homebox/backend/app/api/middleware.go

package main

import (
	"context"
	"errors"
	"net/http"
	"strings"

	"github.com/hay-kot/homebox/backend/internal/core/services"
	"github.com/hay-kot/homebox/backend/internal/sys/validate"
	"github.com/hay-kot/homebox/backend/pkgs/server"
)

type tokenHasKey struct {
	key string
}

var (
	hashedToken = tokenHasKey{key: "hashedToken"}
)

type RoleMode int

const (
	RoleModeOr  RoleMode = 0
	RoleModeAnd RoleMode = 1
)

// mwRoles is a middleware that will validate the required roles are met. All roles
// are required to be met for the request to be allowed. If the user does not have
// the required roles, a 403 Forbidden will be returned.
//
// WARNING: This middleware _MUST_ be called after mwAuthToken or else it will panic
func (a *app) mwRoles(rm RoleMode, required ...string) server.Middleware {
	return func(next server.Handler) server.Handler {
		return server.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
			ctx := r.Context()

			maybeToken := ctx.Value(hashedToken)
			if maybeToken == nil {
				panic("mwRoles: token not found in context, you must call mwAuthToken before mwRoles")
			}

			token := maybeToken.(string)

			roles, err := a.repos.AuthTokens.GetRoles(r.Context(), token)
			if err != nil {
				return err
			}

		outer:
			switch rm {
			case RoleModeOr:
				for _, role := range required {
					if roles.Contains(role) {
						break outer
					}
				}
				return validate.NewRequestError(errors.New("Forbidden"), http.StatusForbidden)
			case RoleModeAnd:
				for _, req := range required {
					if !roles.Contains(req) {
						return validate.NewRequestError(errors.New("Unauthorized"), http.StatusForbidden)
					}
				}
			}

			return next.ServeHTTP(w, r)
		})
	}
}

// mwAuthToken is a middleware that will check the database for a stateful token
// and attach it's user to the request context, or return an appropriate error.
// Authorization support is by token via Headers or Query Parameter
//
// Example:
//   - header = "Bearer 1234567890"
//   - query = "?access_token=1234567890"
func (a *app) mwAuthToken(next server.Handler) server.Handler {
	return server.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
		requestToken := r.Header.Get("Authorization")
		if requestToken == "" {
			// check for query param
			requestToken = r.URL.Query().Get("access_token")
			if requestToken == "" {
				return validate.NewRequestError(errors.New("Authorization header or query is required"), http.StatusUnauthorized)
			}
		}

		requestToken = strings.TrimPrefix(requestToken, "Bearer ")

		r = r.WithContext(context.WithValue(r.Context(), hashedToken, requestToken))

		usr, err := a.services.User.GetSelf(r.Context(), requestToken)

		// Check the database for the token
		if err != nil {
			return validate.NewRequestError(errors.New("Authorization header is required"), http.StatusUnauthorized)
		}

		r = r.WithContext(services.SetUserCtx(r.Context(), &usr, requestToken))
		return next.ServeHTTP(w, r)
	})
}
Initial commit 2022-08-30 02:30:36 +00:00			`package main`

			`import (`
feat: auth-roles, image-gallery, click-to-open (#166) * schema changes * db generate * db migration * add role based middleware * implement attachment token access * generate docs * implement role based auth * replace attachment specific tokens with gen token * run linter * cleanup temporary token implementation 2022-12-03 19:55:00 +00:00			`"context"`
refactor: http interfaces (#114) * implement custom http handler interface * implement trace_id * normalize http method spacing for consistent logs * fix failing test * fix linter errors * cleanup old dead code * more route cleanup * cleanup some inconsistent errors * update and generate code * make taskfile more consistent * update task calls * run tidy * drop `@` tag for version * use relative paths * tidy * fix auto-setting variables * update build paths * add contributing guide * tidy 2022-10-30 02:15:35 +00:00			`"errors"`
Initial commit 2022-08-30 02:30:36 +00:00			`"net/http"`
			`"strings"`

