2265 lines
76 KiB
Go
2265 lines
76 KiB
Go
package main
|
|
|
|
import (
|
|
"bufio"
|
|
"bytes"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"crypto/tls"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
"html/template"
|
|
"log"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httputil"
|
|
"net/smtp"
|
|
"os"
|
|
"path/filepath"
|
|
"strconv"
|
|
"sort"
|
|
"strings"
|
|
"time"
|
|
|
|
_ "github.com/mattn/go-sqlite3"
|
|
"inou/lib"
|
|
)
|
|
|
|
var (
|
|
Version string = "dev" // Set via ldflags at build time
|
|
templates *template.Template
|
|
translations map[string]map[string]string
|
|
langOptions []LangOption
|
|
smtpHost, smtpPort, smtpUser, smtpToken, smtpFrom string
|
|
accessLog *os.File
|
|
)
|
|
|
|
const (
|
|
langDir = "lang"
|
|
tmplDir = "templates"
|
|
staticDir = "static"
|
|
uploadsDir = "uploads"
|
|
demoDossierID = "1111111111111111"
|
|
dbPath = "data/inou.db"
|
|
authDBPath = "data/auth.db"
|
|
minAge = 18
|
|
)
|
|
|
|
type statusWriter struct {
|
|
http.ResponseWriter
|
|
status int
|
|
}
|
|
|
|
func (w *statusWriter) WriteHeader(code int) {
|
|
w.status = code
|
|
w.ResponseWriter.WriteHeader(code)
|
|
}
|
|
|
|
func (w *statusWriter) Flush() {
|
|
if f, ok := w.ResponseWriter.(http.Flusher); ok {
|
|
f.Flush()
|
|
}
|
|
}
|
|
|
|
func logMiddleware(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
start := time.Now()
|
|
sw := &statusWriter{ResponseWriter: w, status: 200}
|
|
next.ServeHTTP(sw, r)
|
|
|
|
ip := r.RemoteAddr
|
|
if fwd := r.Header.Get("X-Forwarded-For"); fwd != "" {
|
|
ip = fwd
|
|
}
|
|
ua := r.Header.Get("User-Agent")
|
|
if len(ua) > 100 {
|
|
ua = ua[:100]
|
|
}
|
|
colorStart, colorEnd := "", ""
|
|
if sw.status == 404 {
|
|
colorStart, colorEnd = "\033[31m", "\033[0m"
|
|
}
|
|
logAccess( colorStart+"%s %s %s %s %d %dms %s"+colorEnd,
|
|
time.Now().Format("2006-01-02 15:04:05"),
|
|
ip, r.Method, r.URL.RequestURI(), sw.status,
|
|
time.Since(start).Milliseconds(), ua)
|
|
})
|
|
}
|
|
|
|
|
|
type LangOption struct {
|
|
Code, Name, Flag string
|
|
}
|
|
|
|
type RelationTarget struct {
|
|
DossierID, Name string
|
|
}
|
|
|
|
type StatChip struct {
|
|
Icon string
|
|
Count int
|
|
Label string // "genome" for binary, empty for count-based
|
|
Color string // CSS color class for pill
|
|
}
|
|
|
|
type DossierStats struct {
|
|
Imaging, Documents, Labs, Genome, Vitals, Medications, Supplements int
|
|
Chips []StatChip // top 5 non-zero categories
|
|
OverflowCount int // how many more categories beyond the top 5
|
|
TotalCount int // total entries across all categories
|
|
}
|
|
|
|
type AccessEntry struct {
|
|
DossierID string
|
|
Name, Relation, DateOfBirth string
|
|
Context string // inter-dossier relationship, e.g. "Parent of Anastasiia"
|
|
Lang string // language code for flag display
|
|
Sex int
|
|
RelationInt int
|
|
NewGroup bool // true if this entry starts a new visual group
|
|
IsCareReceiver, CanEdit, IsSelf, IsPending bool
|
|
AccessedAt time.Time
|
|
Stats DossierStats
|
|
}
|
|
|
|
type AuditViewEntry struct {
|
|
ActorName string
|
|
Action string
|
|
Details string
|
|
CreatedAt time.Time
|
|
}
|
|
|
|
type PageData struct {
|
|
Page, Lang, Title, Error, Success, Email, Name, DOB, Sex, Relation, RecipientName, EmailLang string
|
|
RequestPath string
|
|
IsCareReceiver, CanEdit, ShowDetails, CanManageAccess, Uploads, HasImaging, ConfirmDuplicate, EditMode, IsSelf bool
|
|
EditDossier *lib.Dossier
|
|
UploadCount int
|
|
UploadSize string
|
|
T map[string]string
|
|
Dossier, TargetDossier *lib.Dossier
|
|
AccessibleDossiers, AccessList []AccessEntry
|
|
UploadList []Upload
|
|
Studies []Study
|
|
HasLabs, HasGenome, Embed bool
|
|
StudyCount, LabCount, TotalSlices int
|
|
AuditList []AuditViewEntry
|
|
APIToken string
|
|
TempToken string
|
|
TempTokenExpires string
|
|
Grantees []GranteeView
|
|
Roles []RoleView
|
|
// Edit access page
|
|
GranteeID string
|
|
GranteeName string
|
|
HasRead, HasWrite, HasDelete, HasManage bool
|
|
Categories []CategoryAccess
|
|
EntryGrants []EntryGrant
|
|
// RBAC edit page
|
|
CategoriesRBAC []CategoryRBACView
|
|
SelectedRole string
|
|
// Dossier: unified sections
|
|
Sections []DossierSection
|
|
Languages []LangOption
|
|
RelationTargets []RelationTarget
|
|
RelationTo string
|
|
// OAuth consent
|
|
ClientName string
|
|
ClientID string
|
|
RedirectURI string
|
|
ResponseType string
|
|
State string
|
|
CodeChallenge string
|
|
CodeChallengeMethod string
|
|
UserName string
|
|
Content template.HTML
|
|
}
|
|
|
|
type CategoryAccess struct {
|
|
ID int
|
|
Name string
|
|
Allowed bool
|
|
}
|
|
|
|
type EntryGrant struct {
|
|
EntryID string
|
|
Description string
|
|
CategoryName string
|
|
}
|
|
|
|
type Series struct {
|
|
ID, Description, Modality string
|
|
SliceCount int
|
|
}
|
|
|
|
type Study struct {
|
|
ID, Date, Description, Institution, Modality string
|
|
SeriesCount, SliceCount int
|
|
Series []Series
|
|
}
|
|
|
|
func initDB() {
|
|
// Rate limiting removed - handled differently now
|
|
}
|
|
|
|
// Native names for languages (used in language selector dropdowns).
|
|
|
|
func loadTranslations() {
|
|
translations = make(map[string]map[string]string)
|
|
files, _ := filepath.Glob(filepath.Join(langDir, "*.yaml"))
|
|
for _, f := range files {
|
|
lang := strings.TrimSuffix(filepath.Base(f), ".yaml")
|
|
translations[lang] = make(map[string]string)
|
|
file, _ := os.Open(f)
|
|
if file == nil { continue }
|
|
scanner := bufio.NewScanner(file)
|
|
for scanner.Scan() {
|
|
line := scanner.Text()
|
|
if idx := strings.Index(line, ": "); idx > 0 {
|
|
translations[lang][line[:idx]] = strings.Trim(line[idx+2:], "\"'")
|
|
}
|
|
}
|
|
file.Close()
|
|
}
|
|
// Build language options from lang_* keys in en.yaml, sorted by native name
|
|
en := translations["en"]
|
|
langOptions = nil
|
|
for k, name := range en {
|
|
if !strings.HasPrefix(k, "lang_") { continue }
|
|
code := strings.TrimPrefix(k, "lang_")
|
|
langOptions = append(langOptions, LangOption{Code: code, Name: name})
|
|
}
|
|
sort.Slice(langOptions, func(i, j int) bool { return langOptions[i].Name < langOptions[j].Name })
|
|
// Add flags
|
|
for i := range langOptions {
|
|
code := langOptions[i].Code
|
|
flags := map[string]string{
|
|
"en": "\U0001F1EC\U0001F1E7", "nl": "\U0001F1F3\U0001F1F1", "de": "\U0001F1E9\U0001F1EA",
|
|
"ru": "\U0001F1F7\U0001F1FA", "zh": "\U0001F1E8\U0001F1F3", "ja": "\U0001F1EF\U0001F1F5",
|
|
"ko": "\U0001F1F0\U0001F1F7", "fr": "\U0001F1EB\U0001F1F7", "es": "\U0001F1EA\U0001F1F8",
|
|
"pt": "\U0001F1E7\U0001F1F7", "it": "\U0001F1EE\U0001F1F9", "sv": "\U0001F1F8\U0001F1EA",
|
|
"no": "\U0001F1F3\U0001F1F4", "da": "\U0001F1E9\U0001F1F0", "fi": "\U0001F1EB\U0001F1EE",
|
|
"tr": "\U0001F1F9\U0001F1F7", "vi": "\U0001F1FB\U0001F1F3", "id": "\U0001F1EE\U0001F1E9",
|
|
"hi": "\U0001F1EE\U0001F1F3", "th": "\U0001F1F9\U0001F1ED", "pl": "\U0001F1F5\U0001F1F1",
|
|
"uk": "\U0001F1FA\U0001F1E6",
|
|
}
|
|
if f, ok := flags[code]; ok { langOptions[i].Flag = f }
|
|
}
|
|
}
|
|
|
|
func T(lang, key string) string {
|
|
if t, ok := translations[lang]; ok { if s, ok := t[key]; ok { return s } }
|
|
if t, ok := translations["en"]; ok { if s, ok := t[key]; ok { return s } }
|
|
return "[" + key + "]"
|
|
}
|
|
|
|
func getLang(r *http.Request) string {
|
|
// If logged in, use dossier language
|
|
if d := getLoggedInDossier(r); d != nil && d.Preferences.Language != "" {
|
|
if _, ok := translations[d.Preferences.Language]; ok { return d.Preferences.Language }
|
|
}
|
|
// Parse Accept-Language header
|
|
accept := r.Header.Get("Accept-Language")
|
|
if accept != "" {
|
|
for _, part := range strings.Split(accept, ",") {
|
|
lang := strings.TrimSpace(strings.Split(part, ";")[0])
|
|
lang = strings.Split(lang, "-")[0]
|
|
if _, ok := translations[lang]; ok { return lang }
|
|
}
|
|
}
|
|
return "en"
|
|
}
|
|
|
|
|
|
func isEmbed(r *http.Request) bool { return r.URL.Query().Get("embed") == "1" }
|
|
|
|
var funcs template.FuncMap
|
|
|
|
func loadTemplates() {
|
|
funcs = template.FuncMap{
|
|
"hex": func(id int64) string { return fmt.Sprintf("%016x", id) },
|
|
"sexT": func(sex int, lang string) string {
|
|
return lib.SexTranslate(sex, lang)
|
|
},
|
|
"dict": func(values ...interface{}) map[string]interface{} {
|
|
d := make(map[string]interface{})
|
|
for i := 0; i < len(values); i += 2 {
|
|
if i+1 < len(values) {
|
|
d[values[i].(string)] = values[i+1]
|
|
}
|
|
}
|
|
return d
|
|
},
|
|
"age": func(dob string) string {
|
|
if len(dob) < 10 { return "" }
|
|
t, err := time.Parse("2006-01-02", dob[:10])
|
|
if err != nil { return "" }
|
|
years := int(time.Since(t).Hours() / 8766) // 365.25 * 24
|
|
return fmt.Sprintf("%dy", years)
|
|
},
|
|
"initials": func(name string) string {
|
|
parts := strings.Fields(name)
|
|
if len(parts) == 0 { return "?" }
|
|
first := string([]rune(parts[0])[:1])
|
|
if len(parts) == 1 { return strings.ToUpper(first) }
|
|
last := string([]rune(parts[len(parts)-1])[:1])
|
|
return strings.ToUpper(first + last)
|
|
},
|
|
"initialColor": func(id string) string {
|
|
// Muted versions of the dossier section colors, keyed by dossier ID (hex)
|
|
colors := []string{
|
|
"#C47A3D", // amber
|
|
"#5AAD8A", // green
|
|
"#7E8FC2", // blue
|
|
"#C26E6E", // red
|
|
"#9A82B8", // purple
|
|
"#C2963D", // gold
|
|
"#6BA0B8", // teal
|
|
"#B87898", // pink
|
|
"#7DAD6B", // olive
|
|
"#8B7D6B", // stone
|
|
}
|
|
if len(id) < 2 { return colors[0] }
|
|
// Use last 2 hex chars of ID for good distribution
|
|
b, _ := strconv.ParseUint(id[len(id)-2:], 16, 8)
|
|
return colors[b%uint64(len(colors))]
|
|
},
|
|
"langFlag": func(code string) string {
