golang-saas-starter-kit/internal/mid/auth.go

package mid

import (
	"context"
	"net/http"
	"strings"

	"geeks-accelerator/oss/saas-starter-kit/internal/platform/auth"
	"geeks-accelerator/oss/saas-starter-kit/internal/platform/web"
	"geeks-accelerator/oss/saas-starter-kit/internal/platform/web/webcontext"
	"geeks-accelerator/oss/saas-starter-kit/internal/platform/web/weberror"
	"github.com/pkg/errors"
	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
)

// ErrorForbidden is returned when an authenticated user does not have a
// sufficient role for an action.
func ErrorForbidden(ctx context.Context) error {
	return weberror.NewError(ctx,
		errors.New("you are not authorized for that action"),
		http.StatusForbidden,
	)
}

// Authenticate validates a JWT from the `Authorization` header.
func AuthenticateHeader(authenticator *auth.Authenticator) web.Middleware {

	// This is the actual middleware function to be executed.
	f := func(after web.Handler) web.Handler {

		// Wrap this handler around the next one provided.
		h := func(ctx context.Context, w http.ResponseWriter, r *http.Request, params map[string]string) error {
			span, ctx := tracer.StartSpanFromContext(ctx, "internal.mid.AuthenticateHeader")
			defer span.Finish()

			m := func() error {

				authHdr := r.Header.Get("Authorization")
				if authHdr == "" {
					err := errors.New("missing Authorization header")
					return weberror.NewError(ctx, err, http.StatusUnauthorized)
				}

				tknStr, err := parseAuthHeader(authHdr)
				if err != nil {
					return weberror.NewError(ctx, err, http.StatusUnauthorized)
				}

				claims, err := authenticator.ParseClaims(tknStr)
				if err != nil {
					return weberror.NewError(ctx, err, http.StatusUnauthorized)
				}

				// Add claims to the context so they can be retrieved later.
				ctx = context.WithValue(ctx, auth.Key, claims)

				return nil
			}

			if err := m(); err != nil {
				if web.RequestIsJson(r) {
					return web.RespondJsonError(ctx, w, err)
				}
				return err
			}

			return after(ctx, w, r, params)
		}

		return h
	}

	return f
}

// AuthenticateSessionRequired requires a JWT access token to be loaded from the session.
func AuthenticateSessionRequired(authenticator *auth.Authenticator) web.Middleware {
	return authenticateSession(authenticator, true)
}

// AuthenticateSessionOptional loads a JWT access token from the session if it exists.
func AuthenticateSessionOptional(authenticator *auth.Authenticator) web.Middleware {
	return authenticateSession(authenticator, false)
}

// authenticateSession validates a JWT by the loading the access token from the session.
func authenticateSession(authenticator *auth.Authenticator, required bool) web.Middleware {

	// This is the actual middleware function to be executed.
	f := func(after web.Handler) web.Handler {

		// Wrap this handler around the next one provided.
		h := func(ctx context.Context, w http.ResponseWriter, r *http.Request, params map[string]string) error {
			span, ctx := tracer.StartSpanFromContext(ctx, "internal.mid.AuthenticateSession")
			defer span.Finish()

			m := func() error {
				tknStr, ok := webcontext.ContextAccessToken(ctx)
				if !ok || tknStr == "" {
					if required {
						err := errors.New("missing AccessToken from session")
						return weberror.NewError(ctx, err, http.StatusUnauthorized)
					} else {
						return nil
					}
				}

				claims, err := authenticator.ParseClaims(tknStr)
				if err != nil {
					if required {
						return weberror.NewError(ctx, err, http.StatusUnauthorized)
					} else {
						return nil
					}
				}

				// Add claims to the context so they can be retrieved later.
				ctx = context.WithValue(ctx, auth.Key, claims)

				return nil
			}

			if err := m(); err != nil {
				if web.RequestIsJson(r) {
					return web.RespondJsonError(ctx, w, err)
				}
				return err
			}

			return after(ctx, w, r, params)
		}

		return h
	}

	return f
}

// HasAuth validates the current user is an authenticated user,
func HasAuth() web.Middleware {

