feat: auth-roles, image-gallery, click-to-open (#166)

* schema changes * db generate * db migration * add role based middleware * implement attachment token access * generate docs * implement role based auth * replace attachment specific tokens with gen token * run linter * cleanup temporary token implementation
2022-12-03 10:55:00 -09:00 · 2022-12-03 10:55:00 -09:00 · de419dc37d
commit de419dc37d
parent 974d6914a2
48 changed files with 3127 additions and 244 deletions
--- a/backend/app/api/handlers/v1/v1_ctrl_auth.go
+++ b/backend/app/api/handlers/v1/v1_ctrl_auth.go
@ -13,8 +13,9 @@ import (

 type (
 	TokenResponse struct {
-		Token     string    `json:"token"`
-		ExpiresAt time.Time `json:"expiresAt"`
+		Token           string    `json:"token"`
+		ExpiresAt       time.Time `json:"expiresAt"`
+		AttachmentToken string    `json:"attachmentToken"`
 	}

 	LoginForm struct {
@ -76,8 +77,9 @@ func (ctrl *V1Controller) HandleAuthLogin() server.HandlerFunc {
 		}

 		return server.Respond(w, http.StatusOK, TokenResponse{
-			Token:     "Bearer " + newToken.Raw,
-			ExpiresAt: newToken.ExpiresAt,
+			Token:           "Bearer " + newToken.Raw,
+			ExpiresAt:       newToken.ExpiresAt,
+			AttachmentToken: newToken.AttachmentToken,
 		})
 	}
 }
--- a/backend/app/api/handlers/v1/v1_ctrl_items_attachments.go
+++ b/backend/app/api/handlers/v1/v1_ctrl_items_attachments.go
@ -2,10 +2,7 @@ package v1

 import (
 	"errors"
-	"fmt"
 	"net/http"
-	"path/filepath"
-	"strings"

 	"github.com/hay-kot/homebox/backend/internal/core/services"
 	"github.com/hay-kot/homebox/backend/internal/data/ent/attachment"
@ -99,47 +96,12 @@ func (ctrl *V1Controller) HandleItemAttachmentCreate() server.HandlerFunc {
 // @Summary  retrieves an attachment for an item
 // @Tags     Items Attachments
 // @Produce  application/octet-stream
-// @Param    id    path  string true "Item ID"
-// @Param    token query string true "Attachment token"
-// @Success  200
-// @Router   /v1/items/{id}/attachments/download [GET]
-// @Security Bearer
-func (ctrl *V1Controller) HandleItemAttachmentDownload() server.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) error {
-		token := server.GetParam(r, "token", "")
-
-		doc, err := ctrl.svc.Items.AttachmentPath(r.Context(), token)
-
-		if err != nil {
-			log.Err(err).Msg("failed to get attachment")
-			return validate.NewRequestError(err, http.StatusInternalServerError)
-		}
-
-		ext := filepath.Ext(doc.Path)
-
-		title := doc.Title
-
-		if !strings.HasSuffix(doc.Title, ext) {
-			title = doc.Title + ext
-		}
-
-		w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", title))
-		w.Header().Set("Content-Type", "application/octet-stream")
-		http.ServeFile(w, r, doc.Path)
-		return nil
-	}
-}
-
-// HandleItemAttachmentToken godocs
-// @Summary  retrieves an attachment for an item
-// @Tags     Items Attachments
-// @Produce  application/octet-stream
 // @Param    id            path     string true "Item ID"
 // @Param    attachment_id path     string true "Attachment ID"
 // @Success  200           {object} ItemAttachmentToken
 // @Router   /v1/items/{id}/attachments/{attachment_id} [GET]
 // @Security Bearer
-func (ctrl *V1Controller) HandleItemAttachmentToken() server.HandlerFunc {
+func (ctrl *V1Controller) HandleItemAttachmentGet() server.HandlerFunc {
 	return ctrl.handleItemAttachmentsHandler
 }