|
|
for _, opt := range langOptions {
|
|
if opt.Code == code { return opt.Flag }
|
|
}
|
|
// Flags for languages without portal translations
|
|
extra := map[string]string{
|
|
"ar": "\U0001F1F8\U0001F1E6", "hi": "\U0001F1EE\U0001F1F3",
|
|
"th": "\U0001F1F9\U0001F1ED", "tr": "\U0001F1F9\U0001F1F7",
|
|
"uk": "\U0001F1FA\U0001F1E6",
|
|
}
|
|
if f, ok := extra[code]; ok { return f }
|
|
return ""
|
|
},
|
|
"borderLevel": func(total int) string {
|
|
if total == 0 { return "" }
|
|
if total < 5 { return "border-sparse" }
|
|
if total < 20 { return "border-moderate" }
|
|
return "border-rich"
|
|
},
|
|
}
|
|
templates = template.Must(template.New("").Funcs(funcs).ParseGlob(filepath.Join(tmplDir, "*.tmpl")))
|
|
}
|
|
|
|
|
|
func loadSMTPConfig() {
|
|
data, _ := os.ReadFile("smtp.env")
|
|
for _, line := range strings.Split(string(data), "\n") {
|
|
parts := strings.SplitN(line, "=", 2)
|
|
if len(parts) != 2 { continue }
|
|
switch parts[0] {
|
|
case "SMTP_HOST": smtpHost = parts[1]
|
|
case "SMTP_PORT": smtpPort = parts[1]
|
|
case "SMTP_USER": smtpUser = parts[1]
|
|
case "SMTP_TOKEN": smtpToken = parts[1]
|
|
case "SMTP_FROM_NAME": smtpFrom = parts[1]
|
|
}
|
|
}
|
|
fmt.Println("SMTP loaded, host:", smtpHost)
|
|
}
|
|
func formatHexID(id string) string { return id }
|
|
|
|
func emailHash(email string) string {
|
|
h := sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(email))))
|
|
return base64.StdEncoding.EncodeToString(h[:])
|
|
}
|
|
|
|
func randomHash() string { b := make([]byte, 32); rand.Read(b); return base64.StdEncoding.EncodeToString(b) }
|
|
|
|
func parseID(s string) int64 { id, _ := strconv.ParseInt(s, 10, 64); return id }
|
|
|
|
|
|
func invertRelation(rel int) int {
|
|
switch rel {
|
|
case 1: return 2 // Parent → Child
|
|
case 2: return 1 // Child → Parent
|
|
default: return rel
|
|
}
|
|
}
|
|
|
|
func isMinor(dob string) bool {
|
|
// Try multiple formats
|
|
var t time.Time
|
|
var err error
|
|
for _, fmt := range []string{"2006-01-02", "2006-01-02T15:04:05Z", time.RFC3339} {
|
|
t, err = time.Parse(fmt, dob)
|
|
if err == nil { break }
|
|
}
|
|
if err != nil { return false } // Unknown format - don't block
|
|
age := time.Now().Year() - t.Year()
|
|
if time.Now().YearDay() < t.YearDay() { age-- }
|
|
return age < minAge
|
|
}
|
|
func getLoggedInDossier(r *http.Request) *lib.Dossier {
|
|
cookie, err := r.Cookie("login")
|
|
if err != nil || cookie.Value == "" { return nil }
|
|
d, err := lib.DossierGet(cookie.Value, cookie.Value)
|
|
if err != nil { return nil }
|
|
return d
|
|
}
|
|
|
|
|
|
func setLoginCookie(w http.ResponseWriter, dossierID string) {
|
|
http.SetCookie(w, &http.Cookie{Name: "login", Value: dossierID, Path: "/", MaxAge: 30*24*60*60, HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
|
|
}
|
|
|
|
func clearLoginCookie(w http.ResponseWriter) {
|
|
http.SetCookie(w, &http.Cookie{Name: "login", Value: "", Path: "/", MaxAge: -1, HttpOnly: true, Secure: true})
|
|
}
|
|
|
|
|
|
func sendEmail(toEmail, subject, html string) error {
|
|
if smtpHost == "" { return nil }
|
|
conn, err := net.Dial("tcp", smtpHost+":"+smtpPort)
|
|
if err != nil { return err }
|
|
defer conn.Close()
|
|
client, err := smtp.NewClient(conn, smtpHost)
|
|
if err != nil { return err }
|
|
defer client.Close()
|
|
if err = client.StartTLS(&tls.Config{ServerName: smtpHost}); err != nil { return err }
|
|
if err = client.Auth(smtp.PlainAuth("", smtpUser, smtpToken, smtpHost)); err != nil { return err }
|
|
if err = client.Mail(smtpUser); err != nil { return err }
|
|
if err = client.Rcpt(toEmail); err != nil { return err }
|
|
w, err := client.Data()
|
|
if err != nil { return err }
|
|
msg := "From: " + smtpFrom + " <" + smtpUser + ">\r\nTo: " + toEmail + "\r\nSubject: " + subject + "\r\nMIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n" + html
|
|
w.Write([]byte(msg))
|
|
return w.Close()
|
|
}
|
|
|
|
func sendEmailWithFrom(toEmail, fromName, subject, html string) error {
|
|
if smtpHost == "" { return nil }
|
|
conn, err := net.Dial("tcp", smtpHost+":"+smtpPort)
|
|
if err != nil { return err }
|
|
defer conn.Close()
|
|
client, err := smtp.NewClient(conn, smtpHost)
|
|
if err != nil { return err }
|
|
defer client.Close()
|
|
if err = client.StartTLS(&tls.Config{ServerName: smtpHost}); err != nil { return err }
|
|
if err = client.Auth(smtp.PlainAuth("", smtpUser, smtpToken, smtpHost)); err != nil { return err }
|
|
if err = client.Mail(smtpUser); err != nil { return err }
|
|
if err = client.Rcpt(toEmail); err != nil { return err }
|
|
w, err := client.Data()
|
|
if err != nil { return err }
|
|
displayFrom := fromName + " via inou"
|
|
msg := "From: " + displayFrom + " <" + smtpUser + ">\r\nTo: " + toEmail + "\r\nSubject: " + subject + "\r\nMIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n" + html
|
|
w.Write([]byte(msg))
|
|
return w.Close()
|
|
}
|
|
|
|
func getFirstName(fullName string) string {
|
|
parts := strings.Fields(fullName)
|
|
if len(parts) > 0 { return parts[0] }
|
|
return fullName
|
|
}
|
|
|
|
func sendShareEmail(toEmail, recipientName, targetName, fromName string, canEdit bool, lang string) error {
|
|
if lang == "" { lang = "en" }
|
|
|
|
subject := targetName + "'s health dossier — " + fromName
|
|
canEditStr := "false"
|
|
if canEdit { canEditStr = "true" }
|
|
|
|
html, err := lib.RenderHTML("email_share", lang, map[string]string{
|
|
"FirstName": getFirstName(recipientName),
|
|
"TargetName": targetName,
|
|
"SenderName": fromName,
|
|
"CanEdit": canEditStr,
|
|
})
|
|
if err != nil { return err }
|
|
|
|
return sendEmailWithFrom(toEmail, fromName, subject, html)
|
|
}
|
|
|
|
func sendFriendInviteEmail(toEmail, recipientName, fromName, fromEmail, lang string) error {
|
|
if lang == "" { lang = "en" }
|
|
|
|
subject := T(lang, "email_invite_subject") + " — " + fromName
|
|
html, err := lib.RenderHTML("email_invite", lang, map[string]string{
|
|
"FirstName": getFirstName(recipientName),
|
|
"SenderName": fromName,
|
|
})
|
|
if err != nil { return err }
|
|
|
|
if err := sendEmailWithFrom(toEmail, fromName, subject, html); err != nil { return err }
|
|
|
|
copySubject := "Copy: Your invitation to " + recipientName
|
|
copyHtml, err := lib.RenderHTML("email_invite_copy", lang, map[string]string{
|
|
"SenderFirstName": getFirstName(fromName),
|
|
"RecipientName": recipientName,
|
|
"RecipientEmail": toEmail,
|
|
"FirstName": getFirstName(recipientName),
|
|
"SenderName": fromName,
|
|
})
|
|
if err == nil {
|
|
sendEmailWithFrom(fromEmail, "", copySubject, copyHtml)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
|
|
|
|
var devMode = true // reload templates on every request
|
|
|
|
func render(w http.ResponseWriter, r *http.Request, data PageData) {
|
|
if devMode {
|
|
loadTemplates()
|
|
}
|
|
data.T = translations[data.Lang]
|
|
if data.T == nil { data.T = translations["en"] }
|
|
data.RequestPath = r.URL.Path
|
|
if data.Languages == nil { data.Languages = langOptions }
|
|
// Pre-render page content — use localized template if available
|
|
page := data.Page
|
|
if data.Lang != "en" {
|
|
if templates.Lookup(data.Page + "_" + data.Lang) != nil {
|
|
page = data.Page + "_" + data.Lang
|
|
}
|
|
}
|
|
if t := templates.Lookup(page); t != nil {
|
|
var buf bytes.Buffer
|
|
if err := t.Execute(&buf, data); err != nil {
|
|
lib.SendSignal(fmt.Sprintf("**Template error**\nPage: %s\nLang: %s\nError: %v", page, data.Lang, err))
|
|
fmt.Fprintf(os.Stderr, "Page template %q error: %v\n", page, err)
|
|
http.Error(w, "Template error", 500)
|
|
return
|
|
}
|
|
data.Content = template.HTML(buf.String())
|
|
}
|
|
if err := templates.ExecuteTemplate(w, "base.tmpl", data); err != nil {
|
|
lib.SendSignal(fmt.Sprintf("**Template error**\nPage: %s (base)\nLang: %s\nError: %v", data.Page, data.Lang, err))
|
|
fmt.Fprintf(os.Stderr, "Template error: %v\n", err)
|
|
http.Error(w, "Template error", 500)
|
|
}
|
|
}
|
|
|
|
|
|
func handleLanding(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path != "/" { http.NotFound(w, r); return }
|
|
p := getLoggedInDossier(r)
|
|
lang := getLang(r)
|
|
render(w, r, PageData{Page: "landing", Lang: lang, Dossier: p})
|
|
}
|
|
|
|
func getClientIP(r *http.Request) string {
|
|
if fwd := r.Header.Get("X-Forwarded-For"); fwd != "" {
|
|
// Take first IP if multiple
|
|
if idx := strings.Index(fwd, ","); idx != -1 {
|
|
return strings.TrimSpace(fwd[:idx])
|
|
}
|
|
return strings.TrimSpace(fwd)
|
|
}
|
|
ip := r.RemoteAddr
|
|
if idx := strings.LastIndex(ip, ":"); idx != -1 {
|
|
ip = ip[:idx]
|
|
}
|
|
return strings.Trim(ip, "[]")
|
|
}
|
|
|
|
func handleSendCode(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "POST" { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
if n := r.FormValue("nonce"); n == "" { tarpit(w, r, "BOT"); return } else if ms, _ := strconv.Atoi(n); ms < 2000 { tarpit(w, r, "BOT"); return }
|
|
email := strings.ToLower(strings.TrimSpace(r.FormValue("email")))
|
|
lang := getLang(r)
|
|
if email == "" { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
|
|
if _, err := lib.DossierLogin(email, 0); err != nil {
|
|
log.Printf("DossierLogin(%s): %v", email, err)
|
|
render(w, r, PageData{Page: "landing", Lang: lang, Email: email, Error: "Database error. Please try again."})
|
|
return
|
|
}
|
|
|
|
render(w, r, PageData{Page: "verify", Lang: lang, Email: email})
|
|
}
|
|
|
|
|
|
func handleVerify(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "POST" { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
email := strings.ToLower(strings.TrimSpace(r.FormValue("email")))
|
|
codeStr := strings.TrimSpace(r.FormValue("code"))
|
