Correctly handle user cookies + support CloudLinux PHP Selector plugin

Author: wolveix

README.md

@@ -1,13 +1,18 @@
 # DirectAdmin Go SDK
+
 Interface with a DirectAdmin installation using Go.
 
-This library supports both the legacy/default DirectAdmin API, as well as their new modern API that's still in active development.
+This library supports both the legacy/default DirectAdmin API, and their new modern API still in active development.
 
-**Note: This is in an experimental state. While it's being used in production, the library is very likely to change (especially in-line with DA's own changes). DA features are being added as needed on our end, but PRs are always welcome!**
+**Note: This is in an experimental state. While it's being used in production, the library is very likely to change (
+especially in-line with DA's own changes). DA features are being added as needed on our end, but PRs are always welcome!
+**
 
-**If you wonder why something has been handled in an unusual way, it's most likely a workaround required by one of DA's many quirks.**
+**If you wonder why something has been handled unusually, it's most likely a workaround required by one of DA's many 
+quirks.**
 
 ## Login as Admin / Reseller / User
+
 To open a session as an admin/reseller/user, follow the following code block:
 
 ```go
@@ -16,7 +21,6 @@ package main
 import (
 	"time"
 
-	"github.com/goccy/go-json"
 	"github.com/levelzerotechnology/directadmin-go"
 )
 
@@ -43,20 +47,22 @@ func main() {
 From here, you can call user functions via `userCtx`.
 
 For example, if you wanted to print each of your databases to your terminal:
+
 ```go
 dbs, err := userCtx.GetDatabases()
 if err != nil {
-	log.Fatalln(err)
+log.Fatalln(err)
 }
 
