paadi/access-handler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: paadi:v1.0.8
Branches Tags
paadi:main
paadi:v1.0.34 paadi:v1.0.33 paadi:v1.0.32 paadi:v1.0.31 paadi:v1.0.30 paadi:v1.0.29 paadi:v1.0.28 paadi:v1.0.27 paadi:v1.0.26 paadi:v1.0.25 paadi:v1.0.24 paadi:v1.0.23 paadi:v1.0.22 paadi:v1.0.21 paadi:v1.0.20 paadi:v1.0.19 paadi:v1.0.18 paadi:v1.0.17 paadi:v1.0.16 paadi:v1.0.15 paadi:v1.0.14 paadi:v1.0.13 paadi:v1.0.12 paadi:v1.0.11 paadi:v1.0.10 paadi:v1.0.9 paadi:v1.0.8 paadi:v1.0.7 paadi:v1.0.6 paadi:v1.0.5 paadi:v1.0.4 paadi:v1.0.3 paadi:v1.0.2 paadi:v1.0.1 paadi:v1.0.0
...
compare: paadi:v1.0.22
Branches Tags
paadi:main
paadi:v1.0.34 paadi:v1.0.33 paadi:v1.0.32 paadi:v1.0.31 paadi:v1.0.30 paadi:v1.0.29 paadi:v1.0.28 paadi:v1.0.27 paadi:v1.0.26 paadi:v1.0.25 paadi:v1.0.24 paadi:v1.0.23 paadi:v1.0.22 paadi:v1.0.21 paadi:v1.0.20 paadi:v1.0.19 paadi:v1.0.18 paadi:v1.0.17 paadi:v1.0.16 paadi:v1.0.15 paadi:v1.0.14 paadi:v1.0.13 paadi:v1.0.12 paadi:v1.0.11 paadi:v1.0.10 paadi:v1.0.9 paadi:v1.0.8 paadi:v1.0.7 paadi:v1.0.6 paadi:v1.0.5 paadi:v1.0.4 paadi:v1.0.3 paadi:v1.0.2 paadi:v1.0.1 paadi:v1.0.0

14 Commits
v1.0.8 ... v1.0.22

Author SHA1 Message Date
Adrian Zürcher
14968bfd4c replace static secrets with enviroment variables 2025-11-12 11:05:04 +01:00
Adrian Zürcher
f8e7b01a28 change member efault permission to 15 for import export permission 2025-11-12 09:02:27 +01:00
Adrian Zürcher
332a84aa57 add appName to user settings 2025-11-12 09:01:54 +01:00
Adrian Zürcher
e9fdea664f read role every refresh 2025-11-08 12:00:09 +01:00
Adrian Zürcher
7704fa9ecb new user expiration with user date format and never option 2025-11-08 11:27:45 +01:00
Adrian Zürcher
9a0019f3ad fix user defined exiration 2025-11-07 15:12:51 +01:00
Adrian Zürcher
0506ed6491 add new user defined user exiration 2025-11-07 13:51:58 +01:00
Adrian Zürcher
296c2e001d fix delete function 2025-11-07 08:19:20 +01:00
Adrian Zürcher
0c37d014a9 fix exist check 2025-11-07 08:06:54 +01:00
Adrian Zürcher
1f60813589 add new default permission 2025-11-06 14:03:13 +01:00
Adrian Zürcher
510d2df6b1 lift go mod versions 2025-10-31 08:13:48 +01:00
Adrian Zürcher
4670c93eff fix missing gin context (fixes #1) 2025-10-26 21:05:55 +01:00
Adrian Zürcher
8d8a1e3c33 change to api only handler and remove unused files, bring more structure 2025-10-26 10:38:44 +01:00
Adrian Zürcher
b6988638c0 fix minor bugs in role api 2025-10-24 17:35:32 +02:00
20 changed files with 702 additions and 1467 deletions
Expand all files Collapse all files

128
accessHandler.go
View File

@@ -1,127 +1,15 @@
package AccessHandler
import (
"gitea.tecamino.com/paadi/dbHandler"
"os"
"gitea.tecamino.com/paadi/access-handler/handlers"
"gitea.tecamino.com/paadi/tecamino-logger/logging"
)
// AccessHandler
//
// Description:
//
// AccessHandler manages access-related functionality, including
// database operations for users and roles, as well as logging.
// It encapsulates a database handler and a logger so that
// authentication and authorization operations can be performed
// consistently across the application.
type AccessHandler struct {
dbHandler *dbHandler.DBHandler // Database handler used for managing users and roles
logger *logging.Logger // Centralized application logger
}
// NewAccessHandler
//
// Description:
//
// Creates and initializes a new AccessHandler instance.
//
// Behavior:
// 1. If a logger is not provided (nil), it creates a new logger instance
// that writes to "accessHandler.log".
// 2. Initializes the AccessHandler struct.
// 3. Sets up the internal DBAHandler with the same logger.
// 4. Automatically creates required database tables and default data:
// - User table
// - Default user(s)
// - Role table
// - Default role(s)
//
// Parameters:
// - dbPath: The file path to the database.
// - logger: Optional pointer to a logging.Logger instance. If nil, a new one is created.
//
// Returns:
// - aH: A pointer to the fully initialized AccessHandler.
// - err: Any error that occurs during initialization.
//
// Example:
//
// handler, err := NewAccessHandler("data/app.db", appLogger)
// if err != nil {
// log.Fatal(err)
// }
func NewAccessHandler(path string, logger *logging.Logger) (aH *AccessHandler, err error) {
if logger == nil {
logger, err = logging.NewLogger("accessHandler.log", nil)
if err != nil {
return
}
}
logger.Debug("NewAccessHandler", "initialize new access handler")
// Initialize AccessHandler with logger
aH = &AccessHandler{
logger: logger,
}
logger.Debug("NewAccessHandler", "initialize db handler")
// Create a new DB handler instance
aH.dbHandler, err = dbHandler.NewDBHandler(path, "user", logger)
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add user table")
// Add the user table to the database
err = aH.AddUserTable()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add default user")
// Add default users to the system
err = aH.AddDefaultUser()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add role table")
// Add the role table to the database
err = aH.AddRoleTable()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add default role")
// Add default roles to the system
err = aH.AddDefaultRole()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
}
return
}
// GetLogger
//
// Description:
//
// Returns the logger associated with this AccessHandler instance.
// Useful when another component or handler needs to reuse the
// same logging instance for consistent log output.
//
// Returns:
// - *logging.Logger: The logger assigned to this AccessHandler.
//
// Example:
//
// log := accessHandler.GetLogger()
// log.Info("Some event")
func (aH *AccessHandler) GetLogger() *logging.Logger {
return aH.logger
func NewAccessHandler(path string, logger *logging.Logger) (aH *handlers.AccessHandler, err error) {
logger.Debug("NewAccessHandler", "get enviroment variables")
handlers.ACCESS_SECRET = []byte(os.Getenv("ACCESS_SECRET"))
handlers.REFRESH_SECRET = []byte(os.Getenv("REFRESH_SECRET"))
return handlers.NewAccessHandler(path, logger)
}