|
lang := getLang(r)
|
|
|
|
code, _ := strconv.Atoi(codeStr)
|
|
id, err := lib.DossierLogin(email, code)
|
|
if err != nil {
|
|
render(w, r, PageData{Page: "verify", Lang: lang, Email: email, Error: T(lang, "invalid_code")})
|
|
return
|
|
}
|
|
|
|
setLoginCookie(w, id)
|
|
|
|
// Check for OAuth return URL
|
|
if cookie, err := r.Cookie("oauth_return"); err == nil && cookie.Value != "" {
|
|
http.SetCookie(w, &http.Cookie{Name: "oauth_return", Value: "", Path: "/", MaxAge: -1})
|
|
http.Redirect(w, r, cookie.Value, http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
// Check if profile is complete (name set)
|
|
entries, _ := lib.EntryRead(id, id, &lib.Filter{Category: 0})
|
|
if len(entries) == 0 || entries[0].Summary == "" {
|
|
http.Redirect(w, r, "/onboard", http.StatusSeeOther)
|
|
return
|
|
}
|
|
lib.SendSignal(fmt.Sprintf("Login: %s at %s", entries[0].Summary, time.Now().Format("15:04")))
|
|
http.Redirect(w, r, "/dashboard", http.StatusSeeOther)
|
|
}
|
|
|
|
|
|
func handleOnboard(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
if p.Name != "" { http.Redirect(w, r, "/dashboard", http.StatusSeeOther); return }
|
|
lang := getLang(r)
|
|
|
|
if r.Method == "GET" { render(w, r, PageData{Page: "onboard", Lang: lang, Dossier: p}); return }
|
|
|
|
name := strings.TrimSpace(r.FormValue("name"))
|
|
dob := r.FormValue("dob")
|
|
sex := r.FormValue("sex")
|
|
if name == "" || dob == "" || sex == "" {
|
|
render(w, r, PageData{Page: "onboard", Lang: lang, Dossier: p, Name: name, DOB: dob, Sex: sex, Error: "All fields are required"})
|
|
return
|
|
}
|
|
if isMinor(dob) { render(w, r, PageData{Page: "minor_error", Lang: lang, Dossier: p}); return }
|
|
if dob < "1900-01-01" || dob > time.Now().Format("2006-01-02") {
|
|
render(w, r, PageData{Page: "onboard", Lang: lang, Dossier: p, Name: name, DOB: dob, Sex: sex, Error: "Invalid date of birth"})
|
|
return
|
|
}
|
|
|
|
// Read the cat-0 entry, update it with profile data
|
|
entries, _ := lib.EntryRead(p.DossierID, p.DossierID, &lib.Filter{Category: 0})
|
|
if len(entries) == 0 {
|
|
render(w, r, PageData{Page: "onboard", Lang: lang, Dossier: p, Name: name, DOB: dob, Sex: sex, Error: "Profile not found"})
|
|
return
|
|
}
|
|
e := entries[0]
|
|
e.Summary = name
|
|
sexInt := 0
|
|
if sex == "M" { sexInt = 1 } else if sex == "F" { sexInt = 2 }
|
|
dataJSON, _ := json.Marshal(map[string]any{"dob": dob, "sex": sexInt, "lang": lang})
|
|
e.Data = string(dataJSON)
|
|
if err := lib.EntryWrite(p.DossierID, e); err != nil {
|
|
log.Printf("Onboard EntryWrite failed for %s: %v", p.DossierID, err)
|
|
render(w, r, PageData{Page: "onboard", Lang: lang, Dossier: p, Name: name, DOB: dob, Sex: sex, Error: "Failed to save profile"})
|
|
return
|
|
}
|
|
// Grant read-only access to demo dossier
|
|
lib.GrantAccess(demoDossierID, p.DossierID, demoDossierID, lib.PermRead, 99)
|
|
lib.AuditLog(p.DossierID, "dossier_created", p.DossierID, "")
|
|
http.Redirect(w, r, "/dashboard", http.StatusSeeOther)
|
|
}
|
|
|
|
|
|
func handleLogout(w http.ResponseWriter, r *http.Request) {
|
|
clearLoginCookie(w)
|
|
http.Redirect(w, r, "/", http.StatusSeeOther)
|
|
}
|
|
|
|
func handleSetLang(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "POST" { http.Error(w, "Method not allowed", 405); return }
|
|
d := getLoggedInDossier(r)
|
|
if d == nil { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
lang := r.FormValue("lang")
|
|
if len(lang) >= 2 && len(lang) <= 5 {
|
|
d.Preferences.Language = lang
|
|
lib.DossierWrite(d.DossierID, d)
|
|
}
|
|
// Redirect back to referrer or dashboard
|
|
ref := r.Header.Get("Referer")
|
|
if ref == "" { ref = "/dashboard" }
|
|
http.Redirect(w, r, ref, http.StatusSeeOther)
|
|
}
|
|
|
|
func handleLogin(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p != nil && p.Name != "" { http.Redirect(w, r, "/dashboard", http.StatusSeeOther); return }
|
|
render(w, r, PageData{Page: "login", Lang: getLang(r), Dossier: p})
|
|
}
|
|
|
|
func handleConnect(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
lang := getLang(r)
|
|
pageName := "connect"
|
|
var apiToken, tempToken, tempTokenExpires string
|
|
if p != nil {
|
|
// Get or create OAuth refresh token for bridge
|
|
if token, err := lib.OAuthRefreshTokenGetForClient("inou-bridge", p.DossierID); err == nil {
|
|
apiToken = token.TokenID
|
|
}
|
|
// Generate 4h temporary token for Grok
|
|
if apiToken != "" {
|
|
tempToken = lib.TokenCreate(p.DossierID, 4*time.Hour)
|
|
tempTokenExpires = time.Now().Add(4 * time.Hour).Format("15:04")
|
|
}
|
|
}
|
|
render(w, r, PageData{Page: pageName, Lang: lang, Dossier: p, APIToken: apiToken, TempToken: tempToken, TempTokenExpires: tempTokenExpires})
|
|
}
|
|
|
|
func handleSecurity(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
render(w, r, PageData{Page: "security", Lang: getLang(r), Dossier: p})
|
|
}
|
|
|
|
func handlePrivacy(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
render(w, r, PageData{Page: "privacy", Lang: getLang(r), Dossier: p})
|
|
}
|
|
|
|
func handleDocs(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
render(w, r, PageData{Page: "docs", Lang: getLang(r), Dossier: p})
|
|
}
|
|
|
|
func handlePricing(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
render(w, r, PageData{Page: "pricing", Lang: getLang(r), Dossier: p})
|
|
}
|
|
|
|
func handleFAQ(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
render(w, r, PageData{Page: "faq", Lang: getLang(r), Dossier: p})
|
|
}
|
|
|
|
func handleDPA(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
render(w, r, PageData{Page: "dpa", Lang: getLang(r), Dossier: p})
|
|
}
|
|
|
|
func handleTerms(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
render(w, r, PageData{Page: "terms", Lang: getLang(r), Dossier: p})
|
|
}
|
|
func handleStyleguide(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
render(w, r, PageData{Page: "styleguide", Lang: getLang(r), Embed: isEmbed(r), Dossier: p})
|
|
}
|
|
func handleAPI(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
var apiToken string
|
|
if p != nil {
|
|
apiToken = p.SessionToken
|
|
}
|
|
render(w, r, PageData{Page: "api", Lang: getLang(r), Dossier: p, APIToken: apiToken})
|
|
}
|
|
|
|
func handleAPITokenGenerate(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "POST" { http.Error(w, "Method not allowed", 405); return }
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/login", 302); return }
|
|
|
|
// Generate OAuth refresh token for bridge client
|
|
_, err := lib.OAuthRefreshTokenGetOrCreate("inou-bridge", p.DossierID)
|
|
if err != nil {
|
|
http.Error(w, "Failed to generate token", 500)
|
|
return
|
|
}
|
|
lib.AuditLog(p.DossierID, "bridge_token_generated", "", "")
|
|
|
|
// Redirect based on return parameter
|
|
if ret := r.URL.Query().Get("return"); ret != "" {
|
|
http.Redirect(w, r, "/connect?tab="+ret, 302)
|
|
} else {
|
|
http.Redirect(w, r, "/connect", 302)
|
|
}
|
|
}
|
|
|
|
func handleAPITokenRegenerate(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "POST" { http.Error(w, "Method not allowed", 405); return }
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/login", 302); return }
|
|
|
|
// Revoke existing bridge tokens and create new one
|
|
_, err := lib.OAuthRefreshTokenRegenerate("inou-bridge", p.DossierID)
|
|
if err != nil {
|
|
http.Error(w, "Failed to regenerate token", 500)
|
|
return
|
|
}
|
|
lib.AuditLog(p.DossierID, "bridge_token_regenerated", "", "")
|
|
|
|
// Redirect based on return parameter
|
|
if ret := r.URL.Query().Get("return"); ret != "" {
|
|
http.Redirect(w, r, "/connect?tab="+ret, 302)
|
|
} else {
|
|
http.Redirect(w, r, "/connect", 302)
|
|
}
|
|
}
|
|
|
|
func handleOpenAPI(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "text/yaml")
|
|
http.ServeFile(w, r, staticDir+"/openapi.yaml")
|
|
}
|
|
|
|
func handleAPIDocs(w http.ResponseWriter, r *http.Request) {
|
|
// Check if AI/bot wants plain text
|
|
accept := r.Header.Get("Accept")
|
|
if strings.Contains(accept, "text/plain") || r.URL.Query().Get("format") == "text" {
|
|
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
|
|
http.ServeFile(w, r, staticDir+"/api-docs.txt")
|
|
return
|
|
}
|
|
// Default: serve HTML for browsers and crawlers
|
|
data, err := os.ReadFile(staticDir + "/api-docs.txt")
|
|
if err != nil {
|
|
http.Error(w, "Not found", 404)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
fmt.Fprintf(w, `<!DOCTYPE html>
|
|
<html><head><title>inou API Documentation</title>
|
|
<style>body{font-family:monospace;max-width:800px;margin:40px auto;padding:0 20px;line-height:1.6;}</style>
|
|
</head><body><pre>%s</pre></body></html>`, template.HTMLEscapeString(string(data)))
|
|
}
|
|
|
|
|
|
func handleInvite(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
lang := getLang(r)
|
|
|
|
if r.Method == "GET" {
|
|
render(w, r, PageData{Page: "invite", Lang: lang, Dossier: p, EmailLang: lang})
|
|
return
|
|
}
|
|
|
|
recipientName := strings.TrimSpace(r.FormValue("recipient_name"))
|
|
email := strings.ToLower(strings.TrimSpace(r.FormValue("email")))
|
|
emailLang := r.FormValue("email_lang")
|
|
|
|
if recipientName == "" || email == "" {
|
|
render(w, r, PageData{Page: "invite", Lang: lang, Dossier: p, RecipientName: recipientName, EmailLang: emailLang, Email: email, Error: "Name and email are required"})
|
|
return
|
|
}
|
|
|
|
go sendFriendInviteEmail(email, recipientName, p.Name, p.Email, emailLang)
|
|
render(w, r, PageData{Page: "invite", Lang: lang, Dossier: p, EmailLang: lang, Success: "Invitation sent!"})
|
|
}
|
|
|
|
// categoryMeta maps category IDs to their dashboard icon, short label, and count type.
