Junie: fix token authentication
51
api/auth.go
51
api/auth.go
@@ -91,15 +91,17 @@ func (s *Server) handleTokenLogin(w http.ResponseWriter, r *http.Request) {
return
}
userID, err := s.verifyToken(req.Login.User, req.Login.Token)
// Verify the token is valid
_, err := s.verifyToken(req.Login.User, req.Login.Token)
if err != nil {
s.sendError(w, "Invalid or expired token", http.StatusUnauthorized)
return
}
token, expires, err := s.createToken(userID)
// Renew the existing token instead of creating a new one
expires, err := s.renewToken(req.Login.User, req.Login.Token)
if err != nil {
s.Logger.Printf("Token creation error: %v", err)
s.Logger.Printf("Token renewal error: %v", err)
s.sendError(w, "Internal server error", http.StatusInternalServerError)
return
}
@@ -107,7 +109,7 @@ func (s *Server) handleTokenLogin(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
if err := json.NewEncoder(w).Encode(TokenResponse{
Token: token,
Token: req.Login.Token,
Expires: expires,
}); err != nil {
s.Logger.Printf("Error encoding response: %v", err)
@@ -190,6 +192,30 @@ func (s *Server) verifyToken(username, token string) (string, error) {
return userID, nil
}
func (s *Server) renewToken(username, token string) (int64, error) {
// First, verify the token exists and get the token ID
query := `
SELECT t.id FROM tokens t
JOIN users u ON t.uid = u.id
WHERE u.user = ? AND t.token = ?
`
var tokenID string
err := s.DB.QueryRow(query, username, token).Scan(&tokenID)
if err != nil {
return 0, err
}
// Update the token's expiry time
expires := time.Now().Add(24 * time.Hour).Unix()
updateQuery := `UPDATE tokens SET expires = ? WHERE id = ?`
_, err = s.DB.Exec(updateQuery, expires, tokenID)
if err != nil {
return 0, err
}
return expires, nil
}
func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Request) {
// Extract authorization header
authHeader := r.Header.Get("Authorization")
@@ -219,7 +245,7 @@ func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Reques
return
}
// Check if user has admin role
// Check if user has permission to read database credentials
user, err := s.getUserByUsername(username)
if err != nil {
s.Logger.Printf("Database error: %v", err)
@@ -227,16 +253,15 @@ func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Reques
return
}
hasAdminRole := false
for _, role := range user.Roles {
if role == "admin" {
hasAdminRole = true
break
}
hasPermission, err := user.HasPermission(s.Auth, "database_credentials", "read")
if err != nil {
s.Logger.Printf("Permission check error: %v", err)
s.sendError(w, "Internal server error", http.StatusInternalServerError)
return
}
if !hasAdminRole {
s.sendError(w, "Insufficient permissions", http.StatusForbidden)
if !hasPermission {
s.sendError(w, "Insufficient permissions: requires database_credentials:read permission", http.StatusForbidden)
return
}
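Review bot: renewToken, added in the third hunk, SELECTs the row and then UPDATEs it by id while discarding the Exec result, so a token deleted or revoked between the two statements still yields a success response with a fresh Expires, and neither statement carries an `expires > now` condition, leaving any expiry check solely to verifyToken, whose body is outside the hunk. Collapsing both into one UPDATE that matches only an unexpired row and treating zero rows affected as a failure closes that window and saves a round trip; returning `sql.ErrNoRows` on zero rows keeps the error the Scan path produces today, assuming s.DB is a *sql.DB and the dialect accepts a subquery in WHERE (the `?` placeholders suggest it does). Separately, the first hunk stops rotating the token value — handleTokenLogin now echoes `req.Login.Token` with only a renewed expiry — so a token that keeps being re-presented never reaches an end of life; if a sliding window is intended, that decision and any absolute cap should be stated in a comment on renewToken, and the `24 * time.Hour` literal presumably duplicates the lifetime used by createToken and would be better as a shared named constant.
```go
func (s *Server) renewToken(username, token string) (int64, error) {
	now := time.Now()
	expires := now.Add(24 * time.Hour).Unix()
	// One statement: only an existing, unexpired token for this user is
	// renewed, and the affected-row count is the proof that one was.
	res, err := s.DB.Exec(
		`UPDATE tokens SET expires = ? WHERE token = ? AND expires > ? AND uid = (SELECT id FROM users WHERE user = ?)`,
		expires, token, now.Unix(), username)
	if err != nil {
		return 0, err
	}
	n, err := res.RowsAffected()
	if err != nil {
		return 0, err
	}
	if n == 0 {
		// Same error the former QueryRow(...).Scan path returned for an unknown token.
		return 0, sql.ErrNoRows
	}
	return expires, nil
}
```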