refactor: eliminate token usage in URL query

Author: bclswl0827

internal/server/middleware/auth_jwt/new.go

@@ -96,7 +96,7 @@ func New(timeSource *timesource.Source, actionHandler *action.Handler, expiratio
 		Timeout:     expiration,
 		MaxRefresh:  expiration,
 		TimeFunc:    timeSource.Now,
-		TokenLookup: "header: Authorization, query: token",
+		TokenLookup: "header: Authorization",
 	})
 	if err != nil {
 		return nil, err

internal/server/middleware/auth_jwt/websocket.go

@@ -0,0 +1,43 @@
+package auth_jwt
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+func NewWebsocketAuthAdapter() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		upgrade := strings.ToLower(c.GetHeader("Upgrade"))
+		connection := strings.ToLower(c.GetHeader("Connection"))
+
+		if upgrade != "websocket" || !strings.Contains(connection, "upgrade") {
+			c.Next()
+			return
+		}
+
+		protocol := c.GetHeader("Sec-WebSocket-Protocol")
+		if protocol == "" {
+			c.Next()
+			return
+		}
+
+		if token := extractBearerToken(protocol); token != "" {
+			c.Request.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+		}
+
+		c.Next()
+	}
+}
+
+func extractBearerToken(protocols string) string {
+	for _, p := range strings.Split(protocols, ",") {
+		p = strings.TrimSpace(p)
+		if strings.HasPrefix(p, "Bearer#") {
+			return strings.TrimPrefix(p, "Bearer#")
+		}
+	}
+
+	return ""
+}

internal/server/router/socket/setup.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/anyshake/observer/internal/hardware"
 	"github.com/anyshake/observer/internal/hardware/explorer"
+	"github.com/anyshake/observer/internal/server/middleware/auth_jwt"
 	"github.com/anyshake/observer/internal/server/response"
 	"github.com/anyshake/observer/pkg/logger"
 	"github.com/anyshake/observer/pkg/message"
@@ -25,7 +26,7 @@ func Setup(routerGroup *gin.RouterGroup, timeSource *timesource.Source, hardware
 		s.storeHistory(t, di, cd)
 	})
 
-	routerGroup.GET("/socket", jwtMiddleware, func(ctx *gin.Context) {
+	routerGroup.GET("/socket", auth_jwt.NewWebsocketAuthAdapter(), jwtMiddleware, func(ctx *gin.Context) {
 		upgrader := websocket.Upgrader{
 			ReadBufferSize:    1024,
 			WriteBufferSize:   1024,

internal/server/router/tiles/load.go

@@ -0,0 +1,52 @@
+package tiles
+
+import (
+	"encoding/binary"
+	"fmt"
+)
+
+func (h *mapTilesHandler) loadMapTile(z, x int) (*mapTileData, error) {
+	cacheKey := fmt.Sprintf("z%d/x%d", z, x)
+	if v, ok := h.cache.Get(cacheKey); ok {
+		return v, nil
+	}
+
+	data, err := h.tilesFs.ReadFile(fmt.Sprintf("%s/z%d/x%d.bin", h.baseDir, z, x))
+	if err != nil {
+		return nil, err
+	}
+
+	if len(data) < 4 {
+		return nil, fmt.Errorf("corrupt file")
+	}
+	count := binary.LittleEndian.Uint32(data[:4])
+	if len(data) < int(4+count*12) {
+		return nil, fmt.Errorf("corrupt header")
+	}
+	header := data[4 : 4+count*12]
+
+	objects := make([]mapTileDataObject, count)
+	for i := uint32(0); i < count; i++ {
+		base := i * 12
+		objects[i] = mapTileDataObject{
+			y:      binary.LittleEndian.Uint32(header[base:]),
+			offset: binary.LittleEndian.Uint32(header[base+4:]),
+			size:   binary.LittleEndian.Uint32(header[base+8:]),
+		}
+	}
+
+	for i := 1; i < len(objects); i++ {
+		if objects[i].y <= objects[i-1].y {
+			return nil, fmt.Errorf("bad index order: %d/%d", z, x)
+		}
+	}
+
+	tf := &mapTileData{
+		data:    data,
+		objects: objects,
+		base:    int64(4 + len(objects)*12),
+	}
+
+	h.cache.Add(cacheKey, tf)
+	return tf, nil
+}

