admin/hspguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: admin:db99236501e632421fd6d1579470d3ed5b4ee260
Branches Tags
admin:main admin:group-role-permission
...
compare: admin:group-role-permission
Branches Tags
admin:group-role-permission admin:main

94 Commits
db99236501 ... group-role

Author SHA1 Message Date
LandaMm
d35e5813b5 feat: beta version of role management for single user 2025-07-20 17:59:54 +02:00
LandaMm
533e6ea6af fix: no avatar handling 2025-06-30 00:08:25 +02:00
LandaMm
0c24ed9382 feat: check role assignment 2025-06-30 00:08:14 +02:00
LandaMm
f5c61bb6a0 feat: show roles 2025-06-29 23:20:59 +02:00
LandaMm
eb05f830fe feat: roles & group state 2025-06-29 23:20:50 +02:00
LandaMm
d86a9de388 feat: assign system roles 2025-06-29 23:19:05 +02:00
LandaMm
d80caac81b feat: roles API + type def 2025-06-25 11:56:06 +02:00
LandaMm
5d49a661ed feat: add roles & groups page 2025-06-25 11:55:52 +02:00
LandaMm
635a2d6058 feat: roles & groups page 2025-06-25 11:55:41 +02:00
LandaMm
1eb96e906d feat: create system roles 2025-06-25 11:55:27 +02:00
LandaMm
58974d9789 feat: add scope to the role 2025-06-25 11:55:04 +02:00
LandaMm
329fac415f feat: get all roles endpoint 2025-06-25 11:54:45 +02:00
LandaMm
a83ec61fae fix: avoid null value 2025-06-25 11:54:19 +02:00
LandaMm
d5e86acacf fix: import of user permissions API 2025-06-24 19:05:21 +02:00
LandaMm
221ef192bc feat: permissions store 2025-06-24 19:05:07 +02:00
LandaMm
18664dbd8b feat: remove image borders for service 2025-06-24 19:04:59 +02:00
LandaMm
d097735965 fix: remove unnecessary test fethcing 2025-06-24 19:04:48 +02:00
LandaMm
992776b8a6 feat: new nav item for app permissions 2025-06-24 19:04:26 +02:00
LandaMm
3f260b9029 feat: add API for fetching ALL permissions 2025-06-24 19:04:15 +02:00
LandaMm
65f40d0897 feat: app permissions admin page 2025-06-24 19:04:01 +02:00
LandaMm
6d482c784f feat: admin fetch all permissions 2025-06-24 19:03:45 +02:00
LandaMm
dc07868d15 feat: call permissions ensure 2025-06-24 19:01:26 +02:00
LandaMm
09a2f05ee5 feat: fetch permissions + grouped fetching 2025-06-24 19:01:16 +02:00
LandaMm
5cec1cf561 feat: ensure system permissions 2025-06-24 19:00:36 +02:00
LandaMm
3281764eff feat: display user's raw permissions 2025-06-24 14:37:25 +02:00
LandaMm
868337134d feat: get permissions call 2025-06-24 12:59:10 +02:00
LandaMm
9372673bf1 test: get user permissions endpoint 2025-06-24 12:58:29 +02:00
LandaMm
0eea81b42f feat: update repo with group, roles and permissions 2025-06-24 12:58:14 +02:00
LandaMm
7468303e41 feat: make name + scope combi unique 2025-06-24 12:18:54 +02:00
LandaMm
8745e7d8bc feat: group role permission 2025-06-17 12:21:02 +02:00
Amir Adal
bdc42beb27 Merge pull request 'sessions' (#2) from sessions into main 
Reviewed-on: #2
 2025-06-16 19:03:01 +02:00
LandaMm
72083fa0a4 hot+fix: round expires in number 2025-06-16 19:01:28 +02:00
LandaMm
b3ad13e55d feat: ignore .env.remote 2025-06-15 22:16:17 +02:00
LandaMm
0db54e0268 feat: update service session on refresh 2025-06-15 21:13:33 +02:00
LandaMm
b3ef96a0ce feat: update service session's tokens 2025-06-15 21:13:23 +02:00
LandaMm
a773f1f8b4 feat: signed token type 2025-06-15 21:05:09 +02:00
LandaMm
1a71f50914 fix: 'boolean' instead of 'bool' 2025-06-15 21:05:03 +02:00
LandaMm
d17e154e42 feat: logical columns for service sessions table 2025-06-15 21:04:50 +02:00
LandaMm
bad26775eb fix: don't redirect due to credentials modal 2025-06-15 21:04:40 +02:00
LandaMm
c3fd6637a5 fix: numeration 2025-06-15 21:04:22 +02:00
LandaMm
20173ea140 fix: numeration 2025-06-15 21:04:07 +02:00
LandaMm
41d439beab feat: create service session 2025-06-15 21:02:38 +02:00
LandaMm
b36b6e18ca feat: use signed token from types 2025-06-15 21:02:22 +02:00
LandaMm
1765485027 feat: decrease inner spacing 2025-06-15 19:41:05 +02:00
LandaMm
c5fb5e674a feat: revoke service session 2025-06-15 19:40:54 +02:00
LandaMm
03bf655051 feat: service sessions feature 2025-06-15 19:36:02 +02:00
LandaMm
f8589fce5d feat: refetch sessions 2025-06-15 19:29:03 +02:00
LandaMm
ac62158de9 feat: pagination + session revoking UI 2025-06-15 19:27:02 +02:00
LandaMm
44e1a18e9a feat: user sessions state 2025-06-15 19:26:52 +02:00
LandaMm
e0f2c3219f feat: message populating from responswe 2025-06-15 19:26:43 +02:00
LandaMm
d2d52dc041 feat: pagination + revoke session API 2025-06-15 19:26:27 +02:00
LandaMm
d7d142152c feat: repo update 2025-06-15 19:26:18 +02:00
LandaMm
5c321311cd feat: pagination support + fix: able to get inactive session 2025-06-15 19:26:01 +02:00
LandaMm
ffc8a5f44d feat: session verification 2025-06-15 19:25:21 +02:00
LandaMm
dbff94e7b3 feat: pass repo access to middleware 2025-06-15 19:25:13 +02:00
LandaMm
0b1ef77689 feat: user/service sessions type 2025-06-15 18:10:47 +02:00
LandaMm
b0005c6702 feat: add new nav item for user sessions 2025-06-15 18:10:31 +02:00
LandaMm
c2abf1a5ba feat: add admin sessions page 2025-06-15 18:10:21 +02:00
LandaMm
ac50929e6e feat: ui pagination component draft 2025-06-15 18:10:11 +02:00
LandaMm
32785398ca feat: user sessions list page 2025-06-15 18:10:00 +02:00
LandaMm
cc497b6016 feat: sessions API 2025-06-15 18:09:48 +02:00
LandaMm
97ffcbdaa4 feat: sessions endpoints 2025-06-15 18:09:26 +02:00
LandaMm
d09bf8ff02 feat: install moment 2025-06-15 18:09:08 +02:00
LandaMm
c0814093e5 feat: get user sessions joined with user data 2025-06-15 18:08:58 +02:00
LandaMm
d48519741d feat: add user-sessions routes 2025-06-15 18:08:44 +02:00
LandaMm
213991126d feat: move api services dto into separate types file 2025-06-15 18:08:34 +02:00
LandaMm
c7e88606e3 feat: return status of request 2025-06-13 21:46:06 +02:00
LandaMm
a0d506fb76 feat: navigate to list page after successful create 2025-06-13 21:45:53 +02:00
LandaMm
0ec7743fca feat: delimiter handling/support 2025-06-13 21:45:39 +02:00
LandaMm
a8a0fa55b7 feat: delimiter def 2025-06-13 21:45:32 +02:00
LandaMm
7321448ce7 fix: reload accounts 2025-06-11 21:06:36 +02:00
LandaMm
6d5e0fc9a9 feat: signout API 2025-06-11 21:00:22 +02:00
LandaMm
ef05d66787 feat: register signout route 2025-06-11 20:52:30 +02:00
LandaMm
b3296c45ad feat: get request JTI helper 2025-06-11 20:52:22 +02:00
LandaMm
7fd163f957 feat: signout endpoitn 2025-06-11 20:51:39 +02:00
LandaMm
0f0d50a684 feat: set token jti in request 2025-06-11 20:39:34 +02:00
LandaMm
68074e02bc feat: jti request key 2025-06-11 20:39:20 +02:00
LandaMm
8d38a86f86 feat: get client ip util 2025-06-11 20:35:38 +02:00
LandaMm
e0c095c24d feat: create/update session when refreshing 2025-06-11 20:34:56 +02:00
LandaMm
4c318b15cd feat: refactor login 2025-06-11 20:33:49 +02:00
LandaMm
5ea6bc4251 feat: build device info util 2025-06-11 20:33:34 +02:00
LandaMm
1cbe908489 fix: use printf 2025-06-11 18:49:39 +02:00
LandaMm
53ee156e67 feat: get location util 2025-06-11 18:48:54 +02:00
LandaMm
07a936acc7 feat: device info type 2025-06-11 18:48:48 +02:00
LandaMm
f892f0da24 feat: update session + ps type overriding 2025-06-11 18:48:41 +02:00
LandaMm
38955ee4e6 fix: use the token 2025-06-11 18:48:08 +02:00
LandaMm
7fa7e87e88 feat: token sign with meta data 2025-06-11 18:47:59 +02:00
LandaMm
f085f2e271 feat: create user session 2025-06-11 18:47:45 +02:00
LandaMm
08add259a4 feat: install uasurfer 2025-06-11 18:47:34 +02:00
LandaMm
5b6142dfa6 feat: user/service sessions repo 2025-06-10 19:46:37 +02:00
LandaMm
dc41521a99 fix+feat: use verify oauth client helper in token as well 2025-06-09 15:55:36 +02:00
LandaMm
299e7eddc4 feat: verify api service in code generation 2025-06-09 15:39:56 +02:00
LandaMm
b4699e987c feat: service and user session queries 2025-06-08 22:59:33 +02:00
LandaMm
be9d4f2a1b feat: user and service sessions 2025-06-08 22:59:24 +02:00
77 changed files with 4636 additions and 276 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@ -27,6 +27,7 @@ go.work.sum
# env file
.env
.env.remote
# key files
*.pem

1
cmd/hspguard/main.go
View File

@ -45,6 +45,7 @@ func main() {
cache := cache.NewClient(&cfg)
user.EnsureAdminUser(ctx, &cfg, repo)
user.EnsureSystemPermissions(ctx, repo)
server := api.NewAPIServer(fmt.Sprintf("%s:%s", cfg.Host, cfg.Port), repo, fStorage, cache, &cfg)
if err := server.Run(); err != nil {

4
docker-compose.yml
View File

@ -6,6 +6,8 @@ services:
environment:
POSTGRES_USER: guard
POSTGRES_PASSWORD: guard
volumes:
- postgres-data:/var/lib/postgresql/data
ports:
- "5432:5432"
@ -23,3 +25,5 @@ services:
volumes:
redis-data:
driver: local
postgres-data:
driver: local

1
go.mod
View File

@ -11,6 +11,7 @@ require (
)
require (
github.com/avct/uasurfer v0.0.0-20250506104815-f2613aa2d406 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
github.com/dustin/go-humanize v1.0.1 // indirect

2
go.sum
View File

@ -1,3 +1,5 @@
github.com/avct/uasurfer v0.0.0-20250506104815-f2613aa2d406 h1:5/KfwL9TS8yNtUSunutqifcSC8rdX9PNdvbSsw/X/lQ=
github.com/avct/uasurfer v0.0.0-20250506104815-f2613aa2d406/go.mod h1:s+GCtuP4kZNxh1WGoqdWI1+PbluBcycrMMWuKQ9e5Nk=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

50
internal/admin/apiservices.go
View File

@ -4,45 +4,15 @@ import (
"encoding/json"
"log"
"net/http"
"time"
"gitea.local/admin/hspguard/internal/repository"
"gitea.local/admin/hspguard/internal/types"
"gitea.local/admin/hspguard/internal/util"
"gitea.local/admin/hspguard/internal/web"
"github.com/go-chi/chi/v5"
"github.com/google/uuid"
)
type ApiServiceDTO struct {
ID uuid.UUID `json:"id"`
ClientID string `json:"client_id"`
Name string `json:"name"`
Description *string `json:"description"`
IconUrl *string `json:"icon_url"`
RedirectUris []string `json:"redirect_uris"`
Scopes []string `json:"scopes"`
GrantTypes []string `json:"grant_types"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
IsActive bool `json:"is_active"`
}
func NewApiServiceDTO(service repository.ApiService) ApiServiceDTO {
return ApiServiceDTO{
ID: service.ID,
ClientID: service.ClientID,
Name: service.Name,
Description: service.Description,
IconUrl: service.IconUrl,
RedirectUris: service.RedirectUris,
Scopes: service.Scopes,
GrantTypes: service.GrantTypes,
CreatedAt: service.CreatedAt,
UpdatedAt: service.UpdatedAt,
IsActive: service.IsActive,
}
}
func (h *AdminHandler) GetApiServices(w http.ResponseWriter, r *http.Request) {
services, err := h.repo.ListApiServices(r.Context())
if err != nil {
@ -51,15 +21,15 @@ func (h *AdminHandler) GetApiServices(w http.ResponseWriter, r *http.Request) {
return
}
apiServices := make([]ApiServiceDTO, 0)
apiServices := make([]types.ApiServiceDTO, 0)
for _, service := range services {
apiServices = append(apiServices, NewApiServiceDTO(service))
apiServices = append(apiServices, types.NewApiServiceDTO(service))
}
type Response struct {
Items []ApiServiceDTO `json:"items"`
Count int `json:"count"`
Items []types.ApiServiceDTO `json:"items"`
Count int `json:"count"`
}
encoder := json.NewEncoder(w)
@ -146,7 +116,7 @@ func (h *AdminHandler) AddApiService(w http.ResponseWriter, r *http.Request) {
service.ClientSecret = clientSecret
type Response struct {
Service ApiServiceDTO `json:"service"`
Service types.ApiServiceDTO `json:"service"`
Credentials ApiServiceCredentials `json:"credentials"`
}
@ -155,7 +125,7 @@ func (h *AdminHandler) AddApiService(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(Response{
Service: NewApiServiceDTO(service),
Service: types.NewApiServiceDTO(service),
Credentials: ApiServiceCredentials{
ClientId: service.ClientID,
ClientSecret: service.ClientSecret,
@ -183,7 +153,7 @@ func (h *AdminHandler) GetApiService(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(NewApiServiceDTO(service)); err != nil {
if err := encoder.Encode(types.NewApiServiceDTO(service)); err != nil {
web.Error(w, "failed to encode response", http.StatusInternalServerError)
}
}
@ -201,7 +171,7 @@ func (h *AdminHandler) GetApiServiceCID(w http.ResponseWriter, r *http.Request)
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(NewApiServiceDTO(service)); err != nil {
if err := encoder.Encode(types.NewApiServiceDTO(service)); err != nil {
web.Error(w, "failed to encode response", http.StatusInternalServerError)
}
}
@ -303,7 +273,7 @@ func (h *AdminHandler) UpdateApiService(w http.ResponseWriter, r *http.Request)
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(NewApiServiceDTO(updated)); err != nil {
if err := encoder.Encode(types.NewApiServiceDTO(updated)); err != nil {
web.Error(w, "failed to send updated api service", http.StatusInternalServerError)
}
}

82
internal/admin/permissions.go Normal file
View File

@ -0,0 +1,82 @@
package admin
import (
"encoding/json"
"log"
"net/http"
"gitea.local/admin/hspguard/internal/repository"
"gitea.local/admin/hspguard/internal/web"
"github.com/go-chi/chi/v5"
"github.com/google/uuid"
)
func (h *AdminHandler) GetAllPermissions(w http.ResponseWriter, r *http.Request) {
rows, err := h.repo.GetGroupedPermissions(r.Context())
if err != nil {
log.Println("ERR: Failed to list permissions from db:", err)
web.Error(w, "failed to get all permissions", http.StatusInternalServerError)
return
}
type RowDTO struct {
Scope string `json:"scope"`
Permissions []repository.Permission `json:"permissions"`
}
if len(rows) == 0 {
rows = make([]repository.GetGroupedPermissionsRow, 0)
}
var mapped []RowDTO
for _, row := range rows {
var permissions []repository.Permission
if err := json.Unmarshal(row.Permissions, &permissions); err != nil {
log.Println("ERR: Failed to extract permissions from byte array:", err)
web.Error(w, "failed to get permissions", http.StatusInternalServerError)
return
}
mapped = append(mapped, RowDTO{
Scope: row.Scope,
Permissions: permissions,
})
}
if len(mapped) == 0 {
mapped = make([]RowDTO, 0)
}
encoder := json.NewEncoder(w)
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(mapped); err != nil {
web.Error(w, "failed to encode response", http.StatusInternalServerError)
}
}
func (h *AdminHandler) GetUserPermissions(w http.ResponseWriter, r *http.Request) {
userId := chi.URLParam(r, "user_id")
permissions, err := h.repo.GetUserPermissions(r.Context(), uuid.MustParse(userId))
if err != nil {
log.Println("ERR: Failed to list permissions from db:", err)
web.Error(w, "failed to get user permissions", http.StatusInternalServerError)
return
}
if len(permissions) == 0 {
permissions = make([]repository.Permission, 0)
}
encoder := json.NewEncoder(w)
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(permissions); err != nil {
web.Error(w, "failed to encode response", http.StatusInternalServerError)
}
}

156
internal/admin/roles.go Normal file
View File

@ -0,0 +1,156 @@
package admin
import (
"encoding/json"
"log"
"net/http"
"gitea.local/admin/hspguard/internal/repository"
"gitea.local/admin/hspguard/internal/web"
"github.com/go-chi/chi/v5"
"github.com/google/uuid"
)
func (h *AdminHandler) GetAllRoles(w http.ResponseWriter, r *http.Request) {
rows, err := h.repo.GetRolesGroupedWithPermissions(r.Context())
if err != nil {
log.Println("ERR: Failed to list roles from db:", err)
web.Error(w, "failed to get all roles", http.StatusInternalServerError)
return
}
type RolePermissions struct {
Permissions []repository.Permission `json:"permissions"`
repository.Role
}
type RowDTO struct {
Scope string `json:"scope"`
Roles []RolePermissions `json:"roles"`
}
if len(rows) == 0 {
rows = make([]repository.GetRolesGroupedWithPermissionsRow, 0)
}
var mapped []RowDTO
for _, row := range rows {
var mappedRow RowDTO
mappedRow.Scope = row.Scope
if err := json.Unmarshal(row.Roles, &mappedRow.Roles); err != nil {
log.Println("ERR: Failed to extract roles from byte array:", err)
web.Error(w, "failed to get roles", http.StatusInternalServerError)
return
}
mapped = append(mapped, mappedRow)
}
if len(mapped) == 0 {
mapped = make([]RowDTO, 0)
}
encoder := json.NewEncoder(w)
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(mapped); err != nil {
web.Error(w, "failed to encode response", http.StatusInternalServerError)
}
}
func (h *AdminHandler) GetUserRoles(w http.ResponseWriter, r *http.Request) {
userId := chi.URLParam(r, "user_id")
parsed, err := uuid.Parse(userId)
if err != nil {
log.Printf("ERR: Received invalid UUID on get user roles '%s': %v\n", userId, err)
web.Error(w, "invalid user id", http.StatusBadRequest)
return
}
rows, err := h.repo.GetUserRoles(r.Context(), parsed)
if err != nil {
log.Println("ERR: Failed to list roles from db:", err)
web.Error(w, "failed to get user roles", http.StatusInternalServerError)
return
}
if len(rows) == 0 {
rows = make([]repository.Role, 0)
}
encoder := json.NewEncoder(w)
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(rows); err != nil {
web.Error(w, "failed to encode response", http.StatusInternalServerError)
}
}
type AssignRoleRequest struct {
RoleKey string `json:"role_key"`
}
func (h *AdminHandler) AssignUserRole(w http.ResponseWriter, r *http.Request) {
userId := chi.URLParam(r, "user_id")
var req AssignRoleRequest
decoder := json.NewDecoder(r.Body)
if err := decoder.Decode(&req); err != nil {
web.Error(w, "failed to parse request body", http.StatusBadRequest)
return
}
if req.RoleKey == "" {
web.Error(w, "role key is required for assign", http.StatusBadRequest)
return
}
parsed, err := uuid.Parse(userId)
if err != nil {
log.Printf("ERR: Failed to parse provided user ID '%s': %v\n", userId, err)
web.Error(w, "invalid user id provided", http.StatusBadRequest)
return
}
user, err := h.repo.FindUserId(r.Context(), parsed)
if err != nil {
web.Error(w, "no user found under provided id", http.StatusBadRequest)
return
}
if _, err := h.repo.FindUserRole(r.Context(), repository.FindUserRoleParams{
UserID: user.ID,
Key: req.RoleKey,
}); err == nil {
log.Printf("INFO: Unassigning role '%s' for user with '%s' id", req.RoleKey, user.ID.String())
// Unassign Role
if err := h.repo.UnassignUserRole(r.Context(), repository.UnassignUserRoleParams{
UserID: user.ID,
Key: req.RoleKey,
}); err != nil {
log.Printf("ERR: Failed to unassign role '%s' from user with '%s' id: %v\n", req.RoleKey, user.ID.String(), err)
web.Error(w, "failed to unassign role to user", http.StatusInternalServerError)
return
}
} else {
log.Printf("INFO: Assigning role '%s' for user with '%s' id", req.RoleKey, user.ID.String())
if err := h.repo.AssignUserRole(r.Context(), repository.AssignUserRoleParams{
UserID: user.ID,
Key: req.RoleKey,
}); err != nil {
log.Printf("ERR: Failed to assign role '%s' to user with '%s' id: %v\n", req.RoleKey, user.ID.String(), err)
web.Error(w, "failed to assign role to user", http.StatusInternalServerError)
return
}
}
w.WriteHeader(http.StatusOK)
}

