paadi/access-handler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: paadi:v1.0.8
Branches Tags
paadi:main
paadi:v1.0.34 paadi:v1.0.33 paadi:v1.0.32 paadi:v1.0.31 paadi:v1.0.30 paadi:v1.0.29 paadi:v1.0.28 paadi:v1.0.27 paadi:v1.0.26 paadi:v1.0.25 paadi:v1.0.24 paadi:v1.0.23 paadi:v1.0.22 paadi:v1.0.21 paadi:v1.0.20 paadi:v1.0.19 paadi:v1.0.18 paadi:v1.0.17 paadi:v1.0.16 paadi:v1.0.15 paadi:v1.0.14 paadi:v1.0.13 paadi:v1.0.12 paadi:v1.0.11 paadi:v1.0.10 paadi:v1.0.9 paadi:v1.0.8 paadi:v1.0.7 paadi:v1.0.6 paadi:v1.0.5 paadi:v1.0.4 paadi:v1.0.3 paadi:v1.0.2 paadi:v1.0.1 paadi:v1.0.0
...
compare: paadi:v1.0.29
Branches Tags
paadi:main
paadi:v1.0.34 paadi:v1.0.33 paadi:v1.0.32 paadi:v1.0.31 paadi:v1.0.30 paadi:v1.0.29 paadi:v1.0.28 paadi:v1.0.27 paadi:v1.0.26 paadi:v1.0.25 paadi:v1.0.24 paadi:v1.0.23 paadi:v1.0.22 paadi:v1.0.21 paadi:v1.0.20 paadi:v1.0.19 paadi:v1.0.18 paadi:v1.0.17 paadi:v1.0.16 paadi:v1.0.15 paadi:v1.0.14 paadi:v1.0.13 paadi:v1.0.12 paadi:v1.0.11 paadi:v1.0.10 paadi:v1.0.9 paadi:v1.0.8 paadi:v1.0.7 paadi:v1.0.6 paadi:v1.0.5 paadi:v1.0.4 paadi:v1.0.3 paadi:v1.0.2 paadi:v1.0.1 paadi:v1.0.0

24 Commits
v1.0.8 ... v1.0.29

Author SHA1 Message Date
Adrian Zürcher
21daaf1819 add relational table request 2025-11-27 07:53:22 +01:00
Adrian Zürcher
8156fea488 lift dbhandler version 2025-11-20 10:41:41 +01:00
Adrian Zürcher
e15a94184c add relation to delete 2025-11-19 22:51:30 +01:00
Adrian Zürcher
2736aa1f6b add new db handler with table change to reference many2many 2025-11-19 16:29:37 +01:00
Adrian Zürcher
567cc726cc add new function to change passsword with test 2025-11-13 13:16:58 +01:00
Adrian Zürcher
3684fa224a add new permission group 2025-11-13 13:16:46 +01:00
Adrian Zürcher
db82dcf443 add exeption array to middleware Autorization 2025-11-13 13:16:11 +01:00
Adrian Zürcher
51d20dba37 increase member permission to 31 for import export 2025-11-12 17:15:18 +01:00
Adrian Zürcher
2a400f4ee4 add domain env to test 2025-11-12 14:23:07 +01:00
Adrian Zürcher
d50691776b move env vars to login and add domain 2025-11-12 14:21:57 +01:00
Adrian Zürcher
14968bfd4c replace static secrets with enviroment variables 2025-11-12 11:05:04 +01:00
Adrian Zürcher
f8e7b01a28 change member efault permission to 15 for import export permission 2025-11-12 09:02:27 +01:00
Adrian Zürcher
332a84aa57 add appName to user settings 2025-11-12 09:01:54 +01:00
Adrian Zürcher
e9fdea664f read role every refresh 2025-11-08 12:00:09 +01:00
Adrian Zürcher
7704fa9ecb new user expiration with user date format and never option 2025-11-08 11:27:45 +01:00
Adrian Zürcher
9a0019f3ad fix user defined exiration 2025-11-07 15:12:51 +01:00
Adrian Zürcher
0506ed6491 add new user defined user exiration 2025-11-07 13:51:58 +01:00
Adrian Zürcher
296c2e001d fix delete function 2025-11-07 08:19:20 +01:00
Adrian Zürcher
0c37d014a9 fix exist check 2025-11-07 08:06:54 +01:00
Adrian Zürcher
1f60813589 add new default permission 2025-11-06 14:03:13 +01:00
Adrian Zürcher
510d2df6b1 lift go mod versions 2025-10-31 08:13:48 +01:00
Adrian Zürcher
4670c93eff fix missing gin context (fixes #1) 2025-10-26 21:05:55 +01:00
Adrian Zürcher
8d8a1e3c33 change to api only handler and remove unused files, bring more structure 2025-10-26 10:38:44 +01:00
Adrian Zürcher
b6988638c0 fix minor bugs in role api 2025-10-24 17:35:32 +02:00
20 changed files with 790 additions and 1502 deletions
Expand all files Collapse all files

123
accessHandler.go
View File

@@ -1,127 +1,10 @@
package AccessHandler package AccessHandler
import ( import (
"gitea.tecamino.com/paadi/dbHandler" "gitea.tecamino.com/paadi/access-handler/handlers"
"gitea.tecamino.com/paadi/tecamino-logger/logging" "gitea.tecamino.com/paadi/tecamino-logger/logging"
) )
// AccessHandler func NewAccessHandler(path string, logger *logging.Logger) (aH *handlers.AccessHandler, err error) {
// return handlers.NewAccessHandler(path, logger)
// Description:
//
// AccessHandler manages access-related functionality, including
// database operations for users and roles, as well as logging.
// It encapsulates a database handler and a logger so that
// authentication and authorization operations can be performed
// consistently across the application.
type AccessHandler struct {
dbHandler *dbHandler.DBHandler // Database handler used for managing users and roles
logger *logging.Logger // Centralized application logger
}
// NewAccessHandler
//
// Description:
//
// Creates and initializes a new AccessHandler instance.
//
// Behavior:
// 1. If a logger is not provided (nil), it creates a new logger instance
// that writes to "accessHandler.log".
// 2. Initializes the AccessHandler struct.
// 3. Sets up the internal DBAHandler with the same logger.
// 4. Automatically creates required database tables and default data:
// - User table
// - Default user(s)
// - Role table
// - Default role(s)
//
// Parameters:
// - dbPath: The file path to the database.
// - logger: Optional pointer to a logging.Logger instance. If nil, a new one is created.
//
// Returns:
// - aH: A pointer to the fully initialized AccessHandler.
// - err: Any error that occurs during initialization.
//
// Example:
//
// handler, err := NewAccessHandler("data/app.db", appLogger)
// if err != nil {
// log.Fatal(err)
// }
func NewAccessHandler(path string, logger *logging.Logger) (aH *AccessHandler, err error) {
if logger == nil {
logger, err = logging.NewLogger("accessHandler.log", nil)
if err != nil {
return
}
}
logger.Debug("NewAccessHandler", "initialize new access handler")
// Initialize AccessHandler with logger
aH = &AccessHandler{
logger: logger,
}
logger.Debug("NewAccessHandler", "initialize db handler")
// Create a new DB handler instance
aH.dbHandler, err = dbHandler.NewDBHandler(path, "user", logger)
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add user table")
// Add the user table to the database
err = aH.AddUserTable()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add default user")
// Add default users to the system
err = aH.AddDefaultUser()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add role table")
// Add the role table to the database
err = aH.AddRoleTable()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add default role")
// Add default roles to the system
err = aH.AddDefaultRole()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
}
return
}
// GetLogger
//
// Description:
//
// Returns the logger associated with this AccessHandler instance.
// Useful when another component or handler needs to reuse the
// same logging instance for consistent log output.
//
// Returns:
// - *logging.Logger: The logger assigned to this AccessHandler.
//
// Example:
//
// log := accessHandler.GetLogger()
// log.Info("Some event")
func (aH *AccessHandler) GetLogger() *logging.Logger {
return aH.logger
} }

