fix: secure admin endpoints with authentication middleware (issue #4)
- Add config parameter to AuthService constructor - Implement proper config-based auth checks in middleware - Wrap all admin endpoints (users, groups, tokens) with authentication - Apply granular scopes: admin:users:*, admin:groups:*, admin:tokens:* - Maintain backward compatibility when config is nil 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
@@ -32,20 +32,44 @@ func (s *Server) setupRoutes() *mux.Router {
|
||||
|
||||
// Authentication and user management endpoints (available when auth is enabled)
|
||||
if s.config.AuthEnabled {
|
||||
// User Management endpoints
|
||||
router.HandleFunc("/api/users", s.createUserHandler).Methods("POST")
|
||||
router.HandleFunc("/api/users/{uuid}", s.getUserHandler).Methods("GET")
|
||||
router.HandleFunc("/api/users/{uuid}", s.updateUserHandler).Methods("PUT")
|
||||
router.HandleFunc("/api/users/{uuid}", s.deleteUserHandler).Methods("DELETE")
|
||||
// User Management endpoints (with authentication middleware)
|
||||
router.Handle("/api/users", s.authService.Middleware(
|
||||
[]string{"admin:users:create"}, nil, "",
|
||||
)(s.createUserHandler)).Methods("POST")
|
||||
|
||||
router.Handle("/api/users/{uuid}", s.authService.Middleware(
|
||||
[]string{"admin:users:read"}, nil, "",
|
||||
)(s.getUserHandler)).Methods("GET")
|
||||
|
||||
router.Handle("/api/users/{uuid}", s.authService.Middleware(
|
||||
[]string{"admin:users:update"}, nil, "",
|
||||
)(s.updateUserHandler)).Methods("PUT")
|
||||
|
||||
router.Handle("/api/users/{uuid}", s.authService.Middleware(
|
||||
[]string{"admin:users:delete"}, nil, "",
|
||||
)(s.deleteUserHandler)).Methods("DELETE")
|
||||
|
||||
// Group Management endpoints
|
||||
router.HandleFunc("/api/groups", s.createGroupHandler).Methods("POST")
|
||||
router.HandleFunc("/api/groups/{uuid}", s.getGroupHandler).Methods("GET")
|
||||
router.HandleFunc("/api/groups/{uuid}", s.updateGroupHandler).Methods("PUT")
|
||||
router.HandleFunc("/api/groups/{uuid}", s.deleteGroupHandler).Methods("DELETE")
|
||||
// Group Management endpoints (with authentication middleware)
|
||||
router.Handle("/api/groups", s.authService.Middleware(
|
||||
[]string{"admin:groups:create"}, nil, "",
|
||||
)(s.createGroupHandler)).Methods("POST")
|
||||
|
||||
router.Handle("/api/groups/{uuid}", s.authService.Middleware(
|
||||
[]string{"admin:groups:read"}, nil, "",
|
||||
)(s.getGroupHandler)).Methods("GET")
|
||||
|
||||
router.Handle("/api/groups/{uuid}", s.authService.Middleware(
|
||||
[]string{"admin:groups:update"}, nil, "",
|
||||
)(s.updateGroupHandler)).Methods("PUT")
|
||||
|
||||
router.Handle("/api/groups/{uuid}", s.authService.Middleware(
|
||||
[]string{"admin:groups:delete"}, nil, "",
|
||||
)(s.deleteGroupHandler)).Methods("DELETE")
|
||||
|
||||
// Token Management endpoints
|
||||
router.HandleFunc("/api/tokens", s.createTokenHandler).Methods("POST")
|
||||
// Token Management endpoints (with authentication middleware)
|
||||
router.Handle("/api/tokens", s.authService.Middleware(
|
||||
[]string{"admin:tokens:create"}, nil, "",
|
||||
)(s.createTokenHandler)).Methods("POST")
|
||||
}
|
||||
|
||||
// Revision History endpoints (available when revision history is enabled)
|
||||
|
||||
@@ -118,7 +118,7 @@ func NewServer(config *types.Config) (*Server, error) {
|
||||
server.revisionService = storage.NewRevisionService(storageService)
|
||||
|
||||
// Initialize authentication service
|
||||
server.authService = auth.NewAuthService(db, logger)
|
||||
server.authService = auth.NewAuthService(db, logger, config)
|
||||
|
||||
// Setup initial root account if needed (Issue #3)
|
||||
if config.AuthEnabled {
|
||||
|
||||
Reference in New Issue
Block a user