Protected POST /account and fixed with JWT stuff in general

2021-01-03 18:21:42 +01:00
parent bb7e525adc
commit a36ec47324
13 changed files with 352 additions and 40 deletions
--- a/src/handlers/helpers.go
+++ b/src/handlers/helpers.go
@@ -0,0 +1,115 @@
+package handlers
+
+import (
+	"errors"
+	"strings"
+	"time"
+
+	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/gofiber/fiber/v2"
+	log "github.com/sirupsen/logrus"
+	"gitlab.larvit.se/power-plan/auth/src/db"
+)
+
+func (h Handlers) returnTokens(account db.Account, c *fiber.Ctx) error {
+	expirationTime := time.Now().Add(15 * time.Minute)
+
+	claims := &Claims{
+		AccountID:     account.ID.String(),
+		AccountName:   account.Name,
+		AccountFields: account.Fields,
+		StandardClaims: jwt.StandardClaims{
+			ExpiresAt: expirationTime.Unix(),
+		},
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	tokenString, err := token.SignedString(h.JwtKey)
+	if err != nil {
+		log.Error("Could not create token string, err: " + err.Error())
+		return c.Status(500).JSON([]ResJSONError{{Error: "Could not create JWT token string"}})
+	}
+
+	renewalToken, renewalTokenErr := h.Db.RenewalTokenGet(account.ID.String())
+	if renewalTokenErr != nil {
+		log.Error("Could not create renewal token, err: " + renewalTokenErr.Error())
+		return c.Status(500).JSON([]ResJSONError{{Error: "Could not create renewal token"}})
+	}
+
+	return c.Status(200).JSON(ResToken{
+		JWT:          tokenString,
+		RenewalToken: renewalToken,
+	})
+}
+
+func (h Handlers) parseJWT(JWT string) (Claims, error) {
+	logContext := log.WithFields(log.Fields{"JWT": JWT})
+	logContext.Trace("Parsing JWT")
+
+	JWT = strings.TrimPrefix(JWT, "bearer ") // Since the Authorization header should always start with "bearer "
+	logContext.WithFields(log.Fields{"TrimmedJWT": JWT}).Trace("JWT trimmed")
+
+	claims := &Claims{}
+
+	token, err := jwt.ParseWithClaims(JWT, claims, func(token *jwt.Token) (interface{}, error) {
+		return h.JwtKey, nil
+	})
+	if err != nil {
+		return Claims{}, err
+	}
+	if !token.Valid {
+		err := errors.New("Invalid token")
+		return Claims{}, err
+	}
+
+	return *claims, nil
+}
+
+func (h Handlers) parseHeaders(c *fiber.Ctx) map[string]string {
+	headersMap := make(map[string]string)
+
+	headersString := c.Request().Header.String()
+	headersLines := strings.Split(headersString, "\r\n")
+
+	for _, line := range headersLines {
+		lineParts := strings.Split(line, ": ")
+
+		if len(lineParts) == 1 {
+			log.WithFields(log.Fields{"line": line}).Trace("Ignoring header line")
+		} else {
+			headersMap[lineParts[0]] = lineParts[1]
+		}
+	}
+
+	return headersMap
+}
+
+// RequireAdminRole returns nil if no error is found
+func (h Handlers) RequireAdminRole(c *fiber.Ctx) error {
+	headers := h.parseHeaders(c)
+
+	if headers["Authorization"] == "" {
+		return errors.New("Authorization header is missing")
+	}
+
+	claims, claimsErr := h.parseJWT(headers["Authorization"])
+	if claimsErr != nil {
+		return claimsErr
+	}
+
+	if claims.AccountFields == nil {
+		return errors.New("Account have no fields at all")
+	}
+
+	if claims.AccountFields["role"] == nil {
+		return errors.New("Account have no field named \"role\"")
+	}
+
+	for _, role := range claims.AccountFields["role"] {
+		if role == "admin" {
+			return nil
+		}
+	}
+
+	return errors.New("No \"admin\" role found on account")
+}