feat: Only request certificates for existing users and orgs

internal/repo/repo.go

@@ -15,6 +15,9 @@ import (
 
 var (
 	pathCache = cache.New(1*time.Hour, 1*time.Hour)
+
+	// Caching the existence of an user
+	userCache = cache.New(24*time.Hour, 12*time.Hour)
 )
 
 type PageCacheEntry struct {
@@ -132,3 +135,19 @@ func RepoFromPath(username, host, cname, path string, giteaClient *gitea.Client)
 	)
 	return repo, path, err
 }
+
+// Checks if the username exists as an organisation or an user on the Gitea
+// instance, so that an attacker can't just request certificates for random
+// usernames.
+func CanRequestCertificate(username string, giteaClient *gitea.Client) bool {
+	if _, found := userCache.Get(username); found {
+		return true
+	}
+
+	user, _, err := giteaClient.GetUserInfo(username)
+	if user != nil && err == nil {
+		userCache.Set(username, true, cache.DefaultExpiration)
+		return true
+	}
+	return false
+}

internal/repo/repo_test.go

@@ -0,0 +1,39 @@
+package repo
+
+import (
+	"net/http"
+	"testing"
+	"time"
+
+	"code.gitea.io/sdk/gitea"
+)
+
+var (
+	giteaClient, _ = gitea.NewClient(
+		"https://git.polynom.me",
+		gitea.SetHTTPClient(&http.Client{Timeout: 10 * time.Second}),
+		gitea.SetToken(""),
+		gitea.SetUserAgent("rio/testing"),
+	)
+)
+
+func TestCanRequestCertificatePositiveUser(t *testing.T) {
+	res := CanRequestCertificate("papatutuwawa", giteaClient)
+	if !res {
+		t.Fatalf("User papatutuwawa should be servable")
+	}
+}
+
+func TestCanRequestCertificatePositiveOrganisation(t *testing.T) {
+	res := CanRequestCertificate("moxxy", giteaClient)
+	if !res {
+		t.Fatalf("Organisation moxxy should be servable")
+	}
+}
+
+func TestCanRequestCertificateNegative(t *testing.T) {
+	res := CanRequestCertificate("user-who-does-not-exist", giteaClient)
+	if res {
+		t.Fatalf("User user-who-does-not-exist should not be servable")
+	}
+}