internal/server/router/tiles/read.go

@@ -0,0 +1,31 @@
+package tiles
+
+import (
+	"fmt"
+	"sort"
+)
+
+func (h *mapTilesHandler) readMapTile(z, x, y int) ([]byte, error) {
+	tf, err := h.loadMapTile(z, x)
+	if err != nil {
+		return nil, err
+	}
+
+	i := sort.Search(len(tf.objects), func(i int) bool {
+		return tf.objects[i].y >= uint32(y)
+	})
+
+	if i >= len(tf.objects) || tf.objects[i].y != uint32(y) {
+		return nil, fmt.Errorf("tile not found")
+	}
+
+	e := tf.objects[i]
+	offset := tf.base + int64(e.offset)
+	end := offset + int64(e.size)
+
+	if end > int64(len(tf.data)) {
+		return nil, fmt.Errorf("data out of range")
+	}
+
+	return tf.data[offset:end], nil
+}

internal/server/router/tiles/setup.go

@@ -0,0 +1,54 @@
+package tiles
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+
+	"github.com/anyshake/observer/internal/server/response"
+	"github.com/anyshake/observer/web"
+	"github.com/gin-gonic/gin"
+	lru "github.com/hashicorp/golang-lru/v2"
+)
+
+func Setup(routerGroup *gin.RouterGroup, version string, jwtMiddleware gin.HandlerFunc) {
+	lruCache, _ := lru.New[string, *mapTileData](256)
+	fs, baseDir := web.NewMapTiles()
+	h := &mapTilesHandler{
+		tilesFs: fs,
+		baseDir: baseDir,
+		version: version,
+		cache:   lruCache,
+	}
+
+	routerGroup.GET("/tiles", jwtMiddleware, func(ctx *gin.Context) {
+		z, err := strconv.Atoi(ctx.Query("z"))
+		if err != nil || z < 0 {
+			response.Error(ctx, http.StatusBadRequest, "invalid Z index")
+			return
+		}
+		x, err := strconv.Atoi(ctx.Query("x"))
+		if err != nil || x < 0 {
+			response.Error(ctx, http.StatusBadRequest, "invalid X index")
+			return
+		}
+		y, err := strconv.Atoi(ctx.Query("y"))
+		if err != nil || y < 0 {
+			response.Error(ctx, http.StatusBadRequest, "invalid Y index")
+			return
+		}
+
+		data, err := h.readMapTile(z, x, y)
+		if err != nil {
+			response.Error(ctx, http.StatusNotFound, "tile not found")
+			return
+		}
+
+		if len(data) > 2 && data[0] == 0x1f && data[1] == 0x8b {
+			ctx.Header("Content-Encoding", "gzip")
+		}
+		ctx.Header("Cache-Control", "public, max-age=31536000, immutable")
+		ctx.Header("ETag", h.version)
+		response.Blob(ctx, fmt.Sprintf("maptile-z%d-x%d-y%d", z, x, y), "application/vnd.mapbox-vector-tile", data)
+	})
+}

internal/server/router/tiles/types.go

@@ -0,0 +1,26 @@
+package tiles
+
+import (
+	"embed"
+
+	lru "github.com/hashicorp/golang-lru/v2"
+)
+
+type mapTileDataObject struct {
+	y      uint32
+	offset uint32
+	size   uint32
+}
+
+type mapTileData struct {
+	objects []mapTileDataObject
+	data    []byte
+	base    int64
+}
+
+type mapTilesHandler struct {
+	tilesFs embed.FS
+	baseDir string
+	version string // for http cache invalidation
+	cache   *lru.Cache[string, *mapTileData]
+}

