feat: admin routes + better auth routing

internal/auth/jwt.go

@@ -1,83 +0,0 @@
-package auth
-
-import (
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/base64"
-	"fmt"
-
-	"gitea.local/admin/hspguard/internal/types"
-	"github.com/golang-jwt/jwt/v5"
-)
-
-func ParseBase64PrivateKey(b64 string) (*rsa.PrivateKey, error) {
-	decoded, err := base64.StdEncoding.DecodeString(b64)
-	if err != nil {
-		return nil, fmt.Errorf("failed to decode base64 key: %v", err)
-	}
-
-	key, err := x509.ParsePKCS8PrivateKey(decoded)
-	return key.(*rsa.PrivateKey), err
-}
-
-func ParseBase64PublicKey(b64 string) (*rsa.PublicKey, error) {
-	decoded, err := base64.StdEncoding.DecodeString(b64)
-	if err != nil {
-		return nil, fmt.Errorf("failed to decode base64 key: %v", err)
-	}
-
-	pubInterface, err := x509.ParsePKIXPublicKey(decoded)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse public key: %v", err)
-	}
-
-	pubKey, ok := pubInterface.(*rsa.PublicKey)
-	if !ok {
-		return nil, fmt.Errorf("not an RSA public key")
-	}
-
-	return pubKey, nil
-}
-
-func SignJwtToken(claims jwt.Claims, key string) (string, error) {
-	privateKey, err := ParseBase64PrivateKey(key)
-	if err != nil {
-		return "", err
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-
-	token.Header["kid"] = "my-rsa-key-1"
-
-	s, err := token.SignedString(privateKey)
-	if err != nil {
-		return "", err
-	}
-
-	return s, nil
-}
-
-func VerifyToken(token string, key string) (*jwt.Token, *types.UserClaims, error) {
-	publicKey, err := ParseBase64PublicKey(key)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	claims := &types.UserClaims{}
-	parsed, err := jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (any, error) {
-		if _, ok := t.Method.(*jwt.SigningMethodRSA); !ok {
-			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
-		}
-		return publicKey, nil
-	})
-
-	if err != nil {
-		return nil, nil, fmt.Errorf("invalid token: %w", err)
-	}
-
-	if !parsed.Valid {
-		return nil, nil, fmt.Errorf("token is not valid")
-	}
-
-	return parsed, claims, nil
-}

internal/auth/routes.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"gitea.local/admin/hspguard/internal/config"
+	imiddleware "gitea.local/admin/hspguard/internal/middleware"
 	"gitea.local/admin/hspguard/internal/repository"
 	"gitea.local/admin/hspguard/internal/types"
 	"gitea.local/admin/hspguard/internal/util"
@@ -34,7 +35,7 @@ func (h *AuthHandler) signTokens(user *repository.User) (string, string, error)
 		},
 	}
 
-	accessToken, err := SignJwtToken(accessClaims, h.cfg.Jwt.PrivateKey)
+	accessToken, err := util.SignJwtToken(accessClaims, h.cfg.Jwt.PrivateKey)
 	if err != nil {
 		return "", "", err
 	}
@@ -50,7 +51,7 @@ func (h *AuthHandler) signTokens(user *repository.User) (string, string, error)
 		},
 	}
 
-	refreshToken, err := SignJwtToken(refreshClaims, h.cfg.Jwt.PrivateKey)
+	refreshToken, err := util.SignJwtToken(refreshClaims, h.cfg.Jwt.PrivateKey)
 	if err != nil {
 		return "", "", err
 	}
@@ -66,9 +67,17 @@ func NewAuthHandler(repo *repository.Queries, cfg *config.AppConfig) *AuthHandle
 }
 
 func (h *AuthHandler) RegisterRoutes(api chi.Router) {
-	api.Get("/auth/profile", h.getProfile)
-	api.Post("/auth/login", h.login)
-	api.Post("/auth/refresh", h.refreshToken)
+	api.Route("/auth", func(r chi.Router) {
+		r.Group(func(protected chi.Router) {
+			authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
+			protected.Use(authMiddleware.Runner)
+
+			protected.Get("/profile", h.getProfile)
+		})
+
+		r.Post("/login", h.login)
+		r.Post("/refresh", h.refreshToken)
+	})
 }
 
 func (h *AuthHandler) refreshToken(w http.ResponseWriter, r *http.Request) {
@@ -85,7 +94,7 @@ func (h *AuthHandler) refreshToken(w http.ResponseWriter, r *http.Request) {
 	}
 
 	tokenStr := parts[1]
-	token, userClaims, err := VerifyToken(tokenStr, h.cfg.Jwt.PublicKey)
+	token, userClaims, err := util.VerifyToken(tokenStr, h.cfg.Jwt.PublicKey)
 	if err != nil || !token.Valid {
 		http.Error(w, fmt.Sprintf("invalid token: %v", err), http.StatusUnauthorized)
 		return