tulip/server/auth.go

109 lines
2.9 KiB
Go
Raw Normal View History

2023-09-06 22:20:09 +01:00
package server
import (
"github.com/1f349/mjwt"
"github.com/1f349/mjwt/auth"
"github.com/1f349/tulip/database"
2023-09-06 22:20:09 +01:00
"github.com/julienschmidt/httprouter"
"net/http"
"net/url"
2023-09-24 18:24:16 +01:00
"strings"
2023-09-06 22:20:09 +01:00
)
type UserHandler func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth)
type UserAuth struct {
ID string
NeedOtp bool
}
func (u UserAuth) NextFlowUrl(origin *url.URL) *url.URL {
if u.NeedOtp {
return PrepareRedirectUrl("/login/otp", origin)
}
return nil
2023-09-06 22:20:09 +01:00
}
func (u UserAuth) IsGuest() bool {
return u.ID == ""
2023-09-06 22:20:09 +01:00
}
func (h *HttpServer) RequireAdminAuthentication(next UserHandler) httprouter.Handle {
return h.RequireAuthentication(func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
var role database.UserRole
if h.DbTx(rw, func(tx *database.Tx) (err error) {
role, err = tx.GetUserRole(auth.ID)
return
}) {
return
}
if role != database.RoleAdmin {
http.Error(rw, "403 Forbidden", http.StatusForbidden)
return
}
next(rw, req, params, auth)
})
}
func (h *HttpServer) RequireAuthentication(next UserHandler) httprouter.Handle {
return h.OptionalAuthentication(false, func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
2023-09-06 22:20:09 +01:00
if auth.IsGuest() {
redirectUrl := PrepareRedirectUrl("/login", req.URL)
http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
2023-09-06 22:20:09 +01:00
return
}
next(rw, req, params, auth)
})
}
func (h *HttpServer) OptionalAuthentication(flowPart bool, next UserHandler) httprouter.Handle {
2023-09-06 22:20:09 +01:00
return func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
authData, err := h.internalAuthenticationHandler(req)
if err == nil {
if n := authData.NextFlowUrl(req.URL); n != nil && !flowPart {
http.Redirect(rw, req, n.String(), http.StatusFound)
return
}
}
next(rw, req, params, authData)
2023-09-06 22:20:09 +01:00
}
}
func (h *HttpServer) internalAuthenticationHandler(req *http.Request) (UserAuth, error) {
if loginCookie, err := req.Cookie("tulip-login-data"); err == nil {
_, b, err := mjwt.ExtractClaims[auth.AccessTokenClaims](h.signingKey, loginCookie.Value)
2023-09-06 22:20:09 +01:00
if err != nil {
return UserAuth{}, err
2023-09-06 22:20:09 +01:00
}
return UserAuth{ID: b.Subject, NeedOtp: b.Claims.Perms.Has("need-otp")}, nil
2023-09-06 22:20:09 +01:00
}
// not logged in
return UserAuth{}, nil
}
func PrepareRedirectUrl(targetPath string, origin *url.URL) *url.URL {
2023-09-24 18:24:16 +01:00
// find start of query parameters in target path
n := strings.IndexByte(targetPath, '?')
v := url.Values{}
2023-09-24 18:24:16 +01:00
// parse existing query parameters
if n != -1 {
q, err := url.ParseQuery(targetPath[n+1:])
if err != nil {
panic("PrepareRedirectUrl: invalid hardcoded target path query parameters")
}
v = q
targetPath = targetPath[:n]
}
// add path of origin as a new query parameter
orig := origin.Path
if origin.RawQuery != "" || origin.ForceQuery {
orig += "?" + origin.RawQuery
}
if orig != "" {
v.Set("redirect", orig)
}
return &url.URL{Path: targetPath, RawQuery: v.Encode()}
2023-09-06 22:20:09 +01:00
}