158
accessHandlerAPI.go
View File

@@ -1,158 +0,0 @@
package AccessHandler
import (
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/dbHandler"
"gitea.tecamino.com/paadi/tecamino-logger/logging"
)
// AccessHandler
//
// Description:
//
// AccessHandler manages access-related functionality, including
// database operations for users and roles, as well as logging.
// It encapsulates a database handler and a logger so that
// authentication and authorization operations can be performed
// consistently across the application.
type AccessHandlerAPI struct {
dbHandler *dbHandler.DBHandler // Database handler used for managing users and roles
logger *logging.Logger // Centralized application logger
}
// NewAccessHandlerAPI
//
// Description:
//
// Creates and initializes a new AccessHandler instance.
//
// Behavior:
// 1. If a logger is not provided (nil), it creates a new logger instance
// that writes to "accessHandler.log".
// 2. Initializes the AccessHandler struct.
// 3. Sets up the internal DBAHandler with the same logger.
// 4. Automatically creates required database tables and default data:
// - User table
// - Default user(s)
// - Role table
// - Default role(s)
//
// Parameters:
// - dbPath: The file path to the database.
// - logger: Optional pointer to a logging.Logger instance. If nil, a new one is created.
//
// Returns:
// - aH: A pointer to the fully initialized AccessHandler.
// - err: Any error that occurs during initialization.
//
// Example:
//
// handler, err := NewAccessHandlerAPI("data/app.db", appLogger)
// if err != nil {
// log.Fatal(err)
// }
func NewAccessHandlerAPI(path string, logger *logging.Logger) (aH *AccessHandlerAPI, err error) {
if logger == nil {
logger, err = logging.NewLogger("accessHandler.log", nil)
if err != nil {
return
}
}
logger.Debug("NewAccessHandlerAPI", "initialize new access handler")
// Initialize AccessHandler with logger
aH = &AccessHandlerAPI{
logger: logger,
}
logger.Debug("NewAccessHandlerAPI", "initialize db handler")
// Create a new DB handler instance
aH.dbHandler, err = dbHandler.NewDBHandler(path, "user", logger)
if err != nil {
aH.logger.Error("NewAccessHandlerAPI", err)
return
}
logger.Debug("NewAccessHandlerAPI", "add user table")
// Add the user table to the database
err = aH.dbHandler.AddNewTable(models.User{})
if err != nil {
aH.logger.Error("NewAccessHandlerAPI", err)
return
}
logger.Debug("NewAccessHandlerAPI", "add default user")
// Add default users to the system
name := "admin"
role := "admin"
email := "zuercher@tecamino.ch"
// Check if a user with this email already exists
if err := aH.dbHandler.Exists(&models.User{}, "email", email, false); err == nil {
aH.logger.Debug("AddDefaultUser", "user email "+email+" exists already")
// Found a user → skip create
} else {
// Create default settings for the new user
settings := models.Settings{}
aH.logger.Debug("AddDefaultUser", "set default quasar settings")
settings.DefaultQuasarSettings()
// Insert default admin user into the database
aH.dbHandler.AddNewColum(&models.User{
Name: name,
Role: role,
Email: email,
Password: "$2a$10$sZZOWBP8DSFLrLFQNoXw8OsEEr0tez1B8lPzKCHofaHg6PMNxx1pG",
Settings: settings,
})
}
logger.Debug("NewAccessHandlerAPI", "add role table")
// Add the role table to the database
err = aH.dbHandler.AddNewTable(models.Role{})
if err != nil {
aH.logger.Error("NewAccessHandlerAPI", err)
return
}
// Add default roles to the system
logger.Debug("NewAccessHandlerAPI", "add default role")
// Check if a role with this name already exists
if err := aH.dbHandler.Exists(&models.Role{}, "role", role, false); err == nil {
// Found a role → skip creation
aH.logger.Debug("AddDefaultRole", "role "+role+" exists already")
} else {
// Initialize default permissions for admin
permissions := models.Permissions{}
aH.logger.Debug("AddDefaultRole", "set default Permissions")
permissions.DefaultPermissions()
// Create the default admin role
aH.dbHandler.AddNewColum(&models.Role{
Role: role,
Permissions: permissions,
})
}
return
}
// GetLogger
//
// Description:
//
// Returns the logger associated with this AccessHandler instance.
// Useful when another component or handler needs to reuse the
// same logging instance for consistent log output.
//
// Returns:
// - *logging.Logger: The logger assigned to this AccessHandler.
//
// Example:
//
// log := accessHandler.GetLogger()
// log.Info("Some event")
func (aH *AccessHandlerAPI) GetLogger() *logging.Logger {
return aH.logger
}

291
api.go
View File

@@ -1,291 +0,0 @@
package AccessHandler
import (
"errors"
"fmt"
"net/http"
"strconv"
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/access-handler/utils"
"github.com/gin-gonic/gin"
)
func (aH *AccessHandlerAPI) AddUser(c *gin.Context) {
var user models.User
err := c.BindJSON(&user)
if err != nil {
aH.logger.Error("AddUser", err)
c.JSON(http.StatusInternalServerError, models.NewJsonErrorResponse(err))
return
}
if !user.IsValid() {
aH.logger.Error("AddUser", "user empty")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("user empty"))
return
}
// Check if a user with this email already exists
if err := aH.dbHandler.Exists(&models.User{}, "email", user.Email, false); err == nil {
// Found a user → skip create
aH.logger.Error("AddUser", "user with email "+user.Email+" already exists")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse(fmt.Sprintf("user with email %s already exists", user.Email)))
return
}
if !utils.IsValidEmail(user.Email) {
aH.logger.Error("AddUser", "not valid email address")
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(errors.New("not valid email address")))
return
}
// Hash the provided password before saving
hash, err := utils.HashPassword(user.Password)
if err != nil {
aH.logger.Error("AddUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
aH.logger.Debug("AddUser", "add new user "+user.Name+" with role "+user.Role)
// Insert the new user record
aH.dbHandler.AddNewColum(&models.User{
Name: user.Name,
Role: user.Role,
Email: user.Email,
Password: hash,
})
c.JSON(http.StatusOK, gin.H{
"message": fmt.Sprintf("user '%s' successfully added", user.Name),
})
}
func (aH *AccessHandlerAPI) GetUser(c *gin.Context) {
var i int
var err error
id := c.Query("id")
if id != "" {
i, err = strconv.Atoi(id)
if err != nil {
aH.logger.Error("GetUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
}
var users []models.User
err = aH.dbHandler.GetById(&users, uint(i))
if err != nil {
aH.logger.Error("GetUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, users)
}
func (aH *AccessHandlerAPI) UpdateUser(c *gin.Context) {
var user models.User
if err := c.BindJSON(&user); err != nil {
aH.logger.Error("UpdateUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
err := aH.dbHandler.UpdateValuesById(&user, user.Id)
if err != nil {
aH.logger.Error("UpdateUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, models.NewJsonMessageResponse("successfully updated user '"+user.Email+"'"))
}
func (aH *AccessHandlerAPI) DeleteUser(c *gin.Context) {
queryId := c.Query("id")
if queryId == "" || queryId == "null" || queryId == "undefined" {
aH.logger.Error("DeleteUser", "id query missing or wrong value: "+queryId)
c.JSON(http.StatusBadRequest, gin.H{
"message": "id query missing or wrong value: " + queryId,
})
return
}
var request struct {
Ids []int `json:"ids"`
}
err := c.BindJSON(&request)
if err != nil {
aH.logger.Error("DeleteUser", "id query missing or wrong value: "+queryId)
c.JSON(http.StatusInternalServerError, nil)
return
}
if len(request.Ids) == 0 {
aH.logger.Error("DeleteUser", "no ids given to be deleted")
c.JSON(http.StatusBadRequest, gin.H{
"message": "no ids given to be deleted",
})
return
}
var ownId string
removeIds := make([]uint, len(request.Ids))
for i, id := range request.Ids {
if queryId == fmt.Sprint(id) {
ownId = queryId
continue
}
removeIds[i] = uint(id)
}
if ownId != "" {
aH.logger.Error("DeleteUser", "can not delete logged in member id: "+queryId)
c.JSON(http.StatusBadRequest, gin.H{
"message": "can not delete logged in member id: " + queryId,
"id": queryId,
})
return
}
err = aH.dbHandler.DeleteById(&models.User{}, removeIds...)
if err != nil {
aH.logger.Error("DeleteUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, gin.H{
"message": "member(s) deleted",
})
}
func (aH *AccessHandlerAPI) AddRole(c *gin.Context) {
var role models.Role
err := c.BindJSON(&role)
if err != nil {
aH.logger.Error("AddRole", err)
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
return
}
if !role.IsValid() {
aH.logger.Error("AddRole", "user empty")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("user empty"))
return
}
// Check if a role with this name already exists
if err := aH.dbHandler.Exists(&models.Role{}, "role", role, false); err == nil {
aH.logger.Error("AddRole", fmt.Sprintf("role with name %s already exists", role.Role))
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse(fmt.Sprintf("role with name %s already exists", role.Role)))
}
// Insert new role with provided permissions
aH.dbHandler.AddNewColum(&models.Role{
Role: role.Role,
Permissions: role.Permissions,
})
c.JSON(http.StatusOK, gin.H{
"message": fmt.Sprintf("role '%s' successfully added", role.Role),
})
}
func (aH *AccessHandlerAPI) GetRole(c *gin.Context) {
var i int
var err error
id := c.Query("id")
if id != "" {
i, err = strconv.Atoi(id)
if err != nil {
aH.logger.Error("GetRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
}
var role []models.Role
err = aH.dbHandler.GetById(&role, uint(i))
if err != nil {
aH.logger.Error("GetRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, role)
}
func (aH *AccessHandlerAPI) UpdateRole(c *gin.Context) {
var role models.Role
if err := c.BindJSON(&role); err != nil {
aH.logger.Error("UpdateRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
err := aH.dbHandler.UpdateValuesById(&role, role.Id)
if err != nil {
aH.logger.Error("UpdateRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, models.NewJsonMessageResponse("successfully updated role '"+role.Role+"'"))
}
func (aH *AccessHandlerAPI) DeleteRole(c *gin.Context) {
queryRole := c.Query("role")
if queryRole == "" || queryRole == "null" || queryRole == "undefined" {
aH.logger.Error("DeleteRole", "id query missing or wrong value: "+queryRole)
c.JSON(http.StatusInternalServerError, nil)
return
}
var request struct {
Roles []string `json:"roles"`
}
err := c.BindJSON(&request)
if err != nil {
aH.logger.Error("DeleteRole", err)
c.JSON(http.StatusBadRequest, nil)
return
}
if len(request.Roles) == 0 {
aH.logger.Error("DeleteRole", "no ids given to be deleted")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("no roles given to be deleted"))
return
}
var ownRole string
for _, role := range request.Roles {
if queryRole == role {
ownRole = role
continue
}
err = aH.dbHandler.DeleteByKey(&models.Role{}, "role", role, false)
if err != nil {
aH.logger.Error("DeleteRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
}
if ownRole != "" {
aH.logger.Error("DeleteRole", "can not delete logged in role id: "+ownRole)
c.JSON(http.StatusBadRequest, gin.H{
"message": "can not delete logged in role id: " + ownRole,
"role": ownRole,
})
return
}
c.JSON(http.StatusOK, gin.H{
"message": "role(s) deleted",
})
}