@ -181,33 +143,15 @@ func (ctrl *V1Controller) handleItemAttachmentsHandler(w http.ResponseWriter, r

 	ctx := services.NewContext(r.Context())
 	switch r.Method {
-	// Token Handler
 	case http.MethodGet:
-		token, err := ctrl.svc.Items.AttachmentToken(ctx, ID, attachmentID)
+		doc, err := ctrl.svc.Items.AttachmentPath(r.Context(), attachmentID)
 		if err != nil {
-			switch err {
-			case services.ErrNotFound:
-				log.Err(err).
-					Str("id", attachmentID.String()).
-					Msg("failed to find attachment with id")
-
-				return validate.NewRequestError(err, http.StatusNotFound)
-
-			case services.ErrFileNotFound:
-				log.Err(err).
-					Str("id", attachmentID.String()).
-					Msg("failed to find file path for attachment with id")
-				log.Warn().Msg("attachment with no file path removed from database")
-
-				return validate.NewRequestError(err, http.StatusNotFound)
-
-			default:
-				log.Err(err).Msg("failed to get attachment")
-				return validate.NewRequestError(err, http.StatusInternalServerError)
-			}
+			log.Err(err).Msg("failed to get attachment path")
+			return validate.NewRequestError(err, http.StatusInternalServerError)
 		}

-		return server.Respond(w, http.StatusOK, ItemAttachmentToken{Token: token})
+		http.ServeFile(w, r, doc.Path)
+		return nil

 	// Delete Attachment Handler
 	case http.MethodDelete:
--- a/backend/app/api/middleware.go
+++ b/backend/app/api/middleware.go
@ -1,6 +1,7 @@
 package main

 import (
+	"context"
 	"errors"
 	"net/http"
 	"strings"
@ -10,17 +11,87 @@ import (
 	"github.com/hay-kot/homebox/backend/pkgs/server"
 )

+type tokenHasKey struct {
+	key string
+}
+
+var (
+	hashedToken = tokenHasKey{key: "hashedToken"}
+)
+
+type RoleMode int
+
+const (
+	RoleModeOr  RoleMode = 0
+	RoleModeAnd RoleMode = 1
+)
+
+// mwRoles is a middleware that will validate the required roles are met. All roles
+// are required to be met for the request to be allowed. If the user does not have
+// the required roles, a 403 Forbidden will be returned.
+//
+// WARNING: This middleware _MUST_ be called after mwAuthToken or else it will panic
+func (a *app) mwRoles(rm RoleMode, required ...string) server.Middleware {
+	return func(next server.Handler) server.Handler {
+		return server.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
+			ctx := r.Context()
+
+			maybeToken := ctx.Value(hashedToken)
+			if maybeToken == nil {
+				panic("mwRoles: token not found in context, you must call mwAuthToken before mwRoles")
+			}
+
+			token := maybeToken.(string)
+
+			roles, err := a.repos.AuthTokens.GetRoles(r.Context(), token)
+			if err != nil {
+				return err
+			}
+
+		outer:
+			switch rm {
+			case RoleModeOr:
+				for _, role := range required {
+					if roles.Contains(role) {
+						break outer
+					}
+				}
+				return validate.NewRequestError(errors.New("Forbidden"), http.StatusForbidden)
+			case RoleModeAnd:
+				for _, req := range required {
+					if !roles.Contains(req) {
+						return validate.NewRequestError(errors.New("Unauthorized"), http.StatusForbidden)
+					}
+				}
+			}
+
+			return next.ServeHTTP(w, r)
+		})
+	}
+}
+
 // mwAuthToken is a middleware that will check the database for a stateful token
-// and attach it to the request context with the user, or return a 401 if it doesn't exist.
+// and attach it's user to the request context, or return an appropriate error.
+// Authorization support is by token via Headers or Query Parameter
+//
+// Example:
+//   - header = "Bearer 1234567890"
+//   - query = "?access_token=1234567890"
 func (a *app) mwAuthToken(next server.Handler) server.Handler {
 	return server.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
 		requestToken := r.Header.Get("Authorization")
-
 		if requestToken == "" {
-			return validate.NewRequestError(errors.New("Authorization header is required"), http.StatusUnauthorized)
+			// check for query param
+			requestToken = r.URL.Query().Get("access_token")
+			if requestToken == "" {
+				return validate.NewRequestError(errors.New("Authorization header or query is required"), http.StatusUnauthorized)
+			}
 		}

