package api import ( "encoding/json" "io/fs" "net/http" "net/http/httputil" "net/url" "github.com/go-chi/chi/v5" chimiddleware "github.com/go-chi/chi/v5/middleware" "github.com/go-chi/cors" "github.com/gorilla/sessions" "xorm.io/xorm" "github.com/forgeo/forgebucket/internal/api/handlers" "github.com/forgeo/forgebucket/internal/api/middleware" "github.com/forgeo/forgebucket/internal/config" ) func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFiles fs.FS) http.Handler { r := chi.NewRouter() r.Use(chimiddleware.Logger) r.Use(chimiddleware.RealIP) r.Use(chimiddleware.Recoverer) r.Use(cors.Handler(cors.Options{ AllowedOrigins: []string{"http://localhost:5173", cfg.InstanceURL}, AllowedMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}, AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"}, AllowCredentials: true, MaxAge: 300, })) csrf := middleware.CSRF(!cfg.Debug) auth := middleware.NewAuth(store) repoH := handlers.NewRepoHandler(engine, cfg) userH := handlers.NewUserHandler(engine, store) prH := handlers.NewPRHandler(engine) pipeH := handlers.NewPipelineHandler(engine) wsH := handlers.NewWSHandler() r.Route("/api/v1", func(r chi.Router) { // ── Public ──────────────────────────────────────────────────────────── r.Get("/health", func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/json") w.Write([]byte(`{"status":"ok"}`)) }) // Generates a CSRF token + cookie. SPA calls this once on load. r.Get("/csrf", func(w http.ResponseWriter, r *http.Request) { token, err := middleware.NewCSRFToken(w, !cfg.Debug) if err != nil { http.Error(w, `{"error":"could not generate CSRF token"}`, http.StatusInternalServerError) return } w.Header().Set("Content-Type", "application/json") json.NewEncoder(w).Encode(map[string]string{"token": token}) }) // ── Auth (CSRF validated, no session required) ───────────────────────── r.With(csrf).Post("/auth/register", userH.Register) r.With(csrf).Post("/auth/login", userH.Login) r.With(csrf).Post("/auth/logout", userH.Logout) // ── Protected (session + CSRF for mutations) ────────────────────────── r.Group(func(r chi.Router) { r.Use(auth.Require) r.Get("/me", userH.Me) r.Route("/repos", func(r chi.Router) { r.Get("/", repoH.List) r.With(csrf).Post("/", repoH.Create) r.Route("/{owner}/{repo}", func(r chi.Router) { r.Get("/", repoH.Get) r.Get("/tree", repoH.Tree) r.Get("/blob", repoH.Blob) r.Get("/commits", repoH.Commits) r.Get("/diff", repoH.Diff) r.Route("/pulls", func(r chi.Router) { r.Get("/", prH.List) r.With(csrf).Post("/", prH.Create) r.Get("/{prID}", prH.Get) r.With(csrf).Post("/{prID}/merge", prH.Merge) r.With(csrf).Post("/{prID}/close", prH.Close) }) r.Route("/pipelines", func(r chi.Router) { r.Get("/", pipeH.List) r.Get("/{runID}", pipeH.Get) }) }) }) }) }) r.With(auth.Optional).Get("/ws", wsH.Hub) // In debug mode proxy non-API routes to the Vite dev server so :8080 works too. // In production the built React app is embedded and served from staticFiles. if cfg.Debug { r.Handle("/*", viteProxy("http://localhost:5173")) } else { r.Handle("/*", spaHandler(staticFiles)) } return r } func viteProxy(target string) http.Handler { proxy := &httputil.ReverseProxy{ Rewrite: func(r *httputil.ProxyRequest) { r.SetURL(mustParseURL(target)) r.Out.Host = r.In.Host }, } return proxy } func mustParseURL(raw string) *url.URL { u, err := url.Parse(raw) if err != nil { panic(err) } return u } func spaHandler(staticFiles fs.FS) http.Handler { fileServer := http.FileServer(http.FS(staticFiles)) return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { _, err := staticFiles.Open(r.URL.Path) if err != nil { r.URL.Path = "/" } fileServer.ServeHTTP(w, r) }) }