|
|
var categoryMeta = []struct {
|
|
Category int
|
|
Icon string
|
|
Short string // short label for chip display
|
|
TypeFilter string
|
|
Binary bool // show as label only (no count), e.g. genome
|
|
Color string // CSS class for pill color
|
|
}{
|
|
{lib.CategoryImaging, "📷", "imaging", "study", false, "chip-blue"},
|
|
{lib.CategoryLab, "🧪", "labs", "lab_order", false, "chip-emerald"},
|
|
{lib.CategoryGenome, "🧬", "genome", "tier", true, "chip-purple"},
|
|
{lib.CategoryDocument, "📄", "docs", "", false, "chip-stone"},
|
|
{lib.CategorySurgery, "🔪", "procedures", "", false, "chip-red"},
|
|
{lib.CategoryDiagnosis, "🏥", "diagnoses", "", false, "chip-amber"},
|
|
{lib.CategoryHospital, "🏨", "hospitals", "", false, "chip-red"},
|
|
{lib.CategoryMedication, "💊", "meds", "", false, "chip-pink"},
|
|
{lib.CategorySupplement, "🌿", "supps", "", false, "chip-green"},
|
|
{lib.CategoryVital, "❤️", "vitals", "", false, "chip-rose"},
|
|
{lib.CategoryExercise, "🏃", "exercise", "", false, "chip-cyan"},
|
|
{lib.CategoryTherapy, "🧠", "therapy", "", false, "chip-violet"},
|
|
{lib.CategoryDevice, "⚙️", "devices", "", false, "chip-slate"},
|
|
{lib.CategoryProvider, "👨⚕️", "providers", "", false, "chip-indigo"},
|
|
{lib.CategoryConsultation, "📋", "consults", "", false, "chip-amber"},
|
|
{lib.CategoryAssessment, "📊", "assessments", "", false, "chip-teal"},
|
|
}
|
|
|
|
func getDossierStats(dossierID string) DossierStats {
|
|
ctx := &lib.AccessContext{AccessorID: dossierID}
|
|
var stats DossierStats
|
|
|
|
// Count all categories, build chips for non-zero ones
|
|
var all []StatChip
|
|
for _, m := range categoryMeta {
|
|
n, _ := lib.EntryCount(ctx, dossierID, m.Category, m.TypeFilter)
|
|
if n == 0 {
|
|
continue
|
|
}
|
|
stats.TotalCount += n
|
|
chip := StatChip{Icon: m.Icon, Count: n, Label: m.Short, Color: m.Color}
|
|
if m.Binary {
|
|
chip.Count = 0
|
|
}
|
|
all = append(all, chip)
|
|
|
|
// Keep legacy fields for backward compat
|
|
switch m.Category {
|
|
case lib.CategoryImaging:
|
|
stats.Imaging = n
|
|
case lib.CategoryLab:
|
|
stats.Labs = n
|
|
case lib.CategoryGenome:
|
|
stats.Genome = n
|
|
case lib.CategoryDocument:
|
|
stats.Documents = n
|
|
case lib.CategoryVital:
|
|
stats.Vitals = n
|
|
case lib.CategoryMedication:
|
|
stats.Medications = n
|
|
case lib.CategorySupplement:
|
|
stats.Supplements = n
|
|
}
|
|
}
|
|
|
|
// Top 5 by count (binary items like genome sort last among equals)
|
|
sort.Slice(all, func(i, j int) bool {
|
|
ci, cj := all[i].Count, all[j].Count
|
|
if ci == 0 { ci = 1 } // binary items sort as 1
|
|
if cj == 0 { cj = 1 }
|
|
return ci > cj
|
|
})
|
|
if len(all) > 6 {
|
|
stats.OverflowCount = len(all) - 5
|
|
all = all[:5]
|
|
}
|
|
stats.Chips = all
|
|
return stats
|
|
}
|
|
|
|
func handleDashboard(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
if p.Name == "" { http.Redirect(w, r, "/onboard", http.StatusSeeOther); return }
|
|
lang := getLang(r)
|
|
|
|
// All cat-0 entries I can access (self + granted) — RBAC checked
|
|
allDossiers, _ := lib.EntryRead(p.DossierID, "", &lib.Filter{Category: 0})
|
|
// Access grants for relation/ops metadata
|
|
grants, _ := lib.AccessList(&lib.AccessFilter{AccessorID: p.DossierID})
|
|
grantMap := map[string]*lib.Access{}
|
|
for _, g := range grants { grantMap[g.DossierID] = g }
|
|
|
|
// Build accessible dossier list — self first, then others
|
|
nameMap := map[string]string{} // dossierID → name
|
|
self := AccessEntry{
|
|
DossierID: p.DossierID, Name: p.Name, DateOfBirth: p.DateOfBirth,
|
|
Sex: p.Sex, Lang: p.Preferences.Language,
|
|
Relation: T(lang, "you"), CanEdit: true, IsSelf: true,
|
|
Stats: getDossierStats(p.DossierID),
|
|
}
|
|
var accessible []AccessEntry
|
|
for _, entry := range allDossiers {
|
|
if entry.DossierID == p.DossierID { continue }
|
|
d := lib.DossierFromEntry(entry)
|
|
nameMap[d.DossierID] = d.Name
|
|
e := AccessEntry{
|
|
DossierID: d.DossierID,
|
|
Name: d.Name,
|
|
DateOfBirth: d.DateOfBirth,
|
|
Sex: d.Sex,
|
|
Lang: d.Preferences.Language,
|
|
Stats: getDossierStats(d.DossierID),
|
|
}
|
|
if g := grantMap[d.DossierID]; g != nil {
|
|
e.Relation = T(lang, "rel_"+fmt.Sprintf("%d", g.Relation))
|
|
e.RelationInt = g.Relation
|
|
e.CanEdit = (g.Ops & lib.PermWrite) != 0
|
|
e.AccessedAt = time.Unix(g.CreatedAt, 0)
|
|
}
|
|
accessible = append(accessible, e)
|
|
}
|
|
|
|
// Find inter-dossier relationships (scan all accessible dossiers)
|
|
idSet := map[string]bool{}
|
|
relOfMe := map[string]int{} // dossierID → my relation to them
|
|
for _, e := range accessible {
|
|
idSet[e.DossierID] = true
|
|
relOfMe[e.DossierID] = e.RelationInt
|
|
}
|
|
groupOf := map[string]string{} // dossierID → group anchor ID
|
|
contextMap := map[string]string{} // dossierID → "Parent · Name"
|
|
isParent := map[string]bool{} // dossierID → true if they're a parent in their group
|
|
familyLinked := map[string]bool{} // "other" dossierID → true if linked to a family member
|
|
// relNames: grantee's role → label. inverseRel: target's role (opposite direction)
|
|
relNames := map[int]string{1: "Parent", 2: "Child", 3: "Spouse"}
|
|
inverseRel := map[int]string{1: "Child", 2: "Parent", 3: "Spouse"}
|
|
isFamily := func(rel int) bool { return rel >= 1 && rel <= 4 }
|
|
for _, e := range accessible {
|
|
grants, _ := lib.AccessList(&lib.AccessFilter{TargetID: e.DossierID})
|
|
for _, g := range grants {
|
|
if g.GranteeID == p.DossierID { continue }
|
|
if !idSet[g.GranteeID] { continue }
|
|
// g.GranteeID has relation g.Relation to e.DossierID
|
|
groupOf[g.GranteeID] = e.DossierID
|
|
groupOf[e.DossierID] = e.DossierID
|
|
if g.Relation == 1 { isParent[g.GranteeID] = true }
|
|
// Context: grantee gets their role label, target gets the inverse
|
|
if rn, ok := relNames[g.Relation]; ok {
|
|
contextMap[g.GranteeID] = rn + " · " + nameMap[e.DossierID]
|
|
}
|
|
if rn, ok := inverseRel[g.Relation]; ok {
|
|
if _, exists := contextMap[e.DossierID]; !exists {
|
|
contextMap[e.DossierID] = rn + " · " + nameMap[g.GranteeID]
|
|
}
|
|
}
|
|
// If an "other" is connected to a family member, promote to family
|
|
gRel, eRel := relOfMe[g.GranteeID], relOfMe[e.DossierID]
|
|
if !isFamily(gRel) && isFamily(eRel) { familyLinked[g.GranteeID] = true }
|
|
if !isFamily(eRel) && isFamily(gRel) { familyLinked[e.DossierID] = true }
|
|
}
|
|
}
|
|
|
|
// Tier: 0=family (rel 1-4 or linked to family), 1=connected others, 2=ungrouped others, 3=demo
|
|
tier := func(e *AccessEntry) int {
|
|
switch {
|
|
case e.RelationInt >= 1 && e.RelationInt <= 4: return 0
|
|
case familyLinked[e.DossierID]: return 0
|
|
case e.RelationInt == 99: return 3
|
|
case groupOf[e.DossierID] != "": return 1
|
|
default: return 2
|
|
}
|
|
}
|
|
// Within family: spouse first, then children by name
|
|
famOrder := map[int]int{3: 0, 2: 1, 1: 2, 4: 3}
|
|
sort.SliceStable(accessible, func(i, j int) bool {
|
|
ti, tj := tier(&accessible[i]), tier(&accessible[j])
|
|
if ti != tj { return ti < tj }
|
|
if ti == 0 { // family: spouse → child → parent → sibling
|
|
fi, fj := famOrder[accessible[i].RelationInt], famOrder[accessible[j].RelationInt]
|
|
if fi != fj { return fi < fj }
|
|
return accessible[i].Name < accessible[j].Name
|
|
}
|
|
if ti == 1 { // connected others: group together, parent before child
|
|
gi, gj := groupOf[accessible[i].DossierID], groupOf[accessible[j].DossierID]
|
|
if gi != gj { return gi < gj }
|
|
// Within same group: parent first
|
|
pi, pj := isParent[accessible[i].DossierID], isParent[accessible[j].DossierID]
|
|
if pi != pj { return pi }
|
|
return accessible[i].Name < accessible[j].Name
|
|
}
|
|
return accessible[i].Name < accessible[j].Name
|
|
})
|
|
|
|
// Set context strings + detect group breaks
|
|
prevTier, prevGroup := -1, ""
|
|
for i := range accessible {
|
|
// Only show inter-dossier context on "other" dossiers, not direct family
|
|
if ctx, ok := contextMap[accessible[i].DossierID]; ok && !isFamily(accessible[i].RelationInt) {
|
|
accessible[i].Context = ctx
|
|
}
|
|
t := tier(&accessible[i])
|
|
g := groupOf[accessible[i].DossierID]
|
|
if i > 0 && (t != prevTier || (t == 1 && g != prevGroup)) {
|
|
accessible[i].NewGroup = true
|
|
}
|
|
prevTier, prevGroup = t, g
|
|
}
|
|
|
|
accessible = append([]AccessEntry{self}, accessible...)
|
|
render(w, r, PageData{Page: "dashboard", Lang: lang, Embed: isEmbed(r), Dossier: p, AccessibleDossiers: accessible})
|
|
}
|
|
|
|
func handleDemo(w http.ResponseWriter, r *http.Request) {
|
|
lang := getLang(r)
|
|
target, err := lib.DossierGet("", demoDossierID) // nil ctx - demo lookup
|
|
if err != nil {
|
|
http.Error(w, "Demo account not found", http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
// Create a fake logged-in dossier for the template (the demo user viewing themselves)
|
|
p := target
|
|
|
|
studies, _ := fetchStudiesWithSeries(demoDossierID)
|
|
hasImaging := len(studies) > 0
|
|
var totalSlices int
|
|
for _, s := range studies {
|
|
totalSlices += s.SliceCount
|
|
}
|
|
genomeEntries, _ := lib.EntryList(lib.SystemAccessorID, "", lib.CategoryGenome, &lib.EntryFilter{DossierID: demoDossierID, Limit: 1}) // nil ctx - demo lookup
|
|
hasGenome := len(genomeEntries) > 0
|
|
|
|
// Build sections for demo dossier
|
|
sections := BuildDossierSections(demoDossierID, formatHexID(demoDossierID), target, p, lang, false)
|
|
|
|
render(w, r, PageData{
|
|
Page: "dossier",
|
|
Lang: lang,
|
|
Embed: isEmbed(r),
|
|
Dossier: p,
|
|
TargetDossier: target,
|
|
ShowDetails: true,
|
|
HasImaging: hasImaging,
|
|
Studies: studies,
|
|
StudyCount: len(studies),
|
|
TotalSlices: totalSlices,
|
|
HasGenome: hasGenome,
|
|
Sections: sections,
|
|
})
|
|
}
|
|
|
|
func loadRelationTargets(accessorID string) []RelationTarget {
|
|
allDossiers, _ := lib.EntryRead(accessorID, "", &lib.Filter{Category: 0})
|
|
var targets []RelationTarget
|
|
for _, e := range allDossiers {
|
|
if e.DossierID == accessorID { continue }
|
|
d := lib.DossierFromEntry(e)
|
|
targets = append(targets, RelationTarget{d.DossierID, d.Name})
|
|
}
|
|
return targets
|
|
}
|
|
|
|
func handleAddDossier(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
lang := getLang(r)
|
|
targets := loadRelationTargets(p.DossierID)
|
|
|
|
if r.Method == "GET" {
|
|
render(w, r, PageData{Page: "add_dossier", Lang: lang, Dossier: p, Languages: langOptions, RelationTargets: targets})
|
|
return
|
|
}
|
|
|
|
name := strings.TrimSpace(r.FormValue("name"))
|
|
dob := r.FormValue("dob")
|
|
sex := r.FormValue("sex")
|
|
email := strings.ToLower(strings.TrimSpace(r.FormValue("email")))
|
|
emailLang := r.FormValue("lang")
|
|
relation := r.FormValue("relation")
|
|
relationTo := r.FormValue("relation_to")
|
|
isCareReceiver := r.FormValue("is_care_receiver") == "1"
|
|
canEdit := r.FormValue("can_edit") == "1"
|
|
|
|
renderErr := func(msg string) {
|
|
render(w, r, PageData{Page: "add_dossier", Lang: lang, Dossier: p, Name: name, DOB: dob, Sex: sex, Email: email, EmailLang: emailLang, Relation: relation, RelationTo: relationTo, IsCareReceiver: isCareReceiver, CanEdit: canEdit, Languages: langOptions, RelationTargets: targets, Error: msg})
|
|
}
|
|
|
|
if name == "" || dob == "" || sex == "" || relation == "" {
|
|
renderErr("Name, date of birth, sex, and relation are required")
|
|
return
|
|
}
|
|
|
|
// Convert sex string to int (ISO 5218)
|
|
sexInt := 0
|
|
switch sex {
|
|
case "1", "male", "M": sexInt = 1
|
|
case "2", "female", "F": sexInt = 2
|
|
case "9", "other": sexInt = 9
|
|
}
|
|
|
|
relationInt, _ := strconv.Atoi(relation)
|
|
|
|
// Check duplicate: same email already exists
|
|
if email != "" {
|
|
if _, exists := lib.DossierExists(email); exists {
|
|
renderErr("A dossier with this email already exists")
|
|
return
|
|
}
|
|
}
|
|
|
|
// Create cat-0 entry for the new dossier
|
|
newID := lib.NewID()
|
|
dossierLang := emailLang
|
|
if dossierLang == "" { dossierLang = lang }
|
|
dataJSON, _ := json.Marshal(map[string]any{"dob": dob, "sex": sexInt, "lang": dossierLang})
|
|
newEntry := &lib.Entry{
|
|
EntryID: newID,
|
|
DossierID: newID,
|
|
Category: 0,
|
|
Type: "dossier",
|
|
Summary: name,
|
|
SearchKey: email,
|
|
Data: string(dataJSON),
|
|
Timestamp: time.Now().Unix(),
|
|
}
|
|
if err := lib.EntryWrite("", newEntry); err != nil {
|
|
renderErr("Failed to create dossier")
|
|
return
|
|
}
|
|
|
|
// Grant access
|
|
isMe := relationTo == "" || relationTo == p.DossierID
|
|
if isMe {
|
|
// "Child of Me" → I am their Parent → invert relation for grant
|
|
ops := lib.PermRead | lib.PermWrite
|
|
inverted := invertRelation(relationInt)
|
|
if inverted == 1 || inverted == 5 { // I am parent or guardian
|
|
ops = lib.PermRead | lib.PermWrite | lib.PermDelete | lib.PermManage
|
|
}
|
|
lib.GrantAccess(newID, p.DossierID, newID, ops, inverted)
|
|
} else {
|
|
// "Parent of Tanya" → Tanya is their Child → invert for Tanya's grant
|
|
lib.GrantAccess(newID, relationTo, newID, lib.PermRead, invertRelation(relationInt))
|
|
// Creator gets access as Other with read+write
|
|
ops := lib.PermRead | lib.PermWrite
|
|
lib.GrantAccess(newID, p.DossierID, newID, ops, 10)
|
|
}
|
|
|
|
lib.AuditLogFull(p.DossierID, "", newID, "dossier_added", "", relationInt)
|
|
|
|
if email != "" && !isMinor(dob) { sendShareEmail(email, name, name, p.Name, true, emailLang) }
|
|
http.Redirect(w, r, fmt.Sprintf("/dossier/%s", formatHexID(newID)), http.StatusSeeOther)
|
|
}
|
|
|
|
func handleEditDossier(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
lang := getLang(r)
|
|
|
|
parts := strings.Split(r.URL.Path, "/")
|
|
if len(parts) < 3 { http.NotFound(w, r); return }
|
|
targetID := parts[2]
|
|
|
|
// Check access - must be self or have edit access
|
|
isSelf := targetID == p.DossierID
|
|
var access AccessRecord
|
|
if !isSelf {
|
|
var found bool
|
|
access, found = getAccess(p.DossierID, targetID)
|
|
if !found || !access.CanEdit {
|
|
http.Error(w, "Forbidden", http.StatusForbidden)
|
|
return
|
|
}
|
|
}
|
|
|
|
target, err := lib.DossierGet(p.DossierID, targetID)
|
|
if err != nil {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
|
|
relationStr := "0" // Relation removed from RBAC
|
|
canEdit := access.CanEdit
|
|
|
|
if r.Method == "GET" {
|
|
// Convert sex int to string for form
|
|
sexStr := ""
|
|
errMsg := ""
|
|
switch target.Sex {
|
|
case 1: sexStr = "M"
|
|
case 2: sexStr = "F"
|
|
case 9: sexStr = "other"
|
|
default: errMsg = "Sex is not set. Please select one."
