Merge pull request 'Add middleware for AdminRouter and added IsAdmin function' (#5) from feature/admin into main

Reviewed-on: #5
2024-11-24 15:52:53 +00:00 · 2024-11-24 15:52:53 +00:00 · 43c2abf138
parent 29dd3bb2bb 9d813bfd43
commit 43c2abf138
2 changed files with 32 additions and 6 deletions
--- a/handlers.go
+++ b/handlers.go
@ -28,12 +28,13 @@ func NewHandler(oauth2Config *oauth2.Config, session SessionStorer, verifier *oi
 }

 type UserClaims struct {
-	Email    string `json:"email"`
-	Verified bool   `json:"email_verified"`
-	Name     string `json:"given_name"`
-	Username string `json:"cognito:username"`
-	Picture  string `json:"picture"`
-	Sub      string `json:"sub"`
+	Email    string   `json:"email"`
+	Verified bool     `json:"email_verified"`
+	Name     string   `json:"given_name"`
+	Username string   `json:"cognito:username"`
+	Picture  string   `json:"picture"`
+	Sub      string   `json:"sub"`
+	Groups   []string `json:"cognito:groups"`
 }

 func generateState() (string, error) {
--- a/middleware.go
+++ b/middleware.go
@ -85,6 +85,31 @@ func (m *Middleware) ProtectedRouteWithRedirect(next http.Handler) http.Handler
 	})
 }

+// IsAdmin Checks if admin group is present
+func IsAdmin(groups []string) bool {
+	for _, group := range groups {
+		if group == "admin" {
+			return true
+		}
+	}
+	return false
+}
+
+// AdminProtectedRoute Checks if user is member of admin group, if not return forbidden
+func (m *Middleware) AdminProtectedRoute(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		userOptional := r.Context().Value(userContextKey)
+		if userOptional != nil {
+			user := userOptional.(UserClaims)
+			if IsAdmin(user.Groups) {
+				next.ServeHTTP(w, r)
+			}
+		}
+
+		http.Error(w, "Forbidden", http.StatusForbidden)
+	})
+}
+
 func GetUserFromContext(r *http.Request) *UserClaims {
 	userOptional := r.Context().Value(userContextKey)
 	if userOptional != nil {