158
accessHandlerAPI.go
View File

@@ -1,158 +0,0 @@
package AccessHandler
import (
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/dbHandler"
"gitea.tecamino.com/paadi/tecamino-logger/logging"
)
// AccessHandler
//
// Description:
//
// AccessHandler manages access-related functionality, including
// database operations for users and roles, as well as logging.
// It encapsulates a database handler and a logger so that
// authentication and authorization operations can be performed
// consistently across the application.
type AccessHandlerAPI struct {
dbHandler *dbHandler.DBHandler // Database handler used for managing users and roles
logger *logging.Logger // Centralized application logger
}
// NewAccessHandlerAPI
//
// Description:
//
// Creates and initializes a new AccessHandler instance.
//
// Behavior:
// 1. If a logger is not provided (nil), it creates a new logger instance
// that writes to "accessHandler.log".
// 2. Initializes the AccessHandler struct.
// 3. Sets up the internal DBAHandler with the same logger.
// 4. Automatically creates required database tables and default data:
// - User table
// - Default user(s)
// - Role table
// - Default role(s)
//
// Parameters:
// - dbPath: The file path to the database.
// - logger: Optional pointer to a logging.Logger instance. If nil, a new one is created.
//
// Returns:
// - aH: A pointer to the fully initialized AccessHandler.
// - err: Any error that occurs during initialization.
//
// Example:
//
// handler, err := NewAccessHandlerAPI("data/app.db", appLogger)
// if err != nil {
// log.Fatal(err)
// }
func NewAccessHandlerAPI(path string, logger *logging.Logger) (aH *AccessHandlerAPI, err error) {
if logger == nil {
logger, err = logging.NewLogger("accessHandler.log", nil)
if err != nil {
return
}
}
logger.Debug("NewAccessHandlerAPI", "initialize new access handler")
// Initialize AccessHandler with logger
aH = &AccessHandlerAPI{
logger: logger,
}
logger.Debug("NewAccessHandlerAPI", "initialize db handler")
// Create a new DB handler instance
aH.dbHandler, err = dbHandler.NewDBHandler(path, "user", logger)
if err != nil {
aH.logger.Error("NewAccessHandlerAPI", err)
return
}
logger.Debug("NewAccessHandlerAPI", "add user table")
// Add the user table to the database
err = aH.dbHandler.AddNewTable(models.User{})
if err != nil {
aH.logger.Error("NewAccessHandlerAPI", err)
return
}
logger.Debug("NewAccessHandlerAPI", "add default user")
// Add default users to the system
name := "admin"
role := "admin"
email := "zuercher@tecamino.ch"
// Check if a user with this email already exists
if err := aH.dbHandler.Exists(&models.User{}, "email", email, false); err == nil {
aH.logger.Debug("AddDefaultUser", "user email "+email+" exists already")
// Found a user → skip create
} else {
// Create default settings for the new user
settings := models.Settings{}
aH.logger.Debug("AddDefaultUser", "set default quasar settings")
settings.DefaultQuasarSettings()
// Insert default admin user into the database
aH.dbHandler.AddNewColum(&models.User{
Name: name,
Role: role,
Email: email,
Password: "$2a$10$sZZOWBP8DSFLrLFQNoXw8OsEEr0tez1B8lPzKCHofaHg6PMNxx1pG",
Settings: settings,
})
}
logger.Debug("NewAccessHandlerAPI", "add role table")
// Add the role table to the database
err = aH.dbHandler.AddNewTable(models.Role{})
if err != nil {
aH.logger.Error("NewAccessHandlerAPI", err)
return
}
// Add default roles to the system
logger.Debug("NewAccessHandlerAPI", "add default role")
// Check if a role with this name already exists
if err := aH.dbHandler.Exists(&models.Role{}, "role", role, false); err == nil {
// Found a role → skip creation
aH.logger.Debug("AddDefaultRole", "role "+role+" exists already")
} else {
// Initialize default permissions for admin
permissions := models.Permissions{}
aH.logger.Debug("AddDefaultRole", "set default Permissions")
permissions.DefaultPermissions()
// Create the default admin role
aH.dbHandler.AddNewColum(&models.Role{
Role: role,
Permissions: permissions,
})
}
return
}
// GetLogger
//
// Description:
//
// Returns the logger associated with this AccessHandler instance.
// Useful when another component or handler needs to reuse the
// same logging instance for consistent log output.
//
// Returns:
// - *logging.Logger: The logger assigned to this AccessHandler.
//
// Example:
//
// log := accessHandler.GetLogger()
// log.Info("Some event")
func (aH *AccessHandlerAPI) GetLogger() *logging.Logger {
return aH.logger
}

291
api.go
View File

@@ -1,291 +0,0 @@
package AccessHandler
import (
"errors"
"fmt"
"net/http"
"strconv"
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/access-handler/utils"
"github.com/gin-gonic/gin"
)
func (aH *AccessHandlerAPI) AddUser(c *gin.Context) {
var user models.User
err := c.BindJSON(&user)
if err != nil {
aH.logger.Error("AddUser", err)
c.JSON(http.StatusInternalServerError, models.NewJsonErrorResponse(err))
return
}
if !user.IsValid() {
aH.logger.Error("AddUser", "user empty")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("user empty"))
return
}
// Check if a user with this email already exists
if err := aH.dbHandler.Exists(&models.User{}, "email", user.Email, false); err == nil {
// Found a user → skip create
aH.logger.Error("AddUser", "user with email "+user.Email+" already exists")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse(fmt.Sprintf("user with email %s already exists", user.Email)))
return
}
if !utils.IsValidEmail(user.Email) {
aH.logger.Error("AddUser", "not valid email address")
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(errors.New("not valid email address")))
return
}
// Hash the provided password before saving
hash, err := utils.HashPassword(user.Password)
if err != nil {
aH.logger.Error("AddUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
aH.logger.Debug("AddUser", "add new user "+user.Name+" with role "+user.Role)
// Insert the new user record
aH.dbHandler.AddNewColum(&models.User{
Name: user.Name,
Role: user.Role,
Email: user.Email,
Password: hash,
})
c.JSON(http.StatusOK, gin.H{
"message": fmt.Sprintf("user '%s' successfully added", user.Name),
})
}
func (aH *AccessHandlerAPI) GetUser(c *gin.Context) {
var i int
var err error
id := c.Query("id")
if id != "" {
i, err = strconv.Atoi(id)
if err != nil {
aH.logger.Error("GetUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
}
var users []models.User
err = aH.dbHandler.GetById(&users, uint(i))
if err != nil {
aH.logger.Error("GetUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, users)
}
func (aH *AccessHandlerAPI) UpdateUser(c *gin.Context) {
var user models.User
if err := c.BindJSON(&user); err != nil {
aH.logger.Error("UpdateUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
err := aH.dbHandler.UpdateValuesById(&user, user.Id)
if err != nil {
aH.logger.Error("UpdateUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, models.NewJsonMessageResponse("successfully updated user '"+user.Email+"'"))
}
func (aH *AccessHandlerAPI) DeleteUser(c *gin.Context) {
queryId := c.Query("id")
if queryId == "" || queryId == "null" || queryId == "undefined" {
aH.logger.Error("DeleteUser", "id query missing or wrong value: "+queryId)
c.JSON(http.StatusBadRequest, gin.H{
"message": "id query missing or wrong value: " + queryId,
})
return
}
var request struct {
Ids []int `json:"ids"`
}
err := c.BindJSON(&request)
if err != nil {
aH.logger.Error("DeleteUser", "id query missing or wrong value: "+queryId)
c.JSON(http.StatusInternalServerError, nil)
return
}
if len(request.Ids) == 0 {
aH.logger.Error("DeleteUser", "no ids given to be deleted")
c.JSON(http.StatusBadRequest, gin.H{
"message": "no ids given to be deleted",
})
return
}
var ownId string
removeIds := make([]uint, len(request.Ids))
for i, id := range request.Ids {
if queryId == fmt.Sprint(id) {
ownId = queryId
continue
}
removeIds[i] = uint(id)
}
if ownId != "" {
aH.logger.Error("DeleteUser", "can not delete logged in member id: "+queryId)
c.JSON(http.StatusBadRequest, gin.H{
"message": "can not delete logged in member id: " + queryId,
"id": queryId,
})
return
}
err = aH.dbHandler.DeleteById(&models.User{}, removeIds...)
if err != nil {
aH.logger.Error("DeleteUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, gin.H{
"message": "member(s) deleted",
})
}
func (aH *AccessHandlerAPI) AddRole(c *gin.Context) {
var role models.Role
err := c.BindJSON(&role)
if err != nil {
aH.logger.Error("AddRole", err)
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
return
}
if !role.IsValid() {
aH.logger.Error("AddRole", "user empty")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("user empty"))
return
}
// Check if a role with this name already exists
if err := aH.dbHandler.Exists(&models.Role{}, "role", role, false); err == nil {
aH.logger.Error("AddRole", fmt.Sprintf("role with name %s already exists", role.Role))
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse(fmt.Sprintf("role with name %s already exists", role.Role)))
}
// Insert new role with provided permissions
aH.dbHandler.AddNewColum(&models.Role{
Role: role.Role,
Permissions: role.Permissions,
})
c.JSON(http.StatusOK, gin.H{
"message": fmt.Sprintf("role '%s' successfully added", role.Role),
})
}
func (aH *AccessHandlerAPI) GetRole(c *gin.Context) {
var i int
var err error
id := c.Query("id")
if id != "" {
i, err = strconv.Atoi(id)
if err != nil {
aH.logger.Error("GetRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
}
var role []models.Role
err = aH.dbHandler.GetById(&role, uint(i))
if err != nil {
aH.logger.Error("GetRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, role)
}
func (aH *AccessHandlerAPI) UpdateRole(c *gin.Context) {
var role models.Role
if err := c.BindJSON(&role); err != nil {
aH.logger.Error("UpdateRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
err := aH.dbHandler.UpdateValuesById(&role, role.Id)
if err != nil {
aH.logger.Error("UpdateRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, models.NewJsonMessageResponse("successfully updated role '"+role.Role+"'"))
}
func (aH *AccessHandlerAPI) DeleteRole(c *gin.Context) {
queryRole := c.Query("role")
if queryRole == "" || queryRole == "null" || queryRole == "undefined" {
aH.logger.Error("DeleteRole", "id query missing or wrong value: "+queryRole)
c.JSON(http.StatusInternalServerError, nil)
return
}
var request struct {
Roles []string `json:"roles"`
}
err := c.BindJSON(&request)
if err != nil {
aH.logger.Error("DeleteRole", err)
c.JSON(http.StatusBadRequest, nil)
return
}
if len(request.Roles) == 0 {
aH.logger.Error("DeleteRole", "no ids given to be deleted")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("no roles given to be deleted"))
return
}
var ownRole string
for _, role := range request.Roles {
if queryRole == role {
ownRole = role
continue
}
err = aH.dbHandler.DeleteByKey(&models.Role{}, "role", role, false)
if err != nil {
aH.logger.Error("DeleteRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
}
if ownRole != "" {
aH.logger.Error("DeleteRole", "can not delete logged in role id: "+ownRole)
c.JSON(http.StatusBadRequest, gin.H{
"message": "can not delete logged in role id: " + ownRole,
"role": ownRole,
})
return
}
c.JSON(http.StatusOK, gin.H{
"message": "role(s) deleted",
})
}