	// This is the actual middleware function to be executed.
	f := func(after web.Handler) web.Handler {

		h := func(ctx context.Context, w http.ResponseWriter, r *http.Request, params map[string]string) error {
			span, ctx := tracer.StartSpanFromContext(ctx, "internal.mid.HasAuth")
			defer span.Finish()

			m := func() error {
				claims, err := auth.ClaimsFromContext(ctx)
				if err != nil {
					return err
				}

				if !claims.HasAuth() {
					return ErrorForbidden(ctx)
				}

				return nil
			}

			if err := m(); err != nil {
				if web.RequestIsJson(r) {
					return web.RespondJsonError(ctx, w, err)
				}
				return err
			}

			return after(ctx, w, r, params)
		}

		return h
	}

	return f
}

// HasRole validates that an authenticated user has at least one role from a
// specified list. This method constructs the actual function that is used.
func HasRole(roles ...string) web.Middleware {

	// This is the actual middleware function to be executed.
	f := func(after web.Handler) web.Handler {

		h := func(ctx context.Context, w http.ResponseWriter, r *http.Request, params map[string]string) error {
			span, ctx := tracer.StartSpanFromContext(ctx, "internal.mid.HasRole")
			defer span.Finish()

			m := func() error {
				claims, err := auth.ClaimsFromContext(ctx)
				if err != nil {
					return err
				}

				if !claims.HasRole(roles...) {
					return ErrorForbidden(ctx)
				}

				return nil
			}

			if err := m(); err != nil {
				if web.RequestIsJson(r) {
					return web.RespondJsonError(ctx, w, err)
				}
				return err
			}

			return after(ctx, w, r, params)
		}

		return h
	}

	return f
}

// parseAuthHeader parses an authorization header. Expected header is of
// the format `Bearer <token>`.
func parseAuthHeader(bearerStr string) (string, error) {
	split := strings.Split(bearerStr, " ")
	if len(split) != 2 || strings.ToLower(split[0]) != "bearer" {
		return "", errors.New("Expected Authorization header format: Bearer <token>")
	}

	return split[1], nil
}
Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00			`package mid`

			`import (`
			`"context"`
			`"net/http"`
			`"strings"`

Completed removing example-project directory and moving all files back a a directory 2019-07-13 12:16:28 -08:00			`"geeks-accelerator/oss/saas-starter-kit/internal/platform/auth"`
			`"geeks-accelerator/oss/saas-starter-kit/internal/platform/web"`
Completed user login with session authentication 2019-07-31 18:34:27 -08:00			`"geeks-accelerator/oss/saas-starter-kit/internal/platform/web/webcontext"`
			`"geeks-accelerator/oss/saas-starter-kit/internal/platform/web/weberror"`
Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00			`"github.com/pkg/errors"`
completed schema migration 2019-05-25 08:26:37 -05:00			`"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"`
Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00			`)`

issue#16 web-app account signup Account signup works with validation and translations. 2019-07-31 13:47:30 -08:00			`// ErrorForbidden is returned when an authenticated user does not have a`
Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00			`// sufficient role for an action.`
issue#16 web-app account signup Account signup works with validation and translations. 2019-07-31 13:47:30 -08:00			`func ErrorForbidden(ctx context.Context) error {`
			`return weberror.NewError(ctx,`
			`errors.New("you are not authorized for that action"),`
			`http.StatusForbidden,`
			`)`
			`}`
Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00
			// Authenticate validates a JWT from the `Authorization` header.
Completed user login with session authentication 2019-07-31 18:34:27 -08:00			`func AuthenticateHeader(authenticator *auth.Authenticator) web.Middleware {`
Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00
			`// This is the actual middleware function to be executed.`
			`f := func(after web.Handler) web.Handler {`

