WhisperMaPhone/thoughts/views.py

import os.path
import uuid
import subprocess
import base64

import magic

from django import forms
from django.shortcuts import render, redirect
from django.utils.crypto import constant_time_compare

from haystack.views import SearchView, search_view_factory
from haystack.query import SearchQuerySet
from haystack.forms import SearchForm

from whispermaphone import settings
from .models import Thought, ThoughtForm, ALLOWED_MEDIA_TYPES
from .pagination import get_all_pages, get_page_slug, get_page

def check_authenticated(request):
    authenticated = False
    try:
        if constant_time_compare(request.COOKIES["password"], settings.PASSWORD):
            authenticated = True
    except KeyError:
        pass
    return authenticated


def index(request):
    authenticated = check_authenticated(request)

    try:
        highlighted_uuid = uuid.UUID(request.GET.get("show", ""))
    except ValueError:
        highlighted_uuid = ""

    ## Figure out what page we're viewing
    pages = get_all_pages()

    requested_slug = request.GET.get("page", default="")
    requested_page = get_page(requested_slug, highlighted_uuid)

    thoughts = requested_page.get_all_entries()

    return render(request, "thoughts/index.html", {
        "thoughts": thoughts,
        "highlighted": highlighted_uuid,
        "authenticated": authenticated,
        "pages": pages,
        "current_page_slug": requested_page.slug,
        "first_page": requested_page.slug == pages[0].slug # if you're viewing the first page
    })


def login(request):
    if check_authenticated(request):
        return redirect("post")

    if request.method == "POST":
        if constant_time_compare(request.POST["password"], settings.PASSWORD):
            res = redirect("post")
            res.set_cookie("password", request.POST["password"], max_age=60*60*24*365) # 1 year
            return res

    # Returning 401 here causes `links` to always prompt for HTTP basic auth, which is annoying.
    # But the alternative is not following the HTTP spec, so I think this is fine.
    return render(request, "thoughts/login.html", status=401)


def post(request):
    if not check_authenticated(request):
        return redirect("login")

    editing = request.GET.get("editing", None)
    try:
        editing_thought = Thought.objects.get(uuid=editing)
        editing_thought.timezone_offset = - editing_thought.timezone_offset / 60
    except Thought.DoesNotExist:
        editing_thought = None

    if request.method == "POST":
        # We post in hours, so we need to convert back to minutes for saving
        # We can pass errors since form.is_valid catches most of them
        # We just need to convert hours to minutes first, because otherwise it errors on non-integer values
        values = request.POST.copy()
        try:
            values["timezone_offset"] = - float(values["timezone_offset"]) * 60
        except (ValueError, KeyError):
            pass

        thought_form = ThoughtForm(values, request.FILES, instance=editing_thought or Thought())

        if not thought_form.is_valid():
            errors = thought_form.errors.as_data()
            # Media formatting errors
            try:
                problem_field = list(errors.keys())[0]
                message = list(errors.values())[0][0].messages[0]
                error_line = f"{problem_field[0].upper()}{problem_field[1:]}: {message}"
            except:
                error_line = f"An unknown error occurred processing your request: {errors}"

            return render(request, "thoughts/post.html", {
                "form": thought_form,
                "form_error": error_line
            }, status=400)

        if editing_thought:
            thought = editing_thought
        else:
            # Create a thought object we can work with
            # But don't save it the DB yet
            thought = thought_form.save(commit=False)

        # Do media processing (already validated)
        if "media" in request.FILES:
            chunk = next(thought.media.chunks(chunk_size=2048))
            media_type = magic.from_buffer(chunk, mime="True")

            thought.media.name = f"{thought.uuid}.{ALLOWED_MEDIA_TYPES[media_type]}"

            if media_type == "audio/x-m4a" or media_type == "audio/x-hx-aac-adts":
                # This is a hack-fix because I want to be able to upload audio
                # In the future, this should be refactored to convert file types
                #   using ffmpeg.js on the client side (so there are 0 security concerns)
                #   and then the backend just has to check a 3 item whitelist
                thought.save()  # Save so that we have a file to work with
                subprocess.run(["ffmpeg",
                                "-i", thought.media.path,
                                "-codec:a", "mp3", "-vn",
                                os.path.join(settings.MEDIA_ROOT, f"{thought.uuid}.mp3")
                                ], check=True)
                os.remove(os.path.join(settings.MEDIA_ROOT, thought.media.name))  # Remove the original file
                thought.media.name = f"{thought.uuid}.mp3"  # Update the file in the DB

