lavender/server/auth.go

88 lines
2.4 KiB
Go
Raw Normal View History

2024-02-07 01:18:17 +00:00
package server
import (
2024-09-13 15:31:40 +01:00
"database/sql"
2024-05-31 13:51:44 +01:00
"errors"
2024-09-13 15:31:40 +01:00
"github.com/1f349/lavender/auth"
2024-02-07 01:18:17 +00:00
"github.com/1f349/lavender/database"
2024-09-13 15:31:40 +01:00
"github.com/1f349/lavender/role"
2024-02-07 01:18:17 +00:00
"github.com/julienschmidt/httprouter"
"net/http"
)
2024-05-31 13:51:44 +01:00
var ErrAuthHttpError = errors.New("auth http error")
func (h *httpServer) RequireAdminAuthentication(next auth.UserHandler) httprouter.Handle {
return h.RequireAuthentication(func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, userAuth auth.UserAuth) {
2024-09-13 15:31:40 +01:00
var hasRole bool
if h.DbTx(rw, func(tx *database.Queries) (err error) {
2024-09-13 15:31:40 +01:00
err = tx.UserHasRole(req.Context(), database.UserHasRoleParams{
Role: role.LavenderAdmin,
Subject: userAuth.Subject,
2024-09-13 15:31:40 +01:00
})
switch {
case err == nil:
hasRole = true
case errors.Is(err, sql.ErrNoRows):
hasRole = false
err = nil
}
2024-02-07 01:18:17 +00:00
return
}) {
return
}
2024-09-13 15:31:40 +01:00
if !hasRole {
2024-02-07 01:18:17 +00:00
http.Error(rw, "403 Forbidden", http.StatusForbidden)
return
}
next(rw, req, params, userAuth)
2024-02-07 01:18:17 +00:00
})
}
func (h *httpServer) RequireAuthentication(next auth.UserHandler) httprouter.Handle {
return h.OptionalAuthentication(false, func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, userAuth auth.UserAuth) {
if userAuth.IsGuest() {
redirectUrl := auth.PrepareRedirectUrl("/login", req.URL)
2024-02-07 01:18:17 +00:00
http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
return
}
next(rw, req, params, userAuth)
2024-02-07 01:18:17 +00:00
})
}
func (h *httpServer) OptionalAuthentication(flowPart bool, next auth.UserHandler) httprouter.Handle {
2024-02-07 01:18:17 +00:00
return func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
authData, err := h.internalAuthenticationHandler(rw, req)
2024-02-07 01:18:17 +00:00
if err != nil {
2024-05-31 13:51:44 +01:00
if !errors.Is(err, ErrAuthHttpError) {
http.Error(rw, err.Error(), http.StatusInternalServerError)
}
2024-02-07 01:18:17 +00:00
return
}
if n := authData.NextFlowUrl(req.URL); n != nil && !flowPart {
http.Redirect(rw, req, n.String(), http.StatusFound)
return
}
next(rw, req, params, authData)
2024-02-07 01:18:17 +00:00
}
}
func (h *httpServer) internalAuthenticationHandler(rw http.ResponseWriter, req *http.Request) (auth.UserAuth, error) {
2024-05-31 13:51:44 +01:00
// Delete previous login data cookie
http.SetCookie(rw, &http.Cookie{
Name: "lavender-login-data",
Path: "/",
MaxAge: -1,
Secure: true,
SameSite: http.SameSiteLaxMode,
})
var u auth.UserAuth
2024-05-31 13:51:44 +01:00
err := h.readLoginAccessCookie(rw, req, &u)
if err != nil {
// not logged in
return auth.UserAuth{}, nil
2024-02-07 01:18:17 +00:00
}
return u, nil
2024-02-07 01:18:17 +00:00
}