 for _, db := range dbs {
-	fmt.Println(db.Name)
+fmt.Println(db.Name)
 }
 ```
 
 ## Roadmap
 
-- [ ] Cleanup repo structure (e.g. redis actions being within `admin.go` could go into a dedicated `redis.go` file perhaps)
+- [ ] Cleanup repo structure (e.g. redis actions being within `admin.go` could go into a dedicated `redis.go` file
+  perhaps)
 - [ ] Explore DA's new API's update versions of old functions (e.g. user config/usage)
 - [ ] Implement testing for all functions
 - [ ] Reach stable v1.0

admin.go

@@ -35,7 +35,7 @@ func (c *AdminContext) ConvertUserToReseller(username string) error {
 }
 
 func (c *AdminContext) DisableRedis() error {
-	var response apiGenericResponseN
+	var response apiGenericResponseNew
 
 	if _, err := c.makeRequestNew(http.MethodPost, "redis/disable", nil, &response); err != nil {
 		return err
@@ -45,7 +45,7 @@ func (c *AdminContext) DisableRedis() error {
 }
 
 func (c *AdminContext) EnableRedis() error {
-	var response apiGenericResponseN
+	var response apiGenericResponseNew
 
 	if _, err := c.makeRequestNew(http.MethodPost, "redis/enable", nil, &response); err != nil {
 		return err
@@ -85,7 +85,7 @@ func (c *AdminContext) MoveUserToReseller(username string, reseller string) erro
 }
 
 func (c *AdminContext) RestartDirectAdmin() error {
-	var response apiGenericResponseN
+	var response apiGenericResponseNew
 
 	if _, err := c.makeRequestNew(http.MethodPost, "restart", nil, &response); err != nil {
 		return err
@@ -95,7 +95,7 @@ func (c *AdminContext) RestartDirectAdmin() error {
 }
 
 func (c *AdminContext) UpdateDirectAdmin() error {
-	var response apiGenericResponseN
+	var response apiGenericResponseNew
 
 	if _, err := c.makeRequestNew(http.MethodPost, "version/update", nil, &response); err != nil {
 		return err

auth.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/http/cookiejar"
 	"strings"
 	"time"
 )
@@ -43,16 +44,6 @@ func (c *UserContext) CreateLoginURL(loginKeyURL *LoginKeyURL) error {
 	return nil
 }
 
-func (c *UserContext) GetLoginURLs() ([]*LoginKeyURL, error) {
-	var loginKeyURLs []*LoginKeyURL
-
-	if _, err := c.makeRequestNew(http.MethodGet, "login-keys/urls", nil, &loginKeyURLs); err != nil {
-		return nil, fmt.Errorf("failed to get login URLs: %w", err)
-	}
-
-	return loginKeyURLs, nil
-}
-
 func (c *AdminContext) GetLoginHistory() ([]*LoginHistory, error) {
 	var loginHistory []*LoginHistory
 
@@ -67,10 +58,20 @@ func (c *AdminContext) GetLoginHistory() ([]*LoginHistory, error) {
 	return loginHistory, nil
 }
 
+func (c *UserContext) GetLoginURLs() ([]*LoginKeyURL, error) {
+	var loginKeyURLs []*LoginKeyURL
+
+	if _, err := c.makeRequestNew(http.MethodGet, "login-keys/urls", nil, &loginKeyURLs); err != nil {
+		return nil, fmt.Errorf("failed to get login URLs: %w", err)
+	}
+
+	return loginKeyURLs, nil
+}
+
 // GetMyUsername returns the current user's username. This is particularly useful when logging in as another user, as it
 // trims the admin/reseller username automatically
 func (c *UserContext) GetMyUsername() string {
-	// if user is logged in via reseller, we need to remove the reseller username from the context's username
+	// If the user is logged in via reseller, we need to remove the reseller username from the context's username.
 	if strings.Contains(c.credentials.username, "|") {
 		return strings.Split(c.credentials.username, "|")[1]
 	}
@@ -156,15 +157,21 @@ func (c *ResellerContext) LoginAsMyUser(username string) (*UserContext, error) {
 }
 
 func (a *API) login(username string, passkey string) (*UserContext, error) {
+	jar, err := cookiejar.New(nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create cookie jar: %w", err)
+	}
+
 	userCtx := UserContext{
-		api: a,
+		api:       a,
+		cookieJar: jar,
 		credentials: credentials{
 			username: username,
 			passkey:  passkey,
 		},
 	}
 
-	if err := userCtx.Login(); err != nil {
+	if err = userCtx.Login(); err != nil {
 		return nil, err
 	}
 

directadmin.go

@@ -16,53 +16,55 @@ const (
 
 type API struct {
 	cache struct {
-		domains            map[string]Domain // domain name is key
+		domains            map[string]Domain // Domain name is key.
 		domainsMutex       *sync.Mutex
-		emailAccounts      map[string]EmailAccount // domain name is key
+		emailAccounts      map[string]EmailAccount // Domain name is key.
 		emailAccountsMutex *sync.Mutex
