fix: hotfix for invalid api base url prefix (#203)

routes/api/heartbeat.go

@@ -6,6 +6,7 @@ import (
 	conf "github.com/muety/wakapi/config"
 	"github.com/muety/wakapi/middlewares"
 	customMiddleware "github.com/muety/wakapi/middlewares/custom"
+	routeutils "github.com/muety/wakapi/routes/utils"
 	"github.com/muety/wakapi/services"
 	"github.com/muety/wakapi/utils"
 	"net/http"
@@ -34,12 +35,14 @@ type heartbeatResponseVm struct {
 }
 
 func (h *HeartbeatApiHandler) RegisterRoutes(router *mux.Router) {
-	r := router.PathPrefix("/heartbeat").Subrouter()
+	r := router.PathPrefix("").Subrouter()
 	r.Use(
 		middlewares.NewAuthenticateMiddleware(h.userSrvc).Handler,
 		customMiddleware.NewWakatimeRelayMiddleware().Handler,
 	)
-	r.Methods(http.MethodPost).HandlerFunc(h.Post)
+	r.PathPrefix("/heartbeat").Methods(http.MethodPost).HandlerFunc(h.Post)
+	r.PathPrefix("/v1/users/{user}/heartbeats").Methods(http.MethodPost).HandlerFunc(h.Post)
+	r.PathPrefix("/compat/wakatime/v1/users/{user}/heartbeats").Methods(http.MethodPost).HandlerFunc(h.Post)
 }
 
 // @Summary Push a new heartbeat
@@ -51,8 +54,12 @@ func (h *HeartbeatApiHandler) RegisterRoutes(router *mux.Router) {
 // @Success 201
 // @Router /heartbeat [post]
 func (h *HeartbeatApiHandler) Post(w http.ResponseWriter, r *http.Request) {
+	user, err := routeutils.CheckEffectiveUser(w, r, h.userSrvc, "current")
+	if err != nil {
+		return // response was already sent by util function
+	}
+
 	var heartbeats []*models.Heartbeat
-	user := middlewares.GetPrincipal(r)
 	opSys, editor, _ := utils.ParseUserAgent(r.Header.Get("User-Agent"))
 	machineName := r.Header.Get("X-Machine-Name")
 

routes/compat/wakatime/v1/all_time.go

@@ -6,6 +6,7 @@ import (
 	"github.com/muety/wakapi/middlewares"
 	"github.com/muety/wakapi/models"
 	v1 "github.com/muety/wakapi/models/compat/wakatime/v1"
+	routeutils "github.com/muety/wakapi/routes/utils"
 	"github.com/muety/wakapi/services"
 	"github.com/muety/wakapi/utils"
 	"net/http"
@@ -45,18 +46,14 @@ func (h *AllTimeHandler) RegisterRoutes(router *mux.Router) {
 // @Success 200 {object} v1.AllTimeViewModel
 // @Router /compat/wakatime/v1/users/{user}/all_time_since_today [get]
 func (h *AllTimeHandler) Get(w http.ResponseWriter, r *http.Request) {
-	vars := mux.Vars(r)
 	values, _ := url.ParseQuery(r.URL.RawQuery)
 
-	requestedUser := vars["user"]
-	authorizedUser := middlewares.GetPrincipal(r)
-
-	if requestedUser != authorizedUser.ID && requestedUser != "current" {
-		w.WriteHeader(http.StatusForbidden)
-		return
+	user, err := routeutils.CheckEffectiveUser(w, r, h.userSrvc, "current")
+	if err != nil {
+		return // response was already sent by util function
 	}
 
-	summary, err, status := h.loadUserSummary(authorizedUser)
+	summary, err, status := h.loadUserSummary(user)
 	if err != nil {
 		w.WriteHeader(status)
 		w.Write([]byte(err.Error()))

routes/compat/wakatime/v1/projects.go

@@ -6,6 +6,7 @@ import (
 	"github.com/muety/wakapi/middlewares"
 	"github.com/muety/wakapi/models"
 	v1 "github.com/muety/wakapi/models/compat/wakatime/v1"
+	routeutils "github.com/muety/wakapi/routes/utils"
 	"github.com/muety/wakapi/services"
 	"github.com/muety/wakapi/utils"
 	"net/http"
@@ -45,16 +46,12 @@ func (h *ProjectsHandler) RegisterRoutes(router *mux.Router) {
 // @Success 200 {object} v1.ProjectsViewModel
 // @Router /compat/wakatime/v1/users/{user}/projects [get]
 func (h *ProjectsHandler) Get(w http.ResponseWriter, r *http.Request) {
-	var vars = mux.Vars(r)
-	requestedUser := vars["user"]
-	authorizedUser := middlewares.GetPrincipal(r)
-
-	if requestedUser != authorizedUser.ID && requestedUser != "current" {
-		w.WriteHeader(http.StatusForbidden)
-		return
+	user, err := routeutils.CheckEffectiveUser(w, r, h.userSrvc, "current")
+	if err != nil {
+		return // response was already sent by util function
 	}
 
-	results, err := h.heartbeatSrvc.GetEntitySetByUser(models.SummaryProject, authorizedUser)
+	results, err := h.heartbeatSrvc.GetEntitySetByUser(models.SummaryProject, user)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		w.Write([]byte("something went wrong"))

routes/compat/wakatime/v1/summaries.go

@@ -7,6 +7,7 @@ import (
 	"github.com/muety/wakapi/middlewares"
 	"github.com/muety/wakapi/models"
 	v1 "github.com/muety/wakapi/models/compat/wakatime/v1"
+	routeutils "github.com/muety/wakapi/routes/utils"
 	"github.com/muety/wakapi/services"
 	"github.com/muety/wakapi/utils"
 	"net/http"
@@ -54,13 +55,9 @@ func (h *SummariesHandler) RegisterRoutes(router *mux.Router) {
 // @Success 200 {object} v1.SummariesViewModel
 // @Router /compat/wakatime/v1/users/{user}/summaries [get]
 func (h *SummariesHandler) Get(w http.ResponseWriter, r *http.Request) {
-	vars := mux.Vars(r)
-	requestedUser := vars["user"]
-	authorizedUser := middlewares.GetPrincipal(r)
-
-	if requestedUser != authorizedUser.ID && requestedUser != "current" {
-		w.WriteHeader(http.StatusForbidden)
-		return
+	_, err := routeutils.CheckEffectiveUser(w, r, h.userSrvc, "current")
+	if err != nil {
+		return // response was already sent by util function
 	}
 
 	summaries, err, status := h.loadUserSummaries(r)

routes/compat/wakatime/v1/users.go

@@ -5,6 +5,7 @@ import (
 	conf "github.com/muety/wakapi/config"
 	"github.com/muety/wakapi/middlewares"
 	v1 "github.com/muety/wakapi/models/compat/wakatime/v1"
+	routeutils "github.com/muety/wakapi/routes/utils"
 	"github.com/muety/wakapi/services"
 	"github.com/muety/wakapi/utils"
 	"net/http"
@@ -42,18 +43,13 @@ func (h *UsersHandler) RegisterRoutes(router *mux.Router) {
 // @Success 200 {object} v1.UserViewModel
 // @Router /compat/wakatime/v1/users/{user} [get]
 func (h *UsersHandler) Get(w http.ResponseWriter, r *http.Request) {
-	vars := mux.Vars(r)
-
-	requestedUser := vars["user"]
-	authorizedUser := middlewares.GetPrincipal(r)
-
-	if requestedUser != authorizedUser.ID && requestedUser != "current" {
-		w.WriteHeader(http.StatusForbidden)
-		return
+	wakapiUser, err := routeutils.CheckEffectiveUser(w, r, h.userSrvc, "current")
+	if err != nil {
+		return // response was already sent by util function
 	}
 
-	user := v1.NewFromUser(authorizedUser)
-	if hb, err := h.heartbeatSrvc.GetLatestByUser(authorizedUser); err == nil {
+	user := v1.NewFromUser(wakapiUser)
+	if hb, err := h.heartbeatSrvc.GetLatestByUser(wakapiUser); err == nil {
 		user = user.WithLatestHeartbeat(hb)
 	} else {
 		conf.Log().Request(r).Error("%v", err)

routes/utils/user_utils.go

@@ -0,0 +1,46 @@
+package utils
+
+import (
+	"errors"
+	"github.com/gorilla/mux"
+	conf "github.com/muety/wakapi/config"
+	"github.com/muety/wakapi/middlewares"
+	"github.com/muety/wakapi/models"
+	"github.com/muety/wakapi/services"
+	"net/http"
+)
+
+// CheckEffectiveUser extracts the requested user from a URL (like '/users/{user}'), compares it with the currently authorized user and writes an HTTP error if they differ.
+// Fallback can be used to manually set a value for '{user}' if none is present.
+func CheckEffectiveUser(w http.ResponseWriter, r *http.Request, userService services.IUserService, fallback string) (*models.User, error) {
+	var vars = mux.Vars(r)
+	var authorizedUser, requestedUser *models.User
+
+	if vars["user"] == "" {
+		vars["user"] = fallback
+	}
+
+	authorizedUser = middlewares.GetPrincipal(r)
+	if authorizedUser != nil {
+		if vars["user"] == "current" {
+			vars["user"] = authorizedUser.ID
+		}
+	}
+
+	requestedUser, err := userService.GetUserById(vars["user"])
+	if err != nil {
+		err := errors.New("user not found")
+		w.WriteHeader(http.StatusNotFound)
+		w.Write([]byte(err.Error()))
+		return nil, err
+	}
+
+	if authorizedUser == nil || authorizedUser.ID != requestedUser.ID {
+		err := errors.New(conf.ErrUnauthorized)
+		w.WriteHeader(http.StatusUnauthorized)
+		w.Write([]byte(err.Error()))
+		return nil, err
+	}
+
+	return authorizedUser, nil
+}