refactor: remove empty services (#116) * remove empty services * remove old factory * remove old static files * cleanup more duplicate service code * file/folder reorg 2022-10-30 04:05:38 +00:00			`"github.com/hay-kot/homebox/backend/internal/core/services"`
refactor: http interfaces (#114) * implement custom http handler interface * implement trace_id * normalize http method spacing for consistent logs * fix failing test * fix linter errors * cleanup old dead code * more route cleanup * cleanup some inconsistent errors * update and generate code * make taskfile more consistent * update task calls * run tidy * drop `@` tag for version * use relative paths * tidy * fix auto-setting variables * update build paths * add contributing guide * tidy 2022-10-30 02:15:35 +00:00			`"github.com/hay-kot/homebox/backend/internal/sys/validate"`
feat: item-attachments CRUD (#22) * change /content/ -> /homebox/ * add cache to code generators * update env variables to set data storage * update env variables * set env variables in prod container * implement attachment post route (WIP) * get attachment endpoint * attachment download * implement string utilities lib * implement generic drop zone * use explicit truncate * remove clean dir * drop strings composable for lib * update item types and add attachments * add attachment API * implement service context * consolidate API code * implement editing attachments * implement upload limit configuration * improve error handling * add docs for max upload size * fix test cases 2022-09-24 19:33:38 +00:00			`"github.com/hay-kot/homebox/backend/pkgs/server"`
Initial commit 2022-08-30 02:30:36 +00:00			`)`

feat: auth-roles, image-gallery, click-to-open (#166) * schema changes * db generate * db migration * add role based middleware * implement attachment token access * generate docs * implement role based auth * replace attachment specific tokens with gen token * run linter * cleanup temporary token implementation 2022-12-03 19:55:00 +00:00			`type tokenHasKey struct {`
			`key string`
			`}`

			`var (`
			`hashedToken = tokenHasKey{key: "hashedToken"}`
			`)`

			`type RoleMode int`

			`const (`
			`RoleModeOr RoleMode = 0`
			`RoleModeAnd RoleMode = 1`
			`)`

			`// mwRoles is a middleware that will validate the required roles are met. All roles`
			`// are required to be met for the request to be allowed. If the user does not have`
			`// the required roles, a 403 Forbidden will be returned.`
			`//`
			`// WARNING: This middleware _MUST_ be called after mwAuthToken or else it will panic`
			`func (a *app) mwRoles(rm RoleMode, required ...string) server.Middleware {`
			`return func(next server.Handler) server.Handler {`
			`return server.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {`
			`ctx := r.Context()`

			`maybeToken := ctx.Value(hashedToken)`
			`if maybeToken == nil {`
			`panic("mwRoles: token not found in context, you must call mwAuthToken before mwRoles")`
			`}`

			`token := maybeToken.(string)`

			`roles, err := a.repos.AuthTokens.GetRoles(r.Context(), token)`
			`if err != nil {`
			`return err`
			`}`

			`outer:`
			`switch rm {`
			`case RoleModeOr:`
			`for _, role := range required {`
			`if roles.Contains(role) {`
			`break outer`
			`}`
			`}`
			`return validate.NewRequestError(errors.New("Forbidden"), http.StatusForbidden)`
			`case RoleModeAnd:`
			`for _, req := range required {`
			`if !roles.Contains(req) {`
			`return validate.NewRequestError(errors.New("Unauthorized"), http.StatusForbidden)`
			`}`
			`}`
			`}`