 		requestToken = strings.TrimPrefix(requestToken, "Bearer ")
+
+		r = r.WithContext(context.WithValue(r.Context(), hashedToken, requestToken))
+
 		usr, err := a.services.User.GetSelf(r.Context(), requestToken)

 		// Check the database for the token
--- a/backend/app/api/routes.go
+++ b/backend/app/api/routes.go
@ -13,6 +13,7 @@ import (
 	"github.com/hay-kot/homebox/backend/app/api/handlers/debughandlers"
 	v1 "github.com/hay-kot/homebox/backend/app/api/handlers/v1"
 	_ "github.com/hay-kot/homebox/backend/app/api/static/docs"
+	"github.com/hay-kot/homebox/backend/internal/data/ent/authroles"
 	"github.com/hay-kot/homebox/backend/internal/data/repo"
 	"github.com/hay-kot/homebox/backend/pkgs/server"
 	httpSwagger "github.com/swaggo/http-swagger" // http-swagger middleware
@ -64,49 +65,55 @@ func (a *app) mountRoutes(repos *repo.AllRepos) {
 	a.server.Post(v1Base("/users/register"), v1Ctrl.HandleUserRegistration())
 	a.server.Post(v1Base("/users/login"), v1Ctrl.HandleAuthLogin())

-	// Attachment download URl needs a `token` query param to be passed in the request.
-	// and also needs to be outside of the `auth` middleware.
-	a.server.Get(v1Base("/items/{id}/attachments/download"), v1Ctrl.HandleItemAttachmentDownload())
+	userMW := []server.Middleware{
+		a.mwAuthToken,
+		a.mwRoles(RoleModeOr, authroles.RoleUser.String()),
+	}

-	a.server.Get(v1Base("/users/self"), v1Ctrl.HandleUserSelf(), a.mwAuthToken)
-	a.server.Put(v1Base("/users/self"), v1Ctrl.HandleUserSelfUpdate(), a.mwAuthToken)
-	a.server.Delete(v1Base("/users/self"), v1Ctrl.HandleUserSelfDelete(), a.mwAuthToken)
-	a.server.Post(v1Base("/users/logout"), v1Ctrl.HandleAuthLogout(), a.mwAuthToken)
-	a.server.Get(v1Base("/users/refresh"), v1Ctrl.HandleAuthRefresh(), a.mwAuthToken)
-	a.server.Put(v1Base("/users/self/change-password"), v1Ctrl.HandleUserSelfChangePassword(), a.mwAuthToken)
+	a.server.Get(v1Base("/users/self"), v1Ctrl.HandleUserSelf(), userMW...)
+	a.server.Put(v1Base("/users/self"), v1Ctrl.HandleUserSelfUpdate(), userMW...)
+	a.server.Delete(v1Base("/users/self"), v1Ctrl.HandleUserSelfDelete(), userMW...)
+	a.server.Post(v1Base("/users/logout"), v1Ctrl.HandleAuthLogout(), userMW...)
+	a.server.Get(v1Base("/users/refresh"), v1Ctrl.HandleAuthRefresh(), userMW...)
+	a.server.Put(v1Base("/users/self/change-password"), v1Ctrl.HandleUserSelfChangePassword(), userMW...)

