From 2b6de1ed5966a209c29496f5fefb62bccc6760c0 Mon Sep 17 00:00:00 2001
From: Hongbo Wu
Date: Thu, 9 Feb 2023 18:35:23 +0800
Subject: [PATCH] Add JWT authortization verification

---
 go.mod  |  1 +
 go.sum  |  2 ++
 main.go | 25 ++++++++++++++++++++++++-
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 67812a1..94e5366 100644
--- a/go.mod
+++ b/go.mod
@@ -4,6 +4,7 @@ go 1.15
 
 require (
 	github.com/go-shiori/dom v0.0.0-20210627111528-4e4722cd0d65
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/sirupsen/logrus v1.8.1
diff --git a/go.sum b/go.sum
index 3f6c675..af9cec4 100644
--- a/go.sum
+++ b/go.sum
@@ -9,6 +9,8 @@ github.com/go-shiori/dom v0.0.0-20210627111528-4e4722cd0d65 h1:zx4B0AiwqKDQq+Agq
 github.com/go-shiori/dom v0.0.0-20210627111528-4e4722cd0d65/go.mod h1:NPO1+buE6TYOWhUI98/hXLHHJhunIpXRuvDN4xjkCoE=
 github.com/gogs/chardet v0.0.0-20191104214054-4b6791f73a28 h1:gBeyun7mySAKWg7Fb0GOcv0upX9bdaZScs8QcRo8mEY=
 github.com/gogs/chardet v0.0.0-20191104214054-4b6791f73a28/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
diff --git a/main.go b/main.go
index 52ef61d..6fb20d9 100644
--- a/main.go
+++ b/main.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/go-shiori/dom"
 	"github.com/omnivore-app/go-domdistiller/distiller"
+	"github.com/golang-jwt/jwt"
 )
 
 func main() {
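Review bot: The new requirement is tagged `// indirect` even though main.go imports `github.com/golang-jwt/jwt` directly in this same patch; `go mod tidy` would drop that marker, so run it and commit the result so go.mod records a direct dependency. The `v3.2.2+incompatible` version is the legacy unversioned module path — as far as I recall the golang-jwt project maintains `github.com/golang-jwt/jwt/v4` as its supported line, so switching the import path now avoids pinning an authentication dependency to a branch that no longer receives fixes.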
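Review bot: The new import is appended after `distiller` rather than in sorted order; `gofmt` sorts consecutive import lines, so `"github.com/golang-jwt/jwt"` belongs between `github.com/go-shiori/dom` and `github.com/omnivore-app/go-domdistiller/distiller` — run `goimports` before committing. No stdlib imports are added here although the handler change uses `log` and `os`, so presumably both already sit in the stdlib group above this hunk; worth confirming the file builds.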
@@ -31,10 +32,30 @@ func main() {
 }
 
 func handler(w http.ResponseWriter, r *http.Request) {
+	// decode JWT token and check if it's valid
+	token, err := jwt.Parse(r.Header.Get("Authorization"), func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return []byte(os.Getenv("JWT_SECRET")), nil
+	})
+	if err != nil {
+		w.WriteHeader(http.StatusUnauthorized)
+		fmt.Fprint(w, "Unauthorized")
+		return
+	}
+	if !token.Valid {
+		w.WriteHeader(http.StatusUnauthorized)
+		fmt.Fprint(w, "Unauthorized")
+		return
+	}
+
 	// Parse request body
 	body, err := ioutil.ReadAll(r.Body)
 	if err != nil {
-		fmt.Println("Failed to read request body:", err)
+		log.Println("Failed to read request body:", err)
+		w.WriteHeader(http.StatusBadRequest)
+		fmt.Fprint(w, "Failed to read request body")
 		return
 	}
 
@@ -42,6 +63,8 @@ func handler(w http.ResponseWriter, r *http.Request) {
 	result, err := distiller.ApplyForReader(strings.NewReader(string(body)), nil)
 	if err != nil {
 		fmt.Println("Failed to apply distiller:", err)
+		w.WriteHeader(http.StatusInternalServerError)
+		fmt.Fprint(w, "Failed to apply distiller")
 		return
 	}
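Review bot: The keyfunc returns `[]byte(os.Getenv("JWT_SECRET"))` unconditionally, so when the variable is unset or empty the handler verifies HMAC signatures against a zero-length key — the v3 HMAC verifier does not reject an empty `[]byte` as far as I can tell — and anyone can mint a token that passes; the keyfunc should fail when the secret is empty, and better still `main` should read it once and refuse to start without it. The header value is also handed to `jwt.Parse` verbatim, so if clients send the conventional `Authorization: Bearer <token>` form every request gets a 401; strip the scheme (or use the library's `request.AuthorizationHeaderExtractor`) if that is the intended contract. Since v3's `Parse` returns a non-nil error whenever validation fails, the separate `!token.Valid` branch is redundant, and both 401 paths can collapse into one `http.Error(w, "Unauthorized", http.StatusUnauthorized)`. Default claim validation only checks `exp` when the claim is present, so a token issued without one never expires — worth requiring it if tokens are minted in-house. `handler`'s body continues past the end of this hunk.

```go
func handler(w http.ResponseWriter, r *http.Request) {
	// Accept either a bare token or the "Bearer <token>" scheme.
	raw := strings.TrimSpace(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "))
	token, err := jwt.Parse(raw, func(token *jwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
		}
		secret := os.Getenv("JWT_SECRET")
		if secret == "" {
			// Never fall back to verifying HMAC over an empty key.
			return nil, fmt.Errorf("JWT_SECRET is not configured")
		}
		return []byte(secret), nil
	})
	if err != nil || !token.Valid {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}
	// … unchanged: request body read and its error handling …
```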