()))`
Refactor routing, changes API URLs (#1171) * Make authentication part of the server, so it can be reused outside the Native API This commit has broken tests after a rebase * Serve frontend assets from `server`, and not from Native API * Change Native API URL * Fix auth tests * Refactor server authentication * Simplify authProvider, now subsonic token+salt comes from the server * Don't send JWT token to UI when authenticated via Request Header * Enable ReverseProxyWhitelist to be read from environment 2021-06-13 18:46:36 +02:00			`r.Use(authHeaderMapper)`
			`r.Use(jwtVerifier)`

			`r.Route(path.Join(conf.Server.BaseURL, "/auth"), func(r chi.Router) {`
			`if conf.Server.AuthRequestLimit > 0 {`
			`log.Info("Login rate limit set", "requestLimit", conf.Server.AuthRequestLimit,`
			`"windowLength", conf.Server.AuthWindowLength)`
Removed Beego routing/controllers, converted to Chi. Also introduced Wire for dependency injection 2020-01-07 20:56:26 +01:00
Refactor routing, changes API URLs (#1171) * Make authentication part of the server, so it can be reused outside the Native API This commit has broken tests after a rebase * Serve frontend assets from `server`, and not from Native API * Change Native API URL * Fix auth tests * Refactor server authentication * Simplify authProvider, now subsonic token+salt comes from the server * Don't send JWT token to UI when authenticated via Request Header * Enable ReverseProxyWhitelist to be read from environment 2021-06-13 18:46:36 +02:00			`rateLimiter := httprate.LimitByIP(conf.Server.AuthRequestLimit, conf.Server.AuthWindowLength)`
Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`r.With(rateLimiter).Post("/login", login(s.ds))`
Refactor routing, changes API URLs (#1171) * Make authentication part of the server, so it can be reused outside the Native API This commit has broken tests after a rebase * Serve frontend assets from `server`, and not from Native API * Change Native API URL * Fix auth tests * Refactor server authentication * Simplify authProvider, now subsonic token+salt comes from the server * Don't send JWT token to UI when authenticated via Request Header * Enable ReverseProxyWhitelist to be read from environment 2021-06-13 18:46:36 +02:00			`} else {`
			`log.Warn("Login rate limit is disabled! Consider enabling it to be protected against brute-force attacks")`

Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`r.Post("/login", login(s.ds))`
Refactor routing, changes API URLs (#1171) * Make authentication part of the server, so it can be reused outside the Native API This commit has broken tests after a rebase * Serve frontend assets from `server`, and not from Native API * Change Native API URL * Fix auth tests * Refactor server authentication * Simplify authProvider, now subsonic token+salt comes from the server * Don't send JWT token to UI when authenticated via Request Header * Enable ReverseProxyWhitelist to be read from environment 2021-06-13 18:46:36 +02:00			`}`
Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`r.Post("/createAdmin", createAdmin(s.ds))`
Refactor routing, changes API URLs (#1171) * Make authentication part of the server, so it can be reused outside the Native API This commit has broken tests after a rebase * Serve frontend assets from `server`, and not from Native API * Change Native API URL * Fix auth tests * Refactor server authentication * Simplify authProvider, now subsonic token+salt comes from the server * Don't send JWT token to UI when authenticated via Request Header * Enable ReverseProxyWhitelist to be read from environment 2021-06-13 18:46:36 +02:00			`})`

Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`// Redirect root to UI URL`
Add a catchall route to redirect everything to app/index.html 2020-04-04 01:45:35 +02:00			`r.Get("/", func(w http.ResponseWriter, r http.Request) {`
Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`http.Redirect(w, r, s.appRoot+"/", http.StatusFound)`
Refactor routing, changes API URLs (#1171) * Make authentication part of the server, so it can be reused outside the Native API This commit has broken tests after a rebase * Serve frontend assets from `server`, and not from Native API * Change Native API URL * Fix auth tests * Refactor server authentication * Simplify authProvider, now subsonic token+salt comes from the server * Don't send JWT token to UI when authenticated via Request Header * Enable ReverseProxyWhitelist to be read from environment 2021-06-13 18:46:36 +02:00			`})`
Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`r.Get(s.appRoot, func(w http.ResponseWriter, r *http.Request) {`
			`http.Redirect(w, r, s.appRoot+"/", http.StatusFound)`
Removed Beego routing/controllers, converted to Chi. Also introduced Wire for dependency injection 2020-01-07 20:56:26 +01:00			`})`
Add routing for basic web ui 2020-01-20 01:34:54 +01:00
Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`s.router = r`
			`}`

			`// Serve UI app assets`
			`func (s *Server) frontendAssetsHandler() http.Handler {`
			`r := chi.NewRouter()`

Small refactorings 2021-07-21 00:43:15 +02:00			`r.Handle("/", serveIndex(s.ds, ui.BuildAssets()))`
			`r.Handle("/*", http.StripPrefix(s.appRoot, http.FileServer(http.FS(ui.BuildAssets()))))`
Rename `app` package to `nativeapi` 2021-06-14 01:15:41 +02:00			`return r`
Removed Beego routing/controllers, converted to Chi. Also introduced Wire for dependency injection 2020-01-07 20:56:26 +01:00			`}`