        # We need to make sure that if we remove an image, the alt text is removed with it
        if not thought.media:
            thought.media_alt = ""

        # Save for real
        thought.save()

        # Redirect to the same page, so that we make a GET request to /post
        if editing_thought:
            return redirect(editing_thought)
        return redirect("post")

    return render(request, "thoughts/post.html", {
        "form": ThoughtForm(instance=editing_thought) if editing_thought else ThoughtForm(),
        "editing": not not editing_thought,
    })


def about(request):
    return render(request, "thoughts/about.html", {
        "authenticated": check_authenticated(request)
    })

class ThoughtsSearchForm(SearchForm):
    q = forms.CharField(
        required=False,
        widget=forms.TextInput(attrs={"type": "search", "placeholder": "Search query"}),
    )

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)

search = search_view_factory(
    template="thoughts/search/search.html",
    view_class=SearchView,
    form_class=ThoughtsSearchForm,
    searchqueryset=SearchQuerySet().order_by("-posted")
)
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`import os.path`
			`import uuid`
			`import subprocess`
			`import base64`

			`import magic`

Search CSS tweaks * A couple of other minor things 2022-05-16 18:28:47 +00:00			`from django import forms`
Remove JS from login page * Okay so we're not doing HTTP Basic Auth, that was an awful experience with those pop-ups. * But we set the cookie with Django on the server-side, instead of needing JS * So this should improve browser compatibility. No promises. 2022-01-06 20:05:18 +00:00			`from django.shortcuts import render, redirect`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`from django.utils.crypto import constant_time_compare`

Move search templates 2022-05-03 17:31:01 +00:00			`from haystack.views import SearchView, search_view_factory`
			`from haystack.query import SearchQuerySet`
			`from haystack.forms import SearchForm`

Search CSS tweaks * A couple of other minor things 2022-05-16 18:28:47 +00:00			`from whispermaphone import settings`
			`from .models import Thought, ThoughtForm, ALLOWED_MEDIA_TYPES`
Paginate Gemini index page 2022-09-11 01:35:07 +00:00			`from .pagination import get_all_pages, get_page_slug, get_page`
Search CSS tweaks * A couple of other minor things 2022-05-16 18:28:47 +00:00
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`def check_authenticated(request):`
			`authenticated = False`
			`try:`
			`if constant_time_compare(request.COOKIES["password"], settings.PASSWORD):`
			`authenticated = True`
			`except KeyError:`
			`pass`
			`return authenticated`

Change Gemini port to 1973 * I use it behind a reverse proxy. I would be suprised if this was the only Gemini server someone was running. 1973 is the first prime after 1965. * Remove unused important * Add Secure Cookie option, in-line with Django recommendations 2021-10-03 23:42:52 +00:00
Refactor password validation * Just removes the plaintext password from the source code, instead reading it from an enviroment file. No password hashing here. No-JS login is still on the timeline 2021-10-03 04:25:17 +00:00			`def index(request):`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`authenticated = check_authenticated(request)`

			`try:`
			`highlighted_uuid = uuid.UUID(request.GET.get("show", ""))`
			`except ValueError:`
			`highlighted_uuid = ""`

Current page tweaks * Add link rel canonical to all pages (/ points itself instead of /?page=current-season because Google crawls duplicate versions of pages less often. I want / to be crawled frequently, so it has to be the canonical version of the content it holds) * Fix a bug where passing an invald page slug would mean that no page was highlighted as current in the footer 2022-05-12 13:16:44 +00:00			`## Figure out what page we're viewing`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`pages = get_all_pages()`

Current page tweaks * Add link rel canonical to all pages (/ points itself instead of /?page=current-season because Google crawls duplicate versions of pages less often. I want / to be crawled frequently, so it has to be the canonical version of the content it holds) * Fix a bug where passing an invald page slug would mean that no page was highlighted as current in the footer 2022-05-12 13:16:44 +00:00			`requested_slug = request.GET.get("page", default="")`
Paginate Gemini index page 2022-09-11 01:35:07 +00:00			`requested_page = get_page(requested_slug, highlighted_uuid)`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00
			`thoughts = requested_page.get_all_entries()`

