172 lines
5.1 KiB
Go
172 lines
5.1 KiB
Go
package handlers
|
||
|
||
import (
|
||
"log"
|
||
"net/http"
|
||
"slices"
|
||
"strings"
|
||
|
||
"gitea.tecamino.com/paadi/access-handler/models"
|
||
"gitea.tecamino.com/paadi/tecamino-logger/logging"
|
||
"github.com/gin-gonic/gin"
|
||
"github.com/golang-jwt/jwt/v5"
|
||
)
|
||
|
||
// SetMiddlewareLogger
|
||
//
|
||
// Description:
|
||
//
|
||
// Registers a Gin middleware that attaches a custom logger instance
|
||
// to every incoming request via the Gin context. This allows other
|
||
// middleware and handlers to access the logger using:
|
||
//
|
||
// logger := c.MustGet("logger").(*logging.Logger)
|
||
//
|
||
// Parameters:
|
||
// - r: The Gin engine to which the middleware is applied.
|
||
// - logger: A pointer to the application's custom logger.
|
||
//
|
||
// Usage:
|
||
//
|
||
// SetMiddlewareLogger(router, logger)
|
||
func (aH *AccessHandler) SetMiddlewareLogger(r *gin.Engine) {
|
||
// Add middleware that injects logger into context
|
||
r.Use(func(c *gin.Context) {
|
||
c.Set("logger", aH.logger)
|
||
c.Next()
|
||
})
|
||
}
|
||
|
||
// AuthMiddleware
|
||
//
|
||
// Description:
|
||
//
|
||
// A Gin middleware that performs authentication using a JWT token stored
|
||
// in a cookie named "access_token". It validates the token and extracts
|
||
// the user's role from the claims, storing it in the Gin context.
|
||
//
|
||
// Behavior:
|
||
// - Requires that SetMiddlewareLogger was used earlier to inject the logger.
|
||
// - If the JWT cookie is missing or invalid, it aborts the request with
|
||
// an appropriate HTTP error (401 or 500).
|
||
//
|
||
// Returns:
|
||
//
|
||
// A Gin handler function that can be used as middleware.
|
||
//
|
||
// Usage:
|
||
//
|
||
// r.Use(AuthMiddleware())
|
||
func (aH *AccessHandler) AuthMiddleware() gin.HandlerFunc {
|
||
return func(c *gin.Context) {
|
||
// Retrieve logger from Gin context
|
||
middlewareLogger, ok := c.Get("logger")
|
||
if !ok {
|
||
log.Fatal("middleware logger not set — use SetMiddlewareLogger first")
|
||
c.AbortWithStatusJSON(http.StatusInternalServerError, http.StatusInternalServerError)
|
||
return
|
||
}
|
||
logger := middlewareLogger.(*logging.Logger)
|
||
|
||
// Read access token from cookie
|
||
cookie, err := c.Cookie("access_token")
|
||
if err != nil {
|
||
logger.Error("AuthMiddleware", err)
|
||
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
|
||
return
|
||
}
|
||
|
||
// Parse and validate JWT token
|
||
token, err := jwt.Parse(cookie, func(t *jwt.Token) (any, error) {
|
||
return ACCESS_SECRET, nil
|
||
})
|
||
if err != nil || !token.Valid {
|
||
logger.Error("AuthMiddleware", err)
|
||
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "invalid token"})
|
||
return
|
||
}
|
||
|
||
// Extract custom claims (role)
|
||
if claims, ok := token.Claims.(jwt.MapClaims); ok {
|
||
role, _ := claims["role"].(string)
|
||
c.Set("role", role)
|
||
}
|
||
c.Next()
|
||
}
|
||
}
|
||
|
||
// (AccessHandler).AuthorizeRole
|
||
//
|
||
// Description:
|
||
//
|
||
// A role-based authorization middleware. It checks whether the authenticated
|
||
// user (based on the "role" set in AuthMiddleware) has permission to access
|
||
// the given route. The check is performed by comparing the requested URL
|
||
// path against the user’s allowed permissions.
|
||
//
|
||
// Parameters:
|
||
// - suffix: A URL prefix to trim from the request path before matching
|
||
// permissions (e.g., "/api/v1").
|
||
//
|
||
// Behavior:
|
||
// - Fetches the user role from Gin context.
|
||
// - Uses aH.GetRoleByKey() to retrieve role records and permissions.
|
||
// - Grants access (calls c.Next()) if a matching permission is found.
|
||
// - Denies access (401 Unauthorized) if no permission matches.
|
||
//
|
||
// Usage:
|
||
//
|
||
// router.GET("/secure/:id", aH.AuthorizeRole("/api/v1"))
|
||
func (aH *AccessHandler) AuthorizeRole(suffix string, exeptions ...string) gin.HandlerFunc {
|
||
return func(c *gin.Context) {
|
||
aH.logger.Debug("AuthorizeRole", "permission path of url path")
|
||
permissionPath := strings.TrimPrefix(c.Request.URL.Path, suffix+"/")
|
||
|
||
aH.logger.Debug("AuthorizeRole", "get set role")
|
||
role, ok := c.Get("role")
|
||
if !ok {
|
||
aH.logger.Error("AuthorizeRole", "no role set")
|
||
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": http.StatusInternalServerError})
|
||
return
|
||
}
|
||
|
||
// Fetch roles and associated permissions from the database or store
|
||
var roles []models.Role
|
||
err := aH.dbHandler.GetByKey(&roles, "role", role, false)
|
||
if err != nil {
|
||
aH.logger.Error("AuthorizeRole", err)
|
||
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": http.StatusInternalServerError})
|
||
return
|
||
}
|
||
|
||
// Validate that a role was found
|
||
if len(roles) == 0 {
|
||
aH.logger.Error("AuthorizeRole", "not logged in")
|
||
c.JSON(http.StatusUnauthorized, http.StatusUnauthorized)
|
||
return
|
||
} else if len(roles) > 1 {
|
||
aH.logger.Error("AuthorizeRole", "more than one record found")
|
||
c.JSON(http.StatusInternalServerError, http.StatusInternalServerError)
|
||
return
|
||
}
|
||
|
||
// check exeptions
|
||
if slices.Contains(exeptions, permissionPath) {
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
// Check permissions
|
||
for _, permission := range roles[0].Permissions {
|
||
if permission.Name == permissionPath {
|
||
c.Next()
|
||
return
|
||
}
|
||
}
|
||
|
||
// Access denied
|
||
aH.logger.Error("AuthorizeRole", "Forbidden")
|
||
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "Forbidden"})
|
||
}
|
||
}
|