165
db_test.go
View File

@@ -3,8 +3,10 @@ package AccessHandler
import (
"bytes"
"encoding/json"
"io"
"net/http"
"net/http/httptest"
"os"
"testing"
"gitea.tecamino.com/paadi/access-handler/models"
@@ -13,7 +15,19 @@ import (
"github.com/go-playground/assert/v2"
)
func TestAccesshandlerLogin(t *testing.T) {
func TestDatabase(t *testing.T) {
// set enviroment variables
os.Setenv("ACCESS_SECRET", "12345678910111213141516171819202")
os.Setenv("REFRESH_SECRET", "9998979695949392919089888786858")
dbName := "user.db"
if _, err := os.Stat(dbName); err == nil {
t.Log("remove user.db to start test with empty database")
if err := os.Remove(dbName); err != nil {
t.Fatal(err)
}
}
t.Log("start access handler test")
t.Log("initialize accessHandler")
@@ -22,39 +36,87 @@ func TestAccesshandlerLogin(t *testing.T) {
t.Fatal(err)
}
t.Log("add another user")
err = accessHandler.AddNewUser("guest", "guest@gmail.com", "passwordd1", "admin")
if err != nil {
t.Log(err)
r := gin.Default()
accessHandler.SetMiddlewareLogger(r)
r.POST("/users/add", accessHandler.AddUser)
r.GET("/users", accessHandler.GetUser)
r.GET("/roles", accessHandler.GetRole)
r.POST("/roles/add", accessHandler.AddRole)
type request struct {
Log string
Name string
Method string
Path string
Payload any
Cookie *http.Cookie
ignoreError bool
}
var requests []request
requests = append(requests,
request{Log: "add another user", Name: "add user", Method: "POST", Path: "/users/add", Payload: models.User{
Name: "guest",
Password: "passwordd1",
Role: "admin",
Email: "guest@gmail.com",
}, ignoreError: true},
request{Log: "Get all users", Name: "get all users", Method: "GET", Path: "/users"},
request{Log: "Get user id 1", Name: "get user id 1", Method: "GET", Path: "/users?id=1"},
request{Log: "Add new role", Name: "add new role", Method: "POST", Path: "/roles/add", Payload: models.Role{
Role: "testRole",
}, ignoreError: true},
request{Log: "Get all roles", Name: "get all roles", Method: "GET", Path: "/roles"},
request{Log: "Get all role id 1", Name: "get role id 1", Method: "GET", Path: "/roles?id=1"},
)
for _, request := range requests {
if request.Log != "" {
t.Log(request.Log)
}
var bodyReader io.Reader
if request.Payload != nil {
jsonBytes, _ := json.Marshal(request.Payload)
bodyReader = bytes.NewBuffer(jsonBytes)
}
req, _ := http.NewRequest(request.Method, request.Path, bodyReader)
if request.Cookie != nil {
req.AddCookie(request.Cookie) // attach refresh_token cookie
}
w := httptest.NewRecorder()
r.ServeHTTP(w, req)
t.Log(request.Name+" response:", w.Body.String())
if !request.ignoreError {
assert.Equal(t, http.StatusOK, w.Code)
}
}
t.Log("get user id 1")
result, err := accessHandler.GetUserByKey("user_name", "admin", false)
if err != nil {
t.Fatal(err)
}
t.Log(result)
// t.Log("get user id 1")
// result, err := accessHandler.GetUserByKey("user_name", "admin", false)
// if err != nil {
// t.Fatal(err)
// }
// t.Log(result)
t.Log("get all users")
result, err = accessHandler.GetUserById(0)
if err != nil {
t.Fatal(err)
}
t.Log(result)
// t.Log("get user by key")
// result, err = accessHandler.GetUserByKey("password", "passwordd", false)
// if err != nil {
// t.Fatal(err)
// }
// t.Log(result)
t.Log("get user by key")
result, err = accessHandler.GetUserByKey("password", "passwordd", false)
if err != nil {
t.Fatal(err)
}
t.Log(result)
t.Log("get user by key and like")
result, err = accessHandler.GetUserByKey("user_name", "a*", true)
if err != nil {
t.Fatal(err)
}
t.Log(result)
// t.Log("get user by key and like")
// result, err = accessHandler.GetUserByKey("user_name", "a*", true)
// if err != nil {
// t.Fatal(err)
// }
// t.Log(result)
// var user_name string = "admin1"
// if len(result) > 0 {
@@ -68,34 +130,37 @@ func TestAccesshandlerLogin(t *testing.T) {
// Name: user_name,
// }, "user_name", result[0].Name)
// }
t.Log("read user again")
result, err = accessHandler.GetUserByKey("user_name", "a*", true)
if err != nil {
t.Fatal(err)
}
t.Log(result)
// t.Log("read user again")
// result, err = accessHandler.GetUserByKey("user_name", "a*", true)
// if err != nil {
// t.Fatal(err)
// }
// t.Log(result)
// t.Log("delete user id 1")
// err = accessHandler.DeleteUserByKey("user_name", user_name, false)
// if err != nil {
// t.Fatal(err)
// }
t.Log("read user again")
result, err = accessHandler.GetUserById(0)
if err != nil {
t.Fatal(err)
}
t.Log(result)
// t.Log("read user again")
// result, err = accessHandler.GetUserById(0)
// if err != nil {
// t.Fatal(err)
// }
// t.Log(result)
t.Log("read admin permissions")
result1, err := accessHandler.GetRoleByKey("role", "admin", false)
if err != nil {
t.Fatal(err)
}
t.Log(result1)
// t.Log("read admin permissions")
// result1, err := accessHandler.GetRoleByKey("role", "admin", false)
// if err != nil {
// t.Fatal(err)
// }
// t.Log(result1)
}
func TestLoginHandler(t *testing.T) {
func TestLoginAndAuthorization(t *testing.T) {
os.Setenv("ACCESS_SECRET", "12345678910111213141516171819202")
os.Setenv("REFRESH_SECRET", "9998979695949392919089888786858")
gin.SetMode(gin.TestMode)
// Setup your AccessHandler and router
@@ -106,7 +171,7 @@ func TestLoginHandler(t *testing.T) {
r := gin.Default()
SetMiddlewareLogger(r, aH.GetLogger())
aH.SetMiddlewareLogger(r)
r.POST("/login", aH.Login)
r.POST("/login/refresh", aH.Refresh)

2
go.mod
View File

@@ -3,7 +3,7 @@ module gitea.tecamino.com/paadi/access-handler
go 1.24.5
require (
gitea.tecamino.com/paadi/dbHandler v1.0.2
gitea.tecamino.com/paadi/dbHandler v1.0.8
gitea.tecamino.com/paadi/tecamino-logger v0.2.1
github.com/gin-gonic/gin v1.11.0
github.com/go-playground/assert/v2 v2.2.0