15
internal/admin/routes.go
View File

@ -21,7 +21,7 @@ func New(repo *repository.Queries, cfg *config.AppConfig) *AdminHandler {
func (h *AdminHandler) RegisterRoutes(router chi.Router) {
router.Route("/admin", func(r chi.Router) {
authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
authMiddleware := imiddleware.NewAuthMiddleware(h.cfg, h.repo)
adminMiddleware := imiddleware.NewAdminMiddleware(h.repo)
r.Use(authMiddleware.Runner, adminMiddleware.Runner)
@ -35,6 +35,19 @@ func (h *AdminHandler) RegisterRoutes(router chi.Router) {
r.Get("/users", h.GetUsers)
r.Post("/users", h.CreateUser)
r.Get("/users/{id}", h.GetUser)
r.Get("/user-sessions", h.GetUserSessions)
r.Patch("/user-sessions/revoke/{id}", h.RevokeUserSession)
r.Get("/service-sessions", h.GetServiceSessions)
r.Patch("/service-sessions/revoke/{id}", h.RevokeUserSession)
r.Get("/permissions", h.GetAllPermissions)
r.Get("/permissions/{user_id}", h.GetUserPermissions)
r.Get("/roles", h.GetAllRoles)
r.Get("/roles/{user_id}", h.GetUserRoles)
r.Patch("/roles/{user_id}", h.AssignUserRole)
})
router.Get("/api-services/client/{client_id}", h.GetApiServiceCID)

182
internal/admin/sessions.go Normal file
View File

@ -0,0 +1,182 @@
package admin
import (
"encoding/json"
"log"
"math"
"net/http"
"strconv"
"gitea.local/admin/hspguard/internal/repository"
"gitea.local/admin/hspguard/internal/types"
"gitea.local/admin/hspguard/internal/web"
"github.com/go-chi/chi/v5"
"github.com/google/uuid"
)
type GetSessionsParams struct {
PageSize int `json:"size"`
Page int `json:"page"`
// TODO: More filtering possibilities like onlyActive, expired, not-expired etc.
}
func (h *AdminHandler) GetUserSessions(w http.ResponseWriter, r *http.Request) {
q := r.URL.Query()
params := GetSessionsParams{}
if pageSize, err := strconv.Atoi(q.Get("size")); err == nil {
params.PageSize = pageSize
} else {
params.PageSize = 15
}
if page, err := strconv.Atoi(q.Get("page")); err == nil {
params.Page = page
} else {
web.Error(w, "page is required", http.StatusBadRequest)
return
}
sessions, err := h.repo.GetUserSessions(r.Context(), repository.GetUserSessionsParams{
Limit: int32(params.PageSize),
Offset: int32(params.Page-1) * int32(params.PageSize),
})
if err != nil {
log.Println("ERR: Failed to read user sessions from db:", err)
web.Error(w, "failed to retrieve sessions", http.StatusInternalServerError)
return
}
totalSessions, err := h.repo.GetUserSessionsCount(r.Context())
if err != nil {
log.Println("ERR: Failed to get total count of user sessions:", err)
web.Error(w, "failed to retrieve sessions", http.StatusInternalServerError)
return
}
mapped := make([]*types.UserSessionDTO, 0)
for _, session := range sessions {
mapped = append(mapped, types.NewUserSessionDTO(&session))
}
type Response struct {
Items []*types.UserSessionDTO `json:"items"`
Page int `json:"page"`
TotalPages int `json:"total_pages"`
}
response := Response{
Items: mapped,
Page: params.Page,
TotalPages: int(math.Ceil(float64(totalSessions) / float64(params.PageSize))),
}
w.Header().Set("Content-Type", "application/json")
if err := json.NewEncoder(w).Encode(response); err != nil {
log.Println("ERR: Failed to encode sessions in response:", err)
web.Error(w, "failed to encode sessions", http.StatusInternalServerError)
return
}
}
func (h *AdminHandler) RevokeUserSession(w http.ResponseWriter, r *http.Request) {
sessionId := chi.URLParam(r, "id")
parsed, err := uuid.Parse(sessionId)
if err != nil {
web.Error(w, "provided service id is not valid", http.StatusBadRequest)
return
}
if err := h.repo.RevokeUserSession(r.Context(), parsed); err != nil {
log.Println("ERR: Failed to revoke user session:", err)
web.Error(w, "failed to revoke user session", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
w.Write([]byte("{\"success\":true}"))
}
func (h *AdminHandler) GetServiceSessions(w http.ResponseWriter, r *http.Request) {
q := r.URL.Query()
params := GetSessionsParams{}
if pageSize, err := strconv.Atoi(q.Get("size")); err == nil {
params.PageSize = pageSize
} else {
params.PageSize = 15
}
if page, err := strconv.Atoi(q.Get("page")); err == nil {
params.Page = page
} else {
web.Error(w, "page is required", http.StatusBadRequest)
return
}
sessions, err := h.repo.GetServiceSessions(r.Context(), repository.GetServiceSessionsParams{
Limit: int32(params.PageSize),
Offset: int32(params.Page-1) * int32(params.PageSize),
})
if err != nil {
log.Println("ERR: Failed to read api sessions from db:", err)
web.Error(w, "failed to retrieve sessions", http.StatusInternalServerError)
return
}
totalSessions, err := h.repo.GetServiceSessionsCount(r.Context())
if err != nil {
log.Println("ERR: Failed to get total count of service sessions:", err)
web.Error(w, "failed to retrieve sessions", http.StatusInternalServerError)
return
}
mapped := make([]*types.ServiceSessionDTO, 0)
for _, session := range sessions {
mapped = append(mapped, types.NewServiceSessionDTO(&session))
}
type Response struct {
Items []*types.ServiceSessionDTO `json:"items"`
Page int `json:"page"`
TotalPages int `json:"total_pages"`
}
response := Response{
Items: mapped,
Page: params.Page,
TotalPages: int(math.Ceil(float64(totalSessions) / float64(params.PageSize))),
}
w.Header().Set("Content-Type", "application/json")
if err := json.NewEncoder(w).Encode(response); err != nil {
log.Println("ERR: Failed to encode sessions in response:", err)
web.Error(w, "failed to encode sessions", http.StatusInternalServerError)
}
}
func (h *AdminHandler) RevokeServiceSession(w http.ResponseWriter, r *http.Request) {
sessionId := chi.URLParam(r, "id")
parsed, err := uuid.Parse(sessionId)
if err != nil {
web.Error(w, "provided service id is not valid", http.StatusBadRequest)
return
}
if err := h.repo.RevokeServiceSession(r.Context(), parsed); err != nil {
log.Println("ERR: Failed to revoke service session:", err)
web.Error(w, "failed to revoke service session", http.StatusInternalServerError)
return
}
w.WriteHeader(http.StatusOK)
w.Write([]byte("{\"success\":true}"))
}

34
internal/auth/login.go
View File

@ -5,6 +5,7 @@ import (
"log"
"net/http"
"gitea.local/admin/hspguard/internal/repository"
"gitea.local/admin/hspguard/internal/util"
"gitea.local/admin/hspguard/internal/web"
)
@ -32,12 +33,14 @@ func (h *AuthHandler) login(w http.ResponseWriter, r *http.Request) {
user, err := h.repo.FindUserEmail(r.Context(), params.Email)
if err != nil {
web.Error(w, "user with provided email does not exists", http.StatusBadRequest)
log.Printf("DEBUG: No user found with '%s' email: %v\n", params.Email, err)
web.Error(w, "email or/and password are incorrect", http.StatusBadRequest)
return
}
if !util.VerifyPassword(params.Password, user.PasswordHash) {
web.Error(w, "username or/and password are incorrect", http.StatusBadRequest)
log.Printf("DEBUG: Incorrect password '%s' for '%s' email: %v\n", params.Password, params.Email, err)
web.Error(w, "email or/and password are incorrect", http.StatusBadRequest)
return
}
@ -47,6 +50,29 @@ func (h *AuthHandler) login(w http.ResponseWriter, r *http.Request) {
return
}
userAgent := r.UserAgent()
ipAddr := util.GetClientIP(r)
deviceInfo := util.BuildDeviceInfo(userAgent, ipAddr)
// Create User Session
session, err := h.repo.CreateUserSession(r.Context(), repository.CreateUserSessionParams{
UserID: user.ID,
SessionType: "user",
ExpiresAt: &refresh.ExpiresAt,
LastActive: nil,
IpAddress: &ipAddr,
UserAgent: &userAgent,
AccessTokenID: &access.ID,
RefreshTokenID: &refresh.ID,
DeviceInfo: deviceInfo,
})
if err != nil {
log.Printf("ERR: Failed to create user session after logging in: %v\n", err)
}
log.Printf("INFO: User session created for '%s' with '%s' id\n", user.Email, session.ID.String())
if err := h.repo.UpdateLastLogin(r.Context(), user.ID); err != nil {
web.Error(w, "failed to update user's last login", http.StatusInternalServerError)
return
@ -68,8 +94,8 @@ func (h *AuthHandler) login(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(Response{
AccessToken: access,
RefreshToken: refresh,
AccessToken: access.Token,
RefreshToken: refresh.Token,
FullName: user.FullName,
Email: user.Email,
Id: user.ID.String(),

44
internal/auth/refresh.go
View File

@ -3,10 +3,12 @@ package auth
import (
"encoding/json"
"fmt"
"log"
"net/http"
"strings"
"time"
"gitea.local/admin/hspguard/internal/repository"
"gitea.local/admin/hspguard/internal/types"
"gitea.local/admin/hspguard/internal/util"
"gitea.local/admin/hspguard/internal/web"
@ -64,6 +66,44 @@ func (h *AuthHandler) refreshToken(w http.ResponseWriter, r *http.Request) {
return
}
jti, err := uuid.Parse(userClaims.ID)
if session, err := h.repo.GetUserSessionByRefreshJTI(r.Context(), &jti); err != nil {
log.Printf("WARN: No existing user session found for user with '%s' email (jti: '%s'): %v\n", user.Email, userClaims.ID, err)
userAgent := r.UserAgent()
ipAddr := util.GetClientIP(r)
deviceInfo := util.BuildDeviceInfo(userAgent, ipAddr)
// Create User Session
session, err := h.repo.CreateUserSession(r.Context(), repository.CreateUserSessionParams{
UserID: user.ID,
SessionType: "user",
ExpiresAt: &refresh.ExpiresAt,
LastActive: nil,
IpAddress: &ipAddr,
UserAgent: &userAgent,
AccessTokenID: &access.ID,
RefreshTokenID: &refresh.ID,
DeviceInfo: deviceInfo,
})
if err != nil {
log.Printf("ERR: Failed to create user session after logging in: %v\n", err)
}
log.Printf("INFO: User session created for '%s' with '%s' id\n", user.Email, session.ID.String())
} else {
err := h.repo.UpdateSessionTokens(r.Context(), repository.UpdateSessionTokensParams{
ID: session.ID,
AccessTokenID: &access.ID,
RefreshTokenID: &refresh.ID,
ExpiresAt: &refresh.ExpiresAt,
})
if err != nil {
log.Printf("ERR: Failed to update user session with '%s' id: %v\n", session.ID.String(), err)
}
}
type Response struct {
AccessToken string `json:"access"`
RefreshToken string `json:"refresh"`
@ -74,8 +114,8 @@ func (h *AuthHandler) refreshToken(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(Response{
AccessToken: access,
RefreshToken: refresh,
AccessToken: access.Token,
RefreshToken: refresh.Token,
}); err != nil {
web.Error(w, "failed to encode response", http.StatusInternalServerError)
}

24
internal/auth/routes.go
View File

@ -11,6 +11,7 @@ import (
"gitea.local/admin/hspguard/internal/util"
"github.com/go-chi/chi/v5"
"github.com/golang-jwt/jwt/v5"
"github.com/google/uuid"
)
type AuthHandler struct {
@ -19,7 +20,10 @@ type AuthHandler struct {
cfg *config.AppConfig
}
func (h *AuthHandler) signTokens(user *repository.User) (string, string, error) {
func (h *AuthHandler) signTokens(user *repository.User) (*types.SignedToken, *types.SignedToken, error) {
accessExpiresAt := time.Now().Add(15 * time.Minute)
accessJTI := uuid.New()
accessClaims := types.UserClaims{
UserEmail: user.Email,
IsAdmin: user.IsAdmin,
@ -27,15 +31,19 @@ func (h *AuthHandler) signTokens(user *repository.User) (string, string, error)
Issuer: h.cfg.Uri,
Subject: user.ID.String(),
IssuedAt: jwt.NewNumericDate(time.Now()),
ExpiresAt: jwt.NewNumericDate(time.Now().Add(15 * time.Minute)),
ExpiresAt: jwt.NewNumericDate(accessExpiresAt),
ID: accessJTI.String(),
},
}
accessToken, err := util.SignJwtToken(accessClaims, h.cfg.Jwt.PrivateKey)
if err != nil {
return "", "", err
return nil, nil, err
}
refreshExpiresAt := time.Now().Add(30 * 24 * time.Hour)
refreshJTI := uuid.New()
refreshClaims := types.UserClaims{
UserEmail: user.Email,
IsAdmin: user.IsAdmin,
@ -43,16 +51,17 @@ func (h *AuthHandler) signTokens(user *repository.User) (string, string, error)
Issuer: h.cfg.Uri,
Subject: user.ID.String(),
IssuedAt: jwt.NewNumericDate(time.Now()),
ExpiresAt: jwt.NewNumericDate(time.Now().Add(30 * 24 * time.Hour)),
ExpiresAt: jwt.NewNumericDate(refreshExpiresAt),
ID: refreshJTI.String(),
},
}
refreshToken, err := util.SignJwtToken(refreshClaims, h.cfg.Jwt.PrivateKey)
if err != nil {
return "", "", err
return nil, nil, err
}
return accessToken, refreshToken, nil
return types.NewSignedToken(accessToken, accessExpiresAt, accessJTI), types.NewSignedToken(refreshToken, refreshExpiresAt, refreshJTI), nil
}
func NewAuthHandler(repo *repository.Queries, cache *cache.Client, cfg *config.AppConfig) *AuthHandler {
@ -66,13 +75,14 @@ func NewAuthHandler(repo *repository.Queries, cache *cache.Client, cfg *config.A
func (h *AuthHandler) RegisterRoutes(api chi.Router) {
api.Route("/auth", func(r chi.Router) {
r.Group(func(protected chi.Router) {
authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
authMiddleware := imiddleware.NewAuthMiddleware(h.cfg, h.repo)
protected.Use(authMiddleware.Runner)
protected.Get("/profile", h.getProfile)
protected.Post("/email", h.requestEmailOtp)
protected.Post("/email/otp", h.confirmOtp)
protected.Post("/verify", h.finishVerification)
protected.Post("/signout", h.signOut)
})
r.Post("/login", h.login)

40
internal/auth/signout.go Normal file
View File

@ -0,0 +1,40 @@
package auth
import (
"log"
"net/http"
"gitea.local/admin/hspguard/internal/util"
"github.com/google/uuid"
)
func (h *AuthHandler) signOut(w http.ResponseWriter, r *http.Request) {
defer func() {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{\"status\": \"ok\"}"))
}()
jti, ok := util.GetRequestJTI(r.Context())
if !ok {
log.Println("WARN: No JTI found in request")
return
}
jtiId, err := uuid.Parse(jti)
if err != nil {
log.Printf("ERR: Failed to parse jti '%s' as v4 uuid: %v\n", jti, err)
return
}
session, err := h.repo.GetUserSessionByAccessJTI(r.Context(), &jtiId)
if err != nil {
log.Printf("WARN: Could not find session by jti id '%s': %v\n", jtiId.String(), err)
return
}
if err := h.repo.RevokeUserSession(r.Context(), session.ID); err != nil {
log.Printf("ERR: Failed to revoke session with '%s' id: %v\n", session.ID.String(), err)
} else {
log.Printf("INFO: Revoked session with jti = '%s' and session id = '%s'\n", jtiId.String(), session.ID.String())
}
}

30
internal/middleware/auth.go
View File

@ -3,22 +3,27 @@ package middleware
import (
"context"
"fmt"
"log"
"net/http"
"strings"
"gitea.local/admin/hspguard/internal/config"
"gitea.local/admin/hspguard/internal/repository"
"gitea.local/admin/hspguard/internal/types"
"gitea.local/admin/hspguard/internal/util"
"gitea.local/admin/hspguard/internal/web"
"github.com/google/uuid"
)
type AuthMiddleware struct {
cfg *config.AppConfig
cfg *config.AppConfig
repo *repository.Queries
}
func NewAuthMiddleware(cfg *config.AppConfig) *AuthMiddleware {
func NewAuthMiddleware(cfg *config.AppConfig, repo *repository.Queries) *AuthMiddleware {
return &AuthMiddleware{
cfg,
repo,
}
}
@ -45,7 +50,28 @@ func (m *AuthMiddleware) Runner(next http.Handler) http.Handler {
return
}
// TODO: redis caching
parsed, err := uuid.Parse(userClaims.ID)
if err != nil {
log.Printf("ERR: Failed to parse token JTI '%s': %v\n", userClaims.ID, err)
web.Error(w, "failed to get session", http.StatusUnauthorized)
return
}
session, err := m.repo.GetUserSessionByAccessJTI(r.Context(), &parsed)
if err != nil {
log.Printf("ERR: Failed to find session with '%s' JTI: %v\n", parsed.String(), err)
web.Error(w, "no session found", http.StatusUnauthorized)
return
}
if !session.IsActive {
log.Printf("INFO: Inactive session trying to authorize: %s\n", session.AccessTokenID)
web.Error(w, "no session found", http.StatusUnauthorized)
return
}
ctx := context.WithValue(r.Context(), types.UserIdKey, userClaims.Subject)
ctx = context.WithValue(ctx, types.JTIKey, userClaims.ID)
next.ServeHTTP(w, r.WithContext(ctx))
})
}

44
internal/oauth/authorize.go
View File

@ -3,7 +3,6 @@ package oauth
import (
"fmt"
"net/http"
"slices"
"strings"
"gitea.local/admin/hspguard/internal/web"
@ -29,43 +28,14 @@ func (h *OAuthHandler) AuthorizeClient(w http.ResponseWriter, r *http.Request) {
return
}
client, err := h.repo.GetApiServiceCID(r.Context(), clientId)
if err != nil {
uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", redirectUri)
if state != "" {
uri += "&state=" + state
}
http.Redirect(w, r, uri, http.StatusFound)
return
}
scopes := strings.Split(strings.TrimSpace(r.URL.Query().Get("scope")), " ")
if !client.IsActive {
uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", redirectUri)
if state != "" {
uri += "&state=" + state
}
http.Redirect(w, r, uri, http.StatusFound)
return
}
scopes := strings.SplitSeq(strings.TrimSpace(r.URL.Query().Get("scope")), " ")
for scope := range scopes {
if !slices.Contains(client.Scopes, scope) {
uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", redirectUri, strings.ReplaceAll(scope, " ", "+"))
if state != "" {
uri += "&state=" + state
}
http.Redirect(w, r, uri, http.StatusFound)
return
}
}
if !slices.Contains(client.RedirectUris, redirectUri) {
uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", redirectUri)
if state != "" {
uri += "&state=" + state
}
if uri, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
ClientID: clientId,
RedirectURI: &redirectUri,
State: state,
Scopes: &scopes,
}); err != nil {
http.Redirect(w, r, uri, http.StatusFound)
return
}

58
internal/oauth/client.go Normal file
View File

@ -0,0 +1,58 @@
package oauth
import (
"context"
"fmt"
"slices"
"strings"
)
type VerifyOAuthClientParams struct {
ClientID string `json:"client_id"`
RedirectURI *string `json:"redirect_uri"`
State string `json:"state"`
Scopes *[]string `json:"scopes"`
}
func (h *OAuthHandler) verifyOAuthClient(ctx context.Context, params *VerifyOAuthClientParams) (string, error) {
client, err := h.repo.GetApiServiceCID(ctx, params.ClientID)
if err != nil {
uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", *params.RedirectURI)
if params.State != "" {
uri += "&state=" + params.State
}
return uri, fmt.Errorf("target oauth service with client id '%s' is not registered", params.ClientID)
}
if !client.IsActive {
uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", *params.RedirectURI)
if params.State != "" {
uri += "&state=" + params.State
}
return uri, fmt.Errorf("target oauth service with client id '%s' is not available", client.ClientID)
}
if params.Scopes != nil {
for _, scope := range *params.Scopes {
if !slices.Contains(client.Scopes, scope) {
uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", *params.RedirectURI, strings.ReplaceAll(scope, " ", "+"))
if params.State != "" {
uri += "&state=" + params.State
}
return uri, fmt.Errorf("unallowed scope '%s' requested", scope)
}
}
}
if params.RedirectURI != nil {
if !slices.Contains(client.RedirectUris, *params.RedirectURI) {
uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", *params.RedirectURI)
if params.State != "" {
uri += "&state=" + params.State
}
return uri, fmt.Errorf("redirect uri '%s' is unallowed", *params.RedirectURI)
}
}
return "", nil
}