Rename 'main' to 'thoughts' SQL to migrate the DB. Create migrations, migrate `DELETE FROM django_content_type WHERE app_label='thoughts';` `UPDATE django_content_type SET app_label='thoughts' WHERE app_label='main';` `DROP TABLE thoughts_thought;` `ALTER TABLE main_thought RENAME TO thoughts_thought;` `DELETE FROM django_migrations WHERE app='main';` Hopefully that's right, I'm not going to double check it or anything. 2022-04-30 17:33:57 +00:00			`return render(request, "thoughts/index.html", {`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`"thoughts": thoughts,`
			`"highlighted": highlighted_uuid,`
			`"authenticated": authenticated,`
			`"pages": pages,`
Current page tweaks * Add link rel canonical to all pages (/ points itself instead of /?page=current-season because Google crawls duplicate versions of pages less often. I want / to be crawled frequently, so it has to be the canonical version of the content it holds) * Fix a bug where passing an invald page slug would mean that no page was highlighted as current in the footer 2022-05-12 13:16:44 +00:00			`"current_page_slug": requested_page.slug,`
Bug fixes from previous commit 2022-09-11 01:54:46 +00:00			`"first_page": requested_page.slug == pages[0].slug # if you're viewing the first page`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`})`


Remove JS from login page * Okay so we're not doing HTTP Basic Auth, that was an awful experience with those pop-ups. * But we set the cookie with Django on the server-side, instead of needing JS * So this should improve browser compatibility. No promises. 2022-01-06 20:05:18 +00:00			`def login(request):`
			`if check_authenticated(request):`
			`return redirect("post")`

			`if request.method == "POST":`
			`if constant_time_compare(request.POST["password"], settings.PASSWORD):`
			`res = redirect("post")`
Add max_age of 1 year to password cookie 2022-03-27 02:44:02 +00:00			`res.set_cookie("password", request.POST["password"], max_age=606024*365) # 1 year`
Remove JS from login page * Okay so we're not doing HTTP Basic Auth, that was an awful experience with those pop-ups. * But we set the cookie with Django on the server-side, instead of needing JS * So this should improve browser compatibility. No promises. 2022-01-06 20:05:18 +00:00			`return res`

			# Returning 401 here causes `links` to always prompt for HTTP basic auth, which is annoying.
			`# But the alternative is not following the HTTP spec, so I think this is fine.`
Rename 'main' to 'thoughts' SQL to migrate the DB. Create migrations, migrate `DELETE FROM django_content_type WHERE app_label='thoughts';` `UPDATE django_content_type SET app_label='thoughts' WHERE app_label='main';` `DROP TABLE thoughts_thought;` `ALTER TABLE main_thought RENAME TO thoughts_thought;` `DELETE FROM django_migrations WHERE app='main';` Hopefully that's right, I'm not going to double check it or anything. 2022-04-30 17:33:57 +00:00			`return render(request, "thoughts/login.html", status=401)`
Remove JS from login page * Okay so we're not doing HTTP Basic Auth, that was an awful experience with those pop-ups. * But we set the cookie with Django on the server-side, instead of needing JS * So this should improve browser compatibility. No promises. 2022-01-06 20:05:18 +00:00

Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`def post(request):`
			`if not check_authenticated(request):`
Remove JS from login page * Okay so we're not doing HTTP Basic Auth, that was an awful experience with those pop-ups. * But we set the cookie with Django on the server-side, instead of needing JS * So this should improve browser compatibility. No promises. 2022-01-06 20:05:18 +00:00			`return redirect("login")`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00
Ability to edit Thoughts 2022-01-09 23:57:37 +00:00			`editing = request.GET.get("editing", None)`
Add max_age of 1 year to password cookie 2022-03-27 02:44:02 +00:00			`try:`
Ability to edit Thoughts 2022-01-09 23:57:37 +00:00			`editing_thought = Thought.objects.get(uuid=editing)`
Fix bugs around editing and time * Pre-fill the timezone with the offset in hours (correct), instead of minutes, like the DB stores * Only change the timezone in JS if you're not editing * Redirect back to a Thought after editing it 2022-01-12 16:08:56 +00:00			`editing_thought.timezone_offset = - editing_thought.timezone_offset / 60`
Ability to edit Thoughts 2022-01-09 23:57:37 +00:00			`except Thought.DoesNotExist:`
			`editing_thought = None`

Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`if request.method == "POST":`
			`# We post in hours, so we need to convert back to minutes for saving`
			`# We can pass errors since form.is_valid catches most of them`
			`# We just need to convert hours to minutes first, because otherwise it errors on non-integer values`
Ability to edit Thoughts 2022-01-09 23:57:37 +00:00			`values = request.POST.copy()`
			`try:`
			`values["timezone_offset"] = - float(values["timezone_offset"]) * 60`
			`except (ValueError, KeyError):`
			`pass`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00
Ability to edit Thoughts 2022-01-09 23:57:37 +00:00			`thought_form = ThoughtForm(values, request.FILES, instance=editing_thought or Thought())`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00
			`if not thought_form.is_valid():`
			`errors = thought_form.errors.as_data()`
			`# Media formatting errors`
			`try:`
			`problem_field = list(errors.keys())[0]`
			`message = list(errors.values())[0][0].messages[0]`
Ability to edit Thoughts 2022-01-09 23:57:37 +00:00			`error_line = f"{problem_field[0].upper()}{problem_field[1:]}: {message}"`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`except:`
			`error_line = f"An unknown error occurred processing your request: {errors}"`

Rename 'main' to 'thoughts' SQL to migrate the DB. Create migrations, migrate `DELETE FROM django_content_type WHERE app_label='thoughts';` `UPDATE django_content_type SET app_label='thoughts' WHERE app_label='main';` `DROP TABLE thoughts_thought;` `ALTER TABLE main_thought RENAME TO thoughts_thought;` `DELETE FROM django_migrations WHERE app='main';` Hopefully that's right, I'm not going to double check it or anything. 2022-04-30 17:33:57 +00:00			`return render(request, "thoughts/post.html", {`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`"form": thought_form,`
			`"form_error": error_line`
			`}, status=400)`

Ability to edit Thoughts 2022-01-09 23:57:37 +00:00			`if editing_thought:`
			`thought = editing_thought`
			`else:`
			`# Create a thought object we can work with`
			`# But don't save it the DB yet`
			`thought = thought_form.save(commit=False)`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00
			`# Do media processing (already validated)`
			`if "media" in request.FILES:`
			`chunk = next(thought.media.chunks(chunk_size=2048))`
			`media_type = magic.from_buffer(chunk, mime="True")`

			`thought.media.name = f"{thought.uuid}.{ALLOWED_MEDIA_TYPES[media_type]}"`

Move to mp3 as the default audio type * Also adds aac as an allowed audio type, fixing a bug where I could edit those posts * To convert old audio to mp3, the following commands were used: ls *.aac \| xargs -I {} bash -c 'ffmpeg -y -i {} -acodec mp3 $(echo {} \| sed s/aac/mp3/)' for t in Thought.objects.filter(media__endswith=".aac"): t.file.name = f"{t.uuid}.mp3" t.save() And ditto with m4a. 2022-05-07 20:46:16 +00:00			`if media_type == "audio/x-m4a" or media_type == "audio/x-hx-aac-adts":`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`# This is a hack-fix because I want to be able to upload audio`
			`# In the future, this should be refactored to convert file types`
			`# using ffmpeg.js on the client side (so there are 0 security concerns)`
			`# and then the backend just has to check a 3 item whitelist`
			`thought.save() # Save so that we have a file to work with`
			`subprocess.run(["ffmpeg",`
			`"-i", thought.media.path,`
Move to mp3 as the default audio type * Also adds aac as an allowed audio type, fixing a bug where I could edit those posts * To convert old audio to mp3, the following commands were used: ls *.aac \| xargs -I {} bash -c 'ffmpeg -y -i {} -acodec mp3 $(echo {} \| sed s/aac/mp3/)' for t in Thought.objects.filter(media__endswith=".aac"): t.file.name = f"{t.uuid}.mp3" t.save() And ditto with m4a. 2022-05-07 20:46:16 +00:00			`"-codec:a", "mp3", "-vn",`
			`os.path.join(settings.MEDIA_ROOT, f"{thought.uuid}.mp3")`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`], check=True)`
Move to mp3 as the default audio type * Also adds aac as an allowed audio type, fixing a bug where I could edit those posts * To convert old audio to mp3, the following commands were used: ls *.aac \| xargs -I {} bash -c 'ffmpeg -y -i {} -acodec mp3 $(echo {} \| sed s/aac/mp3/)' for t in Thought.objects.filter(media__endswith=".aac"): t.file.name = f"{t.uuid}.mp3" t.save() And ditto with m4a. 2022-05-07 20:46:16 +00:00			`os.remove(os.path.join(settings.MEDIA_ROOT, thought.media.name)) # Remove the original file`
			`thought.media.name = f"{thought.uuid}.mp3" # Update the file in the DB`
Fix bug that prevented editing alt-text * If there was already an uploaded file, it doesn't get re-uploaded when editing, and doesn't show up in request.FILES. The file name is still in thought.media so we can use that to tell if there's a image and if we should allow media_alt 2022-03-29 17:27:49 +00:00
			`# We need to make sure that if we remove an image, the alt text is removed with it`
			`if not thought.media:`
Ability to edit Thoughts 2022-01-09 23:57:37 +00:00			`thought.media_alt = ""`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00
			`# Save for real`
			`thought.save()`

