1// Package webapisrv implements the server-side of the webapi.

2package webapisrv

4// In a separate package from webapi, so webapi.Client can be used and imported

5// without including all mox internals. Documentation for the functions is in

6// ../webapi/client.go.

8import (

9 "bytes"

10 "context"

11 cryptorand "crypto/rand"

12 "encoding/base64"

13 "encoding/json"

14 "errors"

15 "fmt"

16 htmltemplate "html/template"

17 "io"

18 "log/slog"

19 "mime"

20 "mime/multipart"

21 "net/http"

22 "net/textproto"

23 "os"

24 "reflect"

25 "runtime/debug"

26 "slices"

27 "strings"

28 "time"

30 "github.com/prometheus/client_golang/prometheus"

31 "github.com/prometheus/client_golang/prometheus/promauto"

33 "github.com/mjl-/bstore"

35 "github.com/mjl-/mox/dkim"

36 "github.com/mjl-/mox/dns"

37 "github.com/mjl-/mox/message"

38 "github.com/mjl-/mox/metrics"

39 "github.com/mjl-/mox/mlog"

40 "github.com/mjl-/mox/mox-"

41 "github.com/mjl-/mox/moxio"

42 "github.com/mjl-/mox/moxvar"

43 "github.com/mjl-/mox/queue"

44 "github.com/mjl-/mox/smtp"

45 "github.com/mjl-/mox/store"

46 "github.com/mjl-/mox/webapi"

47 "github.com/mjl-/mox/webauth"

48 "github.com/mjl-/mox/webops"

49)

51var pkglog = mlog.New("webapi", nil)

53var (

54 // Similar between ../webmail/webmail.go:/metricSubmission and ../smtpserver/server.go:/metricSubmission and ../webapisrv/server.go:/metricSubmission

55 metricSubmission = promauto.NewCounterVec(

56 prometheus.CounterOpts{

57 Name: "mox_webapi_submission_total",

58 Help: "Webapi message submission results, known values (those ending with error are server errors): ok, badfrom, messagelimiterror, recipientlimiterror, queueerror, storesenterror, domaindisabled.",

59 },

60 []string{

61 "result",

62 },

63 )

64 metricServerErrors = promauto.NewCounterVec(

65 prometheus.CounterOpts{

66 Name: "mox_webapi_errors_total",

67 Help: "Webapi server errors, known values: dkimsign, submit.",

68 },

69 []string{

70 "error",

71 },

72 )

73 metricResults = promauto.NewCounterVec(

74 prometheus.CounterOpts{

75 Name: "mox_webapi_results_total",

76 Help: "HTTP webapi results by method and result.",

77 },

78 []string{"method", "result"}, // result: "badauth", "ok", or error code

79 )

80 metricDuration = promauto.NewHistogramVec(

81 prometheus.HistogramOpts{

82 Name: "mox_webapi_duration_seconds",

83 Help: "HTTP webhook call duration.",

84 Buckets: []float64{0.01, 0.05, 0.1, 0.5, 1, 5, 10, 20, 30},

85 },

86 []string{"method"},

87 )

88)

90// We pass the request to the handler so the TLS info can be used for

91// the Received header in submitted messages. Most API calls need just the

92// account name.

93type ctxKey string

95var requestInfoCtxKey ctxKey = "requestInfo"

97type requestInfo struct {

98 Log mlog.Log

99 LoginAddress string

100 Account *store.Account

101 Response http.ResponseWriter // For setting headers for non-JSON responses.

102 Request *http.Request // For Proto and TLS connection state during message submit.

103}

104

105// todo: show a curl invocation on the method pages

106

107var docsMethodTemplate = htmltemplate.Must(htmltemplate.New("method").Parse(`<!doctype html>

108 <head>

109 <meta charset="utf-8" />

110 <meta name="robots" content="noindex,nofollow" />

111 <title>Method {{ .Method }} - WebAPI - Mox</title>

112 <style>

113body, html { padding: 1em; font-size: 16px; }

114* { font-size: inherit; font-family: ubuntu, lato, sans-serif; margin: 0; padding: 0; box-sizing: border-box; }

