Skip to content

Commit

Permalink
fix: configure auth checker
Browse files Browse the repository at this point in the history
  • Loading branch information
katallaxie authored May 4, 2024
1 parent 00abd1f commit c97b092
Showing 1 changed file with 55 additions and 1 deletion.
56 changes: 55 additions & 1 deletion openapi.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,44 @@ import (
middleware "github.com/oapi-codegen/fiber-middleware"
)

// OpenAPIAuthenticatorOpts are the OpenAPI authenticator options.
type OpenAPIAuthenticatorOpts struct {
PathParam string
Checker AuthzChecker
}

// Conigure the OpenAPI authenticator.
func (o *OpenAPIAuthenticatorOpts) Conigure(opts ...OpenAPIAuthenticatorOpt) {
for _, opt := range opts {
opt(o)
}
}

// OpenAPIAuthenticatorOpt is a function that sets an option on the OpenAPI authenticator.
type OpenAPIAuthenticatorOpt func(*OpenAPIAuthenticatorOpts)

// OpenAPIAuthenticatorDefaultOpts are the default OpenAPI authenticator options.
func OpenAPIAuthenticatorDefaultOpts() OpenAPIAuthenticatorOpts {
return OpenAPIAuthenticatorOpts{
PathParam: "teamId",
Checker: NewNoop(),
}
}

// WithPathParam sets the path parameter.
func WithPathParam(param string) OpenAPIAuthenticatorOpt {
return func(opts *OpenAPIAuthenticatorOpts) {
opts.PathParam = param
}
}

// WithChecker sets the authz checker.
func WithChecker(checker AuthzChecker) OpenAPIAuthenticatorOpt {
return func(opts *OpenAPIAuthenticatorOpts) {
opts.Checker = checker
}
}

// NewOpenAPIErrorHandler creates a new OpenAPI error handler.
func NewOpenAPIErrorHandler() middleware.ErrorHandler {
return func(c *fiber.Ctx, message string, statusCode int) {
Expand All @@ -21,9 +59,13 @@ func NewOpenAPIErrorHandler() middleware.ErrorHandler {
}

// NewOpenAPIAuthenticator creates a new OpenAPI authenticator.
func NewOpenAPIAuthenticator() openapi3filter.AuthenticationFunc {
func NewOpenAPIAuthenticator(opts ...OpenAPIAuthenticatorOpt) openapi3filter.AuthenticationFunc {
return func(ctx context.Context, input *openapi3filter.AuthenticationInput) error {
opt := OpenAPIAuthenticatorDefaultOpts()
opt.Conigure(opts...)

c := middleware.GetFiberContext(ctx)
obj := AuthzObject(c.Params(opt.PathParam, ""))

key, err := GetAPIKeyFromRequest(input.RequestValidationInput.Request)
if err != nil {
Expand All @@ -35,6 +77,18 @@ func NewOpenAPIAuthenticator() openapi3filter.AuthenticationFunc {
return fiber.NewError(fiber.StatusUnauthorized, "Invalid API key")
}

allowed := len(input.Scopes) == 0
if len(input.Scopes) > 0 {
allowed, err = opt.Checker.Allowed(ctx, AuthzPrincipal(key), obj, AuthzAction(input.Scopes[0]))
if err != nil {
return fiber.NewError(fiber.StatusInternalServerError, "Internal Server Error")
}
}

if !allowed {
return fiber.NewError(fiber.StatusForbidden, "Forbidden")
}

// Create a new context with the API key.
usrCtx := c.UserContext()
authCtx := context.WithValue(usrCtx, authzAPIKey, key)
Expand Down

0 comments on commit c97b092

Please sign in to comment.