92 lines
2.5 KiB
Go
92 lines
2.5 KiB
Go
package middleware
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"log"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"gitea.local/admin/hspguard/internal/config"
|
|
"gitea.local/admin/hspguard/internal/repository"
|
|
"gitea.local/admin/hspguard/internal/types"
|
|
"gitea.local/admin/hspguard/internal/util"
|
|
"gitea.local/admin/hspguard/internal/web"
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
type AuthMiddleware struct {
|
|
cfg *config.AppConfig
|
|
repo *repository.Queries
|
|
}
|
|
|
|
func NewAuthMiddleware(cfg *config.AppConfig, repo *repository.Queries) *AuthMiddleware {
|
|
return &AuthMiddleware{
|
|
cfg,
|
|
repo,
|
|
}
|
|
}
|
|
|
|
func (m *AuthMiddleware) Runner(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
authHeader := r.Header.Get("Authorization")
|
|
if authHeader == "" {
|
|
web.Error(w, "unauthorized", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
parts := strings.Split(authHeader, "Bearer ")
|
|
if len(parts) != 2 {
|
|
web.Error(w, "invalid auth header format", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
tokenStr := parts[1]
|
|
var userClaims types.UserClaims
|
|
|
|
token, err := util.VerifyToken(tokenStr, m.cfg.Jwt.PublicKey, &userClaims)
|
|
if err != nil || !token.Valid {
|
|
web.Error(w, fmt.Sprintf("invalid token: %v", err), http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
// TODO: redis caching
|
|
parsed, err := uuid.Parse(userClaims.ID)
|
|
if err != nil {
|
|
log.Printf("ERR: Failed to parse token JTI '%s': %v\n", userClaims.ID, err)
|
|
web.Error(w, "failed to get session", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
session, err := m.repo.GetUserSessionByAccessJTI(r.Context(), &parsed)
|
|
if err != nil {
|
|
log.Printf("ERR: Failed to find session with '%s' JTI: %v\n", parsed.String(), err)
|
|
web.Error(w, "no session found", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
if !session.IsActive {
|
|
log.Printf("INFO: Inactive session trying to authorize: %s\n", session.AccessTokenID)
|
|
web.Error(w, "no session found", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
ctx := context.WithValue(r.Context(), types.UserIdKey, userClaims.Subject)
|
|
ctx = context.WithValue(ctx, types.JTIKey, userClaims.ID)
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
|
|
func WithSkipper(mw func(http.Handler) http.Handler, excludedPaths ...string) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
for _, path := range excludedPaths {
|
|
if strings.HasPrefix(r.URL.Path, path) {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
}
|
|
mw(next).ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|