			`// Wrap this handler around the next one provided.`
			`h := func(ctx context.Context, w http.ResponseWriter, r *http.Request, params map[string]string) error {`
Completed user login with session authentication 2019-07-31 18:34:27 -08:00			`span, ctx := tracer.StartSpanFromContext(ctx, "internal.mid.AuthenticateHeader")`
update tracing, fixed docker-compose and removed vendor dir 2019-05-23 19:40:29 -05:00			`defer span.Finish()`
Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00
checkpoint 2019-06-26 20:21:00 -08:00			`m := func() error {`
Completed user login with session authentication 2019-07-31 18:34:27 -08:00
checkpoint 2019-06-26 20:21:00 -08:00			`authHdr := r.Header.Get("Authorization")`
			`if authHdr == "" {`
			`err := errors.New("missing Authorization header")`
issue#16 web-app account signup Account signup works with validation and translations. 2019-07-31 13:47:30 -08:00			`return weberror.NewError(ctx, err, http.StatusUnauthorized)`
checkpoint 2019-06-26 20:21:00 -08:00			`}`

			`tknStr, err := parseAuthHeader(authHdr)`
			`if err != nil {`
issue#16 web-app account signup Account signup works with validation and translations. 2019-07-31 13:47:30 -08:00			`return weberror.NewError(ctx, err, http.StatusUnauthorized)`
checkpoint 2019-06-26 20:21:00 -08:00			`}`

			`claims, err := authenticator.ParseClaims(tknStr)`
			`if err != nil {`
issue#16 web-app account signup Account signup works with validation and translations. 2019-07-31 13:47:30 -08:00			`return weberror.NewError(ctx, err, http.StatusUnauthorized)`
checkpoint 2019-06-26 20:21:00 -08:00			`}`

			`// Add claims to the context so they can be retrieved later.`
			`ctx = context.WithValue(ctx, auth.Key, claims)`

			`return nil`
Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00			`}`

checkpoint 2019-06-26 20:21:00 -08:00			`if err := m(); err != nil {`
			`if web.RequestIsJson(r) {`
			`return web.RespondJsonError(ctx, w, err)`
			`}`
			`return err`
Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00			`}`

			`return after(ctx, w, r, params)`
			`}`

			`return h`
			`}`

			`return f`
			`}`

Completed user login with session authentication 2019-07-31 18:34:27 -08:00			`// AuthenticateSessionRequired requires a JWT access token to be loaded from the session.`
			`func AuthenticateSessionRequired(authenticator *auth.Authenticator) web.Middleware {`
			`return authenticateSession(authenticator, true)`
			`}`

			`// AuthenticateSessionOptional loads a JWT access token from the session if it exists.`
			`func AuthenticateSessionOptional(authenticator *auth.Authenticator) web.Middleware {`
			`return authenticateSession(authenticator, false)`
			`}`

			`// authenticateSession validates a JWT by the loading the access token from the session.`
			`func authenticateSession(authenticator *auth.Authenticator, required bool) web.Middleware {`

			`// This is the actual middleware function to be executed.`
			`f := func(after web.Handler) web.Handler {`

			`// Wrap this handler around the next one provided.`
			`h := func(ctx context.Context, w http.ResponseWriter, r *http.Request, params map[string]string) error {`
			`span, ctx := tracer.StartSpanFromContext(ctx, "internal.mid.AuthenticateSession")`
			`defer span.Finish()`

			`m := func() error {`
			`tknStr, ok := webcontext.ContextAccessToken(ctx)`
			`if !ok \|\| tknStr == "" {`
			`if required {`
			`err := errors.New("missing AccessToken from session")`
			`return weberror.NewError(ctx, err, http.StatusUnauthorized)`
			`} else {`
			`return nil`
			`}`
			`}`

			`claims, err := authenticator.ParseClaims(tknStr)`
			`if err != nil {`
fix optional auth for middleware in session 2019-08-12 12:48:06 -08:00			`if required {`
			`return weberror.NewError(ctx, err, http.StatusUnauthorized)`
			`} else {`
			`return nil`
			`}`
Completed user login with session authentication 2019-07-31 18:34:27 -08:00			`}`