			`return next.ServeHTTP(w, r)`
			`})`
			`}`
			`}`

Initial commit 2022-08-30 02:30:36 +00:00			`// mwAuthToken is a middleware that will check the database for a stateful token`
feat: auth-roles, image-gallery, click-to-open (#166) * schema changes * db generate * db migration * add role based middleware * implement attachment token access * generate docs * implement role based auth * replace attachment specific tokens with gen token * run linter * cleanup temporary token implementation 2022-12-03 19:55:00 +00:00			`// and attach it's user to the request context, or return an appropriate error.`
			`// Authorization support is by token via Headers or Query Parameter`
			`//`
			`// Example:`
			`// - header = "Bearer 1234567890"`
			`// - query = "?access_token=1234567890"`
refactor: http interfaces (#114) * implement custom http handler interface * implement trace_id * normalize http method spacing for consistent logs * fix failing test * fix linter errors * cleanup old dead code * more route cleanup * cleanup some inconsistent errors * update and generate code * make taskfile more consistent * update task calls * run tidy * drop `@` tag for version * use relative paths * tidy * fix auto-setting variables * update build paths * add contributing guide * tidy 2022-10-30 02:15:35 +00:00			`func (a *app) mwAuthToken(next server.Handler) server.Handler {`
			`return server.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {`
Initial commit 2022-08-30 02:30:36 +00:00			`requestToken := r.Header.Get("Authorization")`
			`if requestToken == "" {`
feat: auth-roles, image-gallery, click-to-open (#166) * schema changes * db generate * db migration * add role based middleware * implement attachment token access * generate docs * implement role based auth * replace attachment specific tokens with gen token * run linter * cleanup temporary token implementation 2022-12-03 19:55:00 +00:00			`// check for query param`
			`requestToken = r.URL.Query().Get("access_token")`
			`if requestToken == "" {`
			`return validate.NewRequestError(errors.New("Authorization header or query is required"), http.StatusUnauthorized)`
			`}`
Initial commit 2022-08-30 02:30:36 +00:00			`}`

			`requestToken = strings.TrimPrefix(requestToken, "Bearer ")`
feat: auth-roles, image-gallery, click-to-open (#166) * schema changes * db generate * db migration * add role based middleware * implement attachment token access * generate docs * implement role based auth * replace attachment specific tokens with gen token * run linter * cleanup temporary token implementation 2022-12-03 19:55:00 +00:00
			`r = r.WithContext(context.WithValue(r.Context(), hashedToken, requestToken))`

cleanup user token access 2022-08-31 02:11:23 +00:00			`usr, err := a.services.User.GetSelf(r.Context(), requestToken)`
Initial commit 2022-08-30 02:30:36 +00:00
			`// Check the database for the token`
			`if err != nil {`
refactor: http interfaces (#114) * implement custom http handler interface * implement trace_id * normalize http method spacing for consistent logs * fix failing test * fix linter errors * cleanup old dead code * more route cleanup * cleanup some inconsistent errors * update and generate code * make taskfile more consistent * update task calls * run tidy * drop `@` tag for version * use relative paths * tidy * fix auto-setting variables * update build paths * add contributing guide * tidy 2022-10-30 02:15:35 +00:00			`return validate.NewRequestError(errors.New("Authorization header is required"), http.StatusUnauthorized)`
Initial commit 2022-08-30 02:30:36 +00:00			`}`

refactor: repositories (#28) * cleanup unnecessary mocks * refactor document storage location * remove unused function * move ownership to document types to repo package * move types and mappers to repo package * refactor sets to own package 2022-09-27 23:52:13 +00:00			`r = r.WithContext(services.SetUserCtx(r.Context(), &usr, requestToken))`
refactor: http interfaces (#114) * implement custom http handler interface * implement trace_id * normalize http method spacing for consistent logs * fix failing test * fix linter errors * cleanup old dead code * more route cleanup * cleanup some inconsistent errors * update and generate code * make taskfile more consistent * update task calls * run tidy * drop `@` tag for version * use relative paths * tidy * fix auto-setting variables * update build paths * add contributing guide * tidy 2022-10-30 02:15:35 +00:00			`return next.ServeHTTP(w, r)`
Initial commit 2022-08-30 02:30:36 +00:00			`})`
			`}`