initial commit

2024-05-04 08:28:22 -05:00
commit e2b82ba683
5 changed files with 190 additions and 0 deletions
--- a/auth.go
+++ b/auth.go
@@ -0,0 +1,126 @@
+package middleware
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/MicahParks/keyfunc"
+	"github.com/golang-jwt/jwt/v4"
+	"gitlab.com/developerdurp/logger"
+)
+
+type StandardMessage struct {
+	Message string `json:"message" example:"message"`
+}
+
+func failedReponse(message string, w http.ResponseWriter) {
+	response := StandardMessage{
+		Message: message,
+	}
+
+	w.WriteHeader(http.StatusUnauthorized)
+	w.Header().Set("Content-Type", "application/json")
+
+	err := json.NewEncoder(w).Encode(response)
+	if err != nil {
+		logger.LogError("Failed to Encode")
+	}
+}
+
+func AuthMiddleware(next http.Handler, allowedGroups []string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var groups []string
+		JwksURL := os.Getenv("jwksurl")
+		tokenString := w.Header().Get("Authorization")
+
+		if tokenString == "" {
+			failedReponse("No Token Detected", w)
+		}
+
+		tokenString = strings.TrimPrefix(tokenString, "Bearer ")
+
+		ctx, cancel := context.WithCancel(context.Background())
+
+		options := keyfunc.Options{
+			Ctx: ctx,
+			RefreshErrorHandler: func(err error) {
+				logger.LogError("There was an error with the jwt.Keyfunc" + err.Error())
+			},
+			RefreshInterval:   time.Hour,
+			RefreshRateLimit:  time.Minute * 5,
+			RefreshTimeout:    time.Second * 10,
+			RefreshUnknownKID: true,
+		}
+
+		jwks, err := keyfunc.Get(JwksURL, options)
+		if err != nil {
+			failedReponse("Failed to create JWKS:"+err.Error(), w)
+
+			cancel()
+			jwks.EndBackground()
+			return
+		}
+
+		token, err := jwt.Parse(tokenString, jwks.Keyfunc)
+		if err != nil {
+			failedReponse(err.Error(), w)
+
+			cancel()
+			jwks.EndBackground()
+			return
+		}
+
+		if !token.Valid {
+			failedReponse("Token is invalid: "+err.Error(), w)
+
+			cancel()
+			jwks.EndBackground()
+			return
+		}
+
+		cancel()
+		jwks.EndBackground()
+
+		claims, ok := token.Claims.(jwt.MapClaims)
+		if !ok {
+			failedReponse("Invalid authorization token claims", w)
+			return
+		}
+
+		groupsClaim, ok := claims["groups"].([]interface{})
+		if !ok {
+			failedReponse("Missing or invalid groups claim in the authorization token", w)
+			return
+		}
+
+		for _, group := range groupsClaim {
+			if groupName, ok := group.(string); ok {
+				groups = append(groups, groupName)
+			}
+		}
+
+		isAllowed := false
+		for _, allowedGroup := range allowedGroups {
+			for _, group := range groups {
+				if group == allowedGroup {
+					isAllowed = true
+					break
+				}
+			}
+			if isAllowed {
+				break
+			}
+		}
+
+		if !isAllowed {
+			failedReponse("Unaothorized to use this endpoint", w)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}