Authorization improvemen and add direct access token

example/api/cmd/api/appinit/acl.go

@@ -39,6 +39,7 @@ func InitModelPermissions(pm *permissions.Manager) {
 		&model.AccountSocial{},
 		&model.HistoryAction{},
 		&model.Option{},
+		&model.DirectAccessToken{},
 	)
 
 	// Register user permissions
@@ -50,7 +51,9 @@ func InitModelPermissions(pm *permissions.Manager) {
 
 	// Register basic roles permissions
 	_ = pm.RegisterNewOwningPermissions(&model.Role{}, crudPermissions)
-	_ = pm.RegisterNewPermission(nil, PermPermissionList)
+	_ = pm.RegisterNewPermission(&model.Role{}, `check`,
+		rbac.WithDescription("Check role permissions is assigned to the user"))
+	_ = pm.RegisterNewPermission(nil, PermPermissionList, rbac.WithDescription("List all permissions"))
 
 	// Register basic permissions for the AuthClient model
 	_ = pm.RegisterNewOwningPermissions(&model.AuthClient{}, crudPermissions)
@@ -65,13 +68,31 @@ func InitModelPermissions(pm *permissions.Manager) {
 	// Register basic permissions for the Option model
 	_ = pm.RegisterNewOwningPermissions(&model.Option{}, []string{acl.PermGet, acl.PermSet, acl.PermList, acl.PermCount})
 
+	// Register basic permissions for the DirectAccessToken model
+	_ = pm.RegisterNewOwningPermissions(&model.DirectAccessToken{}, []string{acl.PermGet, acl.PermList, acl.PermCount, acl.PermCreate, acl.PermDelete})
+
 	// Register anonymous role and fill permissions for it
 	pm.RegisterRole(context.Background(),
-		rbac.MustNewRole(session.AnonymousDefaultRole, rbac.WithPermissions(
-			`user.view.owner`, `user.list.owner`, `user.count.owner`,
-			`user.password.reset.owner`, `user.password.set.owner`, PermAccountRegister,
-			`account.view.owner`, `account.list.owner`, `account.count.owner`,
-		)),
+		rbac.MustNewRole(session.AnonymousDefaultRole,
+			rbac.WithDescription("Anonymous user role"),
+			rbac.WithPermissions(
+				`user.view.owner`, `user.list.owner`, `user.count.owner`,
+				`user.password.reset.owner`, `user.password.set.owner`, PermAccountRegister,
+				`account.view.owner`, `account.list.owner`, `account.count.owner`,
+				`directaccesstoken.view.owner`, `directaccesstoken.list.owner`, `directaccesstoken.count.owner`,
+				`role.check`,
+			),
+		),
+		rbac.MustNewRole(permissions.DefaultRole,
+			rbac.WithDescription("Default user role"),
+			rbac.WithPermissions(
+				`user.view.owner`, `user.list.owner`, `user.count.owner`,
+				`user.password.reset.owner`, `user.password.set.owner`, PermAccountRegister,
+				`account.view.owner`, `account.list.owner`, `account.count.owner`,
+				`directaccesstoken.view.owner`, `directaccesstoken.list.owner`, `directaccesstoken.count.owner`, `directaccesstoken.create.owner`, `directaccesstoken.update.owner`, `directaccesstoken.delete.owner`,
+				`role.check`,
+			),
+		),
 	)
 }
 