|
|
}
|
|
render(w, r, PageData{
|
|
Page: "add_dossier", Lang: lang, Dossier: p,
|
|
EditMode: true, EditDossier: target, IsSelf: isSelf,
|
|
Name: target.Name, DOB: target.DateOfBirth, Sex: sexStr, Email: target.Email,
|
|
EmailLang: target.Preferences.Language,
|
|
Relation: relationStr, IsCareReceiver: false, CanEdit: canEdit,
|
|
Languages: langOptions, Error: errMsg,
|
|
})
|
|
return
|
|
}
|
|
|
|
// POST - update dossier
|
|
name := strings.TrimSpace(r.FormValue("name"))
|
|
dob := r.FormValue("dob")
|
|
sex := r.FormValue("sex")
|
|
email := strings.ToLower(strings.TrimSpace(r.FormValue("email")))
|
|
relation := r.FormValue("relation")
|
|
canEdit = r.FormValue("can_edit") == "1"
|
|
isCareReceiver := r.FormValue("is_care_receiver") == "1"
|
|
|
|
renderErr := func(msg string) {
|
|
render(w, r, PageData{
|
|
Page: "add_dossier", Lang: lang, Dossier: p,
|
|
EditMode: true, EditDossier: target, IsSelf: isSelf,
|
|
Name: name, DOB: dob, Sex: sex, Email: email,
|
|
EmailLang: r.FormValue("lang"),
|
|
Relation: relation, IsCareReceiver: isCareReceiver, CanEdit: canEdit,
|
|
Languages: langOptions, Error: msg,
|
|
})
|
|
}
|
|
|
|
if name == "" || dob == "" || sex == "" {
|
|
renderErr("Name, date of birth, and sex are required")
|
|
return
|
|
}
|
|
|
|
// Check email uniqueness if changed
|
|
if email != "" && email != target.Email {
|
|
if existingID, ok := lib.DossierExists(email); ok && existingID != targetID {
|
|
renderErr("This email is already in use by another dossier")
|
|
return
|
|
}
|
|
}
|
|
|
|
// Convert sex string to int
|
|
sexInt := 0
|
|
switch sex {
|
|
case "1", "male", "M": sexInt = 1
|
|
case "2", "female", "F": sexInt = 2
|
|
case "9", "other": sexInt = 9
|
|
}
|
|
|
|
// Update dossier
|
|
target.Name = name
|
|
if dobTime, err := time.Parse("2006-01-02", dob); err == nil {
|
|
target.DOB = dobTime
|
|
}
|
|
target.Sex = sexInt
|
|
target.Email = email
|
|
target.Preferences.Language = r.FormValue("lang")
|
|
|
|
if err := lib.DossierWrite(p.DossierID, target); err != nil {
|
|
renderErr("Failed to update dossier")
|
|
return
|
|
}
|
|
|
|
// Update access record if editing someone else's dossier
|
|
if !isSelf {
|
|
// Revoke existing access and re-grant with new permissions
|
|
lib.RevokeAccess(targetID, p.DossierID, targetID)
|
|
ops := lib.PermRead
|
|
if canEdit {
|
|
ops |= lib.PermWrite
|
|
}
|
|
// Preserve existing relation if not provided in form
|
|
relationInt := access.Relation
|
|
if relation != "" {
|
|
relationInt, _ = strconv.Atoi(relation)
|
|
}
|
|
lib.GrantAccess(targetID, p.DossierID, targetID, ops, relationInt)
|
|
}
|
|
|
|
lib.AuditLogFull(p.DossierID, "", targetID, "dossier_edited", "", 0)
|
|
http.Redirect(w, r, "/dashboard", http.StatusSeeOther)
|
|
}
|
|
|
|
func handleExportData(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Error(w, "Unauthorized", http.StatusUnauthorized); return }
|
|
|
|
parts := strings.Split(r.URL.Path, "/")
|
|
if len(parts) < 3 { http.NotFound(w, r); return }
|
|
targetID := parts[2]
|
|
|
|
// Allow export of own dossier or if care receiver
|
|
isSelf := targetID == p.DossierID
|
|
canExport := isSelf
|
|
if !isSelf {
|
|
if access, found := getAccess(p.DossierID, targetID); found && access.IsCareReceiver {
|
|
canExport = true
|
|
}
|
|
}
|
|
if !canExport {
|
|
http.Error(w, "Forbidden", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
dossier, err := lib.DossierGet(p.DossierID, targetID)
|
|
if err != nil || dossier == nil { http.NotFound(w, r); return }
|
|
|
|
// Get ALL entries for this dossier (including nested)
|
|
entries, _ := lib.EntryQuery(&lib.AccessContext{AccessorID: p.DossierID}, targetID, 0, "", "*")
|
|
|
|
// Build clean export structure (no IDs)
|
|
type ExportDossier struct {
|
|
Name string `json:"name"`
|
|
Email string `json:"email,omitempty"`
|
|
DateOfBirth string `json:"date_of_birth"`
|
|
Sex string `json:"sex"`
|
|
CreatedAt string `json:"created_at"`
|
|
}
|
|
type ExportEntry struct {
|
|
Category string `json:"category"`
|
|
Type string `json:"type"`
|
|
Value string `json:"value,omitempty"`
|
|
Summary string `json:"summary,omitempty"`
|
|
Timestamp string `json:"timestamp"`
|
|
Tags string `json:"tags,omitempty"`
|
|
Data string `json:"data,omitempty"`
|
|
}
|
|
type Export struct {
|
|
ExportedAt string `json:"exported_at"`
|
|
Dossier ExportDossier `json:"dossier"`
|
|
Entries []ExportEntry `json:"entries"`
|
|
}
|
|
|
|
sexStr := map[int]string{1: "male", 2: "female", 9: "other"}[dossier.Sex]
|
|
categoryStr := func(c int) string {
|
|
for k, v := range lib.CategoryFromString { if v == c { return k } }
|
|
return fmt.Sprintf("unknown_%d", c)
|
|
}
|
|
|
|
export := Export{
|
|
ExportedAt: time.Now().UTC().Format(time.RFC3339),
|
|
Dossier: ExportDossier{
|
|
Name: dossier.Name,
|
|
Email: dossier.Email,
|
|
DateOfBirth: dossier.DateOfBirth,
|
|
Sex: sexStr,
|
|
CreatedAt: time.Unix(dossier.CreatedAt, 0).UTC().Format(time.RFC3339),
|
|
},
|
|
Entries: make([]ExportEntry, 0, len(entries)),
|
|
}
|
|
|
|
for _, e := range entries {
|
|
export.Entries = append(export.Entries, ExportEntry{
|
|
Category: categoryStr(e.Category),
|
|
Type: e.Type,
|
|
Value: e.Value,
|
|
Summary: e.Summary,
|
|
Timestamp: time.Unix(e.Timestamp, 0).UTC().Format(time.RFC3339),
|
|
Tags: e.Tags,
|
|
Data: e.Data,
|
|
})
|
|
}
|
|
|
|
jsonData, err := json.MarshalIndent(export, "", " ")
|
|
if err != nil { http.Error(w, "Export failed", http.StatusInternalServerError); return }
|
|
|
|
filename := fmt.Sprintf("inou-export-%s-%s.json", dossier.Name, time.Now().Format("2006-01-02"))
|
|
filename = strings.ReplaceAll(filename, " ", "-")
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, filename))
|
|
w.Write(jsonData)
|
|
|
|
lib.AuditLog(p.DossierID, "data_export", targetID, "")
|
|
}
|
|
|
|
func handleShareAccess(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
parts := strings.Split(r.URL.Path, "/")
|
|
if len(parts) < 4 { http.NotFound(w, r); return }
|
|
targetID := parts[2]
|
|
|
|
isSelf := targetID == p.DossierID
|
|
if !isSelf {
|
|
if access, found := getAccess(formatHexID(p.DossierID), formatHexID(targetID)); !found || !access.IsCareReceiver {
|
|
http.Error(w, "Forbidden", http.StatusForbidden); return
|
|
}
|
|
}
|
|
|
|
target, _ := lib.DossierGet(p.DossierID, targetID)
|
|
if target == nil { http.NotFound(w, r); return }
|
|
lang := getLang(r)
|
|
|
|
if r.Method == "GET" {
|
|
render(w, r, PageData{Page: "share", Lang: lang, Dossier: p, TargetDossier: target})
|
|
return
|
|
}
|
|
|
|
recipientName := strings.TrimSpace(r.FormValue("recipient_name"))
|
|
email := strings.ToLower(strings.TrimSpace(r.FormValue("email")))
|
|
emailLang := r.FormValue("email_lang")
|
|
relation := r.FormValue("relation")
|
|
canEdit := r.FormValue("can_edit") == "1"
|
|
|
|
if recipientName == "" || email == "" || relation == "" {
|
|
render(w, r, PageData{Page: "share", Lang: lang, Dossier: p, TargetDossier: target, RecipientName: recipientName, EmailLang: emailLang, Email: email, Relation: relation, CanEdit: canEdit, Error: "Email and relation are required"})
|
|
return
|
|
}
|
|
|
|
// Find or create accessor dossier by email
|
|
var accessor *lib.Dossier
|
|
if id, ok := lib.DossierExists(email); ok {
|
|
accessor, _ = lib.DossierGet("", id)
|
|
}
|
|
if accessor == nil {
|
|
accessor = &lib.Dossier{
|
|
Email: email,
|
|
InvitedByDossierID: p.DossierID,
|
|
}
|
|
if err := lib.DossierWrite("", accessor); err != nil {
|
|
render(w, r, PageData{Page: "share", Lang: lang, Dossier: p, TargetDossier: target, RecipientName: recipientName, EmailLang: emailLang, Email: email, Relation: relation, CanEdit: canEdit, Error: "Failed to create invitation"})
|
|
return
|
|
}
|
|
}
|
|
accessorHex := accessor.DossierID
|
|
|
|
relationInt, _ := strconv.Atoi(relation)
|
|
|
|
// Check if already has access
|
|
if _, found := getAccess(accessorHex, formatHexID(targetID)); found {
|
|
render(w, r, PageData{Page: "share", Lang: lang, Dossier: p, TargetDossier: target, RecipientName: recipientName, EmailLang: emailLang, Email: email, Relation: relation, CanEdit: canEdit, Error: "This person already has access"})
|
|
return
|
|
}
|
|
|
|
grantAccess(accessorHex, formatHexID(targetID), relationInt, false, canEdit)
|
|
|
|
// Create RBAC grant
|
|
ops := lib.PermRead
|
|
if canEdit { ops = lib.PermRead | lib.PermWrite }
|
|
lib.GrantAccess(targetID, accessorHex, targetID, ops, relationInt)
|
|
|
|
lib.AuditLogFull(p.DossierID, accessorHex, targetID, "access_granted", "", relationInt)
|
|
sendShareEmail(email, recipientName, target.Name, p.Name, canEdit, emailLang)
|
|
http.Redirect(w, r, fmt.Sprintf("/dossier/%s", formatHexID(targetID)), http.StatusSeeOther)
|
|
}
|
|
|
|
func handleAuditLog(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
lang := getLang(r)
|
|
parts := strings.Split(r.URL.Path, "/")
|
|
if len(parts) < 3 { http.Redirect(w, r, "/dashboard", http.StatusSeeOther); return }
|
|
targetID := parts[2]
|
|
|
|
target, err := lib.DossierGet(p.DossierID, targetID)
|
|
if err != nil { http.Redirect(w, r, "/dashboard", http.StatusSeeOther); return }
|
|
|
|
// Fetch audit entries for this dossier
|
|
entries, _ := lib.AuditList(&lib.AuditFilter{TargetID: targetID})
|
|
var auditList []AuditViewEntry
|
|
for _, e := range entries {
|
|
actor1Name := "Unknown"
|
|
if actor, err := lib.DossierGet(p.DossierID, e.Actor1ID); err == nil {
|
|
actor1Name = actor.Name
|
|
}
|
|
actor2Name := ""
|
|
if e.Actor2ID != "" {
|
|
