soroush.asadi
cd95ca2c6f
Build backend images / build content-svc (push) Failing after 56s
Build backend images / build file-svc (push) Failing after 54s
Build backend images / build gateway (push) Failing after 55s
Build backend images / build identity-svc (push) Failing after 48s
Build backend images / build notification-svc (push) Failing after 55s
Build backend images / build render-svc (push) Failing after 57s
Build backend images / build studio-svc (push) Failing after 44s
- gateway proxy: trim trailing slash before forwarding upstream. gin's RedirectTrailingSlash adds /nodes → /nodes/ while render-svc redirects /nodes/ → /nodes, forming an infinite redirect loop (admin pages 500'd) - accept is_admin as bool OR string "true" in render/file/notification/gateway auth middleware (identity emits it as a string) — admin endpoints were 403'ing Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
114 lines
3.0 KiB
Go
114 lines
3.0 KiB
Go
package middleware
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/flatrender/render-svc/internal/models"
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
const (
|
|
CtxUserID = "user_id"
|
|
CtxTenantID = "tenant_id"
|
|
CtxIsAdmin = "is_admin"
|
|
CtxRole = "role"
|
|
)
|
|
|
|
func JWTAuth(secret string) gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
hdr := c.GetHeader("Authorization")
|
|
if !strings.HasPrefix(hdr, "Bearer ") {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, models.APIError{Code: "unauthorized", Message: "missing bearer token"})
|
|
return
|
|
}
|
|
tokenStr := hdr[7:]
|
|
token, err := jwt.Parse(tokenStr, func(t *jwt.Token) (interface{}, error) {
|
|
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
return nil, jwt.ErrSignatureInvalid
|
|
}
|
|
return []byte(secret), nil
|
|
})
|
|
if err != nil || !token.Valid {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, models.APIError{Code: "unauthorized", Message: "invalid token"})
|
|
return
|
|
}
|
|
claims, ok := token.Claims.(jwt.MapClaims)
|
|
if !ok {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, models.APIError{Code: "unauthorized", Message: "bad claims"})
|
|
return
|
|
}
|
|
userID, _ := uuid.Parse(fmt.Sprintf("%v", claims["sub"]))
|
|
tenantID, _ := uuid.Parse(fmt.Sprintf("%v", claims["tenant_id"]))
|
|
// is_admin may arrive as a JSON bool or as the string "true" (identity emits a
|
|
// string). Accept both so [RequireAdmin] works regardless of token encoding.
|
|
isAdmin := false
|
|
switch v := claims["is_admin"].(type) {
|
|
case bool:
|
|
isAdmin = v
|
|
case string:
|
|
isAdmin = v == "true"
|
|
}
|
|
role, _ := claims["role"].(string)
|
|
|
|
c.Set(CtxUserID, userID)
|
|
c.Set(CtxTenantID, tenantID)
|
|
c.Set(CtxIsAdmin, isAdmin)
|
|
c.Set(CtxRole, role)
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
func RequireAdmin() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
isAdmin, _ := c.Get(CtxIsAdmin)
|
|
b, _ := isAdmin.(bool)
|
|
if !b {
|
|
c.AbortWithStatusJSON(http.StatusForbidden, models.APIError{Code: "forbidden", Message: "admin required"})
|
|
return
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
// RequireServiceRole allows callers presenting a token with role="Service"
|
|
func RequireServiceRole() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
role, _ := c.Get(CtxRole)
|
|
isAdmin, _ := c.Get(CtxIsAdmin)
|
|
b, _ := isAdmin.(bool)
|
|
if role != "Service" && !b {
|
|
c.AbortWithStatusJSON(http.StatusForbidden, models.APIError{Code: "forbidden", Message: "service role required"})
|
|
return
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
// NodeHMAC verifies the X-Node-Signature header for node-agent calls
|
|
func NodeHMAC(nodeSecret string) gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
sig := c.GetHeader("X-Node-Signature")
|
|
if sig == "" || sig != nodeSecret {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, models.APIError{Code: "unauthorized", Message: "invalid node signature"})
|
|
return
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
func GetUserID(c *gin.Context) uuid.UUID {
|
|
v, _ := c.Get(CtxUserID)
|
|
id, _ := v.(uuid.UUID)
|
|
return id
|
|
}
|
|
|
|
func GetTenantID(c *gin.Context) uuid.UUID {
|
|
v, _ := c.Get(CtxTenantID)
|
|
id, _ := v.(uuid.UUID)
|
|
return id
|
|
}
|