backend/internal/middleware/jwt_auth.go

package middleware

import (
	"strings"

	"github.com/gin-gonic/gin"
	"github.com/pocket-id/pocket-id/backend/internal/common"
	"github.com/pocket-id/pocket-id/backend/internal/service"
	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
)

type JwtAuthMiddleware struct {
	userService *service.UserService
	jwtService  *service.JwtService
}

func NewJwtAuthMiddleware(jwtService *service.JwtService, userService *service.UserService) *JwtAuthMiddleware {
	return &JwtAuthMiddleware{jwtService: jwtService, userService: userService}
}

func (m *JwtAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
	return func(c *gin.Context) {
		userID, isAdmin, err := m.Verify(c, adminRequired)
		if err != nil {
			c.Abort()
			_ = c.Error(err)
			return
		}

		c.Set("userID", userID)
		c.Set("userIsAdmin", isAdmin)
		c.Next()
	}
}

func (m *JwtAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (subject string, isAdmin bool, err error) {
	// Extract the token from the cookie
	accessToken, err := c.Cookie(cookie.AccessTokenCookieName)
	if err != nil {
		// Try to extract the token from the Authorization header if it's not in the cookie
		var ok bool
		_, accessToken, ok = strings.Cut(c.GetHeader("Authorization"), " ")
		if !ok || accessToken == "" {
			return "", false, &common.NotSignedInError{}
		}
	}

	token, err := m.jwtService.VerifyAccessToken(accessToken)
	if err != nil {
		return "", false, &common.NotSignedInError{}
	}

	subject, ok := token.Subject()
	if !ok {
		_ = c.Error(&common.TokenInvalidError{})
		return
	}

	user, err := m.userService.GetUser(c, subject)
	if err != nil {
		return "", false, &common.NotSignedInError{}
	}

	if user.Disabled {
		return "", false, &common.UserDisabledError{}
	}

	if adminRequired && !user.IsAdmin {
		return "", false, &common.MissingPermissionError{}
	}

	return subject, isAdmin, nil
}
initial commit 2024-08-12 11:00:25 +02:00			`package middleware`

			`import (`
			`"strings"`
chore: replace `stonith404` with `pocket-id` after org migration 2025-02-05 18:08:01 +01:00
			`"github.com/gin-gonic/gin"`
			`"github.com/pocket-id/pocket-id/backend/internal/common"`
			`"github.com/pocket-id/pocket-id/backend/internal/service"`
			`"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"`
initial commit 2024-08-12 11:00:25 +02:00			`)`

refactor: use dependency injection in backend 2024-08-17 21:57:14 +02:00			`type JwtAuthMiddleware struct {`
feat: disable/enable users (#437) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-04-18 10:38:50 -05:00			`userService *service.UserService`
			`jwtService *service.JwtService`
refactor: use dependency injection in backend 2024-08-17 21:57:14 +02:00			`}`

feat: disable/enable users (#437) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-04-18 10:38:50 -05:00			`func NewJwtAuthMiddleware(jwtService service.JwtService, userService service.UserService) *JwtAuthMiddleware {`
			`return &JwtAuthMiddleware{jwtService: jwtService, userService: userService}`
refactor: use dependency injection in backend 2024-08-17 21:57:14 +02:00			`}`
initial commit 2024-08-12 11:00:25 +02:00
feat: api key authentication (#291) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-11 14:16:42 -05:00			`func (m *JwtAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {`
refactor: use dependency injection in backend 2024-08-17 21:57:14 +02:00			`return func(c *gin.Context) {`
feat: api key authentication (#291) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-11 14:16:42 -05:00			`userID, isAdmin, err := m.Verify(c, adminRequired)`
			`if err != nil {`
initial commit 2024-08-12 11:00:25 +02:00			`c.Abort()`
refactor: fix code smells 2025-03-27 16:48:36 +01:00			`_ = c.Error(err)`
initial commit 2024-08-12 11:00:25 +02:00			`return`
			`}`

feat: api key authentication (#291) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-11 14:16:42 -05:00			`c.Set("userID", userID)`
			`c.Set("userIsAdmin", isAdmin)`
			`c.Next()`
			`}`
			`}`

feat: add support for ECDSA and EdDSA keys (#359) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-27 10:20:39 -07:00			`func (m JwtAuthMiddleware) Verify(c gin.Context, adminRequired bool) (subject string, isAdmin bool, err error) {`
feat: api key authentication (#291) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-11 14:16:42 -05:00			`// Extract the token from the cookie`
feat: add support for ECDSA and EdDSA keys (#359) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-27 10:20:39 -07:00			`accessToken, err := c.Cookie(cookie.AccessTokenCookieName)`
feat: api key authentication (#291) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-11 14:16:42 -05:00			`if err != nil {`
			`// Try to extract the token from the Authorization header if it's not in the cookie`
feat: add support for ECDSA and EdDSA keys (#359) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-27 10:20:39 -07:00			`var ok bool`
			`_, accessToken, ok = strings.Cut(c.GetHeader("Authorization"), " ")`
			`if !ok \|\| accessToken == "" {`
feat: api key authentication (#291) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-11 14:16:42 -05:00			`return "", false, &common.NotSignedInError{}`
initial commit 2024-08-12 11:00:25 +02:00			`}`
feat: api key authentication (#291) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-11 14:16:42 -05:00			`}`
initial commit 2024-08-12 11:00:25 +02:00
feat: add support for ECDSA and EdDSA keys (#359) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-27 10:20:39 -07:00			`token, err := m.jwtService.VerifyAccessToken(accessToken)`
feat: api key authentication (#291) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-11 14:16:42 -05:00			`if err != nil {`
			`return "", false, &common.NotSignedInError{}`
initial commit 2024-08-12 11:00:25 +02:00			`}`
feat: api key authentication (#291) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-11 14:16:42 -05:00
feat: add support for ECDSA and EdDSA keys (#359) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-27 10:20:39 -07:00			`subject, ok := token.Subject()`
			`if !ok {`
			`_ = c.Error(&common.TokenInvalidError{})`
			`return`
			`}`

feat: disable/enable users (#437) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-04-18 10:38:50 -05:00			`user, err := m.userService.GetUser(c, subject)`
feat: add support for ECDSA and EdDSA keys (#359) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-27 10:20:39 -07:00			`if err != nil {`
feat: disable/enable users (#437) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-04-18 10:38:50 -05:00			`return "", false, &common.NotSignedInError{}`
			`}`

			`if user.Disabled {`
			`return "", false, &common.UserDisabledError{}`
feat: add support for ECDSA and EdDSA keys (#359) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-27 10:20:39 -07:00			`}`
feat: disable/enable users (#437) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-04-18 10:38:50 -05:00
			`if adminRequired && !user.IsAdmin {`
feat: api key authentication (#291) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-11 14:16:42 -05:00			`return "", false, &common.MissingPermissionError{}`
			`}`

feat: add support for ECDSA and EdDSA keys (#359) Co-authored-by: Elias Schneider <login@eliasschneider.com> 2025-03-27 10:20:39 -07:00			`return subject, isAdmin, nil`
initial commit 2024-08-12 11:00:25 +02:00			`}`