diff --git a/auth/jwt/provider.go b/auth/jwt/provider.go
index 80aed31..e74b07d 100644
--- a/auth/jwt/provider.go
+++ b/auth/jwt/provider.go
@@ -9,9 +9,8 @@ import (
jwtmiddleware "github.com/auth0/go-jwt-middleware"
"github.com/demdxx/gocast/v2"
"github.com/form3tech-oss/jwt-go"
- "github.com/ory/fosite"
- "github.com/geniusrabbit/blaze-api/auth/elogin/utils"
+ "github.com/geniusrabbit/blaze-api/auth/tokenextractor"
)
var (
@@ -64,15 +63,8 @@ func NewDefaultProvider(secret string, tokenLifetime time.Duration, isDebug bool
TokenLifetime: tokenLifetime,
Secret: secret,
MiddlewareOpts: &jwtmiddleware.Options{
- Debug: isDebug,
- Extractor: func(r *http.Request) (string, error) {
- token := fosite.AccessTokenFromRequest(r)
- if token == "" {
- state := utils.DecodeState(r.URL.Query().Get("state"))
- token = state.Get(`access_token`)
- }
- return token, nil
- },
+ Debug: isDebug,
+ Extractor: tokenextractor.DefaultExtractor,
},
}
}
diff --git a/auth/tokenextractor/default.go b/auth/tokenextractor/default.go
new file mode 100644
index 0000000..ccf97c2
--- /dev/null
+++ b/auth/tokenextractor/default.go
@@ -0,0 +1,18 @@
+package tokenextractor
+
+import (
+ "net/http"
+
+ "github.com/ory/fosite"
+
+ "github.com/geniusrabbit/blaze-api/auth/elogin/utils"
+)
+
+func DefaultExtractor(r *http.Request) (string, error) {
+ token := fosite.AccessTokenFromRequest(r)
+ if token == "" {
+ state := utils.DecodeState(r.URL.Query().Get("state"))
+ token = state.Get(`access_token`)
+ }
+ return token, nil
+}
diff --git a/middleware/auth.go b/middleware/auth.go
index 6a54524..2850560 100644
--- a/middleware/auth.go
+++ b/middleware/auth.go
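Review bot: DefaultExtractor falls back to reading an access token out of the `state` query parameter on any request that carries no bearer credential, and this commit wires it into both the JWT middleware and AuthHTTP, so the fallback is no longer confined to the social-login flow the removed comment in middleware/auth.go described. A token transported in a URL ends up in access logs, Referer headers and browser history, and the state value is attacker-controlled input that is decoded before any token validation happens; if the state-carried token is only meaningful on the OAuth callback, the fallback should be restricted to that route (or be a separate extractor the callback opts into) rather than the default for every handler. The previous middleware only called `utils.DecodeState` when `state` was non-empty, whereas this helper decodes unconditionally — presumably harmless if DecodeState tolerates an empty string, but worth confirming. The exported function also has no doc comment; something like `// DefaultExtractor returns the token found by fosite.AccessTokenFromRequest, falling back to the access_token entry of the decoded state query parameter; it never returns an error.` would state the contract callers rely on.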
@@ -15,9 +15,9 @@ import (
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promauto"
- "github.com/geniusrabbit/blaze-api/auth/elogin/utils"
"github.com/geniusrabbit/blaze-api/auth/jwt"
"github.com/geniusrabbit/blaze-api/auth/oauth2/serverprovider"
+ "github.com/geniusrabbit/blaze-api/auth/tokenextractor"
"github.com/geniusrabbit/blaze-api/context/ctxlogger"
"github.com/geniusrabbit/blaze-api/context/session"
"github.com/geniusrabbit/blaze-api/model"
@@ -68,16 +68,13 @@ func AuthHTTP(metricsPrefix string, next http.Handler, oauth2provider fosite.OAu
authWr := newAuthWrapper(metricsPrefix)
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var (
- err error
- ctx = r.Context()
- isJWTSession = false
- token = fosite.AccessTokenFromRequest(r)
authorized = false
+ isJWTSession = false
+ ctx = r.Context()
+ token, err = tokenextractor.DefaultExtractor(r)
)
- // If authroization by social network then all parameters will be passed in the state
- if token == "" && r.URL.Query().Get("state") != "" {
- state := utils.DecodeState(r.URL.Query().Get("state"))
- token = state.Get("access_token")
+ if err != nil {
+ ctxlogger.Get(r.Context()).Error("token extraction", zap.Error(err))
}
// If token is empty then it's anonymous user
if token == "" {
diff --git a/migrations/initial/005_auth_roles.up.sql b/migrations/initial/005_auth_roles.up.sql
index a105952..e307369 100644
--- a/migrations/initial/005_auth_roles.up.sql
+++ b/migrations/initial/005_auth_roles.up.sql
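Review bot: When the extractor reports an error, the new `if err != nil` branch only logs and then carries on with whatever `token` came back, so an extractor that returns a partial or unparseable credential together with an error would still be handed to token validation; the branch should fail closed, either by rejecting the request or at minimum `ctxlogger.Get(ctx).Error("token extraction", zap.Error(err))` followed by `token = "" // an unparseable credential is treated as anonymous, never validated`. As added in this commit, tokenextractor.DefaultExtractor never returns a non-nil error, so today the branch is dead code — a reason to either make it meaningful or drop it rather than leave a log-and-continue path that the next extractor will inherit. Minor: `ctx` is already bound to `r.Context()` in the var block, so the log line can use it directly. The AuthHTTP handler body continues past the end of this hunk.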
@@ -3,16 +3,16 @@ INSERT INTO rbac_role (name, title, context, permissions) VALUES
-- System roles
('system:admin', 'System admins', NULL, '{"*"}'),
- ('system:manager', 'System manager', NULL, '{"*.{view|list|count|create|update|delete|restore|approve|reject|reset}.*", "role.**", "user.password.reset", "account.member.**"}'),
- ('system:analyst', 'System analyst', NULL, '{"*.{view|list|count}.*", "*.*.{view|list|count}.*", "role.check", "user.password.reset"}'),
- ('system:viewer', 'System viewer', NULL, '{"*.{view|list|count}.*", "role.check", "user.password.reset"}'),
- ('system:compliance', 'System compliance', NULL, '{"*.{view|list|count|approve|reject}.*", "*.*.{view|list|count|approve|reject}.*", "role.check", "user.password.reset"}'),
+ ('system:manager', 'System manager', NULL, '{"*.{view|list|count|create|update|delete|restore|approve|reject|reset}.*", "role.**", "user.password.reset", "account.member.**", "permission.**"}'),
+ ('system:analyst', 'System analyst', NULL, '{"*.{view|list|count}.*", "*.*.{view|list|count}.*", "role.check", "user.password.reset", "permission.list"}'),
+ ('system:viewer', 'System viewer', NULL, '{"*.{view|list|count}.*", "role.check", "user.password.reset", "permission.list"}'),
+ ('system:compliance', 'System compliance', NULL, '{"*.{view|list|count|approve|reject}.*", "*.*.{view|list|count|approve|reject}.*", "role.check", "user.password.reset", "permission.list"}'),
-- Account roles'
- ('account:admin', 'Account admins', NULL, '{"*.*.{account|owner}", "*.*.*.{account|owner}", "role.check", "user.password.reset"}'),
- ('account:writer', 'Account writer', NULL, '{"*.{view|list|restore}.{account|owner}", "*.*.{view|list|restore}.{account|owner}", "role.check", "user.password.reset"}'),
- ('account:analyst', 'Account analyst', NULL, '{"*.{view|list}.{account|owner}", "*.*.{view|list}.{account|owner}", "role.check", "user.password.reset"}'),
- ('account:viewer', 'Account viewer', NULL, '{"*.{view|list}.{account|owner}", "*.*.{view|list}.{account|owner}", "role.check", "user.password.reset"}'),
- ('account:compliance', 'Account compliance', NULL, '{"*.{view|list|approve|reject}.{account|owner}", "*.*.{view|list|approve|reject}.{account|owner}", "role.check", "user.password.reset"}');
+ ('account:admin', 'Account admins', NULL, '{"*.*.{account|owner}", "*.*.*.{account|owner}", "role.check", "user.password.reset", "permission.list"}'),
+ ('account:writer', 'Account writer', NULL, '{"*.{view|list|restore}.{account|owner}", "*.*.{view|list|restore}.{account|owner}", "role.check", "user.password.reset", "permission.list"}'),
+ ('account:analyst', 'Account analyst', NULL, '{"*.{view|list}.{account|owner}", "*.*.{view|list}.{account|owner}", "role.check", "user.password.reset", "permission.list"}'),
+ ('account:viewer', 'Account viewer', NULL, '{"*.{view|list}.{account|owner}", "*.*.{view|list}.{account|owner}", "role.check", "user.password.reset", "permission.list"}'),
+ ('account:compliance', 'Account compliance', NULL, '{"*.{view|list|approve|reject}.{account|owner}", "*.*.{view|list|approve|reject}.{account|owner}", "role.check", "user.password.reset", "permission.list"}');
INSERT INTO m2m_account_member_role(member_id, role_id) SELECT m.id as member_id, (SELECT id FROM rbac_role WHERE name = 'system:admin') AS role_id