if actor2, err := lib.DossierGet(p.DossierID, e.Actor2ID); err == nil {
|
|
actor2Name = actor2.Name
|
|
}
|
|
}
|
|
targetName := "Unknown"
|
|
if t, err := lib.DossierGet(p.DossierID, e.TargetID); err == nil {
|
|
targetName = t.Name
|
|
}
|
|
|
|
// Format details based on action type
|
|
details := e.Details
|
|
switch e.Action {
|
|
case "dossier_created":
|
|
details = fmt.Sprintf(T(lang, "audit_dossier_created"), actor1Name)
|
|
case "dossier_added":
|
|
details = fmt.Sprintf(T(lang, "audit_dossier_added"), targetName, actor1Name)
|
|
case "dossier_edited":
|
|
details = fmt.Sprintf(T(lang, "audit_dossier_edited"), targetName, actor1Name)
|
|
case "access_granted":
|
|
details = fmt.Sprintf(T(lang, "audit_access_granted"), actor2Name, targetName)
|
|
case "access_revoked":
|
|
details = fmt.Sprintf(T(lang, "audit_access_revoked"), actor2Name, targetName)
|
|
case "file_upload":
|
|
details = fmt.Sprintf(T(lang, "audit_file_upload"), e.Details, actor1Name)
|
|
case "file_delete":
|
|
details = fmt.Sprintf(T(lang, "audit_file_delete"), e.Details, actor1Name)
|
|
case "file_category_change":
|
|
details = fmt.Sprintf(T(lang, "audit_file_category_change"), e.Details, actor1Name)
|
|
case "genome_import":
|
|
details = fmt.Sprintf(T(lang, "audit_genome_import"), e.Details)
|
|
}
|
|
|
|
actionLabels := map[string]string{
|
|
"dossier_created": "Account created", "dossier_added": "Dossier added", "dossier_edited": "Dossier edited",
|
|
"access_granted": "Access granted", "access_revoked": "Access revoked",
|
|
"file_upload": "File uploaded", "file_delete": "File deleted", "file_category_change": "Category changed",
|
|
"genome_import": "Genome imported", "doc_import": "Document imported",
|
|
"json_import": "Data imported", "json_import_file": "Data imported",
|
|
"imaging_import": "Imaging imported", "undo_import": "Import undone",
|
|
"mcp_connect": "AI connected", "viewer_access": "Viewer accessed",
|
|
"bridge_token_generated": "API token created", "bridge_token_regenerated": "API token regenerated",
|
|
"data_export": "Data exported",
|
|
"rbac_grant": "Permissions granted", "rbac_revoke": "Permissions revoked", "rbac_update": "Permissions updated",
|
|
}
|
|
actionLabel := e.Action
|
|
if label, ok := actionLabels[e.Action]; ok { actionLabel = label }
|
|
|
|
auditList = append(auditList, AuditViewEntry{
|
|
ActorName: actor1Name,
|
|
Action: actionLabel,
|
|
Details: details,
|
|
CreatedAt: time.Unix(e.Timestamp, 0),
|
|
})
|
|
}
|
|
|
|
render(w, r, PageData{Page: "audit", Lang: lang, Dossier: p, TargetDossier: target, AuditList: auditList})
|
|
}
|
|
|
|
func handleRevokeAccess(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "POST" { http.Error(w, "Method not allowed", http.StatusMethodNotAllowed); return }
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
parts := strings.Split(r.URL.Path, "/")
|
|
if len(parts) < 4 { http.NotFound(w, r); return }
|
|
targetID := parts[2]
|
|
accessorID := r.FormValue("accessor_id")
|
|
|
|
isSelf := targetID == p.DossierID
|
|
var isCareReceiver bool
|
|
if !isSelf { if access, found := getAccess(formatHexID(p.DossierID), formatHexID(targetID)); found { isCareReceiver = access.IsCareReceiver } }
|
|
if !isSelf && !isCareReceiver { http.Error(w, "Forbidden", http.StatusForbidden); return }
|
|
|
|
revokeAccess(accessorID, formatHexID(targetID))
|
|
|
|
// Also revoke RBAC grants
|
|
lib.RevokeAllAccess(targetID, accessorID)
|
|
lib.InvalidateCacheForAccessor(accessorID)
|
|
|
|
lib.AuditLogFull(p.DossierID, accessorID, targetID, "access_revoked", "", 0)
|
|
http.Redirect(w, r, fmt.Sprintf("/dossier/%s", formatHexID(targetID)), http.StatusSeeOther)
|
|
}
|
|
|
|
// GranteeView is a grantee summary for the template
|
|
type GranteeView struct {
|
|
GranteeID string
|
|
Name string
|
|
Role string
|
|
Ops string
|
|
}
|
|
|
|
// RoleView is a role template for the template
|
|
type RoleView struct {
|
|
Name string
|
|
Description string
|
|
Ops string
|
|
GrantsJSON string // JSON-encoded grants for JavaScript
|
|
}
|
|
|
|
// CategoryRBACView represents a category with per-operation permissions
|
|
type CategoryRBACView struct {
|
|
ID int
|
|
Name string
|
|
CanRead bool
|
|
CanWrite bool
|
|
CanDelete bool
|
|
CanManage bool
|
|
}
|
|
|
|
func handlePermissions(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
lang := getLang(r)
|
|
|
|
parts := strings.Split(r.URL.Path, "/")
|
|
if len(parts) < 3 { http.NotFound(w, r); return }
|
|
targetID := parts[2]
|
|
|
|
target, err := lib.DossierGet(p.DossierID, targetID)
|
|
if err != nil { http.NotFound(w, r); return }
|
|
|
|
// Check manage permission
|
|
if !lib.CanManageDossier(p.DossierID, targetID) {
|
|
http.Error(w, "Forbidden: manage permission required", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
// Handle POST actions
|
|
if r.Method == "POST" {
|
|
action := r.FormValue("action")
|
|
|
|
if action == "grant" {
|
|
email := strings.ToLower(strings.TrimSpace(r.FormValue("email")))
|
|
name := strings.TrimSpace(r.FormValue("name"))
|
|
role := r.FormValue("role")
|
|
|
|
// Find or create grantee by email
|
|
var grantee *lib.Dossier
|
|
if id, ok := lib.DossierExists(email); ok {
|
|
grantee, _ = lib.DossierGet("", id)
|
|
}
|
|
if grantee == nil {
|
|
grantee = &lib.Dossier{
|
|
Email: email,
|
|
Name: name,
|
|
InvitedByDossierID: p.DossierID,
|
|
}
|
|
if err := lib.DossierWrite("", grantee); err != nil {
|
|
renderPermissions(w, r, p, target, lang, "Failed to create user", "")
|
|
return
|
|
}
|
|
}
|
|
|
|
// Determine ops (convert to int bitmask)
|
|
ops := lib.PermRead
|
|
if role == "custom" {
|
|
if r.FormValue("op_w") == "1" { ops |= lib.PermWrite }
|
|
if r.FormValue("op_d") == "1" { ops |= lib.PermDelete }
|
|
if r.FormValue("op_m") == "1" { ops |= lib.PermManage }
|
|
} else if role == "parent" || role == "guardian" {
|
|
ops = lib.PermRead | lib.PermWrite | lib.PermManage
|
|
} else if role == "caregiver" || role == "medical" {
|
|
ops = lib.PermRead | lib.PermWrite
|
|
}
|
|
|
|
// Create grant (RBAC already checked via CanManageDossier)
|
|
// Map role to relation
|
|
relationInt := 0
|
|
if role == "parent" { relationInt = 1 }
|
|
if role == "guardian" { relationInt = 4 }
|
|
if role == "caregiver" { relationInt = 5 }
|
|
if role == "medical" { relationInt = 7 }
|
|
if err := lib.GrantAccess(targetID, grantee.DossierID, targetID, ops, relationInt); err != nil {
|
|
renderPermissions(w, r, p, target, lang, "Failed to grant access: "+err.Error(), "")
|
|
return
|
|
}
|
|
lib.AuditLogFull(p.DossierID, grantee.DossierID, targetID, "rbac_grant", role, 0)
|
|
http.Redirect(w, r, "/dossier/"+targetID+"/permissions?success=1", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
if action == "revoke" {
|
|
granteeID := r.FormValue("grantee_id")
|
|
if err := lib.RevokeAllAccess(targetID, granteeID); err != nil {
|
|
renderPermissions(w, r, p, target, lang, "Failed to revoke access: "+err.Error(), "")
|
|
return
|
|
}
|
|
lib.InvalidateCacheForAccessor(granteeID)
|
|
lib.AuditLogFull(p.DossierID, granteeID, targetID, "rbac_revoke", "", 0)
|
|
http.Redirect(w, r, "/dossier/"+targetID+"/permissions?success=1", http.StatusSeeOther)
|
|
return
|
|
}
|
|
}
|
|
|
|
// GET: show permissions page
|
|
successMsg := ""
|
|
if r.URL.Query().Get("success") == "1" {
|
|
successMsg = T(lang, "permissions_updated")
|
|
}
|
|
renderPermissions(w, r, p, target, lang, "", successMsg)
|
|
}
|
|
|
|
func renderPermissions(w http.ResponseWriter, r *http.Request, p, target *lib.Dossier, lang, errMsg, successMsg string) {
|
|
// Get grantees
|
|
grants, _ := lib.ListGrantees(target.DossierID)
|
|
granteeMap := make(map[string]int) // granteeID -> ops
|
|
for _, g := range grants {
|
|
if g.GranteeID != target.DossierID { // Skip self-access
|
|
granteeMap[g.GranteeID] |= g.Ops
|
|
}
|
|
}
|
|
|
|
var granteeViews []GranteeView
|
|
for granteeID, ops := range granteeMap {
|
|
grantee, _ := lib.DossierGet(p.DossierID, granteeID)
|
|
if grantee == nil {
|
|
continue
|
|
}
|
|
opsStr := lib.OpsToString(ops)
|
|
granteeViews = append(granteeViews, GranteeView{
|
|
GranteeID: granteeID,
|
|
Name: grantee.Name,
|
|
Role: "", // Role system removed
|
|
Ops: opsStr,
|
|
})
|
|
}
|
|
|
|
// System roles removed - using direct permission management now
|
|
var roleViews []RoleView
|
|
|
|
data := PageData{
|
|
Page: "permissions",
|
|
Lang: lang,
|
|
Dossier: p,
|
|
TargetDossier: target,
|
|
Error: errMsg,
|
|
Success: successMsg,
|
|
Grantees: granteeViews,
|
|
Roles: roleViews,
|
|
}
|
|
|
|
if devMode { loadTemplates() }
|
|
data.T = translations[lang]
|
|
if data.T == nil { data.T = translations["en"] }
|
|
data.RequestPath = r.URL.Path
|
|
|
|
if err := templates.ExecuteTemplate(w, "base.tmpl", data); err != nil {
|
|
lib.SendSignal(fmt.Sprintf("**Template error**\nPage: %s (base)\nLang: %s\nError: %v", data.Page, data.Lang, err))
|
|
fmt.Fprintf(os.Stderr, "Template error: %v\n", err)
|
|
http.Error(w, "Template error", 500)
|
|
}
|
|
}
|
|
|
|
// Main categories for access control (subset of all categories)
|
|
var accessCategories = []struct {
|
|
ID int
|
|
Name string
|
|
}{
|
|
{lib.CategoryImaging, "Imaging"},
|
|
{lib.CategoryLab, "Labs"},
|
|
{lib.CategoryGenome, "Genetics"},
|
|
{lib.CategoryDocument, "Documents"},
|
|
{lib.CategoryFertility, "Fertility"},
|
|
{lib.CategoryMedication, "Medications"},
|
|
{lib.CategoryVital, "Vitals"},
|
|
{lib.CategoryNote, "Notes"},
|
|
}
|
|
|
|
func handleEditRBAC(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
