feat(api/v2): expose notifications atom feed in the OpenAPI spec
Adds GET /api/v2/notifications.atom as a Huma operation producing application/atom+xml, so the feed shows in the v2 OpenAPI spec with an opaque XML body schema. It mirrors /feeds/notifications.atom on the wire. Feed readers can't carry a bearer header, so the op declares an HTTP Basic security scheme (BasicAuth) and authenticates inside the handler: it parses the Authorization: Basic header and validates the API token via the shared feeds.AuthenticateFeedToken, returning a 401 with a Basic challenge on failure, then streams feeds.BuildNotificationsAtomFeed. The path is in unauthenticatedAPIPaths so the JWT middleware lets it through.
This commit is contained in:
parent
be8a092fe3
commit
fbfea43f2b
|
|
@ -104,6 +104,14 @@ func NewAPI(e *echo.Echo, g *echo.Group) huma.API {
|
||||||
Scheme: "bearer",
|
Scheme: "bearer",
|
||||||
Description: "Vikunja API token (tk_ prefix) with scoped permissions. Created via /api/v1/tokens.",
|
Description: "Vikunja API token (tk_ prefix) with scoped permissions. Created via /api/v1/tokens.",
|
||||||
}
|
}
|
||||||
|
// HTTP Basic, used only by the notifications Atom feed: feed readers can't
|
||||||
|
// carry a bearer header, so the feed accepts the API token as the Basic
|
||||||
|
// password (username = token owner). See notifications_feed.go.
|
||||||
|
oapi.Components.SecuritySchemes["BasicAuth"] = &huma.SecurityScheme{
|
||||||
|
Type: "http",
|
||||||
|
Scheme: "basic",
|
||||||
|
Description: "HTTP Basic auth used by the notifications Atom feed: the username is the token owner and the password is a feeds-scoped Vikunja API token (tk_ prefix).",
|
||||||
|
}
|
||||||
// Applied globally; public endpoints (spec, docs) opt out with an empty Security list.
|
// Applied globally; public endpoints (spec, docs) opt out with an empty Security list.
|
||||||
oapi.Security = []map[string][]string{
|
oapi.Security = []map[string][]string{
|
||||||
{"JWTKeyAuth": {}},
|
{"JWTKeyAuth": {}},
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,103 @@
|
||||||
|
// Vikunja is a to-do list application to facilitate your life.
|
||||||
|
// Copyright 2018-present Vikunja and contributors. All rights reserved.
|
||||||
|
//
|
||||||
|
// This program is free software: you can redistribute it and/or modify
|
||||||
|
// it under the terms of the GNU Affero General Public License as published by
|
||||||
|
// the Free Software Foundation, either version 3 of the License, or
|
||||||
|
// (at your option) any later version.
|
||||||
|
//
|
||||||
|
// This program is distributed in the hope that it will be useful,
|
||||||
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
// GNU Affero General Public License for more details.
|
||||||
|
//
|
||||||
|
// You should have received a copy of the GNU Affero General Public License
|
||||||
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
package apiv2
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"net/http"
|
||||||
|
|
||||||
|
"code.vikunja.io/api/pkg/db"
|
||||||
|
"code.vikunja.io/api/pkg/modules/humaecho5"
|
||||||
|
"code.vikunja.io/api/pkg/routes/feeds"
|
||||||
|
|
||||||
|
"github.com/danielgtaylor/huma/v2"
|
||||||
|
"github.com/labstack/echo/v5"
|
||||||
|
)
|
||||||
|
|
||||||
|
// RegisterNotificationsFeedRoutes wires the Atom notifications feed onto the
|
||||||
|
// Huma API. It documents HTTP Basic auth (a feeds-scoped API token) because
|
||||||
|
// feed readers can't carry a bearer header.
|
||||||
|
func RegisterNotificationsFeedRoutes(api huma.API) {
|
||||||
|
Register(api, huma.Operation{
|
||||||
|
OperationID: "notifications-atom-feed",
|
||||||
|
Summary: "Notifications Atom feed",
|
||||||
|
Description: "Returns the authenticated user's latest notifications as an Atom feed. Authenticated with HTTP Basic auth: the username is the token owner and the password is a feeds-scoped Vikunja API token (tk_ prefix) — password and LDAP credentials are rejected because feed URLs are commonly shared or cached. Fetching the feed does not mark notifications as read.",
|
||||||
|
Method: http.MethodGet,
|
||||||
|
Path: "/notifications.atom",
|
||||||
|
Tags: []string{"service"},
|
||||||
|
// This op carries its own HTTP Basic auth instead of the global bearer
|
||||||
|
// schemes; the path is in unauthenticatedAPIPaths so the JWT middleware
|
||||||
|
// lets it through and the handler authenticates itself.
