change dlete role api from id to key 'role'

add middleware for api
2025-10-24 17:10:28 +02:00 · 2025-10-24 16:29:37 +02:00
4 changed files with 194 additions and 41 deletions
--- a/api.go
+++ b/api.go
@@ -34,13 +34,6 @@ func (aH *AccessHandlerAPI) AddUser(c *gin.Context) {
 		return
 	}

-	hash, err := utils.HashPassword(user.Password)
-	if err != nil {
-		aH.logger.Error("AddUser", err)
-		c.JSON(http.StatusInternalServerError, nil)
-		return
-	}
-
 	if !utils.IsValidEmail(user.Email) {
 		aH.logger.Error("AddUser", "not valid email address")
 		c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(errors.New("not valid email address")))
@@ -48,7 +41,7 @@ func (aH *AccessHandlerAPI) AddUser(c *gin.Context) {
 	}

 	// Hash the provided password before saving
-	hash, err = utils.HashPassword(user.Password)
+	hash, err := utils.HashPassword(user.Password)
 	if err != nil {
 		aH.logger.Error("AddUser", err)
 		c.JSON(http.StatusInternalServerError, nil)
@@ -244,60 +237,53 @@ func (aH *AccessHandlerAPI) UpdateRole(c *gin.Context) {
 }

 func (aH *AccessHandlerAPI) DeleteRole(c *gin.Context) {
-	queryId := c.Query("id")
-
-	if queryId == "" || queryId == "null" || queryId == "undefined" {
-		aH.logger.Error("DeleteRole", "id query missing or wrong value: "+queryId)
-		c.JSON(http.StatusBadRequest, gin.H{
-			"message": "id query missing or wrong value: " + queryId,
-		})
+	queryRole := c.Query("role")
+	if queryRole == "" || queryRole == "null" || queryRole == "undefined" {
+		aH.logger.Error("DeleteRole", "id query missing or wrong value: "+queryRole)
+		c.JSON(http.StatusInternalServerError, nil)
 		return
 	}

 	var request struct {
-		Ids []int `json:"ids"`
+		Roles []string `json:"roles"`
 	}

 	err := c.BindJSON(&request)
 	if err != nil {
-		aH.logger.Error("DeleteRole", "id query missing or wrong value: "+queryId)
-		c.JSON(http.StatusInternalServerError, nil)
+		aH.logger.Error("DeleteRole", err)
+		c.JSON(http.StatusBadRequest, nil)
 		return
 	}

-	if len(request.Ids) == 0 {
+	if len(request.Roles) == 0 {
 		aH.logger.Error("DeleteRole", "no ids given to be deleted")
-		c.JSON(http.StatusBadRequest, gin.H{
-			"message": "no ids given to be deleted",
-		})
+		c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("no roles given to be deleted"))
 		return
 	}

-	var ownId string
-	removeIds := make([]uint, len(request.Ids))
-	for i, id := range request.Ids {
-		if queryId == fmt.Sprint(id) {
-			ownId = queryId
+	var ownRole string
+
+	for _, role := range request.Roles {
+		if queryRole == role {
+			ownRole = role
 			continue
 		}
-		removeIds[i] = uint(id)
-	}
-
-	if ownId != "" {
-		aH.logger.Error("DeleteRole", "can not delete logged in member role id: "+queryId)
-		c.JSON(http.StatusBadRequest, gin.H{
-			"message": "can not delete logged in member id: " + queryId,
-			"id":      queryId,
-		})
-		return
-	}
-
-	err = aH.dbHandler.DeleteById(&models.Role{}, removeIds...)
+		err = aH.dbHandler.DeleteByKey(&models.Role{}, "role", role, false)
 		if err != nil {
 			aH.logger.Error("DeleteRole", err)
 			c.JSON(http.StatusInternalServerError, nil)
 			return
 		}
+	}
+
+	if ownRole != "" {
+		aH.logger.Error("DeleteRole", "can not delete logged in role id: "+ownRole)
+		c.JSON(http.StatusBadRequest, gin.H{
+			"message": "can not delete logged in role id: " + ownRole,
+			"role":    ownRole,
+		})
+		return
+	}

 	c.JSON(http.StatusOK, gin.H{
 		"message": "role(s) deleted",
--- a/db_test.go
+++ b/db_test.go
@@ -112,7 +112,7 @@ func TestLoginHandler(t *testing.T) {
 	r.POST("/login/refresh", aH.Refresh)
 	r.GET("/login/me", aH.Me)
 	r.GET("/logout", aH.Logout)
-	middleware := r.Group("", AuthMiddleware())
+	middleware := r.Group("", aH.AuthMiddleware())

