orchid/servers/auth.go

73 lines
2.4 KiB
Go
Raw Normal View History

2023-07-10 17:51:14 +01:00
package servers
import (
"github.com/1f349/mjwt"
"github.com/1f349/mjwt/auth"
"github.com/1f349/orchid/database"
2024-05-13 19:04:43 +01:00
"github.com/1f349/orchid/logger"
2023-07-22 01:39:39 +01:00
vUtils "github.com/1f349/violet/utils"
2023-07-10 17:51:14 +01:00
"github.com/julienschmidt/httprouter"
"net/http"
)
type AuthClaims mjwt.BaseTypeClaims[auth.AccessTokenClaims]
type AuthCallback func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, b AuthClaims)
type CertAuthCallback func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, b AuthClaims, certId int64)
2023-07-10 17:51:14 +01:00
// checkAuth validates the bearer token against a mjwt.Verifier and returns an
// error message or continues to the next handler
2024-08-12 22:27:23 +01:00
func checkAuth(verify *mjwt.KeyStore, cb AuthCallback) httprouter.Handle {
2023-07-10 17:51:14 +01:00
return func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
// Get bearer token
bearer := vUtils.GetBearer(req)
if bearer == "" {
apiError(rw, http.StatusForbidden, "Missing bearer token")
return
}
// Read claims from mjwt
_, b, err := mjwt.ExtractClaims[auth.AccessTokenClaims](verify, bearer)
if err != nil {
apiError(rw, http.StatusForbidden, "Invalid token")
return
}
cb(rw, req, params, AuthClaims(b))
}
}
// checkAuthWithPerm validates the bearer token and checks if it contains a
// required permission and returns an error message or continues to the next
// handler
2024-08-12 22:27:23 +01:00
func checkAuthWithPerm(verify *mjwt.KeyStore, perm string, cb AuthCallback) httprouter.Handle {
2023-07-10 17:51:14 +01:00
return checkAuth(verify, func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, b AuthClaims) {
// check perms
if !b.Claims.Perms.Has(perm) {
apiError(rw, http.StatusForbidden, "No permission")
return
}
cb(rw, req, params, b)
})
}
// checkAuthForCertificate
2024-08-12 22:27:23 +01:00
func checkAuthForCertificate(verify *mjwt.KeyStore, perm string, db *database.Queries, cb CertAuthCallback) httprouter.Handle {
2023-07-10 17:51:14 +01:00
return checkAuthWithPerm(verify, perm, func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, b AuthClaims) {
// lookup certificate owner
id, err := checkCertOwner(db, params.ByName("id"), b)
2023-07-10 17:51:14 +01:00
if err != nil {
if err.Error() == "not the certificate owner" {
apiError(rw, http.StatusBadRequest, "Not the certificate owner")
return
}
2023-07-10 17:51:14 +01:00
apiError(rw, http.StatusInsufficientStorage, "Database error")
2024-06-04 18:26:07 +01:00
logger.Logger.Info("[API] Failed to find certificate owner:", "err", err)
2023-07-10 17:51:14 +01:00
return
}
cb(rw, req, params, b, id)
})
}