197
db_test.go
View File

@@ -3,8 +3,10 @@ package AccessHandler
import ( import (
"bytes" "bytes"
"encoding/json" "encoding/json"
"io"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"os"
"testing" "testing"
"gitea.tecamino.com/paadi/access-handler/models" "gitea.tecamino.com/paadi/access-handler/models"
@@ -13,7 +15,20 @@ import (
"github.com/go-playground/assert/v2" "github.com/go-playground/assert/v2"
) )
func TestAccesshandlerLogin(t *testing.T) { func TestDatabase(t *testing.T) {
// set enviroment variables
os.Setenv("ACCESS_SECRET", "12345678910111213141516171819202")
os.Setenv("REFRESH_SECRET", "9998979695949392919089888786858")
os.Setenv("DOMAIN", "localhost")
dbName := "user.db"
if _, err := os.Stat(dbName); err == nil {
t.Log("remove user.db to start test with empty database")
if err := os.Remove(dbName); err != nil {
t.Fatal(err)
}
}
t.Log("start access handler test") t.Log("start access handler test")
t.Log("initialize accessHandler") t.Log("initialize accessHandler")
@@ -22,80 +37,74 @@ func TestAccesshandlerLogin(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
t.Log("add another user") r := gin.Default()
err = accessHandler.AddNewUser("guest", "guest@gmail.com", "passwordd1", "admin")
if err != nil { accessHandler.SetMiddlewareLogger(r)
t.Log(err)
r.POST("/users/add", accessHandler.AddUser)
r.GET("/users", accessHandler.GetUser)
r.GET("/roles", accessHandler.GetRole)
r.POST("/roles/add", accessHandler.AddRole)
type request struct {
Log string
Name string
Method string
Path string
Payload any
Cookie *http.Cookie
ignoreError bool
}
var requests []request
requests = append(requests,
request{Log: "add another user", Name: "add user", Method: "POST", Path: "/users/add", Payload: models.User{
Name: "guest",
Password: "passwordd1",
Role: &models.Role{Role: "guest"},
Email: "guest@gmail.com",
}, ignoreError: true},
request{Log: "Get all users", Name: "get all users", Method: "GET", Path: "/users"},
request{Log: "Get user id 1", Name: "get user id 1", Method: "GET", Path: "/users?id=1"},
request{Log: "Add new role", Name: "add new role", Method: "POST", Path: "/roles/add", Payload: models.Role{
Role: "testRole",
}, ignoreError: true},
request{Log: "Get all roles", Name: "get all roles", Method: "GET", Path: "/roles"},
request{Log: "Get all role id 1", Name: "get role id 1", Method: "GET", Path: "/roles?id=1"},
request{Log: "Get user id 2", Name: "get user id 2", Method: "GET", Path: "/users?id=2"},
)
for _, request := range requests {
if request.Log != "" {
t.Log(request.Log)
}
var bodyReader io.Reader
if request.Payload != nil {
jsonBytes, _ := json.Marshal(request.Payload)
bodyReader = bytes.NewBuffer(jsonBytes)
}
req, _ := http.NewRequest(request.Method, request.Path, bodyReader)
if request.Cookie != nil {
req.AddCookie(request.Cookie) // attach refresh_token cookie
}
w := httptest.NewRecorder()
r.ServeHTTP(w, req)
t.Log(request.Name+" response:", w.Body.String())
if !request.ignoreError {
assert.Equal(t, http.StatusOK, w.Code)
}
} }
t.Log("get user id 1")
result, err := accessHandler.GetUserByKey("user_name", "admin", false)
if err != nil {
t.Fatal(err)
}
t.Log(result)
t.Log("get all users")
result, err = accessHandler.GetUserById(0)
if err != nil {
t.Fatal(err)
}
t.Log(result)
t.Log("get user by key")
result, err = accessHandler.GetUserByKey("password", "passwordd", false)
if err != nil {
t.Fatal(err)
}
t.Log(result)
t.Log("get user by key and like")
result, err = accessHandler.GetUserByKey("user_name", "a*", true)
if err != nil {
t.Fatal(err)
}
t.Log(result)
// var user_name string = "admin1"
// if len(result) > 0 {
// if result[0].Name == user_name {
// user_name = "admin"
// }
// t.Log("update user to ", user_name)
// accessHandler.UpdateUserByKey(models.User{
// Name: user_name,
// }, "user_name", result[0].Name)
// }
t.Log("read user again")
result, err = accessHandler.GetUserByKey("user_name", "a*", true)
if err != nil {
t.Fatal(err)
}
t.Log(result)
// t.Log("delete user id 1")
// err = accessHandler.DeleteUserByKey("user_name", user_name, false)
// if err != nil {
// t.Fatal(err)
// }
t.Log("read user again")
result, err = accessHandler.GetUserById(0)
if err != nil {
t.Fatal(err)
}
t.Log(result)
t.Log("read admin permissions")
result1, err := accessHandler.GetRoleByKey("role", "admin", false)
if err != nil {
t.Fatal(err)
}
t.Log(result1)
} }
func TestLoginHandler(t *testing.T) { func TestLoginAndAuthorization(t *testing.T) {
os.Setenv("ACCESS_SECRET", "12345678910111213141516171819202")
os.Setenv("REFRESH_SECRET", "9998979695949392919089888786858")
os.Setenv("DOMAIN", "localhost")
gin.SetMode(gin.TestMode) gin.SetMode(gin.TestMode)
// Setup your AccessHandler and router // Setup your AccessHandler and router
@@ -106,10 +115,11 @@ func TestLoginHandler(t *testing.T) {
r := gin.Default() r := gin.Default()
SetMiddlewareLogger(r, aH.GetLogger()) aH.SetMiddlewareLogger(r)
r.POST("/login", aH.Login) r.POST("/login", aH.Login)
r.POST("/login/refresh", aH.Refresh) r.POST("/login/refresh", aH.Refresh)
r.POST("/roles/update", aH.UpdateRole)
r.GET("/login/me", aH.Me) r.GET("/login/me", aH.Me)
r.GET("/logout", aH.Logout) r.GET("/logout", aH.Logout)
middleware := r.Group("", aH.AuthMiddleware()) middleware := r.Group("", aH.AuthMiddleware())
@@ -118,11 +128,15 @@ func TestLoginHandler(t *testing.T) {
auth.GET("", func(ctx *gin.Context) { auth.GET("", func(ctx *gin.Context) {
ctx.JSON(http.StatusOK, "ok") ctx.JSON(http.StatusOK, "ok")
}) })
auth2 := middleware.Group("", aH.AuthorizeRole("/login/change", "password"))
auth2.POST("/login/change/password", aH.ChangePassword)
// ---- Step 1: Perform login ---- // ---- Step 1: Perform login ----
user := models.User{ user := models.User{
Name: "guest", Name: "guest",
Password: "passwordd1", Password: "passwordd1",
NewPassword: "Newpasswordd1",
} }
jsonBody, _ := json.Marshal(user) jsonBody, _ := json.Marshal(user)
@@ -151,22 +165,43 @@ func TestLoginHandler(t *testing.T) {
} }
type request struct { type request struct {
Name string Name string
Method string Method string
Path string Path string
Cookie *http.Cookie Payload any
Cookie *http.Cookie
ignoreError bool
} }
var requests []request var requests []request
user.Id = 2
correctUser := user
correctUser.Password = user.NewPassword
requests = append(requests, requests = append(requests,
request{Name: "Refresh", Method: "POST", Path: "/login/refresh", Cookie: refreshCookie}, request{Name: "Refresh", Method: "POST", Path: "/login/refresh", Cookie: refreshCookie},
request{Name: "Me", Method: "GET", Path: "/login/me", Cookie: accessCookie}, request{Name: "Me", Method: "GET", Path: "/login/me", Cookie: accessCookie},
request{Name: "add new role", Method: "POST", Path: "/roles/update", Payload: models.Role{
Role: "guest", Permissions: models.Permissions{{Name: "members", Permission: 31}},
}, ignoreError: true},
request{Name: "Authorization", Method: "GET", Path: "/members", Cookie: accessCookie}, request{Name: "Authorization", Method: "GET", Path: "/members", Cookie: accessCookie},
request{Name: "Change Password", Method: "POST", Path: "/login/change/password", Cookie: accessCookie, Payload: user},
request{Name: "Logout", Method: "GET", Path: "/logout", Cookie: refreshCookie}, request{Name: "Logout", Method: "GET", Path: "/logout", Cookie: refreshCookie},
request{Name: "New wrong login", Method: "POST", Path: "/login", Payload: user, ignoreError: true},
request{Name: "New login", Method: "POST", Path: "/login", Payload: correctUser},
) )
for _, request := range requests { for _, request := range requests {
req, _ := http.NewRequest(request.Method, request.Path, nil) var body io.Reader
if request.Payload != nil {
jsonBytes, err := json.Marshal(request.Payload)
if err != nil {
t.Fatal(err)
}
body = bytes.NewBuffer(jsonBytes)
}
req, _ := http.NewRequest(request.Method, request.Path, body)
if request.Cookie != nil { if request.Cookie != nil {
req.AddCookie(request.Cookie) // attach refresh_token cookie req.AddCookie(request.Cookie) // attach refresh_token cookie
} }
@@ -175,6 +210,8 @@ func TestLoginHandler(t *testing.T) {
r.ServeHTTP(w, req) r.ServeHTTP(w, req)
t.Log(request.Name+" response:", w.Body.String()) t.Log(request.Name+" response:", w.Body.String())
assert.Equal(t, http.StatusOK, w.Code) if !request.ignoreError {
assert.Equal(t, http.StatusOK, w.Code)
}
} }
} }

2
go.mod
View File

@@ -3,7 +3,7 @@ module gitea.tecamino.com/paadi/access-handler
go 1.24.5 go 1.24.5
require ( require (
gitea.tecamino.com/paadi/dbHandler v1.0.2 gitea.tecamino.com/paadi/dbHandler v1.1.7
gitea.tecamino.com/paadi/tecamino-logger v0.2.1 gitea.tecamino.com/paadi/tecamino-logger v0.2.1
github.com/gin-gonic/gin v1.11.0 github.com/gin-gonic/gin v1.11.0
github.com/go-playground/assert/v2 v2.2.0 github.com/go-playground/assert/v2 v2.2.0

