authcheck.go 1.7 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071
  1. package auth
  2. import (
  3. "context"
  4. "net/http"
  5. "connectrpc.com/connect"
  6. types "github.com/OliveTin/OliveTin/internal/auth/authpublic"
  7. otjwt "github.com/OliveTin/OliveTin/internal/auth/otjwt"
  8. "github.com/OliveTin/OliveTin/internal/config"
  9. log "github.com/sirupsen/logrus"
  10. )
  11. var authChain = []func(*types.AuthCheckingContext) *types.AuthenticatedUser{
  12. checkUserFromHeaders,
  13. checkUserFromLocalSession,
  14. checkUserFromLocalBearerApiKey,
  15. otjwt.CheckUserFromJwtHeader,
  16. otjwt.CheckUserFromJwtCookie,
  17. }
  18. // Handlers like the OAuth2's handler are "instance methods", so they need to be added to the auth chain after the other handlers.
  19. func AddAuthChainFunction(check func(*types.AuthCheckingContext) *types.AuthenticatedUser) {
  20. authChain = append(authChain, check)
  21. }
  22. func runAuthChain[T any](req *connect.Request[T], cfg *config.Config) *types.AuthenticatedUser {
  23. var user *types.AuthenticatedUser
  24. authCtx := &types.AuthCheckingContext{
  25. Request: &http.Request{Header: req.Header()},
  26. Config: cfg,
  27. }
  28. for _, check := range authChain {
  29. user = check(authCtx)
  30. if user != nil && user.Username != "" {
  31. return user
  32. }
  33. }
  34. return nil
  35. }
  36. func UserFromApiCall[T any](ctx context.Context, req *connect.Request[T], cfg *config.Config) *types.AuthenticatedUser {
  37. user := runAuthChain(req, cfg)
  38. log.Tracef("UserFromApiCall Context: %+v", ctx)
  39. if user == nil || user.Username == "" {
  40. user = UserGuest(cfg)
  41. } else {
  42. user.BuildUserAcls(cfg)
  43. }
  44. path := ""
  45. if req != nil {
  46. path = req.Spec().Procedure
  47. }
  48. log.WithFields(log.Fields{
  49. "username": user.Username,
  50. "usergroupLine": user.UsergroupLine,
  51. "provider": user.Provider,
  52. "acls": user.Acls,
  53. "path": path,
  54. }).Debugf("Authenticated API request")
  55. return user
  56. }