10
internal/oauth/code.go
View File

@ -39,6 +39,16 @@ func (h *OAuthHandler) getAuthCode(w http.ResponseWriter, r *http.Request) {
return
}
if _, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
ClientID: req.ClientID,
RedirectURI: nil,
State: "",
Scopes: nil,
}); err != nil {
web.Error(w, err.Error(), http.StatusInternalServerError)
return
}
buf := make([]byte, 32)
_, err = rand.Read(buf)
if err != nil {

2
internal/oauth/routes.go
View File

@ -25,7 +25,7 @@ func NewOAuthHandler(repo *repository.Queries, cache *cache.Client, cfg *config.
func (h *OAuthHandler) RegisterRoutes(router chi.Router) {
router.Route("/oauth", func(r chi.Router) {
r.Group(func(protected chi.Router) {
authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
authMiddleware := imiddleware.NewAuthMiddleware(h.cfg, h.repo)
protected.Use(authMiddleware.Runner)
protected.Post("/code", h.getAuthCode)

151
internal/oauth/token.go
View File

@ -5,6 +5,7 @@ import (
"encoding/json"
"fmt"
"log"
"math"
"net/http"
"strings"
"time"
@ -17,20 +18,10 @@ import (
"github.com/google/uuid"
)
type ApiToken struct {
Token string
Expiration float64
}
type ApiTokens struct {
ID ApiToken
Access ApiToken
Refresh ApiToken
}
func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *repository.ApiService, nonce *string) (*ApiTokens, error) {
func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *repository.ApiService, nonce *string) (*types.SignedToken, *types.SignedToken, *types.SignedToken, error) {
accessExpiresIn := 15 * time.Minute
accessExpiresAt := time.Now().Add(accessExpiresIn)
accessJTI := uuid.New()
accessClaims := types.ApiClaims{
Permissions: []string{},
@ -40,12 +31,13 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
Audience: jwt.ClaimStrings{apiService.ClientID},
IssuedAt: jwt.NewNumericDate(time.Now()),
ExpiresAt: jwt.NewNumericDate(accessExpiresAt),
ID: accessJTI.String(),
},
}
access, err := util.SignJwtToken(accessClaims, h.cfg.Jwt.PrivateKey)
if err != nil {
return nil, err
return nil, nil, nil, err
}
var roles = []string{"user"}
@ -56,6 +48,7 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
idExpiresIn := 15 * time.Minute
idExpiresAt := time.Now().Add(idExpiresIn)
idJTI := uuid.New()
idClaims := types.IdTokenClaims{
Email: user.Email,
@ -70,16 +63,18 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
Audience: jwt.ClaimStrings{apiService.ClientID},
IssuedAt: jwt.NewNumericDate(time.Now()),
ExpiresAt: jwt.NewNumericDate(idExpiresAt),
ID: idJTI.String(),
},
}
idToken, err := util.SignJwtToken(idClaims, h.cfg.Jwt.PrivateKey)
if err != nil {
return nil, err
return nil, nil, nil, err
}
refreshExpiresIn := 24 * time.Hour
refreshExpiresAt := time.Now().Add(refreshExpiresIn)
refreshJTI := uuid.New()
refreshClaims := types.ApiRefreshClaims{
UserID: user.ID.String(),
@ -89,28 +84,16 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
Audience: jwt.ClaimStrings{apiService.ClientID},
IssuedAt: jwt.NewNumericDate(time.Now()),
ExpiresAt: jwt.NewNumericDate(refreshExpiresAt),
ID: refreshJTI.String(),
},
}
refresh, err := util.SignJwtToken(refreshClaims, h.cfg.Jwt.PrivateKey)
if err != nil {
return nil, err
return nil, nil, nil, err
}
return &ApiTokens{
ID: ApiToken{
Token: idToken,
Expiration: idExpiresIn.Seconds(),
},
Access: ApiToken{
Token: access,
Expiration: accessExpiresIn.Seconds(),
},
Refresh: ApiToken{
Token: refresh,
Expiration: refreshExpiresIn.Seconds(),
},
}, nil
return types.NewSignedToken(idToken, idExpiresAt, idJTI), types.NewSignedToken(access, accessExpiresAt, accessJTI), types.NewSignedToken(refresh, refreshExpiresAt, refreshJTI), nil
}
func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
@ -152,50 +135,93 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
}
grantType := r.FormValue("grant_type")
redirectUri := r.FormValue("redirect_uri")
log.Printf("Redirect URI is %s\n", redirectUri)
log.Println("DEBUG: Verifying target oauth client before proceeding...")
if _, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
ClientID: clientId,
RedirectURI: nil,
State: "",
Scopes: nil,
}); err != nil {
web.Error(w, err.Error(), http.StatusInternalServerError)
return
}
switch grantType {
case "authorization_code":
redirectUri := r.FormValue("redirect_uri")
log.Printf("Redirect URI is %s\n", redirectUri)
code := r.FormValue("code")
fmt.Printf("Code received: %s\n", code)
session, err := h.cache.GetAuthCode(r.Context(), code)
codeSession, err := h.cache.GetAuthCode(r.Context(), code)
if err != nil {
log.Printf("ERR: Failed to find session under the code %s: %v\n", code, err)
web.Error(w, "no session found under this auth code", http.StatusNotFound)
return
}
log.Printf("DEBUG: Fetched code session: %#v\n", session)
log.Printf("DEBUG: Fetched code session: %#v\n", codeSession)
apiService, err := h.repo.GetApiServiceCID(r.Context(), session.ClientID)
apiService, err := h.repo.GetApiServiceCID(r.Context(), codeSession.ClientID)
if err != nil {
log.Printf("ERR: Could not find API service with client %s: %v\n", session.ClientID, err)
log.Printf("ERR: Could not find API service with client %s: %v\n", codeSession.ClientID, err)
web.Error(w, "service is not registered", http.StatusForbidden)
return
}
if session.ClientID != clientId {
if codeSession.ClientID != clientId {
web.Error(w, "invalid auth", http.StatusUnauthorized)
return
}
user, err := h.repo.FindUserId(r.Context(), uuid.MustParse(session.UserID))
user, err := h.repo.FindUserId(r.Context(), uuid.MustParse(codeSession.UserID))
if err != nil {
web.Error(w, "requested user not found", http.StatusNotFound)
return
}
tokens, err := h.signApiTokens(&user, &apiService, &session.Nonce)
id, access, refresh, err := h.signApiTokens(&user, &apiService, &codeSession.Nonce)
if err != nil {
log.Println("ERR: Failed to sign api tokens:", err)
web.Error(w, "failed to sign tokens", http.StatusInternalServerError)
return
}
log.Printf("DEBUG: Created api tokens: %v\n\n%v\n\n%v\n", id.ID.String(), access.ID.String(), refresh.ID.String())
userId, err := uuid.Parse(codeSession.UserID)
if err != nil {
log.Printf("ERR: Failed to parse user '%s' uuid: %v\n", codeSession.UserID, err)
web.Error(w, "failed to sign tokens", http.StatusInternalServerError)
return
}
ipAddr := util.GetClientIP(r)
ua := r.UserAgent()
session, err := h.repo.CreateServiceSession(r.Context(), repository.CreateServiceSessionParams{
ServiceID: apiService.ID,
ClientID: apiService.ClientID,
UserID: &userId,
ExpiresAt: &refresh.ExpiresAt,
LastActive: nil,
IpAddress: &ipAddr,
UserAgent: &ua,
AccessTokenID: &access.ID,
RefreshTokenID: &refresh.ID,
})
if err != nil {
log.Printf("ERR: Failed to create new service session: %v\n", err)
web.Error(w, "failed to create session", http.StatusInternalServerError)
return
}
log.Printf("INFO: Service session created for '%s' client_id with '%s' id\n", apiService.ClientID, session.ID.String())
type Response struct {
IdToken string `json:"id_token"`
TokenType string `json:"token_type"`
@ -207,11 +233,11 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
}
response := Response{
IdToken: tokens.ID.Token,
IdToken: id.Token,
TokenType: "Bearer",
AccessToken: tokens.Access.Token,
RefreshToken: tokens.Refresh.Token,
ExpiresIn: tokens.Access.Expiration,
AccessToken: access.Token,
RefreshToken: refresh.Token,
ExpiresIn: math.Ceil(access.ExpiresAt.Sub(time.Now()).Seconds()),
Email: user.Email,
}
@ -244,6 +270,26 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
return
}
refreshJTI, err := uuid.Parse(claims.ID)
if err != nil {
log.Printf("ERR: Failed to parse refresh token JTI as uuid: %v\n", err)
web.Error(w, "failed to refresh token", http.StatusInternalServerError)
return
}
session, err := h.repo.GetServiceSessionByRefreshJTI(r.Context(), &refreshJTI)
if err != nil {
log.Printf("ERR: Failed to find session by '%s' refresh jti: %v\n", refreshJTI.String(), err)
web.Error(w, "session invalid", http.StatusUnauthorized)
return
}
if !session.IsActive {
log.Printf("INFO: Session with id '%s' is not active", session.ID.String())
web.Error(w, "session ended", http.StatusUnauthorized)
return
}
userID, err := uuid.Parse(claims.UserID)
if err != nil {
web.Error(w, "invalid user credentials in refresh token", http.StatusBadRequest)
@ -257,7 +303,18 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
return
}
tokens, err := h.signApiTokens(&user, &apiService, nil)
id, access, refresh, err := h.signApiTokens(&user, &apiService, nil)
if err := h.repo.UpdateServiceSessionTokens(r.Context(), repository.UpdateServiceSessionTokensParams{
ID: session.ID,
AccessTokenID: &access.ID,
RefreshTokenID: &refresh.ID,
ExpiresAt: &refresh.ExpiresAt,
}); err != nil {
log.Printf("ERR: Failed to update service session with '%s' id: %v\n", session.ID.String(), err)
web.Error(w, "failed to update session", http.StatusInternalServerError)
return
}
type Response struct {
IdToken string `json:"id_token"`
@ -268,11 +325,11 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
}
response := Response{
IdToken: tokens.ID.Token,
IdToken: id.Token,
TokenType: "Bearer",
AccessToken: tokens.Access.Token,
RefreshToken: tokens.Refresh.Token,
ExpiresIn: tokens.Access.Expiration,
AccessToken: access.Token,
RefreshToken: refresh.Token,
ExpiresIn: math.Ceil(access.ExpiresAt.Sub(time.Now()).Seconds()),
}
log.Printf("DEBUG: refresh - sending following response: %#v\n", response)

63
internal/repository/models.go
View File

@ -25,6 +25,43 @@ type ApiService struct {
IconUrl *string `json:"icon_url"`
}
type Permission struct {
ID uuid.UUID `json:"id"`
Name string `json:"name"`
Scope string `json:"scope"`
Description *string `json:"description"`
}
type Role struct {
ID uuid.UUID `json:"id"`
Name string `json:"name"`
Scope string `json:"scope"`
Description *string `json:"description"`
}
type RolePermission struct {
RoleID uuid.UUID `json:"role_id"`
PermissionID uuid.UUID `json:"permission_id"`
}
type ServiceSession struct {
ID uuid.UUID `json:"id"`
ServiceID uuid.UUID `json:"service_id"`
ClientID string `json:"client_id"`
UserID *uuid.UUID `json:"user_id"`
IssuedAt time.Time `json:"issued_at"`
ExpiresAt *time.Time `json:"expires_at"`
LastActive *time.Time `json:"last_active"`
IpAddress *string `json:"ip_address"`
UserAgent *string `json:"user_agent"`
AccessTokenID *uuid.UUID `json:"access_token_id"`
RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
IsActive bool `json:"is_active"`
RevokedAt *time.Time `json:"revoked_at"`
Scope *string `json:"scope"`
Claims []byte `json:"claims"`
}
type User struct {
ID uuid.UUID `json:"id"`
Email string `json:"email"`
@ -41,3 +78,29 @@ type User struct {
AvatarVerified bool `json:"avatar_verified"`
Verified bool `json:"verified"`
}
type UserPermission struct {
UserID uuid.UUID `json:"user_id"`
PermissionID uuid.UUID `json:"permission_id"`
}
type UserRole struct {
UserID uuid.UUID `json:"user_id"`
RoleID uuid.UUID `json:"role_id"`
}
type UserSession struct {
ID uuid.UUID `json:"id"`
UserID uuid.UUID `json:"user_id"`
SessionType string `json:"session_type"`
IssuedAt time.Time `json:"issued_at"`
ExpiresAt *time.Time `json:"expires_at"`
LastActive *time.Time `json:"last_active"`
IpAddress *string `json:"ip_address"`
UserAgent *string `json:"user_agent"`
AccessTokenID *uuid.UUID `json:"access_token_id"`
RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
DeviceInfo []byte `json:"device_info"`
IsActive bool `json:"is_active"`
RevokedAt *time.Time `json:"revoked_at"`
}

156
internal/repository/permissions.sql.go Normal file
View File

@ -0,0 +1,156 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
// sqlc v1.29.0
// source: permissions.sql
package repository
import (
"context"
"github.com/google/uuid"
)
const createPermission = `-- name: CreatePermission :one
INSERT into permissions (
name, scope, description
) VALUES (
$1, $2, $3
) RETURNING id, name, scope, description
`
type CreatePermissionParams struct {
Name string `json:"name"`
Scope string `json:"scope"`
Description *string `json:"description"`
}
func (q *Queries) CreatePermission(ctx context.Context, arg CreatePermissionParams) (Permission, error) {
row := q.db.QueryRow(ctx, createPermission, arg.Name, arg.Scope, arg.Description)
var i Permission
err := row.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
)
return i, err
}
const findPermission = `-- name: FindPermission :one
SELECT id, name, scope, description FROM permissions
WHERE name = $1 AND scope = $2
`
type FindPermissionParams struct {
Name string `json:"name"`
Scope string `json:"scope"`
}
func (q *Queries) FindPermission(ctx context.Context, arg FindPermissionParams) (Permission, error) {
row := q.db.QueryRow(ctx, findPermission, arg.Name, arg.Scope)
var i Permission
err := row.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
)
return i, err
}
const getAllPermissions = `-- name: GetAllPermissions :many
SELECT id, name, scope, description
FROM permissions p
ORDER BY p.scope
`
func (q *Queries) GetAllPermissions(ctx context.Context) ([]Permission, error) {
rows, err := q.db.Query(ctx, getAllPermissions)
if err != nil {
return nil, err
}
defer rows.Close()
var items []Permission
for rows.Next() {
var i Permission
if err := rows.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const getGroupedPermissions = `-- name: GetGroupedPermissions :many
SELECT scope, json_agg(to_jsonb(permissions.*) ORDER BY name) as permissions
FROM permissions
GROUP BY scope
`
type GetGroupedPermissionsRow struct {
Scope string `json:"scope"`
Permissions []byte `json:"permissions"`
}
func (q *Queries) GetGroupedPermissions(ctx context.Context) ([]GetGroupedPermissionsRow, error) {
rows, err := q.db.Query(ctx, getGroupedPermissions)
if err != nil {
return nil, err
}
defer rows.Close()
var items []GetGroupedPermissionsRow
for rows.Next() {
var i GetGroupedPermissionsRow
if err := rows.Scan(&i.Scope, &i.Permissions); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const getUserPermissions = `-- name: GetUserPermissions :many
SELECT DISTINCT p.id,p.name,p.scope,p.description
FROM user_roles ur
JOIN role_permissions rp ON ur.role_id = rp.role_id
JOIN permissions p ON rp.permission_id = p.id
WHERE ur.user_id = $1
ORDER BY p.scope
`
func (q *Queries) GetUserPermissions(ctx context.Context, userID uuid.UUID) ([]Permission, error) {
rows, err := q.db.Query(ctx, getUserPermissions, userID)
if err != nil {
return nil, err
}
defer rows.Close()
var items []Permission
for rows.Next() {
var i Permission
if err := rows.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}

282
internal/repository/roles.sql.go Normal file
View File

@ -0,0 +1,282 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
// sqlc v1.29.0
// source: roles.sql
package repository
import (
"context"
"github.com/google/uuid"
)
const addPermissionsToRoleByKey = `-- name: AddPermissionsToRoleByKey :exec
INSERT INTO role_permissions (role_id, permission_id)
SELECT
$1,
p.id
FROM
permissions p
JOIN
unnest($2::text[]) AS key_str
ON key_str = p.scope || '_' || p.name
`
type AddPermissionsToRoleByKeyParams struct {
RoleID uuid.UUID `json:"role_id"`
PermissionKeys []string `json:"permission_keys"`
}
func (q *Queries) AddPermissionsToRoleByKey(ctx context.Context, arg AddPermissionsToRoleByKeyParams) error {
_, err := q.db.Exec(ctx, addPermissionsToRoleByKey, arg.RoleID, arg.PermissionKeys)
return err
}
const assignRolePermission = `-- name: AssignRolePermission :exec
INSERT INTO role_permissions (role_id, permission_id)
VALUES (
$1,
(
SELECT id
FROM permissions p
WHERE p.scope = split_part($2, '_', 1)
AND p.name = right($2, length($2) - position('_' IN $2))
)
)
`
type AssignRolePermissionParams struct {
RoleID uuid.UUID `json:"role_id"`
Key string `json:"key"`
}
func (q *Queries) AssignRolePermission(ctx context.Context, arg AssignRolePermissionParams) error {
_, err := q.db.Exec(ctx, assignRolePermission, arg.RoleID, arg.Key)
return err
}
const assignUserRole = `-- name: AssignUserRole :exec
INSERT INTO user_roles (user_id, role_id)
VALUES ($1, (
SELECT id FROM roles r
WHERE r.scope = split_part($2, '_', 1)
AND r.name = right($2, length($2) - position('_' IN $2))
))
`
type AssignUserRoleParams struct {
UserID uuid.UUID `json:"user_id"`
Key string `json:"key"`
}
func (q *Queries) AssignUserRole(ctx context.Context, arg AssignUserRoleParams) error {
_, err := q.db.Exec(ctx, assignUserRole, arg.UserID, arg.Key)
return err
}
const createRole = `-- name: CreateRole :one
INSERT INTO roles (name, scope, description)
VALUES ($1, $2, $3)
RETURNING id, name, scope, description
`
type CreateRoleParams struct {
Name string `json:"name"`
Scope string `json:"scope"`
Description *string `json:"description"`
}
func (q *Queries) CreateRole(ctx context.Context, arg CreateRoleParams) (Role, error) {
row := q.db.QueryRow(ctx, createRole, arg.Name, arg.Scope, arg.Description)
var i Role
err := row.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
)
return i, err
}
const findRole = `-- name: FindRole :one
SELECT id, name, scope, description
FROM roles
WHERE scope = $1 AND name = $2
`
type FindRoleParams struct {
Scope string `json:"scope"`
Name string `json:"name"`
}
func (q *Queries) FindRole(ctx context.Context, arg FindRoleParams) (Role, error) {
row := q.db.QueryRow(ctx, findRole, arg.Scope, arg.Name)
var i Role
err := row.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
)
return i, err
}
const findUserRole = `-- name: FindUserRole :one
SELECT user_id, role_id FROM user_roles
WHERE user_id = $1 AND role_id = (SELECT id FROM roles r WHERE r.scope = split_part($2, '_', 1) AND r.name = right($2, length($2) - position('_' IN $2)))
LIMIT 1
`
type FindUserRoleParams struct {
UserID uuid.UUID `json:"user_id"`
Key string `json:"key"`
}
func (q *Queries) FindUserRole(ctx context.Context, arg FindUserRoleParams) (UserRole, error) {
row := q.db.QueryRow(ctx, findUserRole, arg.UserID, arg.Key)
var i UserRole
err := row.Scan(&i.UserID, &i.RoleID)
return i, err
}
const getRoleAssignment = `-- name: GetRoleAssignment :one
SELECT role_id, permission_id FROM role_permissions
WHERE role_id = $1 AND permission_id = (SELECT id FROM permissions p WHERE p.scope = split_part($2, '_', 1) AND p.name = right($2, length($2) - position('_' IN $2)))
LIMIT 1
`
type GetRoleAssignmentParams struct {
RoleID uuid.UUID `json:"role_id"`
Key string `json:"key"`
}
func (q *Queries) GetRoleAssignment(ctx context.Context, arg GetRoleAssignmentParams) (RolePermission, error) {
row := q.db.QueryRow(ctx, getRoleAssignment, arg.RoleID, arg.Key)
var i RolePermission
err := row.Scan(&i.RoleID, &i.PermissionID)
return i, err
}
const getRolesGroupedWithPermissions = `-- name: GetRolesGroupedWithPermissions :many
SELECT
r.scope,
json_agg (
json_build_object (
'id',
r.id,
'name',
r.name,
'scope',
r.scope,
'description',
r.description,
'permissions',
COALESCE(p_list.permissions, '[]')
)
ORDER BY
r.name
) AS roles
FROM
roles r
LEFT JOIN (
SELECT
rp.role_id,
json_agg (
json_build_object (
'id',
p.id,
'name',
p.name,
'scope',
p.scope,
'description',
p.description
)
ORDER BY
p.name
) AS permissions
FROM
role_permissions rp
JOIN permissions p ON p.id = rp.permission_id
GROUP BY
rp.role_id
) p_list ON p_list.role_id = r.id
GROUP BY
r.scope
`
type GetRolesGroupedWithPermissionsRow struct {
Scope string `json:"scope"`
Roles []byte `json:"roles"`
}
func (q *Queries) GetRolesGroupedWithPermissions(ctx context.Context) ([]GetRolesGroupedWithPermissionsRow, error) {
rows, err := q.db.Query(ctx, getRolesGroupedWithPermissions)
if err != nil {
return nil, err
}
defer rows.Close()
var items []GetRolesGroupedWithPermissionsRow
for rows.Next() {
var i GetRolesGroupedWithPermissionsRow
if err := rows.Scan(&i.Scope, &i.Roles); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const getUserRoles = `-- name: GetUserRoles :many
SELECT r.id, r.name, r.scope, r.description FROM roles r
JOIN user_roles ur ON r.id = ur.role_id
WHERE ur.user_id = $1
`
func (q *Queries) GetUserRoles(ctx context.Context, userID uuid.UUID) ([]Role, error) {
rows, err := q.db.Query(ctx, getUserRoles, userID)
if err != nil {
return nil, err
}
defer rows.Close()
var items []Role
for rows.Next() {
var i Role
if err := rows.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const unassignUserRole = `-- name: UnassignUserRole :exec
DELETE FROM user_roles
WHERE user_id = $1 AND role_id = (
SELECT id FROM roles r
WHERE r.scope = split_part($2, '_', 1)
AND r.name = right($2, length($2) - position('_' IN $2))
)
`
type UnassignUserRoleParams struct {
UserID uuid.UUID `json:"user_id"`
Key string `json:"key"`
}
func (q *Queries) UnassignUserRole(ctx context.Context, arg UnassignUserRoleParams) error {
_, err := q.db.Exec(ctx, unassignUserRole, arg.UserID, arg.Key)
return err
}

