verstak/cmd/verstak-server/handlers_api.go

package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"net/http"
	"strings"
	"time"

	"golang.org/x/crypto/bcrypt"
)

func (s *Server) handleNotFound(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path == "/" {
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		w.Write([]byte("Verstak Sync Server\n"))
		return
	}
	jsonErr(w, 404, "not found")
}

func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
	jsonOK(w, map[string]interface{}{
		"status":  "ok",
		"version": "verstak-server/v1",
		"time":    time.Now().UTC().Format(time.RFC3339),
	})
}

func (s *Server) handleClientPair(w http.ResponseWriter, r *http.Request) {
	if r.Method != "POST" {
		jsonErr(w, 405, "POST required")
		return
	}
	ip := r.RemoteAddr
	if idx := strings.LastIndex(ip, ":"); idx >= 0 {
		ip = ip[:idx]
	}
	if !s.pairLimit.allow(ip) {
		s.auditLog("rate_limit_exceeded", "", "", ip, "pair rate limit exceeded")
		jsonErr(w, 429, "too many attempts")
		return
	}
	var req struct {
		Login         string `json:"login"`
		Password      string `json:"password"`
		DeviceName    string `json:"device_name"`
		ClientVersion string `json:"client_version"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		jsonErr(w, 400, "bad json")
		return
	}
	if req.Login == "" || req.Password == "" {
		jsonErr(w, 400, "login and password required")
		return
	}
	if req.DeviceName == "" {
		req.DeviceName = "unknown"
	}
	// Look up user.
	var userID, hash string
	var confirmed, blocked int
	err := s.db.QueryRow("SELECT id, password_hash, confirmed, blocked FROM server_users WHERE username=? OR email=?",
		req.Login, strings.ToLower(req.Login)).Scan(&userID, &hash, &confirmed, &blocked)
	if err != nil {
		s.auditLog("device_auth_failed", "", "", ip, "pair: user not found: "+req.Login)
		jsonErr(w, 401, "invalid credentials")
		return
	}
	if blocked != 0 {
		s.auditLog("device_auth_failed", userID, "", ip, "pair: user blocked")
		jsonErr(w, 403, "account blocked")
		return
	}
	if confirmed == 0 {
		s.auditLog("device_auth_failed", userID, "", ip, "pair: email not confirmed")
		jsonErr(w, 403, "email not confirmed")
		return
	}
	if bcrypt.CompareHashAndPassword([]byte(hash), []byte(req.Password)) != nil {
		s.auditLog("device_auth_failed", userID, "", ip, "pair: wrong password")
		jsonErr(w, 401, "invalid credentials")
		return
	}
	// Generate device.
	devID := make([]byte, 12)
	rand.Read(devID)
	deviceID := "dev_" + hex.EncodeToString(devID)
	token, prefix, suffix := genDeviceToken()
	tokenHash := sha256Hex(token)
	now := time.Now().UTC().Format(time.RFC3339)
	apiKey := make([]byte, 20)
	rand.Read(apiKey)
	_, err = s.db.Exec(`INSERT INTO server_devices
		(id, name, api_key, token_hash, token_prefix, token_suffix, user_id, client_version, last_ip, last_seen, created_at)
		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
		deviceID, req.DeviceName, hex.EncodeToString(apiKey), tokenHash, prefix, suffix,
		userID, req.ClientVersion, ip, now, now)
	if err != nil {
		jsonErr(w, 500, err.Error())
		return
	}
	s.db.Exec("INSERT OR IGNORE INTO server_user_devices (user_id, device_id) VALUES (?, ?)", userID, deviceID)
	s.db.Exec("UPDATE server_users SET last_seen=? WHERE id=?", now, userID)
	s.pairLimit.reset(ip)
	s.auditLog("device_paired", userID, deviceID, ip, "device paired: "+req.DeviceName)
	jsonOK(w, map[string]interface{}{
		"user_id":             userID,
		"device_id":           deviceID,
		"device_token":        token,
		"server_time":         now,
		"initial_sync_cursor": 0,
	})
}

func (s *Server) handleAuthTest(w http.ResponseWriter, r *http.Request) {
	if r.Method != "POST" {
		jsonErr(w, 405, "POST required")
		return
	}
	var req struct {
		Username string `json:"username"`
		Password string `json:"password"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		jsonErr(w, 400, "bad json")
		return
	}
	if req.Username == "" || req.Password == "" {
		jsonErr(w, 400, "username and password required")
		return
	}
	var hash string
	var confirmed, blocked int
	err := s.db.QueryRow("SELECT password_hash, confirmed, blocked FROM server_users WHERE username=? OR email=?",
		req.Username, strings.ToLower(req.Username)).Scan(&hash, &confirmed, &blocked)
	if err != nil {
		jsonErr(w, 401, "invalid credentials")
		return
	}
	if blocked != 0 {
		jsonErr(w, 403, "account blocked")
		return
	}
	if confirmed == 0 {
		jsonErr(w, 403, "email not confirmed")
		return
	}
	if bcrypt.CompareHashAndPassword([]byte(hash), []byte(req.Password)) != nil {
		jsonErr(w, 401, "invalid credentials")
		return
	}
	jsonOK(w, map[string]string{"status": "ok"})
}

