69 lines
1.7 KiB
Go
69 lines
1.7 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"errors"
|
|
"log"
|
|
"net/http"
|
|
"regexp"
|
|
|
|
"github.com/viktorstrate/photoview/api/graphql/models"
|
|
)
|
|
|
|
var ErrUnauthorized = errors.New("unauthorized")
|
|
|
|
// A private key for context that only this package can access. This is important
|
|
// to prevent collisions between different context uses
|
|
var userCtxKey = &contextKey{"user"}
|
|
|
|
type contextKey struct {
|
|
name string
|
|
}
|
|
|
|
// Middleware decodes the share session cookie and packs the session into context
|
|
func Middleware(db *sql.DB) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
bearer := r.Header.Get("Authorization")
|
|
if bearer == "" {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
regex, _ := regexp.Compile("^Bearer ([a-zA-Z0-9]{24})$")
|
|
matches := regex.FindStringSubmatch(bearer)
|
|
if len(matches) != 2 {
|
|
http.Error(w, "Invalid authorization header format", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
token := matches[1]
|
|
log.Printf("Access token: %s\n", token)
|
|
|
|
user, err := models.VerifyTokenAndGetUser(db, token)
|
|
if err != nil {
|
|
log.Printf("Invalid token")
|
|
http.Error(w, "Invalid authorization token", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
log.Printf("Found user '%s', from token\n", user.Username)
|
|
|
|
// put it in context
|
|
ctx := context.WithValue(r.Context(), userCtxKey, user)
|
|
|
|
// and call the next with our new context
|
|
r = r.WithContext(ctx)
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
// UserFromContext finds the user from the context. REQUIRES Middleware to have run.
|
|
func UserFromContext(ctx context.Context) *models.User {
|
|
raw, _ := ctx.Value(userCtxKey).(*models.User)
|
|
return raw
|
|
}
|