419
internal/repository/service_sessions.sql.go Normal file
View File

@ -0,0 +1,419 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
// sqlc v1.29.0
// source: service_sessions.sql
package repository
import (
"context"
"time"
"github.com/google/uuid"
)
const createServiceSession = `-- name: CreateServiceSession :one
INSERT INTO service_sessions (
service_id, client_id, user_id, issued_at, expires_at, last_active,
ip_address, user_agent, access_token_id, refresh_token_id,
is_active, scope, claims
) VALUES (
$1, $2, $3, NOW(), $4, $5,
$6, $7, $8, $9,
TRUE, $10, $11
)
RETURNING id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims
`
type CreateServiceSessionParams struct {
ServiceID uuid.UUID `json:"service_id"`
ClientID string `json:"client_id"`
UserID *uuid.UUID `json:"user_id"`
ExpiresAt *time.Time `json:"expires_at"`
LastActive *time.Time `json:"last_active"`
IpAddress *string `json:"ip_address"`
UserAgent *string `json:"user_agent"`
AccessTokenID *uuid.UUID `json:"access_token_id"`
RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
Scope *string `json:"scope"`
Claims []byte `json:"claims"`
}
func (q *Queries) CreateServiceSession(ctx context.Context, arg CreateServiceSessionParams) (ServiceSession, error) {
row := q.db.QueryRow(ctx, createServiceSession,
arg.ServiceID,
arg.ClientID,
arg.UserID,
arg.ExpiresAt,
arg.LastActive,
arg.IpAddress,
arg.UserAgent,
arg.AccessTokenID,
arg.RefreshTokenID,
arg.Scope,
arg.Claims,
)
var i ServiceSession
err := row.Scan(
&i.ID,
&i.ServiceID,
&i.ClientID,
&i.UserID,
&i.IssuedAt,
&i.ExpiresAt,
&i.LastActive,
&i.IpAddress,
&i.UserAgent,
&i.AccessTokenID,
&i.RefreshTokenID,
&i.IsActive,
&i.RevokedAt,
&i.Scope,
&i.Claims,
)
return i, err
}
const getServiceSessionByAccessJTI = `-- name: GetServiceSessionByAccessJTI :one
SELECT id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims FROM service_sessions
WHERE access_token_id = $1
AND is_active = TRUE
`
func (q *Queries) GetServiceSessionByAccessJTI(ctx context.Context, accessTokenID *uuid.UUID) (ServiceSession, error) {
row := q.db.QueryRow(ctx, getServiceSessionByAccessJTI, accessTokenID)
var i ServiceSession
err := row.Scan(
&i.ID,
&i.ServiceID,
&i.ClientID,
&i.UserID,
&i.IssuedAt,
&i.ExpiresAt,
&i.LastActive,
&i.IpAddress,
&i.UserAgent,
&i.AccessTokenID,
&i.RefreshTokenID,
&i.IsActive,
&i.RevokedAt,
&i.Scope,
&i.Claims,
)
return i, err
}
const getServiceSessionByRefreshJTI = `-- name: GetServiceSessionByRefreshJTI :one
SELECT id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims FROM service_sessions
WHERE refresh_token_id = $1
`
func (q *Queries) GetServiceSessionByRefreshJTI(ctx context.Context, refreshTokenID *uuid.UUID) (ServiceSession, error) {
row := q.db.QueryRow(ctx, getServiceSessionByRefreshJTI, refreshTokenID)
var i ServiceSession
err := row.Scan(
&i.ID,
&i.ServiceID,
&i.ClientID,
&i.UserID,
&i.IssuedAt,
&i.ExpiresAt,
&i.LastActive,
&i.IpAddress,
&i.UserAgent,
&i.AccessTokenID,
&i.RefreshTokenID,
&i.IsActive,
&i.RevokedAt,
&i.Scope,
&i.Claims,
)
return i, err
}
const getServiceSessions = `-- name: GetServiceSessions :many
SELECT session.id, session.service_id, session.client_id, session.user_id, session.issued_at, session.expires_at, session.last_active, session.ip_address, session.user_agent, session.access_token_id, session.refresh_token_id, session.is_active, session.revoked_at, session.scope, session.claims, service.id, service.client_id, service.client_secret, service.name, service.redirect_uris, service.scopes, service.grant_types, service.created_at, service.updated_at, service.is_active, service.description, service.icon_url, u.id, u.email, u.full_name, u.password_hash, u.is_admin, u.created_at, u.updated_at, u.last_login, u.phone_number, u.profile_picture, u.created_by, u.email_verified, u.avatar_verified, u.verified
FROM service_sessions AS session
JOIN api_services AS service ON service.id = session.service_id
JOIN users AS u ON u.id = session.user_id
ORDER BY session.issued_at DESC
LIMIT $1 OFFSET $2
`
type GetServiceSessionsParams struct {
Limit int32 `json:"limit"`
Offset int32 `json:"offset"`
}
type GetServiceSessionsRow struct {
ServiceSession ServiceSession `json:"service_session"`
ApiService ApiService `json:"api_service"`
User User `json:"user"`
}
func (q *Queries) GetServiceSessions(ctx context.Context, arg GetServiceSessionsParams) ([]GetServiceSessionsRow, error) {
rows, err := q.db.Query(ctx, getServiceSessions, arg.Limit, arg.Offset)
if err != nil {
return nil, err
}
defer rows.Close()
var items []GetServiceSessionsRow
for rows.Next() {
var i GetServiceSessionsRow
if err := rows.Scan(
&i.ServiceSession.ID,
&i.ServiceSession.ServiceID,
&i.ServiceSession.ClientID,
&i.ServiceSession.UserID,
&i.ServiceSession.IssuedAt,
&i.ServiceSession.ExpiresAt,
&i.ServiceSession.LastActive,
&i.ServiceSession.IpAddress,
&i.ServiceSession.UserAgent,
&i.ServiceSession.AccessTokenID,
&i.ServiceSession.RefreshTokenID,
&i.ServiceSession.IsActive,
&i.ServiceSession.RevokedAt,
&i.ServiceSession.Scope,
&i.ServiceSession.Claims,
&i.ApiService.ID,
&i.ApiService.ClientID,
&i.ApiService.ClientSecret,
&i.ApiService.Name,
&i.ApiService.RedirectUris,
&i.ApiService.Scopes,
&i.ApiService.GrantTypes,
&i.ApiService.CreatedAt,
&i.ApiService.UpdatedAt,
&i.ApiService.IsActive,
&i.ApiService.Description,
&i.ApiService.IconUrl,
&i.User.ID,
&i.User.Email,
&i.User.FullName,
&i.User.PasswordHash,
&i.User.IsAdmin,
&i.User.CreatedAt,
&i.User.UpdatedAt,
&i.User.LastLogin,
&i.User.PhoneNumber,
&i.User.ProfilePicture,
&i.User.CreatedBy,
&i.User.EmailVerified,
&i.User.AvatarVerified,
&i.User.Verified,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const getServiceSessionsCount = `-- name: GetServiceSessionsCount :one
SELECT COUNT(*) FROM service_sessions
`
func (q *Queries) GetServiceSessionsCount(ctx context.Context) (int64, error) {
row := q.db.QueryRow(ctx, getServiceSessionsCount)
var count int64
err := row.Scan(&count)
return count, err
}
const listActiveServiceSessionsByClient = `-- name: ListActiveServiceSessionsByClient :many
SELECT id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims FROM service_sessions
WHERE client_id = $1
AND is_active = TRUE
ORDER BY issued_at DESC
LIMIT $1 OFFSET $2
`
type ListActiveServiceSessionsByClientParams struct {
Limit int32 `json:"limit"`
Offset int32 `json:"offset"`
}
func (q *Queries) ListActiveServiceSessionsByClient(ctx context.Context, arg ListActiveServiceSessionsByClientParams) ([]ServiceSession, error) {
rows, err := q.db.Query(ctx, listActiveServiceSessionsByClient, arg.Limit, arg.Offset)
if err != nil {
return nil, err
}
defer rows.Close()
var items []ServiceSession
for rows.Next() {
var i ServiceSession
if err := rows.Scan(
&i.ID,
&i.ServiceID,
&i.ClientID,
&i.UserID,
&i.IssuedAt,
&i.ExpiresAt,
&i.LastActive,
&i.IpAddress,
&i.UserAgent,
&i.AccessTokenID,
&i.RefreshTokenID,
&i.IsActive,
&i.RevokedAt,
&i.Scope,
&i.Claims,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const listActiveServiceSessionsByUser = `-- name: ListActiveServiceSessionsByUser :many
SELECT id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims FROM service_sessions
WHERE user_id = $1
AND is_active = TRUE
ORDER BY issued_at DESC
LIMIT $1 OFFSET $2
`
type ListActiveServiceSessionsByUserParams struct {
Limit int32 `json:"limit"`
Offset int32 `json:"offset"`
}
func (q *Queries) ListActiveServiceSessionsByUser(ctx context.Context, arg ListActiveServiceSessionsByUserParams) ([]ServiceSession, error) {
rows, err := q.db.Query(ctx, listActiveServiceSessionsByUser, arg.Limit, arg.Offset)
if err != nil {
return nil, err
}
defer rows.Close()
var items []ServiceSession
for rows.Next() {
var i ServiceSession
if err := rows.Scan(
&i.ID,
&i.ServiceID,
&i.ClientID,
&i.UserID,
&i.IssuedAt,
&i.ExpiresAt,
&i.LastActive,
&i.IpAddress,
&i.UserAgent,
&i.AccessTokenID,
&i.RefreshTokenID,
&i.IsActive,
&i.RevokedAt,
&i.Scope,
&i.Claims,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const listAllServiceSessions = `-- name: ListAllServiceSessions :many
SELECT id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims FROM service_sessions
ORDER BY issued_at DESC
LIMIT $1 OFFSET $2
`
type ListAllServiceSessionsParams struct {
Limit int32 `json:"limit"`
Offset int32 `json:"offset"`
}
func (q *Queries) ListAllServiceSessions(ctx context.Context, arg ListAllServiceSessionsParams) ([]ServiceSession, error) {
rows, err := q.db.Query(ctx, listAllServiceSessions, arg.Limit, arg.Offset)
if err != nil {
return nil, err
}
defer rows.Close()
var items []ServiceSession
for rows.Next() {
var i ServiceSession
if err := rows.Scan(
&i.ID,
&i.ServiceID,
&i.ClientID,
&i.UserID,
&i.IssuedAt,
&i.ExpiresAt,
&i.LastActive,
&i.IpAddress,
&i.UserAgent,
&i.AccessTokenID,
&i.RefreshTokenID,
&i.IsActive,
&i.RevokedAt,
&i.Scope,
&i.Claims,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const revokeServiceSession = `-- name: RevokeServiceSession :exec
UPDATE service_sessions
SET is_active = FALSE,
revoked_at = NOW()
WHERE id = $1
AND is_active = TRUE
`
func (q *Queries) RevokeServiceSession(ctx context.Context, id uuid.UUID) error {
_, err := q.db.Exec(ctx, revokeServiceSession, id)
return err
}
const updateServiceSessionLastActive = `-- name: UpdateServiceSessionLastActive :exec
UPDATE service_sessions
SET last_active = NOW()
WHERE id = $1
AND is_active = TRUE
`
func (q *Queries) UpdateServiceSessionLastActive(ctx context.Context, id uuid.UUID) error {
_, err := q.db.Exec(ctx, updateServiceSessionLastActive, id)
return err
}
const updateServiceSessionTokens = `-- name: UpdateServiceSessionTokens :exec
UPDATE service_sessions
SET access_token_id = $2, refresh_token_id = $3, expires_at = $4
WHERE id = $1
AND is_active = TRUE
`
type UpdateServiceSessionTokensParams struct {
ID uuid.UUID `json:"id"`
AccessTokenID *uuid.UUID `json:"access_token_id"`
RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
ExpiresAt *time.Time `json:"expires_at"`
}
func (q *Queries) UpdateServiceSessionTokens(ctx context.Context, arg UpdateServiceSessionTokensParams) error {
_, err := q.db.Exec(ctx, updateServiceSessionTokens,
arg.ID,
arg.AccessTokenID,
arg.RefreshTokenID,
arg.ExpiresAt,
)
return err
}

334
internal/repository/user_sessions.sql.go Normal file
View File

@ -0,0 +1,334 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
// sqlc v1.29.0
// source: user_sessions.sql
package repository
import (
"context"
"time"
"github.com/google/uuid"
)
const createUserSession = `-- name: CreateUserSession :one
INSERT INTO user_sessions (
user_id, session_type, issued_at, expires_at, last_active,
ip_address, user_agent, access_token_id, refresh_token_id,
device_info, is_active
) VALUES (
$1, $2, NOW(), $3, $4,
$5, $6, $7, $8,
$9, TRUE
)
RETURNING id, user_id, session_type, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, device_info, is_active, revoked_at
`
type CreateUserSessionParams struct {
UserID uuid.UUID `json:"user_id"`
SessionType string `json:"session_type"`
ExpiresAt *time.Time `json:"expires_at"`
LastActive *time.Time `json:"last_active"`
IpAddress *string `json:"ip_address"`
UserAgent *string `json:"user_agent"`
AccessTokenID *uuid.UUID `json:"access_token_id"`
RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
DeviceInfo []byte `json:"device_info"`
}
func (q *Queries) CreateUserSession(ctx context.Context, arg CreateUserSessionParams) (UserSession, error) {
row := q.db.QueryRow(ctx, createUserSession,
arg.UserID,
arg.SessionType,
arg.ExpiresAt,
arg.LastActive,
arg.IpAddress,
arg.UserAgent,
arg.AccessTokenID,
arg.RefreshTokenID,
arg.DeviceInfo,
)
var i UserSession
err := row.Scan(
&i.ID,
&i.UserID,
&i.SessionType,
&i.IssuedAt,
&i.ExpiresAt,
&i.LastActive,
&i.IpAddress,
&i.UserAgent,
&i.AccessTokenID,
&i.RefreshTokenID,
&i.DeviceInfo,
&i.IsActive,
&i.RevokedAt,
)
return i, err
}
const getUserSessionByAccessJTI = `-- name: GetUserSessionByAccessJTI :one
SELECT id, user_id, session_type, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, device_info, is_active, revoked_at FROM user_sessions
WHERE access_token_id = $1
AND is_active = TRUE
`
func (q *Queries) GetUserSessionByAccessJTI(ctx context.Context, accessTokenID *uuid.UUID) (UserSession, error) {
row := q.db.QueryRow(ctx, getUserSessionByAccessJTI, accessTokenID)
var i UserSession
err := row.Scan(
&i.ID,
&i.UserID,
&i.SessionType,
&i.IssuedAt,
&i.ExpiresAt,
&i.LastActive,
&i.IpAddress,
&i.UserAgent,
&i.AccessTokenID,
&i.RefreshTokenID,
&i.DeviceInfo,
&i.IsActive,
&i.RevokedAt,
)
return i, err
}
const getUserSessionByRefreshJTI = `-- name: GetUserSessionByRefreshJTI :one
SELECT id, user_id, session_type, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, device_info, is_active, revoked_at FROM user_sessions
WHERE refresh_token_id = $1
`
func (q *Queries) GetUserSessionByRefreshJTI(ctx context.Context, refreshTokenID *uuid.UUID) (UserSession, error) {
row := q.db.QueryRow(ctx, getUserSessionByRefreshJTI, refreshTokenID)
var i UserSession
err := row.Scan(
&i.ID,
&i.UserID,
&i.SessionType,
&i.IssuedAt,
&i.ExpiresAt,
&i.LastActive,
&i.IpAddress,
&i.UserAgent,
&i.AccessTokenID,
&i.RefreshTokenID,
&i.DeviceInfo,
&i.IsActive,
&i.RevokedAt,
)
return i, err
}
const getUserSessions = `-- name: GetUserSessions :many
SELECT session.id, session.user_id, session.session_type, session.issued_at, session.expires_at, session.last_active, session.ip_address, session.user_agent, session.access_token_id, session.refresh_token_id, session.device_info, session.is_active, session.revoked_at, u.id, u.email, u.full_name, u.password_hash, u.is_admin, u.created_at, u.updated_at, u.last_login, u.phone_number, u.profile_picture, u.created_by, u.email_verified, u.avatar_verified, u.verified
FROM user_sessions AS session
JOIN users AS u ON u.id = session.user_id
ORDER BY session.issued_at DESC
LIMIT $1 OFFSET $2
`
type GetUserSessionsParams struct {
Limit int32 `json:"limit"`
Offset int32 `json:"offset"`
}
type GetUserSessionsRow struct {
UserSession UserSession `json:"user_session"`
User User `json:"user"`
}
func (q *Queries) GetUserSessions(ctx context.Context, arg GetUserSessionsParams) ([]GetUserSessionsRow, error) {
rows, err := q.db.Query(ctx, getUserSessions, arg.Limit, arg.Offset)
if err != nil {
return nil, err
}
defer rows.Close()
var items []GetUserSessionsRow
for rows.Next() {
var i GetUserSessionsRow
if err := rows.Scan(
&i.UserSession.ID,
&i.UserSession.UserID,
&i.UserSession.SessionType,
&i.UserSession.IssuedAt,
&i.UserSession.ExpiresAt,
&i.UserSession.LastActive,
&i.UserSession.IpAddress,
&i.UserSession.UserAgent,
&i.UserSession.AccessTokenID,
&i.UserSession.RefreshTokenID,
&i.UserSession.DeviceInfo,
&i.UserSession.IsActive,
&i.UserSession.RevokedAt,
&i.User.ID,
&i.User.Email,
&i.User.FullName,
&i.User.PasswordHash,
&i.User.IsAdmin,
&i.User.CreatedAt,
&i.User.UpdatedAt,
&i.User.LastLogin,
&i.User.PhoneNumber,
&i.User.ProfilePicture,
&i.User.CreatedBy,
&i.User.EmailVerified,
&i.User.AvatarVerified,
&i.User.Verified,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const getUserSessionsCount = `-- name: GetUserSessionsCount :one
SELECT COUNT(*) FROM user_sessions
`
func (q *Queries) GetUserSessionsCount(ctx context.Context) (int64, error) {
row := q.db.QueryRow(ctx, getUserSessionsCount)
var count int64
err := row.Scan(&count)
return count, err
}
const listActiveUserSessions = `-- name: ListActiveUserSessions :many
SELECT id, user_id, session_type, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, device_info, is_active, revoked_at FROM user_sessions
WHERE user_id = $1
AND is_active = TRUE
ORDER BY issued_at DESC
`
func (q *Queries) ListActiveUserSessions(ctx context.Context, userID uuid.UUID) ([]UserSession, error) {
rows, err := q.db.Query(ctx, listActiveUserSessions, userID)
if err != nil {
return nil, err
}
defer rows.Close()
var items []UserSession
for rows.Next() {
var i UserSession
if err := rows.Scan(
&i.ID,
&i.UserID,
&i.SessionType,
&i.IssuedAt,
&i.ExpiresAt,
&i.LastActive,
&i.IpAddress,
&i.UserAgent,
&i.AccessTokenID,
&i.RefreshTokenID,
&i.DeviceInfo,
&i.IsActive,
&i.RevokedAt,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const listAllSessions = `-- name: ListAllSessions :many
SELECT id, user_id, session_type, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, device_info, is_active, revoked_at FROM user_sessions
ORDER BY issued_at DESC
LIMIT $1 OFFSET $2
`
type ListAllSessionsParams struct {
Limit int32 `json:"limit"`
Offset int32 `json:"offset"`
}
func (q *Queries) ListAllSessions(ctx context.Context, arg ListAllSessionsParams) ([]UserSession, error) {
rows, err := q.db.Query(ctx, listAllSessions, arg.Limit, arg.Offset)
if err != nil {
return nil, err
}
defer rows.Close()
var items []UserSession
for rows.Next() {
var i UserSession
if err := rows.Scan(
&i.ID,
&i.UserID,
&i.SessionType,
&i.IssuedAt,
&i.ExpiresAt,
&i.LastActive,
&i.IpAddress,
&i.UserAgent,
&i.AccessTokenID,
&i.RefreshTokenID,
&i.DeviceInfo,
&i.IsActive,
&i.RevokedAt,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const revokeUserSession = `-- name: RevokeUserSession :exec
UPDATE user_sessions
SET is_active = FALSE,
revoked_at = NOW()
WHERE id = $1
AND is_active = TRUE
`
func (q *Queries) RevokeUserSession(ctx context.Context, id uuid.UUID) error {
_, err := q.db.Exec(ctx, revokeUserSession, id)
return err
}
const updateSessionLastActive = `-- name: UpdateSessionLastActive :exec
UPDATE user_sessions
SET last_active = NOW()
WHERE id = $1
AND is_active = TRUE
`
func (q *Queries) UpdateSessionLastActive(ctx context.Context, id uuid.UUID) error {
_, err := q.db.Exec(ctx, updateSessionLastActive, id)
return err
}
const updateSessionTokens = `-- name: UpdateSessionTokens :exec
UPDATE user_sessions
SET access_token_id = $2, refresh_token_id = $3, expires_at = $4
WHERE id = $1
AND is_active = TRUE
`
type UpdateSessionTokensParams struct {
ID uuid.UUID `json:"id"`
AccessTokenID *uuid.UUID `json:"access_token_id"`
RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
ExpiresAt *time.Time `json:"expires_at"`
}
func (q *Queries) UpdateSessionTokens(ctx context.Context, arg UpdateSessionTokensParams) error {
_, err := q.db.Exec(ctx, updateSessionTokens,
arg.ID,
arg.AccessTokenID,
arg.RefreshTokenID,
arg.ExpiresAt,
)
return err
}

