Merge pull request 'feat(subsonic): getUser + envelope-shaped 404 for /rest/*' (#11) from dev into main
This commit was merged in pull request #11.
This commit is contained in:
@@ -36,6 +36,16 @@ func Mount(r chi.Router, pool *pgxpool.Pool, logger *slog.Logger, cfg Config) {
|
||||
register(sub, "/download", m.handleDownload)
|
||||
register(sub, "/getCoverArt", m.handleGetCoverArt)
|
||||
register(sub, "/scrobble", m.handleScrobble)
|
||||
register(sub, "/getUser", handleGetUser)
|
||||
|
||||
// Subsonic clients expect every /rest/* miss to come back as a
|
||||
// Subsonic-shaped error envelope, not chi's plain-text 404. Without
|
||||
// this, hitting an unimplemented method (Feishin's first-login probe
|
||||
// hits getUser, getPlaylists, etc.) breaks the client's parser and
|
||||
// surfaces as a generic "failed to log in".
|
||||
sub.NotFound(func(w http.ResponseWriter, r *http.Request) {
|
||||
WriteFail(w, r, ErrGeneric, "Method not implemented")
|
||||
})
|
||||
_ = logger
|
||||
})
|
||||
}
|
||||
|
||||
@@ -0,0 +1,80 @@
|
||||
package subsonic
|
||||
|
||||
import (
|
||||
"encoding/xml"
|
||||
"net/http"
|
||||
|
||||
"git.fabledsword.com/bvandeusen/minstrel/internal/db/dbq"
|
||||
)
|
||||
|
||||
// UserResponse wraps the User payload Subsonic clients fetch right after
|
||||
// login to discover what the authenticated identity can do. Feishin uses
|
||||
// this to gate UI affordances; without it the login flow stalls.
|
||||
type UserResponse struct {
|
||||
Envelope
|
||||
User User `json:"user" xml:"user"`
|
||||
}
|
||||
|
||||
// User mirrors the role-bag from the Subsonic spec. We expose the full set
|
||||
// even though Minstrel doesn't model fine-grained ACLs yet — admins get
|
||||
// every role, non-admins get the "play music" subset. This keeps clients
|
||||
// from disabling features they could otherwise use.
|
||||
type User struct {
|
||||
XMLName xml.Name `json:"-" xml:"user"`
|
||||
Username string `json:"username" xml:"username,attr"`
|
||||
Email string `json:"email,omitempty" xml:"email,attr,omitempty"`
|
||||
ScrobblingEnabled bool `json:"scrobblingEnabled" xml:"scrobblingEnabled,attr"`
|
||||
AdminRole bool `json:"adminRole" xml:"adminRole,attr"`
|
||||
SettingsRole bool `json:"settingsRole" xml:"settingsRole,attr"`
|
||||
DownloadRole bool `json:"downloadRole" xml:"downloadRole,attr"`
|
||||
UploadRole bool `json:"uploadRole" xml:"uploadRole,attr"`
|
||||
PlaylistRole bool `json:"playlistRole" xml:"playlistRole,attr"`
|
||||
CoverArtRole bool `json:"coverArtRole" xml:"coverArtRole,attr"`
|
||||
CommentRole bool `json:"commentRole" xml:"commentRole,attr"`
|
||||
PodcastRole bool `json:"podcastRole" xml:"podcastRole,attr"`
|
||||
StreamRole bool `json:"streamRole" xml:"streamRole,attr"`
|
||||
JukeboxRole bool `json:"jukeboxRole" xml:"jukeboxRole,attr"`
|
||||
ShareRole bool `json:"shareRole" xml:"shareRole,attr"`
|
||||
VideoConversionRole bool `json:"videoConversionRole" xml:"videoConversionRole,attr"`
|
||||
}
|
||||
|
||||
// handleGetUser returns the authenticated user when no username is provided
|
||||
// or when the requested username matches; admins may look up any user. Per
|
||||
// spec a non-admin asking about another user gets ErrNotAuthorized.
|
||||
func handleGetUser(w http.ResponseWriter, r *http.Request) {
|
||||
caller, ok := UserFromContext(r.Context())
|
||||
if !ok {
|
||||
WriteFail(w, r, ErrNotAuthorized, "Not authenticated")
|
||||
return
|
||||
}
|
||||
requested := r.URL.Query().Get("username")
|
||||
if requested != "" && requested != caller.Username && !caller.IsAdmin {
|
||||
WriteFail(w, r, ErrNotAuthorized, "Not authorized to view other users")
|
||||
return
|
||||
}
|
||||
// We don't have a per-user lookup wired up yet; until then admins asking
|
||||
// for another username see the caller's roles. Acceptable while M1 has a
|
||||
// single user; revisit once user management lands.
