*: move user API auth to middleware and fix return status
Move client authentication into its own middleware and provide differentiation between HTTP requests that do not provide credentials (401) and requests that authenticate as a non-admin user (403). Closes #152
This commit is contained in:
parent
b5c7f1978e
commit
0ada4c8010
2 changed files with 28 additions and 38 deletions
|
@ -51,24 +51,33 @@ func (s *UserMgmtServer) HTTPHandler() http.Handler {
|
|||
r := httprouter.New()
|
||||
r.RedirectTrailingSlash = false
|
||||
r.RedirectFixedPath = false
|
||||
r.GET(UsersListEndpoint, s.listUsers)
|
||||
r.POST(UsersCreateEndpoint, s.createUser)
|
||||
r.POST(UsersDisableEndpoint, s.disableUser)
|
||||
r.GET(UsersGetEndpoint, s.getUser)
|
||||
r.GET(UsersListEndpoint, s.authAPIHandle(s.listUsers))
|
||||
r.POST(UsersCreateEndpoint, s.authAPIHandle(s.createUser))
|
||||
r.POST(UsersDisableEndpoint, s.authAPIHandle(s.disableUser))
|
||||
r.GET(UsersGetEndpoint, s.authAPIHandle(s.getUser))
|
||||
return r
|
||||
}
|
||||
|
||||
func (s *UserMgmtServer) listUsers(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
||||
creds, err := s.getCreds(r)
|
||||
if err != nil {
|
||||
s.writeError(w, err)
|
||||
return
|
||||
}
|
||||
// authedHandle is an HTTP handle which requires requests to be authenticated as an admin user.
|
||||
type authedHandle func(w http.ResponseWriter, r *http.Request, ps httprouter.Params, creds api.Creds)
|
||||
|
||||
// authAPIHandle is a middleware function with authenticates an HTTP request before passing
|
||||
// it along to the authedHandle.
|
||||
func (s *UserMgmtServer) authAPIHandle(handle authedHandle) httprouter.Handle {
|
||||
return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
||||
creds, err := s.getCreds(r)
|
||||
if err != nil {
|
||||
s.writeError(w, err)
|
||||
return
|
||||
}
|
||||
handle(w, r, ps, creds)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *UserMgmtServer) listUsers(w http.ResponseWriter, r *http.Request, ps httprouter.Params, creds api.Creds) {
|
||||
nextPageToken := r.URL.Query().Get("nextPageToken")
|
||||
|
||||
maxResults, err := intFromQuery(r.URL.Query(), "maxResults", defaultMaxResults)
|
||||
|
||||
if err != nil {
|
||||
writeAPIError(w, http.StatusBadRequest,
|
||||
newAPIError(errorInvalidRequest, "maxResults must be an integer"))
|
||||
|
@ -88,13 +97,7 @@ func (s *UserMgmtServer) listUsers(w http.ResponseWriter, r *http.Request, ps ht
|
|||
writeResponseWithBody(w, http.StatusOK, usersResponse)
|
||||
}
|
||||
|
||||
func (s *UserMgmtServer) getUser(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
||||
creds, err := s.getCreds(r)
|
||||
if err != nil {
|
||||
s.writeError(w, err)
|
||||
return
|
||||
}
|
||||
|
||||
func (s *UserMgmtServer) getUser(w http.ResponseWriter, r *http.Request, ps httprouter.Params, creds api.Creds) {
|
||||
id := ps.ByName("id")
|
||||
if id == "" {
|
||||
writeAPIError(w, http.StatusBadRequest,
|
||||
|
@ -113,16 +116,9 @@ func (s *UserMgmtServer) getUser(w http.ResponseWriter, r *http.Request, ps http
|
|||
writeResponseWithBody(w, http.StatusOK, userResponse)
|
||||
}
|
||||
|
||||
func (s *UserMgmtServer) createUser(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
||||
creds, err := s.getCreds(r)
|
||||
if err != nil {
|
||||
s.writeError(w, err)
|
||||
return
|
||||
}
|
||||
|
||||
func (s *UserMgmtServer) createUser(w http.ResponseWriter, r *http.Request, ps httprouter.Params, creds api.Creds) {
|
||||
createReq := schema.UserCreateRequest{}
|
||||
err = json.NewDecoder(r.Body).Decode(&createReq)
|
||||
if err != nil {
|
||||
if err := json.NewDecoder(r.Body).Decode(&createReq); err != nil {
|
||||
writeInvalidRequest(w, "cannot parse JSON body")
|
||||
return
|
||||
}
|
||||
|
@ -143,13 +139,7 @@ func (s *UserMgmtServer) createUser(w http.ResponseWriter, r *http.Request, ps h
|
|||
writeResponseWithBody(w, http.StatusOK, createdResponse)
|
||||
}
|
||||
|
||||
func (s *UserMgmtServer) disableUser(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
||||
creds, err := s.getCreds(r)
|
||||
if err != nil {
|
||||
s.writeError(w, err)
|
||||
return
|
||||
}
|
||||
|
||||
func (s *UserMgmtServer) disableUser(w http.ResponseWriter, r *http.Request, ps httprouter.Params, creds api.Creds) {
|
||||
id := ps.ByName("id")
|
||||
if id == "" {
|
||||
writeAPIError(w, http.StatusBadRequest,
|
||||
|
@ -158,8 +148,7 @@ func (s *UserMgmtServer) disableUser(w http.ResponseWriter, r *http.Request, ps
|
|||
}
|
||||
|
||||
disableReq := schema.UserDisableRequest{}
|
||||
err = json.NewDecoder(r.Body).Decode(&disableReq)
|
||||
if err != nil {
|
||||
if err := json.NewDecoder(r.Body).Decode(&disableReq); err != nil {
|
||||
writeInvalidRequest(w, "cannot parse JSON body")
|
||||
}
|
||||
|
||||
|
@ -240,7 +229,7 @@ func (s *UserMgmtServer) getCreds(r *http.Request) (api.Creds, error) {
|
|||
return api.Creds{}, err
|
||||
}
|
||||
if !isAdmin {
|
||||
return api.Creds{}, api.ErrorUnauthorized
|
||||
return api.Creds{}, api.ErrorForbidden
|
||||
}
|
||||
|
||||
return api.Creds{
|
||||
|
|
|
@ -31,7 +31,8 @@ var (
|
|||
ErrorDuplicateEmail = newError("duplicate_email", "Email already in use.", http.StatusBadRequest)
|
||||
ErrorResourceNotFound = newError("resource_not_found", "Resource could not be found.", http.StatusNotFound)
|
||||
|
||||
ErrorUnauthorized = newError("unauthorized", "The given user and client are not authorized to make this request.", http.StatusUnauthorized)
|
||||
ErrorUnauthorized = newError("unauthorized", "Necessary credentials not provided.", http.StatusUnauthorized)
|
||||
ErrorForbidden = newError("forbidden", "The given user and client are not authorized to make this request.", http.StatusForbidden)
|
||||
|
||||
ErrorMaxResultsTooHigh = newError("max_results_too_high", fmt.Sprintf("The max number of results per page is %d", maxUsersPerPage), http.StatusBadRequest)
|
||||
|
||||
|
|
Reference in a new issue