			`// Add claims to the context so they can be retrieved later.`
			`ctx = context.WithValue(ctx, auth.Key, claims)`

			`return nil`
			`}`

			`if err := m(); err != nil {`
			`if web.RequestIsJson(r) {`
			`return web.RespondJsonError(ctx, w, err)`
			`}`
			`return err`
			`}`

			`return after(ctx, w, r, params)`
			`}`

			`return h`
			`}`

			`return f`
			`}`

issue#16 web-app account signup Account signup works with validation and translations. 2019-07-31 13:47:30 -08:00			`// HasAuth validates the current user is an authenticated user,`
			`func HasAuth() web.Middleware {`

			`// This is the actual middleware function to be executed.`
			`f := func(after web.Handler) web.Handler {`

			`h := func(ctx context.Context, w http.ResponseWriter, r *http.Request, params map[string]string) error {`
			`span, ctx := tracer.StartSpanFromContext(ctx, "internal.mid.HasAuth")`
			`defer span.Finish()`

			`m := func() error {`
			`claims, err := auth.ClaimsFromContext(ctx)`
			`if err != nil {`
			`return err`
			`}`

			`if !claims.HasAuth() {`
			`return ErrorForbidden(ctx)`
			`}`

			`return nil`
			`}`

			`if err := m(); err != nil {`
			`if web.RequestIsJson(r) {`
			`return web.RespondJsonError(ctx, w, err)`
			`}`
			`return err`
			`}`

			`return after(ctx, w, r, params)`
			`}`

			`return h`
			`}`

			`return f`
			`}`

Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00			`// HasRole validates that an authenticated user has at least one role from a`
			`// specified list. This method constructs the actual function that is used.`
			`func HasRole(roles ...string) web.Middleware {`

			`// This is the actual middleware function to be executed.`
			`f := func(after web.Handler) web.Handler {`

			`h := func(ctx context.Context, w http.ResponseWriter, r *http.Request, params map[string]string) error {`
update tracing, fixed docker-compose and removed vendor dir 2019-05-23 19:40:29 -05:00			`span, ctx := tracer.StartSpanFromContext(ctx, "internal.mid.HasRole")`
			`defer span.Finish()`
Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00
checkpoint 2019-06-26 20:21:00 -08:00			`m := func() error {`
issue#16 web-app account signup Account signup works with validation and translations. 2019-07-31 13:47:30 -08:00			`claims, err := auth.ClaimsFromContext(ctx)`
			`if err != nil {`
			`return err`
checkpoint 2019-06-26 20:21:00 -08:00			`}`

			`if !claims.HasRole(roles...) {`
issue#16 web-app account signup Account signup works with validation and translations. 2019-07-31 13:47:30 -08:00			`return ErrorForbidden(ctx)`
checkpoint 2019-06-26 20:21:00 -08:00			`}`

			`return nil`
Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00			`}`

checkpoint 2019-06-26 20:21:00 -08:00			`if err := m(); err != nil {`
			`if web.RequestIsJson(r) {`
			`return web.RespondJsonError(ctx, w, err)`
			`}`
			`return err`
Imported github.com/ardanlabs/service as base example project 2019-05-16 10:39:25 -04:00			`}`

			`return after(ctx, w, r, params)`
			`}`

			`return h`
			`}`

			`return f`
			`}`

			`// parseAuthHeader parses an authorization header. Expected header is of`
			// the format `Bearer <token>`.
			`func parseAuthHeader(bearerStr string) (string, error) {`
			`split := strings.Split(bearerStr, " ")`
			`if len(split) != 2 \|\| strings.ToLower(split[0]) != "bearer" {`
			`return "", errors.New("Expected Authorization header format: Bearer <token>")`
			`}`

			`return split[1], nil`
			`}`