66 lines
1.8 KiB
Go
66 lines
1.8 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/Wikid82/charon/backend/internal/services"
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
func AuthMiddleware(authService *services.AuthService) gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
authHeader := c.GetHeader("Authorization")
|
|
|
|
if authHeader == "" {
|
|
// Try cookie first for browser flows (including WebSocket upgrades)
|
|
if cookie, err := c.Cookie("auth_token"); err == nil && cookie != "" {
|
|
authHeader = "Bearer " + cookie
|
|
}
|
|
}
|
|
|
|
// DEPRECATED: Query parameter authentication for WebSocket connections
|
|
// This fallback exists only for backward compatibility and will be removed in a future version.
|
|
// Query parameters are logged in access logs and should not be used for sensitive data.
|
|
// Use HttpOnly cookies instead, which are automatically sent by browsers and not logged.
|
|
if authHeader == "" {
|
|
if token := c.Query("token"); token != "" {
|
|
authHeader = "Bearer " + token
|
|
}
|
|
}
|
|
|
|
if authHeader == "" {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Authorization header required"})
|
|
return
|
|
}
|
|
|
|
tokenString := strings.TrimPrefix(authHeader, "Bearer ")
|
|
claims, err := authService.ValidateToken(tokenString)
|
|
if err != nil {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Invalid token"})
|
|
return
|
|
}
|
|
|
|
c.Set("userID", claims.UserID)
|
|
c.Set("role", claims.Role)
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
func RequireRole(role string) gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
userRole, exists := c.Get("role")
|
|
if !exists {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Unauthorized"})
|
|
return
|
|
}
|
|
|
|
if userRole.(string) != role && userRole.(string) != "admin" {
|
|
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "Forbidden"})
|
|
return
|
|
}
|
|
|
|
c.Next()
|
|
}
|
|
}
|