4
go.sum
View File

@@ -1,5 +1,5 @@
gitea.tecamino.com/paadi/dbHandler v1.0.2 h1:5d3sWIFY6JQLX0PGSTsxcvZFCSNTgtx4lHTX5lwF2H8= gitea.tecamino.com/paadi/dbHandler v1.1.7 h1:NqVbxbUwd7EZX6HYntyLYwwPbyTPevOhIBTFqoCVqOU=
gitea.tecamino.com/paadi/dbHandler v1.0.2/go.mod h1:y/xn/POJg1DO++67uKvnO23lJQgh+XFQq7HZCS9Getw= gitea.tecamino.com/paadi/dbHandler v1.1.7/go.mod h1:y/xn/POJg1DO++67uKvnO23lJQgh+XFQq7HZCS9Getw=
gitea.tecamino.com/paadi/tecamino-logger v0.2.1 h1:sQTBKYPdzn9mmWX2JXZBtGBvNQH7cuXIwsl4TD0aMgE= gitea.tecamino.com/paadi/tecamino-logger v0.2.1 h1:sQTBKYPdzn9mmWX2JXZBtGBvNQH7cuXIwsl4TD0aMgE=
gitea.tecamino.com/paadi/tecamino-logger v0.2.1/go.mod h1:FkzRTldUBBOd/iy2upycArDftSZ5trbsX5Ira5OzJgM= gitea.tecamino.com/paadi/tecamino-logger v0.2.1/go.mod h1:FkzRTldUBBOd/iy2upycArDftSZ5trbsX5Ira5OzJgM=
github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ= github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ=

126
handlers/access.go Normal file
View File

@@ -0,0 +1,126 @@
package handlers
import (
"gitea.tecamino.com/paadi/dbHandler"
"gitea.tecamino.com/paadi/tecamino-logger/logging"
)
// AccessHandler
//
// Description:
//
// AccessHandler manages access-related functionality, including
// database operations for users and roles, as well as logging.
// It encapsulates a database handler and a logger so that
// authentication and authorization operations can be performed
// consistently across the application.
type AccessHandler struct {
dbHandler *dbHandler.DBHandler // Database handler used for managing users and roles
logger *logging.Logger // Centralized application logger
}
// NewAccessHandler
//
// Description:
//
// Creates and initializes a new AccessHandler instance.
//
// Behavior:
// 1. If a logger is not provided (nil), it creates a new logger instance
// that writes to "accessHandler.log".
// 2. Initializes the AccessHandler struct.
// 3. Sets up the internal DBAHandler with the same logger.
// 4. Automatically creates required database tables and default data:
// - User table
// - Default user(s)
// - Role table
// - Default role(s)
//
// Parameters:
// - dbPath: The file path to the database.
// - logger: Optional pointer to a logging.Logger instance. If nil, a new one is created.
//
// Returns:
// - aH: A pointer to the fully initialized AccessHandler.
// - err: Any error that occurs during initialization.
//
// Example:
//
// handler, err := NewAccessHandler("data/app.db", appLogger)
// if err != nil {
// log.Fatal(err)
// }
func NewAccessHandler(path string, logger *logging.Logger) (aH *AccessHandler, err error) {
if logger == nil {
logger, err = logging.NewLogger("accessHandler.log", nil)
if err != nil {
return
}
}
logger.Debug("NewAccessHandler", "initialize new access handler")
// Initialize AccessHandler with logger
aH = &AccessHandler{
logger: logger,
}
logger.Debug("NewAccessHandler", "initialize db handler")
// Create a new DB handler instance
aH.dbHandler, err = dbHandler.NewDBHandler("user", path, logger)
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add role table")
// Add the role table to the database
err = aH.AddRoleTable()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add default role")
// Add default roles to the system
err = aH.AddDefaultRole()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
}
logger.Debug("NewAccessHandler", "add user table")
// Add the user table to the database
err = aH.AddUserTable()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
logger.Debug("NewAccessHandler", "add default user")
// Add default users to the system
err = aH.AddDefaultUser()
if err != nil {
aH.logger.Error("NewAccessHandler", err)
return
}
return
}
// GetLogger
//
// Description:
//
// Returns the logger associated with this AccessHandler instance.
// Useful when another component or handler needs to reuse the
// same logging instance for consistent log output.
//
// Returns:
// - *logging.Logger: The logger assigned to this AccessHandler.
//
// Example:
//
// log := accessHandler.GetLogger()
// log.Info("Some event")
func (aH *AccessHandler) GetLogger() *logging.Logger {
return aH.logger
}

77
login.go → handlers/login.go
View File

@@ -1,13 +1,13 @@
package AccessHandler package handlers
import ( import (
"fmt" "fmt"
"log"
"net/http" "net/http"
"os"
"time" "time"
"gitea.tecamino.com/paadi/access-handler/internal/utils"
"gitea.tecamino.com/paadi/access-handler/models" "gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/access-handler/utils"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5" "github.com/golang-jwt/jwt/v5"
@@ -17,12 +17,12 @@ import (
// 🔐 AUTHENTICATION CONSTANTS // 🔐 AUTHENTICATION CONSTANTS
// ----------------------------- // -----------------------------
// JWT secrets (replace "*" with strong random values in production!) // JWT secrets
var ACCESS_SECRET = []byte("ShFRprALcXjlosJ2hFCnGYGG3Ce2uRx6") var ACCESS_SECRET = []byte(os.Getenv("ACCESS_SECRET"))
var REFRESH_SECRET = []byte("pQIjuX6g6Tzf0FEfdScxttT3hlL9NFaa") var REFRESH_SECRET = []byte(os.Getenv("REFRESH_SECRET"))
// DOMAIN defines where cookies are valid. Change this in production. // DOMAIN defines where cookies are valid. Change this in production.
var DOMAIN = "localhost" var DOMAIN = os.Getenv("DOMAIN")
// ACCESS_TOKEN_TIME defines how long access tokens are valid. // ACCESS_TOKEN_TIME defines how long access tokens are valid.
var ACCESS_TOKEN_TIME = 15 * time.Minute var ACCESS_TOKEN_TIME = 15 * time.Minute
@@ -53,27 +53,18 @@ func (aH *AccessHandler) Login(c *gin.Context) {
} }
// Fetch user record from DB // Fetch user record from DB
dbRecord, err := aH.GetUserByKey("user_name", user.Name, false) dbUser, hasError := aH.getUserFromDB(c, user.Name)
if err != nil { if hasError {
aH.logger.Error("Login", err)
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
return
}
if len(dbRecord) > 1 {
log.Println("multiple users found")
aH.logger.Error("Login", "more than one record found")
c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("internal error"))
return return
} }
// Check password // Check password
if !utils.CheckPassword(user.Password, dbRecord[0].Password) { if !utils.CheckPassword(user.Password, dbUser.Password) {
aH.logger.Error("Login", "invalid password") aH.logger.Error("Login", "invalid password")
c.JSON(http.StatusUnauthorized, models.NewJsonMessageResponse("invalid credentials")) c.JSON(http.StatusUnauthorized, models.NewJsonMessageResponse("invalid credentials"))
return return
} }
user = dbRecord[0] user = dbUser
// ----------------------------- // -----------------------------
// 🔑 TOKEN CREATION // 🔑 TOKEN CREATION
@@ -87,7 +78,7 @@ func (aH *AccessHandler) Login(c *gin.Context) {
accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{ accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"id": user.Id, "id": user.Id,
"username": user.Name, "username": user.Name,
"role": user.Role, "role": user.Role.Role,
"type": "access", "type": "access",
"exp": accessTokenExp.Unix(), "exp": accessTokenExp.Unix(),
}) })
@@ -96,7 +87,7 @@ func (aH *AccessHandler) Login(c *gin.Context) {
refreshToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{ refreshToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"id": user.Id, "id": user.Id,
"username": user.Name, "username": user.Name,
"role": user.Role, "role": user.Role.Role,
"type": "refresh", "type": "refresh",
"exp": refreshTokenExp.Unix(), "exp": refreshTokenExp.Unix(),
}) })
@@ -134,7 +125,7 @@ func (aH *AccessHandler) Login(c *gin.Context) {
"message": "login successful", "message": "login successful",
"id": user.Id, "id": user.Id,
"user": user.Name, "user": user.Name,
"role": user.Role, "role": user.Role.Role,
"settings": user.Settings, "settings": user.Settings,
}) })
} }
@@ -174,7 +165,11 @@ func (aH *AccessHandler) Refresh(c *gin.Context) {
username := claims["username"].(string) username := claims["username"].(string)
id := int(claims["id"].(float64)) id := int(claims["id"].(float64))
role := claims["role"].(string)
user, hasError := aH.getUserFromDB(c, username)
if hasError {
return
}
// Create new access token // Create new access token
aH.logger.Debug("Refresh", "create new access token") aH.logger.Debug("Refresh", "create new access token")
@@ -182,7 +177,7 @@ func (aH *AccessHandler) Refresh(c *gin.Context) {
newAccess := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{ newAccess := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"id": id, "id": id,
"username": username, "username": username,
"role": role, "role": user.Role.Role,
"exp": accessExp.Unix(), "exp": accessExp.Unix(),
}) })
accessString, _ := newAccess.SignedString(ACCESS_SECRET) accessString, _ := newAccess.SignedString(ACCESS_SECRET)
@@ -241,3 +236,35 @@ func (aH *AccessHandler) Logout(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{"message": "logged out"}) c.JSON(http.StatusOK, gin.H{"message": "logged out"})
} }
func (aH *AccessHandler) getUserFromDB(c *gin.Context, userName string) (user models.User, hasError bool) {
hasError = true
// Fetch user record from DB
var dbRecord []models.User
err := aH.dbHandler.GetByKey(&dbRecord, "user_name", userName, false, "Role")
if err != nil {
aH.logger.Error("Login", err)
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
return
}
if len(dbRecord) == 0 {
aH.logger.Error("Login", "no user "+userName+" found")
c.JSON(http.StatusUnauthorized, models.NewJsonMessageResponse("invalid credentials"))
return
}
if len(dbRecord) > 1 {
aH.logger.Error("Login", "more than one record found")
c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("internal error"))
return
}
if !dbRecord[0].ExpirationIsValid() {
aH.logger.Error("Login", fmt.Sprintf("user %s is expired", userName))
c.JSON(http.StatusUnauthorized, models.NewJsonMessageResponse("user "+userName+" is expired"))
return
}
return dbRecord[0], false
}

