11 changed files with 148 additions and 94 deletions
--- a/bloat.conf
+++ b/bloat.conf
@ -38,4 +38,5 @@ post_formats=PlainText:text/plain,HTML:text/html,Markdown:text/markdown,BBCode:t
 # single_instance=pl.mydomain.com

 # Path to custom CSS. Value can be a file path relative to the static directory.
+# or a URL starting with either "http://" or "https://".
 # custom_css=custom.css
--- a/main.go
+++ b/main.go
@ -8,6 +8,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"

 	"bloat/config"
 	"bloat/renderer"
@ -46,8 +47,14 @@ func main() {
 		errExit(err)
 	}

+	customCSS := config.CustomCSS
+	if len(customCSS) > 0 && !strings.HasPrefix(customCSS, "http://") &&
+		!strings.HasPrefix(customCSS, "https://") {
+		customCSS = "/static/" + customCSS
+	}
+
 	s := service.NewService(config.ClientName, config.ClientScope,
-		config.ClientWebsite, config.CustomCSS, config.SingleInstance,
+		config.ClientWebsite, customCSS, config.SingleInstance,
 		config.PostFormats, renderer)
 	handler := service.NewHandler(s, *verbose, config.StaticDirectory)

--- a/mastodon/mastodon.go
+++ b/mastodon/mastodon.go
@ -2,14 +2,18 @@
 package mastodon

 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
+	"mime/multipart"
 	"net/http"
 	"net/url"
+	"os"
 	"path"
+	"path/filepath"
 	"strings"

 	"github.com/tomnomnom/linkheader"
@ -57,6 +61,83 @@ func (c *Client) doAPI(ctx context.Context, method string, uri string, params in
 		if err != nil {
 			return err
 		}
+	} else if file, ok := params.(string); ok {
+		f, err := os.Open(file)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+
+		var buf bytes.Buffer
+		mw := multipart.NewWriter(&buf)
+		part, err := mw.CreateFormFile("file", filepath.Base(file))
+		if err != nil {
+			return err
+		}
+		_, err = io.Copy(part, f)
+		if err != nil {
+			return err
+		}
+		err = mw.Close()
+		if err != nil {
+			return err
+		}
+		req, err = http.NewRequest(method, u.String(), &buf)
+		if err != nil {
+			return err
+		}
+		ct = mw.FormDataContentType()
+	} else if file, ok := params.(*multipart.FileHeader); ok {
+		f, err := file.Open()
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+
+		var buf bytes.Buffer
+		mw := multipart.NewWriter(&buf)
+		fname := filepath.Base(file.Filename)
+		err = mw.WriteField("description", fname)
+		if err != nil {
+			return err
+		}
+		part, err := mw.CreateFormFile("file", fname)
+		if err != nil {
+			return err
+		}
+		_, err = io.Copy(part, f)
+		if err != nil {
+			return err
+		}
+		err = mw.Close()
+		if err != nil {
+			return err
+		}
+		req, err = http.NewRequest(method, u.String(), &buf)
+		if err != nil {
+			return err
+		}
+		ct = mw.FormDataContentType()
+	} else if reader, ok := params.(io.Reader); ok {
+		var buf bytes.Buffer
+		mw := multipart.NewWriter(&buf)
+		part, err := mw.CreateFormFile("file", "upload")
+		if err != nil {
+			return err
+		}
+		_, err = io.Copy(part, reader)
+		if err != nil {
+			return err
+		}
+		err = mw.Close()
+		if err != nil {
+			return err
+		}
+		req, err = http.NewRequest(method, u.String(), &buf)
+		if err != nil {
+			return err
+		}
+		ct = mw.FormDataContentType()
 	} else if mr, ok := params.(*multipartRequest); ok {
 		req, err = http.NewRequest(method, u.String(), mr.Data)
 		if err != nil {
@ -138,16 +219,6 @@ func (c *Client) AuthenticateToken(ctx context.Context, authCode, redirectURI st
 	return c.authenticate(ctx, params)
 }

-func (c *Client) RevokeToken(ctx context.Context) error {
-	params := url.Values{
-		"client_id":     {c.config.ClientID},
-		"client_secret": {c.config.ClientSecret},
-		"token":         {c.GetAccessToken(ctx)},
-	}
-
-	return c.doAPI(ctx, http.MethodPost, "/oauth/revoke", params, nil, nil)
-}
-
 func (c *Client) authenticate(ctx context.Context, params url.Values) error {
 	u, err := url.Parse(c.config.Server)
 	if err != nil {
--- a/mastodon/status.go
+++ b/mastodon/status.go
@ -1,14 +1,12 @@
 package mastodon

 import (
-	"bytes"
 	"context"
 	"fmt"
 	"io"
 	"mime/multipart"
 	"net/http"
 	"net/url"
-	"path/filepath"
 	"time"
 )

@ -295,35 +293,30 @@ func (c *Client) Search(ctx context.Context, q string, qType string, limit int,
 	return &results, nil
 }

