fgm
/
go__socialnetwork


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206
							/*
Available routes:

/api/users			OPTIONS	Expose available actions
/api/users			GET			Return user list, possibly filtered
/api/users			POST		Create user
/api/users/123	GET			Return user 123 -> not listed in book
/api/users/123	PUT			Update user 123
/api/users/123	DELETE	Delete user 123

POST fields:
	"user" -> name
	"mail" -> email
	"first"
	"last"
*/

package main

import (
	"database/sql"
	"encoding/json"
	"fmt"
	"log"
	"net/http"

	_ "github.com/go-sql-driver/mysql"

	"github.com/gorilla/mux"
)

var database *sql.DB

type Users struct {
	Users []User `json:"users"`
}

type User struct {
	ID    int    `json:"id"`
	Name  string `json:"username"`
	Email string `json:"mail"`
	First string `json:"first"`
	Last  string `json:"last"`
}

type CreateResponse struct {
	Error string `json:"error"`
}

/*
UserCreate creates a new user and stores it.

The SQL query is vulnerable to injection, so the route matching needs be safe.
*/
func UserCreate(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "http://localhost:8000")

	NewUser := User{
		Name:  r.FormValue("user"),
		Email: r.FormValue("mail"),
		First: r.FormValue("first"),
		Last:  r.FormValue("last"),
	}

	output, err := json.MarshalIndent(NewUser, "", "  ")
	fmt.Println(string(output))
	if err != nil {
		fmt.Println("Something went wrong!")
	}

	Response := CreateResponse{}
	sql := "INSERT INTO users SET user_name='" + NewUser.Name +
		"', user_first='" + NewUser.First +
		"', user_last='" + NewUser.Last +
		"', user_email='" + NewUser.Email + "'"
	result, err := database.Exec(sql)
	if err != nil {
		Response.Error = err.Error()
	}

	var id int64
	var rows int64
	createOutput, err := json.MarshalIndent(Response, "", "  ")
	if result != nil {
		id, _ = result.LastInsertId()
		rows, _ = result.RowsAffected()
	} else {
		id = 0
		rows = 0
		fmt.Println(w, string(createOutput))
	}
	fmt.Printf("Id: %d, Rows affected: %d\n", id, rows)

//	createOutput, err := json.MarshalIndent(Response, "", "  ")
	fmt.Fprintln(w, string(createOutput))
}

func UsersRetrieve(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Pragma", "no-cache")
	rows, err := database.Query(`
SELECT  u.user_id, u.user_name, u.user_email, u.user_first, u.user_last
FROM users u
LIMIT 10
	`)
	if err != nil {
		fmt.Fprintln(w, "Something went wrong!")
		log.Fatal(err)
	}
	Response := Users{}
	for rows.Next() {
		user := User{}
		rows.Scan(&user.ID, &user.Name, &user.Email, &user.First, &user.Last)
		Response.Users = append(Response.Users, user)
	}

	output, _ := json.MarshalIndent(Response, "", "  ")
	fmt.Fprintln(w, string(output))
}

type API struct {
	Message string `json:"message"`
}

func UserMethods(w http.ResponseWriter, r *http.Request) {

}

func UserReplace(w http.ResponseWriter, r *http.Request) {

}

func UserDelete(w http.ResponseWriter, r *http.Request) {

}

func UserRetrieve(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Pragma", "no-cache")

	vars := mux.Vars(r)
	id := vars["id"]
	user := User{}
	var result API

	sqlQuery := `
SELECT u.user_id, u.user_name, u.user_first, u.user_last, u.user_email
FROM users u
WHERE u.user_id = ?
`
	stmt, err := database.Prepare(sqlQuery)
	if err != nil {
		log.Fatal(err.Error())
	}

	row := stmt.QueryRow(id)
	scanErr := row.Scan(&user.ID, &user.Name, &user.First, &user.Last, &user.Email)
	switch {
	case scanErr == sql.ErrNoRows:
		// FIXME XSS
		result = API{Message: fmt.Sprintf("No such user: %s", id)}
		json, err := json.MarshalIndent(result, "", "  ")
		if err != nil {
			log.Fatal(err.Error())
		}
		w.Write(json)
	case err != nil:
		// FIXME XSS
		result = API{Message: fmt.Sprintf("Error reading user: %s", id)}
		json, errIndent := json.MarshalIndent(result, "", "  ")
		if errIndent != nil {
			log.Fatal(errIndent.Error())
		}
		w.Write(json)
		log.Fatal(err.Error())
	case err == nil:
		json, errIndent := json.MarshalIndent(user, "", "  ")
		if errIndent != nil {
			log.Fatal(errIndent.Error())
		}
		w.Write(json)
	}
}

func main() {
	var err error

	db, err := sql.Open("mysql", "goroot:gopass@/goweb_social_network")
	if err != nil {
		log.Fatal(err.Error())
	}

	database = db

	routes := mux.NewRouter()
	routes.HandleFunc("/api/users", UserCreate).Methods("POST")
	routes.HandleFunc(`/api/users`, UsersRetrieve).Methods("GET")

	// Not yet implemented.
	routes.HandleFunc(`/api/users`, UserMethods).Methods("OPTIONS")
	routes.HandleFunc(`/api/users/{id:[\d]+}`, UserRetrieve).Methods("GET")
	routes.HandleFunc(`/api/users/{id:[\d]+}`, UserReplace).Methods("PUT")
	routes.HandleFunc(`/api/users/{id:[\d]+}`, UserDelete).Methods("DELETE")
	// --------------------

	http.Handle("/", routes)
	http.ListenAndServe(":8080", nil)
}