38
internal/types/apiservices.go Normal file
View File

@ -0,0 +1,38 @@
package types
import (
"time"
"gitea.local/admin/hspguard/internal/repository"
"github.com/google/uuid"
)
type ApiServiceDTO struct {
ID uuid.UUID `json:"id"`
ClientID string `json:"client_id"`
Name string `json:"name"`
Description *string `json:"description"`
IconUrl *string `json:"icon_url"`
RedirectUris []string `json:"redirect_uris"`
Scopes []string `json:"scopes"`
GrantTypes []string `json:"grant_types"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
IsActive bool `json:"is_active"`
}
func NewApiServiceDTO(service repository.ApiService) ApiServiceDTO {
return ApiServiceDTO{
ID: service.ID,
ClientID: service.ClientID,
Name: service.Name,
Description: service.Description,
IconUrl: service.IconUrl,
RedirectUris: service.RedirectUris,
Scopes: service.Scopes,
GrantTypes: service.GrantTypes,
CreatedAt: service.CreatedAt,
UpdatedAt: service.UpdatedAt,
IsActive: service.IsActive,
}
}

12
internal/types/device.go Normal file
View File

@ -0,0 +1,12 @@
package types
type DeviceInfo struct {
DeviceType string `json:"device_type"`
OS string `json:"os"`
OSVersion string `json:"os_version"`
Browser string `json:"browser"`
BrowserVersion string `json:"browser_version"`
DeviceName string `json:"device_name"`
UserAgent string `json:"user_agent"`
Location string `json:"location"`
}

2
internal/types/middleware.go
View File

@ -3,4 +3,4 @@ package types
type contextKey string
const UserIdKey contextKey = "userID"
const JTIKey contextKey = "jti"

29
internal/types/session.go Normal file
View File

@ -0,0 +1,29 @@
package types
import "gitea.local/admin/hspguard/internal/repository"
type ServiceSessionDTO struct {
User UserDTO `json:"user"`
ApiService ApiServiceDTO `json:"api_service"`
repository.ServiceSession
}
func NewServiceSessionDTO(row *repository.GetServiceSessionsRow) *ServiceSessionDTO {
return &ServiceSessionDTO{
User: NewUserDTO(&row.User),
ApiService: NewApiServiceDTO(row.ApiService),
ServiceSession: row.ServiceSession,
}
}
type UserSessionDTO struct {
User UserDTO `json:"user"`
repository.UserSession
}
func NewUserSessionDTO(row *repository.GetUserSessionsRow) *UserSessionDTO {
return &UserSessionDTO{
User: NewUserDTO(&row.User),
UserSession: row.UserSession,
}
}

21
internal/types/token.go Normal file
View File

@ -0,0 +1,21 @@
package types
import (
"time"
"github.com/google/uuid"
)
type SignedToken struct {
Token string
ExpiresAt time.Time
ID uuid.UUID
}
func NewSignedToken(token string, expiresAt time.Time, jti uuid.UUID) *SignedToken {
return &SignedToken{
Token: token,
ExpiresAt: expiresAt,
ID: jti,
}
}

215
internal/user/permissions.go Normal file
View File

@ -0,0 +1,215 @@
package user
import (
"context"
"log"
"gitea.local/admin/hspguard/internal/repository"
)
func String(s string) *string {
return &s
}
type RolePermissions struct {
Permissions []string `json:"permissions"`
repository.Role
}
var (
SYSTEM_SCOPE string = "system"
SYSTEM_PERMISSIONS []repository.Permission = []repository.Permission{
{
Name: "log_into_guard",
Description: String("Allow users to log into their accounts"),
},
{
Name: "register",
Description: String("Allow users to register new accounts"),
},
{
Name: "edit_profile",
Description: String("Allow users to edit their profiles"),
},
{
Name: "recover_credentials",
Description: String("Allow users to recover their password/email"),
},
{
Name: "verify_profile",
Description: String("Allow users to verify their accounts"),
},
{
Name: "access_home_services",
Description: String("Allow users to access home services and tools"),
},
{
Name: "view_sessions",
Description: String("Allow users to view their active sessions"),
},
{
Name: "revoke_sessions",
Description: String("Allow users to revoke their active sessions"),
},
{
Name: "view_api_services",
Description: String("Allow users to view API Services (for admin)"),
},
{
Name: "add_api_services",
Description: String("Allow users to register new API Services (for admin)"),
},
{
Name: "edit_api_services",
Description: String("Allow users to edit API Services (for admin)"),
},
{
Name: "remove_api_services",
Description: String("Allow users to remove API Services (for admin)"),
},
{
Name: "view_users",
Description: String("Allow users to view other users (for admin)"),
},
{
Name: "add_users",
Description: String("Allow users to create new users (for admin)"),
},
// TODO: block, delete users
{
Name: "view_user_sessions",
Description: String("Allow users to view user sessions (for admin)"),
},
{
Name: "revoke_user_sessions",
Description: String("Allow users to revoke user sessions (for admin)"),
},
{
Name: "view_service_sessions",
Description: String("Allow users to view service sessions (for admin)"),
},
{
Name: "revoke_service_sessions",
Description: String("Allow users to revoke service sessions (for admin)"),
},
{
Name: "view_permissions",
Description: String("Allow users to view all permissions (for admin)"),
},
{
Name: "view_roles_groups",
Description: String("Allow users to view roles & groups (for admin)"),
},
}
SYSTEM_ROLES []RolePermissions = []RolePermissions{
{
Permissions: []string{
"system_log_into_guard",
"system_register",
"system_edit_profile",
"system_recover_credentials",
"system_verify_profile",
"system_access_home_services",
"system_view_sessions",
"system_revoke_sessions",
"system_view_api_services",
"system_add_api_services",
"system_edit_api_services",
"system_remove_api_services",
"system_view_users",
"system_add_users",
"system_view_user_sessions",
"system_revoke_user_sessions",
"system_view_service_sessions",
"system_revoke_service_sessions",
"system_view_permissions",
"system_view_roles_groups",
},
Role: repository.Role{
Name: "admin",
Description: String("User with full power"),
},
},
{
Permissions: []string{
"system_log_into_guard",
"system_register",
"system_edit_profile",
"system_recover_credentials",
"system_verify_profile",
"system_access_home_services",
"system_view_sessions",
"system_revoke_sessions",
},
Role: repository.Role{
Name: "member",
Description: String("User that is able to use home services"),
},
},
{
Permissions: []string{
"system_log_into_guard",
"system_register",
},
Role: repository.Role{
Name: "guest",
Description: String("New user that needs approve for everything from admin"),
},
},
}
)
func EnsureSystemPermissions(ctx context.Context, repo *repository.Queries) {
for _, permission := range SYSTEM_PERMISSIONS {
_, err := repo.FindPermission(ctx, repository.FindPermissionParams{
Name: permission.Name,
Scope: SYSTEM_SCOPE,
})
if err != nil {
log.Printf("INFO: Creating SYSTEM permission: '%s'\n", permission.Name)
_, err = repo.CreatePermission(ctx, repository.CreatePermissionParams{
Name: permission.Name,
Scope: SYSTEM_SCOPE,
Description: permission.Description,
})
if err != nil {
log.Fatalf("ERR: Failed to create SYSTEM permission: '%s'\n", permission.Name)
}
}
}
for _, role := range SYSTEM_ROLES {
var found repository.Role
var err error
found, err = repo.FindRole(ctx, repository.FindRoleParams{
Scope: SYSTEM_SCOPE,
Name: role.Name,
})
if err != nil {
log.Printf("INFO: Create new SYSTEM role '%s'\n", role.Name)
found, err = repo.CreateRole(ctx, repository.CreateRoleParams{
Name: role.Name,
Scope: SYSTEM_SCOPE,
Description: role.Description,
})
if err != nil {
log.Fatalf("ERR: Failed to create SYSTEM role '%s': %v\n", role.Name, err)
}
}
for _, perm := range role.Permissions {
if _, exists := repo.GetRoleAssignment(ctx, repository.GetRoleAssignmentParams{
RoleID: found.ID,
Key: perm,
}); exists != nil {
if err := repo.AssignRolePermission(ctx, repository.AssignRolePermissionParams{
RoleID: found.ID,
Key: perm,
}); err != nil {
log.Fatalf("ERR: Failed to assign permission '%s' to SYSTEM role %s: %v\n", perm, found.Name, err)
}
}
}
}
}

2
internal/user/routes.go
View File

@ -38,7 +38,7 @@ func NewUserHandler(repo *repository.Queries, minio *storage.FileStorage, cfg *c
func (h *UserHandler) RegisterRoutes(api chi.Router) {
api.Group(func(protected chi.Router) {
authMiddleware := imiddleware.NewAuthMiddleware(h.cfg)
authMiddleware := imiddleware.NewAuthMiddleware(h.cfg, h.repo)
protected.Use(authMiddleware.Runner)
protected.Put("/avatar", h.uploadAvatar)

46
internal/util/location.go Normal file
View File

@ -0,0 +1,46 @@
package util
import (
"encoding/json"
"log"
"net"
"net/http"
"strings"
)
type LocationResult struct {
Country string `json:"country"`
Region string `json:"regionName"`
City string `json:"city"`
}
func GetLocation(ip string) (LocationResult, error) {
var loc LocationResult
// Example using ipinfo.io free API
resp, err := http.Get("http://ip-api.com/json/" + ip + "?fields=25")
if err != nil {
return loc, err
}
defer resp.Body.Close()
json.NewDecoder(resp.Body).Decode(&loc)
return loc, nil
}
func GetClientIP(r *http.Request) string {
// This header will be set by ngrok to the original client IP
if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
log.Printf("DEBUG: Getting IP from X-Forwarded-For: %s\n", xff)
// X-Forwarded-For: client, proxy1, proxy2, ...
ips := strings.Split(xff, ",")
if len(ips) > 0 {
return strings.TrimSpace(ips[0])
}
}
// Fallback to RemoteAddr (not the real client IP, but just in case)
host, _, err := net.SplitHostPort(r.RemoteAddr)
log.Printf("DEBUG: Falling to request remote addr: %s (%s)\n", host, r.RemoteAddr)
if err != nil {
return r.RemoteAddr
}
return host
}

4
internal/util/request.go
View File

@ -11,3 +11,7 @@ func GetRequestUserId(ctx context.Context) (string, bool) {
return userId, ok
}
func GetRequestJTI(ctx context.Context) (string, bool) {
jti, ok := ctx.Value(types.JTIKey).(string)
return jti, ok
}

39
internal/util/session.go Normal file
View File

@ -0,0 +1,39 @@
package util
import (
"encoding/json"
"fmt"
"log"
"gitea.local/admin/hspguard/internal/types"
"github.com/avct/uasurfer"
)
func BuildDeviceInfo(userAgent string, remoteAddr string) []byte {
var deviceInfo types.DeviceInfo
parsed := uasurfer.Parse(userAgent)
deviceInfo.Browser = parsed.Browser.Name.StringTrimPrefix()
deviceInfo.BrowserVersion = fmt.Sprintf("%d.%d.%d", parsed.Browser.Version.Major, parsed.Browser.Version.Minor, parsed.Browser.Version.Patch)
deviceInfo.DeviceName = fmt.Sprintf("%s %s", parsed.OS.Platform.StringTrimPrefix(), parsed.OS.Name.StringTrimPrefix())
deviceInfo.DeviceType = parsed.DeviceType.StringTrimPrefix()
deviceInfo.OS = parsed.OS.Platform.StringTrimPrefix()
deviceInfo.OSVersion = fmt.Sprintf("%d.%d.%d", parsed.OS.Version.Major, parsed.OS.Version.Minor, parsed.OS.Version.Patch)
deviceInfo.UserAgent = userAgent
if location, err := GetLocation(remoteAddr); err != nil {
log.Printf("WARN: Failed to get location from ip (%s): %v\n", remoteAddr, err)
} else {
log.Printf("DEBUG: Response from IP fetcher: %#v\n", location)
deviceInfo.Location = fmt.Sprintf("%s, %s, %s", location.Country, location.Region, location.City)
}
serialized, err := json.Marshal(deviceInfo)
if err != nil {
log.Printf("ERR: Failed to serialize device info: %v\n", err)
serialized = []byte{'{', '}'}
}
return serialized
}

34
migrations/00011_add_user_sessions_table.sql Normal file
View File

@ -0,0 +1,34 @@
-- +goose Up
-- +goose StatementBegin
CREATE TABLE user_sessions (
id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
user_id UUID REFERENCES users (id) NOT NULL,
session_type VARCHAR(32) NOT NULL DEFAULT 'user', -- e.g. 'user', 'admin'
issued_at TIMESTAMP
WITH
TIME ZONE NOT NULL DEFAULT NOW (),
expires_at TIMESTAMP
WITH
TIME ZONE,
last_active TIMESTAMP
WITH
TIME ZONE,
ip_address VARCHAR(45), -- supports IPv4/IPv6
user_agent TEXT,
access_token_id UUID,
refresh_token_id UUID,
device_info JSONB, -- optional: structured info (browser, OS, etc.)
is_active BOOLEAN NOT NULL DEFAULT TRUE,
revoked_at TIMESTAMP
WITH
TIME ZONE
);
CREATE INDEX IF NOT EXISTS idx_user_sessions_user_id ON user_sessions (user_id);
-- +goose StatementEnd
-- +goose Down
-- +goose StatementBegin
DROP TABLE IF EXISTS user_sessions;
-- +goose StatementEnd

38
migrations/00012_add_service_sessions.sql Normal file
View File

@ -0,0 +1,38 @@
-- +goose Up
-- +goose StatementBegin
CREATE TABLE service_sessions (
id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
service_id UUID REFERENCES api_services (id) NOT NULL,
client_id TEXT NOT NULL,
user_id UUID REFERENCES users (id), -- user on behalf of whom the service is acting, nullable for direct use with client creds
issued_at TIMESTAMP
WITH
TIME ZONE NOT NULL DEFAULT NOW (),
expires_at TIMESTAMP
WITH
TIME ZONE,
last_active TIMESTAMP
WITH
TIME ZONE,
ip_address VARCHAR(45),
user_agent TEXT,
access_token_id UUID,
refresh_token_id UUID,
is_active BOOLEAN NOT NULL DEFAULT TRUE,
revoked_at TIMESTAMP
WITH
TIME ZONE,
scope TEXT, -- what scopes/permissions this session was issued for
claims JSONB -- snapshot of claims at session start, optional
);
CREATE INDEX IF NOT EXISTS idx_service_sessions_client_id ON service_sessions (client_id);
CREATE INDEX IF NOT EXISTS idx_service_sessions_user_id ON service_sessions (user_id);
-- +goose StatementEnd
-- +goose Down
-- +goose StatementBegin
DROP TABLE IF EXISTS service_sessions;
-- +goose StatementEnd

55
migrations/00013_add_group_role_permission.sql Normal file
View File

@ -0,0 +1,55 @@
-- +goose Up
-- +goose StatementBegin
-- ROLES
CREATE TABLE roles (
id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
name TEXT NOT NULL,
scope TEXT NOT NULL,
description TEXT,
UNIQUE (name, scope)
);
-- PERMISSIONS
CREATE TABLE permissions (
id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
name TEXT NOT NULL,
scope TEXT NOT NULL,
description TEXT,
UNIQUE (name, scope)
);
-- ROLE-PERMISSIONS (many-to-many)
CREATE TABLE role_permissions (
role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
PRIMARY KEY (role_id, permission_id)
);
-- USER-ROLES (direct assignment, optional)
CREATE TABLE user_roles (
user_id UUID REFERENCES users (id) ON DELETE CASCADE,
role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
PRIMARY KEY (user_id, role_id)
);
-- USER-PERMISSIONS (direct assignment, optional)
CREATE TABLE user_permissions (
user_id UUID REFERENCES users (id) ON DELETE CASCADE,
permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
PRIMARY KEY (user_id, permission_id)
);
-- +goose StatementEnd
-- +goose Down
-- +goose StatementBegin
DROP TABLE IF EXISTS user_permissions;
DROP TABLE IF EXISTS user_roles;
DROP TABLE IF EXISTS role_permissions;
DROP TABLE IF EXISTS permissions;
DROP TABLE IF EXISTS roles;
-- +goose StatementEnd

29
queries/permissions.sql Normal file
View File

@ -0,0 +1,29 @@
-- name: GetAllPermissions :many
SELECT *
FROM permissions p
ORDER BY p.scope;
-- name: GetGroupedPermissions :many
SELECT scope, json_agg(to_jsonb(permissions.*) ORDER BY name) as permissions
FROM permissions
GROUP BY scope;
-- name: CreatePermission :one
INSERT into permissions (
name, scope, description
) VALUES (
$1, $2, $3
) RETURNING *;
-- name: FindPermission :one
SELECT * FROM permissions
WHERE name = $1 AND scope = $2;
-- name: GetUserPermissions :many
SELECT DISTINCT p.id,p.name,p.scope,p.description
FROM user_roles ur
JOIN role_permissions rp ON ur.role_id = rp.role_id
JOIN permissions p ON rp.permission_id = p.id
WHERE ur.user_id = $1
ORDER BY p.scope;

109
queries/roles.sql Normal file
View File

@ -0,0 +1,109 @@
-- name: FindRole :one
SELECT *
FROM roles
WHERE scope = $1 AND name = $2;
-- name: GetRolesGroupedWithPermissions :many
SELECT
r.scope,
json_agg (
json_build_object (
'id',
r.id,
'name',
r.name,
'scope',
r.scope,
'description',
r.description,
'permissions',
COALESCE(p_list.permissions, '[]')
)
ORDER BY
r.name
) AS roles
FROM
roles r
LEFT JOIN (
SELECT
rp.role_id,
json_agg (
json_build_object (
'id',
p.id,
'name',
p.name,
'scope',
p.scope,
'description',
p.description
)
ORDER BY
p.name
) AS permissions
FROM
role_permissions rp
JOIN permissions p ON p.id = rp.permission_id
GROUP BY
rp.role_id
) p_list ON p_list.role_id = r.id
GROUP BY
r.scope;
-- name: CreateRole :one
INSERT INTO roles (name, scope, description)
VALUES ($1, $2, $3)
RETURNING *;
-- name: GetRoleAssignment :one
SELECT * FROM role_permissions
WHERE role_id = $1 AND permission_id = (SELECT id FROM permissions p WHERE p.scope = split_part(sqlc.arg('key'), '_', 1) AND p.name = right(sqlc.arg('key'), length(sqlc.arg('key')) - position('_' IN sqlc.arg('key'))))
LIMIT 1;
-- name: AssignRolePermission :exec
INSERT INTO role_permissions (role_id, permission_id)
VALUES (
$1,
(
SELECT id
FROM permissions p
WHERE p.scope = split_part(sqlc.arg('key'), '_', 1)
AND p.name = right(sqlc.arg('key'), length(sqlc.arg('key')) - position('_' IN sqlc.arg('key')))
)
);
-- name: AddPermissionsToRoleByKey :exec
INSERT INTO role_permissions (role_id, permission_id)
SELECT
sqlc.arg(role_id),
p.id
FROM
permissions p
JOIN
unnest(sqlc.arg(permission_keys)::text[]) AS key_str
ON key_str = p.scope || '_' || p.name;
-- name: GetUserRoles :many
SELECT r.* FROM roles r
JOIN user_roles ur ON r.id = ur.role_id
WHERE ur.user_id = $1;
-- name: AssignUserRole :exec
INSERT INTO user_roles (user_id, role_id)
VALUES ($1, (
SELECT id FROM roles r
WHERE r.scope = split_part(sqlc.arg('key'), '_', 1)
AND r.name = right(sqlc.arg('key'), length(sqlc.arg('key')) - position('_' IN sqlc.arg('key')))
));
-- name: UnassignUserRole :exec
DELETE FROM user_roles
WHERE user_id = $1 AND role_id = (
SELECT id FROM roles r
WHERE r.scope = split_part(sqlc.arg('key'), '_', 1)
AND r.name = right(sqlc.arg('key'), length(sqlc.arg('key')) - position('_' IN sqlc.arg('key')))
);
-- name: FindUserRole :one
SELECT * FROM user_roles
WHERE user_id = $1 AND role_id = (SELECT id FROM roles r WHERE r.scope = split_part(sqlc.arg('key'), '_', 1) AND r.name = right(sqlc.arg('key'), length(sqlc.arg('key')) - position('_' IN sqlc.arg('key'))))
LIMIT 1;

69
queries/service_sessions.sql Normal file
View File

@ -0,0 +1,69 @@
-- name: CreateServiceSession :one
INSERT INTO service_sessions (
service_id, client_id, user_id, issued_at, expires_at, last_active,
ip_address, user_agent, access_token_id, refresh_token_id,
is_active, scope, claims
) VALUES (
$1, $2, $3, NOW(), $4, $5,
$6, $7, $8, $9,
TRUE, $10, $11
)
RETURNING *;
-- name: ListActiveServiceSessionsByClient :many
SELECT * FROM service_sessions
WHERE client_id = $1
AND is_active = TRUE
ORDER BY issued_at DESC
LIMIT $1 OFFSET $2;
-- name: ListActiveServiceSessionsByUser :many
SELECT * FROM service_sessions
WHERE user_id = $1
AND is_active = TRUE
ORDER BY issued_at DESC
LIMIT $1 OFFSET $2;
-- name: GetServiceSessionByAccessJTI :one
SELECT * FROM service_sessions
WHERE access_token_id = $1
AND is_active = TRUE;
-- name: GetServiceSessionByRefreshJTI :one
SELECT * FROM service_sessions
WHERE refresh_token_id = $1;
-- name: RevokeServiceSession :exec
UPDATE service_sessions
SET is_active = FALSE,
revoked_at = NOW()
WHERE id = $1
AND is_active = TRUE;
-- name: UpdateServiceSessionLastActive :exec
UPDATE service_sessions
SET last_active = NOW()
WHERE id = $1
AND is_active = TRUE;
-- name: UpdateServiceSessionTokens :exec
UPDATE service_sessions
SET access_token_id = $2, refresh_token_id = $3, expires_at = $4
WHERE id = $1
AND is_active = TRUE;
-- name: ListAllServiceSessions :many
SELECT * FROM service_sessions
ORDER BY issued_at DESC
LIMIT $1 OFFSET $2;
-- name: GetServiceSessions :many
SELECT sqlc.embed(session), sqlc.embed(service), sqlc.embed(u)
FROM service_sessions AS session
JOIN api_services AS service ON service.id = session.service_id
JOIN users AS u ON u.id = session.user_id
ORDER BY session.issued_at DESC
LIMIT $1 OFFSET $2;
-- name: GetServiceSessionsCount :one
SELECT COUNT(*) FROM service_sessions;

60
queries/user_sessions.sql Normal file
View File

@ -0,0 +1,60 @@
-- name: CreateUserSession :one
INSERT INTO user_sessions (
user_id, session_type, issued_at, expires_at, last_active,
ip_address, user_agent, access_token_id, refresh_token_id,
device_info, is_active
) VALUES (
$1, $2, NOW(), $3, $4,
$5, $6, $7, $8,
$9, TRUE
)
RETURNING *;
-- name: ListActiveUserSessions :many
SELECT * FROM user_sessions
WHERE user_id = $1
AND is_active = TRUE
ORDER BY issued_at DESC;
-- name: GetUserSessionByAccessJTI :one
SELECT * FROM user_sessions
WHERE access_token_id = $1
AND is_active = TRUE;
-- name: GetUserSessionByRefreshJTI :one
SELECT * FROM user_sessions
WHERE refresh_token_id = $1;
-- name: RevokeUserSession :exec
UPDATE user_sessions
SET is_active = FALSE,
revoked_at = NOW()
WHERE id = $1
AND is_active = TRUE;
-- name: UpdateSessionLastActive :exec
UPDATE user_sessions
SET last_active = NOW()
WHERE id = $1
AND is_active = TRUE;
-- name: UpdateSessionTokens :exec
UPDATE user_sessions
SET access_token_id = $2, refresh_token_id = $3, expires_at = $4
WHERE id = $1
AND is_active = TRUE;
-- name: ListAllSessions :many
SELECT * FROM user_sessions
ORDER BY issued_at DESC
LIMIT $1 OFFSET $2;
-- name: GetUserSessions :many
SELECT sqlc.embed(session), sqlc.embed(u)
FROM user_sessions AS session
JOIN users AS u ON u.id = session.user_id
ORDER BY session.issued_at DESC
LIMIT $1 OFFSET $2;
-- name: GetUserSessionsCount :one
SELECT COUNT(*) FROM user_sessions;

25
sqlc.yaml
View File

@ -41,20 +41,39 @@ sql:
# ───── text ──────────────────────────────────────────
- db_type: "pg_catalog.text"
go_type: { type: "string" }
- db_type: "text" # or just "bool"
- db_type: "text"
go_type: { type: "string" }
- db_type: "pg_catalog.text"
nullable: true
go_type:
type: "string"
pointer: true # ⇒ *bool for NULLable columns
pointer: true
- db_type: "text"
nullable: true
go_type:
type: "string"
pointer: true # ⇒ *bool for NULLable columns
pointer: true
- db_type: "pg_catalog.varchar"
go_type: { type: "string" }
- db_type: "varchar"
go_type: { type: "string" }
- db_type: "pg_catalog.varchar"
nullable: true
go_type:
type: "string"
pointer: true
- db_type: "varchar"
nullable: true
go_type:
type: "string"
pointer: true
# ───── timestamp (WITHOUT TZ) ────────────────────────
- db_type: "pg_catalog.timestamp" # or "timestamp"

10
web/package-lock.json generated
View File

@ -12,6 +12,7 @@
"axios": "^1.9.0",
"idb": "^8.0.3",
"lucide-react": "^0.511.0",
"moment": "^2.30.1",
"next-themes": "^0.4.6",
"react": "^19.1.0",
"react-dom": "^19.1.0",
@ -3809,6 +3810,15 @@
"url": "https://github.com/sponsors/isaacs"
}
},
"node_modules/moment": {
"version": "2.30.1",
"resolved": "https://registry.npmjs.org/moment/-/moment-2.30.1.tgz",
"integrity": "sha512-uEmtNhbDOrWPFS+hdjFCBfy9f2YoyzRpwcl+DqpC6taX21FzsTLQVbMV/W7PzNSX6x/bhC1zA3c2UQ5NzH6how==",
"license": "MIT",
"engines": {
"node": "*"
}
},
"node_modules/ms": {
"version": "2.1.3",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",

1
web/package.json
View File

@ -15,6 +15,7 @@
"axios": "^1.9.0",
"idb": "^8.0.3",
"lucide-react": "^0.511.0",
"moment": "^2.30.1",
"next-themes": "^0.4.6",
"react": "^19.1.0",
"react-dom": "^19.1.0",

24
web/src/App.tsx
View File

@ -25,6 +25,10 @@ import VerifyEmailPage from "./pages/Verify/Email";
import VerifyEmailOtpPage from "./pages/Verify/Email/OTP";
import VerifyAvatarPage from "./pages/Verify/Avatar";
import VerifyReviewPage from "./pages/Verify/Review";
import AdminUserSessionsPage from "./pages/Admin/UserSessions";
import AdminServiceSessionsPage from "./pages/Admin/ServiceSessions";
import AdminAppPermissionsPage from "./pages/Admin/AppPermissions";
import AdminRolesGroupsPage from "./pages/Admin/RolesGroups";
const router = createBrowserRouter([
{
@ -81,6 +85,26 @@ const router = createBrowserRouter([
// },
],
},
{
path: "user-sessions",
children: [{ index: true, element: <AdminUserSessionsPage /> }],
},
{
path: "service-sessions",
children: [
{ index: true, element: <AdminServiceSessionsPage /> },
],
},
{
path: "app-permissions",
children: [
{ index: true, element: <AdminAppPermissionsPage /> },
],
},
{
path: "roles-groups",
children: [{ index: true, element: <AdminRolesGroupsPage /> }],
},
],
},
],

34
web/src/api/admin/permissions.ts Normal file
View File

@ -0,0 +1,34 @@
import type { AppPermission } from "@/types";
import { axios, handleApiError } from "..";
export type FetchPermissionsResponse = AppPermission[];
export const getUserPermissionsApi = async (
userId: string,
): Promise<FetchPermissionsResponse> => {
const response = await axios.get<FetchPermissionsResponse>(
`/api/v1/admin/permissions/${userId}`,
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
return response.data;
};
export type FetchGroupedPermissionsResponse = {
scope: string;
permissions: AppPermission[];
}[];
export const getPermissionsApi =
async (): Promise<FetchGroupedPermissionsResponse> => {
const response = await axios.get<FetchGroupedPermissionsResponse>(
"/api/v1/admin/permissions",
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
return response.data;
};

51
web/src/api/admin/roles.ts Normal file
View File

@ -0,0 +1,51 @@
import type { AppPermission, AppRole } from "@/types";
import { axios, handleApiError } from "..";
export type FetchGroupedRolesResponse = {
scope: string;
roles: (AppRole & {
permissions: AppPermission[];
})[];
}[];
export const getRolesApi = async (): Promise<FetchGroupedRolesResponse> => {
const response = await axios.get<FetchGroupedRolesResponse>(
"/api/v1/admin/roles",
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
return response.data;
};
export type FetchUserRolesResponse = AppRole[];
export const getUserRolesApi = async (
userId: string,
): Promise<FetchUserRolesResponse> => {
const response = await axios.get<FetchUserRolesResponse>(
`/api/v1/admin/roles/${userId}`,
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
return response.data;
};
export interface AssignUserRoleRequest {
role_key: string;
}
export const assignUserRoleApi = async (
userId: string,
params: AssignUserRoleRequest,
) => {
const response = await axios.patch(`/api/v1/admin/roles/${userId}`, params);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
return response.data;
};

78
web/src/api/admin/sessions.ts Normal file
View File

@ -0,0 +1,78 @@
import type { ServiceSession, UserSession } from "@/types";
import { axios, handleApiError } from "..";
export interface FetchUserSessionsRequest {
page: number;
size: number;
}
export interface FetchUserSessionsResponse {
items: UserSession[];
page: number;
total_pages: number;
}
export const adminGetUserSessionsApi = async (
req: FetchUserSessionsRequest,
): Promise<FetchUserSessionsResponse> => {
const response = await axios.get<FetchUserSessionsResponse>(
"/api/v1/admin/user-sessions",
{
params: req,
},
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
return response.data;
};
export const adminRevokeUserSessionApi = async (
sessionId: string,
): Promise<void> => {
const response = await axios.patch<FetchServiceSessionsResponse>(
`/api/v1/admin/user-sessions/revoke/${sessionId}`,
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
};
export interface FetchServiceSessionsRequest {
page: number;
size: number;
}
export interface FetchServiceSessionsResponse {
items: ServiceSession[];
page: number;
total_pages: number;
}
export const adminGetServiceSessionsApi = async (
req: FetchServiceSessionsRequest,
): Promise<FetchServiceSessionsResponse> => {
const response = await axios.get<FetchServiceSessionsResponse>(
"/api/v1/admin/service-sessions",
{
params: req,
},
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
return response.data;
};
export const adminRevokeServiceSessionApi = async (
sessionId: string,
): Promise<void> => {
const response = await axios.patch<FetchServiceSessionsResponse>(
`/api/v1/admin/service-sessions/revoke/${sessionId}`,
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
};

4
web/src/api/index.ts
View File

@ -27,11 +27,13 @@ const processRefreshQueue = async (token: string | null) => {
const logout = async (accountId: string) => {
const db = useDbStore.getState().db;
const requireSignIn = useAuth.getState().requireSignIn;
const { requireSignIn, loadAccounts } = useAuth.getState();
if (db) {
await deleteAccount(db, accountId);
}
await loadAccounts();
requireSignIn?.();
};

21
web/src/api/signout.ts Normal file
View File

@ -0,0 +1,21 @@
import axios from "axios";
import { handleApiError } from ".";
export const signoutApi = async (token: string) => {
const response = await axios.post(
"/api/v1/auth/signout",
{},
{
headers: {
Authorization: `Bearer ${token}`,
},
},
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
const data = response.data;
return data;
};

31
web/src/components/Home/Sidebar/index.tsx
View File

@ -7,17 +7,32 @@ const Sidebar: FC = () => {
return (
<div className="hidden sm:flex flex-col gap-2 items-stretch border-r border-gray-300 dark:border-gray-700 min-w-80 w-80 p-5 pt-18 min-h-screen select-none">
{barItems.map((item) => (
<Link to={item.pathname} key={item.tab}>
{barItems.map((item, index) =>
item.type !== "delimiter" ? (
<Link to={item.pathname} key={item.tab}>
<div
className={`dark:text-gray-200 transition-colors text-sm cursor-pointer p-4 rounded-lg flex flex-row items-center gap-3${
isActive(item) ? " bg-gray-200 dark:bg-gray-900" : ""
}`}
>
{item.icon} {item.title}
</div>
</Link>
) : (
<div
className={`dark:text-gray-200 transition-colors text-sm cursor-pointer p-4 rounded-lg flex flex-row items-center gap-3${
isActive(item) ? " bg-gray-200 dark:bg-gray-900" : ""
}`}
key={item.key}
className={`flex flex-row items-center gap-4 my-2 ${index === 0 ? "mt-0" : "mt-4"}`}
>
{item.icon} {item.title}
<div className="w-full h-[2px] rounded-lg bg-gray-800"></div>
{typeof item.title === "string" && (
<p className="text-gray-800 dark:text-gray-400 text-sm">
{item.title}
</p>
)}
<div className="w-full h-[2px] rounded-lg bg-gray-800"></div>
</div>
</Link>
))}
),
)}
</div>
);
};

28
web/src/components/Home/TopBar/index.tsx
View File

@ -7,19 +7,21 @@ const TopBar: FC = () => {
return (
<div className="sm:hidden flex w-full overflow-x-auto sm:overflow-x-visible max-w-full min-w-full sm:justify-center sm:space-x-4 no-scrollbar shadow-md shadow-gray-300 dark:shadow-gray-700 dark:bg-black/70 bg-white/70">
{barItems.map((item) => (
<Link to={item.pathname} key={item.tab}>
<div
className={`flex-shrink-0 transition-all border-b-4 px-4 py-2 min-w-[120px] sm:min-w-0 sm:flex-1 flex items-center justify-center cursor-pointer select-none whitespace-nowrap text-sm font-medium ${
isActive(item)
? " border-b-4 border-b-blue-500 text-blue-500"
: " border-b-transparent text-gray-500"
}`}
>
{item.title}
</div>
</Link>
))}
{barItems
.filter((item) => item.type !== "delimiter")
.map((item) => (
<Link to={item.pathname} key={item.tab}>
<div
className={`flex-shrink-0 transition-all border-b-4 px-4 py-2 min-w-[120px] sm:min-w-0 sm:flex-1 flex items-center justify-center cursor-pointer select-none whitespace-nowrap text-sm font-medium ${
isActive(item)
? " border-b-4 border-b-blue-500 text-blue-500"
: " border-b-transparent text-gray-500"
}`}
>
{item.title}
</div>
</Link>
))}
</div>
);
};

64
web/src/components/ui/pagination.tsx Normal file
View File

@ -0,0 +1,64 @@
import { ArrowLeft, ArrowRight } from "lucide-react";
import React, { useCallback } from "react";
import { Button } from "./button";
type PaginationProps = {
currentPage: number;
totalPages: number;
onPageChange: (page: number) => void;
};
const Pagination: React.FC<PaginationProps> = ({
currentPage,
totalPages,
onPageChange,
}) => {
const getPageNumbers = useCallback(() => {
const delta = 2;
const pages = [];
for (
let i = Math.max(1, currentPage - delta);
i <= Math.min(totalPages, currentPage + delta);
i++
) {
pages.push(i);
}
return pages;
}, [currentPage, totalPages]);
if (totalPages <= 1) return null;
return (
<nav className="flex justify-center items-center gap-2 mt-4">
<Button
onClick={() => onPageChange(currentPage - 1)}
disabled={currentPage === 1}
variant="outlined"
>
<ArrowLeft size={17} />
</Button>
{getPageNumbers().map((page) => (
<Button
key={page}
onClick={() => onPageChange(page)}
variant={page === currentPage ? "contained" : "outlined"}
>
<p className="text-sm">{page}</p>
</Button>
))}
<Button
onClick={() => onPageChange(currentPage + 1)}
disabled={currentPage === totalPages}
variant="outlined"
>
<ArrowRight size={17} />
</Button>
</nav>
);
};
export default Pagination;

2
web/src/feature/Avatar/index.tsx
View File

@ -5,7 +5,7 @@ import { useMemo, type FC } from "react";
export interface AvatarProps {
iconSize?: number;
className?: string;
avatarId?: string;
avatarId?: string | null;
}
const Avatar: FC<AvatarProps> = ({ iconSize = 32, className, avatarId }) => {

115
web/src/feature/FoldableRolesTable/index.tsx Normal file
View File

@ -0,0 +1,115 @@
import { Button } from "@/components/ui/button";
import { useRoles } from "@/store/admin/rolesGroups";
import { useUsers } from "@/store/admin/users";
import type { AppRole } from "@/types";
import { ChevronDown, LoaderCircle, Plus } from "lucide-react";
import React, { useCallback, useEffect, useState } from "react";
type Props = {
userRoles: AppRole[];
onToggleRole?: (scope: string, role: string, isAssigned: boolean) => void;
};
const FoldableRolesTable: React.FC<Props> = ({ userRoles, onToggleRole }) => {
const [openScopes, setOpenScopes] = useState<Record<string, boolean>>({});
const roleMap = useRoles((s) => s.roles);
const loadRoles = useRoles((s) => s.fetch);
const loadUserRoles = useUsers((state) => state.fetchUserRoles);
const user = useUsers((s) => s.current);
const togglingRole = useRoles((s) => s.toggling);
const toggleRole = useRoles((s) => s.assign);
const toggleUserRole = useCallback(
async (role: AppRole) => {
if (togglingRole === role.id) return;
if (user) {
await toggleRole(user.id, role);
loadRoles();
loadUserRoles();
}
},
[loadRoles, loadUserRoles, toggleRole, togglingRole, user],
);
const toggleScope = (scope: string) => {
setOpenScopes((prev) => ({
...prev,
[scope]: !prev[scope],
}));
};
useEffect(() => {
loadRoles();
}, [loadRoles]);
return (
<div className="w-full mx-auto shadow-md overflow-hidden">
<div className="divide-y divide-gray-200 dark:divide-gray-700">
{Object.entries(roleMap).map(([scope, roles]) => (
<div key={`${scope}`}>
<div
className="w-full text-left px-4 py-3 flex items-center justify-between cursor-pointer"
onClick={() => toggleScope(scope)}
>
<div className="flex items-center">
<span className="font-semibold text-gray-800 dark:text-gray-200">
{scope.toUpperCase()}{" "}
<span className="text-sm opacity-50 font-light">
(
{
roles.filter((r) =>
userRoles.some((ur) => ur.id === r.id),
).length
}
/{roles.length})
</span>
</span>
</div>
<span className="text-sm text-gray-500">
<ChevronDown
className={`${openScopes[scope] ? "rotate-180" : ""} transition`}
/>
</span>
</div>
<ul
className={`px-5 py-1 pb-4 transition-height ${openScopes[scope] ? "h-auto" : "h-0 py-0!"} overflow-hidden flex items-center flex-wrap gap-2`}
>
{roles.length === 0 ? (
<li className="text-gray-500 italic">No roles found</li>
) : (
roles.map((role) => (
<li
key={role.id}
className="flex items-center justify-between"
onClick={() => toggleUserRole(role)}
>
<span
className={`px-2 py-1 flex items-center gap-1 cursor-pointer select-none rounded text-xs ${
userRoles.some((ur) => ur.id === role.id)
? "bg-green-200 text-green-800 dark:bg-green-700/20 dark:text-green-300"
: "bg-red-200 text-red-800 dark:bg-red-700/20 dark:text-red-300"
} ${togglingRole === role.id ? "opacity-50" : ""}`}
>
{togglingRole === role.id && (
<LoaderCircle className="animate-spin" size={12} />
)}
{role.name.toUpperCase()}
</span>
</li>
))
)}
</ul>
</div>
))}
</div>
</div>
);
};
export default FoldableRolesTable;

