leo
dbd0e9d01d
All checks were successful
continuous-integration/drone/push Build is passing
* simplify protection of endpoints * role discernment still occures in respective handlers * db client needs to be passed into handlers as a global var now
100 lines
2.5 KiB
Go
100 lines
2.5 KiB
Go
// Copyright 2023 wanderer <a_mirre at utb dot cz>
|
|
// SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
package handlers
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
|
|
moduser "git.dotya.ml/mirre-mt/pcmt/modules/user"
|
|
"github.com/labstack/echo-contrib/session"
|
|
"github.com/labstack/echo/v4"
|
|
)
|
|
|
|
func MiddlewareSession(next echo.HandlerFunc) echo.HandlerFunc {
|
|
return func(c echo.Context) error {
|
|
sess, _ := session.Get(setting.SessionCookieName(), c)
|
|
if sess == nil {
|
|
c.Logger().Info("No session found, unauthorised.")
|
|
|
|
// return a 404 instead of 401 to not disclose the existence of
|
|
// resources for unauthenticated users with no past sessions.
|
|
return echo.NewHTTPError(http.StatusNotFound).SetInternal(ErrNoSession)
|
|
}
|
|
|
|
uname := sess.Values["username"]
|
|
if uname == nil {
|
|
c.Logger().Debugf("%d - %s", http.StatusUnauthorized, "seassion expired or invalid")
|
|
// return echo.NewHTTPError(http.StatusUnauthorized).SetInternal(ErrSessionExpired)
|
|
return renderErrorPage(
|
|
c,
|
|
http.StatusUnauthorized,
|
|
http.StatusText(http.StatusUnauthorized),
|
|
ErrSessionExpired.Error(),
|
|
)
|
|
}
|
|
|
|
username, ok := sess.Values["username"].(string)
|
|
if !ok {
|
|
return renderErrorPage(
|
|
c,
|
|
http.StatusUnauthorized,
|
|
http.StatusText(http.StatusUnauthorized),
|
|
"username was nil",
|
|
)
|
|
}
|
|
|
|
log.Info("gorilla session", "username", username)
|
|
|
|
refreshSession(
|
|
sess,
|
|
"/",
|
|
// setting.SessionMaxAge,
|
|
86400,
|
|
true,
|
|
c.Request().URL.Scheme == "https", //nolint:goconst
|
|
http.SameSiteStrictMode,
|
|
)
|
|
|
|
if err := sess.Save(c.Request(), c.Response()); err != nil {
|
|
c.Logger().Error("failed to save session")
|
|
|
|
return renderErrorPage(
|
|
c,
|
|
http.StatusInternalServerError,
|
|
http.StatusText(http.StatusInternalServerError)+" (make sure you've got cookies enabled)",
|
|
err.Error(),
|
|
)
|
|
}
|
|
|
|
c.Set("sess", sess)
|
|
|
|
var u moduser.User
|
|
|
|
ctx := context.WithValue(context.Background(), moduser.CtxKey{}, slogger)
|
|
if usr, err := moduser.QueryUser(ctx, dbclient, username); err == nil && usr != nil {
|
|
u.ID = usr.ID
|
|
u.Username = usr.Username
|
|
u.IsAdmin = usr.IsAdmin
|
|
u.CreatedAt = usr.CreatedAt
|
|
u.IsActive = usr.IsActive
|
|
u.IsLoggedIn = true
|
|
} else {
|
|
c.Logger().Error(http.StatusText(http.StatusInternalServerError) + " - " + err.Error())
|
|
|
|
return renderErrorPage(
|
|
c,
|
|
http.StatusInternalServerError,
|
|
http.StatusText(http.StatusInternalServerError),
|
|
err.Error(),
|
|
)
|
|
}
|
|
|
|
c.Set("sloggerCtx", ctx)
|
|
c.Set("sessUsr", u)
|
|
|
|
return next(c)
|
|
}
|
|
}
|