Add admin user, and an option to add an admin user on startup
@@ -2,6 +2,7 @@ package middleware
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"git.artlef.fr/bibliomane/internal/jwtauth"
|
||||
@@ -27,29 +28,33 @@ func Auth() gin.HandlerFunc {
|
||||
return
|
||||
}
|
||||
|
||||
username, err := parseUserFromJwt(c)
|
||||
jwtokenStr := jwtFromBearerToken(c.GetHeader("Authorization"))
|
||||
jwtoken, err := jwt.Parse(jwtokenStr,
|
||||
func(token *jwt.Token) (any, error) {
|
||||
return jwtauth.GetJwtKey()
|
||||
}, jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()}))
|
||||
|
||||
if err != nil {
|
||||
c.AbortWithStatusJSON(http.StatusUnauthorized,
|
||||
gin.H{"error": "You must be logged in to access this resource."})
|
||||
abortError(c)
|
||||
return
|
||||
}
|
||||
|
||||
//check admin rights
|
||||
if strings.HasPrefix(c.FullPath(), "/ws/admin/") && !hasAdminRights(jwtoken) {
|
||||
c.AbortWithStatusJSON(http.StatusForbidden,
|
||||
gin.H{"error": "You do not have the right to access this resource."})
|
||||
return
|
||||
}
|
||||
|
||||
username, err := jwtoken.Claims.GetSubject()
|
||||
if err != nil {
|
||||
abortError(c)
|
||||
} else {
|
||||
c.Set("user", username)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func parseUserFromJwt(c *gin.Context) (string, error) {
|
||||
|
||||
jwtokenStr := jwtFromBearerToken(c.GetHeader("Authorization"))
|
||||
jwtoken, parseErr := jwt.Parse(jwtokenStr,
|
||||
func(token *jwt.Token) (any, error) {
|
||||
return jwtauth.GetJwtKey()
|
||||
}, jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()}))
|
||||
if parseErr != nil {
|
||||
return "", parseErr
|
||||
}
|
||||
return jwtoken.Claims.GetSubject()
|
||||
}
|
||||
|
||||
func jwtFromBearerToken(bearerToken string) string {
|
||||
splitToken := strings.Split(bearerToken, " ")
|
||||
if len(splitToken) == 2 {
|
||||
@@ -58,3 +63,28 @@ func jwtFromBearerToken(bearerToken string) string {
|
||||
return ""
|
||||
}
|
||||
}
|
||||
|
||||
func hasAdminRights(token *jwt.Token) bool {
|
||||
claims, ok := token.Claims.(jwt.MapClaims)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
raw, ok := claims["admin"]
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
adminStr, ok := raw.(string)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
isAdmin, err := strconv.ParseBool(adminStr)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
return isAdmin
|
||||
}
|
||||
|
||||
func abortError(c *gin.Context) {
|
||||
c.AbortWithStatusJSON(http.StatusUnauthorized,
|
||||
gin.H{"error": "You must be logged in to access this resource."})
|
||||
}
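Review bot: The admin authorization at `if strings.HasPrefix(c.FullPath(), "/ws/admin/") && !hasAdminRights(jwtoken)` ties the privilege check to a path-prefix string inside the generic Auth() middleware, so any admin handler registered under another prefix (or at `/ws/admin` without the trailing slash) is only authenticated, never authorized; Auth() itself begins outside the hunk. A more robust shape is to have Auth() record the claim result with `c.Set("admin", hasAdminRights(jwtoken))` and enforce it with a dedicated RequireAdmin() middleware attached to the admin router group, which keeps the check next to the routes it protects. hasAdminRights in the last hunk only recognises a string claim and returns false for a JSON boolean `true`, which fails closed but presumably needs to match what the issuer writes into the token — worth confirming against the code that creates admin users, which is not in this hunk.

```go
// RequireAdmin must run after Auth(); attach it to the /ws/admin router group
// so every admin route is covered regardless of its path.
func RequireAdmin() gin.HandlerFunc {
	return func(c *gin.Context) {
		v, _ := c.Get("admin")
		if isAdmin, _ := v.(bool); !isAdmin {
			c.AbortWithStatusJSON(http.StatusForbidden,
				gin.H{"error": "You do not have the right to access this resource."})
			return
		}
	}
}
```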
|
||||
|
||||