lang := getLang(r)
|
|
|
|
// Parse path: /dossier/{id}/rbac/{grantee_id}
|
|
parts := strings.Split(r.URL.Path, "/")
|
|
if len(parts) < 5 { http.NotFound(w, r); return }
|
|
targetID := parts[2]
|
|
granteeID := parts[4]
|
|
|
|
target, err := lib.DossierGet(p.DossierID, targetID)
|
|
if err != nil { http.NotFound(w, r); return }
|
|
|
|
grantee, err := lib.DossierGet(p.DossierID, granteeID)
|
|
if err != nil { http.NotFound(w, r); return }
|
|
|
|
// Check manage permission
|
|
if !lib.CanManageDossier(p.DossierID, targetID) {
|
|
http.Error(w, "Forbidden", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
// Handle POST
|
|
if r.Method == "POST" {
|
|
action := r.FormValue("action")
|
|
|
|
if action == "revoke" {
|
|
lib.RevokeAllAccess(targetID, granteeID)
|
|
lib.InvalidateCacheForAccessor(granteeID)
|
|
lib.AuditLogFull(p.DossierID, granteeID, targetID, "rbac_revoke", "", 0)
|
|
http.Redirect(w, r, "/dossier/"+targetID, http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
if action == "update" {
|
|
roleName := r.FormValue("role")
|
|
if roleName == "" { roleName = "Custom" }
|
|
|
|
// Clear existing grants
|
|
lib.RevokeAllAccess(targetID, granteeID)
|
|
|
|
// Create per-category grants (all categories except All=0 and Upload=5)
|
|
for _, cat := range lib.Categories() {
|
|
if cat.ID == lib.CategoryUpload {
|
|
continue
|
|
}
|
|
catID := cat.ID
|
|
catOps := 0
|
|
if r.FormValue(fmt.Sprintf("cat_%d_r", catID)) == "1" { catOps |= lib.PermRead }
|
|
if r.FormValue(fmt.Sprintf("cat_%d_w", catID)) == "1" { catOps |= lib.PermWrite }
|
|
if r.FormValue(fmt.Sprintf("cat_%d_d", catID)) == "1" { catOps |= lib.PermDelete }
|
|
if r.FormValue(fmt.Sprintf("cat_%d_m", catID)) == "1" { catOps |= lib.PermManage }
|
|
|
|
// Preserve relation from existing grants
|
|
existingGrants, _ := lib.ListGrants(targetID, granteeID)
|
|
relationInt := 0
|
|
if len(existingGrants) > 0 {
|
|
relationInt = existingGrants[0].Relation
|
|
}
|
|
lib.GrantAccess(targetID, granteeID, targetID, catOps, relationInt)
|
|
}
|
|
|
|
lib.InvalidateCacheForAccessor(granteeID)
|
|
lib.AuditLogFull(p.DossierID, granteeID, targetID, "rbac_update", "", 0)
|
|
http.Redirect(w, r, "/dossier/"+targetID+"/rbac/"+granteeID+"?success=1", http.StatusSeeOther)
|
|
return
|
|
}
|
|
}
|
|
|
|
// GET: Load current grants and build view
|
|
grants, _ := lib.ListGrants(targetID, granteeID)
|
|
|
|
// Parse grants to determine per-category permissions
|
|
catPerms := make(map[int]int) // catID -> ops bitmask
|
|
for _, g := range grants {
|
|
if g.EntryID == targetID {
|
|
// Root grant - applies to all categories
|
|
for cat := 1; cat <= 24; cat++ {
|
|
catPerms[cat] |= g.Ops
|
|
}
|
|
continue
|
|
}
|
|
entry, err := lib.EntryGet(nil, g.EntryID)
|
|
if err == nil && entry != nil {
|
|
catPerms[entry.Category] |= g.Ops
|
|
}
|
|
}
|
|
|
|
// Build category RBAC views (all categories except Upload=5)
|
|
var categoriesRBAC []CategoryRBACView
|
|
for _, cat := range lib.Categories() {
|
|
if cat.ID == lib.CategoryUpload {
|
|
continue
|
|
}
|
|
ops := catPerms[cat.ID]
|
|
categoriesRBAC = append(categoriesRBAC, CategoryRBACView{
|
|
ID: cat.ID,
|
|
Name: cat.Name,
|
|
CanRead: (ops & lib.PermRead) != 0,
|
|
CanWrite: (ops & lib.PermWrite) != 0,
|
|
CanDelete: (ops & lib.PermDelete) != 0,
|
|
CanManage: (ops & lib.PermManage) != 0,
|
|
})
|
|
}
|
|
|
|
// Role system removed - simplified to direct permission management
|
|
var roles []RoleView
|
|
|
|
successMsg := ""
|
|
if r.URL.Query().Get("success") == "1" {
|
|
successMsg = "Permissions updated"
|
|
}
|
|
|
|
data := PageData{
|
|
Page: "edit_rbac",
|
|
Lang: lang,
|
|
Dossier: p,
|
|
TargetDossier: target,
|
|
GranteeID: granteeID,
|
|
GranteeName: grantee.Name,
|
|
CategoriesRBAC: categoriesRBAC,
|
|
Roles: roles,
|
|
SelectedRole: "",
|
|
Success: successMsg,
|
|
}
|
|
|
|
if devMode { loadTemplates() }
|
|
data.T = translations[lang]
|
|
if data.T == nil { data.T = translations["en"] }
|
|
data.RequestPath = r.URL.Path
|
|
|
|
if err := templates.ExecuteTemplate(w, "base.tmpl", data); err != nil {
|
|
lib.SendSignal(fmt.Sprintf("**Template error**\nPage: %s (base)\nLang: %s\nError: %v", data.Page, data.Lang, err))
|
|
fmt.Fprintf(os.Stderr, "Template error: %v\n", err)
|
|
http.Error(w, "Template error", 500)
|
|
}
|
|
}
|
|
|
|
func handleEditAccess(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Redirect(w, r, "/", http.StatusSeeOther); return }
|
|
lang := getLang(r)
|
|
|
|
// Parse path: /dossier/{id}/access/{grantee_id}
|
|
parts := strings.Split(r.URL.Path, "/")
|
|
if len(parts) < 5 { http.NotFound(w, r); return }
|
|
targetID := parts[2]
|
|
granteeID := parts[4]
|
|
|
|
target, err := lib.DossierGet(p.DossierID, targetID)
|
|
if err != nil { http.NotFound(w, r); return }
|
|
|
|
grantee, err := lib.DossierGet(p.DossierID, granteeID)
|
|
if err != nil { http.NotFound(w, r); return }
|
|
|
|
// Check manage permission
|
|
if !lib.CanManageDossier(p.DossierID, targetID) {
|
|
http.Error(w, "Forbidden", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
// Handle POST
|
|
if r.Method == "POST" {
|
|
action := r.FormValue("action")
|
|
|
|
if action == "revoke" {
|
|
lib.RevokeAllAccess(targetID, granteeID)
|
|
lib.InvalidateCacheForAccessor(granteeID)
|
|
lib.AuditLogFull(p.DossierID, granteeID, targetID, "rbac_revoke", "", 0)
|
|
http.Redirect(w, r, "/dossier/"+targetID, http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
if action == "update" {
|
|
// Remove entry-specific grant if requested
|
|
if entryID := r.FormValue("remove_entry"); entryID != "" {
|
|
lib.RevokeAccess(targetID, granteeID, entryID)
|
|
lib.InvalidateCacheForAccessor(granteeID)
|
|
http.Redirect(w, r, "/dossier/"+targetID+"/access/"+granteeID+"?success=1", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
// Build ops from checkboxes
|
|
ops := 0
|
|
if r.FormValue("op_r") == "1" { ops |= lib.PermRead }
|
|
if r.FormValue("op_w") == "1" { ops |= lib.PermWrite }
|
|
if r.FormValue("op_d") == "1" { ops |= lib.PermDelete }
|
|
if r.FormValue("op_m") == "1" { ops |= lib.PermManage }
|
|
|
|
// Check which categories are selected
|
|
var allowedCats []int
|
|
for _, cat := range accessCategories {
|
|
if r.FormValue(fmt.Sprintf("cat_%d", cat.ID)) == "1" {
|
|
allowedCats = append(allowedCats, cat.ID)
|
|
}
|
|
}
|
|
|
|
// Clear existing grants for this grantee on this dossier
|
|
lib.RevokeAllAccess(targetID, granteeID)
|
|
|
|
// If all categories selected, just create root grant
|
|
if len(allowedCats) == len(accessCategories) && ops != 0 {
|
|
// Use relation 0 (unspecified) for now - TODO: preserve existing relation
|
|
lib.GrantAccess(targetID, granteeID, targetID, ops, 0)
|
|
} else if len(allowedCats) > 0 && ops != 0 {
|
|
// Create category-specific grants
|
|
for _, _ = range allowedCats {
|
|
// Use relation 0 (unspecified) for now - TODO: preserve existing relation
|
|
lib.GrantAccess(targetID, granteeID, targetID, ops, 0)
|
|
}
|
|
}
|
|
|
|
lib.InvalidateCacheForAccessor(granteeID)
|
|
lib.AuditLogFull(p.DossierID, granteeID, targetID, "rbac_update", "", 0)
|
|
http.Redirect(w, r, "/dossier/"+targetID+"/access/"+granteeID+"?success=1", http.StatusSeeOther)
|
|
return
|
|
}
|
|
}
|
|
|
|
// GET: Load current grants
|
|
grants, _ := lib.ListGrants(targetID, granteeID)
|
|
|
|
// Determine current permissions
|
|
hasRead, hasWrite, hasDelete, hasManage := false, false, false, false
|
|
hasRootGrant := false
|
|
allowedCatMap := make(map[int]bool)
|
|
|
|
for _, g := range grants {
|
|
if g.EntryID == "" {
|
|
// Root grant
|
|
hasRootGrant = true
|
|
hasRead = hasRead || (g.Ops & lib.PermRead) != 0
|
|
hasWrite = hasWrite || (g.Ops & lib.PermWrite) != 0
|
|
hasDelete = hasDelete || (g.Ops & lib.PermDelete) != 0
|
|
hasManage = hasManage || (g.Ops & lib.PermManage) != 0
|
|
} else if strings.HasPrefix(g.EntryID, "cat:") {
|
|
// Category grant
|
|
var catID int
|
|
fmt.Sscanf(g.EntryID, "cat:%d", &catID)
|
|
allowedCatMap[catID] = true
|
|
hasRead = hasRead || (g.Ops & lib.PermRead) != 0
|
|
hasWrite = hasWrite || (g.Ops & lib.PermWrite) != 0
|
|
hasDelete = hasDelete || (g.Ops & lib.PermDelete) != 0
|
|
hasManage = hasManage || (g.Ops & lib.PermManage) != 0
|
|
}
|
|
}
|
|
|
|
// Build category list
|
|
var categories []CategoryAccess
|
|
for _, cat := range accessCategories {
|
|
allowed := hasRootGrant || allowedCatMap[cat.ID]
|
|
categories = append(categories, CategoryAccess{
|
|
ID: cat.ID,
|
|
Name: cat.Name,
|
|
Allowed: allowed,
|
|
})
|
|
}
|
|
|
|
// Build entry grants list (non-root, non-category)
|
|
var entryGrants []EntryGrant
|
|
for _, g := range grants {
|
|
if g.EntryID != "" && !strings.HasPrefix(g.EntryID, "cat:") {
|
|
entry, err := lib.EntryGet(nil, g.EntryID)
|
|
desc := g.EntryID
|
|
catName := ""
|
|
if err == nil && entry != nil {
|
|
desc = entry.Summary
|
|
if desc == "" { desc = entry.Type }
|
|
catName = lib.CategoryTranslate(entry.Category, "en")
|
|
}
|
|
entryGrants = append(entryGrants, EntryGrant{
|
|
EntryID: g.EntryID,
|
|
Description: desc,
|
|
CategoryName: catName,
|
|
})
|
|
}
|
|
}
|
|
|
|
successMsg := ""
|
|
if r.URL.Query().Get("success") == "1" {
|
|
successMsg = "Access updated"
|
|
}
|
|
|
|
data := PageData{
|
|
Page: "edit_access",
|
|
Lang: lang,
|
|
Dossier: p,
|
|
TargetDossier: target,
|
|
GranteeID: granteeID,
|
|
GranteeName: grantee.Name,
|
|
HasRead: hasRead,
|
|
HasWrite: hasWrite,
|
|
HasDelete: hasDelete,
|
|
