taskcafe/internal/route/middleware.go

package route

import (
	"context"
	"net/http"

	"github.com/google/uuid"
	"github.com/jordanknott/taskcafe/internal/db"
	"github.com/jordanknott/taskcafe/internal/utils"
	log "github.com/sirupsen/logrus"
)

// AuthenticationMiddleware is a middleware that requires a valid JWT token to be passed via the Authorization header
type AuthenticationMiddleware struct {
	repo db.Repository
}

// Middleware returns the middleware handler
func (m *AuthenticationMiddleware) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		requestID := uuid.New()
		foundToken := true
		tokenRaw := ""
		c, err := r.Cookie("authToken")
		if err != nil {
			if err == http.ErrNoCookie {
				foundToken = false
			} else {
				log.WithError(err).Error("unknown error")
				w.WriteHeader(http.StatusBadRequest)
				return
			}
		}
		if !foundToken {
			token := r.Header.Get("Authorization")
			if token == "" {
				log.WithError(err).Error("no auth token found in cookie or authorization header")
				w.WriteHeader(http.StatusBadRequest)
				return
			}
			tokenRaw = token
		} else {
			tokenRaw = c.Value
		}
		authTokenID := uuid.MustParse(tokenRaw)
		token, err := m.repo.GetAuthTokenByID(r.Context(), authTokenID)

		if err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			w.Write([]byte(`{
	"data": {},
	"errors": [
	{
		"extensions": {
			"code": "UNAUTHENTICATED"
		}
	}
	]
				}`))
			return
		}

		ctx := context.WithValue(r.Context(), utils.UserIDKey, token.UserID)
		// ctx = context.WithValue(ctx, utils.RestrictedModeKey, accessClaims.Restricted)
		// ctx = context.WithValue(ctx, utils.OrgRoleKey, accessClaims.OrgRole)
		ctx = context.WithValue(ctx, utils.ReqIDKey, requestID)

		next.ServeHTTP(w, r.WithContext(ctx))
	})
}
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`package route`
initial commit 2020-04-10 04:40:22 +02:00
			`import (`
			`"context"`
			`"net/http"`

feature: add ability to assign tasks 2020-04-20 05:02:55 +02:00			`"github.com/google/uuid"`
refactor: replace refresh & access token with auth token only changes authentication to no longer use a refresh token & access token for accessing protected endpoints. Instead only an auth token is used. Before the login flow was: Login -> get refresh (stored as HttpOnly cookie) + access token (stored in memory) -> protected endpoint request (attach access token as Authorization header) -> access token expires in 15 minutes, so use refresh token to obtain new one when that happens now it looks like this: Login -> get auth token (stored as HttpOnly cookie) -> make protected endpont request (token sent) the reasoning for using the refresh + access token was to reduce DB calls, but in the end I don't think its worth the hassle. 2021-04-29 04:32:19 +02:00			`"github.com/jordanknott/taskcafe/internal/db"`
fix: use correct context keys when retrieving userID & role 2020-08-22 06:08:30 +02:00			`"github.com/jordanknott/taskcafe/internal/utils"`
initial commit 2020-04-10 04:40:22 +02:00			`log "github.com/sirupsen/logrus"`
			`)`

feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// AuthenticationMiddleware is a middleware that requires a valid JWT token to be passed via the Authorization header`
fix: secret key is no longer hard coded the secret key for signing JWT tokens is now read from server.secret. if that does not exist, then a random UUID v4 is generated and used instead. a log warning is also shown. 2020-09-13 01:03:17 +02:00			`type AuthenticationMiddleware struct {`
refactor: replace refresh & access token with auth token only changes authentication to no longer use a refresh token & access token for accessing protected endpoints. Instead only an auth token is used. Before the login flow was: Login -> get refresh (stored as HttpOnly cookie) + access token (stored in memory) -> protected endpoint request (attach access token as Authorization header) -> access token expires in 15 minutes, so use refresh token to obtain new one when that happens now it looks like this: Login -> get auth token (stored as HttpOnly cookie) -> make protected endpont request (token sent) the reasoning for using the refresh + access token was to reduce DB calls, but in the end I don't think its worth the hassle. 2021-04-29 04:32:19 +02:00			`repo db.Repository`
fix: secret key is no longer hard coded the secret key for signing JWT tokens is now read from server.secret. if that does not exist, then a random UUID v4 is generated and used instead. a log warning is also shown. 2020-09-13 01:03:17 +02:00			`}`

