akanealw
eec8c28fb3
Some checks failed
Go Benchmark / Performance Regression Check (push) Has been cancelled
Cerberus Integration / Cerberus Security Stack Integration (push) Has been cancelled
Upload Coverage to Codecov / Backend Codecov Upload (push) Has been cancelled
Upload Coverage to Codecov / Frontend Codecov Upload (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (go) (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Has been cancelled
CrowdSec Integration / CrowdSec Bouncer Integration (push) Has been cancelled
Docker Build, Publish & Test / build-and-push (push) Has been cancelled
Quality Checks / Auth Route Protection Contract (push) Has been cancelled
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Has been cancelled
Quality Checks / Backend (Go) (push) Has been cancelled
Quality Checks / Frontend (React) (push) Has been cancelled
Rate Limit integration / Rate Limiting Integration (push) Has been cancelled
Security Scan (PR) / Trivy Binary Scan (push) Has been cancelled
Supply Chain Verification (PR) / Verify Supply Chain (push) Has been cancelled
WAF integration / Coraza WAF Integration (push) Has been cancelled
Docker Build, Publish & Test / Security Scan PR Image (push) Has been cancelled
Repo Health Check / Repo health (push) Has been cancelled
History Rewrite Dry-Run / Dry-run preview for history rewrite (push) Has been cancelled
Prune Renovate Branches / prune (push) Has been cancelled
Renovate / renovate (push) Has been cancelled
Nightly Build & Package / sync-development-to-nightly (push) Has been cancelled
Nightly Build & Package / Trigger Nightly Validation Workflows (push) Has been cancelled
Nightly Build & Package / build-and-push-nightly (push) Has been cancelled
Nightly Build & Package / test-nightly-image (push) Has been cancelled
Nightly Build & Package / verify-nightly-supply-chain (push) Has been cancelled
126 lines
3.0 KiB
Go
Executable File
126 lines
3.0 KiB
Go
Executable File
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/Wikid82/charon/backend/internal/models"
|
|
"github.com/Wikid82/charon/backend/internal/services"
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
func AuthMiddleware(authService *services.AuthService) gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
if bypass, exists := c.Get("emergency_bypass"); exists {
|
|
if bypassActive, ok := bypass.(bool); ok && bypassActive {
|
|
c.Set("role", "admin")
|
|
c.Set("userID", uint(0))
|
|
c.Next()
|
|
return
|
|
}
|
|
}
|
|
|
|
if authService == nil {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Authorization header required"})
|
|
return
|
|
}
|
|
|
|
tokenString, ok := extractAuthToken(c)
|
|
if !ok {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Authorization header required"})
|
|
return
|
|
}
|
|
|
|
user, _, err := authService.AuthenticateToken(tokenString)
|
|
if err != nil {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Invalid token"})
|
|
return
|
|
}
|
|
|
|
c.Set("userID", user.ID)
|
|
c.Set("role", string(user.Role))
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
func extractAuthToken(c *gin.Context) (string, bool) {
|
|
authHeader := c.GetHeader("Authorization")
|
|
|
|
// Fall back to cookie for browser flows (including WebSocket upgrades)
|
|
if authHeader == "" {
|
|
if cookieToken := extractAuthCookieToken(c); cookieToken != "" {
|
|
authHeader = "Bearer " + cookieToken
|
|
}
|
|
}
|
|
|
|
// DEPRECATED: Query parameter authentication for WebSocket connections
|
|
// This fallback exists only for backward compatibility and will be removed in a future version.
|
|
// Query parameters are logged in access logs and should not be used for sensitive data.
|
|
// Use HttpOnly cookies instead, which are automatically sent by browsers and not logged.
|
|
if authHeader == "" {
|
|
if token := c.Query("token"); token != "" {
|
|
authHeader = "Bearer " + token
|
|
}
|
|
}
|
|
|
|
if authHeader == "" {
|
|
return "", false
|
|
}
|
|
|
|
tokenString := strings.TrimPrefix(authHeader, "Bearer ")
|
|
if tokenString == "" {
|
|
return "", false
|
|
}
|
|
|
|
return tokenString, true
|
|
}
|
|
|
|
func extractAuthCookieToken(c *gin.Context) string {
|
|
if c.Request == nil {
|
|
return ""
|
|
}
|
|
|
|
token := ""
|
|
for _, cookie := range c.Request.Cookies() {
|
|
if cookie.Name != "auth_token" {
|
|
continue
|
|
}
|
|
|
|
if cookie.Value == "" {
|
|
continue
|
|
}
|
|
|
|
token = cookie.Value
|
|
}
|
|
|
|
return token
|
|
}
|
|
|
|
func RequireRole(role models.UserRole) gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
userRole := c.GetString("role")
|
|
if userRole == "" {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Unauthorized"})
|
|
return
|
|
}
|
|
|
|
if userRole != string(role) && userRole != string(models.RoleAdmin) {
|
|
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "Forbidden"})
|
|
return
|
|
}
|
|
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
func RequireManagementAccess() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
role := c.GetString("role")
|
|
if role == string(models.RolePassthrough) {
|
|
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "Pass-through users cannot access management features"})
|
|
return
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|