func (s *Server) handleClientRevoke(w http.ResponseWriter, r *http.Request) {
	if r.Method != "POST" {
		jsonErr(w, 405, "POST required")
		return
	}
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if tok == "" {
		jsonErr(w, 401, "token required")
		return
	}
	hash := sha256Hex(tok)
	var deviceID, userID string
	err := s.db.QueryRow("SELECT id, user_id FROM server_devices WHERE token_hash=?", hash).Scan(&deviceID, &userID)
	if err != nil {
		jsonErr(w, 401, "invalid token")
		return
	}
	now := time.Now().UTC().Format(time.RFC3339)
	s.db.Exec("UPDATE server_devices SET revoked_at=? WHERE id=?", now, deviceID)
	s.auditLog("device_revoked", userID, deviceID, r.RemoteAddr, "device revoked by user")
	jsonOK(w, map[string]string{"status": "revoked"})
}

func (s *Server) handleClientRevokeDevice(w http.ResponseWriter, r *http.Request) {
	if r.Method != "POST" {
		jsonErr(w, 405, "POST required")
		return
	}
	userID, ok := s.requireUserWeb(w, r)
	if !ok {
		return
	}
	var req struct {
		DeviceID string `json:"device_id"`
		Password string `json:"password"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		jsonErr(w, 400, "invalid JSON")
		return
	}
	if req.DeviceID == "" || req.Password == "" {
		jsonErr(w, 400, "device_id and password required")
		return
	}
	// Verify password.
	var pwHash string
	err := s.db.QueryRow("SELECT password_hash FROM server_users WHERE id=?", userID).Scan(&pwHash)
	if err != nil {
		jsonErr(w, 403, "access denied")
		return
	}
	if bcrypt.CompareHashAndPassword([]byte(pwHash), []byte(req.Password)) != nil {
		jsonErr(w, 403, "wrong password")
		return
	}
	// Verify device belongs to user.
	var devUserID string
	err = s.db.QueryRow("SELECT user_id FROM server_devices WHERE id=?", req.DeviceID).Scan(&devUserID)
	if err != nil {
		jsonErr(w, 404, "device not found")
		return
	}
	if devUserID != userID {
		jsonErr(w, 403, "device does not belong to you")
		return
	}
	now := time.Now().UTC().Format(time.RFC3339)
	s.db.Exec("UPDATE server_devices SET revoked_at=? WHERE id=?", now, req.DeviceID)
	s.auditLog("device_revoked", userID, req.DeviceID, r.RemoteAddr, "device revoked via web dashboard")
	jsonOK(w, map[string]string{"status": "revoked"})
}

func (s *Server) handleClientMe(w http.ResponseWriter, r *http.Request) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if tok == "" {
		jsonErr(w, 401, "token required")
		return
	}
	hash := sha256Hex(tok)
	var deviceID, userID, name, clientVer, lastSeen, revokedAt, createdAt string
	err := s.db.QueryRow(`SELECT d.id, d.user_id, d.name, COALESCE(d.client_version,''), COALESCE(d.last_seen,''), COALESCE(d.revoked_at,''), d.created_at
		FROM server_devices d WHERE d.token_hash=?`, hash).
		Scan(&deviceID, &userID, &name, &clientVer, &lastSeen, &revokedAt, &createdAt)
	if err != nil {
		jsonErr(w, 401, "invalid token")
		return
	}
	var username string
	s.db.QueryRow("SELECT username FROM server_users WHERE id=?", userID).Scan(&username)
	jsonOK(w, map[string]interface{}{
		"device_id":      deviceID,
		"user_id":        userID,
		"username":       username,
		"device_name":    name,
		"client_version": clientVer,
		"last_seen":      lastSeen,
		"revoked_at":     revokedAt,
		"created_at":     createdAt,
	})
}

func (s *Server) handleDeviceRegister(w http.ResponseWriter, r *http.Request) {
	if r.Method != "POST" {
		jsonErr(w, 405, "POST required")
		return
	}
	var req struct {
		Name     string `json:"name"`
		Username string `json:"username"`
		Password string `json:"password"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		jsonErr(w, 400, "invalid JSON")
		return
	}
	if req.Name == "" {
		jsonErr(w, 400, "name required")
		return
	}
	if req.Username == "" || req.Password == "" {
		jsonErr(w, 401, "username and password required")
		return
	}

	// Look up user by username or email.
	var userID, hash string
	var confirmed, blocked int
	err := s.db.QueryRow("SELECT id, password_hash, confirmed, blocked FROM server_users WHERE username=? OR email=?",
		req.Username, strings.ToLower(req.Username)).Scan(&userID, &hash, &confirmed, &blocked)
	if err != nil {
		jsonErr(w, 401, "invalid credentials")
		return
	}
	if blocked != 0 {
		jsonErr(w, 403, "account blocked")
		return
	}
	if confirmed == 0 {
		jsonErr(w, 403, "email not confirmed")
		return
	}
	if bcrypt.CompareHashAndPassword([]byte(hash), []byte(req.Password)) != nil {
		jsonErr(w, 401, "invalid credentials")
		return
	}

	b := make([]byte, 20)
	rand.Read(b)
	apiKey := hex.EncodeToString(b)
	deviceID := apiKey[:12]
	now := time.Now().UTC().Format(time.RFC3339)

	_, err = s.db.Exec(
		"INSERT INTO server_devices (id, name, api_key, last_seen, created_at) VALUES (?, ?, ?, ?, ?)",
		deviceID, req.Name, apiKey, now, now,
	)
	if err != nil {
		jsonErr(w, 500, err.Error())
		return
	}
	// Link device to user.
	s.db.Exec("INSERT OR IGNORE INTO server_user_devices (user_id, device_id) VALUES (?, ?)", userID, deviceID)

	jsonOK(w, map[string]interface{}{
		"device_id": deviceID,
		"api_key":   apiKey,
	})
}