wg-portal/internal/app/api/v0/handlers/middleware_authentication.go

package handlers

import (
	"github.com/gin-gonic/gin"
	"github.com/h44z/wg-portal/internal/app"
	"github.com/h44z/wg-portal/internal/app/api/v0/model"
	"github.com/h44z/wg-portal/internal/domain"
	"net/http"
)

type Scope string

const (
	ScopeAdmin   Scope = "ADMIN" // Admin scope contains all other scopes
	ScopeSwagger Scope = "SWAGGER"
	ScopeUser    Scope = "USER"
)

type authenticationHandler struct {
	app     *app.App
	Session SessionStore
}

// LoggedIn checks if a user is logged in. If scopes are given, they are validated as well.
func (h authenticationHandler) LoggedIn(scopes ...Scope) gin.HandlerFunc {
	return func(c *gin.Context) {
		session := h.Session.GetData(c)

		if !session.LoggedIn {
			// Abort the request with the appropriate error code
			c.Abort()
			c.JSON(http.StatusUnauthorized, model.Error{Code: http.StatusUnauthorized, Message: "not logged in"})
			return
		}

		if !UserHasScopes(session, scopes...) {
			// Abort the request with the appropriate error code
			c.Abort()
			c.JSON(http.StatusForbidden, model.Error{Code: http.StatusForbidden, Message: "not enough permissions"})
			return
		}

		// Check if logged-in user is still valid
		if !h.app.Authenticator.IsUserValid(c.Request.Context(), domain.UserIdentifier(session.UserIdentifier)) {
			h.Session.DestroyData(c)
			c.Abort()
			c.JSON(http.StatusUnauthorized, model.Error{Code: http.StatusUnauthorized, Message: "session no longer available"})
			return
		}

		c.Set(domain.CtxUserInfo, &domain.ContextUserInfo{
			Id:      domain.UserIdentifier(session.UserIdentifier),
			IsAdmin: session.IsAdmin,
		})

		// Continue down the chain to handler etc
		c.Next()
	}
}

func UserHasScopes(session SessionData, scopes ...Scope) bool {
	// No scopes give, so the check should succeed
	if len(scopes) == 0 {
		return true
	}

	// check if user has admin scope
	if session.IsAdmin {
		return true
	}

	// Check if admin scope is required
	for _, scope := range scopes {
		if scope == ScopeAdmin {
			return false
		}
	}

	// For all other scopes, a logged-in user is sufficient (for now)
	if session.LoggedIn {
		return true
	}

	return false
}
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 13:34:18 +02:00			`package handlers`

			`import (`
			`"github.com/gin-gonic/gin"`
			`"github.com/h44z/wg-portal/internal/app"`
			`"github.com/h44z/wg-portal/internal/app/api/v0/model"`
			`"github.com/h44z/wg-portal/internal/domain"`
			`"net/http"`
			`)`

			`type Scope string`

			`const (`
			`ScopeAdmin Scope = "ADMIN" // Admin scope contains all other scopes`
			`ScopeSwagger Scope = "SWAGGER"`
			`ScopeUser Scope = "USER"`
			`)`

			`type authenticationHandler struct {`
			`app *app.App`
			`Session SessionStore`
			`}`

			`// LoggedIn checks if a user is logged in. If scopes are given, they are validated as well.`
			`func (h authenticationHandler) LoggedIn(scopes ...Scope) gin.HandlerFunc {`
			`return func(c *gin.Context) {`
			`session := h.Session.GetData(c)`

			`if !session.LoggedIn {`
			`// Abort the request with the appropriate error code`
			`c.Abort()`
			`c.JSON(http.StatusUnauthorized, model.Error{Code: http.StatusUnauthorized, Message: "not logged in"})`
			`return`
			`}`

			`if !UserHasScopes(session, scopes...) {`
			`// Abort the request with the appropriate error code`
			`c.Abort()`
			`c.JSON(http.StatusForbidden, model.Error{Code: http.StatusForbidden, Message: "not enough permissions"})`
			`return`
			`}`

			`// Check if logged-in user is still valid`
			`if !h.app.Authenticator.IsUserValid(c.Request.Context(), domain.UserIdentifier(session.UserIdentifier)) {`
			`h.Session.DestroyData(c)`
			`c.Abort()`
			`c.JSON(http.StatusUnauthorized, model.Error{Code: http.StatusUnauthorized, Message: "session no longer available"})`
			`return`
			`}`

			`c.Set(domain.CtxUserInfo, &domain.ContextUserInfo{`
			`Id: domain.UserIdentifier(session.UserIdentifier),`
			`IsAdmin: session.IsAdmin,`
			`})`

			`// Continue down the chain to handler etc`
			`c.Next()`
			`}`
			`}`

			`func UserHasScopes(session SessionData, scopes ...Scope) bool {`
			`// No scopes give, so the check should succeed`
			`if len(scopes) == 0 {`
			`return true`
			`}`

			`// check if user has admin scope`
			`if session.IsAdmin {`
			`return true`
			`}`

			`// Check if admin scope is required`
			`for _, scope := range scopes {`
			`if scope == ScopeAdmin {`
			`return false`
			`}`
			`}`

			`// For all other scopes, a logged-in user is sufficient (for now)`
			`if session.LoggedIn {`
			`return true`
			`}`

			`return false`
			`}`