-func (c *Client) UploadMediaFromMultipartFileHeader(ctx context.Context, fh *multipart.FileHeader) (*Attachment, error) {
-	f, err := fh.Open()
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	var buf bytes.Buffer
-	mw := multipart.NewWriter(&buf)
-	fname := filepath.Base(fh.Filename)
-	err = mw.WriteField("description", fname)
-	if err != nil {
-		return nil, err
-	}
-	part, err := mw.CreateFormFile("file", fname)
-	if err != nil {
-		return nil, err
-	}
-	_, err = io.Copy(part, f)
-	if err != nil {
-		return nil, err
-	}
-	err = mw.Close()
-	if err != nil {
-		return nil, err
-	}
-	params := &multipartRequest{Data: &buf, ContentType: mw.FormDataContentType()}
+// UploadMedia upload a media attachment from a file.
+func (c *Client) UploadMedia(ctx context.Context, file string) (*Attachment, error) {
 	var attachment Attachment
-	err = c.doAPI(ctx, http.MethodPost, "/api/v1/media", params, &attachment, nil)
+	err := c.doAPI(ctx, http.MethodPost, "/api/v1/media", file, &attachment, nil)
+	if err != nil {
+		return nil, err
+	}
+	return &attachment, nil
+}
+
+// UploadMediaFromReader uploads a media attachment from a io.Reader.
+func (c *Client) UploadMediaFromReader(ctx context.Context, reader io.Reader) (*Attachment, error) {
+	var attachment Attachment
+	err := c.doAPI(ctx, http.MethodPost, "/api/v1/media", reader, &attachment, nil)
+	if err != nil {
+		return nil, err
+	}
+	return &attachment, nil
+}
+
+// UploadMediaFromReader uploads a media attachment from a io.Reader.
+func (c *Client) UploadMediaFromMultipartFileHeader(ctx context.Context, fh *multipart.FileHeader) (*Attachment, error) {
+	var attachment Attachment
+	err := c.doAPI(ctx, http.MethodPost, "/api/v1/media", fh, &attachment, nil)
 	if err != nil {
 		return nil, err
 	}
--- a/model/session.go
+++ b/model/session.go
@ -1,6 +1,7 @@
 package model

 type Session struct {
+	ID           string   `json:"id,omitempty"`
 	UserID       string   `json:"uid,omitempty"`
 	Instance     string   `json:"ins,omitempty"`
 	ClientID     string   `json:"cid,omitempty"`
@ -27,7 +28,6 @@ type Settings struct {
 	AntiDopamineMode      bool   `json:"adm,omitempty"`
 	HideUnsupportedNotifs bool   `json:"hun,omitempty"`
 	CSS                   string `json:"css,omitempty"`
-	CSSHash               string `json:"cssh,omitempty"`
 }

 func NewSettings() *Settings {
@ -44,6 +44,5 @@ func NewSettings() *Settings {
 		AntiDopamineMode:      false,
 		HideUnsupportedNotifs: false,
 		CSS:                   "",
-		CSSHash:               "",
 	}
 }
--- a/service/client.go
+++ b/service/client.go
@ -33,11 +33,9 @@ func (c *client) setSession(sess *model.Session) error {
 		return err
 	}
 	http.SetCookie(c.w, &http.Cookie{
-		Name:     "session",
-		Path:     "/",
-		HttpOnly: true,
-		Value:    sb.String(),
-		Expires:  time.Now().Add(365 * 24 * time.Hour),
+		Name:    "session",
+		Value:   sb.String(),
+		Expires: time.Now().Add(365 * 24 * time.Hour),
 	})
 	return nil
 }
@ -55,7 +53,6 @@ func (c *client) getSession() (sess *model.Session, err error) {
 func (c *client) unsetSession() {
 	http.SetCookie(c.w, &http.Cookie{
 		Name:    "session",
-		Path:    "/",
 		Value:   "",
 		Expires: time.Now(),
 	})
--- a/service/service.go
+++ b/service/service.go
@ -1,8 +1,6 @@
 package service

 import (
-	"crypto/sha256"
-	"encoding/base64"
 	"errors"
 	"fmt"
 	"mime/multipart"
@ -842,6 +840,10 @@ func (s *service) NewSession(c *client, instance string) (rurl string, sess *mod
 		instanceURL = "https://" + instance
 	}

+	sid, err := util.NewSessionID()
+	if err != nil {
+		return
+	}
 	csrf, err := util.NewCSRFToken()
 	if err != nil {
 		return
@ -857,14 +859,28 @@ func (s *service) NewSession(c *client, instance string) (rurl string, sess *mod
 	if err != nil {
 		return
 	}
-	rurl = app.AuthURI
 	sess = &model.Session{
+		ID:           sid,
 		Instance:     instance,
 		ClientID:     app.ClientID,
 		ClientSecret: app.ClientSecret,
 		CSRFToken:    csrf,
 		Settings:     *model.NewSettings(),
 	}
+
+	u, err := url.Parse("/oauth/authorize")
+	if err != nil {
+		return
+	}
+
+	q := make(url.Values)
+	q.Set("scope", "read write follow")
+	q.Set("client_id", app.ClientID)
+	q.Set("response_type", "code")
+	q.Set("redirect_uri", s.cwebsite+"/oauth_callback")
+	u.RawQuery = q.Encode()
+
+	rurl = instanceURL + u.String()
 	return
 }