-		packages           map[string]Package // package name is key
+		packages           map[string]Package // Package name is key.
 		packagesMutex      *sync.Mutex
-		users              map[string]User // username is key
+		users              map[string]User // Username is key.
 		usersMutex         *sync.Mutex
 	}
 	cacheEnabled bool
 	debug        bool
 	httpClient   *http.Client
+	parsedURL    *url.URL
 	timeout      time.Duration
 	url          string
 }
 
-type apiGenericResponse struct {
-	Error   string `json:"error,omitempty"`
-	Result  string `json:"result,omitempty"`
-	Success string `json:"success,omitempty"`
-}
+type (
+	apiGenericResponse struct {
+		Error   string `json:"error,omitempty"`
+		Result  string `json:"result,omitempty"`
+		Success string `json:"success,omitempty"`
+	}
 
-type apiGenericResponseN struct {
-	Message string `json:"message"`
-	Type    string `json:"type"`
-}
+	apiGenericResponseNew struct {
+		Message string `json:"message"`
+		Type    string `json:"type"`
+	}
+)
 
-// TODO: implement caching layer which can be enabled/disabled on New()
-// essentially, for domains it'd have map[string]Domain at the API level
-// then if any user called from the API, it would check the cache first
-// would either need a cache lifetime field added to domains, or
-// add an additional map for lifetime checks
+// TODO: implement caching layer which can be enabled/disabled on New() essentially, for domains it'd have
+// map[string]Domain at the API level then if any user called from the API, it would check the cache first would either
+// need a cache lifetime field added to domains, or add an additional map for lifetime checks.
 
 func New(serverUrl string, timeout time.Duration, cacheEnabled bool, debug bool) (*API, error) {
-	parsedUrl, err := url.ParseRequestURI(serverUrl)
+	parsedURL, err := url.ParseRequestURI(serverUrl)
 	if err != nil {
 		return nil, err
 	}
 
-	if parsedUrl.Host == "" {
+	if parsedURL.Host == "" {
 		return nil, errors.New("invalid host provided, ensure that the host is a full URL e.g. https://your-ip-address:2222")
 	}
 
 	api := API{
 		cacheEnabled: cacheEnabled,
 		debug:        debug,
-		url:          parsedUrl.String(),
+		parsedURL:    parsedURL,
+		url:          parsedURL.String(),
 	}
 
 	if cacheEnabled {

domain.go

@@ -20,7 +20,7 @@ type Domain struct {
 	DiskQuota          int      `json:"diskQuota" yaml:"diskQuota"`
 	DiskUsage          int      `json:"diskUsage" yaml:"diskUsage"`
 	Domain             string   `json:"domain" yaml:"domain"`
-	IpAddresses        []string `json:"ipAddresses" yaml:"ipAddresses"`
+	IPAddresses        []string `json:"ipAddresses" yaml:"ipAddresses"`
 	ModSecurityEnabled bool     `json:"modSecurityEnabled" yaml:"modSecurityEnabled"`
 	OpenBaseDirEnabled bool     `json:"openBaseDirEnabled" yaml:"openBaseDirEnabled"`
 	PhpEnabled         bool     `json:"phpEnabled" yaml:"phpEnabled"`

domain_raw.go

@@ -46,7 +46,7 @@ func (d *Domain) translate() (domain rawDomain) {
 		DiskQuota:          reverseParseNum(d.DiskQuota, false),
 		DiskUsage:          reverseParseNum(d.DiskUsage, true),
 		Domain:             d.Domain,
-		IpAddresses:        d.IpAddresses,
+		IpAddresses:        d.IPAddresses,
 		OpenBaseDirEnabled: reverseParseOnOff(d.OpenBaseDirEnabled, false),
 		PhpEnabled:         reverseParseOnOff(d.PhpEnabled, false),
 		SafeMode:           reverseParseOnOff(d.SafeMode, false),
@@ -83,7 +83,7 @@ func (d *rawDomain) translate() (domain Domain) {
 		DiskQuota:          parseNum(d.DiskQuota),
 		DiskUsage:          parseNum(d.DiskUsage),
 		Domain:             d.Domain,
-		IpAddresses:        d.IpAddresses,
+		IPAddresses:        d.IpAddresses,
 		ModSecurityEnabled: parseOnOff(d.ExtraData.ModSecurityEnabled),
 		OpenBaseDirEnabled: parseOnOff(d.OpenBaseDirEnabled),
 		PhpEnabled:         parseOnOff(d.PhpEnabled),

http.go

@@ -17,18 +17,52 @@ type httpDebug struct {
 	Body          string
 	BodyTruncated bool
 	Code          int
+	Cookies       []string
 	Endpoint      string
+	Method        string
 	Start         time.Time
 }
 
+func (c *UserContext) getRequestURLNew(endpoint string) string {
+	return fmt.Sprintf("%s/api/%s", c.api.url, endpoint)
+}
+
+func (c *UserContext) getRequestURLOld(endpoint string) string {
+	return fmt.Sprintf("%s/CMD_%s", c.api.url, endpoint)
+}
+
