117 lines
3.4 KiB
Go
117 lines
3.4 KiB
Go
package server
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/auth"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/seal"
|
|
)
|
|
|
|
type contextKey string
|
|
|
|
const tokenInfoKey contextKey = "tokenInfo"
|
|
|
|
// TokenInfoFromContext extracts the validated token info from the request context.
|
|
func TokenInfoFromContext(ctx context.Context) *auth.TokenInfo {
|
|
info, _ := ctx.Value(tokenInfoKey).(*auth.TokenInfo)
|
|
return info
|
|
}
|
|
|
|
// loggingMiddleware logs HTTP requests, stripping sensitive headers.
|
|
func (s *Server) loggingMiddleware(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
start := time.Now()
|
|
sw := &statusWriter{ResponseWriter: w, status: 200}
|
|
next.ServeHTTP(sw, r)
|
|
s.logger.Info("http request",
|
|
"method", r.Method,
|
|
"path", r.URL.Path,
|
|
"status", sw.status,
|
|
"duration", time.Since(start),
|
|
"remote", r.RemoteAddr,
|
|
)
|
|
})
|
|
}
|
|
|
|
// requireUnseal rejects requests unless the service is unsealed.
|
|
func (s *Server) requireUnseal(next http.HandlerFunc) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
state := s.seal.State()
|
|
switch state {
|
|
case seal.StateUninitialized:
|
|
s.logger.Debug("request rejected: service uninitialized", "path", r.URL.Path)
|
|
http.Error(w, `{"error":"not initialized"}`, http.StatusPreconditionFailed)
|
|
return
|
|
case seal.StateSealed, seal.StateInitializing:
|
|
s.logger.Debug("request rejected: service sealed", "path", r.URL.Path)
|
|
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
next(w, r)
|
|
}
|
|
}
|
|
|
|
// requireAuth validates the bearer token and injects TokenInfo into context.
|
|
func (s *Server) requireAuth(next http.HandlerFunc) http.HandlerFunc {
|
|
return s.requireUnseal(func(w http.ResponseWriter, r *http.Request) {
|
|
token := extractToken(r)
|
|
if token == "" {
|
|
s.logger.Debug("request rejected: missing token", "path", r.URL.Path)
|
|
http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
info, err := s.auth.ValidateToken(token)
|
|
if err != nil {
|
|
s.logger.Debug("request rejected: invalid token", "path", r.URL.Path, "error", err)
|
|
http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
s.logger.Debug("request authenticated", "path", r.URL.Path, "username", info.Username)
|
|
ctx := context.WithValue(r.Context(), tokenInfoKey, info)
|
|
next(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
|
|
// requireAdmin requires the authenticated user to have admin role.
|
|
func (s *Server) requireAdmin(next http.HandlerFunc) http.HandlerFunc {
|
|
return s.requireAuth(func(w http.ResponseWriter, r *http.Request) {
|
|
info := TokenInfoFromContext(r.Context())
|
|
if info == nil || !info.IsAdmin {
|
|
s.logger.Debug("request rejected: admin required", "path", r.URL.Path)
|
|
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
|
|
return
|
|
}
|
|
s.logger.Debug("admin request authorized", "path", r.URL.Path, "username", info.Username)
|
|
next(w, r)
|
|
})
|
|
}
|
|
|
|
func extractToken(r *http.Request) string {
|
|
// Check Authorization header first.
|
|
authHeader := r.Header.Get("Authorization")
|
|
if strings.HasPrefix(authHeader, "Bearer ") {
|
|
return strings.TrimPrefix(authHeader, "Bearer ")
|
|
}
|
|
// Fall back to cookie.
|
|
cookie, err := r.Cookie("metacrypt_token")
|
|
if err == nil {
|
|
return cookie.Value
|
|
}
|
|
return ""
|
|
}
|
|
|
|
type statusWriter struct {
|
|
http.ResponseWriter
|
|
status int
|
|
}
|
|
|
|
func (w *statusWriter) WriteHeader(code int) {
|
|
w.status = code
|
|
w.ResponseWriter.WriteHeader(code)
|
|
}
|