95 lines
2.5 KiB
Go
95 lines
2.5 KiB
Go
package middleware
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"rideaware/internal/config"
|
|
)
|
|
|
|
const UserContextKey = "user"
|
|
|
|
type AuthMiddleware struct{}
|
|
|
|
func NewAuthMiddleware() *AuthMiddleware {
|
|
return &AuthMiddleware{}
|
|
}
|
|
|
|
// RequireRole returns middleware that checks for a specific user role.
|
|
// It must be used after ProtectedRoute (or any middleware that sets the user context).
|
|
func (am *AuthMiddleware) RequireRole(role string) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
claims, ok := r.Context().Value(UserContextKey).(*config.CustomClaims)
|
|
if !ok || claims == nil {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
json.NewEncoder(w).Encode(map[string]string{
|
|
"error": "unauthorized",
|
|
})
|
|
return
|
|
}
|
|
|
|
if claims.Role != role {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusForbidden)
|
|
json.NewEncoder(w).Encode(map[string]string{
|
|
"error": "insufficient permissions",
|
|
})
|
|
return
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
func (am *AuthMiddleware) ProtectedRoute(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
authHeader := r.Header.Get("Authorization")
|
|
if authHeader == "" {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
json.NewEncoder(w).Encode(map[string]string{
|
|
"error": "missing authorization header",
|
|
})
|
|
return
|
|
}
|
|
|
|
parts := strings.SplitN(authHeader, " ", 2)
|
|
if len(parts) != 2 || parts[0] != "Bearer" {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
json.NewEncoder(w).Encode(map[string]string{
|
|
"error": "invalid authorization header format",
|
|
})
|
|
return
|
|
}
|
|
|
|
token := parts[1]
|
|
claims, err := config.VerifyToken(token)
|
|
if err != nil {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
json.NewEncoder(w).Encode(map[string]string{
|
|
"error": "invalid or expired token",
|
|
})
|
|
return
|
|
}
|
|
|
|
if claims.TokenType != "access" {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
json.NewEncoder(w).Encode(map[string]string{
|
|
"error": "refresh token cannot be used for access",
|
|
})
|
|
return
|
|
}
|
|
|
|
ctx := context.WithValue(r.Context(), UserContextKey, claims)
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|