Kyle Isom
bbe382dc10
All import paths updated to git.wntrmute.dev/mc/. Bumps mcdsl to v1.2.0. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
91 lines
2.8 KiB
Go
91 lines
2.8 KiB
Go
package server
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"git.wntrmute.dev/mc/metacrypt/internal/auth"
|
|
"git.wntrmute.dev/mc/metacrypt/internal/seal"
|
|
)
|
|
|
|
type contextKey string
|
|
|
|
const tokenInfoKey contextKey = "tokenInfo"
|
|
|
|
// TokenInfoFromContext extracts the validated token info from the request context.
|
|
func TokenInfoFromContext(ctx context.Context) *auth.TokenInfo {
|
|
info, _ := ctx.Value(tokenInfoKey).(*auth.TokenInfo)
|
|
return info
|
|
}
|
|
|
|
// requireUnseal rejects requests unless the service is unsealed.
|
|
func (s *Server) requireUnseal(next http.HandlerFunc) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
state := s.seal.State()
|
|
switch state {
|
|
case seal.StateUninitialized:
|
|
s.logger.Debug("request rejected: service uninitialized", "path", r.URL.Path)
|
|
http.Error(w, `{"error":"not initialized"}`, http.StatusPreconditionFailed)
|
|
return
|
|
case seal.StateSealed, seal.StateInitializing:
|
|
s.logger.Debug("request rejected: service sealed", "path", r.URL.Path)
|
|
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
next(w, r)
|
|
}
|
|
}
|
|
|
|
// requireAuth validates the bearer token and injects TokenInfo into context.
|
|
func (s *Server) requireAuth(next http.HandlerFunc) http.HandlerFunc {
|
|
return s.requireUnseal(func(w http.ResponseWriter, r *http.Request) {
|
|
token := extractToken(r)
|
|
if token == "" {
|
|
s.logger.Debug("request rejected: missing token", "path", r.URL.Path)
|
|
http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
info, err := s.auth.ValidateToken(token)
|
|
if err != nil {
|
|
s.logger.Debug("request rejected: invalid token", "path", r.URL.Path, "error", err)
|
|
http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
s.logger.Debug("request authenticated", "path", r.URL.Path, "username", info.Username)
|
|
ctx := context.WithValue(r.Context(), tokenInfoKey, info)
|
|
next(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
|
|
// requireAdmin requires the authenticated user to have admin role.
|
|
func (s *Server) requireAdmin(next http.HandlerFunc) http.HandlerFunc {
|
|
return s.requireAuth(func(w http.ResponseWriter, r *http.Request) {
|
|
info := TokenInfoFromContext(r.Context())
|
|
if info == nil || !info.IsAdmin {
|
|
s.logger.Debug("request rejected: admin required", "path", r.URL.Path)
|
|
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
|
|
return
|
|
}
|
|
s.logger.Debug("admin request authorized", "path", r.URL.Path, "username", info.Username)
|
|
next(w, r)
|
|
})
|
|
}
|
|
|
|
func extractToken(r *http.Request) string {
|
|
// Check Authorization header first.
|
|
authHeader := r.Header.Get("Authorization")
|
|
if strings.HasPrefix(authHeader, "Bearer ") {
|
|
return strings.TrimPrefix(authHeader, "Bearer ")
|
|
}
|
|
// Fall back to cookie.
|
|
cookie, err := r.Cookie("metacrypt_token")
|
|
if err == nil {
|
|
return cookie.Value
|
|
}
|
|
return ""
|
|
}
|
|
|