From a0dc818f5faaeb0ef5dda8ecd5628fd0a73b18e4 Mon Sep 17 00:00:00 2001
From: MrMelon54
Date: Wed, 12 Jul 2023 20:55:53 +0100
Subject: [PATCH] Use access token permissions to find owned domains

---
 servers/api.go              | 16 +++++++---------
 servers/certDomainManage.go |  7 +------
 2 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/servers/api.go b/servers/api.go
index 3175c2e..e8c0ff9 100644
--- a/servers/api.go
+++ b/servers/api.go
@@ -5,9 +5,9 @@ import (
 	"encoding/json"
 	"fmt"
 	"github.com/MrMelon54/mjwt"
+	"github.com/MrMelon54/mjwt/claims"
 	oUtils "github.com/MrMelon54/orchid/utils"
 	vUtils "github.com/MrMelon54/violet/utils"
-	"github.com/golang-jwt/jwt/v4"
 	"github.com/julienschmidt/httprouter"
 	"net/http"
 	"strconv"
@@ -53,8 +53,8 @@ func NewApiServer(listen string, db *sql.DB, signer mjwt.Verifier, domains oUtil
 	}))
 
 	// Endpoint for adding/removing domains to/from a certificate
-	manageGet, managePutDelete := certDomainManageGET(db, signer), certDomainManagePUTandDELETE(db, signer, domains)
-	r.GET("/cert/:id/domains", manageGet)
+	managePutDelete := certDomainManagePUTandDELETE(db, signer, domains)
+	r.GET("/cert/:id/domains", certDomainManageGET(db, signer))
 	r.PUT("/cert/:id/domains", managePutDelete)
 	r.DELETE("/cert/:id/domains", managePutDelete)
 
@@ -164,14 +164,12 @@ func safeTransaction(rw http.ResponseWriter, db *sql.DB, cb func(rw http.Respons
 	return nil
 }
-// validateDomainAudienceClaims validates if the audience claims contain the
+// validateDomainOwnershipClaims validates if the claims contain the
 // `owns=` field with the matching top level domain
-func validateDomainAudienceClaims(a string, aud jwt.ClaimStrings) bool {
+func validateDomainOwnershipClaims(a string, perms *claims.PermStorage) bool {
 	if fqdn, ok := vUtils.GetTopFqdn(a); ok {
-		for _, i := range aud {
-			if i == "owns="+fqdn {
-				return true
-			}
+		if perms.Has("owns=" + fqdn) {
+			return true
 		}
 	}
 	}
 	return false
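Review bot: `perms.Has("owns=" + fqdn)` in validateDomainOwnershipClaims is called without checking `perms` for nil, and the only caller (the `b.Claims.Perms` hunk in servers/certDomainManage.go) passes the pointer straight out of the verified token, so a token that carries no permissions claim may reach this method through a nil receiver; whether that is safe depends on PermStorage.Has, which is not visible here. Since the commit also drops the earlier `len(b.Audience) == 0` guard in certDomainManagePUTandDELETE, nothing upstream rejects such a token any more. A guard at the top of the function, `if perms == nil { return false }`, keeps the function total and makes the deny-by-default explicit for an authorization decision. The doc comment could also state that an unrecognised top-level domain (GetTopFqdn returning false) is treated as not owned, which the code does but the comment leaves implicit. The function's closing brace is outside the hunk.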
diff --git a/servers/certDomainManage.go b/servers/certDomainManage.go
index 29ef316..011dadb 100644
--- a/servers/certDomainManage.go
+++ b/servers/certDomainManage.go
@@ -46,11 +46,6 @@ func certDomainManagePUTandDELETE(db *sql.DB, signer mjwt.Verifier, domains util
 		// check request type
 		isAdd := req.Method == http.MethodPut
 
-		if len(b.Audience) == 0 {
-			apiError(rw, http.StatusForbidden, "Missing audience tag, to specify owned domains")
-			return
-		}
-
 		// read domains from request body
 		var d []string
 		if json.NewDecoder(req.Body).Decode(&d) != nil {
@@ -60,7 +55,7 @@ func certDomainManagePUTandDELETE(db *sql.DB, signer mjwt.Verifier, domains util
 
 		// validate all domains
 		for _, i := range d {
-			if !validateDomainAudienceClaims(i, b.Audience) {
+			if !validateDomainOwnershipClaims(i, b.Claims.Perms) {
 				apiError(rw, http.StatusBadRequest, "Token cannot modify a specified domain")
 				return
 			}
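Review bot: With the `len(b.Audience) == 0` guard removed and nothing put in its place, a token that carries no ownership permissions at all is no longer rejected before the request body is read; it now reaches the per-domain loop in the second hunk and fails there with `http.StatusBadRequest` and "Token cannot modify a specified domain", so an authorization failure that the previous code reported as 403 is now reported as 400. If the earlier semantics are wanted, an early check such as `if b.Claims.Perms == nil { apiError(rw, http.StatusForbidden, "Missing permissions, to specify owned domains"); return }` (message constructed here; assumes Perms is the pointer type the new validateDomainOwnershipClaims signature takes) would restore the Forbidden response before decoding. A short comment at the removal site explaining that ownership is now enforced per domain in the loop below would also help the next reader understand why the up-front check went away. certDomainManagePUTandDELETE and its handler closure start and end outside both hunks.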