24
middleware.go → handlers/middleware.go
View File

@@ -1,11 +1,12 @@
package AccessHandler package handlers
import ( import (
"fmt"
"log" "log"
"net/http" "net/http"
"slices"
"strings" "strings"
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/tecamino-logger/logging" "gitea.tecamino.com/paadi/tecamino-logger/logging"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5" "github.com/golang-jwt/jwt/v5"
@@ -28,10 +29,10 @@ import (
// Usage: // Usage:
// //
// SetMiddlewareLogger(router, logger) // SetMiddlewareLogger(router, logger)
func SetMiddlewareLogger(r *gin.Engine, logger *logging.Logger) { func (aH *AccessHandler) SetMiddlewareLogger(r *gin.Engine) {
// Add middleware that injects logger into context // Add middleware that injects logger into context
r.Use(func(c *gin.Context) { r.Use(func(c *gin.Context) {
c.Set("logger", logger) c.Set("logger", aH.logger)
c.Next() c.Next()
}) })
} }
@@ -116,7 +117,7 @@ func (aH *AccessHandler) AuthMiddleware() gin.HandlerFunc {
// Usage: // Usage:
// //
// router.GET("/secure/:id", aH.AuthorizeRole("/api/v1")) // router.GET("/secure/:id", aH.AuthorizeRole("/api/v1"))
func (aH *AccessHandler) AuthorizeRole(suffix string) gin.HandlerFunc { func (aH *AccessHandler) AuthorizeRole(suffix string, exeptions ...string) gin.HandlerFunc {
return func(c *gin.Context) { return func(c *gin.Context) {
aH.logger.Debug("AuthorizeRole", "permission path of url path") aH.logger.Debug("AuthorizeRole", "permission path of url path")
permissionPath := strings.TrimPrefix(c.Request.URL.Path, suffix+"/") permissionPath := strings.TrimPrefix(c.Request.URL.Path, suffix+"/")
@@ -130,7 +131,8 @@ func (aH *AccessHandler) AuthorizeRole(suffix string) gin.HandlerFunc {
} }
// Fetch roles and associated permissions from the database or store // Fetch roles and associated permissions from the database or store
roles, err := aH.GetRoleByKey("role", role, false) var roles []models.Role
err := aH.dbHandler.GetByKey(&roles, "role", role, false)
if err != nil { if err != nil {
aH.logger.Error("AuthorizeRole", err) aH.logger.Error("AuthorizeRole", err)
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": http.StatusInternalServerError}) c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": http.StatusInternalServerError})
@@ -139,8 +141,7 @@ func (aH *AccessHandler) AuthorizeRole(suffix string) gin.HandlerFunc {
// Validate that a role was found // Validate that a role was found
if len(roles) == 0 { if len(roles) == 0 {
log.Println("not logged in") aH.logger.Error("AuthorizeRole", "not logged in")
aH.logger.Error("AuthorizeRole", "no logged in")
c.JSON(http.StatusUnauthorized, http.StatusUnauthorized) c.JSON(http.StatusUnauthorized, http.StatusUnauthorized)
return return
} else if len(roles) > 1 { } else if len(roles) > 1 {
@@ -149,9 +150,14 @@ func (aH *AccessHandler) AuthorizeRole(suffix string) gin.HandlerFunc {
return return
} }
// check exeptions
if slices.Contains(exeptions, permissionPath) {
c.Next()
return
}
// Check permissions // Check permissions
for _, permission := range roles[0].Permissions { for _, permission := range roles[0].Permissions {
fmt.Println(100, permissionPath, permission.Name)
if permission.Name == permissionPath { if permission.Name == permissionPath {
c.Next() c.Next()
return return

183
handlers/role.go Normal file
View File

@@ -0,0 +1,183 @@
package handlers
import (
"fmt"
"net/http"
"strconv"
"gitea.tecamino.com/paadi/access-handler/models"
"github.com/gin-gonic/gin"
)
func (aH *AccessHandler) AddRoleTable() error {
return aH.dbHandler.AddNewTable(models.Role{})
}
func (aH *AccessHandler) AddDefaultRole() (err error) {
role := "admin"
// Check if a role with this name already exists
if aH.dbHandler.Exists(&models.Role{}, "role", role, false) {
// Found a role → skip creation
aH.logger.Debug("AddDefaultRole", "role "+role+" exists already")
return nil
}
// Initialize default permissions for admin
permissions := models.Permissions{}
aH.logger.Debug("AddDefaultRole", "set default Permissions")
permissions.DefaultPermissions()
// Create the default admin role
aH.dbHandler.AddNewColum(&models.Role{
Role: role,
Permissions: permissions,
})
return
}
func (aH *AccessHandler) AddRole(c *gin.Context) {
var role models.Role
err := c.BindJSON(&role)
if err != nil {
aH.logger.Error("AddRole", err)
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
return
}
if !role.IsValid() {
aH.logger.Error("AddRole", "user empty")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("user empty"))
return
}
// Check if a role with this name already exists
if aH.dbHandler.Exists(&models.Role{}, "role", role.Role, false) {
aH.logger.Error("AddRole", fmt.Sprintf("role with name %s already exists", role.Role))
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse(fmt.Sprintf("role with name %s already exists", role.Role)))
return
}
// Insert new role with provided permissions
aH.dbHandler.AddNewColum(&models.Role{
Role: role.Role,
Permissions: role.Permissions,
})
c.JSON(http.StatusOK, gin.H{
"message": fmt.Sprintf("role '%s' successfully added", role.Role),
})
}
func (aH *AccessHandler) GetRole(c *gin.Context) {
var i int
var err error
var roles []models.Role
role := c.Query("role")
id := c.Query("id")
if role != "" {
err = aH.dbHandler.GetByKey(&roles, "role", role, false)
} else if id != "" {
i, err = strconv.Atoi(id)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{
"message": err.Error(),
})
return
}
err = aH.dbHandler.GetById(&roles, uint(i))
} else {
err = aH.dbHandler.GetById(&roles, 0)
}
if err != nil {
aH.logger.Error("GetRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, roles)
}
func (aH *AccessHandler) UpdateRole(c *gin.Context) {
var role models.Role
if err := c.BindJSON(&role); err != nil {
aH.logger.Error("UpdateRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
if role.Id != 0 {
err := aH.dbHandler.UpdateValuesById(&role, role.Id)
if err != nil {
aH.logger.Error("UpdateRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
} else {
err := aH.dbHandler.UpdateValuesByKey(&role, "", "role", role.Role)
if err != nil {
aH.logger.Error("UpdateRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
}
c.JSON(http.StatusOK, models.NewJsonMessageResponse("successfully updated role '"+role.Role+"'"))
}
func (aH *AccessHandler) DeleteRole(c *gin.Context) {
queryRole := c.Query("role")
if queryRole == "" || queryRole == "null" || queryRole == "undefined" {
aH.logger.Error("DeleteRole", "id query missing or wrong value: "+queryRole)
c.JSON(http.StatusInternalServerError, nil)
return
}
var request struct {
Roles []string `json:"roles"`
}
err := c.BindJSON(&request)
if err != nil {
aH.logger.Error("DeleteRole", err)
c.JSON(http.StatusBadRequest, nil)
return
}
if len(request.Roles) == 0 {
aH.logger.Error("DeleteRole", "no ids given to be deleted")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("no roles given to be deleted"))
return
}
var ownRole string
for _, role := range request.Roles {
if queryRole == role {
ownRole = role
continue
}
err = aH.dbHandler.DeleteByKey(&models.Role{}, "role", role, false)
if err != nil {
aH.logger.Error("DeleteRole", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
}
if ownRole != "" {
aH.logger.Error("DeleteRole", "can not delete logged in role id: "+ownRole)
c.JSON(http.StatusBadRequest, gin.H{
"message": "can not delete logged in role id: " + ownRole,
"role": ownRole,
})
return
}
c.JSON(http.StatusOK, gin.H{
"message": "role(s) deleted",
})
}

