Merge pull request #336 from DefangLabs/linda-nounly-go

Nounly Sample

Author: commit111

.github/workflows/deploy-changed-samples.yml

@@ -92,12 +92,14 @@ jobs:
           TEST_NC_S3_ACCESS_SECRET: ${{ secrets.TEST_NC_S3_ACCESS_SECRET }}
           TEST_OPENAI_KEY: ${{ secrets.TEST_OPENAI_KEY }}
           TEST_POSTGRES_PASSWORD: ${{ secrets.TEST_POSTGRES_PASSWORD }}
+          TEST_PROJECT_HONEYPOT_KEY: ${{ secrets.TEST_PROJECT_HONEYPOT_KEY}}
           TEST_QUEUE: ${{ secrets.TEST_QUEUE }}
           TEST_SECRET_KEY: ${{ secrets.TEST_SECRET_KEY }}
           TEST_SECRET_KEY_BASE: ${{ secrets.TEST_SECRET_KEY_BASE }}
           TEST_SESSION_SECRET: ${{ secrets.TEST_SESSION_SECRET }}
           TEST_SLACK_CHANNEL_ID: ${{ secrets.TEST_SLACK_CHANNEL_ID }}
           TEST_SLACK_TOKEN: ${{ secrets.TEST_SLACK_TOKEN }}
+          TEST_SHARED_SECRETS: ${{ secrets.TEST_SHARED_SECRETS}}
           TEST_ALLOWED_HOSTS: ${{ secrets.TEST_ALLOWED_HOSTS }}
         run: |
           SAMPLES=$(sed 's|^samples/||' changed_samples.txt | paste -s -d ',' -)

samples/nounly/.dockerignore

@@ -0,0 +1,27 @@
+# Default .dockerignore file for Defang
+**/__pycache__
+**/.direnv
+**/.DS_Store
+**/.envrc
+**/.git
+**/.github
+**/.idea
+**/.next
+**/.vscode
+**/compose.*.yaml
+**/compose.*.yml
+**/compose.yaml
+**/compose.yml
+**/docker-compose.*.yaml
+**/docker-compose.*.yml
+**/docker-compose.yaml
+**/docker-compose.yml
+**/node_modules
+**/Thumbs.db
+Dockerfile
+*.Dockerfile
+# Ignore our own binary, but only in the root to avoid ignoring subfolders
+defang
+defang.exe
+# Ignore our project-level state
+.defang

samples/nounly/.github/workflows/deploy.yaml

@@ -0,0 +1,26 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  deploy:
+    environment: playground
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@v4
+
+    - name: Deploy
+      uses: DefangLabs/[email protected]
+      with:
+        config-env-vars: PROJECT_HONEYPOT_KEY SHARED_SECRETS
+      env:
+        PROJECT_HONEYPOT_KEY: ${{ secrets.PROJECT_HONEYPOT_KEY }}
+        SHARED_SECRETS: ${{ secrets.SHARED_SECRETS }}

samples/nounly/.gitignore

@@ -0,0 +1 @@
+dump.rdb

samples/nounly/Dockerfile

@@ -0,0 +1,28 @@
+# syntax=docker/dockerfile:1.4
+ARG GOVERSION=1.22
+ARG BASE=busybox # for wget healtcheck
+
+FROM --platform=${BUILDPLATFORM} golang:${GOVERSION} AS build
+# These two are automatically set by docker buildx
+ARG TARGETARCH
+ARG TARGETOS
+WORKDIR /src
+COPY --link go.mod go.sum* ./
+ARG GOPRIVATE=github.com/lionello/nounly-go
+RUN go mod download
+ARG GOSRC=.
+COPY --link ${GOSRC} ./
+# RUN go test -v ./... FIXME: "no required module provides package github.com/defang-io/defang-mvp/fabric/internal/util_test"
+ARG BUILD=./cmd/server
+ARG VERSION
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -trimpath -buildvcs=false -ldflags="-w -s -X \"main.version=${VERSION}\"" -o /server "${BUILD}"
+
+FROM --platform=${TARGETPLATFORM} ${BASE}
+# RUN apk add --update curl ca-certificates && rm -rf /var/cache/apk* # Certificates for SSL
+ARG PORT=80
+ENV PORT=$PORT
+COPY --link --from=build /server /server
+COPY --link ./public /public
+ENTRYPOINT [ "/server" ]
+EXPOSE $PORT
+# USER nobody