internal/server/setup.go

@@ -21,6 +21,7 @@ import (
 	"github.com/anyshake/observer/internal/server/router/files"
 	graph_resolver "github.com/anyshake/observer/internal/server/router/graph"
 	"github.com/anyshake/observer/internal/server/router/socket"
+	"github.com/anyshake/observer/internal/server/router/tiles"
 	"github.com/anyshake/observer/web"
 	"github.com/gin-contrib/cors"
 	gzipHandler "github.com/gin-contrib/gzip"
@@ -38,14 +39,14 @@ func (s *HttpServer) Setup(listen string) error {
 	s.engine.Use(gzipHandler.Gzip(
 		gzip.BestCompression,
 		gzipHandler.WithExcludedPaths([]string{
-			"/tiles", // Map tiles are already compressed
+			"/api/tiles", // Map tiles are already compressed
 		}),
 	))
 	s.engine.Use(secure.Secure(secure.Options{
 		FrameDeny:             true,
 		BrowserXssFilter:      true,
 		ContentTypeNosniff:    true,
-		ContentSecurityPolicy: "default-src 'self'; connect-src 'self' https://anyshake.org; style-src 'self' https://cdn.jsdelivr.net 'unsafe-inline'; script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline' 'wasm-unsafe-eval'; font-src 'self' data:; img-src 'self' data: blob:;",
+		ContentSecurityPolicy: "default-src 'self'; connect-src 'self' https://anyshake.org; style-src 'self' https://cdn.jsdelivr.net 'unsafe-inline'; script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline' 'wasm-unsafe-eval'; font-src 'self' data:; img-src 'self' data: blob:;worker-src 'self' blob:;",
 	}))
 	if s.cors {
 		s.engine.Use(cors.New(cors.Config{
@@ -74,6 +75,7 @@ func (s *HttpServer) Setup(listen string) error {
 	export.Setup(api, s.resolver.ActionHandler, s.resolver.HardwareDev, jwtMiddlewareFn)
 	socket.Setup(api, s.resolver.TimeSource, s.resolver.HardwareDev, jwtMiddlewareFn)
 	files.Setup(api, s.resolver.ServiceMap, jwtMiddlewareFn)
+	tiles.Setup(api, s.resolver.CurrentVersion.String(), jwtMiddlewareFn)
 
 	graphql := handler.NewDefaultServer(graph_resolver.NewExecutableSchema(graph_resolver.Config{Resolvers: s.resolver}))
 	graphql.SetRecoverFunc(func(ctx context.Context, err any) (userMessage error) {
@@ -96,12 +98,6 @@ func (s *HttpServer) Setup(listen string) error {
 		})
 	}
 
-	mapTileHandler, err := web.NewMapTilesHandler(128)
-	if err != nil {
-		return fmt.Errorf("failed to create map tile handler: %w", err)
-	}
-	s.engine.GET("/tiles", mapTileHandler)
-
 	webFs, webPath := web.NewWebDist()
 	s.engine.Use(static.Serve("/", static.EmbedFolder(webFs, webPath)))
 

web/dist.go web/new.goweb/dist.go renamed to web/new.go

@@ -10,3 +10,10 @@ var dist embed.FS
 func NewWebDist() (embed.FS, string) {
 	return dist, "dist"
 }
+
+//go:embed tiles
+var tiles embed.FS
+
+func NewMapTiles() (embed.FS, string) {
+	return tiles, "tiles"
+}

web/src/.env.development

@@ -4,5 +4,5 @@ VITE_APP_BACKEND_BASE_HOST=http://127.0.0.1:8073
 VITE_APP_RESTFUL_API_BASE_PATH=/api
 VITE_APP_WEBSOCKET_API_ENDPOINT=/api/socket
 VITE_APP_GRAPHQL_API_ENDPOINT=/api/graphql
-VITE_APP_MAPTILES_API_ENDPOINT=/tiles
+VITE_APP_MAPTILES_API_ENDPOINT=/api/tiles
 VITE_APP_CTA_MESSAGE_DATA_BASE_URL=http://127.0.0.1:8000/cta-messages