example/api/cmd/api/main.go

@@ -17,11 +17,14 @@ import (
 	"github.com/geniusrabbit/blaze-api/example/api/cmd/api/appinit"
 	"github.com/geniusrabbit/blaze-api/example/api/cmd/api/migratedb"
 	"github.com/geniusrabbit/blaze-api/example/api/internal/server"
+	"github.com/geniusrabbit/blaze-api/pkg/auth"
+	"github.com/geniusrabbit/blaze-api/pkg/auth/devtoken"
 	"github.com/geniusrabbit/blaze-api/pkg/auth/elogin/facebook"
+	"github.com/geniusrabbit/blaze-api/pkg/auth/jwt"
+	"github.com/geniusrabbit/blaze-api/pkg/auth/oauth2"
 	"github.com/geniusrabbit/blaze-api/pkg/context/ctxlogger"
 	"github.com/geniusrabbit/blaze-api/pkg/context/version"
 	"github.com/geniusrabbit/blaze-api/pkg/database"
-	"github.com/geniusrabbit/blaze-api/pkg/middleware"
 	"github.com/geniusrabbit/blaze-api/pkg/permissions"
 	"github.com/geniusrabbit/blaze-api/pkg/profiler"
 	"github.com/geniusrabbit/blaze-api/pkg/zlogger"
@@ -114,14 +117,23 @@ func main() {
 
 	httpServer := server.HTTPServer{
 		Logger:         loggerObj,
-		OAuth2provider: oauth2provider,
 		JWTProvider:    jwtProvider,
 		SessionManager: appinit.SessionManager(conf.Session.CookieName, conf.Session.Lifetime),
-		AuthOption: gocast.IfThen(conf.IsDebug(), &middleware.AuthOption{
-			DevToken:     conf.Session.DevToken,
-			DevUserID:    conf.Session.DevUserID,
-			DevAccountID: conf.Session.DevAccountID,
-		}, nil),
+		// OAuth2provider: oauth2provider,
+		// AuthOption: gocast.IfThen(conf.IsDebug(), &middleware.AuthOption{
+		// 	DevToken:     conf.Session.DevToken,
+		// 	DevUserID:    conf.Session.DevUserID,
+		// 	DevAccountID: conf.Session.DevAccountID,
+		// }, nil),
+		Authorizers: []auth.Authorizer{
+			jwt.NewAuthorizer(jwtProvider),
+			oauth2.NewAuthorizer(oauth2provider),
+			devtoken.NewAuthorizer(gocast.IfThen(conf.IsDebug(), &devtoken.AuthOption{
+				DevToken:     conf.Session.DevToken,
+				DevUserID:    conf.Session.DevUserID,
+				DevAccountID: conf.Session.DevAccountID,
+			}, nil)),
+		},
 		ContextWrap: func(ctx context.Context) context.Context {
 			ctx = ctxlogger.WithLogger(ctx, loggerObj)
 			ctx = database.WithDatabase(ctx, masterDatabase, slaveDatabase)

example/api/internal/server/server.go

@@ -12,10 +12,10 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/opentracing-contrib/go-stdlib/nethttp"
 	"github.com/opentracing/opentracing-go"
-	"github.com/ory/fosite"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"go.uber.org/zap"
 
+	"github.com/geniusrabbit/blaze-api/pkg/auth"
 	"github.com/geniusrabbit/blaze-api/pkg/auth/jwt"
 	"github.com/geniusrabbit/blaze-api/pkg/middleware"
 	"github.com/geniusrabbit/blaze-api/pkg/profiler"
@@ -32,10 +32,9 @@ type HTTPServer struct {
 	RequestTimeout time.Duration
 	ContextWrap    contextWrapper
 	InitWrap       muxInitWrapper
-	OAuth2provider fosite.OAuth2Provider
+	Authorizers    []auth.Authorizer
 	JWTProvider    *jwt.Provider
 	SessionManager *scs.SessionManager
-	AuthOption     *middleware.AuthOption
 	Logger         *zap.Logger
 }
 
@@ -58,7 +57,7 @@ func (s *HTTPServer) Run(ctx context.Context, address string) (err error) {
 	h := http.Handler(mux)
 
 	// Add middleware's
-	h = middleware.AuthHTTP("http_", h, s.OAuth2provider, s.JWTProvider, s.AuthOption)
+	h = auth.Middelware(h, s.Authorizers...)
 	h = middleware.HTTPContextWrapper(h, s.ContextWrap)
 	h = middleware.HTTPSession(h, s.SessionManager)
 	h = middleware.RealIP(h)