|
||||||
|
Security: []map[string][]string{{"BasicAuth": {}}},
|
||||||
|
Responses: map[string]*huma.Response{
|
||||||
|
"200": {
|
||||||
|
Description: "The notifications Atom feed.",
|
||||||
|
Content: map[string]*huma.MediaType{
|
||||||
|
"application/atom+xml": {
|
||||||
|
Schema: &huma.Schema{Type: huma.TypeString, Format: "binary"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, notificationsAtomFeed)
|
||||||
|
}
|
||||||
|
|
||||||
|
func init() { AddRouteRegistrar(RegisterNotificationsFeedRoutes) }
|
||||||
|
|
||||||
|
// notificationsAtomFeed authenticates with HTTP Basic (sharing the feeds
|
||||||
|
// validator) and streams the Atom feed; there is no handler.Do* for a non-JSON
|
||||||
|
// body and the auth can't ride the group's JWT middleware.
|
||||||
|
func notificationsAtomFeed(ctx context.Context, _ *struct{}) (*huma.StreamResponse, error) {
|
||||||
|
c, ok := ctx.Value(humaecho5.EchoContextKey).(*echo.Context)
|
||||||
|
if !ok {
|
||||||
|
return nil, huma.Error500InternalServerError("could not resolve request context")
|
||||||
|
}
|
||||||
|
|
||||||
|
username, password, ok := (*c).Request().BasicAuth()
|
||||||
|
if !ok {
|
||||||
|
return nil, basicAuthChallenge(c)
|
||||||
|
}
|
||||||
|
|
||||||
|
s := db.NewSession()
|
||||||
|
defer s.Close()
|
||||||
|
|
||||||
|
u, err := feeds.AuthenticateFeedToken(s, username, password)
|
||||||
|
if err != nil {
|
||||||
|
return nil, translateDomainError(err)
|
||||||
|
}
|
||||||
|
if u == nil {
|
||||||
|
return nil, basicAuthChallenge(c)
|
||||||
|
}
|
||||||
|
|
||||||
|
atom, err := feeds.BuildNotificationsAtomFeed(s, u)
|
||||||
|
if err != nil {
|
||||||
|
return nil, translateDomainError(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return &huma.StreamResponse{Body: func(hctx huma.Context) {
|
||||||
|
ec := humaecho5.Unwrap(hctx)
|
||||||
|
(*ec).Response().Header().Set(echo.HeaderContentType, feeds.AtomContentType)
|
||||||
|
_, _ = (*ec).Response().Write([]byte(atom))
|
||||||
|
}}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// basicAuthChallenge returns a 401 carrying a WWW-Authenticate Basic challenge,
|
||||||
|
// mirroring v1's BasicAuth middleware so feed readers prompt for credentials.
|
||||||
|
func basicAuthChallenge(c *echo.Context) error {
|
||||||
|
(*c).Response().Header().Set(echo.HeaderWWWAuthenticate, `Basic realm="Restricted"`)
|
||||||
|
return huma.Error401Unauthorized(http.StatusText(http.StatusUnauthorized))
|
||||||
|
}
|
||||||
|
|
@ -368,6 +368,10 @@ var unauthenticatedAPIPaths = map[string]bool{
|
||||||
|
|
||||||
// Public infra healthcheck (a Huma op that opts out of the global auth).
|
// Public infra healthcheck (a Huma op that opts out of the global auth).
|
||||||
"/api/v2/health": true,
|
"/api/v2/health": true,
|
||||||
|
|
||||||
|
// Atom feed (a Huma op) authenticates itself with HTTP Basic auth (a
|
||||||
|
// feeds-scoped API token), like its /feeds counterpart, not a JWT.
|
||||||
|
"/api/v2/notifications.atom": true,
|
||||||
}
|
}
|
||||||
|
|
||||||
// collectRoutesForAPITokens collects all routes for API token permission checking.
|
// collectRoutesForAPITokens collects all routes for API token permission checking.
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue