soroushdes/flatrender
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cd95ca2c6f148abb8ac1faf40b7efa051af6782f
flatrender/services/file/internal/middleware/auth.go
T
soroush.asadi cd95ca2c6f
Build backend images / build content-svc (push) Failing after 56s
Details
Build backend images / build file-svc (push) Failing after 54s
Details
Build backend images / build gateway (push) Failing after 55s
Details
Build backend images / build identity-svc (push) Failing after 48s
Details
Build backend images / build notification-svc (push) Failing after 55s
Details
Build backend images / build render-svc (push) Failing after 57s
Details
Build backend images / build studio-svc (push) Failing after 44s
Details
fix(gateway/services): admin node/render pages 500 — redirect loop + is_admin claim 
- gateway proxy: trim trailing slash before forwarding upstream. gin's
  RedirectTrailingSlash adds /nodes → /nodes/ while render-svc redirects
  /nodes/ → /nodes, forming an infinite redirect loop (admin pages 500'd)
- accept is_admin as bool OR string "true" in render/file/notification/gateway
  auth middleware (identity emits it as a string) — admin endpoints were 403'ing

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-02 11:26:44 +03:30

86 lines
2.1 KiB
Go
Raw Blame History

package middleware
import (
"net/http"
"strings"
"github.com/flatrender/file-svc/internal/models"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
"github.com/google/uuid"
)
const (
KeyUserID = "user_id"
KeyTenantID = "tenant_id"
KeyIsAdmin = "is_admin"
)
func Auth(jwtSecret string) gin.HandlerFunc {
return func(c *gin.Context) {
header := c.GetHeader("Authorization")
if !strings.HasPrefix(header, "Bearer ") {
c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
Error: models.APIError{Code: "unauthorized", Message: "missing bearer token"},
})
return
}
tokenStr := strings.TrimPrefix(header, "Bearer ")
token, err := jwt.Parse(tokenStr, func(t *jwt.Token) (any, error) {
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, jwt.ErrSignatureInvalid
}
return []byte(jwtSecret), nil
})
if err != nil || !token.Valid {
c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
Error: models.APIError{Code: "unauthorized", Message: "invalid token"},
})
return
}
claims, ok := token.Claims.(jwt.MapClaims)
if !ok {
c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
Error: models.APIError{Code: "unauthorized", Message: "invalid claims"},
})
return
}
userID, err := uuid.Parse(claims["sub"].(string))
if err != nil {
c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
Error: models.APIError{Code: "unauthorized", Message: "invalid sub claim"},
})
return
}
tenantID, _ := uuid.Parse(claims["tenant_id"].(string))
isAdmin := false
switch v := claims["is_admin"].(type) {
case bool:
isAdmin = v
case string:
isAdmin = v == "true"
}
c.Set(KeyUserID, userID)
c.Set(KeyTenantID, tenantID)
c.Set(KeyIsAdmin, isAdmin)
c.Next()
}
}
func AdminOnly() gin.HandlerFunc {
return func(c *gin.Context) {
if isAdmin, _ := c.Get(KeyIsAdmin); isAdmin != true {
c.AbortWithStatusJSON(http.StatusForbidden, models.ErrorResponse{
Error: models.APIError{Code: "forbidden", Message: "admin only"},
})
return
}
c.Next()
}
}
Reference in New Issue View Git Blame Copy Permalink