From d9c45316379bad042427b858f4f5d8f9e39bda93 Mon Sep 17 00:00:00 2001
From: Kaitlyn Parkhurst
Date: Sun, 11 Jul 2021 00:16:27 -0700
Subject: [PATCH] Downloads with authentication now.
---
 Web/cpanfile | 1 +
 Web/files/secure_download/README.md | 2 ++
 Web/lib/MeshMage/Web.pm | 28 ++++++++++++++++++++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 Web/files/secure_download/README.md
diff --git a/Web/cpanfile b/Web/cpanfile
index 2e06200..86e2097 100644
--- a/Web/cpanfile
+++ b/Web/cpanfile
@@ -1,5 +1,6 @@
 requires 'Minion';
 requires 'Mojolicious::Plugin::XslateRenderer';
+requires 'Mojolicious::Plugin::RenderFile';
 requires 'Mojo::Pg';
 requires 'MeshMage::DB';
 requires 'Net::Subnet';
diff --git a/Web/files/secure_download/README.md b/Web/files/secure_download/README.md
new file mode 100644
index 0000000..010232c
--- /dev/null
+++ b/Web/files/secure_download/README.md
@@ -0,0 +1,2 @@
+This directory contains static files for download, but require an
+auth token or a logged in user account to access.
diff --git a/Web/lib/MeshMage/Web.pm b/Web/lib/MeshMage/Web.pm
index 73a8aaf..2f96a2d 100644
--- a/Web/lib/MeshMage/Web.pm
+++ b/Web/lib/MeshMage/Web.pm
@@ -40,8 +40,10 @@ sub startup ($self) {
 # Setup Plugins
 $self->plugin( Minion => { Pg => 'postgresql://minion:minion@localhost:5433/minion' } );
+ $self->plugin( 'RenderFile' );
 $self->plugin( 'MeshMage::Web::Plugin::MinionTasks' );
 $self->plugin( 'MeshMage::Web::Plugin::Helpers' );
+
 # Standard router.
 my $r = $self->routes;
@@ -50,6 +52,15 @@ sub startup ($self) {
 # user.
 my $auth = $r->under( '/' => sub ($c) {
+ # Hax: by-pass authentication with an X-Auth header.
+ #
+ # TODO: Add a bit to the DB so we can make values for
+ # an X-Auth when users are given the chance to download
+ # things with keys and such.
+ if ( $c->req->headers->header('X-Auth') ) {
+ return 1;
+ }
+
 # Login via session cookie.
 if ( $c->session('uid') ) {
 my $person = $c->db->resultset('Person')->find( $c->session('uid') );
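Review bot: The added `if ( $c->req->headers->header('X-Auth') )` check in the `$auth` `under` callback returns 1 for any non-empty X-Auth value, so a request that carries the header never reaches the session check. Because it sits on the shared `$auth` chain, the bypass covers every route mounted under it, including the `Minion::Admin` route and the new `/secure/#filename` download in the third Web.pm hunk, not only downloads. Until the DB-backed values from the TODO exist, the header should be compared in constant time against a stored secret, e.g. `my $tok = $c->req->headers->header('X-Auth') // '';` and `return 1 if length $tok && secure_compare( $tok, $expected_token );`, with `secure_compare` imported from `Mojo::Util` and `$expected_token` a placeholder for wherever the secret is kept. Preferably the token check would live on the download route alone, so the admin routes still require a session. The callback's body continues outside the hunk.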
@@ -76,6 +87,23 @@ sub startup ($self) {
 # The /minion stuff is handled here because we needed to place it under $auth.
 $self->plugin( 'Minion::Admin' => { route => $auth->under( '/minion' ) } );
+ # A secure static file area, the user will need to be authenticated.
+ $auth->get('/secure/#filename')->to( cb => sub ($c) {
+
+ my $filepath = sprintf( "%s/secure_download/%s", $c->files_dir, $c->param('filename') );
+
+ if ( ! -e $filepath ) {
+ $c->res->code( 404 );
+ $c->render( text => "No such file or directory.\n" );
+ return;
+ }
+
+ $c->render_file(
+ filepath => $filepath,
+ filename => $c->param('filename'),
+ );
+ });
+
 # Send requests for / to the dashboard.
 $auth->get('/')->to(cb => sub ($c) {
 $c->redirect_to( $c->url_for('dashboard') )
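Review bot: `$c->param('filename')` is formatted into `$filepath` with no validation, and the only guard is `-e`, which is also true for directories. The relaxed `#filename` placeholder accepts dots, so the name should be matched against an anchored allow-list before the path is used, and the existence test should require a regular file: `my $name = $c->param('filename');` and `if ( $name !~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/ || ! -f $filepath ) {` in place of the current `if ( ! -e $filepath ) {`. Passing the same validated `$name` as `filename =>` also constrains the download name sent to the client. `startup` begins and ends outside the hunk.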