67
web/src/feature/RoleMatrix/index.tsx Normal file
View File

@ -0,0 +1,67 @@
import React from "react";
type RoleMatrixProps = {
scopes: string[];
roles: string[];
userRoles: Record<string, string[]>; // e.g. { "Project Alpha": ["admin", "viewer"] }
onToggle?: (scope: string, role: string, isAssigned: boolean) => void;
};
const RoleMatrix: React.FC<RoleMatrixProps> = ({
scopes,
roles,
userRoles,
onToggle,
}) => {
const isChecked = (scope: string, role: string) =>
userRoles[scope]?.includes(role) ?? false;
return (
<div className="overflow-x-auto">
<table className="min-w-full table-auto border border-gray-300">
<thead className="bg-gray-100">
<tr>
<th className="border border-gray-300 px-4 py-2 text-left">
Scope / Role
</th>
{roles.map((role) => (
<th
key={role}
className="border border-gray-300 px-4 py-2 text-center capitalize"
>
{role}
</th>
))}
</tr>
</thead>
<tbody>
{scopes.map((scope) => (
<tr key={scope} className="hover:bg-gray-50">
<td className="border border-gray-300 px-4 py-2 font-medium">
{scope}
</td>
{roles.map((role) => {
const checked = isChecked(scope, role);
return (
<td
key={`${scope}-${role}`}
className="border border-gray-300 px-4 py-2 text-center"
>
<input
type="checkbox"
className="form-checkbox h-4 w-4 text-indigo-600 transition duration-150"
checked={checked}
onChange={() => onToggle?.(scope, role, !checked)}
/>
</td>
);
})}
</tr>
))}
</tbody>
</table>
</div>
);
};
export default RoleMatrix;

72
web/src/hooks/barItems.tsx
View File

@ -1,21 +1,40 @@
import { useAuth } from "@/store/auth";
import { Blocks, Home, Settings2, User, Users } from "lucide-react";
import {
Blocks,
ContactRound,
EarthLock,
Home,
KeyRound,
User,
UserLock,
Users,
} from "lucide-react";
import { useCallback, type ReactNode } from "react";
import { useLocation } from "react-router";
export interface BarDelimiter {
type: "delimiter";
key: string;
title?: string;
}
export interface BarItem {
type?: "nav";
icon: ReactNode;
title: string;
tab: string;
pathname: string;
}
export const useBarItems = (): [BarItem[], (item: BarItem) => boolean] => {
export type Item = BarItem | BarDelimiter;
export const useBarItems = (): [Item[], (item: Item) => boolean] => {
const profile = useAuth((state) => state.profile);
const location = useLocation();
const isActive = useCallback(
(item: BarItem) => {
(item: Item) => {
if (item.type === "delimiter") return false;
if (item.pathname === "/") return location.pathname === item.pathname;
return location.pathname.startsWith(item.pathname);
},
@ -28,6 +47,11 @@ export const useBarItems = (): [BarItem[], (item: BarItem) => boolean] => {
return [
[
{
type: "delimiter" as const,
title: "Basic",
key: "basic-del",
},
{
icon: <Home />,
title: "Home",
@ -40,14 +64,20 @@ export const useBarItems = (): [BarItem[], (item: BarItem) => boolean] => {
tab: "personal-info",
pathname: "/personal-info",
},
{
icon: <Settings2 />,
title: "Data & Personalization",
tab: "data-personalization",
pathname: "/data-personalize",
},
// TODO:
// {
// icon: <Settings2 />,
// title: "Data & Personalization",
// tab: "data-personalization",
// pathname: "/data-personalize",
// },
...(profile.is_admin
? [
{
type: "delimiter" as const,
title: "Admin",
key: "admin-del",
},
{
icon: <Blocks />,
title: "API Services",
@ -60,6 +90,30 @@ export const useBarItems = (): [BarItem[], (item: BarItem) => boolean] => {
tab: "admin.users",
pathname: "/admin/users",
},
{
icon: <UserLock />,
title: "User Sessions",
tab: "admin.user-sessions",
pathname: "/admin/user-sessions",
},
{
icon: <EarthLock />,
title: "Service Sessions",
tab: "admin.service-sessions",
pathname: "/admin/service-sessions",
},
{
icon: <KeyRound />,
title: "App Permissions",
tab: "admin.app-permissions",
pathname: "/admin/app-permissions",
},
{
icon: <ContactRound />,
title: "Roles & Groups",
tab: "admin.roles-groups",
pathname: "/admin/roles-groups",
},
]
: []),
],

5
web/src/index.css
View File

@ -9,6 +9,11 @@
-ms-overflow-style: none;
scrollbar-width: none;
}
.transition-height {
transition-property: height;
transition-duration: 300ms;
transition-timing-function: ease;
}
}
html,

7
web/src/pages/Admin/ApiServices/Create/index.tsx
View File

@ -33,9 +33,9 @@ const ApiServiceCreatePage: FC = () => {
const credentials = useApiServices((state) => state.createdCredentials);
const onSubmit = useCallback(
(data: FormData) => {
async (data: FormData) => {
console.log("Form submitted:", data);
createApiService({
await createApiService({
name: data.name,
description: data.description ?? "",
redirect_uris: data.redirectUris.trim().split("\n"),
@ -45,6 +45,9 @@ const ApiServiceCreatePage: FC = () => {
: ["authorization_code"],
is_active: data.enabled,
});
// if (success) {
// navigate("/admin/api-services");
// }
},
[createApiService],
);

130
web/src/pages/Admin/AppPermissions/index.tsx Normal file
View File

@ -0,0 +1,130 @@
import { useEffect, type FC } from "react";
import Breadcrumbs from "@/components/ui/breadcrumbs";
import { usePermissions } from "@/store/admin/permissions";
interface DisplayPermission {
name: string;
description: string;
}
interface IPermissionGroupProps {
scope: string;
permissions?: DisplayPermission[] | null | undefined;
generatedPermissions?: DisplayPermission[] | null | undefined;
}
const PermissionGroup: FC<IPermissionGroupProps> = ({
scope,
permissions,
generatedPermissions,
}) => {
return (
<div className="border dark:border-gray-800 border-gray-300 p-4 rounded mb-4">
<h2 className="dark:text-gray-300 text-gray-800 text-lg font-semibold">
{scope}
</h2>
{(generatedPermissions?.length ?? 0) > 0 && (
<>
<p className="text-gray-500 text-sm mt-2 mb-4">Generated by Guard</p>
<ol
className={`grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium mb-${permissions && permissions.length > 0 ? "6" : "2"}`}
>
{generatedPermissions!.map(({ name, description }) => (
<li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
<div className="flex flex-col gap-1">
<label>{name}</label>
<p className="text-xs text-gray-400 dark:text-gray-500">
{description}
</p>
</div>
</li>
))}
</ol>
</>
)}
{(permissions?.length ?? 0) > 0 && (
<>
<p className="text-gray-500 text-sm mt-2 mb-4">Manually Created</p>
<ol className="grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium">
{permissions!.map(({ name, description }) => (
<li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
<div className="flex flex-col gap-1">
<label>{name}</label>
<p className="text-xs text-gray-400 dark:text-gray-500">
{description}
</p>
</div>
</li>
))}
</ol>
</>
)}
</div>
);
};
const AdminAppPermissionsPage: FC = () => {
const permissions = usePermissions((s) => s.permissions);
const fetch = usePermissions((s) => s.fetch);
useEffect(() => {
fetch();
}, [fetch]);
return (
<div className="relative flex flex-col items-stretch w-full">
<div className="p-4">
<Breadcrumbs
className="pb-2"
items={[
{
href: "/admin",
label: "Admin",
},
{
label: "App Permissions",
},
]}
/>
</div>
<div className="px-7">
{Object.keys(permissions).map((scope) => (
<PermissionGroup
scope={scope.toUpperCase()}
generatedPermissions={permissions[scope].map((p) => ({
name: p.name
.split("_")
.map((s) => s[0].toUpperCase() + s.slice(1))
.join(" "),
description: p.description,
}))}
/>
))}
{/* <PermissionGroup
scope="Open Chat"
generatedPermissions={["Access Open Chat"].map((name) => ({
name,
description: `You can ${name.toLowerCase()}`,
}))}
permissions={[
"Receive Messages",
"Send Messages",
"View Status",
"Post Status",
"Use Ghost Mode",
"Send Large Media",
].map((name) => ({
name,
description: `You can ${name.toLowerCase()}`,
}))}
/> */}
</div>
</div>
);
};
export default AdminAppPermissionsPage;

91
web/src/pages/Admin/RolesGroups/index.tsx Normal file
View File

@ -0,0 +1,91 @@
import { useEffect, type FC } from "react";
import Breadcrumbs from "@/components/ui/breadcrumbs";
import { useRoles } from "@/store/admin/rolesGroups";
import type { AppPermission } from "@/types";
interface DisplayRole {
name: string;
description: string;
permissions: AppPermission[];
}
interface IPermissionGroupProps {
scope: string;
roles?: DisplayRole[] | null | undefined;
}
const RolesGroup: FC<IPermissionGroupProps> = ({ scope, roles }) => {
return (
<div className="border dark:border-gray-800 border-gray-300 p-4 rounded mb-4">
<h2 className="dark:text-gray-300 text-gray-800 text-lg font-semibold mb-4">
{scope.toUpperCase()} <span className="opacity-45">(scope)</span>
</h2>
{roles?.map((role, index) => (
<div>
<h2 className="dark:text-gray-300 text-gray-800 text-md font-semibold">
{role.name.toUpperCase()} <span className="opacity-45">(role)</span>
</h2>
<p className="text-sm text-gray-400 dark:text-gray-500">
{role.description}
</p>
<ol className="grid gap-4 gap-y-3 grid-cols-1 my-4 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium">
{role.permissions.map(({ name, description }) => (
<li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
<div className="flex flex-col gap-1">
<label>{name}</label>
<p className="text-xs text-gray-400 dark:text-gray-500">
{description}
</p>
</div>
</li>
))}
</ol>
{index + 1 < roles.length && (
<div className="h-[1px] bg-gray-700 w-full rounded my-6"></div>
)}
</div>
))}
</div>
);
};
const AdminRolesGroupsPage: FC = () => {
const roles = useRoles((s) => s.roles);
const fetch = useRoles((s) => s.fetch);
useEffect(() => {
fetch();
}, [fetch]);
console.log("roles:", roles);
return (
<div className="relative flex flex-col items-stretch w-full">
<div className="p-4">
<Breadcrumbs
className="pb-2"
items={[
{
href: "/admin",
label: "Admin",
},
{
label: "Roles & Groups",
},
]}
/>
</div>
<div className="px-7">
{Object.keys(roles).map((scope) => (
<RolesGroup scope={scope} roles={roles[scope]} />
))}
</div>
</div>
);
};
export default AdminRolesGroupsPage;

214
web/src/pages/Admin/ServiceSessions/index.tsx Normal file
View File

@ -0,0 +1,214 @@
import Breadcrumbs from "@/components/ui/breadcrumbs";
import { Button } from "@/components/ui/button";
import Avatar from "@/feature/Avatar";
import { Ban } from "lucide-react";
import { useCallback, useEffect, type FC } from "react";
import { Link } from "react-router";
import moment from "moment";
import Pagination from "@/components/ui/pagination";
import { useAuth } from "@/store/auth";
import { useServiceSessions } from "@/store/admin/serviceSessions";
const AdminServiceSessionsPage: FC = () => {
const loading = useServiceSessions((s) => s.loading);
const sessions = useServiceSessions((s) => s.items);
const page = useServiceSessions((s) => s.page);
const totalPages = useServiceSessions((s) => s.totalPages);
const fetchSessions = useServiceSessions((s) => s.fetch);
const revokeSession = useServiceSessions((s) => s.revoke);
const revokingId = useServiceSessions((s) => s.revokingId);
const profile = useAuth((s) => s.profile);
const handleRevokeSession = useCallback(
(id: string) => {
revokeSession(id);
},
[revokeSession],
);
useEffect(() => {
fetchSessions(1);
}, [fetchSessions]);
return (
<div className="relative flex flex-col items-stretch w-full">
<div className="p-4">
<Breadcrumbs
className="pb-2"
items={[
{
href: "/admin",
label: "Admin",
},
{
label: "Service Sessions",
},
]}
/>
</div>
<div className="p-4 flex flex-row items-center justify-between">
<p className="text-gray-800 dark:text-gray-300">Search...</p>
{/* TODO: Filters */}
</div>
<div className="flex-1 overflow-x-auto">
<table className="relative min-w-full border-l-0 border border-gray-300 dark:border-gray-700 border-collapse divide-y divide-gray-200 dark:divide-gray-800">
{loading && (
<div className="absolute inset-0 z-10 flex items-center justify-center bg-white/60 dark:bg-gray-900/60 backdrop-blur-sm">
<div className="text-gray-800 dark:text-gray-200 font-medium">
Loading...
</div>
</div>
)}
<thead className="bg-black/5 dark:bg-white/5 text-nowrap">
<tr>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Service
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
User + IP
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Status
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Issued At
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Expires At
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Last Active
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Revoked At
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Actions
</th>
</tr>
</thead>
<tbody className="divide-y divide-gray-200 dark:divide-gray-700">
{!loading && sessions.length === 0 ? (
<tr>
<td
colSpan={5}
className="px-6 py-12 text-center text-gray-500 dark:text-gray-400"
>
No sessions found.
</td>
</tr>
) : (
sessions.map((session) => (
<tr
key={session.id}
className="hover:bg-gray-50 dark:hover:bg-gray-800"
>
<td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
{/* <SessionSource deviceInfo={session.} /> */}
{typeof session.api_service?.icon_url === "string" && (
<Avatar
avatarId={session.api_service.icon_url ?? null}
className="w-7 h-7 min-w-7"
/>
)}
<Link to={`/admin/api-services/view/${session.service_id}`}>
<p className="cursor-pointer text-blue-500 text-nowrap">
{session.api_service?.name ?? session.client_id}
</p>
</Link>
</td>
<td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
<div className="flex flex-col items-stretch gap-2 justify-start">
<div className="flex flex-row items-center gap-2 justify-start">
{typeof session.user?.profile_picture === "string" && (
<Avatar
avatarId={session.user.profile_picture ?? null}
className="w-7 h-7 min-w-7"
/>
)}
<div className="flex flex-col items-stretch justify-center">
<Link to={`/admin/users/view/${session.user_id}`}>
<p className="cursor-pointer text-blue-500 text-nowrap">
{session.user?.full_name ?? ""}{" "}
{session.user_id === profile?.id ? "(You)" : ""}
</p>
</Link>
<p className="opacity-75">
{session.ip_address ?? "No IP available"}
</p>
</div>
</div>
</div>
</td>
<td className="px-5 py-3 text-sm border border-gray-300 dark:border-gray-700">
<span
className={`inline-block px-2 py-1 text-xs rounded-full font-semibold ${
!session.is_active ||
(session.expires_at &&
moment(session.expires_at).isSameOrBefore(
moment(new Date()),
))
? "bg-red-100 text-red-800 dark:bg-red-900 dark:text-red-300"
: "bg-green-100 text-green-800 dark:bg-green-900 dark:text-green-300"
}`}
>
{session.is_active ? "Active" : "Inactive"}
{moment(session.expires_at).isSameOrBefore(
moment(new Date()),
) && " (Expired)"}
</span>
</td>
<td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
{moment(session.issued_at).format("LLLL")}
</td>
<td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
{session.expires_at
? moment(session.expires_at).format("LLLL")
: "never"}
</td>
<td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
{session.last_active
? moment(session.last_active).format("LLLL")
: "never"}
</td>
<td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
{session.revoked_at
? new Date(session.revoked_at).toLocaleString()
: "never"}
</td>
<td>
<div className="flex flex-row items-center justify-center gap-2">
<Button
variant="contained"
className="bg-red-500 hover:bg-red-600 !px-1.5 !py-1.5"
onClick={() => handleRevokeSession(session.id)}
disabled={revokingId === session.id}
>
<Ban size={18} />
</Button>
</div>
</td>
</tr>
))
)}
</tbody>
</table>
</div>
<Pagination
currentPage={page}
onPageChange={(newPage) => fetchSessions(newPage)}
totalPages={totalPages}
/>
</div>
);
};
export default AdminServiceSessionsPage;

209
web/src/pages/Admin/UserSessions/index.tsx Normal file
View File

@ -0,0 +1,209 @@
import Breadcrumbs from "@/components/ui/breadcrumbs";
import { Button } from "@/components/ui/button";
import Avatar from "@/feature/Avatar";
import type { DeviceInfo } from "@/types";
import { Ban } from "lucide-react";
import { useCallback, useEffect, useMemo, type FC } from "react";
import { Link } from "react-router";
import moment from "moment";
import Pagination from "@/components/ui/pagination";
import { useUserSessions } from "@/store/admin/userSessions";
import { useAuth } from "@/store/auth";
const SessionSource: FC<{ deviceInfo: string }> = ({ deviceInfo }) => {
const parsed = useMemo<DeviceInfo>(
() => JSON.parse(atob(deviceInfo)),
[deviceInfo],
);
return (
<p>
{parsed.os} {parsed.os_version} {parsed.browser} {parsed.browser_version}
</p>
);
};
const AdminUserSessionsPage: FC = () => {
const loading = useUserSessions((s) => s.loading);
const sessions = useUserSessions((s) => s.items);
const page = useUserSessions((s) => s.page);
const totalPages = useUserSessions((s) => s.totalPages);
const fetchSessions = useUserSessions((s) => s.fetch);
const revokeSession = useUserSessions((s) => s.revoke);
const revokingId = useUserSessions((s) => s.revokingId);
const profile = useAuth((s) => s.profile);
const handleRevokeSession = useCallback(
(id: string) => {
revokeSession(id);
},
[revokeSession],
);
useEffect(() => {
fetchSessions(1);
}, [fetchSessions]);
return (
<div className="relative flex flex-col items-stretch w-full">
<div className="p-4">
<Breadcrumbs
className="pb-2"
items={[
{
href: "/admin",
label: "Admin",
},
{
label: "User Sessions",
},
]}
/>
</div>
<div className="p-4 flex flex-row items-center justify-between">
<p className="text-gray-800 dark:text-gray-300">Search...</p>
{/* TODO: Filters */}
</div>
<div className="flex-1 overflow-x-auto">
<table className="relative min-w-full border-l-0 border border-gray-300 dark:border-gray-700 border-collapse divide-y divide-gray-200 dark:divide-gray-800">
{loading && (
<div className="absolute inset-0 z-10 flex items-center justify-center bg-white/60 dark:bg-gray-900/60 backdrop-blur-sm">
<div className="text-gray-800 dark:text-gray-200 font-medium">
Loading...
</div>
</div>
)}
<thead className="bg-black/5 dark:bg-white/5 text-nowrap">
<tr>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
User
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Source
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Status
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Issued At
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Expires At
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Last Active
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Revoked At
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Actions
</th>
</tr>
</thead>
<tbody className="divide-y divide-gray-200 dark:divide-gray-700">
{!loading && sessions.length === 0 ? (
<tr>
<td
colSpan={5}
className="px-6 py-12 text-center text-gray-500 dark:text-gray-400"
>
No sessions found.
</td>
</tr>
) : (
sessions.map((session) => (
<tr
key={session.id}
className="hover:bg-gray-50 dark:hover:bg-gray-800"
>
<td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
<div className="flex flex-row items-center gap-2 justify-start">
{typeof session.user?.profile_picture === "string" && (
<Avatar
avatarId={session.user.profile_picture ?? null}
className="w-7 h-7 min-w-7"
/>
)}
<Link to={`/admin/users/view/${session.user_id}`}>
<p className="cursor-pointer text-blue-500 text-nowrap">
{session.user?.full_name ?? ""}{" "}
{session.user_id === profile?.id ? "(You)" : ""}
</p>
</Link>
</div>
</td>
<td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
<SessionSource deviceInfo={session.device_info} />
</td>
<td className="px-5 py-3 text-sm border border-gray-300 dark:border-gray-700">
<span
className={`inline-block px-2 py-1 text-xs rounded-full font-semibold ${
!session.is_active ||
(session.expires_at &&
moment(session.expires_at).isSameOrBefore(
moment(new Date()),
))
? "bg-red-100 text-red-800 dark:bg-red-900 dark:text-red-300"
: "bg-green-100 text-green-800 dark:bg-green-900 dark:text-green-300"
}`}
>
{session.is_active ? "Active" : "Inactive"}
{moment(session.expires_at).isSameOrBefore(
moment(new Date()),
) && " (Expired)"}
</span>
</td>
<td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
{moment(session.issued_at).format("LLLL")}
</td>
<td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
{session.expires_at
? moment(session.expires_at).format("LLLL")
: "never"}
</td>
<td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
{session.last_active
? moment(session.last_active).format("LLLL")
: "never"}
</td>
<td className="px-5 py-3 text-sm text-gray-500 dark:text-gray-400 border border-gray-300 dark:border-gray-700">
{session.revoked_at
? new Date(session.revoked_at).toLocaleString()
: "never"}
</td>
<td>
<div className="flex flex-row items-center justify-center gap-2">
<Button
variant="contained"
className="bg-red-500 hover:bg-red-600 !px-1.5 !py-1.5"
onClick={() => handleRevokeSession(session.id)}
disabled={revokingId === session.id}
>
<Ban size={18} />
</Button>
</div>
</td>
</tr>
))
)}
</tbody>
</table>
</div>
<Pagination
currentPage={page}
onPageChange={(newPage) => fetchSessions(newPage)}
totalPages={totalPages}
/>
</div>
);
};
export default AdminUserSessionsPage;

