Bump golang version, lint

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.16-alpine as build
+FROM golang:1.22-alpine as build
 
 RUN apk add --no-cache \
     git \
@@ -18,7 +18,7 @@ ENV GODEBUG="netdns=go http2server=0"
 
 RUN make build BUILD_VERSION=${BUILD_VERSION}
 
-FROM alpine:3.13.4
+FROM alpine:3.20.0
 LABEL maintainer="github.com/subspacecommunity/subspace"
 
 COPY --from=build  /src/subspace /usr/bin/subspace

Makefile

@@ -8,21 +8,14 @@ BUILD_VERSION?=unknown
 help:  ## Display this help message and exit
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
-build: clean bindata.go ## Build the binary
+# GOOS=linux GOARCH=amd64  
+build: 
 	@echo "Compiling subspace..."
-	@CGO_ENABLED=0 \
-		go build -v --compiler gc --ldflags "-extldflags -static -s -w -X main.version=${BUILD_VERSION}" -o subspace ./cmd/subspace \
-			&& rm cmd/subspace/bindata.go
+	cd web \
+	&& go run github.com/jteeuwen/go-bindata/go-bindata --pkg main static/... templates/... email/.. \
+	&& mv bindata.go ../cmd/subspace/ \
+	&& cd - \
+	&& CGO_ENABLED=0 \
+		go build -v --compiler gc --ldflags "-extldflags -static -s -w -X main.version=${BUILD_VERSION}" -o subspace ./cmd/subspace
+	rm cmd/subspace/bindata.go
 	@echo "+++ subspace compiled"
-
-clean:  ## Remove old binaries
-	rm -f subspace cmd/subspace/bindata.go
-
-bindata.go: $(BINDATA)
-	@echo "Creating bindata.go..."
-	@go-bindata -o cmd/subspace/bindata.go --prefix "web/" --pkg main web/...
-	@echo "+++ bindata.go created"
-
-$(BINDATA):
-	go get github.com/kevinburke/go-bindata/go-bindata
-

cmd/subspace/config.go

@@ -9,7 +9,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"math/big"
 	"os"
 	"path/filepath"
@@ -97,12 +96,12 @@ type Config struct {
 func NewConfig(filename string) (*Config, error) {
 	filename = filepath.Join(datadir, filename)
 	c := &Config{filename: filename}
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 
 	// Create new config with defaults
 	if os.IsNotExist(err) {
 		c.Info = &Info{
-			Email: "null",
+			Email:    "null",
 			HashKey:  RandomString(32),
 			BlockKey: RandomString(32),
 		}

cmd/subspace/handlers.go

@@ -4,11 +4,11 @@ import (
 	"bytes"
 	"fmt"
 	"image/png"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"regexp"
 	"strings"
+	"time"
 
 	"github.com/crewjam/saml/samlsp"
 	"github.com/julienschmidt/httprouter"
@@ -25,13 +25,6 @@ var (
 	maxProfiles   = 250
 )
 
-func getEnv(key, fallback string) string {
-	if value, ok := os.LookupEnv(key); ok {
-		return value
-	}
-	return fallback
-}
-
 // Handles the sign in part separately from the SAML
 func ssoHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	session, err := samlSP.Session.GetSession(r)
@@ -47,7 +40,6 @@ func ssoHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 
 	logger.Debugf("SSO: unable to get session")
 	samlSP.OnError(w, r, err)
-	return
 }
 
 // Handles the SAML part separately from sign in
@@ -72,7 +64,7 @@ func wireguardQRConfigHandler(w *Web) {
 		return
 	}
 
-	b, err := ioutil.ReadFile(profile.WireGuardConfigPath())
+	b, err := os.ReadFile(profile.WireGuardConfigPath())
 	if err != nil {
 		Error(w.w, err)
 		return
@@ -103,7 +95,7 @@ func wireguardConfigHandler(w *Web) {
 		return
 	}
 
-	b, err := ioutil.ReadFile(profile.WireGuardConfigPath())
+	b, err := os.ReadFile(profile.WireGuardConfigPath())
 	if err != nil {
 		Error(w.w, err)
 		return
@@ -143,12 +135,16 @@ func configureHandler(w *Web) {
 		w.Redirect("/forgot?error=bcrypt")
 		return
 	}
-	config.UpdateInfo(func(i *Info) error {
+	err = config.UpdateInfo(func(i *Info) error {
 		i.Email = email
 		i.Password = hashedPassword
 		i.Configured = true
 		return nil
 	})
+	if err != nil {
+		w.Redirect("/configure?error=invalid")
+		return
+	}
 
 	if err := w.SigninSession(true, ""); err != nil {
 		Error(w.w, err)
@@ -189,12 +185,16 @@ func forgotHandler(w *Web) {
 		secret = config.FindInfo().Secret
 		if secret == "" {
 			secret = RandomString(32)
-			config.UpdateInfo(func(i *Info) error {
+			err := config.UpdateInfo(func(i *Info) error {
 				if i.Secret == "" {
 					i.Secret = secret
 				}
 				return nil
 			})
+			if err != nil {
+				w.Redirect("/configure?error=invalid")
+				return
+			}
 		}
 
