Improve test suite (#628)

Signed-off-by: Thomas Miceli <tho.miceli@gmail.com>

internal/web/server/middlewares.go

@@ -28,7 +28,7 @@ import (
 func (s *Server) useCustomContext() {
 	s.echo.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
-			cc := context.NewContext(c, s.sessionsPath)
+			cc := context.NewContext(c, filepath.Join(config.GetHomeDir(), "sessions"))
 			return next(cc)
 		}
 	})
@@ -58,29 +58,27 @@ func (s *Server) registerMiddlewares() {
 	s.echo.Use(middleware.Recover())
 	s.echo.Use(middleware.Secure())
 	s.echo.Use(Middleware(sessionInit).toEcho())
+	s.echo.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
+		TokenLookup:    "form:_csrf,header:X-CSRF-Token",
+		CookiePath:     "/",
+		CookieHTTPOnly: true,
+		CookieSameSite: http.SameSiteStrictMode,
+		Skipper: func(ctx echo.Context) bool {
+			/* skip CSRF for embeds */
+			gistName := ctx.Param("gistname")
 
-	if !s.ignoreCsrf {
-		s.echo.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
-			TokenLookup:    "form:_csrf,header:X-CSRF-Token",
-			CookiePath:     "/",
-			CookieHTTPOnly: true,
-			CookieSameSite: http.SameSiteStrictMode,
-			Skipper: func(ctx echo.Context) bool {
-				/* skip CSRF for embeds */
-				gistName := ctx.Param("gistname")
+			/* skip CSRF for git clients */
+			matchUploadPack, _ := regexp.MatchString("(.*?)/git-upload-pack$", ctx.Request().URL.Path)
+			matchReceivePack, _ := regexp.MatchString("(.*?)/git-receive-pack$", ctx.Request().URL.Path)
+			return (filepath.Ext(gistName) == ".js" && ctx.Request().Method == "GET") || matchUploadPack || matchReceivePack
+		},
+		ErrorHandler: func(err error, c echo.Context) error {
+			log.Info().Err(err).Msg("CSRF error")
+			return err
+		},
+	}))
+	s.echo.Use(Middleware(csrfInit).toEcho())
 
-				/* skip CSRF for git clients */
-				matchUploadPack, _ := regexp.MatchString("(.*?)/git-upload-pack$", ctx.Request().URL.Path)
-				matchReceivePack, _ := regexp.MatchString("(.*?)/git-receive-pack$", ctx.Request().URL.Path)
-				return (filepath.Ext(gistName) == ".js" && ctx.Request().Method == "GET") || matchUploadPack || matchReceivePack
-			},
-			ErrorHandler: func(err error, c echo.Context) error {
-				log.Info().Err(err).Msg("CSRF error")
-				return err
-			},
-		}))
-		s.echo.Use(Middleware(csrfInit).toEcho())
-	}
 }
 
 func (s *Server) errorHandler(err error, ctx echo.Context) {
@@ -159,10 +157,10 @@ func dataInit(next Handler) Handler {
 
 func writePermission(next Handler) Handler {
 	return func(ctx *context.Context) error {
-		gist := ctx.GetData("gist")
+		gist := ctx.GetData("gist").(*db.Gist)
 		user := ctx.User
-		if !gist.(*db.Gist).CanWrite(user) {
-			return ctx.RedirectTo("/" + gist.(*db.Gist).User.Username + "/" + gist.(*db.Gist).Identifier())
+		if !gist.CanWrite(user) {
+			return ctx.ErrorRes(403, "You don't have permission to edit this gist", nil)
 		}
 		return next(ctx)
 	}

internal/web/server/server.go

@@ -2,7 +2,6 @@ package server
 
 import (
 	"fmt"
-	"github.com/thomiceli/opengist/internal/validator"
 	"net"
 	"net/http"
 	"os"
@@ -10,6 +9,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/thomiceli/opengist/internal/validator"
+
 	"github.com/labstack/echo/v4"
 	"github.com/rs/zerolog/log"
 	"github.com/thomiceli/opengist/internal/config"
@@ -18,19 +19,16 @@ import (
 
 type Server struct {
 	echo *echo.Echo
-
-	dev          bool
-	sessionsPath string
-	ignoreCsrf   bool
+	dev  bool
 }
 
-func NewServer(isDev bool, sessionsPath string, ignoreCsrf bool) *Server {
+func NewServer(isDev bool) *Server {
 	e := echo.New()
 	e.HideBanner = true
 	e.HidePort = true
 	e.Validator = validator.NewValidator()
 
-	s := &Server{echo: e, dev: isDev, sessionsPath: sessionsPath, ignoreCsrf: ignoreCsrf}
+	s := &Server{echo: e, dev: isDev}
 
 	s.useCustomContext()
 
@@ -175,3 +173,7 @@ func (s *Server) createPidFile(pidPath string) error {
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	s.echo.ServeHTTP(w, r)
 }
+
+func (s *Server) Use(middleware echo.MiddlewareFunc) {
+	s.echo.Use(middleware)
+}