13
web/src/pages/Admin/Users/Create/index.tsx
View File

@ -4,7 +4,7 @@ import { Input } from "@/components/ui/input";
import { useUsers } from "@/store/admin/users";
import { useCallback, type FC } from "react";
import { useForm } from "react-hook-form";
import { Link } from "react-router";
import { Link, useNavigate } from "react-router";
interface FormData {
fullName: string;
@ -24,17 +24,22 @@ const AdminCreateUserPage: FC = () => {
const createUser = useUsers((state) => state.createUser);
const navigate = useNavigate();
const onSubmit = useCallback(
(data: FormData) => {
async (data: FormData) => {
console.log("Form submitted:", data);
createUser({
const success = await createUser({
email: data.email,
full_name: data.fullName,
password: data.password,
is_admin: data.isAdmin,
});
if (success) {
navigate("/admin/users");
}
},
[createUser],
[createUser, navigate],
);
return (

233
web/src/pages/Admin/Users/View/index.tsx
View File

@ -1,38 +1,65 @@
import Breadcrumbs from "@/components/ui/breadcrumbs";
import { Button } from "@/components/ui/button";
import Avatar from "@/feature/Avatar";
import FoldableRolesTable from "@/feature/FoldableRolesTable";
import RoleMatrix from "@/feature/RoleMatrix";
import { useRoles } from "@/store/admin/rolesGroups";
import { useUsers } from "@/store/admin/users";
import { useEffect, type FC } from "react";
import type { UserProfile } from "@/types";
import { Check, Mail, Phone } from "lucide-react";
import moment from "moment";
import { useEffect, type FC, type HTMLAttributes } from "react";
import { Link, useParams } from "react-router";
const InfoCard = ({
title,
children,
}: {
interface InfoCardProps extends HTMLAttributes<HTMLDivElement> {
title: string;
children: React.ReactNode;
}) => (
<div className="border dark:border-gray-800 border-gray-300 rounded mb-4">
<div className="p-4 border-b dark:border-gray-800 border-gray-300">
<h2 className="text-gray-800 dark:text-gray-200 font-semibold text-lg">
{title}
</h2>
hasSpacing?: boolean | undefined;
}
const InfoCard = ({
children,
hasSpacing = true,
title,
...props
}: InfoCardProps) => (
<div className="mb-6">
<h2 className="mb-4 text-xl">{title}</h2>
<div
{...props}
className={`border dark:border-gray-800 border-gray-300 rounded mb-4 ${props.className}`}
>
{/* <div className="p-4 border-b dark:border-gray-800 border-gray-300">
<h2 className="text-gray-800 dark:text-gray-200 font-semibold text-lg">
{title}
</h2>
</div> */}
<div className={hasSpacing ? "p-4" : ""}>{children}</div>
</div>
<div className="p-4">{children}</div>
</div>
);
const AdminViewUserPage: FC = () => {
const { userId } = useParams();
const user = useUsers((state) => state.current);
const userRoles = useUsers((s) => s.userRoles);
// const loading = useApiServices((state) => state.fetchingApiService);
const loadUser = useUsers((state) => state.fetchUser);
const loadUserRoles = useUsers((state) => state.fetchUserRoles);
useEffect(() => {
if (typeof userId === "string") loadUser(userId);
}, [loadUser, userId]);
useEffect(() => {
if (user) loadUserRoles();
}, [loadUserRoles, user]);
console.log({ userRoles });
if (!user) {
return (
<div className="p-4 flex items-center justify-center h-[60vh]">
@ -55,70 +82,138 @@ const AdminViewUserPage: FC = () => {
/>
<div className="sm:p-4 pt-4">
{/* 📋 Main Details */}
<InfoCard title="Personal Info">
<InfoCard title="Profile" hasSpacing={false}>
<div className="flex flex-col gap-4 text-sm">
<div className="flex flex-col gap-4">
<span className="font-medium text-gray-900 dark:text-white">
Avatar:
</span>
<Avatar
avatarId={user.profile_picture ?? undefined}
className="w-16 h-16"
iconSize={28}
/>
<div className="bg-black/15 shadow/20">
{/* Header */}
<div className="flex flex-row gap-4 items-center p-4">
<Avatar
avatarId={user.profile_picture ?? null}
className="w-28 h-28"
iconSize={48}
/>
<div className="flex flex-col gap-1">
<h2 className="text-lg font-medium">{user.full_name}</h2>
<div className="flex flex-row items-center gap-2">
<h3 className="text-base opacity-50 flex flex-row items-center gap-2">
<span>
<Mail size={18} />
</span>
{user.email}
</h3>
<div className="w-1 h-1 rounded-full bg-gray-600" />
<h3 className="text-base opacity-50 flex flex-row items-center gap-2">
<span>
<Phone size={18} />
</span>
{user.phone_number || "No Phone Number"}
</h3>
</div>
</div>
</div>
{/* TODO: */}
{/* Top Bars */}
{/* <div className="w-full border-b border-b-gray-600 p-4">
somethign
</div> */}
</div>
<div>
<span className="font-medium text-gray-900 dark:text-white">
Full Name:
</span>{" "}
{user.full_name}
</div>
<div>
<span className="font-medium text-gray-900 dark:text-white">
Email:
</span>{" "}
{user.email}
</div>
<div>
<span className="font-medium text-gray-900 dark:text-white">
Phone Number:
</span>{" "}
{user.phone_number || "-"}{" "}
</div>
<div>
<span className="font-medium text-gray-900 dark:text-white">
Is Admin:
</span>{" "}
<span
className={`font-semibold px-2 py-1 rounded ${
user.is_admin
? "bg-green-200 text-green-800 dark:bg-green-700/20 dark:text-green-300"
: "bg-red-200 text-red-800 dark:bg-red-700/20 dark:text-red-300"
}`}
>
{user.is_admin ? "Yes" : "No"}
</span>
</div>
<div>
<span className="font-medium text-gray-900 dark:text-white">
Created At:
</span>{" "}
{new Date(user.created_at).toLocaleString()}
</div>
<div>
<span className="font-medium text-gray-900 dark:text-white">
Last Login At:
</span>{" "}
{user.last_login
? new Date(user.last_login).toLocaleString()
: "never"}
<div className="grid grid-cols-2 gap-2 gap-y-4 p-4">
<div className="flex flex-col gap-2 items-start">
<span className="font-medium text-gray-400 dark:text-gray-500">
Verification
</span>{" "}
<div className="flex items-center gap-2">
{[
["avatar_verified", "Avatar"],
["email_verified", "Email"],
].map(([key, label]) => (
<span
key={key}
className={`px-2 py-1 rounded ${
user[key as keyof UserProfile] === true
? "bg-green-200 text-green-800 dark:bg-green-700/20 dark:text-green-300"
: "bg-red-200 text-red-800 dark:bg-red-700/20 dark:text-red-300"
}`}
>
{label}
</span>
))}
</div>
</div>
<div className="flex flex-col gap-2 items-start">
<span className="font-medium text-gray-400 dark:text-gray-500">
Roles
</span>{" "}
<span className={`font-semibold py-1 rounded`}>
{userRoles.length === 0 && <p>No Roles</p>}
{userRoles.map((role) => (
<span
key={role.id}
className="px-2 py-1 rounded bg-blue-200 text-blue-800 dark:bg-blue-700/20 dark:text-blue-300"
>
{role.name}
</span>
))}
</span>
</div>
<div className="flex flex-col gap-2 items-start">
<span className="font-medium text-gray-400 dark:text-gray-500">
Created At
</span>{" "}
<span className={`font-semibold py-1 rounded`}>
{moment(user.created_at).format("LLLL")}
</span>
</div>
<div className="flex flex-col gap-2 items-start">
<span className="font-medium text-gray-400 dark:text-gray-500">
Last Login
</span>{" "}
<span className={`font-semibold py-1 rounded`}>
{user.last_login
? moment(user.last_login).format("LLLL")
: "never"}
</span>
</div>
</div>
</div>
</InfoCard>
<InfoCard title="Roles Management" hasSpacing={false}>
<FoldableRolesTable userRoles={userRoles} />
</InfoCard>
{/* <InfoCard title="Roles" hasSpacing={false}>
{Object.entries(roles).map(([scope, roles]) => (
<div className="w-full">
<h4 className="bg-black/40 p-3 text-xs opacity-50">
{scope.toUpperCase()}
</h4>
<ul className="bg-black/20">
{roles.map((r, index) => (
<div key={r.id}>
<li
key={r.id}
className="p-2 px-4 flex flex-row items-center gap-2"
>
<span
className={`opacity-${userRoles.some((ur) => ur.id === r.id) ? "100" : "0"}`}
>
<Check size={16} />
</span>
{r.name.toUpperCase()}
</li>
{index + 1 < roles.length && (
<div className="h-[1px] bg-gray-800 w-[95%] mx-auto"></div>
)}
</div>
))}
</ul>
</div>
))}
</InfoCard> */}
{/* 🚀 Actions */}
<div className="flex flex-wrap gap-4 mt-6 justify-between items-center">
<div className="flex flex-wrap gap-4 mt-6 justify-between items-center col-span-3">
<Link to="/admin/users">
<Button variant="outlined">Back</Button>
</Link>

2
web/src/pages/Admin/Users/index.tsx
View File

@ -94,7 +94,7 @@ const AdminUsersPage: FC = () => {
<Avatar
iconSize={21}
className="w-8 h-8"
avatarId={user.profile_picture ?? undefined}
avatarId={user.profile_picture ?? null}
/>
<p>{user.full_name}</p>
</div>

24
web/src/pages/Authorize/index.tsx
View File

@ -76,21 +76,21 @@ const AuthorizePage: FC = () => {
<div className="text-gray-400 dark:text-gray-600">
<ArrowLeftRight />
</div>
<div className="w-12 h-12 rounded-full flex items-center justify-center overflow-hidden bg-gray-900 ring ring-gray-400 dark:ring dark:ring-gray-500">
{/* <img
{/* <div className="w-12 h-12 rounded-full flex items-center justify-center overflow-hidden bg-gray-900 ring ring-gray-400 dark:ring dark:ring-gray-500"> */}
{/* <img
src="https://lucide.dev/logo.dark.svg"
className="w-8 h-8"
/> */}
{apiService?.icon_url ? (
<img
src={apiService.icon_url}
className="w-full h-full"
alt="service_icon"
/>
) : (
<LayoutDashboard size={32} color="#fefefe" />
)}
</div>
{apiService?.icon_url ? (
<img
src={apiService.icon_url}
className="w-12 h-12"
alt="service_icon"
/>
) : (
<LayoutDashboard size={32} color="#fefefe" />
)}
{/* </div> */}
</div>
<div className="px-4 sm:mt-4 mt-8">

5
web/src/pages/Login/index.tsx
View File

@ -62,8 +62,9 @@ export default function LoginPage() {
} catch (err: any) {
console.log(err);
setError(
"Failed to create account. " +
(err.message ?? "Unexpected error happened"),
err.response?.data?.error ??
err.message ??
"Unexpected error happened",
);
} finally {
setLoading(false);

2
web/src/pages/Verify/Review/index.tsx
View File

@ -21,7 +21,7 @@ const VerifyReviewPage: FC = () => {
</p>
<Avatar
avatarId={profile?.profile_picture ?? undefined}
avatarId={profile?.profile_picture ?? null}
iconSize={64}
className="w-48 h-48 min-w-48 mx-auto mt-4"
/>

7
web/src/store/admin/apiServices.ts
View File

@ -22,7 +22,7 @@ interface IApiServicesState {
fetch: () => Promise<void>;
fetchSingle: (id: string) => Promise<void>;
create: (req: CreateApiServiceRequest) => Promise<void>;
create: (req: CreateApiServiceRequest) => Promise<boolean>;
resetCredentials: () => void;
toggling: boolean;
@ -117,11 +117,12 @@ export const useApiServices = create<IApiServicesState>((set, get) => ({
try {
const response = await postApiService(req);
set({ createdCredentials: response.credentials });
set({ createdCredentials: response.credentials, creating: false });
return true;
} catch (err) {
console.log("ERR: Failed to fetch services:", err);
} finally {
set({ creating: false });
return false;
}
},
}));

32
web/src/store/admin/permissions.ts Normal file
View File

@ -0,0 +1,32 @@
import { getPermissionsApi } from "@/api/admin/permissions";
import type { AppPermission } from "@/types";
import { create } from "zustand";
export interface IAdminPermissionsState {
permissions: Record<string, AppPermission[]>;
fetching: boolean;
fetch: () => Promise<void>;
}
export const usePermissions = create<IAdminPermissionsState>((set) => ({
permissions: {},
fetching: false,
fetch: async () => {
set({ fetching: true });
try {
const response = await getPermissionsApi();
set({
permissions: Object.fromEntries(
response.map(({ scope, permissions }) => [scope, permissions]),
),
});
} catch (err) {
console.log("ERR: Failed to fetch admin permissions:", err);
} finally {
set({ fetching: false });
}
},
}));

57
web/src/store/admin/rolesGroups.ts Normal file
View File

@ -0,0 +1,57 @@
import {
assignUserRoleApi,
getRolesApi,
type AssignUserRoleRequest,
} from "@/api/admin/roles";
import type { AppPermission, AppRole } from "@/types";
import { create } from "zustand";
export type RolesMap = Record<
string,
(AppRole & { permissions: AppPermission[] })[]
>;
export interface IRolesGroups {
roles: RolesMap;
fetching: boolean;
toggling: string | null;
fetch: () => Promise<void>;
assign: (userId: string, role: AppRole) => Promise<void>;
}
export const useRoles = create<IRolesGroups>((set) => ({
roles: {},
fetching: false,
toggling: null,
fetch: async () => {
set({ fetching: true });
try {
const response = await getRolesApi();
set({
roles: Object.fromEntries(response.map((r) => [r.scope, r.roles])),
});
} catch (err) {
console.log("ERR: Failed to fetch admin roles:", err);
} finally {
set({ fetching: false });
}
},
assign: async (userId, role) => {
set({ toggling: role.id });
try {
await assignUserRoleApi(userId, {
role_key: `${role.scope}_${role.name}`,
});
} catch (err) {
console.log("ERR: Failed to assign user role:", err);
} finally {
set({ toggling: null });
}
},
}));

59
web/src/store/admin/serviceSessions.ts Normal file
View File

@ -0,0 +1,59 @@
import {
adminGetServiceSessionsApi,
adminRevokeServiceSessionApi,
} from "@/api/admin/sessions";
import type { ServiceSession } from "@/types";
import { create } from "zustand";
export const ADMIN_SERVICE_SESSIONS_PAGE_SIZE = 10;
export interface IServiceSessionsState {
items: ServiceSession[];
totalPages: number;
page: number;
loading: boolean;
revokingId: string | null;
fetch: (page: number) => Promise<void>;
revoke: (id: string) => Promise<void>;
}
export const useServiceSessions = create<IServiceSessionsState>((set, get) => ({
items: [],
totalPages: 0,
page: 1,
loading: false,
revokingId: null,
fetch: async (page) => {
set({ loading: true, page });
try {
const response = await adminGetServiceSessionsApi({
page,
size: ADMIN_SERVICE_SESSIONS_PAGE_SIZE,
});
set({ items: response.items, totalPages: response.total_pages });
} catch (err) {
console.log("ERR: Failed to fetch admin service sessions:", err);
} finally {
set({ loading: false });
}
},
revoke: async (id) => {
set({ revokingId: id });
try {
await adminRevokeServiceSessionApi(id);
} catch (err) {
console.log("ERR: Failed to revoke service sessions:", err);
} finally {
set({ revokingId: null });
const { fetch, page } = get();
await fetch(page);
}
},
}));

59
web/src/store/admin/userSessions.ts Normal file
View File

@ -0,0 +1,59 @@
import {
adminGetUserSessionsApi,
adminRevokeUserSessionApi,
} from "@/api/admin/sessions";
import type { UserSession } from "@/types";
import { create } from "zustand";
export const ADMIN_USER_SESSIONS_PAGE_SIZE = 10;
export interface IUserSessionsState {
items: UserSession[];
totalPages: number;
page: number;
loading: boolean;
revokingId: string | null;
fetch: (page: number) => Promise<void>;
revoke: (id: string) => Promise<void>;
}
export const useUserSessions = create<IUserSessionsState>((set, get) => ({
items: [],
totalPages: 0,
page: 1,
loading: false,
revokingId: null,
fetch: async (page) => {
set({ loading: true, page });
try {
const response = await adminGetUserSessionsApi({
page,
size: ADMIN_USER_SESSIONS_PAGE_SIZE,
});
set({ items: response.items, totalPages: response.total_pages });
} catch (err) {
console.log("ERR: Failed to fetch admin user sessions:", err);
} finally {
set({ loading: false });
}
},
revoke: async (id) => {
set({ revokingId: id });
try {
await adminRevokeUserSessionApi(id);
} catch (err) {
console.log("ERR: Failed to revoke user sessions:", err);
} finally {
set({ revokingId: null });
const { fetch, page } = get();
await fetch(page);
}
},
}));

88
web/src/store/admin/users.ts
View File

@ -1,10 +1,12 @@
import { getUserPermissionsApi } from "@/api/admin/permissions";
import { assignUserRoleApi, getUserRolesApi } from "@/api/admin/roles";
import {
adminGetUserApi,
adminGetUsersApi,
postUser,
type CreateUserRequest,
} from "@/api/admin/users";
import type { UserProfile } from "@/types";
import type { AppPermission, AppRole, UserProfile } from "@/types";
import { create } from "zustand";
export interface IUsersState {
@ -14,14 +16,26 @@ export interface IUsersState {
current: UserProfile | null;
fetchingCurrent: boolean;
userPermissions: AppPermission[];
fetchingPermissions: boolean;
userRoles: AppRole[];
fetchingRoles: boolean;
creating: boolean;
createUser: (req: CreateUserRequest) => Promise<void>;
createUser: (req: CreateUserRequest) => Promise<boolean>;
assigningRole: boolean;
fetchUsers: () => Promise<void>;
fetchUser: (id: string) => Promise<void>;
fetchUserPermissions: () => Promise<void>;
fetchUserRoles: () => Promise<void>;
assignUserRole: (roleKey: string) => Promise<void>;
}
export const useUsers = create<IUsersState>((set) => ({
export const useUsers = create<IUsersState>((set, get) => ({
users: [],
fetching: false,
@ -30,16 +44,26 @@ export const useUsers = create<IUsersState>((set) => ({
current: null,
fetchingCurrent: false,
userRoles: [],
fetchingRoles: false,
userPermissions: [],
fetchingPermissions: false,
assigningRole: false,
createUser: async (req: CreateUserRequest) => {
set({ creating: true });
try {
const response = await postUser(req);
console.log("INFO: User has been created:", response);
set({ creating: false });
return true;
} catch (err) {
console.log("ERR: Failed to create user:", err);
} finally {
set({ creating: false });
return false;
}
},
@ -68,4 +92,60 @@ export const useUsers = create<IUsersState>((set) => ({
set({ fetchingCurrent: false });
}
},
fetchUserPermissions: async () => {
const user = get().current;
if (!user) {
console.warn("Trying to fetch user permissions without selected user");
return;
}
set({ fetchingPermissions: true });
try {
const response = await getUserPermissionsApi(user.id);
set({ userPermissions: response });
} catch (err) {
console.log("ERR: Failed to fetch single user for admin:", err);
} finally {
set({ fetchingPermissions: false });
}
},
fetchUserRoles: async () => {
const user = get().current;
if (!user) {
console.warn("Trying to fetch user permissions without selected user");
return;
}
set({ fetchingRoles: true });
try {
const response = await getUserRolesApi(user.id);
set({ userRoles: response ?? [] });
} catch (err) {
console.log("ERR: Failed to fetch single user for admin:", err);
} finally {
set({ fetchingRoles: false });
}
},
assignUserRole: async (roleKey: string) => {
const user = get().current;
if (!user) {
console.warn("Trying to fetch user permissions without selected user");
return;
}
set({ assigningRole: true });
try {
await assignUserRoleApi(user.id, { roleKey });
} catch (err) {
console.log("ERR: Failed to assign user role:", err);
} finally {
set({ assigningRole: false });
}
},
}));

61
web/src/types/index.ts
View File

@ -31,3 +31,64 @@ export interface ApiServiceCredentials {
client_id: string;
client_secret: string;
}
export interface ServiceSession {
id: string;
service_id: string;
api_service?: ApiService | null;
client_id: string;
user_id?: string | null;
user?: UserProfile | null;
issued_at: string;
expires_at?: string | null;
last_active?: string | null;
ip_address?: string | null;
user_agent?: string | null;
access_token_id?: string | null;
refresh_token_id?: string | null;
is_active: boolean;
revoked_at?: string | null;
scope?: string | null;
claims: string; // base64 encoded
}
export interface UserSession {
id: string;
user_id: string;
user?: UserProfile | null;
session_type: string; // "user" | "admin"
issued_at: string;
expires_at?: string | null;
last_active?: string | null;
ip_address?: string | null;
user_agent?: string | null;
access_token_id?: string | null;
refresh_token_id?: string | null;
device_info: string; // base64 encoded
is_active: boolean;
revoked_at?: string | null;
}
export interface DeviceInfo {
os: string;
os_version: string;
device_name: string;
device_type: string;
location: string;
browser: string;
browser_version: string;
}
export interface AppPermission {
id: string;
name: string;
scope: string;
description: string;
}
export interface AppRole {
id: string;
name: string;
scope: string;
description: string;
}