-	a.server.Post(v1Base("/groups/invitations"), v1Ctrl.HandleGroupInvitationsCreate(), a.mwAuthToken)
-	a.server.Get(v1Base("/groups/statistics"), v1Ctrl.HandleGroupStatistics(), a.mwAuthToken)
+	a.server.Post(v1Base("/groups/invitations"), v1Ctrl.HandleGroupInvitationsCreate(), userMW...)
+	a.server.Get(v1Base("/groups/statistics"), v1Ctrl.HandleGroupStatistics(), userMW...)

 	// TODO: I don't like /groups being the URL for users
-	a.server.Get(v1Base("/groups"), v1Ctrl.HandleGroupGet(), a.mwAuthToken)
-	a.server.Put(v1Base("/groups"), v1Ctrl.HandleGroupUpdate(), a.mwAuthToken)
+	a.server.Get(v1Base("/groups"), v1Ctrl.HandleGroupGet(), userMW...)
+	a.server.Put(v1Base("/groups"), v1Ctrl.HandleGroupUpdate(), userMW...)

-	a.server.Post(v1Base("/actions/ensure-asset-ids"), v1Ctrl.HandleEnsureAssetID(), a.mwAuthToken)
+	a.server.Post(v1Base("/actions/ensure-asset-ids"), v1Ctrl.HandleEnsureAssetID(), userMW...)

-	a.server.Get(v1Base("/locations"), v1Ctrl.HandleLocationGetAll(), a.mwAuthToken)
-	a.server.Post(v1Base("/locations"), v1Ctrl.HandleLocationCreate(), a.mwAuthToken)
-	a.server.Get(v1Base("/locations/{id}"), v1Ctrl.HandleLocationGet(), a.mwAuthToken)
-	a.server.Put(v1Base("/locations/{id}"), v1Ctrl.HandleLocationUpdate(), a.mwAuthToken)
-	a.server.Delete(v1Base("/locations/{id}"), v1Ctrl.HandleLocationDelete(), a.mwAuthToken)
+	a.server.Get(v1Base("/locations"), v1Ctrl.HandleLocationGetAll(), userMW...)
+	a.server.Post(v1Base("/locations"), v1Ctrl.HandleLocationCreate(), userMW...)
+	a.server.Get(v1Base("/locations/{id}"), v1Ctrl.HandleLocationGet(), userMW...)
+	a.server.Put(v1Base("/locations/{id}"), v1Ctrl.HandleLocationUpdate(), userMW...)
+	a.server.Delete(v1Base("/locations/{id}"), v1Ctrl.HandleLocationDelete(), userMW...)

-	a.server.Get(v1Base("/labels"), v1Ctrl.HandleLabelsGetAll(), a.mwAuthToken)
-	a.server.Post(v1Base("/labels"), v1Ctrl.HandleLabelsCreate(), a.mwAuthToken)
-	a.server.Get(v1Base("/labels/{id}"), v1Ctrl.HandleLabelGet(), a.mwAuthToken)
-	a.server.Put(v1Base("/labels/{id}"), v1Ctrl.HandleLabelUpdate(), a.mwAuthToken)
-	a.server.Delete(v1Base("/labels/{id}"), v1Ctrl.HandleLabelDelete(), a.mwAuthToken)
+	a.server.Get(v1Base("/labels"), v1Ctrl.HandleLabelsGetAll(), userMW...)
+	a.server.Post(v1Base("/labels"), v1Ctrl.HandleLabelsCreate(), userMW...)
+	a.server.Get(v1Base("/labels/{id}"), v1Ctrl.HandleLabelGet(), userMW...)
+	a.server.Put(v1Base("/labels/{id}"), v1Ctrl.HandleLabelUpdate(), userMW...)
+	a.server.Delete(v1Base("/labels/{id}"), v1Ctrl.HandleLabelDelete(), userMW...)

