add frontend auth middleware, embed user data in frontend html

2023-09-04 17:32:45 +02:00 · 2023-09-04 17:32:45 +02:00 · 0fa769a248
commit 0fa769a248
parent d8cb8c8fa8
12 changed files with 265 additions and 42 deletions
--- a/internal/database/sql/token.go
+++ b/internal/database/sql/token.go
@ -34,7 +34,7 @@ func (s *TokenStore) GetApplication(ctx context.Context, id ulid.ULID) (database
 	return app, errors.Wrap(err, "executing query")
 }

-func (s *TokenStore) Create(ctx context.Context, userID, appID ulid.ULID, scopes []string, expires time.Time) (database.Token, error) {
+func (s *TokenStore) Create(ctx context.Context, userID, appID ulid.ULID, scopes database.TokenScopes, expires time.Time) (database.Token, error) {
 	q := sqlf.Sprintf(`INSERT INTO tokens
 	(id, user_id, app_id, scopes, expires)
 	values (%s, %s, %s, %v, %v)
--- a/internal/database/token.go
+++ b/internal/database/token.go
@ -19,7 +19,7 @@ type Token struct {
 	ID      ulid.ULID
 	AppID   ulid.ULID
 	UserID  ulid.ULID
-	Scopes  []string
+	Scopes  TokenScopes
 	Expires time.Time
 }

@ -43,3 +43,34 @@ type TokenClaims struct {
 	UserID  ulid.ULID `json:"sub"`
 	jwt.RegisteredClaims
 }
+
+type TokenScope string
+
+const (
+	// All scopes below
+	TokenScopeAll          TokenScope = "all"
+	TokenScopeAccountsRead TokenScope = "accounts.read"
+	// Controls whether tokens have access to sensitive account data, NOT if they can use `/accounts/@me` endpoints.
+	TokenScopeAccountsMe    TokenScope = "accounts.me"
+	TokenScopeAccountsWrite TokenScope = "accounts.write"
+)
+
+func (s TokenScope) IsValid() bool {
+	switch s {
+	case TokenScopeAccountsRead, TokenScopeAccountsMe, TokenScopeAccountsWrite:
+		return true
+	default:
+		return false
+	}
+}
+
+type TokenScopes []TokenScope
+
+func (s TokenScopes) Has(scope TokenScope) bool {
+	for i := range s {
+		if s[i] == scope || s[i] == TokenScopeAll {
+			return true
+		}
+	}
+	return false
+}