4
go.sum
View File

@@ -1,5 +1,5 @@
gitea.tecamino.com/paadi/dbHandler v1.0.2 h1:5d3sWIFY6JQLX0PGSTsxcvZFCSNTgtx4lHTX5lwF2H8=
gitea.tecamino.com/paadi/dbHandler v1.0.2/go.mod h1:y/xn/POJg1DO++67uKvnO23lJQgh+XFQq7HZCS9Getw=
gitea.tecamino.com/paadi/dbHandler v1.0.8 h1:ZWSBM/KFtLwTv2cBqwK1mOxWAxAfL0BcWEC3kJ9JALU=
gitea.tecamino.com/paadi/dbHandler v1.0.8/go.mod h1:y/xn/POJg1DO++67uKvnO23lJQgh+XFQq7HZCS9Getw=
gitea.tecamino.com/paadi/tecamino-logger v0.2.1 h1:sQTBKYPdzn9mmWX2JXZBtGBvNQH7cuXIwsl4TD0aMgE=
gitea.tecamino.com/paadi/tecamino-logger v0.2.1/go.mod h1:FkzRTldUBBOd/iy2upycArDftSZ5trbsX5Ira5OzJgM=
github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ=

127
handlers/access.go Normal file
View File

@@ -0,0 +1,127 @@
package handlers
import (
"gitea.tecamino.com/paadi/dbHandler"
"gitea.tecamino.com/paadi/tecamino-logger/logging"
)
// AccessHandler
//
// Description:
//
// AccessHandler manages access-related functionality, including
// database operations for users and roles, as well as logging.
// It encapsulates a database handler and a logger so that
// authentication and authorization operations can be performed
// consistently across the application.
type AccessHandler struct {
dbHandler *dbHandler.DBHandler // Database handler used for managing users and roles
logger *logging.Logger // Centralized application logger
}
// NewAccessHandler
//
// Description:
//
// Creates and initializes a new AccessHandler instance.
//
// Behavior:
// 1. If a logger is not provided (nil), it creates a new logger instance
// that writes to "accessHandler.log".
// 2. Initializes the AccessHandler struct.
// 3. Sets up the internal DBAHandler with the same logger.
// 4. Automatically creates required database tables and default data:
// - User table
// - Default user(s)
// - Role table
// - Default role(s)
//
// Parameters:
// - dbPath: The file path to the database.
// - logger: Optional pointer to a logging.Logger instance. If nil, a new one is created.
//
// Returns:
// - aH: A pointer to the fully initialized AccessHandler.
// - err: Any error that occurs during initialization.
//
// Example:
//
// handler, err := NewAccessHandler("data/app.db", appLogger)
// if err != nil {
// log.Fatal(err)
// }
func NewAccessHandler(path string, logger *logging.Logger) (aH *AccessHandler, err error) {
if logger == nil {
logger, err = logging.NewLogger("accessHandler.log", nil)
if err != nil {
return
}
}
logger.Debug("NewAccessHandler", "initialize new access handler")
// Initialize AccessHandler with logger
aH = &AccessHandler{
logger: logger,
}
logger.Debug("NewAccessHandler", "initialize db handler")
// Create a new DB handler instance
aH.dbHandler, err = dbHandler.NewDBHandler("user", path, logger)
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add user table")
// Add the user table to the database
err = aH.AddUserTable()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add default user")
// Add default users to the system
err = aH.AddDefaultUser()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add role table")
// Add the role table to the database
err = aH.AddRoleTable()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add default role")
// Add default roles to the system
err = aH.AddDefaultRole()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
}
return
}
// GetLogger
//
// Description:
//
// Returns the logger associated with this AccessHandler instance.
// Useful when another component or handler needs to reuse the
// same logging instance for consistent log output.
//
// Returns:
// - *logging.Logger: The logger assigned to this AccessHandler.
//
// Example:
//
// log := accessHandler.GetLogger()
// log.Info("Some event")
func (aH *AccessHandler) GetLogger() *logging.Logger {
return aH.logger
}

67
login.go → handlers/login.go
View File

@@ -1,13 +1,12 @@
package AccessHandler
package handlers
import (
"fmt"
"log"
"net/http"
"time"
"gitea.tecamino.com/paadi/access-handler/internal/utils"
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/access-handler/utils"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
@@ -17,9 +16,9 @@ import (
// 🔐 AUTHENTICATION CONSTANTS
// -----------------------------
// JWT secrets (replace "*" with strong random values in production!)
var ACCESS_SECRET = []byte("ShFRprALcXjlosJ2hFCnGYGG3Ce2uRx6")
var REFRESH_SECRET = []byte("pQIjuX6g6Tzf0FEfdScxttT3hlL9NFaa")
// JWT secrets
var ACCESS_SECRET []byte
var REFRESH_SECRET []byte
// DOMAIN defines where cookies are valid. Change this in production.
var DOMAIN = "localhost"
@@ -53,27 +52,18 @@ func (aH *AccessHandler) Login(c *gin.Context) {
}
// Fetch user record from DB
dbRecord, err := aH.GetUserByKey("user_name", user.Name, false)
if err != nil {
aH.logger.Error("Login", err)
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
return
}
if len(dbRecord) > 1 {
log.Println("multiple users found")
aH.logger.Error("Login", "more than one record found")
c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("internal error"))
dbUser, hasError := aH.getUserFromDB(c, user.Name)
if hasError {
return
}
// Check password
if !utils.CheckPassword(user.Password, dbRecord[0].Password) {
if !utils.CheckPassword(user.Password, dbUser.Password) {
aH.logger.Error("Login", "invalid password")
c.JSON(http.StatusUnauthorized, models.NewJsonMessageResponse("invalid credentials"))
return
}
user = dbRecord[0]
user = dbUser
// -----------------------------
// 🔑 TOKEN CREATION
@@ -174,7 +164,11 @@ func (aH *AccessHandler) Refresh(c *gin.Context) {
username := claims["username"].(string)
id := int(claims["id"].(float64))
role := claims["role"].(string)
user, hasError := aH.getUserFromDB(c, username)
if hasError {
return
}
// Create new access token
aH.logger.Debug("Refresh", "create new access token")
@@ -182,7 +176,7 @@ func (aH *AccessHandler) Refresh(c *gin.Context) {
newAccess := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"id": id,
"username": username,
"role": role,
"role": user.Role,
"exp": accessExp.Unix(),
})
accessString, _ := newAccess.SignedString(ACCESS_SECRET)
@@ -241,3 +235,34 @@ func (aH *AccessHandler) Logout(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{"message": "logged out"})
}
func (aH *AccessHandler) getUserFromDB(c *gin.Context, userName string) (user models.User, hasError bool) {
hasError = true
// Fetch user record from DB
var dbRecord []models.User
err := aH.dbHandler.GetByKey(&dbRecord, "user_name", userName, false)
if err != nil {
aH.logger.Error("Login", err)
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
return
}
if len(dbRecord) == 0 {
aH.logger.Error("Login", "no user "+userName+" found")
c.JSON(http.StatusUnauthorized, models.NewJsonMessageResponse("invalid credentials"))
return
}
if len(dbRecord) > 1 {
aH.logger.Error("Login", "more than one record found")
c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("internal error"))
return
}
if !dbRecord[0].ExpirationIsValid() {
aH.logger.Error("Login", fmt.Sprintf("user %s is expired", userName))
c.JSON(http.StatusUnauthorized, models.NewJsonMessageResponse("user "+userName+" is expired"))
return
}
return dbRecord[0], false
}

15
middleware.go → handlers/middleware.go
View File

@@ -1,11 +1,11 @@
package AccessHandler
package handlers
import (
"fmt"
"log"
"net/http"
"strings"
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/tecamino-logger/logging"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
@@ -28,10 +28,10 @@ import (
// Usage:
//
// SetMiddlewareLogger(router, logger)
func SetMiddlewareLogger(r *gin.Engine, logger *logging.Logger) {
func (aH *AccessHandler) SetMiddlewareLogger(r *gin.Engine) {
// Add middleware that injects logger into context
r.Use(func(c *gin.Context) {
c.Set("logger", logger)
c.Set("logger", aH.logger)
c.Next()
})
}
@@ -130,7 +130,8 @@ func (aH *AccessHandler) AuthorizeRole(suffix string) gin.HandlerFunc {
}
// Fetch roles and associated permissions from the database or store
roles, err := aH.GetRoleByKey("role", role, false)
var roles []models.Role
err := aH.dbHandler.GetByKey(&roles, "role", role, false)
if err != nil {
aH.logger.Error("AuthorizeRole", err)
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": http.StatusInternalServerError})
@@ -139,8 +140,7 @@ func (aH *AccessHandler) AuthorizeRole(suffix string) gin.HandlerFunc {
// Validate that a role was found
if len(roles) == 0 {
log.Println("not logged in")
aH.logger.Error("AuthorizeRole", "no logged in")
aH.logger.Error("AuthorizeRole", "not logged in")
c.JSON(http.StatusUnauthorized, http.StatusUnauthorized)
return
} else if len(roles) > 1 {
@@ -151,7 +151,6 @@ func (aH *AccessHandler) AuthorizeRole(suffix string) gin.HandlerFunc {
// Check permissions
for _, permission := range roles[0].Permissions {
fmt.Println(100, permissionPath, permission.Name)
if permission.Name == permissionPath {
c.Next()
return