HasManage: hasManage,
|
|
Categories: categories,
|
|
EntryGrants: entryGrants,
|
|
Success: successMsg,
|
|
}
|
|
|
|
if devMode { loadTemplates() }
|
|
data.T = translations[lang]
|
|
if data.T == nil { data.T = translations["en"] }
|
|
data.RequestPath = r.URL.Path
|
|
|
|
if err := templates.ExecuteTemplate(w, "base.tmpl", data); err != nil {
|
|
lib.SendSignal(fmt.Sprintf("**Template error**\nPage: %s (base)\nLang: %s\nError: %v", data.Page, data.Lang, err))
|
|
fmt.Fprintf(os.Stderr, "Template error: %v\n", err)
|
|
http.Error(w, "Template error", 500)
|
|
}
|
|
}
|
|
|
|
func setupMux() http.Handler {
|
|
viewerProxy := &httputil.ReverseProxy{
|
|
Director: func(req *http.Request) {
|
|
req.URL.Scheme = "http"
|
|
req.URL.Host = "localhost:8765"
|
|
req.Host = "inou.com"
|
|
},
|
|
}
|
|
mux := http.NewServeMux()
|
|
mux.HandleFunc("/static/viewer.js", func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/javascript"); http.ServeFile(w, r, staticDir+"/viewer.js") })
|
|
mux.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir(staticDir))))
|
|
mux.HandleFunc("/robots.txt", func(w http.ResponseWriter, r *http.Request) { http.ServeFile(w, r, staticDir+"/robots.txt") })
|
|
mux.HandleFunc("/.well-known/traffic-advice", func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/trafficadvice+json")
|
|
w.Write([]byte(`[{"user_agent":"prefetch-proxy","disallow":false}]`))
|
|
})
|
|
mux.HandleFunc("/sitemap.xml", func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/xml"); http.ServeFile(w, r, staticDir+"/sitemap.xml") })
|
|
mux.HandleFunc("/favicon.ico", func(w http.ResponseWriter, r *http.Request) { http.ServeFile(w, r, staticDir+"/favicon.ico") })
|
|
mux.HandleFunc("/apple-touch-icon.png", func(w http.ResponseWriter, r *http.Request) { http.ServeFile(w, r, staticDir+"/apple-touch-icon.png") })
|
|
mux.HandleFunc("/apple-touch-icon-precomposed.png", func(w http.ResponseWriter, r *http.Request) { http.ServeFile(w, r, staticDir+"/apple-touch-icon.png") })
|
|
mux.HandleFunc("/app-ads.txt", func(w http.ResponseWriter, r *http.Request) { http.ServeFile(w, r, staticDir+"/app-ads.txt") })
|
|
mux.HandleFunc("/llms.txt", func(w http.ResponseWriter, r *http.Request) { http.ServeFile(w, r, staticDir+"/llms.txt") })
|
|
|
|
mux.HandleFunc("/", handleLanding)
|
|
mux.HandleFunc("/send-code", handleSendCode)
|
|
mux.HandleFunc("/verify", handleVerify)
|
|
mux.HandleFunc("/onboard", handleOnboard)
|
|
mux.HandleFunc("/logout", handleLogout)
|
|
mux.HandleFunc("/set-lang", handleSetLang)
|
|
mux.HandleFunc("/dashboard", handleDashboard)
|
|
mux.HandleFunc("/connect", handleConnect)
|
|
mux.HandleFunc("/install", func(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, "/connect", http.StatusMovedPermanently) })
|
|
mux.HandleFunc("/start", handleLogin)
|
|
mux.HandleFunc("/invite", handleInvite)
|
|
mux.HandleFunc("/privacy-policy", handlePrivacy)
|
|
mux.HandleFunc("/privacy-policy/", func(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, "/privacy-policy", http.StatusMovedPermanently) })
|
|
mux.HandleFunc("/docs", handleDocs)
|
|
mux.HandleFunc("/pricing", handlePricing)
|
|
mux.HandleFunc("/faq", handleFAQ)
|
|
mux.HandleFunc("/security", handleSecurity)
|
|
mux.HandleFunc("/legal/dpa", handleDPA)
|
|
mux.HandleFunc("/legal/dpa/", func(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, "/legal/dpa", http.StatusMovedPermanently) })
|
|
mux.HandleFunc("/legal/terms", handleTerms)
|
|
mux.HandleFunc("/legal/terms/", func(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, "/legal/terms", http.StatusMovedPermanently) })
|
|
mux.HandleFunc("/styleguide", handleStyleguide)
|
|
mux.HandleFunc("/demo", handleDemo)
|
|
mux.HandleFunc("/dossier/add", handleAddDossier)
|
|
mux.HandleFunc("/dossier/", func(w http.ResponseWriter, r *http.Request) {
|
|
path := r.URL.Path
|
|
if strings.HasSuffix(path, "/edit") { handleEditDossier(w, r)
|
|
} else if strings.HasSuffix(path, "/share") { handleShareAccess(w, r)
|
|
} else if strings.HasSuffix(path, "/revoke") { handleRevokeAccess(w, r)
|
|
} else if strings.HasSuffix(path, "/audit") { handleAuditLog(w, r)
|
|
} else if strings.HasSuffix(path, "/export") { handleExportData(w, r)
|
|
} else if strings.HasSuffix(path, "/permissions") { handlePermissions(w, r)
|
|
} else if strings.Contains(path, "/rbac/") { handleEditRBAC(w, r)
|
|
} else if strings.Contains(path, "/access/") { handleEditAccess(w, r)
|
|
} else if strings.HasSuffix(path, "/trackers") { handleTrackers(w, r)
|
|
} else if strings.Contains(path, "/trackers/card/") { handleRenderTrackerCard(w, r)
|
|
} else if strings.HasSuffix(path, "/trackers/respond") { handleTrackerRespond(w, r)
|
|
} else if strings.HasSuffix(path, "/upload") { if r.Method == "POST" { handleUploadPost(w, r) } else { handleUploadPage(w, r) }
|
|
} else if strings.Contains(path, "/files/") && strings.HasSuffix(path, "/delete") { handleDeleteFile(w, r)
|
|
} else if strings.Contains(path, "/files/") && strings.HasSuffix(path, "/update") { handleUpdateFile(w, r)
|
|
} else if strings.Contains(path, "/files/") && strings.HasSuffix(path, "/status") { handleFileStatus(w, r)
|
|
} else if strings.Contains(path, "/files/") && strings.HasSuffix(path, "/undo") { handleUndoImport(w, r)
|
|
} else if strings.Contains(path, "/files/") && strings.HasSuffix(path, "/reprocess") { handleReprocess(w, r)
|
|
} else if strings.HasSuffix(path, "/process-imaging") { handleProcessImaging(w, r)
|
|
} else if strings.HasSuffix(path, "/process-status") { handleProcessStatus(w, r)
|
|
} else if strings.HasSuffix(path, "/labs") { handleLabSearch(w, r)
|
|
} else if strings.Contains(path, "/document/") { handleDocumentView(w, r)
|
|
} else { handleDossierV2(w, r) }
|
|
})
|
|
mux.HandleFunc("/viewer/", func(w http.ResponseWriter, r *http.Request) {
|
|
r.URL.Path = strings.TrimPrefix(r.URL.Path, "/viewer")
|
|
if r.URL.Path == "" { r.URL.Path = "/" }
|
|
viewerProxy.ServeHTTP(w, r)
|
|
})
|
|
mux.HandleFunc("/data/", func(w http.ResponseWriter, r *http.Request) { viewerProxy.ServeHTTP(w, r) })
|
|
mux.HandleFunc("/image/", handleImageProxy)
|
|
mux.HandleFunc("/contact-sheet.webp/", handleImageProxy)
|
|
// Mobile API (JSON)
|
|
mux.HandleFunc("/api/v1/auth/send", handleAPISend)
|
|
mux.HandleFunc("/api/v1/auth/verify", handleAPIVerify)
|
|
mux.HandleFunc("/api/v1/dashboard", handleAPIDashboard)
|
|
mux.HandleFunc("/api/v1/trackers", handleAPIPrompts)
|
|
mux.HandleFunc("/api/v1/trackers/respond", handleAPITrackerRespond)
|
|
|
|
mux.HandleFunc("/api", handleAPI)
|
|
mux.HandleFunc("/api/token/generate", handleAPITokenGenerate)
|
|
mux.HandleFunc("/api/token/regenerate", handleAPITokenRegenerate)
|
|
mux.HandleFunc("/api/openapi.yaml", handleOpenAPI)
|
|
mux.HandleFunc("/api/docs", handleAPIDocs)
|
|
mux.HandleFunc("/api/", normalizeQuery(handleAPIProxy))
|
|
|
|
// OAuth 2.0 endpoints
|
|
RegisterOAuthRoutes(mux)
|
|
|
|
// MCP HTTP server (for Anthropic Connectors Directory)
|
|
RegisterMCPRoutes(mux)
|
|
|
|
return defense(notifyOn404(logMiddleware(mux)))
|
|
}
|
|
|
|
func main() {
|
|
if err := lib.CryptoInit("master.key"); err != nil {
|
|
fmt.Printf("Error loading master key: %v\n", err)
|
|
os.Exit(1)
|
|
}
|
|
initDB()
|
|
if err := lib.DBInit(dbPath); err != nil {
|
|
fmt.Printf("Error initializing lib DB: %v\n", err)
|
|
os.Exit(1)
|
|
}
|
|
if err := lib.RefDBInit("/tank/inou/data/reference.db"); err != nil {
|
|
fmt.Printf("Error initializing reference DB: %v\n", err)
|
|
os.Exit(1)
|
|
}
|
|
if err := lib.AuthDBInit(authDBPath); err != nil {
|
|
fmt.Printf("Error initializing auth DB: %v\n", err)
|
|
os.Exit(1)
|
|
}
|
|
if err := EnsureBridgeClient(); err != nil {
|
|
fmt.Printf("Warning: could not ensure bridge client: %v\n", err)
|
|
}
|
|
fmt.Println("lib.DBInit successful")
|
|
lib.ConfigInit()
|
|
|
|
// Initialize prompts directory (shared with API for extraction prompts)
|
|
// Deployed layout: /tank/inou/bin/portal, prompts at /tank/inou/tracker_prompts/
|
|
exe, _ := os.Executable()
|
|
promptsDir := filepath.Join(filepath.Dir(exe), "..", "tracker_prompts")
|
|
if _, err := os.Stat(promptsDir); os.IsNotExist(err) {
|
|
promptsDir = "api/tracker_prompts" // Dev fallback
|
|
}
|
|
lib.InitPrompts(promptsDir)
|
|
|
|
loadTranslations()
|
|
lib.TranslateInit("lang")
|
|
lib.TemplateInit("email_templates")
|
|
loadTemplates()
|
|
loadSMTPConfig()
|
|
|
|
fmt.Println("Portal starting on :1080")
|
|
if err := http.ListenAndServe(":1080", setupMux()); err != nil {
|
|
fmt.Fprintf(os.Stderr, "HTTP error: %v\n", err)
|
|
os.Exit(1)
|
|
}
|
|
}
|
|
|
|
func handleFileStatus(w http.ResponseWriter, r *http.Request) {
|
|
p := getLoggedInDossier(r)
|
|
if p == nil { http.Error(w, "Unauthorized", http.StatusUnauthorized); return }
|
|
|
|
// Parse /dossier/{hex}/files/{id}/status
|
|
parts := strings.Split(r.URL.Path, "/")
|
|
if len(parts) < 6 { http.NotFound(w, r); return }
|
|
targetID := parts[2]
|
|
fileID := parts[4]
|
|
|
|
isSelf := targetID == p.DossierID
|
|
if !isSelf {
|
|
if access, found := getAccess(formatHexID(p.DossierID), formatHexID(targetID)); !found || !access.CanEdit {
|
|
http.Error(w, "Forbidden", http.StatusForbidden); return
|
|
}
|
|
}
|
|
|
|
|
|
_, _, _, status, deleted := getUploadEntry(fileID, targetID)
|
|
if deleted {
|
|
http.Error(w, "Not found", http.StatusNotFound); return
|
|
}
|
|
details := ""
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.Write([]byte(fmt.Sprintf(`{"status":"%s","details":"%s"}`, status, details)))
|
|
}
|