samples/nounly/README.md

@@ -0,0 +1,72 @@
+# Nounly
+
+[![1-click-deploy](https://defang.io/deploy-with-defang.png)](https://portal.defang.dev/redirect?url=https%3A%2F%2Fgithub.com%2Fnew%3Ftemplate_name%3Dsample-nounly-template%26template_owner%3DDefangSamples)
+
+Nounly (also known as Noun.ly) is a URL shortener website built with Go, JavaScript and Redis, and can be deployed with Defang as a sample.
+
+The URL shortener appends a noun to the end of a Defang-deployed URL to create the new shortened URL. For reference, you can view the real [Noun.ly](https://noun.ly/) website here.
+
+_"Share the web through words."_ - Creator of Nounly
+
+## Prerequisites
+
+1. Download [Defang CLI](https://github.com/DefangLabs/defang)
+2. (Optional) If you are using [Defang BYOC](https://docs.defang.io/docs/concepts/defang-byoc) authenticate with your cloud provider account
+3. (Optional for local development) [Docker CLI](https://docs.docker.com/engine/install/)
+
+## Development
+
+To run the application locally, you can use the following command:
+
+```bash
+docker compose up --build
+```
+
+## Configuration
+
+For this sample, you will need to provide the following [configuration](https://docs.defang.io/docs/concepts/configuration):
+
+> Note that if you are using the 1-click deploy option, you can set these values as secrets in your GitHub repository and the action will automatically deploy them for you.
+
+### `PROJECT_HONEYPOT_KEY`
+
+A [Project Honey Pot API](https://www.projecthoneypot.org/index.php) key that is used for anti-spamming. It is optional, but please include a non-empty string value.
+
+```bash
+defang config set PROJECT_HONEYPOT_KEY
+```
+
+### `SHARED_SECRETS`
+
+A JSON object string of shared secrets that are used for API clients. It is optional, and the default value is `{}` if you do not have any shared secrets.
+
+```bash
+defang config set SHARED_SECRETS
+```
+
+## Deployment
+
+> [!NOTE]
+> Download [Defang CLI](https://github.com/DefangLabs/defang)
+
+### Defang Playground
+
+Deploy your application to the Defang Playground by opening up your terminal and typing:
+
+```bash
+defang compose up
+```
+
+### BYOC
+
+If you want to deploy to your own cloud account, you can [use Defang BYOC](https://docs.defang.io/docs/tutorials/deploy-to-your-cloud).
+
+---
+
+Title: Nounly
+
+Short Description: A URL shortener website built with Go, JavaScript, and Redis.
+
+Tags: Go, JavaScript, Redis, URL shortener
+
+Languages: golang, javascript