115h1, h2, h3, h4 { margin-bottom: 1ex; }

116h1 { font-size: 1.2rem; }

117h2 { font-size: 1.1rem; }

118h3, h4 { font-size: 1rem; }

119ul { padding-left: 1rem; }

120p { margin-bottom: 1em; max-width: 50em; }

121[title] { text-decoration: underline; text-decoration-style: dotted; }

122fieldset { border: 0; }

123textarea { width: 100%; max-width: 50em; }

124 </style>

125 </head>

126 <body>

127 <h1><a href="../">WebAPI</a> - Method {{ .Method }}</h1>

128 <form id="webapicall" method="POST">

129 <fieldset id="webapifieldset">

130 <h2>Request JSON</h2>

131 <div><textarea id="webapirequest" name="request" required rows="20">{{ .Request }}</textarea></div>

132 <br/>

133 <div>

134 <button type="reset">Reset</button>

135 <button type="submit">Call</button>

136 </div>

137 <br/>

138{{ if .ReturnsBytes }}

139 <p>Method has a non-JSON response.</p>

140{{ else }}

141 <h2>Response JSON</h2>

142 <div><textarea id="webapiresponse" rows="20">{{ .Response }}</textarea></div>

143{{ end }}

144 </fieldset>

145 </form>

146 <script>

147window.addEventListener('load', () => {

148 window.webapicall.addEventListener('submit', async (e) => {

149 const stop = () => {

150 e.stopPropagation()

151 e.preventDefault()

152 }

153

154 let req

155 try {

156 req = JSON.parse(window.webapirequest.value)

157 } catch (err) {

158 window.alert('Error parsing request: ' + err.message)

159 stop()

160 return

161 }

162 if (!req) {

163 window.alert('Empty request')

164 stop()

165 return

166 }

167

168 if ({{ .ReturnsBytes }}) {

169 // Just POST to this URL.

170 return

171 }

172

173 stop()

174 // Do call ourselves, get response and put it in the response textarea.

175 window.webapifieldset.disabled = true

176 let data = new window.FormData()

177 data.append("request", window.webapirequest.value)

178 try {

179 const response = await fetch("{{ .Method }}", {body: data, method: "POST"})

180 const text = await response.text()

181 try {

182 window.webapiresponse.value = JSON.stringify(JSON.parse(text), undefined, '\t')

183 } catch (err) {

184 window.webapiresponse.value = text

185 }

186 } catch (err) {

187 window.alert('Error: ' + err.message)

188 } finally {

189 window.webapifieldset.disabled = false

190 }

191 })

192})

193 </script>

194 </body>

195</html>

196`))

197

198var docsIndex []byte

199

200func init() {

201 var methods []string

202 mt := reflect.TypeFor[webapi.Methods]()

203 n := mt.NumMethod()

204 for i := range n {

205 methods = append(methods, mt.Method(i).Name)

206 }

207 docsIndexTmpl := htmltemplate.Must(htmltemplate.New("index").Parse(`<!doctype html>

208<html>

209 <head>

210 <meta charset="utf-8" />

211 <meta name="robots" content="noindex,nofollow" />

212 <title>Webapi - Mox</title>

213 <style>

214body, html { padding: 1em; font-size: 16px; }

215* { font-size: inherit; font-family: ubuntu, lato, sans-serif; margin: 0; padding: 0; box-sizing: border-box; }

216h1, h2, h3, h4 { margin-bottom: 1ex; }

217h1 { font-size: 1.2rem; }

218h2 { font-size: 1.1rem; }

219h3, h4 { font-size: 1rem; }

220ul { padding-left: 1rem; }

221p { margin-bottom: 1em; max-width: 50em; }

222[title] { text-decoration: underline; text-decoration-style: dotted; }

223fieldset { border: 0; }

224 </style>

225 </head>

226 <body>

227 <h1>Webapi and webhooks</h1>

228 <p>The mox webapi is a simple HTTP/JSON-based API for sending messages and processing incoming messages.</p>

229 <p>Configure webhooks in mox to receive notifications about outgoing delivery event, and/or incoming deliveries of messages.</p>

230 <p>Documentation and examples:</p>

231 <p><a href="{{ .WebapiDocsURL }}">{{ .WebapiDocsURL }}</a></p>

232 <h2>Methods</h2>

233 <p>The methods below are available in this version of mox. Follow a link for an example request/response JSON, and a button to make an API call.</p>

234 <ul>

235{{ range $i, $method := .Methods }}

236 <li><a href="{{ $method }}">{{ $method }}</a></li>

237{{ end }}

238 </ul>

239 </body>

240</html>

241`))

242 webapiDocsURL := "https://pkg.go.dev/github.com/mjl-/mox@" + moxvar.VersionBare + "/webapi/"