 		go func() {
@@ -217,11 +217,15 @@ func forgotHandler(w *Web) {
 		w.Redirect("/forgot?error=bcrypt")
 		return
 	}
-	config.UpdateInfo(func(i *Info) error {
+	err = config.UpdateInfo(func(i *Info) error {
 		i.Password = hashedPassword
 		i.Secret = ""
 		return nil
 	})
+	if err != nil {
+		w.Redirect("/configure?error=invalid")
+		return
+	}
 
 	if err := w.SigninSession(true, ""); err != nil {
 		Error(w.w, err)
@@ -251,6 +255,7 @@ func signinHandler(w *Web) {
 	}
 
 	if err := bcrypt.CompareHashAndPassword(config.FindInfo().Password, []byte(password)); err != nil {
+		time.Sleep(3 * time.Second) // Prevent brute force
 		w.Redirect("/signin?error=invalid")
 		return
 	}
@@ -288,7 +293,11 @@ func totpQRHandler(w *Web) {
 		return
 	}
 
-	png.Encode(&buf, img)
+	err = png.Encode(&buf, img)
+	if err != nil {
+		Error(w.w, err)
+		return
+	}
 
 	w.w.Header().Set("Content-Type", "image/png")
 	w.w.Header().Set("Content-Length", fmt.Sprintf("%d", len(buf.Bytes())))
@@ -328,11 +337,14 @@ func userEditHandler(w *Web) {
 
 	admin := w.r.FormValue("admin") == "yes"
 
-	config.UpdateUser(user.ID, func(u *User) error {
+	err = config.UpdateUser(user.ID, func(u *User) error {
 		u.Admin = admin
 		return nil
 	})
-
+	if err != nil {
+		w.Redirect("/configure?error=invalid")
+		return
+	}
 	w.Redirect("/user/edit/%s?success=edituser", user.ID)
 }
 
@@ -414,58 +426,19 @@ func profileAddHandler(w *Web) {
 		return
 	}
 
-	ipv4Pref := "10.99.97."
-	if pref := getEnv("SUBSPACE_IPV4_PREF", "nil"); pref != "nil" {
-		ipv4Pref = pref
-	}
-	ipv4Gw := "10.99.97.1"
-	if gw := getEnv("SUBSPACE_IPV4_GW", "nil"); gw != "nil" {
-		ipv4Gw = gw
-	}
-	ipv4Cidr := "24"
-	if cidr := getEnv("SUBSPACE_IPV4_CIDR", "nil"); cidr != "nil" {
-		ipv4Cidr = cidr
-	}
-	ipv6Pref := "fd00::10:97:"
-	if pref := getEnv("SUBSPACE_IPV6_PREF", "nil"); pref != "nil" {
-		ipv6Pref = pref
-	}
-	ipv6Gw := "fd00::10:97:1"
-	if gw := getEnv("SUBSPACE_IPV6_GW", "nil"); gw != "nil" {
-		ipv6Gw = gw
-	}
-	ipv6Cidr := "64"
-	if cidr := getEnv("SUBSPACE_IPV6_CIDR", "nil"); cidr != "nil" {
-		ipv6Cidr = cidr
-	}
-	listenport := "51820"
-	if port := getEnv("SUBSPACE_LISTENPORT", "nil"); port != "nil" {
-		listenport = port
-	}
-	endpointHost := httpHost
-	if eh := getEnv("SUBSPACE_ENDPOINT_HOST", "nil"); eh != "nil" {
-		endpointHost = eh
-	}
-	allowedips := "0.0.0.0/0, ::/0"
-	if ips := getEnv("SUBSPACE_ALLOWED_IPS", "nil"); ips != "nil" {
-		allowedips = ips
-	}
-	ipv4Enabled := true
-	if enable := getEnv("SUBSPACE_IPV4_NAT_ENABLED", "1"); enable == "0" {
-		ipv4Enabled = false
-	}
-	ipv6Enabled := true
-	if enable := getEnv("SUBSPACE_IPV6_NAT_ENABLED", "1"); enable == "0" {
-		ipv6Enabled = false
-	}
-	disableDNS := false
-	if shouldDisableDNS := getEnv("SUBSPACE_DISABLE_DNS", "0"); shouldDisableDNS == "1" {
-		disableDNS = true
-	}
-	persistentKeepalive := "0"
-	if keepalive := getEnv("SUBSPACE_PERSISTENT_KEEPALIVE", "nil"); keepalive != "nil" {
-		persistentKeepalive = keepalive
-	}
+	ipv4Pref := getEnv("SUBSPACE_IPV4_PREF", "10.99.97.")
+	ipv4Gw := getEnv("SUBSPACE_IPV4_GW", "10.99.97.1")
+	ipv4Cidr := getEnv("SUBSPACE_IPV4_CIDR", "24")
+	ipv6Pref := getEnv("SUBSPACE_IPV6_PREF", "fd00::10:97:")
+	ipv6Gw := getEnv("SUBSPACE_IPV6_GW", "fd00::10:97:1")
+	ipv6Cidr := getEnv("SUBSPACE_IPV6_CIDR", "64")
+	listenport := getEnv("SUBSPACE_LISTENPORT", "51820")
+	endpointHost := getEnv("SUBSPACE_ENDPOINT_HOST", httpHost)
+	allowedips := getEnv("SUBSPACE_ALLOWED_IPS", "0.0.0.0/0, ::/0")
+	ipv4Enabled := getEnvAsBool("SUBSPACE_IPV4_NAT_ENABLED", true)
+	ipv6Enabled := getEnvAsBool("SUBSPACE_IPV6_NAT_ENABLED", true)
+	disableDNS := getEnvAsBool("SUBSPACE_DISABLE_DNS", false)
+	persistentKeepalive := getEnv("SUBSPACE_PERSISTENT_KEEPALIVE", "0")
 
