forked from ryyst/kalzu-value-store
fix: secure admin endpoints with authentication middleware (issue #4)
- Add config parameter to AuthService constructor - Implement proper config-based auth checks in middleware - Wrap all admin endpoints (users, groups, tokens) with authentication - Apply granular scopes: admin:users:*, admin:groups:*, admin:tokens:* - Maintain backward compatibility when config is nil 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
@@ -26,13 +26,15 @@ type AuthContext struct {
|
|||||||
type AuthService struct {
|
type AuthService struct {
|
||||||
db *badger.DB
|
db *badger.DB
|
||||||
logger *logrus.Logger
|
logger *logrus.Logger
|
||||||
|
config *types.Config
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewAuthService creates a new authentication service
|
// NewAuthService creates a new authentication service
|
||||||
func NewAuthService(db *badger.DB, logger *logrus.Logger) *AuthService {
|
func NewAuthService(db *badger.DB, logger *logrus.Logger, config *types.Config) *AuthService {
|
||||||
return &AuthService{
|
return &AuthService{
|
||||||
db: db,
|
db: db,
|
||||||
logger: logger,
|
logger: logger,
|
||||||
|
config: config,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -138,11 +138,12 @@ func (s *RateLimitService) RateLimitMiddleware(next http.HandlerFunc) http.Handl
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// isAuthEnabled checks if authentication is enabled (would be passed from config)
|
// isAuthEnabled checks if authentication is enabled from config
|
||||||
func (s *AuthService) isAuthEnabled() bool {
|
func (s *AuthService) isAuthEnabled() bool {
|
||||||
// This would normally be injected from config, but for now we'll assume enabled
|
if s.config != nil {
|
||||||
// TODO: Inject config dependency
|
return s.config.AuthEnabled
|
||||||
return true
|
}
|
||||||
|
return true // Default to enabled if no config
|
||||||
}
|
}
|
||||||
|
|
||||||
// Helper method to check rate limits (simplified version)
|
// Helper method to check rate limits (simplified version)
|
||||||
|
|||||||
@@ -32,20 +32,44 @@ func (s *Server) setupRoutes() *mux.Router {
|
|||||||
|
|
||||||
// Authentication and user management endpoints (available when auth is enabled)
|
// Authentication and user management endpoints (available when auth is enabled)
|
||||||
if s.config.AuthEnabled {
|
if s.config.AuthEnabled {
|
||||||
// User Management endpoints
|
// User Management endpoints (with authentication middleware)
|
||||||
router.HandleFunc("/api/users", s.createUserHandler).Methods("POST")
|
router.Handle("/api/users", s.authService.Middleware(
|
||||||
router.HandleFunc("/api/users/{uuid}", s.getUserHandler).Methods("GET")
|
[]string{"admin:users:create"}, nil, "",
|
||||||
router.HandleFunc("/api/users/{uuid}", s.updateUserHandler).Methods("PUT")
|
)(s.createUserHandler)).Methods("POST")
|
||||||
router.HandleFunc("/api/users/{uuid}", s.deleteUserHandler).Methods("DELETE")
|
|
||||||
|
|
||||||
// Group Management endpoints
|
router.Handle("/api/users/{uuid}", s.authService.Middleware(
|
||||||
router.HandleFunc("/api/groups", s.createGroupHandler).Methods("POST")
|
[]string{"admin:users:read"}, nil, "",
|
||||||
router.HandleFunc("/api/groups/{uuid}", s.getGroupHandler).Methods("GET")
|
)(s.getUserHandler)).Methods("GET")
|
||||||
router.HandleFunc("/api/groups/{uuid}", s.updateGroupHandler).Methods("PUT")
|
|
||||||
router.HandleFunc("/api/groups/{uuid}", s.deleteGroupHandler).Methods("DELETE")
|
|
||||||
|
|
||||||
// Token Management endpoints
|
router.Handle("/api/users/{uuid}", s.authService.Middleware(
|
||||||
router.HandleFunc("/api/tokens", s.createTokenHandler).Methods("POST")
|
[]string{"admin:users:update"}, nil, "",
|
||||||
|
)(s.updateUserHandler)).Methods("PUT")
|
||||||
|
|
||||||
|
router.Handle("/api/users/{uuid}", s.authService.Middleware(
|
||||||
|
[]string{"admin:users:delete"}, nil, "",
|
||||||
|
)(s.deleteUserHandler)).Methods("DELETE")
|
||||||
|
|
||||||
|
// Group Management endpoints (with authentication middleware)
|
||||||
|
router.Handle("/api/groups", s.authService.Middleware(
|
||||||
|
[]string{"admin:groups:create"}, nil, "",
|
||||||
|
)(s.createGroupHandler)).Methods("POST")
|
||||||
|
|
||||||
|
router.Handle("/api/groups/{uuid}", s.authService.Middleware(
|
||||||
|
[]string{"admin:groups:read"}, nil, "",
|
||||||
|
)(s.getGroupHandler)).Methods("GET")
|
||||||
|
|
||||||
|
router.Handle("/api/groups/{uuid}", s.authService.Middleware(
|
||||||
|
[]string{"admin:groups:update"}, nil, "",
|
||||||
|
)(s.updateGroupHandler)).Methods("PUT")
|
||||||
|
|
||||||
|
router.Handle("/api/groups/{uuid}", s.authService.Middleware(
|
||||||
|
[]string{"admin:groups:delete"}, nil, "",
|
||||||
|
)(s.deleteGroupHandler)).Methods("DELETE")
|
||||||
|
|
||||||
|
// Token Management endpoints (with authentication middleware)
|
||||||
|
router.Handle("/api/tokens", s.authService.Middleware(
|
||||||
|
[]string{"admin:tokens:create"}, nil, "",
|
||||||
|
)(s.createTokenHandler)).Methods("POST")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Revision History endpoints (available when revision history is enabled)
|
// Revision History endpoints (available when revision history is enabled)
|
||||||
|
|||||||
@@ -118,7 +118,7 @@ func NewServer(config *types.Config) (*Server, error) {
|
|||||||
server.revisionService = storage.NewRevisionService(storageService)
|
server.revisionService = storage.NewRevisionService(storageService)
|
||||||
|
|
||||||
// Initialize authentication service
|
// Initialize authentication service
|
||||||
server.authService = auth.NewAuthService(db, logger)
|
server.authService = auth.NewAuthService(db, logger, config)
|
||||||
|
|
||||||
// Setup initial root account if needed (Issue #3)
|
// Setup initial root account if needed (Issue #3)
|
||||||
if config.AuthEnabled {
|
if config.AuthEnabled {
|
||||||
|
|||||||
Reference in New Issue
Block a user