|
||||
Write(w, r, UserResponse{
|
||||
Envelope: NewEnvelope("ok"),
|
||||
User: userPayload(caller),
|
||||
})
|
||||
}
|
||||
|
||||
func userPayload(u dbq.User) User {
|
||||
return User{
|
||||
Username: u.Username,
|
||||
ScrobblingEnabled: true,
|
||||
AdminRole: u.IsAdmin,
|
||||
SettingsRole: u.IsAdmin,
|
||||
DownloadRole: true,
|
||||
UploadRole: false,
|
||||
PlaylistRole: true,
|
||||
CoverArtRole: true,
|
||||
CommentRole: false,
|
||||
PodcastRole: false,
|
||||
StreamRole: true,
|
||||
JukeboxRole: false,
|
||||
ShareRole: false,
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,78 @@
|
||||
package subsonic
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.fabledsword.com/bvandeusen/minstrel/internal/db/dbq"
|
||||
)
|
||||
|
||||
func TestHandleGetUser_Self(t *testing.T) {
|
||||
user := dbq.User{Username: "alice", IsAdmin: false}
|
||||
w, body := callGetUser(t, user, "")
|
||||
|
||||
if w.Code != http.StatusOK {
|
||||
t.Fatalf("status = %d, want 200", w.Code)
|
||||
}
|
||||
if body.Resp.Status != "ok" {
|
||||
t.Errorf("status = %q, want ok", body.Resp.Status)
|
||||
}
|
||||
if body.Resp.User.Username != "alice" {
|
||||
t.Errorf("username = %q, want alice", body.Resp.User.Username)
|
||||
}
|
||||
if body.Resp.User.AdminRole {
|
||||
t.Error("non-admin should not have admin role")
|
||||
}
|
||||
if !body.Resp.User.StreamRole {
|
||||
t.Error("stream role must be on so clients enable playback")
|
||||
}
|
||||
}
|
||||
|
||||
func TestHandleGetUser_AdminGetsAdminRole(t *testing.T) {
|
||||
admin := dbq.User{Username: "admin", IsAdmin: true}
|
||||
_, body := callGetUser(t, admin, "")
|
||||
if !body.Resp.User.AdminRole || !body.Resp.User.SettingsRole {
|
||||
t.Errorf("admin/settings roles = %v/%v, want true/true",
|
||||
body.Resp.User.AdminRole, body.Resp.User.SettingsRole)
|
||||
}
|
||||
}
|
||||
|
||||
func TestHandleGetUser_NonAdminCannotLookupOthers(t *testing.T) {
|
||||
user := dbq.User{Username: "alice", IsAdmin: false}
|
||||
_, body := callGetUser(t, user, "bob")
|
||||
if body.Resp.Status != "failed" || body.Resp.Error == nil ||
|
||||
body.Resp.Error.Code != ErrNotAuthorized {
|
||||
t.Errorf("expected ErrNotAuthorized, got status=%q err=%+v",
|
||||
body.Resp.Status, body.Resp.Error)
|
||||
}
|
||||
}
|
||||
|
||||
type getUserPayload struct {
|
||||
Resp struct {
|
||||
Status string `json:"status"`
|
||||
Error *Error `json:"error"`
|
||||
User User `json:"user"`
|
||||
} `json:"subsonic-response"`
|
||||
}
|
||||
|
||||
func callGetUser(t *testing.T, user dbq.User, requestedUsername string) (*httptest.ResponseRecorder, getUserPayload) {
|
||||
t.Helper()
|
||||
url := "/rest/getUser.view?f=json"
|
||||
if requestedUsername != "" {
|
||||
url += "&username=" + requestedUsername
|
||||
}
|
||||
req := httptest.NewRequest("GET", url, nil)
|
||||
req = req.WithContext(context.WithValue(req.Context(), userCtxKey, user))
|
||||
w := httptest.NewRecorder()
|
||||
handleGetUser(w, req)
|
||||
|
||||
var body getUserPayload
|
||||
if err := json.NewDecoder(strings.NewReader(w.Body.String())).Decode(&body); err != nil {
|
||||
t.Fatalf("decode response: %v\nbody=%s", err, w.Body.String())
|
||||
}
|
||||
return w, body
|
||||
}
|
||||
Reference in New Issue
Block a user