Compare commits

...

2 Commits

2 changed files with 32 additions and 6 deletions

View File

@ -28,12 +28,13 @@ func NewHandler(oauth2Config *oauth2.Config, session SessionStorer, verifier *oi
} }
type UserClaims struct { type UserClaims struct {
Email string `json:"email"` Email string `json:"email"`
Verified bool `json:"email_verified"` Verified bool `json:"email_verified"`
Name string `json:"given_name"` Name string `json:"given_name"`
Username string `json:"cognito:username"` Username string `json:"cognito:username"`
Picture string `json:"picture"` Picture string `json:"picture"`
Sub string `json:"sub"` Sub string `json:"sub"`
Groups []string `json:"cognito:groups"`
} }
func generateState() (string, error) { func generateState() (string, error) {

View File

@ -85,6 +85,31 @@ func (m *Middleware) ProtectedRouteWithRedirect(next http.Handler) http.Handler
}) })
} }
// IsAdmin Checks if admin group is present
func IsAdmin(groups []string) bool {
for _, group := range groups {
if group == "admin" {
return true
}
}
return false
}
// AdminProtectedRoute Checks if user is member of admin group, if not return forbidden
func (m *Middleware) AdminProtectedRoute(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
userOptional := r.Context().Value(userContextKey)
if userOptional != nil {
user := userOptional.(UserClaims)
if IsAdmin(user.Groups) {
next.ServeHTTP(w, r)
}
}
http.Error(w, "Forbidden", http.StatusForbidden)
})
}
func GetUserFromContext(r *http.Request) *UserClaims { func GetUserFromContext(r *http.Request) *UserClaims {
userOptional := r.Context().Value(userContextKey) userOptional := r.Context().Value(userContextKey)
if userOptional != nil { if userOptional != nil {