chore: replace gin with standard lib net/http

internal/app/api/v0/handlers/web_authentication.go

@@ -0,0 +1,126 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/h44z/wg-portal/internal/app/api/core/request"
+	"github.com/h44z/wg-portal/internal/app/api/core/respond"
+	"github.com/h44z/wg-portal/internal/app/api/v0/model"
+	"github.com/h44z/wg-portal/internal/domain"
+)
+
+type Scope string
+
+const (
+	ScopeAdmin Scope = "ADMIN" // Admin scope contains all other scopes
+)
+
+type UserAuthenticator interface {
+	IsUserValid(ctx context.Context, id domain.UserIdentifier) bool
+}
+
+type AuthenticationHandler struct {
+	authenticator UserAuthenticator
+	session       Session
+}
+
+func NewAuthenticationHandler(authenticator UserAuthenticator, session Session) AuthenticationHandler {
+	return AuthenticationHandler{
+		authenticator: authenticator,
+		session:       session,
+	}
+}
+
+// LoggedIn checks if a user is logged in. If scopes are given, they are validated as well.
+func (h AuthenticationHandler) LoggedIn(scopes ...Scope) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			session := h.session.GetData(r.Context())
+
+			if !session.LoggedIn {
+				// Abort the request with the appropriate error code
+				respond.JSON(w, http.StatusUnauthorized,
+					model.Error{Code: http.StatusUnauthorized, Message: "not logged in"})
+				return
+			}
+
+			if !UserHasScopes(session, scopes...) {
+				// Abort the request with the appropriate error code
+				respond.JSON(w, http.StatusForbidden,
+					model.Error{Code: http.StatusForbidden, Message: "not enough permissions"})
+				return
+			}
+
+			// Check if logged-in user is still valid
+			if !h.authenticator.IsUserValid(r.Context(), domain.UserIdentifier(session.UserIdentifier)) {
+				h.session.DestroyData(r.Context())
+				respond.JSON(w, http.StatusUnauthorized,
+					model.Error{Code: http.StatusUnauthorized, Message: "session no longer available"})
+				return
+			}
+
+			ctx := context.WithValue(r.Context(), domain.CtxUserInfo, &domain.ContextUserInfo{
+				Id:      domain.UserIdentifier(session.UserIdentifier),
+				IsAdmin: session.IsAdmin,
+			})
+			r = r.WithContext(ctx)
+
+			// Continue down the chain to Handler etc
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// UserIdMatch checks if the user id in the session matches the user id in the request. If not, the request is aborted.
+func (h AuthenticationHandler) UserIdMatch(idParameter string) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			session := h.session.GetData(r.Context())
+
+			if session.IsAdmin {
+				next.ServeHTTP(w, r) // Admins can do everything
+				return
+			}
+
+			sessionUserId := domain.UserIdentifier(session.UserIdentifier)
+			requestUserId := domain.UserIdentifier(Base64UrlDecode(request.Path(r, idParameter)))
+
+			if sessionUserId != requestUserId {
+				// Abort the request with the appropriate error code
+				respond.JSON(w, http.StatusForbidden,
+					model.Error{Code: http.StatusForbidden, Message: "not enough permissions"})
+				return
+			}
+
+			// Continue down the chain to Handler etc
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+func UserHasScopes(session SessionData, scopes ...Scope) bool {
+	// No scopes give, so the check should succeed
+	if len(scopes) == 0 {
+		return true
+	}
+
+	// check if user has admin scope
+	if session.IsAdmin {
+		return true
+	}
+
+	// Check if admin scope is required
+	for _, scope := range scopes {
+		if scope == ScopeAdmin {
+			return false
+		}
+	}
+
+	// For all other scopes, a logged-in user is sufficient (for now)
+	if session.LoggedIn {
+		return true
+	}
+
+	return false
+}