265
handlers/user.go Normal file
View File

@@ -0,0 +1,265 @@
package handlers
import (
"errors"
"fmt"
"net/http"
"strconv"
"gitea.tecamino.com/paadi/access-handler/internal/utils"
"gitea.tecamino.com/paadi/access-handler/models"
"github.com/gin-gonic/gin"
)
func (aH *AccessHandler) AddUserTable() error {
return aH.dbHandler.AddNewTable(models.User{})
}
func (aH *AccessHandler) AddDefaultUser() (err error) {
// Create default settings for the new user
settings := models.Settings{}
aH.logger.Debug("AddDefaultUser", "set default quasar settings")
settings.DefaultQuasarSettings()
user := &models.User{
Name: "admin",
Email: "zuercher@tecamino.ch",
Password: "$2a$10$sZZOWBP8DSFLrLFQNoXw8OsEEr0tez1B8lPzKCHofaHg6PMNxx1pG",
Settings: settings,
}
// Check if a user with this email already exists
if aH.dbHandler.Exists(&models.User{}, "email", user.Email, false) {
aH.logger.Debug("AddDefaultUser", "user email "+user.Email+" exists already")
// Found a user → skip create
return nil
}
// Insert default admin user into the database
if err := aH.dbHandler.AddNewColum(user); err != nil {
return err
}
role := &models.Role{}
if err := aH.dbHandler.GetByKey(role, "role", "admin", false); err != nil {
return err
}
return aH.dbHandler.AddRelation(user, role, "Role")
}
func (aH *AccessHandler) AddUser(c *gin.Context) {
var user models.User
err := c.BindJSON(&user)
if err != nil {
aH.logger.Error("AddUser", err)
c.JSON(http.StatusInternalServerError, models.NewJsonErrorResponse(err))
return
}
if !user.IsValid() {
aH.logger.Error("AddUser", "user empty")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("user empty"))
return
}
// Check if a user with this email already exists
if aH.dbHandler.Exists(&models.User{}, "email", user.Email, false) {
// Found a user → skip create
aH.logger.Error("AddUser", "user with email "+user.Email+" already exists")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse(fmt.Sprintf("user with email %s already exists", user.Email)))
return
}
if !utils.IsValidEmail(user.Email) {
aH.logger.Error("AddUser", "not valid email address")
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(errors.New("not valid email address")))
return
}
// Hash the provided password before saving
user.Password, err = utils.HashPassword(user.Password)
if err != nil {
aH.logger.Error("AddUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
aH.logger.Debug("AddUser", "add default quasar user setting ")
user.Settings.DefaultQuasarSettings()
aH.logger.Debug("AddUser", "add new user "+user.Name+" with role "+user.Role.Role)
if user.Role.Id != 0 {
if err := aH.dbHandler.GetById(&user.Role, user.Role.Id); err != nil {
aH.logger.Error("AddUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
} else {
if err := aH.dbHandler.GetByKey(&user.Role, "role", user.Role.Role, false); err != nil {
aH.logger.Error("AddUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
}
user.RoleID = &user.Role.Id
// Insert the new user record
if err := aH.dbHandler.AddNewColum(&user); err != nil {
aH.logger.Error("AddUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, gin.H{
"message": fmt.Sprintf("user '%s' successfully added", user.Name),
})
}
func (aH *AccessHandler) ChangePassword(c *gin.Context) {
var user models.User
err := c.BindJSON(&user)
if err != nil {
aH.logger.Error("ChangePassword", err)
c.JSON(http.StatusInternalServerError, models.NewJsonErrorResponse(err))
return
}
// get user to check ChangePassword
var dbRecord models.User
err = aH.dbHandler.GetById(&dbRecord, user.Id, "Role")
if err != nil {
aH.logger.Error("ChangePassword", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
// Check if old password is correct
if !utils.CheckPassword(user.Password, dbRecord.Password) {
// Found a user → skip create
aH.logger.Error("ChangePassword", "wrong password entered for user: "+user.Name)
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("invalid credentials"))
return
}
// Hash the provided password before saving
user.Password, err = utils.HashPassword(user.NewPassword)
if err != nil {
aH.logger.Error("ChangePassword", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
aH.logger.Debug("ChangePassword", "change user "+user.Name+" password")
// Update user
aH.dbHandler.UpdateValuesById(&user, user.Id, "Role")
c.JSON(http.StatusOK, gin.H{
"message": fmt.Sprintf("password of user '%s' changed", user.Name),
})
}
func (aH *AccessHandler) GetUser(c *gin.Context) {
var i int
var err error
id := c.Query("id")
if id == "undefined" || id == "null" || id == "" {
i = 0
} else {
i, err = strconv.Atoi(id)
if err != nil {
aH.logger.Error("GetUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
}
var users []models.User
err = aH.dbHandler.GetById(&users, uint(i), "Role")
if err != nil {
aH.logger.Error("GetUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, users)
}
func (aH *AccessHandler) UpdateUser(c *gin.Context) {
var user models.User
if err := c.BindJSON(&user); err != nil {
aH.logger.Error("UpdateUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
err := aH.dbHandler.UpdateValuesById(&user, user.Id, "Role")
if err != nil {
aH.logger.Error("UpdateUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, models.NewJsonMessageResponse("successfully updated user '"+user.Email+"'"))
}
func (aH *AccessHandler) DeleteUser(c *gin.Context) {
queryId := c.Query("id")
if queryId == "" || queryId == "null" || queryId == "undefined" {
aH.logger.Error("DeleteUser", "id query missing or wrong value: "+queryId)
c.JSON(http.StatusBadRequest, gin.H{
"message": "id query missing or wrong value: " + queryId,
})
return
}
var request struct {
Ids []int `json:"ids"`
}
err := c.BindJSON(&request)
if err != nil {
aH.logger.Error("DeleteUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
if len(request.Ids) == 0 {
aH.logger.Error("DeleteUser", "no ids given to be deleted")
c.JSON(http.StatusBadRequest, gin.H{
"message": "no ids given to be deleted",
})
return
}
var ownId string
removeIds := make([]uint, len(request.Ids))
for i, id := range request.Ids {
if queryId == fmt.Sprint(id) {
ownId = queryId
continue
}
removeIds[i] = uint(id)
}
if ownId != "" {
aH.logger.Error("DeleteUser", "can not delete logged in member id: "+queryId)
c.JSON(http.StatusBadRequest, gin.H{
"message": "can not delete logged in member id: " + queryId,
"id": queryId,
})
return
}
err = aH.dbHandler.DeleteById(&models.User{}, "", removeIds...)
if err != nil {
aH.logger.Error("DeleteUser", err)
c.JSON(http.StatusInternalServerError, nil)
return
}
c.JSON(http.StatusOK, gin.H{
"message": "member(s) deleted",
})
}

0
utils/hash.go → internal/utils/hash.go
View File

0
utils/utils.go → internal/utils/utils.go
View File

227
loginApi.go
View File

@@ -1,227 +0,0 @@
package AccessHandler
import (
"fmt"
"log"
"net/http"
"time"
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/access-handler/utils"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
)
// -----------------------------
// 🧠 HANDLERS
// -----------------------------
// Login authenticates a user and returns JWT tokens (access + refresh).
func (aH *AccessHandlerAPI) Login(c *gin.Context) {
var user models.User
aH.logger.Debug("Login", "bind JSON request")
if err := c.BindJSON(&user); err != nil {
aH.logger.Error("Login", err)
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
return
}
// Validate input
if !user.IsValid() {
aH.logger.Error("Login", "user empty")
c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("user empty"))
return
}
// Fetch user record from DB
var dbRecord []models.User
err := aH.dbHandler.GetByKey(&dbRecord, "user_name", user.Name, false)
if err != nil {
aH.logger.Error("Login", err)
c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
return
}
if len(dbRecord) > 1 {
log.Println("multiple users found")
aH.logger.Error("Login", "more than one record found")
c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("internal error"))
return
}
// Check password
if !utils.CheckPassword(user.Password, dbRecord[0].Password) {
aH.logger.Error("Login", "invalid password")
c.JSON(http.StatusUnauthorized, models.NewJsonMessageResponse("invalid credentials"))
return
}
user = dbRecord[0]
// -----------------------------
// 🔑 TOKEN CREATION
// -----------------------------
aH.logger.Debug("Login", "create tokens")
accessTokenExp := time.Now().Add(ACCESS_TOKEN_TIME)
refreshTokenExp := time.Now().Add(REFRESH_TOKEN_TIME)
// Create access token
accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"id": user.Id,
"username": user.Name,
"role": user.Role,
"type": "access",
"exp": accessTokenExp.Unix(),
})
// Create refresh token
refreshToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"id": user.Id,
"username": user.Name,
"role": user.Role,
"type": "refresh",
"exp": refreshTokenExp.Unix(),
})
// Sign tokens
accessString, err := accessToken.SignedString(ACCESS_SECRET)
if err != nil {
aH.logger.Error("Login", "failed to sign access token")
c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("could not create access token"))
return
}
refreshString, err := refreshToken.SignedString(REFRESH_SECRET)
if err != nil {
aH.logger.Error("Login", "failed to sign refresh token")
c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("could not create refresh token"))
return
}
// -----------------------------
// 🍪 SET COOKIES
// -----------------------------
aH.logger.Debug("Login", "set cookies")
secure := gin.Mode() == gin.ReleaseMode
c.SetCookie("access_token", accessString, int(time.Until(accessTokenExp).Seconds()),
"/", "", secure, true)
c.SetCookie("refresh_token", refreshString, int(time.Until(refreshTokenExp).Seconds()),
"/", "", secure, true)
aH.logger.Info("Login", "user "+user.Name+" logged in successfully")
c.JSON(http.StatusOK, gin.H{
"message": "login successful",
"id": user.Id,
"user": user.Name,
"role": user.Role,
"settings": user.Settings,
})
}
// Refresh generates a new access token from a valid refresh token.
func (aH *AccessHandlerAPI) Refresh(c *gin.Context) {
aH.logger.Debug("Refresh", "get refresh cookie")
refreshCookie, err := c.Cookie("refresh_token")
if err != nil {
aH.logger.Error("Refresh", "no refresh token")
c.JSON(http.StatusUnauthorized, gin.H{"message": "no refresh token"})
return
}
// Validate token
aH.logger.Debug("Refresh", "parse token")
token, err := jwt.Parse(refreshCookie, func(token *jwt.Token) (any, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return REFRESH_SECRET, nil
})
if err != nil || !token.Valid {
aH.logger.Error("Refresh", err)
c.JSON(http.StatusUnauthorized, gin.H{"message": "invalid refresh token"})
return
}
// Extract claims
claims, ok := token.Claims.(jwt.MapClaims)
if !ok || claims["type"] != "refresh" {
aH.logger.Error("Refresh", "invalid token type")
c.JSON(http.StatusUnauthorized, gin.H{"message": "invalid token type"})
return
}
username := claims["username"].(string)
id := int(claims["id"].(float64))
role := claims["role"].(string)
// Create new access token
aH.logger.Debug("Refresh", "create new access token")
accessExp := time.Now().Add(ACCESS_TOKEN_TIME)
newAccess := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"id": id,
"username": username,
"role": role,
"exp": accessExp.Unix(),
})
accessString, _ := newAccess.SignedString(ACCESS_SECRET)
// Set new access cookie
aH.logger.Debug("Refresh", "set new access cookie")
c.SetCookie("access_token", accessString, int(time.Until(accessExp).Seconds()),
"/", DOMAIN, gin.Mode() == gin.ReleaseMode, true)
c.JSON(http.StatusOK, gin.H{"message": "token refreshed"})
}
// Me returns information about the currently authenticated user.
func (aH *AccessHandlerAPI) Me(c *gin.Context) {
aH.logger.Debug("Me", "get access cookie")
cookie, err := c.Cookie("access_token")
if err != nil {
aH.logger.Error("Me", err)
c.JSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
return
}
// Parse and validate access token
aH.logger.Debug("Me", "parse token")
token, err := jwt.Parse(cookie, func(t *jwt.Token) (any, error) {
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
}
return ACCESS_SECRET, nil
})
if err != nil || !token.Valid {
aH.logger.Error("Me", err)
c.JSON(http.StatusUnauthorized, gin.H{"message": "invalid token"})
return
}
claims := token.Claims.(jwt.MapClaims)
c.JSON(http.StatusOK, gin.H{
"id": claims["id"],
"user": claims["username"],
"role": claims["role"],
})
}
// Logout clears authentication cookies and ends the session.
func (aH *AccessHandlerAPI) Logout(c *gin.Context) {
aH.logger.Info("Logout", "logout user")
secure := gin.Mode() == gin.ReleaseMode
aH.logger.Debug("Logout", fmt.Sprintf("domain=%s secure=%t", DOMAIN, secure))
// Clear cookies
c.SetCookie("access_token", "", -1, "/", DOMAIN, secure, true)
c.SetCookie("refresh_token", "", -1, "/", DOMAIN, secure, true)
c.JSON(http.StatusOK, gin.H{"message": "logged out"})
}