170
handlers/role.go Normal file
View File

@@ -0,0 +1,170 @@
package handlers
import (
"fmt"
"net/http"
"strconv"
"gitea.tecamino.com/paadi/access-handler/models"
"github.com/gin-gonic/gin"
)
func (aH *AccessHandler) AddRoleTable() error {
return aH.dbHandler.AddNewTable(models.Role{})
}
func (aH *AccessHandler) AddDefaultRole() (err error) {
role := "admin"
// Check if a role with this name already exists
if aH.dbHandler.Exists(&models.Role{}, "role", role, false) {
// Found a role → skip creation
aH.logger.Debug("AddDefaultRole", "role "+role+" exists already")
return nil
}
// Initialize default permissions for admin
permissions := models.Permissions{}
aH.logger.Debug("AddDefaultRole", "set default Permissions")
permissions.DefaultPermissions()
// Create the default admin role
aH.dbHandler.AddNewColum(&models.Role{
Role: role,
Permissions: permissions,
})
return
}
func (aH *AccessHandler) AddRole(c *gin.Context) {
var role models.Role
err := c.BindJSON(&role)
if err != nil {
aH.logger.Error("AddRole", err)
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
return
}
if !role.IsValid() {
aH.logger.Error("AddRole", "user empty")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("user empty"))
return
}
// Check if a role with this name already exists
if aH.dbHandler.Exists(&models.Role{}, "role", role.Role, false) {
aH.logger.Error("AddRole", fmt.Sprintf("role with name %s already exists", role.Role))
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse(fmt.Sprintf("role with name %s already exists", role.Role)))
}
// Insert new role with provided permissions
aH.dbHandler.AddNewColum(&models.Role{
Role: role.Role,
Permissions: role.Permissions,
})
c.JSON(http.StatusOK, gin.H{
"message": fmt.Sprintf("role '%s' successfully added", role.Role),
})
}
func (aH *AccessHandler) GetRole(c *gin.Context) {
var i int
var err error
var roles []models.Role
role := c.Query("role")
id := c.Query("id")
if role != "" {
err = aH.dbHandler.GetByKey(&roles, "role", role, false)
} else if id != "" {
i, err = strconv.Atoi(id)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{
"message": err.Error(),
})
return
}
err = aH.dbHandler.GetById(&roles, uint(i))
} else {
err = aH.dbHandler.GetById(&roles, 0)
}
if err != nil {
aH.logger.Error("GetRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, roles)
}
func (aH *AccessHandler) UpdateRole(c *gin.Context) {
var role models.Role
if err := c.BindJSON(&role); err != nil {
aH.logger.Error("UpdateRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
err := aH.dbHandler.UpdateValuesById(&role, role.Id)
if err != nil {
aH.logger.Error("UpdateRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, models.NewJsonMessageResponse("successfully updated role '"+role.Role+"'"))
}
func (aH *AccessHandler) DeleteRole(c *gin.Context) {
queryRole := c.Query("role")
if queryRole == "" || queryRole == "null" || queryRole == "undefined" {
aH.logger.Error("DeleteRole", "id query missing or wrong value: "+queryRole)
c.JSON(http.StatusInternalServerError, nil)
return
}
var request struct {
Roles []string `json:"roles"`
}
err := c.BindJSON(&request)
if err != nil {
aH.logger.Error("DeleteRole", err)
c.JSON(http.StatusBadRequest, nil)
return
}
if len(request.Roles) == 0 {
aH.logger.Error("DeleteRole", "no ids given to be deleted")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("no roles given to be deleted"))
return
}
var ownRole string
for _, role := range request.Roles {
if queryRole == role {
ownRole = role
continue
}
err = aH.dbHandler.DeleteByKey(&models.Role{}, "role", role, false)
if err != nil {
aH.logger.Error("DeleteRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
}
if ownRole != "" {
aH.logger.Error("DeleteRole", "can not delete logged in role id: "+ownRole)
c.JSON(http.StatusBadRequest, gin.H{
"message": "can not delete logged in role id: " + ownRole,
"role": ownRole,
})
return
}
c.JSON(http.StatusOK, gin.H{
"message": "role(s) deleted",
})
}

203
handlers/user.go Normal file
View File

@@ -0,0 +1,203 @@
package handlers
import (
"errors"
"fmt"
"net/http"
"strconv"
"gitea.tecamino.com/paadi/access-handler/internal/utils"
"gitea.tecamino.com/paadi/access-handler/models"
"github.com/gin-gonic/gin"
)
func (aH *AccessHandler) AddUserTable() error {
return aH.dbHandler.AddNewTable(models.User{})
}
func (aH *AccessHandler) AddDefaultUser() (err error) {
name := "admin"
role := "admin"
email := "zuercher@tecamino.ch"
// Check if a user with this email already exists
if aH.dbHandler.Exists(&models.User{}, "email", email, false) {
aH.logger.Debug("AddDefaultUser", "user email "+email+" exists already")
// Found a user → skip create
return nil
}
// Create default settings for the new user
settings := models.Settings{}
aH.logger.Debug("AddDefaultUser", "set default quasar settings")
settings.DefaultQuasarSettings()
// Insert default admin user into the database
aH.dbHandler.AddNewColum(&models.User{
Name: name,
Role: role,
Email: email,
Password: "$2a$10$sZZOWBP8DSFLrLFQNoXw8OsEEr0tez1B8lPzKCHofaHg6PMNxx1pG",
Settings: settings,
})
return
}
func (aH *AccessHandler) AddUser(c *gin.Context) {
var user models.User
err := c.BindJSON(&user)
if err != nil {
aH.logger.Error("AddUser", err)
c.JSON(http.StatusInternalServerError, models.NewJsonErrorResponse(err))
return
}
if !user.IsValid() {
aH.logger.Error("AddUser", "user empty")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("user empty"))
return
}
// Check if a user with this email already exists
if aH.dbHandler.Exists(&models.User{}, "email", user.Email, false) {
// Found a user → skip create
aH.logger.Error("AddUser", "user with email "+user.Email+" already exists")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse(fmt.Sprintf("user with email %s already exists", user.Email)))
return
}
if !utils.IsValidEmail(user.Email) {
aH.logger.Error("AddUser", "not valid email address")
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(errors.New("not valid email address")))
return
}
// Hash the provided password before saving
hash, err := utils.HashPassword(user.Password)
if err != nil {
aH.logger.Error("AddUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
aH.logger.Debug("AddUser", "add default quasar user setting ")
user.Settings.DefaultQuasarSettings()
aH.logger.Debug("AddUser", "add new user "+user.Name+" with role "+user.Role)
// Insert the new user record
aH.dbHandler.AddNewColum(&models.User{
Name: user.Name,
Role: user.Role,
Email: user.Email,
Password: hash,
Settings: user.Settings,
})
c.JSON(http.StatusOK, gin.H{
"message": fmt.Sprintf("user '%s' successfully added", user.Name),
})
}
func (aH *AccessHandler) GetUser(c *gin.Context) {
var i int
var err error
id := c.Query("id")
if id == "undefined" || id == "null" || id == "" {
i = 0
} else {
i, err = strconv.Atoi(id)
if err != nil {
aH.logger.Error("GetUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
}
var users []models.User
err = aH.dbHandler.GetById(&users, uint(i))
if err != nil {
aH.logger.Error("GetUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, users)
}
func (aH *AccessHandler) UpdateUser(c *gin.Context) {
var user models.User
if err := c.BindJSON(&user); err != nil {
aH.logger.Error("UpdateUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
err := aH.dbHandler.UpdateValuesById(&user, user.Id)
if err != nil {
aH.logger.Error("UpdateUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, models.NewJsonMessageResponse("successfully updated user '"+user.Email+"'"))
}
func (aH *AccessHandler) DeleteUser(c *gin.Context) {
queryId := c.Query("id")
if queryId == "" || queryId == "null" || queryId == "undefined" {
aH.logger.Error("DeleteUser", "id query missing or wrong value: "+queryId)
c.JSON(http.StatusBadRequest, gin.H{
"message": "id query missing or wrong value: " + queryId,
})
return
}
var request struct {
Ids []int `json:"ids"`
}
err := c.BindJSON(&request)
if err != nil {
aH.logger.Error("DeleteUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
if len(request.Ids) == 0 {
aH.logger.Error("DeleteUser", "no ids given to be deleted")
c.JSON(http.StatusBadRequest, gin.H{
"message": "no ids given to be deleted",
})
return
}
var ownId string
removeIds := make([]uint, len(request.Ids))
for i, id := range request.Ids {
if queryId == fmt.Sprint(id) {
ownId = queryId
continue
}
removeIds[i] = uint(id)
}
if ownId != "" {
aH.logger.Error("DeleteUser", "can not delete logged in member id: "+queryId)
c.JSON(http.StatusBadRequest, gin.H{
"message": "can not delete logged in member id: " + queryId,
"id": queryId,
})
return
}
err = aH.dbHandler.DeleteById(&models.User{}, removeIds...)
if err != nil {
aH.logger.Error("DeleteUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, gin.H{
"message": "member(s) deleted",
})
}