samples/nounly/cmd/server/api/auth.go

@@ -0,0 +1,65 @@
+package api
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+)
+
+// TODO: store these in a key-value store (redis)
+var sharedSecrets = map[string][]byte{}
+
+func init() {
+	if val := os.Getenv("SHARED_SECRETS"); val != "" {
+		if err := json.Unmarshal([]byte(val), &sharedSecrets); err != nil {
+			panic(err)
+		}
+	}
+}
+
+func checkAuth(r *http.Request) bool {
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		return false
+	}
+
+	token, ok := strings.CutPrefix(authHeader, "SharedKey ")
+	if !ok {
+		return false
+	}
+
+	parts := strings.SplitN(token, ":", 2)
+	sharedSecret := sharedSecrets[parts[0]]
+	if len(parts) != 2 || sharedSecret == nil {
+		return false
+	}
+
+	date := r.Header.Get("x-date")
+	if date == "" {
+		date = r.Header.Get("Date")
+	}
+	if !VerifyDate(date, time.Now()) {
+		return false
+	}
+
+	if sign(sharedSecret, r.Method, date, r.RequestURI) != parts[1] {
+		return false
+	}
+
+	// TODO: set CORS headers to allow authorized access from anywhere
+	return true
+}
+
+func signRaw(secret, fields []byte) string {
+	hmac := hmac.New(sha256.New, secret)
+	return base64.StdEncoding.EncodeToString(hmac.Sum(fields))
+}
+
+func sign(secret []byte, fields ...string) string {
+	return signRaw(secret, []byte(strings.Join(fields, "\n")))
+}

samples/nounly/cmd/server/api/utils.go

@@ -0,0 +1,36 @@
+package api
+
+import (
+	"net"
+	"net/http"
+	"strings"
+	"time"
+)
+
+const clockSkew = 5 * time.Minute
+
+func GetClientIP(req *http.Request) string {
+	// get the client IP from the proxy (if any); TODO: prevent spoofing
+	xff := req.Header.Get("x-forwarded-for")
+	if xff != "" {
+		comma := strings.Index(xff, ",")
+		if comma == -1 {
+			return canonicalIP(xff)
+		}
+		return canonicalIP(xff[:comma])
+	}
+	return canonicalIP(strings.SplitN(req.RemoteAddr, ":", 2)[0])
+}
+
+func canonicalIP(ip string) string {
+	return net.ParseIP(ip).String()
+}
+
+func VerifyDate(dateHeader string, now time.Time) bool {
+	date, err := time.Parse(time.RFC3339, dateHeader)
+	if err != nil {
+		return false
+	}
+	diff := now.Sub(date)
+	return diff > -clockSkew && diff < clockSkew
+}

samples/nounly/cmd/server/api/utils_test.go

@@ -0,0 +1,66 @@
+package api
+
+import (
+	"testing"
+	"time"
+)
+
+func TestCanonicalIP(t *testing.T) {
+	tests := []struct {
+		ip   string
+		want string
+	}{
+		{"::ffff:83.90.47.30", "83.90.47.30"},
+		{"83.90.47.30", "83.90.47.30"},
+		{"fe80::676d:489:1f16:2c1", "fe80::676d:489:1f16:2c1"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.ip, func(t *testing.T) {
+			if got := canonicalIP(tt.ip); got != tt.want {
+				t.Errorf("canonicalIP() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestVerifyDate(t *testing.T) {
+	now := time.Date(2023, 1, 13, 17, 51, 0, 0, time.UTC)
+	tests := []struct {
+		date string
+		now  time.Time
+		want bool
+	}{
+		{
+			date: "2023-01-13T17:51:09.583Z",
+			want: true,
+		},
+		{
+			date: "2023-01-13T17:59:09.583Z",
+			want: false,
+		},
+		{
+			date: "2020-01-01T17:59:09.583Z",
+			want: false,
+		},
+		{
+			date: "invalid date",
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.date, func(t *testing.T) {
+			if got := VerifyDate(tt.date, now); got != tt.want {
+				t.Errorf("verifyDate() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestSign(t *testing.T) {
+	secret := []byte("secret")
+	fields := []string{"GET", "2023-01-13T17:51:09.583Z", "/api/v1/urls"}
+	want := "R0VUCjIwMjMtMDEtMTNUMTc6NTE6MDkuNTgzWgovYXBpL3YxL3VybHP55m4Xm2dHrlQQj4L4reizwl12/TCv3mw5WCLFMBlhaQ=="
+	if got := sign(secret, fields...); got != want {
+		t.Errorf("sign() = %v, want %v", got, want)
+	}
+}