Ability to edit Thoughts 2022-01-09 23:57:37 +00:00			`# Redirect to the same page, so that we make a GET request to /post`
Fix bugs around editing and time * Pre-fill the timezone with the offset in hours (correct), instead of minutes, like the DB stores * Only change the timezone in JS if you're not editing * Redirect back to a Thought after editing it 2022-01-12 16:08:56 +00:00			`if editing_thought:`
			`return redirect(editing_thought)`
Ability to edit Thoughts 2022-01-09 23:57:37 +00:00			`return redirect("post")`

Rename 'main' to 'thoughts' SQL to migrate the DB. Create migrations, migrate `DELETE FROM django_content_type WHERE app_label='thoughts';` `UPDATE django_content_type SET app_label='thoughts' WHERE app_label='main';` `DROP TABLE thoughts_thought;` `ALTER TABLE main_thought RENAME TO thoughts_thought;` `DELETE FROM django_migrations WHERE app='main';` Hopefully that's right, I'm not going to double check it or anything. 2022-04-30 17:33:57 +00:00			`return render(request, "thoughts/post.html", {`
Ability to edit Thoughts 2022-01-09 23:57:37 +00:00			`"form": ThoughtForm(instance=editing_thought) if editing_thought else ThoughtForm(),`
			`"editing": not not editing_thought,`
			`})`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00

			`def about(request):`
Rename 'main' to 'thoughts' SQL to migrate the DB. Create migrations, migrate `DELETE FROM django_content_type WHERE app_label='thoughts';` `UPDATE django_content_type SET app_label='thoughts' WHERE app_label='main';` `DROP TABLE thoughts_thought;` `ALTER TABLE main_thought RENAME TO thoughts_thought;` `DELETE FROM django_migrations WHERE app='main';` Hopefully that's right, I'm not going to double check it or anything. 2022-04-30 17:33:57 +00:00			`return render(request, "thoughts/about.html", {`
Revert to working * Remove HTTP Basic auth * Keep changes to timezone input * Re-add all views 2022-01-06 19:20:47 +00:00			`"authenticated": check_authenticated(request)`
			`})`
Move search templates 2022-05-03 17:31:01 +00:00
Search CSS tweaks * A couple of other minor things 2022-05-16 18:28:47 +00:00			`class ThoughtsSearchForm(SearchForm):`
			`q = forms.CharField(`
			`required=False,`
			`widget=forms.TextInput(attrs={"type": "search", "placeholder": "Search query"}),`
			`)`

			`def __init__(self, args, *kwargs):`
			`super().__init__(args, *kwargs)`

Move search templates 2022-05-03 17:31:01 +00:00			`search = search_view_factory(`
			`template="thoughts/search/search.html",`
			`view_class=SearchView,`
Search CSS tweaks * A couple of other minor things 2022-05-16 18:28:47 +00:00			`form_class=ThoughtsSearchForm,`
Move search templates 2022-05-03 17:31:01 +00:00			`searchqueryset=SearchQuerySet().order_by("-posted")`
			`)`