package middleware
import (
|
|
"net/http"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
|
|
accountModels "goaresv3/app/accounts/models"
|
|
"goaresv3/config"
|
|
jwtHelper "goaresv3/pkg/jwt"
|
|
)
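// AuthRequired validates the Bearer access token and injects claims into context.
//
// The handler aborts with 401 when the Authorization header is missing, does
// not start with the "Bearer " scheme, carries an empty token, or the token is
// rejected by jwtHelper.ValidateToken. It aborts with 500 when JWT_SECRET is
// unset, so a misconfigured deployment fails closed instead of handing an empty
// signing key to the validator. On success it stores user_id, email and
// username from the claims in the gin context and calls c.Next().
func AuthRequired() gin.HandlerFunc {
	return func(c *gin.Context) {
		header := c.GetHeader("Authorization")
		// The scheme match is case-sensitive and requires exactly "Bearer ".
		if !strings.HasPrefix(header, "Bearer ") {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "authorization header missing or malformed"})
			return
		}

		tokenStr := strings.TrimPrefix(header, "Bearer ")
		// "Bearer " with nothing after it is malformed; reject before touching the validator.
		if tokenStr == "" {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "authorization header missing or malformed"})
			return
		}

		// Fail closed: an unset secret must not be used as a signing key.
		secret := os.Getenv("JWT_SECRET")
		if secret == "" {
			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "server misconfiguration"})
			return
		}

		claims, err := jwtHelper.ValidateToken(tokenStr, secret)
		if err != nil {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid or expired access token"})
			return
		}

		// NOTE(review): AdminRequired reads this key via c.GetUint, which only
		// yields a non-zero value when claims.UserID is stored as a uint — confirm
		// the claims type in jwtHelper.
		c.Set("user_id", claims.UserID)
		c.Set("email", claims.Email)
		c.Set("username", claims.UserName)
		c.Next()
	}
}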
// AdminRequired checks whether the authenticated user has admin privileges.
//
// It expects an earlier middleware (AuthRequired) to have stored a uint
// "user_id" in the context; a missing or zero id aborts with 401. A nil
// config.DB aborts with 500, a failed account lookup with 401, and an account
// whose IsAdmin is nil or false with 403. Only the id and is_admin columns are
// selected for the lookup.
func AdminRequired() gin.HandlerFunc {
	return func(c *gin.Context) {
		currentID := c.GetUint("user_id")
		if currentID == 0 {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
			return
		}
		if config.DB == nil {
			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "database is not connected"})
			return
		}

		var account accountModels.User
		lookupErr := config.DB.Select("id", "is_admin").First(&account, currentID).Error

		switch {
		case lookupErr != nil:
			// Any lookup error is reported to the client as an invalid user.
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid user"})
		case account.IsAdmin == nil || !*account.IsAdmin:
			// IsAdmin is a pointer; an unset flag counts as non-admin.
			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "admin role required"})
		default:
			c.Next()
		}
	}
}