243 webhookDocsURL := "https://pkg.go.dev/github.com/mjl-/mox@" + moxvar.VersionBare + "/webhook/"

244 indexArgs := struct {

245 WebapiDocsURL string

246 WebhookDocsURL string

247 Methods []string

248 }{webapiDocsURL, webhookDocsURL, methods}

249 var b bytes.Buffer

250 err := docsIndexTmpl.Execute(&b, indexArgs)

251 if err != nil {

252 panic("executing api docs index template: " + err.Error())

253 }

254 docsIndex = b.Bytes()

255

256 mox.NewWebapiHandler = func(maxMsgSize int64, basePath string, isForwarded bool) http.Handler {

257 return NewServer(maxMsgSize, basePath, isForwarded)

258 }

259}

260

261// NewServer returns a new http.Handler for a webapi server.

262func NewServer(maxMsgSize int64, path string, isForwarded bool) http.Handler {

263 return server{maxMsgSize, path, isForwarded}

264}

265

266// server implements the webapi methods.

267type server struct {

268 maxMsgSize int64 // Of outgoing messages.

269 path string // Path webapi is configured under, typically /webapi/, with methods at /webapi/v0/<method>.

270 isForwarded bool // Whether incoming requests are reverse-proxied. Used for getting remote IPs for rate limiting.

271}

272

273var _ webapi.Methods = server{}

274

275// ServeHTTP implements http.Handler.

276func (s server) ServeHTTP(w http.ResponseWriter, r *http.Request) {

277 log := pkglog.WithContext(r.Context()) // Take cid from webserver.

278

279 // Send requests to /webapi/ to /webapi/v0/.

280 if r.URL.Path == "/" {

281 if r.Method != "GET" {

282 http.Error(w, "405 - method not allow", http.StatusMethodNotAllowed)

283 return

284 }

285 http.Redirect(w, r, s.path+"v0/", http.StatusSeeOther)

286 return

287 }

288 // Serve short introduction and list to methods at /webapi/v0/.

289 if r.URL.Path == "/v0/" {

290 w.Header().Set("Content-Type", "text/html; charset=utf-8")

291 w.Write(docsIndex)

292 return

293 }

294

295 // Anything else must be a method endpoint.

296 if !strings.HasPrefix(r.URL.Path, "/v0/") {

297 http.NotFound(w, r)

298 return

299 }

300 fn := r.URL.Path[len("/v0/"):]

301 log = log.With(slog.String("method", fn))

302 rfn := reflect.ValueOf(s).MethodByName(fn)

303 var zero reflect.Value

304 if rfn == zero || rfn.Type().NumIn() != 2 || rfn.Type().NumOut() != 2 {

305 log.Debug("unknown webapi method")

306 http.NotFound(w, r)

307 return

308 }

309

310 // GET on method returns an example request JSON, a button to call the method,

311 // which either fills a textarea with the response (in case of JSON) or posts to

312 // the URL letting the browser handle the response (e.g. raw message or part).

313 if r.Method == "GET" {

314 formatJSON := func(v any) (string, error) {

315 var b bytes.Buffer

316 enc := json.NewEncoder(&b)

317 enc.SetIndent("", "\t")

318 enc.SetEscapeHTML(false)

319 err := enc.Encode(v)

320 return string(b.String()), err

321 }

322

323 req, err := formatJSON(mox.FillExample(nil, reflect.New(rfn.Type().In(1))).Interface())

324 if err != nil {

325 log.Errorx("formatting request as json", err)

326 http.Error(w, "500 - internal server error - marshal request: "+err.Error(), http.StatusInternalServerError)

327 return

328 }

329 // todo: could check for io.ReadCloser, but we don't return other interfaces than that one.

330 returnsBytes := rfn.Type().Out(0).Kind() == reflect.Interface

331 var resp string

332 if !returnsBytes {

333 resp, err = formatJSON(mox.FillExample(nil, reflect.New(rfn.Type().Out(0))).Interface())

334 if err != nil {

335 log.Errorx("formatting response as json", err)

336 http.Error(w, "500 - internal server error - marshal response: "+err.Error(), http.StatusInternalServerError)

337 return

338 }

339 }

340 args := struct {

341 Method string

342 Request string

343 Response string

344 ReturnsBytes bool

345 }{fn, req, resp, returnsBytes}

346 w.Header().Set("Content-Type", "text/html; charset=utf-8")

347 err = docsMethodTemplate.Execute(w, args)

348 log.Check(err, "executing webapi method template")

349 return

350 } else if r.Method != "POST" {

351 http.Error(w, "405 - method not allowed - use get or post", http.StatusMethodNotAllowed)

352 return

353 }

354

355 // Account is available during call, but we close it before we start writing a

356 // response, to prevent slow readers from holding a reference for a long time.