@ -886,10 +902,6 @@ func (s *service) Signin(c *client, code string) (err error) {
 	return c.setSession(c.s)
 }

-func (s *service) Signout(c *client) (err error) {
-	return c.RevokeToken(c.ctx)
-}
-
 func (s *service) Post(c *client, content string, replyToID string,
 	format string, visibility string, isNSFW bool,
 	files []*multipart.FileHeader) (id string, err error) {
@ -1016,18 +1028,8 @@ func (s *service) SaveSettings(c *client, settings *model.Settings) (err error)
 	default:
 		return errInvalidArgument
 	}
-	if len(settings.CSS) > 0 {
-		if len(settings.CSS) > 1<<20 {
-			return errInvalidArgument
-		}
-		// For some reason, browsers convert CRLF to LF before calculating
-		// the hash of the inline resources.
-		settings.CSS = strings.Replace(settings.CSS, "\x0d\x0a", "\x0a", -1)
-
-		h := sha256.Sum256([]byte(settings.CSS))
-		settings.CSSHash = base64.StdEncoding.EncodeToString(h[:])
-	} else {
-		settings.CSSHash = ""
+	if len(settings.CSS) > 1<<20 {
+		return errInvalidArgument
 	}
 	c.s.Settings = *settings
 	return c.setSession(c.s)
--- a/service/transport.go
+++ b/service/transport.go
@ -26,15 +26,6 @@ const (
 	CSRF
 )

-const csp = "default-src 'none';" +
-	" img-src *;" +
-	" media-src *;" +
-	" font-src *;" +
-	" child-src *;" +
-	" connect-src 'self';" +
-	" script-src 'self';" +
-	" style-src 'self'"
-
 func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
 	r := mux.NewRouter()

@ -67,14 +58,14 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
 				}(time.Now())
 			}

-			h := c.w.Header()
+			var ct string
 			switch rt {
 			case HTML:
-				h.Set("Content-Type", "text/html; charset=utf-8")
-				h.Set("Content-Security-Policy", csp)
+				ct = "text/html; charset=utf-8"
 			case JSON:
-				h.Set("Content-Type", "application/json")
+				ct = "application/json"
 			}
+			c.w.Header().Add("Content-Type", ct)

 			err = c.authenticate(at, s.instance)
 			if err != nil {
@ -82,13 +73,6 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
 				return
 			}

-			// Override the CSP header to allow custom CSS
-			if rt == HTML && len(c.s.Settings.CSS) > 0 &&
-				len(c.s.Settings.CSSHash) > 0 {
-				v := fmt.Sprintf("%s 'sha256-%s'", csp, c.s.Settings.CSSHash)
-				h.Set("Content-Security-Policy", v)
-			}
-
 			err = f(c)
 			if err != nil {
 				writeError(c, err, rt, req.Method == http.MethodGet)
@ -692,10 +676,6 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
 	}, CSRF, HTML)

 	signout := handle(func(c *client) error {
-		err := s.Signout(c)
-		if err != nil {
-			return err
-		}
 		c.unsetSession()
 		c.redirect("/")
 		return nil
--- a/static/fluoride.js
+++ b/static/fluoride.js
@ -325,7 +325,7 @@ document.addEventListener("DOMContentLoaded", function() {
 		links[j].target = "_blank";
 	}

-	var links = document.querySelectorAll(".status-media-container .img-link, .user-profile-img-container .img-link");
+	var links = document.querySelectorAll(".status-media-container .img-link");
 	for (var j = 0; j < links.length; j++) {
 		handleImgPreview(links[j]);
 	}
--- a/templates/header.tmpl
+++ b/templates/header.tmpl
@ -20,7 +20,7 @@
 	<title> {{if gt .Count 0}}({{.Count}}){{end}} {{.Title}} </title>
 	<link rel="stylesheet" href="/static/style.css">
 	{{if .CustomCSS}}
-	<link rel="stylesheet" href="/static/{{.CustomCSS}}">
+	<link rel="stylesheet" href="{{.CustomCSS}}">
 	{{end}}
 	{{if $.Ctx.FluorideMode}}
 	<script src="/static/fluoride.js"></script>
--- a/util/rand.go
+++ b/util/rand.go
@ -16,6 +16,10 @@ func NewRandID(n int) (string, error) {
 	return enc.EncodeToString(data), nil
 }

+func NewSessionID() (string, error) {
+	return NewRandID(24)
+}
+
 func NewCSRFToken() (string, error) {
 	return NewRandID(24)
 }