 	script := `
 cd {{$.Datadir}}/wireguard
@@ -487,6 +460,7 @@ PrivateKey = ${wg_private_key}
 DNS = {{if .Ipv4Enabled}}{{$.IPv4Gw}}{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Gw}}{{end}}
 {{- end }}
 Address = {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/{{$.IPv4Cidr}}{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/{{$.IPv6Cidr}}{{end}}
+MTU = 1280
 
 [Peer]
 PublicKey = $(cat server.public)
@@ -497,20 +471,20 @@ PersistentKeepalive = {{$.PersistentKeepalive}}
 WGCLIENT
 `
 	_, err = bash(script, struct {
-		Profile      		Profile
-		EndpointHost 		string
-		Datadir      		string
-		IPv4Gw       		string
-		IPv6Gw       		string
-		IPv4Pref     		string
-		IPv6Pref     		string
-		IPv4Cidr     		string
-		IPv6Cidr     		string
-		Listenport   		string
-		AllowedIPS   		string
-		Ipv4Enabled  		bool
-		Ipv6Enabled  		bool
-		DisableDNS   		bool
+		Profile             Profile
+		EndpointHost        string
+		Datadir             string
+		IPv4Gw              string
+		IPv6Gw              string
+		IPv4Pref            string
+		IPv6Pref            string
+		IPv4Cidr            string
+		IPv6Cidr            string
+		Listenport          string
+		AllowedIPS          string
+		Ipv4Enabled         bool
+		Ipv6Enabled         bool
+		DisableDNS          bool
 		PersistentKeepalive string
 	}{
 		profile,
@@ -533,7 +507,10 @@ WGCLIENT
 		logger.Warn(err)
 		f, _ := os.Create("/tmp/error.txt")
 		errstr := fmt.Sprintln(err)
-		f.WriteString(errstr)
+		_, err = f.WriteString(errstr)
+		if err != nil {
+			logger.Warn(err)
+		}
 		w.Redirect("/?error=addprofile")
 		return
 	}
@@ -620,11 +597,15 @@ func settingsHandler(w *Web) {
 	resetTotp := w.r.FormValue("reset_totp")
 	totpCode := w.r.FormValue("totp_code")
 
-	config.UpdateInfo(func(i *Info) error {
+	err := config.UpdateInfo(func(i *Info) error {
 		i.SAML.IDPMetadata = samlMetadata
 		i.Email = email
 		return nil
 	})
+	if err != nil {
+		w.Redirect("/configure?error=invalid")
+		return
+	}
 
 	// Configure SAML if metadata is present.
 	if len(samlMetadata) > 0 {
@@ -653,10 +634,14 @@ func settingsHandler(w *Web) {
 			return
 		}
 
-		config.UpdateInfo(func(i *Info) error {
+		err = config.UpdateInfo(func(i *Info) error {
 			i.Password = hashedPassword
 			return nil
 		})
+		if err != nil {
+			w.Redirect("/configure?error=invalid")
+			return
+		}
 	}
 
 	if resetTotp == "true" {
@@ -676,7 +661,12 @@ func settingsHandler(w *Web) {
 			return
 		}
 		config.Info.TotpKey = tempTotpKey.Secret()
-		config.save()
+		err = config.save()
+		if err != nil {
+			logger.Warnf("failed to save totp key: %s", err)
+			w.Redirect("/settings?error=totp")
+			return
+		}
 	}
 
 	w.Redirect("/settings?success=settings")
@@ -686,9 +676,7 @@ func helpHandler(w *Web) {
 	w.HTML()
 }
 
-//
 // Helpers
-//
 func deleteProfile(profile Profile) error {
 	script := `
 # WireGuard