357 var acc *store.Account

358 closeAccount := func() {

359 if acc != nil {

360 err := acc.Close()

361 log.Check(err, "closing account")

362 acc = nil

363 }

364 }

365 defer closeAccount()

366

367 email, password, aok := r.BasicAuth()

368 if !aok {

369 metricResults.WithLabelValues(fn, "badauth").Inc()

370 log.Debug("missing http basic authentication credentials")

371 w.Header().Set("WWW-Authenticate", "Basic realm=webapi")

372 http.Error(w, "401 - unauthorized - use http basic auth with email address as username", http.StatusUnauthorized)

373 return

374 }

375 log = log.With(slog.String("username", email))

376

377 t0 := time.Now()

378

379 // If remote IP/network resulted in too many authentication failures, refuse to serve.

380 remoteIP := webauth.RemoteIP(log, s.isForwarded, r)

381 if remoteIP == nil {

382 metricResults.WithLabelValues(fn, "internal").Inc()

383 log.Debug("cannot find remote ip for rate limiter")

384 http.Error(w, "500 - internal server error - cannot find remote ip", http.StatusInternalServerError)

385 return

386 }

387 if !mox.LimiterFailedAuth.CanAdd(remoteIP, t0, 1) {

388 metrics.AuthenticationRatelimitedInc("webapi")

389 log.Debug("refusing connection due to many auth failures", slog.Any("remoteip", remoteIP))

390 http.Error(w, "429 - too many auth attempts", http.StatusTooManyRequests)

391 return

392 }

393

394 writeError := func(err webapi.Error) {

395 closeAccount()

396 metricResults.WithLabelValues(fn, err.Code).Inc()

397

398 if err.Code == "server" {

399 log.Errorx("webapi call result", err, slog.String("resultcode", err.Code))

400 } else {

401 log.Infox("webapi call result", err, slog.String("resultcode", err.Code))

402 }

403

404 w.Header().Set("Content-Type", "application/json; charset=utf-8")

405 w.WriteHeader(http.StatusBadRequest)

406 enc := json.NewEncoder(w)

407 enc.SetEscapeHTML(false)

408 werr := enc.Encode(err)

409 log.Check(werr, "writing error response")

410 }

411

412 // Called for all successful JSON responses, not non-JSON responses.

413 writeResponse := func(resp any) {

414 closeAccount()

415 metricResults.WithLabelValues(fn, "ok").Inc()

416 log.Debug("webapi call result", slog.String("resultcode", "ok"))

417 w.Header().Set("Content-Type", "application/json; charset=utf-8")

418 enc := json.NewEncoder(w)

419 enc.SetEscapeHTML(false)

420 werr := enc.Encode(resp)

421 log.Check(werr, "writing error response")

422 }

423

424 la := loginAttempt(remoteIP.String(), r, "webapi", "httpbasic")

425 la.LoginAddress = email

426 defer func() {

427 store.LoginAttemptAdd(context.Background(), log, la)

428 metricDuration.WithLabelValues(fn).Observe(float64(time.Since(t0)) / float64(time.Second))

429 }()

430

431 var err error

432 acc, la.AccountName, err = store.OpenEmailAuth(log, email, password, true)

433 if err != nil {

434 mox.LimiterFailedAuth.Add(remoteIP, t0, 1)

435 if errors.Is(err, mox.ErrDomainNotFound) || errors.Is(err, mox.ErrAddressNotFound) || errors.Is(err, store.ErrUnknownCredentials) || errors.Is(err, store.ErrLoginDisabled) {

436 log.Debug("bad http basic authentication credentials")

437 metricResults.WithLabelValues(fn, "badauth").Inc()

438 la.Result = store.AuthBadCredentials

439 msg := "use http basic auth with email address as username"

440 if errors.Is(err, store.ErrLoginDisabled) {

441 la.Result = store.AuthLoginDisabled

442 msg = "login is disabled for this account"

443 }

444 w.Header().Set("WWW-Authenticate", "Basic realm=webapi")

445 http.Error(w, "401 - unauthorized - "+msg, http.StatusUnauthorized)

446 return

447 }