167
middlewareApi.go
View File

@@ -1,167 +0,0 @@
package AccessHandler
import (
"fmt"
"log"
"net/http"
"strings"
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/tecamino-logger/logging"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
)
// SetMiddlewareLogger
//
// Description:
//
// Registers a Gin middleware that attaches a custom logger instance
// to every incoming request via the Gin context. This allows other
// middleware and handlers to access the logger using:
//
// logger := c.MustGet("logger").(*logging.Logger)
//
// Parameters:
// - r: The Gin engine to which the middleware is applied.
// - logger: A pointer to the application's custom logger.
//
// Usage:
//
// SetMiddlewareLogger(router, logger)
func (aH *AccessHandlerAPI) SetMiddlewareLogger(r *gin.Engine, logger *logging.Logger) {
// Add middleware that injects logger into context
r.Use(func(c *gin.Context) {
c.Set("logger", logger)
c.Next()
})
}
// AuthMiddleware
//
// Description:
//
// A Gin middleware that performs authentication using a JWT token stored
// in a cookie named "access_token". It validates the token and extracts
// the user's role from the claims, storing it in the Gin context.
//
// Behavior:
// - Requires that SetMiddlewareLogger was used earlier to inject the logger.
// - If the JWT cookie is missing or invalid, it aborts the request with
// an appropriate HTTP error (401 or 500).
//
// Returns:
//
// A Gin handler function that can be used as middleware.
//
// Usage:
//
// r.Use(AuthMiddleware())
func (aH *AccessHandlerAPI) AuthMiddleware() gin.HandlerFunc {
return func(c *gin.Context) {
// Retrieve logger from Gin context
middlewareLogger, ok := c.Get("logger")
if !ok {
log.Fatal("middleware logger not set — use SetMiddlewareLogger first")
c.AbortWithStatusJSON(http.StatusInternalServerError, http.StatusInternalServerError)
return
}
logger := middlewareLogger.(*logging.Logger)
// Read access token from cookie
cookie, err := c.Cookie("access_token")
if err != nil {
logger.Error("AuthMiddleware", err)
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
return
}
// Parse and validate JWT token
token, err := jwt.Parse(cookie, func(t *jwt.Token) (any, error) {
return ACCESS_SECRET, nil
})
if err != nil || !token.Valid {
logger.Error("AuthMiddleware", err)
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "invalid token"})
return
}
// Extract custom claims (role)
if claims, ok := token.Claims.(jwt.MapClaims); ok {
role, _ := claims["role"].(string)
c.Set("role", role)
}
c.Next()
}
}
// (AccessHandler).AuthorizeRole
//
// Description:
//
// A role-based authorization middleware. It checks whether the authenticated
// user (based on the "role" set in AuthMiddleware) has permission to access
// the given route. The check is performed by comparing the requested URL
// path against the users allowed permissions.
//
// Parameters:
// - suffix: A URL prefix to trim from the request path before matching
// permissions (e.g., "/api/v1").
//
// Behavior:
// - Fetches the user role from Gin context.
// - Uses aH.GetRoleByKey() to retrieve role records and permissions.
// - Grants access (calls c.Next()) if a matching permission is found.
// - Denies access (401 Unauthorized) if no permission matches.
//
// Usage:
//
// router.GET("/secure/:id", aH.AuthorizeRole("/api/v1"))
func (aH *AccessHandlerAPI) AuthorizeRole(suffix string) gin.HandlerFunc {
return func(c *gin.Context) {
aH.logger.Debug("AuthorizeRole", "permission path of url path")
permissionPath := strings.TrimPrefix(c.Request.URL.Path, suffix+"/")
aH.logger.Debug("AuthorizeRole", "get set role")
role, ok := c.Get("role")
if !ok {
aH.logger.Error("AuthorizeRole", "no role set")
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": http.StatusInternalServerError})
return
}
// Fetch roles and associated permissions from the database or store
var roles []models.Role
err := aH.dbHandler.GetByKey(&roles, "role", role, false)
if err != nil {
aH.logger.Error("AuthorizeRole", err)
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": http.StatusInternalServerError})
return
}
// Validate that a role was found
if len(roles) == 0 {
log.Println("not logged in")
aH.logger.Error("AuthorizeRole", "no logged in")
c.JSON(http.StatusUnauthorized, http.StatusUnauthorized)
return
} else if len(roles) > 1 {
aH.logger.Error("AuthorizeRole", "more than one record found")
c.JSON(http.StatusInternalServerError, http.StatusInternalServerError)
return
}
// Check permissions
for _, permission := range roles[0].Permissions {
fmt.Println(100, permissionPath, permission.Name)
if permission.Name == permissionPath {
c.Next()
return
}
}
// Access denied
aH.logger.Error("AuthorizeRole", "Forbidden")
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "Forbidden"})
}
}

4
models/permission.go
View File

@@ -12,8 +12,10 @@ func (r *Permissions) DefaultPermissions() {
*r = append(*r, *r = append(*r,
Permission{Name: "settings", Permission: 7}, Permission{Name: "settings", Permission: 7},
Permission{Name: "userSettings", Permission: 7}, Permission{Name: "userSettings", Permission: 7},
Permission{Name: "members", Permission: 7}, Permission{Name: "members", Permission: 31},
Permission{Name: "events", Permission: 7}, Permission{Name: "events", Permission: 7},
Permission{Name: "responsible", Permission: 7},
Permission{Name: "group", Permission: 7},
) )
} }

1
models/settings.go
View File

@@ -12,6 +12,7 @@ type Settings struct {
SecondaryColor string `json:"secondaryColor,omitempty"` SecondaryColor string `json:"secondaryColor,omitempty"`
SecondaryColorText string `json:"secondaryColorText,omitempty"` SecondaryColorText string `json:"secondaryColorText,omitempty"`
Icon string `json:"icon,omitempty"` Icon string `json:"icon,omitempty"`
AppName string `json:"appName,omitempty"`
DatabaseName string `json:"databaseName,omitempty"` DatabaseName string `json:"databaseName,omitempty"`
DatabaseToken string `json:"databaseToken,omitempty"` DatabaseToken string `json:"databaseToken,omitempty"`
} }

28
models/user.go
View File

@@ -1,14 +1,30 @@
package models package models
import (
"time"
)
type User struct { type User struct {
Id uint `gorm:"primaryKey" json:"id"` Id uint `gorm:"primaryKey" json:"id"`
Name string `gorm:"column:user_name" json:"user"` Name string `gorm:"column:user_name" json:"user"`
Email string `gorm:"column:email" json:"email"` Email string `gorm:"column:email" json:"email"`
Role string `gorm:"column:role" json:"role"` RoleID *uint `gorm:"column:roleId" json:"roleId,omitempty"`
Password string `gorm:"column:password" json:"password"` Role *Role `gorm:"foreignKey:RoleID" json:"role,omitempty"`
Settings Settings `gorm:"type:json" json:"settings"` Password string `gorm:"column:password" json:"password"`
NewPassword string `gorm:"-" json:"newPassword,omitempty"`
Expiration string `gorm:"column:expiration" json:"expiration,omitempty"`
Settings Settings `gorm:"type:json" json:"settings"`
} }
func (u *User) IsValid() bool { func (u *User) IsValid() bool {
return u.Name != "" return u.Name != ""
} }
func (u *User) ExpirationIsValid() bool {
if u.Expiration == "" || u.Expiration == "never" {
return true
}
loc := time.Now().Location()
parsedTime, _ := time.ParseInLocation("2006-01-02 15:04:05", u.Expiration, loc)
return parsedTime.After(time.Now())
}