0
utils/hash.go → internal/utils/hash.go
View File

0
utils/utils.go → internal/utils/utils.go
View File

227
loginApi.go
View File

@@ -1,227 +0,0 @@
package AccessHandler
import (
"fmt"
"log"
"net/http"
"time"
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/access-handler/utils"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
)
// -----------------------------
// 🧠 HANDLERS
// -----------------------------
// Login authenticates a user and returns JWT tokens (access + refresh).
func (aH *AccessHandlerAPI) Login(c *gin.Context) {
var user models.User
aH.logger.Debug("Login", "bind JSON request")
if err := c.BindJSON(&user); err != nil {
aH.logger.Error("Login", err)
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
return
}
// Validate input
if !user.IsValid() {
aH.logger.Error("Login", "user empty")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("user empty"))
return
}
// Fetch user record from DB
var dbRecord []models.User
err := aH.dbHandler.GetByKey(&dbRecord, "user_name", user.Name, false)
if err != nil {
aH.logger.Error("Login", err)
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
return
}
if len(dbRecord) > 1 {
log.Println("multiple users found")
aH.logger.Error("Login", "more than one record found")
c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("internal error"))
return
}
// Check password
if !utils.CheckPassword(user.Password, dbRecord[0].Password) {
aH.logger.Error("Login", "invalid password")
c.JSON(http.StatusUnauthorized, models.NewJsonMessageResponse("invalid credentials"))
return
}
user = dbRecord[0]
// -----------------------------
// 🔑 TOKEN CREATION
// -----------------------------
aH.logger.Debug("Login", "create tokens")
accessTokenExp := time.Now().Add(ACCESS_TOKEN_TIME)
refreshTokenExp := time.Now().Add(REFRESH_TOKEN_TIME)
// Create access token
accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"id": user.Id,
"username": user.Name,
"role": user.Role,
"type": "access",
"exp": accessTokenExp.Unix(),
})
// Create refresh token
refreshToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"id": user.Id,
"username": user.Name,
"role": user.Role,
"type": "refresh",
"exp": refreshTokenExp.Unix(),
})
// Sign tokens
accessString, err := accessToken.SignedString(ACCESS_SECRET)
if err != nil {
aH.logger.Error("Login", "failed to sign access token")
c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("could not create access token"))
return
}
refreshString, err := refreshToken.SignedString(REFRESH_SECRET)
if err != nil {
aH.logger.Error("Login", "failed to sign refresh token")
c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("could not create refresh token"))
return
}
// -----------------------------
// 🍪 SET COOKIES
// -----------------------------
aH.logger.Debug("Login", "set cookies")
secure := gin.Mode() == gin.ReleaseMode
c.SetCookie("access_token", accessString, int(time.Until(accessTokenExp).Seconds()),
"/", "", secure, true)
c.SetCookie("refresh_token", refreshString, int(time.Until(refreshTokenExp).Seconds()),
"/", "", secure, true)
aH.logger.Info("Login", "user "+user.Name+" logged in successfully")
c.JSON(http.StatusOK, gin.H{
"message": "login successful",
"id": user.Id,
"user": user.Name,
"role": user.Role,
"settings": user.Settings,
})
}
// Refresh generates a new access token from a valid refresh token.
func (aH *AccessHandlerAPI) Refresh(c *gin.Context) {
aH.logger.Debug("Refresh", "get refresh cookie")
refreshCookie, err := c.Cookie("refresh_token")
if err != nil {
aH.logger.Error("Refresh", "no refresh token")
c.JSON(http.StatusUnauthorized, gin.H{"message": "no refresh token"})
return
}
// Validate token
aH.logger.Debug("Refresh", "parse token")
token, err := jwt.Parse(refreshCookie, func(token *jwt.Token) (any, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return REFRESH_SECRET, nil
})
if err != nil || !token.Valid {
aH.logger.Error("Refresh", err)
c.JSON(http.StatusUnauthorized, gin.H{"message": "invalid refresh token"})
return
}
// Extract claims
claims, ok := token.Claims.(jwt.MapClaims)
if !ok || claims["type"] != "refresh" {
aH.logger.Error("Refresh", "invalid token type")
c.JSON(http.StatusUnauthorized, gin.H{"message": "invalid token type"})
return
}
username := claims["username"].(string)
id := int(claims["id"].(float64))
role := claims["role"].(string)
// Create new access token
aH.logger.Debug("Refresh", "create new access token")
accessExp := time.Now().Add(ACCESS_TOKEN_TIME)
newAccess := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"id": id,
"username": username,
"role": role,
"exp": accessExp.Unix(),
})
accessString, _ := newAccess.SignedString(ACCESS_SECRET)
// Set new access cookie
aH.logger.Debug("Refresh", "set new access cookie")
c.SetCookie("access_token", accessString, int(time.Until(accessExp).Seconds()),
"/", DOMAIN, gin.Mode() == gin.ReleaseMode, true)
c.JSON(http.StatusOK, gin.H{"message": "token refreshed"})
}
// Me returns information about the currently authenticated user.
func (aH *AccessHandlerAPI) Me(c *gin.Context) {
aH.logger.Debug("Me", "get access cookie")
cookie, err := c.Cookie("access_token")
if err != nil {
aH.logger.Error("Me", err)
c.JSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
return
}
// Parse and validate access token
aH.logger.Debug("Me", "parse token")
token, err := jwt.Parse(cookie, func(t *jwt.Token) (any, error) {
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
}
return ACCESS_SECRET, nil
})
if err != nil || !token.Valid {
aH.logger.Error("Me", err)
c.JSON(http.StatusUnauthorized, gin.H{"message": "invalid token"})
return
}
claims := token.Claims.(jwt.MapClaims)
c.JSON(http.StatusOK, gin.H{
"id": claims["id"],
"user": claims["username"],
"role": claims["role"],
})
}
// Logout clears authentication cookies and ends the session.
func (aH *AccessHandlerAPI) Logout(c *gin.Context) {
aH.logger.Info("Logout", "logout user")
secure := gin.Mode() == gin.ReleaseMode
aH.logger.Debug("Logout", fmt.Sprintf("domain=%s secure=%t", DOMAIN, secure))
// Clear cookies
c.SetCookie("access_token", "", -1, "/", DOMAIN, secure, true)
c.SetCookie("refresh_token", "", -1, "/", DOMAIN, secure, true)
c.JSON(http.StatusOK, gin.H{"message": "logged out"})
}

