fixed bugs

2025-03-19 19:56:58 +02:00
parent 1488d7db16
commit 32d64f3637
14 changed files with 173 additions and 98 deletions
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -48,28 +48,6 @@ func (con *AuthApi) signToken(token Claims) (string, error) {
 	return t.SignedString([]byte(con.config.Signing.Key))
 }

-func AuthorizedTo(requiredPermissions models.Permission) gin.HandlerFunc {
-	return func(ctx *gin.Context) {
-		claimsPointer, exists := ctx.Get("claims")
-		if !exists {
-			log.Printf("LoggedIn was not called first")
-			ctx.AbortWithError(500, fmt.Errorf("Misconfigured method"))
-			return
-		}
-
-		claims, ok := claimsPointer.(*AuthClaims)
-		if !ok {
-			ctx.AbortWithStatus(500)
-			return
-		}
-
-		if (requiredPermissions&claims.Permissions != requiredPermissions) && (models.Admin&claims.Permissions != models.Admin) {
-			ctx.AbortWithStatusJSON(403, "matching permissions were not found")
-			return
-		}
-	}
-}
-
 func (con *AuthApi) LoggedIn(ctx *gin.Context) {
 	authCookie, err := ctx.Request.Cookie("auth")
 	if err != nil {
@@ -77,7 +55,7 @@ func (con *AuthApi) LoggedIn(ctx *gin.Context) {
 		return
 	}

-	token, err := jwt.ParseWithClaims(authCookie.Value, &AuthClaims{}, func(token *jwt.Token) (interface{}, error) {
+	token, err := jwt.ParseWithClaims(authCookie.Value, &AuthClaims{}, func(token *jwt.Token) (any, error) {
 		// Don't forget to validate the alg is what you expect:
 		if token.Method.Alg() != con.config.Signing.Algorithm {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
@@ -216,6 +194,7 @@ func (con AuthApi) Verify(ctx *gin.Context) {

 	ctx.Redirect(303, fmt.Sprintf("http://%s/login", con.config.Domain))
 }
+
 func LoadGroup(group *gin.RouterGroup, config models.GlobalConfig) gin.HandlerFunc {
 	userAuthHandler, err := factories.GetUserPassAuthDbHandler(config.Authentication.UserPass)
 	if err != nil {
@@ -234,7 +213,7 @@ func LoadGroup(group *gin.RouterGroup, config models.GlobalConfig) gin.HandlerFu
 	}

 	group.POST("/signin", connection.signIn)
-	group.POST("/signup", connection.LoggedIn, AuthorizedTo(models.Admin), connection.signUp)
+	group.POST("/signup", connection.signUp)
 	group.Any("/verify", connection.Verify)

 	return connection.LoggedIn
--- a/auth/utils.go
+++ b/auth/utils.go
@@ -0,0 +1,46 @@
+package auth
+
+import (
+	"fmt"
+
+	"git.acooldomain.co/server-manager/backend/models"
+	"github.com/gin-gonic/gin"
+)
+
+const AuthorizedParam string = "authorized"
+
+func AuthorizedTo(requiredPermissions models.Permission) gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		claimsPointer, exists := ctx.Get("claims")
+		if !exists {
+			ctx.AbortWithError(500, fmt.Errorf("Did not call LoggedIn first"))
+			return
+		}
+
+		claims, ok := claimsPointer.(*AuthClaims)
+		if !ok {
+			return
+		}
+
+		if (requiredPermissions&claims.Permissions != requiredPermissions) && (models.Admin&claims.Permissions != models.Admin) {
+			return
+		}
+
+		ctx.Set(AuthorizedParam, true)
+	}
+}
+
+func AuthorizationEnforcer() gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		authorized, exists := ctx.Get(AuthorizedParam)
+		if !exists {
+			ctx.AbortWithStatus(403)
+			return
+		}
+
+		if !authorized.(bool) {
+			ctx.AbortWithStatus(403)
+		}
+
+	}
+}