197
role.go
View File

@@ -1,197 +0,0 @@
package AccessHandler
import (
"fmt"
"gitea.tecamino.com/paadi/access-handler/models"
)
// AddRoleTable
//
// Description:
//
// Creates a new database table for storing role definitions if it does not already exist.
//
// Behavior:
// - Uses the DBHandler to add a table based on the `models.Role` struct.
// - Returns an error if table creation fails.
//
// Returns:
// - error: Any database error encountered.
func (aH *AccessHandler) AddRoleTable() error {
return aH.dbHandler.AddNewTable(models.Role{})
}
// AddDefaultRole
//
// Description:
//
// Ensures that a default administrative role exists in the database.
// If a role named "admin" is already present, it logs and skips creation.
//
// Behavior:
// 1. Checks for an existing "admin" role.
// 2. If not found, initializes default permissions using
// `models.Permissions.DefaultPermissions()`.
// 3. Creates a new role record with those permissions.
//
// Default Role:
// - Role: "admin"
// - Permissions: all default permissions defined in `models.Permissions`.
//
// Returns:
// - error: Any database or creation error encountered.
func (aH *AccessHandler) AddDefaultRole() (err error) {
role := "admin"
// Check if a role with this name already exists
if err := aH.dbHandler.Exists(&models.Role{}, "role", role, false); err == nil {
// Found a role → skip creation
aH.logger.Debug("AddDefaultRole", "role "+role+" exists already")
return nil
}
// Initialize default permissions for admin
permissions := models.Permissions{}
aH.logger.Debug("AddDefaultRole", "set default Permissions")
permissions.DefaultPermissions()
// Create the default admin role
aH.dbHandler.AddNewColum(&models.Role{
Role: role,
Permissions: permissions,
})
return
}
// AddNewRole
//
// Description:
//
// Adds a new role with a specific set of permissions to the database.
//
// Behavior:
// 1. Checks whether a role with the same name already exists.
// 2. If it does not exist, creates a new role record.
//
// Parameters:
// - role: The role name (e.g., "manager", "viewer").
// - permissions: A `models.Permissions` struct defining allowed actions.
//
// Returns:
// - error: If the role already exists or insertion fails.
func (aH *AccessHandler) AddNewRole(role string, permissions models.Permissions) (err error) {
// Check if a role with this name already exists
if err := aH.dbHandler.Exists(&models.Role{}, "role", role, false); err == nil {
// Found a role → skip creation
return fmt.Errorf("role with name %s already exists", role)
}
// Insert new role with provided permissions
aH.dbHandler.AddNewColum(&models.Role{
Role: role,
Permissions: permissions,
})
return
}
// GetRoleById
//
// Description:
//
// Retrieves a role record from the database by its numeric ID.
//
// Parameters:
// - id: The unique ID of the role.
//
// Returns:
// - roles: A slice containing the matched role (usually length 1).
// - err: Any database error encountered.
func (aH *AccessHandler) GetRoleById(id uint) (roles []models.Role, err error) {
err = aH.dbHandler.GetById(&roles, id)
return
}
// GetRoleByKey
//
// Description:
//
// Retrieves one or more roles based on a key/value query.
//
// Parameters:
// - key: The column name to search by (e.g., "role").
// - value: The value to match (e.g., "admin").
// - likeSearch: Whether to use SQL LIKE for partial matches.
//
// Returns:
// - roles: A list of matched roles.
// - err: Any database error encountered.
func (aH *AccessHandler) GetRoleByKey(key string, value any, likeSearch bool) (roles []models.Role, err error) {
err = aH.dbHandler.GetByKey(&roles, key, value, likeSearch)
return
}
// UpdateRoleById
//
// Description:
//
// Updates a role record identified by its numeric ID.
//
// Parameters:
// - id: The ID of the role to update.
// - role: A struct containing updated role data.
//
// Returns:
// - error: Any database error encountered.
func (aH *AccessHandler) UpdateRoleById(id uint, role models.Role) error {
return aH.dbHandler.UpdateValuesById(&role, id)
}
// UpdateRoleByKey
//
// Description:
//
// Updates a role record using a column key/value lookup.
//
// Parameters:
// - role: The updated role data.
// - key: The column name to search by.
// - value: The value to match against the key column.
//
// Returns:
// - error: Any database error encountered.
func (aH *AccessHandler) UpdateRoleByKey(role models.Role, key string, value any) error {
return aH.dbHandler.UpdateValuesByKey(&role, key, value)
}
// DeleteRoleById
//
// Description:
//
// Deletes a role record from the database by its numeric ID.
//
// Parameters:
// - id: The ID of the role to delete.
//
// Returns:
// - error: Any database error encountered during deletion.
func (aH *AccessHandler) DeleteRoleById(id uint) (err error) {
return aH.dbHandler.DeleteById(&models.Role{}, id)
}
// DeleteRoleByKey
//
// Description:
//
// Deletes one or more roles from the database matching a given key/value pair.
//
// Parameters:
// - key: The column name used for filtering (e.g., "role").
// - value: The matching value (e.g., "admin").
// - likeSearch: If true, performs a LIKE (partial) match.
//
// Returns:
// - error: Any database error encountered.
func (aH *AccessHandler) DeleteRoleByKey(key string, value any, likeSearch bool) (err error) {
return aH.dbHandler.DeleteByKey(&models.Role{}, key, value, likeSearch)
}

218
user.go
View File

@@ -1,218 +0,0 @@
package AccessHandler
import (
"fmt"
"gitea.tecamino.com/paadi/access-handler/models"
"gitea.tecamino.com/paadi/access-handler/utils"
)
// AddUserTable
//
// Description:
//
// Creates a new database table for storing user records if it does not already exist.
//
// Behavior:
// - Uses the DBHandler to add a table based on the `models.User` struct.
// - Returns any error encountered during table creation.
//
// Returns:
// - error: Any database error that occurs while creating the table.
func (aH *AccessHandler) AddUserTable() error {
return aH.dbHandler.AddNewTable(models.User{})
}
// AddDefaultUser
//
// Description:
//
// Ensures a default administrative user exists in the database.
// If a user with the predefined email already exists, the function logs
// a debug message and exits without making changes.
//
// Behavior:
// 1. Checks if the default user (admin) already exists by email.
// 2. If not found, creates default Quasar UI settings and adds the user.
//
// Default User:
// - Name: "admin"
// - Role: "admin"
// - Email: "zuercher@tecamino.ch"
// - Password: (empty or hashed later)
//
// Returns:
// - error: Any database or creation error encountered.
func (aH *AccessHandler) AddDefaultUser() (err error) {
name := "admin"
role := "admin"
email := "zuercher@tecamino.ch"
// Check if a user with this email already exists
if err := aH.dbHandler.Exists(&models.User{}, "email", email, false); err == nil {
aH.logger.Debug("AddDefaultUser", "user email "+email+" exists already")
// Found a user → skip create
return nil
}
// Create default settings for the new user
settings := models.Settings{}
aH.logger.Debug("AddDefaultUser", "set default quasar settings")
settings.DefaultQuasarSettings()
// Insert default admin user into the database
aH.dbHandler.AddNewColum(&models.User{
Name: name,
Role: role,
Email: email,
Password: "$2a$10$sZZOWBP8DSFLrLFQNoXw8OsEEr0tez1B8lPzKCHofaHg6PMNxx1pG",
Settings: settings,
})
return
}
// AddNewUser
//
// Description:
//
// Adds a new user record to the database with a hashed password.
//
// Behavior:
// 1. Verifies that the email does not already exist.
// 2. Hashes the password using utils.HashPassword().
// 3. Inserts the new user record into the database.
//
// Parameters:
// - userName: The user's display name.
// - email: The user's unique email address.
// - password: The user's raw password (will be hashed).
// - role: The role assigned to the user.
//
// Returns:
// - error: If the user already exists or if hashing/insertion fails.
func (aH *AccessHandler) AddNewUser(userName, email, password, role string) (err error) {
// Check if a user with this email already exists
if err := aH.dbHandler.Exists(&models.User{}, "email", email, false); err == nil {
// Found a user → skip create
aH.logger.Error("AddNewUser", "user with email "+email+" already exists")
return fmt.Errorf("user with email %s already exists", email)
}
// Hash the provided password before saving
hash, err := utils.HashPassword(password)
if err != nil {
return err
}
aH.logger.Debug("AddNewUser", "add new user "+userName+" with role "+role)
// Insert the new user record
aH.dbHandler.AddNewColum(&models.User{
Name: userName,
Role: role,
Email: email,
Password: hash,
})
return
}
// GetUserById
//
// Description:
//
// Retrieves user(s) from the database by their unique ID.
//
// Parameters:
// - id: The numeric user ID.
//
// Returns:
// - users: A slice containing the matched user (usually length 1).
// - err: Any database error encountered.
func (aH *AccessHandler) GetUserById(id uint) (users []models.User, err error) {
err = aH.dbHandler.GetById(&users, id)
return
}
// GetUserByKey
//
// Description:
//
// Queries users based on a given column key and value.
//
// Parameters:
// - key: The column name to search by (e.g., "email").
// - value: The value to match.
// - likeSearch: If true, performs a LIKE (partial) search.
//
// Returns:
// - users: A list of users that match the search criteria.
// - err: Any database error encountered.
func (aH *AccessHandler) GetUserByKey(key string, value any, likeSearch bool) (users []models.User, err error) {
err = aH.dbHandler.GetByKey(&users, key, value, likeSearch)
return
}
// UpdateUserById
//
// Description:
//
// Updates an existing user record identified by its numeric ID.
//
// Parameters:
// - id: The user ID to update.
// - user: A struct containing updated field values.
//
// Returns:
// - error: Any error encountered during the update.
func (aH *AccessHandler) UpdateUserById(id uint, user models.User) error {
return aH.dbHandler.UpdateValuesById(&user, id)
}
// UpdateUserByKey
//
// Description:
//
// Updates a user record based on a specified column key and value.
//
// Parameters:
// - user: The updated user data.
// - key: The column name used for lookup.
// - value: The value to match against the key column.
//
// Returns:
// - error: Any error encountered during the update.
func (aH *AccessHandler) UpdateUserByKey(user models.User, key string, value any) error {
return aH.dbHandler.UpdateValuesByKey(&user, key, value)
}
// DeleteUserById
//
// Description:
//
// Deletes a user from the database using their numeric ID.
//
// Parameters:
// - id: The ID of the user to delete.
//
// Returns:
// - error: Any database error encountered during deletion.
func (aH *AccessHandler) DeleteUserById(id uint) (err error) {
return aH.dbHandler.DeleteById(&models.User{}, id)
}
// DeleteUserByKey
//
// Description:
//
// Deletes users matching a specific key/value pair from the database.
//
// Parameters:
// - key: The column name to search by.
// - value: The value to match.
// - likeSearch: Whether to use a partial match (LIKE).
//
// Returns:
// - error: Any database error encountered during deletion.
func (aH *AccessHandler) DeleteUserByKey(key string, value any, likeSearch bool) (err error) {
return aH.dbHandler.DeleteByKey(&models.User{}, key, value, likeSearch)
}