167
middlewareApi.go
View File

@@ -1,167 +0,0 @@
package AccessHandler
import (
"fmt"
"log"
"net/http"
"strings"
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/tecamino-logger/logging"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
)
// SetMiddlewareLogger
//
// Description:
//
// Registers a Gin middleware that attaches a custom logger instance
// to every incoming request via the Gin context. This allows other
// middleware and handlers to access the logger using:
//
// logger := c.MustGet("logger").(*logging.Logger)
//
// Parameters:
// - r: The Gin engine to which the middleware is applied.
// - logger: A pointer to the application's custom logger.
//
// Usage:
//
// SetMiddlewareLogger(router, logger)
func (aH *AccessHandlerAPI) SetMiddlewareLogger(r *gin.Engine, logger *logging.Logger) {
// Add middleware that injects logger into context
r.Use(func(c *gin.Context) {
c.Set("logger", logger)
c.Next()
})
}
// AuthMiddleware
//
// Description:
//
// A Gin middleware that performs authentication using a JWT token stored
// in a cookie named "access_token". It validates the token and extracts
// the user's role from the claims, storing it in the Gin context.
//
// Behavior:
// - Requires that SetMiddlewareLogger was used earlier to inject the logger.
// - If the JWT cookie is missing or invalid, it aborts the request with
// an appropriate HTTP error (401 or 500).
//
// Returns:
//
// A Gin handler function that can be used as middleware.
//
// Usage:
//
// r.Use(AuthMiddleware())
func (aH *AccessHandlerAPI) AuthMiddleware() gin.HandlerFunc {
return func(c *gin.Context) {
// Retrieve logger from Gin context
middlewareLogger, ok := c.Get("logger")
if !ok {
log.Fatal("middleware logger not set — use SetMiddlewareLogger first")
c.AbortWithStatusJSON(http.StatusInternalServerError, http.StatusInternalServerError)
return
}
logger := middlewareLogger.(*logging.Logger)
// Read access token from cookie
cookie, err := c.Cookie("access_token")
if err != nil {
logger.Error("AuthMiddleware", err)
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
return
}
// Parse and validate JWT token
token, err := jwt.Parse(cookie, func(t *jwt.Token) (any, error) {
return ACCESS_SECRET, nil
})
if err != nil || !token.Valid {
logger.Error("AuthMiddleware", err)
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "invalid token"})
return
}
// Extract custom claims (role)
if claims, ok := token.Claims.(jwt.MapClaims); ok {
role, _ := claims["role"].(string)
c.Set("role", role)
}
c.Next()
}
}
// (AccessHandler).AuthorizeRole
//
// Description:
//
// A role-based authorization middleware. It checks whether the authenticated
// user (based on the "role" set in AuthMiddleware) has permission to access
// the given route. The check is performed by comparing the requested URL
// path against the users allowed permissions.
//
// Parameters:
// - suffix: A URL prefix to trim from the request path before matching
// permissions (e.g., "/api/v1").
//
// Behavior:
// - Fetches the user role from Gin context.
// - Uses aH.GetRoleByKey() to retrieve role records and permissions.
// - Grants access (calls c.Next()) if a matching permission is found.
// - Denies access (401 Unauthorized) if no permission matches.
//
// Usage:
//
// router.GET("/secure/:id", aH.AuthorizeRole("/api/v1"))
func (aH *AccessHandlerAPI) AuthorizeRole(suffix string) gin.HandlerFunc {
return func(c *gin.Context) {
aH.logger.Debug("AuthorizeRole", "permission path of url path")
permissionPath := strings.TrimPrefix(c.Request.URL.Path, suffix+"/")
aH.logger.Debug("AuthorizeRole", "get set role")
role, ok := c.Get("role")
if !ok {
aH.logger.Error("AuthorizeRole", "no role set")
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": http.StatusInternalServerError})
return
}
// Fetch roles and associated permissions from the database or store
var roles []models.Role
err := aH.dbHandler.GetByKey(&roles, "role", role, false)
if err != nil {
aH.logger.Error("AuthorizeRole", err)
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": http.StatusInternalServerError})
return
}
// Validate that a role was found
if len(roles) == 0 {
log.Println("not logged in")
aH.logger.Error("AuthorizeRole", "no logged in")
c.JSON(http.StatusUnauthorized, http.StatusUnauthorized)
return
} else if len(roles) > 1 {
aH.logger.Error("AuthorizeRole", "more than one record found")
c.JSON(http.StatusInternalServerError, http.StatusInternalServerError)
return
}
// Check permissions
for _, permission := range roles[0].Permissions {
fmt.Println(100, permissionPath, permission.Name)
if permission.Name == permissionPath {
c.Next()
return
}
}
// Access denied
aH.logger.Error("AuthorizeRole", "Forbidden")
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "Forbidden"})
}
}

3
models/permission.go
View File

@@ -12,8 +12,9 @@ func (r *Permissions) DefaultPermissions() {
*r = append(*r,
Permission{Name: "settings", Permission: 7},
Permission{Name: "userSettings", Permission: 7},
Permission{Name: "members", Permission: 7},
Permission{Name: "members", Permission: 15},
Permission{Name: "events", Permission: 7},
Permission{Name: "responsible", Permission: 7},
)
}

1
models/settings.go
View File

@@ -12,6 +12,7 @@ type Settings struct {
SecondaryColor string `json:"secondaryColor,omitempty"`
SecondaryColorText string `json:"secondaryColorText,omitempty"`
Icon string `json:"icon,omitempty"`
AppName string `json:"appName,omitempty"`
DatabaseName string `json:"databaseName,omitempty"`
DatabaseToken string `json:"databaseToken,omitempty"`
}

16
models/user.go
View File

@@ -1,14 +1,28 @@
package models
import (
"time"
)
type User struct {
Id uint `gorm:"primaryKey" json:"id"`
Name string `gorm:"column:user_name" json:"user"`
Email string `gorm:"column:email" json:"email"`
Role string `gorm:"column:role" json:"role"`
Role string `gorm:"column:role" json:"role,omitempty"`
Password string `gorm:"column:password" json:"password"`
Expiration string `gorm:"column:expiration" json:"expiration,omitempty"`
Settings Settings `gorm:"type:json" json:"settings"`
}
func (u *User) IsValid() bool {
return u.Name != ""
}
func (u *User) ExpirationIsValid() bool {
if u.Expiration == "" || u.Expiration == "never" {
return true
}
loc := time.Now().Location()
parsedTime, _ := time.ParseInLocation("2006-01-02 15:04:05", u.Expiration, loc)
return parsedTime.After(time.Now())
}

197
role.go
View File

@@ -1,197 +0,0 @@
package AccessHandler
import (
"fmt"
"gitea.tecamino.com/paadi/access-handler/models"
)
// AddRoleTable
//
// Description:
//
// Creates a new database table for storing role definitions if it does not already exist.
//
// Behavior:
// - Uses the DBHandler to add a table based on the `models.Role` struct.
// - Returns an error if table creation fails.
//
// Returns:
// - error: Any database error encountered.
func (aH *AccessHandler) AddRoleTable() error {
return aH.dbHandler.AddNewTable(models.Role{})
}
// AddDefaultRole
//
// Description:
//
// Ensures that a default administrative role exists in the database.
// If a role named "admin" is already present, it logs and skips creation.
//
// Behavior:
// 1. Checks for an existing "admin" role.
// 2. If not found, initializes default permissions using
// `models.Permissions.DefaultPermissions()`.
// 3. Creates a new role record with those permissions.
//
// Default Role:
// - Role: "admin"
// - Permissions: all default permissions defined in `models.Permissions`.
//
// Returns:
// - error: Any database or creation error encountered.
func (aH *AccessHandler) AddDefaultRole() (err error) {
role := "admin"
// Check if a role with this name already exists
if err := aH.dbHandler.Exists(&models.Role{}, "role", role, false); err == nil {
// Found a role → skip creation
aH.logger.Debug("AddDefaultRole", "role "+role+" exists already")
return nil
}
// Initialize default permissions for admin
permissions := models.Permissions{}
aH.logger.Debug("AddDefaultRole", "set default Permissions")
permissions.DefaultPermissions()
// Create the default admin role
aH.dbHandler.AddNewColum(&models.Role{
Role: role,
Permissions: permissions,
})
return
}
// AddNewRole
//
// Description:
//
// Adds a new role with a specific set of permissions to the database.
//
// Behavior:
// 1. Checks whether a role with the same name already exists.
// 2. If it does not exist, creates a new role record.
//
// Parameters:
// - role: The role name (e.g., "manager", "viewer").
// - permissions: A `models.Permissions` struct defining allowed actions.
//
// Returns:
// - error: If the role already exists or insertion fails.
func (aH *AccessHandler) AddNewRole(role string, permissions models.Permissions) (err error) {
// Check if a role with this name already exists
if err := aH.dbHandler.Exists(&models.Role{}, "role", role, false); err == nil {
// Found a role → skip creation
return fmt.Errorf("role with name %s already exists", role)
}
// Insert new role with provided permissions
aH.dbHandler.AddNewColum(&models.Role{
Role: role,
Permissions: permissions,
})
return
}
// GetRoleById
//
// Description:
//
// Retrieves a role record from the database by its numeric ID.
//
// Parameters:
// - id: The unique ID of the role.
//
// Returns:
// - roles: A slice containing the matched role (usually length 1).
// - err: Any database error encountered.
func (aH *AccessHandler) GetRoleById(id uint) (roles []models.Role, err error) {
err = aH.dbHandler.GetById(&roles, id)
return
}
// GetRoleByKey
//
// Description:
//
// Retrieves one or more roles based on a key/value query.
//
// Parameters:
// - key: The column name to search by (e.g., "role").
// - value: The value to match (e.g., "admin").
// - likeSearch: Whether to use SQL LIKE for partial matches.
//
// Returns:
// - roles: A list of matched roles.
// - err: Any database error encountered.
func (aH *AccessHandler) GetRoleByKey(key string, value any, likeSearch bool) (roles []models.Role, err error) {
err = aH.dbHandler.GetByKey(&roles, key, value, likeSearch)
return
}
// UpdateRoleById
//
// Description:
//
// Updates a role record identified by its numeric ID.
//
// Parameters:
// - id: The ID of the role to update.
// - role: A struct containing updated role data.
//
// Returns:
// - error: Any database error encountered.
func (aH *AccessHandler) UpdateRoleById(id uint, role models.Role) error {
return aH.dbHandler.UpdateValuesById(&role, id)
}
// UpdateRoleByKey
//
// Description:
//
// Updates a role record using a column key/value lookup.
//
// Parameters:
// - role: The updated role data.
// - key: The column name to search by.
// - value: The value to match against the key column.
//
// Returns:
// - error: Any database error encountered.
func (aH *AccessHandler) UpdateRoleByKey(role models.Role, key string, value any) error {
return aH.dbHandler.UpdateValuesByKey(&role, key, value)
}
// DeleteRoleById
//
// Description:
//
// Deletes a role record from the database by its numeric ID.
//
// Parameters:
// - id: The ID of the role to delete.
//
// Returns:
// - error: Any database error encountered during deletion.
func (aH *AccessHandler) DeleteRoleById(id uint) (err error) {
return aH.dbHandler.DeleteById(&models.Role{}, id)
}
// DeleteRoleByKey
//
// Description:
//
// Deletes one or more roles from the database matching a given key/value pair.
//
// Parameters:
// - key: The column name used for filtering (e.g., "role").
// - value: The matching value (e.g., "admin").
// - likeSearch: If true, performs a LIKE (partial) match.
//
// Returns:
// - error: Any database error encountered.
func (aH *AccessHandler) DeleteRoleByKey(key string, value any, likeSearch bool) (err error) {
return aH.dbHandler.DeleteByKey(&models.Role{}, key, value, likeSearch)
}

218
user.go
View File

@@ -1,218 +0,0 @@
package AccessHandler
import (
"fmt"
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/access-handler/utils"
)
// AddUserTable
//
// Description:
//
// Creates a new database table for storing user records if it does not already exist.
//
// Behavior:
// - Uses the DBHandler to add a table based on the `models.User` struct.
// - Returns any error encountered during table creation.
//
// Returns:
// - error: Any database error that occurs while creating the table.
func (aH *AccessHandler) AddUserTable() error {
return aH.dbHandler.AddNewTable(models.User{})
}
// AddDefaultUser
//
// Description:
//
// Ensures a default administrative user exists in the database.
// If a user with the predefined email already exists, the function logs
// a debug message and exits without making changes.
//
// Behavior:
// 1. Checks if the default user (admin) already exists by email.
// 2. If not found, creates default Quasar UI settings and adds the user.
//
// Default User:
// - Name: "admin"
// - Role: "admin"
// - Email: "zuercher@tecamino.ch"
// - Password: (empty or hashed later)
//
// Returns:
// - error: Any database or creation error encountered.
func (aH *AccessHandler) AddDefaultUser() (err error) {
name := "admin"
role := "admin"
email := "zuercher@tecamino.ch"
// Check if a user with this email already exists
if err := aH.dbHandler.Exists(&models.User{}, "email", email, false); err == nil {
aH.logger.Debug("AddDefaultUser", "user email "+email+" exists already")
// Found a user → skip create
return nil
}
// Create default settings for the new user
settings := models.Settings{}
aH.logger.Debug("AddDefaultUser", "set default quasar settings")
settings.DefaultQuasarSettings()
// Insert default admin user into the database
aH.dbHandler.AddNewColum(&models.User{
Name: name,
Role: role,
Email: email,
Password: "$2a$10$sZZOWBP8DSFLrLFQNoXw8OsEEr0tez1B8lPzKCHofaHg6PMNxx1pG",
Settings: settings,
})
return
}
// AddNewUser
//
// Description:
//
// Adds a new user record to the database with a hashed password.
//
// Behavior:
// 1. Verifies that the email does not already exist.
// 2. Hashes the password using utils.HashPassword().
// 3. Inserts the new user record into the database.
//
// Parameters:
// - userName: The user's display name.
// - email: The user's unique email address.
// - password: The user's raw password (will be hashed).
// - role: The role assigned to the user.
//
// Returns:
// - error: If the user already exists or if hashing/insertion fails.
func (aH *AccessHandler) AddNewUser(userName, email, password, role string) (err error) {
// Check if a user with this email already exists
if err := aH.dbHandler.Exists(&models.User{}, "email", email, false); err == nil {
// Found a user → skip create
aH.logger.Error("AddNewUser", "user with email "+email+" already exists")
return fmt.Errorf("user with email %s already exists", email)
}
// Hash the provided password before saving
hash, err := utils.HashPassword(password)
if err != nil {
return err
}
aH.logger.Debug("AddNewUser", "add new user "+userName+" with role "+role)
// Insert the new user record
aH.dbHandler.AddNewColum(&models.User{
Name: userName,
Role: role,
Email: email,
Password: hash,
})
return
}
// GetUserById
//
// Description:
//
// Retrieves user(s) from the database by their unique ID.
//
// Parameters:
// - id: The numeric user ID.
//
// Returns:
// - users: A slice containing the matched user (usually length 1).
// - err: Any database error encountered.
func (aH *AccessHandler) GetUserById(id uint) (users []models.User, err error) {
err = aH.dbHandler.GetById(&users, id)
return
}
// GetUserByKey
//
// Description:
//
// Queries users based on a given column key and value.
//
// Parameters:
// - key: The column name to search by (e.g., "email").
// - value: The value to match.
// - likeSearch: If true, performs a LIKE (partial) search.
//
// Returns:
// - users: A list of users that match the search criteria.
// - err: Any database error encountered.
func (aH *AccessHandler) GetUserByKey(key string, value any, likeSearch bool) (users []models.User, err error) {
err = aH.dbHandler.GetByKey(&users, key, value, likeSearch)
return
}
// UpdateUserById
//
// Description:
//
// Updates an existing user record identified by its numeric ID.
//
// Parameters:
// - id: The user ID to update.
// - user: A struct containing updated field values.
//
// Returns:
// - error: Any error encountered during the update.
func (aH *AccessHandler) UpdateUserById(id uint, user models.User) error {
return aH.dbHandler.UpdateValuesById(&user, id)
}
// UpdateUserByKey
//
// Description:
//
// Updates a user record based on a specified column key and value.
//
// Parameters:
// - user: The updated user data.
// - key: The column name used for lookup.
// - value: The value to match against the key column.
//
// Returns:
// - error: Any error encountered during the update.
func (aH *AccessHandler) UpdateUserByKey(user models.User, key string, value any) error {
return aH.dbHandler.UpdateValuesByKey(&user, key, value)
}
// DeleteUserById
//
// Description:
//
// Deletes a user from the database using their numeric ID.
//
// Parameters:
// - id: The ID of the user to delete.
//
// Returns:
// - error: Any database error encountered during deletion.
func (aH *AccessHandler) DeleteUserById(id uint) (err error) {
return aH.dbHandler.DeleteById(&models.User{}, id)
}
// DeleteUserByKey
//
// Description:
//
// Deletes users matching a specific key/value pair from the database.
//
// Parameters:
// - key: The column name to search by.
// - value: The value to match.
// - likeSearch: Whether to use a partial match (LIKE).
//
// Returns:
// - error: Any database error encountered during deletion.
func (aH *AccessHandler) DeleteUserByKey(key string, value any, likeSearch bool) (err error) {
return aH.dbHandler.DeleteByKey(&models.User{}, key, value, likeSearch)
}