1 // voter: A simple CGI vote recorder, approval-voting-style
3 // This program is free software: you can redistribute it and/or modify it
4 // under the terms of the GNU Affero General Public License as published
5 // by the Free Software Foundation, version 3.
8 use std::collections::{HashMap, HashSet};
9 use std::io::prelude::*;
10 use std::path::{Path, PathBuf};
12 const DATA_PATH: &str = "/var/lib/voter";
13 const COOKIE_NAME: &[u8] = b"__Secure-id";
14 const COOKIE_LENGTH: usize = 12;
16 fn validate_path(path: &str) -> Result<PathBuf, cgi::Response> {
17 let invalid_path = || cgi::text_response(404, "Invalid path");
19 return Err(cgi::text_response(404, "(This is the voting place. You should have been given a more specific URL for the specific thing you've been invited to vote on.)"));
21 if path.contains("..") || !path.starts_with('/') {
22 return Err(invalid_path());
24 let dir = Path::new(&format!("{DATA_PATH}{path}")).to_path_buf();
27 .map_err(|_| invalid_path())?
28 .starts_with(DATA_PATH)
30 return Err(invalid_path());
33 return Err(invalid_path());
38 fn get_voter(request: &cgi::Request) -> Result<&[u8], cgi::Response> {
39 // Expect exactly one cookie, exactly as we generate it.
42 .get(cgi::http::header::COOKIE)
43 .map(cgi::http::HeaderValue::as_bytes)
44 .and_then(|c| c.strip_prefix(COOKIE_NAME))
45 .and_then(|c| c.strip_prefix(b"="))
46 .ok_or_else(|| cgi::text_response(400, "Invalid cookie"))?;
47 if cookie.len() != COOKIE_LENGTH || cookie.contains(&b' ') || cookie.contains(&b';') {
48 Err(cgi::text_response(400, "Invalid cookie"))
54 fn tally_votes(dir: &Path) -> std::io::Result<HashMap<String, HashSet<String>>> {
55 let mut tally: HashMap<String, HashSet<String>> = HashMap::new();
56 if let Ok(vfile) = std::fs::File::open(dir.to_owned().join("votes")) {
57 for liner in std::io::BufReader::new(vfile).lines() {
59 if let Some((voter, datum)) = line.split_once(' ') {
60 if voter.len() == COOKIE_LENGTH {
61 if let Some((vote, candidate)) = datum.split_once(' ') {
63 if let Some(entry) = tally.get_mut(candidate) {
66 } else if vote == "1" {
68 .entry(candidate.to_owned())
70 .insert(voter.to_owned());
80 fn valid_id_char(c: u8) -> bool {
81 (b'A'..=b'Z').contains(&c) || (b'a'..=b'z').contains(&c) || (b'0'..=b'9').contains(&c)
84 fn make_random_id() -> [u8; COOKIE_LENGTH] {
85 let mut id = [0; COOKIE_LENGTH];
87 while !valid_id_char(*c) {
94 fn set_cookie(mut response: cgi::Response, path: &str) -> Result<cgi::Response, cgi::Response> {
95 response.headers_mut().append(
96 cgi::http::header::SET_COOKIE,
97 cgi::http::header::HeaderValue::from_bytes(
102 b"; Secure; HttpOnly; SameSite=Strict; Max-Age=30000000; Path=",
107 .map_err(|_| cgi::text_response(503, "Couldn't make cookie"))?,
112 const HTML_HEADER: &str = "<!DOCTYPE html>
115 <meta charset=\"utf-8\">
118 th { font-size: 70%; text-align: left }
119 input { transform: scale(1.5) }
120 div { animation: 2s infinite linear spin }
122 from { transform:rotate(0) }
123 to { transform:rotate(1turn) }
127 window.onload = function() {
128 for (cb of document.getElementsByTagName('input')) {
129 cb.addEventListener('click', (function(cb) {
131 cb.style.display = 'none'
132 const spin = document.createElement('div')
133 spin.appendChild(document.createTextNode('⏳'))
134 cb.parentElement.insertBefore(spin, cb)
136 const req = new XMLHttpRequest()
137 req.addEventListener('load', function(e) {
138 cb.parentElement.removeChild(cb.previousElementSibling)
139 if (req.status == 200) {
140 cb.style.display = ''
141 const delta = cb.checked ? 1 : -1
142 const count_td = cb.parentElement.previousElementSibling
