2022-08-30 02:30:36 +00:00
|
|
|
package main
|
|
|
|
|
|
|
|
|
|
import (
|
2022-12-03 19:55:00 +00:00
|
|
|
"context"
|
2022-10-30 02:15:35 +00:00
|
|
|
"errors"
|
2022-08-30 02:30:36 +00:00
|
|
|
"net/http"
|
2023-02-18 06:57:21 +00:00
|
|
|
"net/url"
|
2022-08-30 02:30:36 +00:00
|
|
|
"strings"
|
|
|
|
|
|
2022-10-30 04:05:38 +00:00
|
|
|
"github.com/hay-kot/homebox/backend/internal/core/services"
|
2022-10-30 02:15:35 +00:00
|
|
|
"github.com/hay-kot/homebox/backend/internal/sys/validate"
|
2023-04-09 18:39:43 +00:00
|
|
|
"github.com/hay-kot/httpkit/errchain"
|
2022-08-30 02:30:36 +00:00
|
|
|
)
|
|
|
|
|
|
2022-12-03 19:55:00 +00:00
|
|
|
type tokenHasKey struct {
|
|
|
|
|
key string
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-18 06:41:01 +00:00
|
|
|
var hashedToken = tokenHasKey{key: "hashedToken"}
|
2022-12-03 19:55:00 +00:00
|
|
|
|
|
|
|
|
type RoleMode int
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
RoleModeOr RoleMode = 0
|
|
|
|
|
RoleModeAnd RoleMode = 1
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// mwRoles is a middleware that will validate the required roles are met. All roles
|
|
|
|
|
// are required to be met for the request to be allowed. If the user does not have
|
|
|
|
|
// the required roles, a 403 Forbidden will be returned.
|
|
|
|
|
//
|
|
|
|
|
// WARNING: This middleware _MUST_ be called after mwAuthToken or else it will panic
|
2023-03-21 04:32:10 +00:00
|
|
|
func (a *app) mwRoles(rm RoleMode, required ...string) errchain.Middleware {
|
|
|
|
|
return func(next errchain.Handler) errchain.Handler {
|
|
|
|
|
return errchain.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
|
2022-12-03 19:55:00 +00:00
|
|
|
ctx := r.Context()
|
|
|
|
|
|
|
|
|
|
maybeToken := ctx.Value(hashedToken)
|
|
|
|
|
if maybeToken == nil {
|
|
|
|
|
panic("mwRoles: token not found in context, you must call mwAuthToken before mwRoles")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token := maybeToken.(string)
|
|
|
|
|
|
|
|
|
|
roles, err := a.repos.AuthTokens.GetRoles(r.Context(), token)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
outer:
|
|
|
|
|
switch rm {
|
|
|
|
|
case RoleModeOr:
|
|
|
|
|
for _, role := range required {
|
|
|
|
|
if roles.Contains(role) {
|
|
|
|
|
break outer
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return validate.NewRequestError(errors.New("Forbidden"), http.StatusForbidden)
|
|
|
|
|
case RoleModeAnd:
|
|
|
|
|
for _, req := range required {
|
|
|
|
|
if !roles.Contains(req) {
|
|
|
|
|
return validate.NewRequestError(errors.New("Unauthorized"), http.StatusForbidden)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return next.ServeHTTP(w, r)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-18 06:57:21 +00:00
|
|
|
type KeyFunc func(r *http.Request) (string, error)
|
|
|
|
|
|
|
|
|
|
func getBearer(r *http.Request) (string, error) {
|
|
|
|
|
auth := r.Header.Get("Authorization")
|
|
|
|
|
if auth == "" {
|
|
|
|
|
return "", errors.New("authorization header is required")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return auth, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getQuery(r *http.Request) (string, error) {
|
|
|
|
|
token := r.URL.Query().Get("access_token")
|
|
|
|
|
if token == "" {
|
|
|
|
|
return "", errors.New("access_token query is required")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token, err := url.QueryUnescape(token)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", errors.New("access_token query is required")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return token, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getCookie(r *http.Request) (string, error) {
|
|
|
|
|
cookie, err := r.Cookie("hb.auth.token")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", errors.New("access_token cookie is required")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token, err := url.QueryUnescape(cookie.Value)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", errors.New("access_token cookie is required")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return token, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-30 02:30:36 +00:00
|
|
|
// mwAuthToken is a middleware that will check the database for a stateful token
|
2022-12-03 19:55:00 +00:00
|
|
|
// and attach it's user to the request context, or return an appropriate error.
|
|
|
|
|
// Authorization support is by token via Headers or Query Parameter
|
|
|
|
|
//
|
|
|
|
|
// Example:
|
|
|
|
|
// - header = "Bearer 1234567890"
|
|
|
|
|
// - query = "?access_token=1234567890"
|
2023-02-18 06:57:21 +00:00
|
|
|
// - cookie = hb.auth.token = 1234567890
|
2023-03-21 04:32:10 +00:00
|
|
|
func (a *app) mwAuthToken(next errchain.Handler) errchain.Handler {
|
|
|
|
|
return errchain.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
|
2023-02-18 06:57:21 +00:00
|
|
|
keyFuncs := [...]KeyFunc{
|
|
|
|
|
getBearer,
|
|
|
|
|
getCookie,
|
|
|
|
|
getQuery,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var requestToken string
|
|
|
|
|
for _, keyFunc := range keyFuncs {
|
|
|
|
|
token, err := keyFunc(r)
|
|
|
|
|
if err == nil {
|
|
|
|
|
requestToken = token
|
|
|
|
|
break
|
2022-12-03 19:55:00 +00:00
|
|
|
}
|
2022-08-30 02:30:36 +00:00
|
|
|
}
|
|
|
|
|
|
2023-02-18 06:57:21 +00:00
|
|
|
if requestToken == "" {
|
|
|
|
|
return validate.NewRequestError(errors.New("Authorization header or query is required"), http.StatusUnauthorized)
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-30 02:30:36 +00:00
|
|
|
requestToken = strings.TrimPrefix(requestToken, "Bearer ")
|
2022-12-03 19:55:00 +00:00
|
|
|
|
|
|
|
|
r = r.WithContext(context.WithValue(r.Context(), hashedToken, requestToken))
|
|
|
|
|
|
2022-08-31 02:11:23 +00:00
|
|
|
usr, err := a.services.User.GetSelf(r.Context(), requestToken)
|
2022-08-30 02:30:36 +00:00
|
|
|
// Check the database for the token
|
|
|
|
|
if err != nil {
|
2023-02-18 06:57:21 +00:00
|
|
|
return validate.NewRequestError(errors.New("valid authorization header is required"), http.StatusUnauthorized)
|
2022-08-30 02:30:36 +00:00
|
|
|
}
|
|
|
|
|
|
2022-09-27 23:52:13 +00:00
|
|
|
r = r.WithContext(services.SetUserCtx(r.Context(), &usr, requestToken))
|
2022-10-30 02:15:35 +00:00
|
|
|
return next.ServeHTTP(w, r)
|
2022-08-30 02:30:36 +00:00
|
|
|
})
|
|
|
|
|
}
|