-	a.server.Get(v1Base("/items"), v1Ctrl.HandleItemsGetAll(), a.mwAuthToken)
-	a.server.Post(v1Base("/items/import"), v1Ctrl.HandleItemsImport(), a.mwAuthToken)
-	a.server.Post(v1Base("/items"), v1Ctrl.HandleItemsCreate(), a.mwAuthToken)
-	a.server.Get(v1Base("/items/{id}"), v1Ctrl.HandleItemGet(), a.mwAuthToken)
-	a.server.Put(v1Base("/items/{id}"), v1Ctrl.HandleItemUpdate(), a.mwAuthToken)
-	a.server.Delete(v1Base("/items/{id}"), v1Ctrl.HandleItemDelete(), a.mwAuthToken)
+	a.server.Get(v1Base("/items"), v1Ctrl.HandleItemsGetAll(), userMW...)
+	a.server.Post(v1Base("/items/import"), v1Ctrl.HandleItemsImport(), userMW...)
+	a.server.Post(v1Base("/items"), v1Ctrl.HandleItemsCreate(), userMW...)
+	a.server.Get(v1Base("/items/{id}"), v1Ctrl.HandleItemGet(), userMW...)
+	a.server.Put(v1Base("/items/{id}"), v1Ctrl.HandleItemUpdate(), userMW...)
+	a.server.Delete(v1Base("/items/{id}"), v1Ctrl.HandleItemDelete(), userMW...)

-	a.server.Post(v1Base("/items/{id}/attachments"), v1Ctrl.HandleItemAttachmentCreate(), a.mwAuthToken)
-	a.server.Get(v1Base("/items/{id}/attachments/{attachment_id}"), v1Ctrl.HandleItemAttachmentToken(), a.mwAuthToken)
-	a.server.Put(v1Base("/items/{id}/attachments/{attachment_id}"), v1Ctrl.HandleItemAttachmentUpdate(), a.mwAuthToken)
-	a.server.Delete(v1Base("/items/{id}/attachments/{attachment_id}"), v1Ctrl.HandleItemAttachmentDelete(), a.mwAuthToken)
+	a.server.Post(v1Base("/items/{id}/attachments"), v1Ctrl.HandleItemAttachmentCreate(), userMW...)
+	a.server.Put(v1Base("/items/{id}/attachments/{attachment_id}"), v1Ctrl.HandleItemAttachmentUpdate(), userMW...)
+	a.server.Delete(v1Base("/items/{id}/attachments/{attachment_id}"), v1Ctrl.HandleItemAttachmentDelete(), userMW...)
+
+	a.server.Get(
+		v1Base("/items/{id}/attachments/{attachment_id}"),
+		v1Ctrl.HandleItemAttachmentGet(),
+		a.mwAuthToken, a.mwRoles(RoleModeOr, authroles.RoleUser.String(), authroles.RoleAttachments.String()),
+	)

 	a.server.NotFound(notFoundHandler())
 }
--- a/backend/app/api/static/docs/docs.go
+++ b/backend/app/api/static/docs/docs.go
@ -1966,6 +1966,9 @@ const docTemplate = `{
        "v1.TokenResponse": {
            "type": "object",
            "properties": {
+                "attachmentToken": {
+                    "type": "string"
+                },
                "expiresAt": {
                    "type": "string"
                },
--- a/backend/app/api/static/docs/swagger.json
+++ b/backend/app/api/static/docs/swagger.json
@ -1958,6 +1958,9 @@
        "v1.TokenResponse": {
            "type": "object",
            "properties": {
+                "attachmentToken": {
+                    "type": "string"
+                },
                "expiresAt": {
                    "type": "string"
                },
--- a/backend/app/api/static/docs/swagger.yaml
+++ b/backend/app/api/static/docs/swagger.yaml
@ -510,6 +510,8 @@ definitions:
    type: object
  v1.TokenResponse:
    properties:
+      attachmentToken:
+        type: string
      expiresAt:
        type: string
      token: