package serv import ( "encoding/json" "errors" "io" "io/ioutil" "net/http" "github.com/dosco/super-graph/internal/serv/internal/auth" "github.com/rs/cors" "go.uber.org/zap" ) const ( maxReadBytes = 100000 // 100Kb introspectionQuery = "IntrospectionQuery" ) var ( errUnauthorized = errors.New("not authorized") ) type gqlReq struct { OpName string `json:"operationName"` Query string `json:"query"` Vars json.RawMessage `json:"variables"` } type errorResp struct { Error string `json:"error"` } func apiV1Handler() http.Handler { h, err := auth.WithAuth(http.HandlerFunc(apiV1), &conf.Auth) if err != nil { log.Fatalf("ERR %s", err) } if len(conf.AllowedOrigins) != 0 { c := cors.New(cors.Options{ AllowedOrigins: conf.AllowedOrigins, AllowCredentials: true, Debug: conf.DebugCORS, }) h = c.Handler(h) } return h } func apiV1(w http.ResponseWriter, r *http.Request) { ct := r.Context() //nolint: errcheck if conf.AuthFailBlock && !auth.IsAuth(ct) { renderErr(w, errUnauthorized) return } b, err := ioutil.ReadAll(io.LimitReader(r.Body, maxReadBytes)) if err != nil { renderErr(w, err) return } defer r.Body.Close() req := gqlReq{} err = json.Unmarshal(b, &req) if err != nil { renderErr(w, err) return } doLog := true res, err := sg.GraphQL(ct, req.Query, req.Vars) if !conf.Production && res.QueryName() == "IntrospectionQuery" { doLog = false } if doLog && logLevel >= LogLevelDebug { log.Printf("DBG query %s: %s", res.QueryName(), res.SQL()) } if err != nil { renderErr(w, err) } else { json.NewEncoder(w).Encode(res) } if doLog && logLevel >= LogLevelInfo { zlog.Info("success", zap.String("op", res.Operation()), zap.String("name", res.QueryName()), zap.String("role", res.Role()), ) } } //nolint: errcheck func renderErr(w http.ResponseWriter, err error) { if err == errUnauthorized { w.WriteHeader(http.StatusUnauthorized) } json.NewEncoder(w).Encode(errorResp{err.Error()}) }