 	auth := middleware.Group("/members", aH.AuthorizeRole(""))
 	auth.GET("", func(ctx *gin.Context) {
--- a/middleware.go
+++ b/middleware.go
@@ -56,7 +56,7 @@ func SetMiddlewareLogger(r *gin.Engine, logger *logging.Logger) {
 // Usage:
 //
 //	r.Use(AuthMiddleware())
-func AuthMiddleware() gin.HandlerFunc {
+func (aH *AccessHandler) AuthMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		// Retrieve logger from Gin context
 		middlewareLogger, ok := c.Get("logger")
--- a/middlewareApi.go
+++ b/middlewareApi.go
@@ -0,0 +1,167 @@
+package AccessHandler
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+	"strings"
+
+	"gitea.tecamino.com/paadi/access-handler/models"
+	"gitea.tecamino.com/paadi/tecamino-logger/logging"
+	"github.com/gin-gonic/gin"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+// SetMiddlewareLogger
+//
+// Description:
+//
+//	Registers a Gin middleware that attaches a custom logger instance
+//	to every incoming request via the Gin context. This allows other
+//	middleware and handlers to access the logger using:
+//
+//	    logger := c.MustGet("logger").(*logging.Logger)
+//
+// Parameters:
+//   - r:      The Gin engine to which the middleware is applied.
+//   - logger: A pointer to the application's custom logger.
+//
+// Usage:
+//
+//	SetMiddlewareLogger(router, logger)
+func (aH *AccessHandlerAPI) SetMiddlewareLogger(r *gin.Engine, logger *logging.Logger) {
+	// Add middleware that injects logger into context
+	r.Use(func(c *gin.Context) {
+		c.Set("logger", logger)
+		c.Next()
+	})
+}
+
+// AuthMiddleware
+//
+// Description:
+//
+//	A Gin middleware that performs authentication using a JWT token stored
+//	in a cookie named "access_token". It validates the token and extracts
+//	the user's role from the claims, storing it in the Gin context.
+//
+// Behavior:
+//   - Requires that SetMiddlewareLogger was used earlier to inject the logger.
+//   - If the JWT cookie is missing or invalid, it aborts the request with
+//     an appropriate HTTP error (401 or 500).
+//
+// Returns:
+//
+//	A Gin handler function that can be used as middleware.
+//
+// Usage:
+//
+//	r.Use(AuthMiddleware())
+func (aH *AccessHandlerAPI) AuthMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Retrieve logger from Gin context
+		middlewareLogger, ok := c.Get("logger")
+		if !ok {
+			log.Fatal("middleware logger not set — use SetMiddlewareLogger first")
+			c.AbortWithStatusJSON(http.StatusInternalServerError, http.StatusInternalServerError)
+			return
+		}
+		logger := middlewareLogger.(*logging.Logger)
+
+		// Read access token from cookie
+		cookie, err := c.Cookie("access_token")
+		if err != nil {
+			logger.Error("AuthMiddleware", err)
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
+			return
+		}
+
+		// Parse and validate JWT token
+		token, err := jwt.Parse(cookie, func(t *jwt.Token) (any, error) {
+			return ACCESS_SECRET, nil
+		})
+		if err != nil || !token.Valid {
+			logger.Error("AuthMiddleware", err)
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "invalid token"})
+			return
+		}
+
+		// Extract custom claims (role)
+		if claims, ok := token.Claims.(jwt.MapClaims); ok {
+			role, _ := claims["role"].(string)
+			c.Set("role", role)
+		}
+		c.Next()
+	}
+}
+
+// (AccessHandler).AuthorizeRole
+//
+// Description:
+//
+//	A role-based authorization middleware. It checks whether the authenticated
+//	user (based on the "role" set in AuthMiddleware) has permission to access
+//	the given route. The check is performed by comparing the requested URL
+//	path against the user’s allowed permissions.
+//
+// Parameters:
+//   - suffix: A URL prefix to trim from the request path before matching
+//     permissions (e.g., "/api/v1").
+//
+// Behavior:
+//   - Fetches the user role from Gin context.
+//   - Uses aH.GetRoleByKey() to retrieve role records and permissions.
+//   - Grants access (calls c.Next()) if a matching permission is found.
+//   - Denies access (401 Unauthorized) if no permission matches.
+//
+// Usage:
+//
+//	router.GET("/secure/:id", aH.AuthorizeRole("/api/v1"))
+func (aH *AccessHandlerAPI) AuthorizeRole(suffix string) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		aH.logger.Debug("AuthorizeRole", "permission path of url path")
+		permissionPath := strings.TrimPrefix(c.Request.URL.Path, suffix+"/")
+
+		aH.logger.Debug("AuthorizeRole", "get set role")
+		role, ok := c.Get("role")
+		if !ok {
+			aH.logger.Error("AuthorizeRole", "no role set")
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": http.StatusInternalServerError})
+			return
+		}
+
+		// Fetch roles and associated permissions from the database or store
+		var roles []models.Role
+		err := aH.dbHandler.GetByKey(&roles, "role", role, false)
+		if err != nil {
+			aH.logger.Error("AuthorizeRole", err)
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": http.StatusInternalServerError})
+			return
+		}
+
+		// Validate that a role was found
+		if len(roles) == 0 {
+			log.Println("not logged in")
+			aH.logger.Error("AuthorizeRole", "no logged in")
+			c.JSON(http.StatusUnauthorized, http.StatusUnauthorized)
+			return
+		} else if len(roles) > 1 {
+			aH.logger.Error("AuthorizeRole", "more than one record found")
+			c.JSON(http.StatusInternalServerError, http.StatusInternalServerError)
+			return
+		}
+
+		// Check permissions
+		for _, permission := range roles[0].Permissions {
+			fmt.Println(100, permissionPath, permission.Name)
+			if permission.Name == permissionPath {
+				c.Next()
+				return
+			}
+		}
+
+		// Access denied
+		aH.logger.Error("AuthorizeRole", "Forbidden")
+		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "Forbidden"})
+	}
+}
Author	SHA1	Message	Date
Adrian Zürcher	1b7218e5de	change dlete role api from id to key 'role'	2025-10-24 17:10:28 +02:00
Adrian Zürcher	8285cf0384	add middleware for api	2025-10-24 16:29:37 +02:00