 // makeRequest is the underlying function for HTTP requests. It handles debugging statements, and simple error handling
 func (c *UserContext) makeRequest(req *http.Request) ([]byte, error) {
+	var debugCookies []string
+
+	cookiesToSet := c.cookieJar.Cookies(req.URL)
+	sessionCookieSet := false
+	for _, cookie := range cookiesToSet {
+		req.AddCookie(cookie)
+
+		if cookie.Name == "csrftoken" {
+			req.Header.Set("X-CSRFToken", cookie.Value)
+		} else if cookie.Name == "session" {
+			sessionCookieSet = true
+		}
+
+		if c.api.debug {
+			debugCookies = append(debugCookies, cookie.String())
+		}
+	}
+
 	debug := httpDebug{
+		Cookies:  debugCookies,
 		Endpoint: getPathWithQuery(req),
+		Method:   req.Method,
 		Start:    time.Now(),
 	}
 	defer c.api.printDebugHTTP(&debug)
 
+	if !sessionCookieSet {
+		req.SetBasicAuth(c.credentials.username, c.credentials.passkey)
+	}
+
 	resp, err := c.api.httpClient.Do(req)
 	if err != nil {
 		return nil, err
@@ -39,12 +73,9 @@ func (c *UserContext) makeRequest(req *http.Request) ([]byte, error) {
 		debug.Code = resp.StatusCode
 	}
 
-	// exists solely for user session switching when logging in as a user under a reseller
+	// Required for plugin usage in particular (session and csrf token cookies).
 	for _, cookie := range resp.Cookies() {
-		if cookie.Name == "session" {
-			c.sessionID = cookie.Value
-			break
-		}
+		c.cookieJar.SetCookies(req.URL, []*http.Cookie{cookie})
 	}
 
 	var responseBytes []byte
@@ -85,7 +116,7 @@ func (c *UserContext) makeRequestNew(method string, endpoint string, body any, o
 		}
 	}
 
-	req, err := http.NewRequest(strings.ToUpper(method), c.api.url+"/api/"+endpoint, bytes.NewBuffer(bodyBytes))
+	req, err := http.NewRequest(strings.ToUpper(method), c.getRequestURLNew(endpoint), bytes.NewBuffer(bodyBytes))
 	if err != nil {
 		return nil, fmt.Errorf("error creating request: %w", err)
 	}
@@ -96,12 +127,6 @@ func (c *UserContext) makeRequestNew(method string, endpoint string, body any, o
 	req.Header.Set("Referer", c.api.url)
 	req.URL.RawQuery = query.Encode()
 
-	if c.sessionID != "" {
-		req.AddCookie(&http.Cookie{Name: "session", Value: c.sessionID})
-	} else {
-		req.SetBasicAuth(c.credentials.username, c.credentials.passkey)
-	}
-
 	resp, err := c.makeRequest(req)
 	if err != nil {
 		return nil, fmt.Errorf("error making request: %w", err)
@@ -118,7 +143,7 @@ func (c *UserContext) makeRequestNew(method string, endpoint string, body any, o
 
 // makeRequestOld supports DirectAdmin's old API
 func (c *UserContext) makeRequestOld(method string, endpoint string, body url.Values, object any) ([]byte, error) {
-	req, err := http.NewRequest(strings.ToUpper(method), c.api.url+"/CMD_"+endpoint, strings.NewReader(body.Encode()))
+	req, err := http.NewRequest(strings.ToUpper(method), c.getRequestURLOld(endpoint), strings.NewReader(body.Encode()))
 	if err != nil {
 		return nil, fmt.Errorf("error creating request: %w", err)
 	}
@@ -130,12 +155,6 @@ func (c *UserContext) makeRequestOld(method string, endpoint string, body url.Va
 	req.Header.Set("Referer", c.api.url)
 	req.URL.RawQuery = query.Encode()
 
-	if c.sessionID != "" {
-		req.AddCookie(&http.Cookie{Name: "session", Value: c.sessionID})
-	} else {
-		req.SetBasicAuth(c.credentials.username, c.credentials.passkey)
-	}
-
 	var genericResponse apiGenericResponse
 
 	resp, err := c.makeRequest(req)
@@ -172,7 +191,6 @@ func (c *UserContext) uploadFile(method string, endpoint string, data []byte, ob
 	req.Header.Set("Accept", "application/json")
 	req.Header.Set("Content-Type", contentType)
 	req.Header.Set("Referer", c.api.url)
-	req.SetBasicAuth(c.credentials.username, c.credentials.passkey)
 	req.URL.RawQuery = query.Encode()
 
 	resp, err := c.makeRequest(req)
@@ -196,7 +214,7 @@ func (a *API) printDebugHTTP(debug *httpDebug) {
 			bodyTruncated = " (truncated)"
 		}
 
-		fmt.Printf("\nENDPOINT: %v\nSTATUS CODE: %v\nTIME STARTED: %v\nTIME ENDED: %v\nTIME TAKEN: %v\nBODY%s: %v\n", debug.Endpoint, debug.Code, debug.Start, time.Now(), time.Since(debug.Start), bodyTruncated, debug.Body)
+		fmt.Printf("\nENDPOINT: %v %v\nSTATUS CODE: %v\nTIME STARTED: %v\nTIME ENDED: %v\nTIME TAKEN: %v\nCOOKIES: %s\nRESP BODY%s: %v\n", debug.Method, debug.Endpoint, debug.Code, debug.Start, time.Now(), time.Since(debug.Start), strings.Join(debug.Cookies, ";"), bodyTruncated, debug.Body)
 	}
 }