			`// Middleware returns the middleware handler`
			`func (m *AuthenticationMiddleware) Middleware(next http.Handler) http.Handler {`
initial commit 2020-04-10 04:40:22 +02:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
feat: redesign project sharing & initial registration redesigned the project sharing popup to be a multi select dropdown that populates the options by using the input as a fuzzy search filter on the current users & invited users. users can now also be directly invited by email from the project share window. if invited this way, then the user will receive an email that sends them to a registration page, then a confirmation page. the initial registration was always redone so that it uses a similar system to the above in that it now will accept the first registered user if there are no other accounts (besides 'system'). 2020-10-21 01:52:09 +02:00			`requestID := uuid.New()`
refactor: replace refresh & access token with auth token only changes authentication to no longer use a refresh token & access token for accessing protected endpoints. Instead only an auth token is used. Before the login flow was: Login -> get refresh (stored as HttpOnly cookie) + access token (stored in memory) -> protected endpoint request (attach access token as Authorization header) -> access token expires in 15 minutes, so use refresh token to obtain new one when that happens now it looks like this: Login -> get auth token (stored as HttpOnly cookie) -> make protected endpont request (token sent) the reasoning for using the refresh + access token was to reduce DB calls, but in the end I don't think its worth the hassle. 2021-04-29 04:32:19 +02:00			`foundToken := true`
			`tokenRaw := ""`
			`c, err := r.Cookie("authToken")`
			`if err != nil {`
			`if err == http.ErrNoCookie {`
			`foundToken = false`
			`} else {`
			`log.WithError(err).Error("unknown error")`
			`w.WriteHeader(http.StatusBadRequest)`
			`return`
			`}`
			`}`
			`if !foundToken {`
			`token := r.Header.Get("Authorization")`
			`if token == "" {`
			`log.WithError(err).Error("no auth token found in cookie or authorization header")`
			`w.WriteHeader(http.StatusBadRequest)`
			`return`
			`}`
			`tokenRaw = token`
			`} else {`
			`tokenRaw = c.Value`
initial commit 2020-04-10 04:40:22 +02:00			`}`
refactor: replace refresh & access token with auth token only changes authentication to no longer use a refresh token & access token for accessing protected endpoints. Instead only an auth token is used. Before the login flow was: Login -> get refresh (stored as HttpOnly cookie) + access token (stored in memory) -> protected endpoint request (attach access token as Authorization header) -> access token expires in 15 minutes, so use refresh token to obtain new one when that happens now it looks like this: Login -> get auth token (stored as HttpOnly cookie) -> make protected endpont request (token sent) the reasoning for using the refresh + access token was to reduce DB calls, but in the end I don't think its worth the hassle. 2021-04-29 04:32:19 +02:00			`authTokenID := uuid.MustParse(tokenRaw)`
			`token, err := m.repo.GetAuthTokenByID(r.Context(), authTokenID)`

initial commit 2020-04-10 04:40:22 +02:00			`if err != nil {`
refactor: replace refresh & access token with auth token only changes authentication to no longer use a refresh token & access token for accessing protected endpoints. Instead only an auth token is used. Before the login flow was: Login -> get refresh (stored as HttpOnly cookie) + access token (stored in memory) -> protected endpoint request (attach access token as Authorization header) -> access token expires in 15 minutes, so use refresh token to obtain new one when that happens now it looks like this: Login -> get auth token (stored as HttpOnly cookie) -> make protected endpont request (token sent) the reasoning for using the refresh + access token was to reduce DB calls, but in the end I don't think its worth the hassle. 2021-04-29 04:32:19 +02:00			`w.WriteHeader(http.StatusUnauthorized)`
			w.Write([]byte(`{
cleanup: merge types & add graphql-codegen-cli 2020-04-10 05:27:57 +02:00			`"data": {},`
initial commit 2020-04-10 04:40:22 +02:00			`"errors": [`
			`{`
			`"extensions": {`
			`"code": "UNAUTHENTICATED"`
			`}`
			`}`
			`]`
			}`))
			`return`
			`}`

refactor: replace refresh & access token with auth token only changes authentication to no longer use a refresh token & access token for accessing protected endpoints. Instead only an auth token is used. Before the login flow was: Login -> get refresh (stored as HttpOnly cookie) + access token (stored in memory) -> protected endpoint request (attach access token as Authorization header) -> access token expires in 15 minutes, so use refresh token to obtain new one when that happens now it looks like this: Login -> get auth token (stored as HttpOnly cookie) -> make protected endpont request (token sent) the reasoning for using the refresh + access token was to reduce DB calls, but in the end I don't think its worth the hassle. 2021-04-29 04:32:19 +02:00			`ctx := context.WithValue(r.Context(), utils.UserIDKey, token.UserID)`
			`// ctx = context.WithValue(ctx, utils.RestrictedModeKey, accessClaims.Restricted)`
			`// ctx = context.WithValue(ctx, utils.OrgRoleKey, accessClaims.OrgRole)`
feat: redesign project sharing & initial registration redesigned the project sharing popup to be a multi select dropdown that populates the options by using the input as a fuzzy search filter on the current users & invited users. users can now also be directly invited by email from the project share window. if invited this way, then the user will receive an email that sends them to a registration page, then a confirmation page. the initial registration was always redone so that it uses a similar system to the above in that it now will accept the first registered user if there are no other accounts (besides 'system'). 2020-10-21 01:52:09 +02:00			`ctx = context.WithValue(ctx, utils.ReqIDKey, requestID)`
initial commit 2020-04-10 04:40:22 +02:00
			`next.ServeHTTP(w, r.WithContext(ctx))`
			`})`
			`}`