diff --git a/auth/main.go b/auth/main.go index 2ecd0d65..16943aed 100644 --- a/auth/main.go +++ b/auth/main.go @@ -163,6 +163,8 @@ func main() { })) r.GET("/users", h.ListUsers) + r.GET("/users/:id", h.GetUser) + r.GET("/users/me", h.GetMe) e.POST("/users", h.Register) e.POST("/sessions", h.Login) diff --git a/auth/session.go b/auth/sessions.go similarity index 100% rename from auth/session.go rename to auth/sessions.go diff --git a/auth/users.go b/auth/users.go index 53e2e505..08e2f3eb 100644 --- a/auth/users.go +++ b/auth/users.go @@ -78,12 +78,16 @@ func MapOidc(oidc *dbc.OidcHandle) OidcHandle { // @Failure 400 {object} problem.Problem "Invalid after id" // @Router /users [get] func (h *Handler) ListUsers(c echo.Context) error { + err := CheckPermission(c, []string{"user.read"}) + if err != nil { + return err + } + ctx := context.Background() limit := int32(20) id := c.Param("afterId") var users []dbc.User - var err error if id == "" { users, err = h.db.GetAllUsers(ctx, limit) } else { @@ -109,6 +113,38 @@ func (h *Handler) ListUsers(c echo.Context) error { return c.JSON(200, ret) } +// @Summary Get user +// @Description Get informations about a user from it's id +// @Tags users +// @Produce json +// @Security Jwt[users.read] +// @Param id path string true "The id of the user" Format(uuid) +// @Success 200 {object} User +// @Failure 404 {object} problem.Problem "No user with the given id found" +// @Router /users/{id} [get] +func (h *Handler) GetUser(c echo.Context) error { + err := CheckPermission(c, []string{"user.read"}) + if err != nil { + return err + } + + id, err := uuid.Parse(c.Param("id")) + if err != nil { + return echo.NewHTTPError(400, "Invalid id") + } + dbuser, err := h.db.GetUser(context.Background(), id) + if err != nil { + return err + } + + user := MapDbUser(&dbuser[0].User) + for _, oidc := range dbuser { + user.Oidc[oidc.OidcHandle.Provider] = MapOidc(&oidc.OidcHandle) + } + + return c.JSON(200, user) +} + // @Summary Get me // @Description Get informations about the currently connected user // @Tags users @@ -136,22 +172,6 @@ func (h *Handler) GetMe(c echo.Context) error { return c.JSON(200, user) } -func GetCurrentUserId(c echo.Context) (uuid.UUID, error) { - user := c.Get("user").(*jwt.Token) - if user == nil { - return uuid.UUID{}, echo.NewHTTPError(401, "Unauthorized") - } - sub, err := user.Claims.GetSubject() - if err != nil { - return uuid.UUID{}, echo.NewHTTPError(403, "Could not retrive subject") - } - ret, err := uuid.Parse(sub) - if err != nil { - return uuid.UUID{}, echo.NewHTTPError(403, "Invalid id") - } - return ret, nil -} - // @Summary Register // @Description Register as a new user and open a session for it // @Tags users diff --git a/auth/utils.go b/auth/utils.go new file mode 100644 index 00000000..c9e0fa0a --- /dev/null +++ b/auth/utils.go @@ -0,0 +1,62 @@ +package main + +import ( + "fmt" + "slices" + "strings" + + "github.com/golang-jwt/jwt/v5" + "github.com/google/uuid" + "github.com/labstack/echo/v4" +) + +func GetCurrentUserId(c echo.Context) (uuid.UUID, error) { + user := c.Get("user").(*jwt.Token) + if user == nil { + return uuid.UUID{}, echo.NewHTTPError(401, "Unauthorized") + } + sub, err := user.Claims.GetSubject() + if err != nil { + return uuid.UUID{}, echo.NewHTTPError(403, "Could not retrive subject") + } + ret, err := uuid.Parse(sub) + if err != nil { + return uuid.UUID{}, echo.NewHTTPError(403, "Invalid id") + } + return ret, nil +} + +func CheckPremissions(c echo.Context, perms []string) error { + token, ok := c.Get("user").(*jwt.Token) + if !ok { + return echo.NewHTTPError(401, "Not logged in") + } + claims, ok := token.Claims.(jwt.MapClaims) + if !ok { + return echo.NewHTTPError(403, "Could not retrieve claims") + } + + permissions_claims, ok := claims["permissions"] + if !ok { + return echo.NewHTTPError(403, fmt.Sprintf("Missing permissions: %s.", ", ")) + } + permissions, ok := permissions_claims.([]string) + if !ok { + return echo.NewHTTPError(403, "Invalid permission claim.") + } + + missing := make([]string, 0) + for _, perm := range perms { + if !slices.Contains(permissions, perm) { + missing = append(missing, perm) + } + } + + if len(missing) != 0 { + return echo.NewHTTPError( + 403, + fmt.Sprintf("Missing permissions: %s.", strings.Join(missing, ", ")), + ) + } + return nil +}