
  1. package auth
  2. import (
  3. "context"
  4. "net/http"
  5. "connectrpc.com/connect"
  6. types "github.com/OliveTin/OliveTin/internal/auth/authpublic"
  7. otjwt "github.com/OliveTin/OliveTin/internal/auth/otjwt"
  8. "github.com/OliveTin/OliveTin/internal/config"
  9. log "github.com/sirupsen/logrus"
  10. )
// authChain is the ordered list of authentication checks consulted for every
// API call. runAuthChain walks it front to back and stops at the first check
// that returns a user with a non-empty Username, so earlier entries take
// precedence over later ones; a check that finds nothing returns nil (or a
// user with an empty Username) and the next entry is tried.
//
// Checks that cannot be listed here statically (instance methods such as the
// OAuth2 handler) are appended at runtime through AddAuthChainFunction and
// therefore run after everything below.
var authChain = []func(*types.AuthCheckingContext) *types.AuthenticatedUser{
	// Runs first and so wins over every other method. Its name suggests the
	// identity is taken from request headers; if so, it must only honour
	// headers from a trusted source -- presumably enforced inside
	// checkUserFromHeaders, which is not in this file (confirm).
	checkUserFromHeaders,
	checkUserFromLocalSession,
	otjwt.CheckUserFromJwtHeader,
	otjwt.CheckUserFromJwtCookie,
}
// AddAuthChainFunction registers an additional authentication check. It is
// appended after the checks declared in authChain, so the statically listed
// checks keep precedence. Handlers like the OAuth2 handler are "instance
// methods" and cannot appear in the authChain literal; they register
// themselves here instead.
//
// Nothing in this file synchronizes access to authChain, so this is meant for
// start-up registration before requests are served (confirm with callers).
func AddAuthChainFunction(check func(*types.AuthCheckingContext) *types.AuthenticatedUser) {
	chain := authChain
	chain = append(chain, check)
	authChain = chain
}
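// runAuthChain asks each registered check, in authChain order, to identify the
// caller of a connect request. The first check that returns a user with a
// non-empty Username wins and is returned as-is (ACLs are not built here); a
// nil result, or a user with an empty Username, counts as "declined" and the
// next check runs. If every check declines, or req is nil, the result is nil
// and the caller is expected to fall back to the guest user.
//
// Only the request headers are handed to the checks: the synthetic
// http.Request carries no RemoteAddr, TLS state, URL or body, so a check that
// depends on any of those sees zero values here.
func runAuthChain[T any](req *connect.Request[T], cfg *config.Config) *types.AuthenticatedUser {
	// A nil request carries no credentials. UserFromApiCall already tolerates
	// a nil req when it reads the procedure path, so stay consistent with it
	// instead of dereferencing nil in req.Header().
	if req == nil {
		return nil
	}
	authCtx := &types.AuthCheckingContext{
		Request: &http.Request{Header: req.Header()},
		Config:  cfg,
	}
	for _, check := range authChain {
		if user := check(authCtx); user != nil && user.Username != "" {
			return user
		}
	}
	return nil
}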
// UserFromApiCall resolves the user behind a connect API call. The auth chain
// is run over the request headers; when no check produces a user with a
// non-empty Username the guest user from UserGuest(cfg) is used, otherwise the
// authenticated user's ACLs are built from cfg. The outcome is logged at debug
// level together with the RPC procedure name and then returned.
//
// ctx plays no part in authentication; it is only dumped at trace level, and
// %+v prints whatever the context carries, so keep that in mind for log
// hygiene.
func UserFromApiCall[T any](ctx context.Context, req *connect.Request[T], cfg *config.Config) *types.AuthenticatedUser {
	caller := runAuthChain(req, cfg)

	log.Tracef("UserFromApiCall Context: %+v", ctx)

	// runAuthChain already rejects empty usernames; re-checking here keeps
	// this function safe on its own terms.
	authenticated := caller != nil && caller.Username != ""
	if authenticated {
		caller.BuildUserAcls(cfg)
	} else {
		caller = UserGuest(cfg)
	}

	procedure := ""
	if req != nil {
		procedure = req.Spec().Procedure
	}

	entry := log.WithFields(log.Fields{
		"username":      caller.Username,
		"usergroupLine": caller.UsergroupLine,
		"provider":      caller.Provider,
		"acls":          caller.Acls,
		"path":          procedure,
	})
	entry.Debugf("Authenticated API request")

	return caller
}