rnsrk/wisski-cloud-distillery
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improvements for tokens

Browse source
This commit is contained in:
Tom 2023-06-29 08:59:19 +02:00
parent effa79aacd
commit 8ccd490bed
15 changed files with 34 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

8
internal/dis/component/auth/api/api.go
View file

@ -43,11 +43,9 @@ func (a *API) HandleRoute(ctx context.Context, path string) (http.Handler, error
Methods: []string{"GET"},
Handler: func(s string, r *http.Request) (ai AuthInfo, err error) {
var user *auth.AuthUser
user, err = a.Dependencies.Auth.SessionOf(r)
if user != nil {
ai.User = user.User.User
}
session, _, err := a.Dependencies.Auth.SessionOf(r)
ai.User = session.Username()
ai.Token = session.Token
return
},
}, nil

2
internal/dis/component/auth/next/next.go
View file

@ -31,7 +31,7 @@ var (
func (next *Next) Routes() component.Routes {
return component.Routes{
Prefix: "/next/",
Decorator: next.Dependencies.Auth.Require(true, scopes.ScopeUserLoggedIn, nil),
Decorator: next.Dependencies.Auth.Require(true, scopes.ScopeUserValid, nil),
}
}

4
internal/dis/component/auth/panel/panel.go
View file

@ -42,7 +42,7 @@ func (panel *UserPanel) Routes() component.Routes {
return component.Routes{
Prefix: "/user/",
CSRF: true,
Decorator: panel.Dependencies.Auth.Require(false, scopes.ScopeUserLoggedIn, nil),
Decorator: panel.Dependencies.Auth.Require(false, scopes.ScopeUserValid, nil),
}
}
@ -137,7 +137,7 @@ func (panel *UserPanel) HandleRoute(ctx context.Context, route string) (http.Han
}
// ensure that the user is logged in!
return panel.Dependencies.Auth.Protect(router, false, scopes.ScopeUserLoggedIn, nil), nil
return panel.Dependencies.Auth.Protect(router, false, scopes.ScopeUserValid, nil), nil
}
type userFormContext struct {

2
internal/dis/component/auth/panel/user.go
View file

@ -62,7 +62,7 @@ func (panel *UserPanel) routeUser(ctx context.Context) http.Handler {
return uc, nil, err
}
uc.ShowAdminURLs = panel.Dependencies.Auth.CheckScope("", scopes.ScopeAdminLoggedIn, r) == nil
uc.ShowAdminURLs = panel.Dependencies.Auth.CheckScope("", scopes.ScopeUserAdmin, r) == nil
// replace the totp action in the menu
var totpAction component.MenuItem

6
internal/dis/component/auth/protect.go
View file

@ -22,14 +22,14 @@ func (auth *Auth) Protect(handler http.Handler, AllowToken bool, scope component
var paramValue string
// load the user in the session
// TODO<tokens>: Check if API access is allowed
user, token, err := auth.SessionOf(r)
// TODO: In a future version of sessions, check if token has the permitted scope.
session, user, err := auth.SessionOf(r)
if err != nil {
goto err
}
// token was set, but not allowed!
if token && !AllowToken {
if session.Token && !AllowToken {
goto forbidden
}

10
internal/dis/component/auth/scopes/admin.go
View file

@ -19,19 +19,19 @@ var (
)
const (
ScopeAdminLoggedIn Scope = "login.admin"
ScopeUserAdmin Scope = "user.admin"
)
func (*AdminLoggedIn) Scope() component.ScopeInfo {
return component.ScopeInfo{
Scope: ScopeAdminLoggedIn,
Description: "session has a signed in admin",
DeniedMessage: "user must be signed into an admin account with TOTP enabled",
Scope: ScopeUserAdmin,
Description: "session must have a valid admin",
DeniedMessage: "user must have an admin account with TOTP enabled",
TakesParam: false,
}
}
func (al *AdminLoggedIn) HasScope(param string, r *http.Request) (bool, error) {
user, _, err := al.Dependencies.Auth.SessionOf(r)
_, user, err := al.Dependencies.Auth.SessionOf(r)
return user != nil && user.IsAdmin() && user.IsTOTPEnabled(), err
}

8
internal/dis/component/auth/scopes/user.go
View file

@ -19,18 +19,18 @@ var (
)
const (
ScopeUserLoggedIn Scope = "login.user"
ScopeUserValid Scope = "user.valid"
)
func (*UserLoggedIn) Scope() component.ScopeInfo {
return component.ScopeInfo{
Scope: ScopeUserLoggedIn,
Description: "session has an associated user",
Scope: ScopeUserValid,
Description: "session must have a valid user",
TakesParam: false,
}
}
func (iu *UserLoggedIn) HasScope(param string, r *http.Request) (bool, error) {
user, _, err := iu.Dependencies.Auth.SessionOf(r)
_, user, err := iu.Dependencies.Auth.SessionOf(r)
return user != nil, err
}

4
internal/dis/component/auth/session.go
View file

@ -41,11 +41,15 @@ func (auth *Auth) SessionOf(r *http.Request) (session component.SessionInfo, use
if err != nil {
return component.SessionInfo{}, nil, err
}
if user == nil {
return component.SessionInfo{}, nil, nil
}
return component.SessionInfo{User: &user.User, Token: false}, user, nil
}
}
// UserOfToken returns the user associated with the token in request.
// To check the user of a token or session, use SessionOf.
func (auth *Auth) UserOfToken(r *http.Request) (user *AuthUser, err error) {
// get the token object
token, err := auth.Dependencies.Tokens.TokenOf(r)