143 count_td.textContent = parseInt(count_td.textContent) + delta
145 cb.parentElement.insertBefore(document.createTextNode('❗'), cb)
148 req.open('PUT', window.location.href)
149 req.send((cb.checked ? 1 : 0) + ' ' + cb.parentElement.nextElementSibling.innerHTML)
155 function num_cmp(a, b) {
156 return parseInt(b.textContent) - parseInt(a.textContent)
158 function str_cmp(a, b) {
159 if (a.textContent < b.textContent) return -1
160 if (a.textContent > b.textContent) return 1
163 function checked_cmp(a, b) {
164 vs = [a, b].map(x => {
165 const v = x.children[0].checked + 0
166 return isNaN(v) ? -1 : v
170 function sort_table(col, cmp) {
171 const rows = Array.from(document.getElementsByTagName('tr'))
173 rows.sort((a, b) => cmp(a.children[col], b.children[col]))
175 row.parentElement.appendChild(row)
183 <th onclick='sort_table(0, num_cmp)'>Count</th>
184 <th onclick='sort_table(1, checked_cmp)'>Vote</th>
185 <th onclick='sort_table(2, str_cmp)'>Candidate</th>
187 const HTML_FOOTER: &str = "
192 fn supports(tally: &HashMap<String, HashSet<String>>, me: &str, candidate: &str) -> bool {
195 .map_or(false, |supporters| supporters.contains(me))
198 fn prompt_for_vote(dir: &Path, request: &cgi::Request) -> Result<cgi::Response, cgi::Response> {
199 let voter = get_voter(request);
200 let me = if let Ok(id) = voter {
201 std::str::from_utf8(id).ok()
205 let tally = tally_votes(dir).map_err(|_| cgi::text_response(503, "Couldn't tally votes"))?;
206 let cfile = std::fs::File::open(dir.join("candidates"))
207 .map_err(|_| cgi::text_response(503, "No candidates"))?;
208 let mut response = cgi::html_response(
210 std::iter::once(Ok(HTML_HEADER.to_owned()))
211 .chain(std::io::BufReader::new(cfile).lines().map(|rc| {
213 let count = tally.get(&c).map_or(0, std::collections::HashSet::len);
214 let checked = if me.map_or(false, |me| supports(&tally, me, &c)) {
222 <td><input type=\"checkbox\" autocomplete=\"off\" {checked} disabled></td>
228 .chain(std::iter::once(Ok(HTML_FOOTER.to_owned())))
229 .collect::<std::io::Result<String>>()
230 .map_err(|_| cgi::text_response(503, "Missing candidates"))?,
233 response = set_cookie(response, request.uri().path())?;
238 fn write_vote(dir: &Path, voter: &[u8], vote: &[u8]) -> std::io::Result<()> {
239 let datum = [voter, b" ", vote, b"\n"].concat();
240 let vpath = dir.join("votes");
241 let vfile = std::fs::File::options()
245 let mut vlock = fd_lock::RwLock::new(vfile);
246 vlock.write()?.write_all(&datum)?;
250 fn record_vote(dir: &Path, request: &cgi::Request) -> Result<cgi::Response, cgi::Response> {
251 let body = request.body();
252 // Valid votes look like "0 foo" or "1 bar"
254 || (body[0] != b'0' && body[0] != b'1')
256 || body.contains(&b'\n')
258 return Err(cgi::text_response(415, "Invalid vote"));
260 write_vote(dir, get_voter(request)?, body)
261 .map_err(|_| cgi::text_response(503, "Couldn't record vote"))?;
262 Ok(cgi::text_response(200, "Vote recorded"))
265 fn strip_body(mut response: cgi::Response) -> cgi::Response {
266 response.body_mut().clear();
270 fn respond(request: &cgi::Request) -> Result<cgi::Response, cgi::Response> {
271 let dir = validate_path(request.uri().path())?;
272 match *request.method() {
273 cgi::http::Method::HEAD => prompt_for_vote(&dir, request).map(strip_body),
274 cgi::http::Method::GET => prompt_for_vote(&dir, request),
275 cgi::http::Method::PUT => record_vote(&dir, request),
276 _ => Err(cgi::text_response(405, "Huh?")),
280 fn respond_or_report_error(request: cgi::Request) -> cgi::Response {
281 match respond(&request) {
282 Ok(result) => result,
287 cgi::cgi_main! { respond_or_report_error }