add maintenance note

.gitignore

@@ -1,2 +1,3 @@
 redis
+sus
 .env

docker-compose.yml

@@ -6,6 +6,10 @@ services:
     ports: [ "8430:80" ]
     environment:
       - SECRET=${SECRET}
+      - MAX_AGE_MS=${MAX_AGE_MS}
+    restart: unless-stopped
   redis:
+    hostname: sus-redis
     image: redis:7
     volumes: [ "./redis:/data" ]
+    restart: unless-stopped

go.mod

@@ -1,15 +1,15 @@
 module git.alv.cx/alvierahman90/sus
 
-go 1.18
+go 1.25.0
 
 require (
 	github.com/go-redis/redis/v8 v8.11.5
-	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/mux v1.8.1
-	golang.org/x/net v0.0.0-20220225172249-27dd8689420f
+	golang.org/x/net v0.54.0
 )
 
 require (
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/onsi/gomega v1.19.0 // indirect
 )

go.sum

@@ -1,5 +1,7 @@
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
@@ -7,13 +9,19 @@ github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC
 github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw=
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
 golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

main.go

@@ -24,6 +24,8 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"strconv"
+	"time"
 
 	"github.com/go-redis/redis/v8"
 	"github.com/gorilla/mux"
@@ -31,17 +33,19 @@ import (
 )
 
 var client = redis.NewClient(&redis.Options{
-	Addr:     "redis:6379",
+	Addr:     "sus-redis:6379",
 	Password: "",
 	DB:       0,
 })
 
 var SECRET string
 var INDEX_GET_REDIRECT = "http://alv.cx"
+var MAX_AGE_MS int64 = 500
 
 func main() {
 	r := mux.NewRouter()
 	r.HandleFunc("/{shortlink}", shortlinkHandler)
+	r.HandleFunc("/{shortlink}/", shortlinkHandler)
 	r.HandleFunc("/", indexHandler)
 
 	listenAddress := "0.0.0.0:80"
@@ -58,6 +62,14 @@ func main() {
 		INDEX_GET_REDIRECT = p
 	}
 
+	if p, ok := os.LookupEnv("MAX_AGE_MS"); ok {
+		if v, err := strconv.ParseInt(p, 10, 64); err != nil {
+			fmt.Printf("Unable to parse environment variable MAX_AGE_MS: %v\n", p)
+		} else {
+			MAX_AGE_MS = v
+		}
+	}
+
 	log.Fatal(http.ListenAndServe(listenAddress, r))
 }
 
@@ -73,16 +85,29 @@ func indexHandler(w http.ResponseWriter, r *http.Request) {
 	command := r.PostForm.Get("Command")
 	shortlink := r.PostForm.Get("Shortlink")
 	value := r.PostForm.Get("Value")
-	fmt.Printf("command: %v, shortlink: %v, value: %v\n", command, shortlink, value)
+	req_timestamp := r.PostForm.Get("Timestamp")
-	fmt.Println(shortlink)
+	req_timestamp_int, err := strconv.ParseInt(req_timestamp, 10, 64)
-	fmt.Println(value)
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		w.Write([]byte("Bad request"))
+		return
+	}
+
+	cur_timestamp := time.Now().UnixNano()
+	if req_timestamp_int+MAX_AGE_MS*1000*1000 < cur_timestamp {
+		w.WriteHeader(http.StatusBadRequest)
+		w.Write([]byte("Bad request"))
+		return
+	}
+
+	fmt.Printf("req_timestamp: %v, command: %v, shortlink: %v, value: %v\n", req_timestamp, command, shortlink, value)
 
 	signature := r.Header.Get("Signature")
 	calculatedSignature := fmt.Sprintf(
 		"SUS-SIGNATURE-%v",
 		getSha256HMACSignature(
 			[]byte(SECRET),
-			command+":"+shortlink+":"+value,
+			req_timestamp+":"+command+":"+shortlink+":"+value,
 		),
 	)
 

readme.md

@@ -2,6 +2,22 @@
 
 sus URL shortener
 
+## maintenance notice
+
+for my personal use i have replaced sus with the simpler [urls-txt](https://pls.cx/urls-txt).
+
+i likely won't be updating sus anymore,
+but this program is simple so i doubt it'll stop working
+and i haven't really updated it much anyway,
+since it did everything i wanted.
+
+i'll update the dependencies every now and then but i have forgotten golang in the four years
+between writing it and now.
+
+if you want to use it instead of [urls-txt](https://pls.cx/urls-txt),
+go ahead.
+i'll update the dependencies every now and then.
+
 
 ## `susmng` usage (managing shortlinks)
 
@@ -33,12 +49,14 @@ flag is not provided.
 
         docker-compose up -d --build
 
-#### server environment variables
+### server environment variables
 
-- `SECRET`---the secret used for signature verification
+| Variable             | Default         | Description                                                                            |
-- `LISTEN_ADDRESS`---the address the server is listening on (default is `0.0.0.0:80`)
+|----------------------|-----------------|----------------------------------------------------------------------------------------|
-- `INDEX_GET_REDIRECT`---the URL the user should be redirected to if they try to access `/` on the
+| `SECRET`             | N/A             | the secret used for signature verification                                             |
-   server (default is `http://alv.cx`)
+| `LISTEN_ADDRESS`     | `0.0.0.0:80`    | the address the server is listening on                                                 |
+| `INDEX_GET_REDIRECT` | `http://alv.cx` | the URL the user should be redirected to if they try to access `/` on the server       |
+| `MAX_AGE_MS`         | 500             | how old a request can be (in milliseconds) before the server will refuse to process it |
 
 ### setting up susmng
 

susmng.py

@@ -8,6 +8,7 @@ import pathlib
 import os
 import json
 import sys
+import time
 
 
 def get_args():
@@ -51,20 +52,34 @@ def main(args):
     if args.command == "delete" and args.value != "confirm":
         print("--value not set to 'confirm'... delete operation may fail")
 
-    r = requests.post(f"{'http' if args.http else 'https'}://{server}",
+    # accoring to python documentation (https://docs.python.org/3/library/time.html#time.time)
-            data = {
+    # this function does not explicitly have to use unix time, and implementation is dependent
-                'Command': args.command,
+    # platform.
-                'Shortlink': args.shortlink,
+    # most platforms (windows, unix) will probably give unix time though.
-                'Value': args.value,
+    #
-                },
+    # the server side (main.go file) does explicitly use unix time (time.Now().UnixNano()) to get
-            headers = {
+    # this number, but hopefully there should be no issues on most platforms.
-                'Signature': 'SUS-SIGNATURE-' + hmac.new(
+    timestamp = str(time.time_ns())
-                    secret.encode("UTF-8"),
+
-                    (args.command+":"+args.shortlink+":"+args.value).encode("UTF-8"),
+    data = {
-                    hashlib.sha256
+        'Command': args.command,
-                    ).hexdigest()
+        'Shortlink': args.shortlink,
-                }
+        'Value': args.value,
-            )
+        'Timestamp': timestamp,
+        }
+
+    headers = {
+        'Signature': 'SUS-SIGNATURE-' + hmac.new(
+            secret.encode("UTF-8"),
+            (timestamp + ":" + args.command + ":" + args.shortlink + ":" + args.value).encode("UTF-8"),
+            hashlib.sha256
+            ).hexdigest()
+        }
+
+    print(f"{data=}")
+    print(f"{headers=}")
+
+    r = requests.post(f"{'http' if args.http else 'https'}://{server}", data=data, headers=headers)
     print(r, file=sys.stderr)
     print(r.content.decode().strip())
     return 0