diff --git a/.idea/workspace.xml b/.idea/workspace.xml
index 160800f..54c3c1d 100644
--- a/.idea/workspace.xml
+++ b/.idea/workspace.xml
@@ -4,12 +4,14 @@
-
-
-
+
+
+
+
+
+
-
@@ -47,7 +49,7 @@
-
@@ -167,20 +168,10 @@
-
+
+
true
-
-
-
-
- file://$PROJECT_DIR$/pkg/services/perms.go
- 49
-
-
-
-
-
\ No newline at end of file
diff --git a/pkg/grpc/auth.go b/pkg/grpc/auth.go
index 1f00a7d..ad8e536 100644
--- a/pkg/grpc/auth.go
+++ b/pkg/grpc/auth.go
@@ -3,26 +3,28 @@ package grpc
import (
"context"
"fmt"
- jsoniter "github.com/json-iterator/go"
-
"git.solsynth.dev/hydrogen/passport/pkg/grpc/proto"
"git.solsynth.dev/hydrogen/passport/pkg/services"
+ jsoniter "github.com/json-iterator/go"
+ "github.com/samber/lo"
"github.com/spf13/viper"
)
func (v *Server) Authenticate(_ context.Context, in *proto.AuthRequest) (*proto.AuthReply, error) {
- user, perms, atk, rtk, err := services.Authenticate(in.GetAccessToken(), in.GetRefreshToken(), 0)
+ ctx, perms, atk, rtk, err := services.Authenticate(in.GetAccessToken(), in.GetRefreshToken(), 0)
if err != nil {
return &proto.AuthReply{
IsValid: false,
}, nil
} else {
+ user := ctx.Account
rawPerms, _ := jsoniter.Marshal(perms)
return &proto.AuthReply{
IsValid: true,
AccessToken: &atk,
RefreshToken: &rtk,
Permissions: rawPerms,
+ TicketId: lo.ToPtr(uint64(ctx.Ticket.ID)),
Userinfo: &proto.Userinfo{
Id: uint64(user.ID),
Name: user.Name,
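Review bot: Naming the `models.AuthContext` result `ctx` at the top of this hunk reads as a `context.Context`, which is exactly what this handler's (discarded) first parameter is; a reader of `ctx.Ticket.ID` has to check the type to know which one it is. Renaming the local keeps the Go convention intact: `authCtx, perms, atk, rtk, err := services.Authenticate(in.GetAccessToken(), in.GetRefreshToken(), 0)`, `user := authCtx.Account`, `TicketId: lo.ToPtr(uint64(authCtx.Ticket.ID))`. The `Authenticate` body continues past the end of the hunk.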
@@ -35,3 +37,23 @@ func (v *Server) Authenticate(_ context.Context, in *proto.AuthRequest) (*proto.
}, nil
}
}
+
+func (v *Server) CheckPerm(_ context.Context, in *proto.CheckPermRequest) (*proto.CheckPermReply, error) {
+ claims, err := services.DecodeJwt(in.GetToken())
+ if err != nil {
+ return nil, err
+ }
+ ctx, err := services.GetAuthContext(claims.ID)
+ if err != nil {
+ return nil, err
+ }
+
+ var value any
+ _ = jsoniter.Unmarshal(in.GetValue(), &value)
+ perms := services.FilterPermNodes(ctx.Account.PermNodes, ctx.Ticket.Claims)
+ valid := services.HasPermNode(perms, in.GetKey(), value)
+
+ return &proto.CheckPermReply{
+ IsValid: valid,
+ }, nil
+}
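Review bot: The error from `jsoniter.Unmarshal(in.GetValue(), &value)` is discarded, so a malformed `value` silently becomes `nil` before it reaches `HasPermNode`, and the reply then depends on how `HasPermNode` compares a nil value rather than on what the caller asked about; reject bad input instead: `if err := jsoniter.Unmarshal(in.GetValue(), &value); err != nil {` / `return nil, fmt.Errorf("decode perm value: %w", err)` / `}` (an omitted `value` would need the same treatment if callers are allowed to leave it empty). The two earlier failures return the raw `DecodeJwt`/`GetAuthContext` errors, which gRPC surfaces as `codes.Unknown` carrying the internal message, while `Authenticate` above answers the same failures with `IsValid: false`; pick one contract for both RPCs. Note also that `CheckPerm` calls `DecodeJwt` and `GetAuthContext` directly rather than going through `services.Authenticate`; if that function does any checking beyond those two calls (its body is only partly visible in this diff), this RPC bypasses it.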
diff --git a/pkg/grpc/proto/auth.pb.go b/pkg/grpc/proto/auth.pb.go
index cc9144a..a102b24 100644
--- a/pkg/grpc/proto/auth.pb.go
+++ b/pkg/grpc/proto/auth.pb.go
@@ -180,6 +180,7 @@ type AuthReply struct {
RefreshToken *string `protobuf:"bytes,3,opt,name=refresh_token,json=refreshToken,proto3,oneof" json:"refresh_token,omitempty"`
Userinfo *Userinfo `protobuf:"bytes,4,opt,name=userinfo,proto3,oneof" json:"userinfo,omitempty"`
Permissions []byte `protobuf:"bytes,5,opt,name=permissions,proto3,oneof" json:"permissions,omitempty"`
+ TicketId *uint64 `protobuf:"varint,6,opt,name=ticket_id,json=ticketId,proto3,oneof" json:"ticket_id,omitempty"`
}
func (x *AuthReply) Reset() {
@@ -249,6 +250,123 @@ func (x *AuthReply) GetPermissions() []byte {
return nil
}
+func (x *AuthReply) GetTicketId() uint64 {
+ if x != nil && x.TicketId != nil {
+ return *x.TicketId
+ }
+ return 0
+}
+
+type CheckPermRequest struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
+ Key string `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
+ Value []byte `protobuf:"bytes,3,opt,name=value,proto3" json:"value,omitempty"`
+}
+
+func (x *CheckPermRequest) Reset() {
+ *x = CheckPermRequest{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_auth_proto_msgTypes[3]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *CheckPermRequest) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CheckPermRequest) ProtoMessage() {}
+
+func (x *CheckPermRequest) ProtoReflect() protoreflect.Message {
+ mi := &file_auth_proto_msgTypes[3]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use CheckPermRequest.ProtoReflect.Descriptor instead.
+func (*CheckPermRequest) Descriptor() ([]byte, []int) {
+ return file_auth_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *CheckPermRequest) GetToken() string {
+ if x != nil {
+ return x.Token
+ }
+ return ""
+}
+
+func (x *CheckPermRequest) GetKey() string {
+ if x != nil {
+ return x.Key
+ }
+ return ""
+}
+
+func (x *CheckPermRequest) GetValue() []byte {
+ if x != nil {
+ return x.Value
+ }
+ return nil
+}
+
+type CheckPermReply struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ IsValid bool `protobuf:"varint,1,opt,name=is_valid,json=isValid,proto3" json:"is_valid,omitempty"`
+}
+
+func (x *CheckPermReply) Reset() {
+ *x = CheckPermReply{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_auth_proto_msgTypes[4]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *CheckPermReply) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CheckPermReply) ProtoMessage() {}
+
+func (x *CheckPermReply) ProtoReflect() protoreflect.Message {
+ mi := &file_auth_proto_msgTypes[4]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use CheckPermReply.ProtoReflect.Descriptor instead.
+func (*CheckPermReply) Descriptor() ([]byte, []int) {
+ return file_auth_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *CheckPermReply) GetIsValid() bool {
+ if x != nil {
+ return x.IsValid
+ }
+ return false
+}
+
var File_auth_proto protoreflect.FileDescriptor
var file_auth_proto_rawDesc = []byte{
@@ -272,7 +390,7 @@ var file_auth_proto_rawDesc = []byte{
0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00,
0x52, 0x0c, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x88, 0x01,
0x01, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f,
- 0x6b, 0x65, 0x6e, 0x22, 0x91, 0x02, 0x0a, 0x09, 0x41, 0x75, 0x74, 0x68, 0x52, 0x65, 0x70, 0x6c,
+ 0x6b, 0x65, 0x6e, 0x22, 0xc1, 0x02, 0x0a, 0x09, 0x41, 0x75, 0x74, 0x68, 0x52, 0x65, 0x70, 0x6c,
0x79, 0x12, 0x19, 0x0a, 0x08, 0x69, 0x73, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x18, 0x01, 0x20,
0x01, 0x28, 0x08, 0x52, 0x07, 0x69, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x12, 0x26, 0x0a, 0x0c,
0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01,
@@ -285,16 +403,31 @@ var file_auth_proto_rawDesc = []byte{
0x6f, 0x48, 0x02, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x69, 0x6e, 0x66, 0x6f, 0x88, 0x01, 0x01,
0x12, 0x25, 0x0a, 0x0b, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18,
0x05, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x03, 0x52, 0x0b, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
- 0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x61, 0x63, 0x63, 0x65,
- 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x72, 0x65, 0x66,
- 0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x0b, 0x0a, 0x09, 0x5f, 0x75,
- 0x73, 0x65, 0x72, 0x69, 0x6e, 0x66, 0x6f, 0x42, 0x0e, 0x0a, 0x0c, 0x5f, 0x70, 0x65, 0x72, 0x6d,
- 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x3e, 0x0a, 0x04, 0x41, 0x75, 0x74, 0x68, 0x12,
- 0x36, 0x0a, 0x0c, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12,
- 0x12, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x52, 0x65, 0x71, 0x75,
- 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68,
- 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x09, 0x5a, 0x07, 0x2e, 0x3b, 0x70, 0x72, 0x6f,
- 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x12, 0x20, 0x0a, 0x09, 0x74, 0x69, 0x63, 0x6b, 0x65,
+ 0x74, 0x5f, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x04, 0x48, 0x04, 0x52, 0x08, 0x74, 0x69,
+ 0x63, 0x6b, 0x65, 0x74, 0x49, 0x64, 0x88, 0x01, 0x01, 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x61, 0x63,
+ 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x72,
+ 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x0b, 0x0a, 0x09,
+ 0x5f, 0x75, 0x73, 0x65, 0x72, 0x69, 0x6e, 0x66, 0x6f, 0x42, 0x0e, 0x0a, 0x0c, 0x5f, 0x70, 0x65,
+ 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x0c, 0x0a, 0x0a, 0x5f, 0x74, 0x69,
+ 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x22, 0x50, 0x0a, 0x10, 0x43, 0x68, 0x65, 0x63, 0x6b,
+ 0x50, 0x65, 0x72, 0x6d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x74,
+ 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65,
+ 0x6e, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
+ 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01,
+ 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2b, 0x0a, 0x0e, 0x43, 0x68, 0x65,
+ 0x63, 0x6b, 0x50, 0x65, 0x72, 0x6d, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x19, 0x0a, 0x08, 0x69,
+ 0x73, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x69,
+ 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x32, 0x7d, 0x0a, 0x04, 0x41, 0x75, 0x74, 0x68, 0x12, 0x36,
+ 0x0a, 0x0c, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x12,
+ 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x52, 0x65, 0x71, 0x75, 0x65,
+ 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x52,
+ 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x09, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x50,
+ 0x65, 0x72, 0x6d, 0x12, 0x17, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x43, 0x68, 0x65, 0x63,
+ 0x6b, 0x50, 0x65, 0x72, 0x6d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15, 0x2e, 0x70,
+ 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x50, 0x65, 0x72, 0x6d, 0x52, 0x65,
+ 0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x09, 0x5a, 0x07, 0x2e, 0x3b, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+ 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
@@ -309,18 +442,22 @@ func file_auth_proto_rawDescGZIP() []byte {
return file_auth_proto_rawDescData
}
-var file_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
+var file_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
var file_auth_proto_goTypes = []interface{}{
- (*Userinfo)(nil), // 0: proto.Userinfo
- (*AuthRequest)(nil), // 1: proto.AuthRequest
- (*AuthReply)(nil), // 2: proto.AuthReply
+ (*Userinfo)(nil), // 0: proto.Userinfo
+ (*AuthRequest)(nil), // 1: proto.AuthRequest
+ (*AuthReply)(nil), // 2: proto.AuthReply
+ (*CheckPermRequest)(nil), // 3: proto.CheckPermRequest
+ (*CheckPermReply)(nil), // 4: proto.CheckPermReply
}
var file_auth_proto_depIdxs = []int32{
0, // 0: proto.AuthReply.userinfo:type_name -> proto.Userinfo
1, // 1: proto.Auth.Authenticate:input_type -> proto.AuthRequest
- 2, // 2: proto.Auth.Authenticate:output_type -> proto.AuthReply
- 2, // [2:3] is the sub-list for method output_type
- 1, // [1:2] is the sub-list for method input_type
+ 3, // 2: proto.Auth.CheckPerm:input_type -> proto.CheckPermRequest
+ 2, // 3: proto.Auth.Authenticate:output_type -> proto.AuthReply
+ 4, // 4: proto.Auth.CheckPerm:output_type -> proto.CheckPermReply
+ 3, // [3:5] is the sub-list for method output_type
+ 1, // [1:3] is the sub-list for method input_type
1, // [1:1] is the sub-list for extension type_name
1, // [1:1] is the sub-list for extension extendee
0, // [0:1] is the sub-list for field type_name
@@ -368,6 +505,30 @@ func file_auth_proto_init() {
return nil
}
}
+ file_auth_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*CheckPermRequest); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_auth_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*CheckPermReply); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
}
file_auth_proto_msgTypes[0].OneofWrappers = []interface{}{}
file_auth_proto_msgTypes[1].OneofWrappers = []interface{}{}
@@ -378,7 +539,7 @@ func file_auth_proto_init() {
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_auth_proto_rawDesc,
NumEnums: 0,
- NumMessages: 3,
+ NumMessages: 5,
NumExtensions: 0,
NumServices: 1,
},
diff --git a/pkg/grpc/proto/auth.proto b/pkg/grpc/proto/auth.proto
index b0b8365..94c8169 100644
--- a/pkg/grpc/proto/auth.proto
+++ b/pkg/grpc/proto/auth.proto
@@ -6,6 +6,7 @@ package proto;
service Auth {
rpc Authenticate(AuthRequest) returns (AuthReply) {}
+ rpc CheckPerm(CheckPermRequest) returns (CheckPermReply) {}
}
message Userinfo {
@@ -29,4 +30,15 @@ message AuthReply {
optional string refresh_token = 3;
optional Userinfo userinfo = 4;
optional bytes permissions = 5;
+ optional uint64 ticket_id = 6;
+}
+
+message CheckPermRequest {
+ string token = 1;
+ string key = 2;
+ bytes value = 3;
+}
+
+message CheckPermReply {
+ bool is_valid = 1;
}
\ No newline at end of file
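Review bot: The new `CheckPermRequest`, `CheckPermReply` and `ticket_id` field carry no comments, and the fact that `value` is JSON-encoded bytes decoded server-side is only discoverable from the Go handler. Suggested comments in proto `//` style: above `token` `// Access token (JWT) whose ticket's permissions are checked.`, above `key` `// Permission node key to look up.`, above `value` `// JSON-encoded value the node must match; decoded server-side.`, and above `ticket_id` `// ID of the ticket the validated token belongs to.`. That `token` is the access JWT is inferred from the handler calling `DecodeJwt` on it, so confirm the wording before committing it.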
diff --git a/pkg/grpc/proto/auth_grpc.pb.go b/pkg/grpc/proto/auth_grpc.pb.go
index b794591..cce3c8d 100644
--- a/pkg/grpc/proto/auth_grpc.pb.go
+++ b/pkg/grpc/proto/auth_grpc.pb.go
@@ -20,6 +20,7 @@ const _ = grpc.SupportPackageIsVersion7
const (
Auth_Authenticate_FullMethodName = "/proto.Auth/Authenticate"
+ Auth_CheckPerm_FullMethodName = "/proto.Auth/CheckPerm"
)
// AuthClient is the client API for Auth service.
@@ -27,6 +28,7 @@ const (
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type AuthClient interface {
Authenticate(ctx context.Context, in *AuthRequest, opts ...grpc.CallOption) (*AuthReply, error)
+ CheckPerm(ctx context.Context, in *CheckPermRequest, opts ...grpc.CallOption) (*CheckPermReply, error)
}
type authClient struct {
@@ -46,11 +48,21 @@ func (c *authClient) Authenticate(ctx context.Context, in *AuthRequest, opts ...
return out, nil
}
+func (c *authClient) CheckPerm(ctx context.Context, in *CheckPermRequest, opts ...grpc.CallOption) (*CheckPermReply, error) {
+ out := new(CheckPermReply)
+ err := c.cc.Invoke(ctx, Auth_CheckPerm_FullMethodName, in, out, opts...)
+ if err != nil {
+ return nil, err
+ }
+ return out, nil
+}
+
// AuthServer is the server API for Auth service.
// All implementations must embed UnimplementedAuthServer
// for forward compatibility
type AuthServer interface {
Authenticate(context.Context, *AuthRequest) (*AuthReply, error)
+ CheckPerm(context.Context, *CheckPermRequest) (*CheckPermReply, error)
mustEmbedUnimplementedAuthServer()
}
@@ -61,6 +73,9 @@ type UnimplementedAuthServer struct {
func (UnimplementedAuthServer) Authenticate(context.Context, *AuthRequest) (*AuthReply, error) {
return nil, status.Errorf(codes.Unimplemented, "method Authenticate not implemented")
}
+func (UnimplementedAuthServer) CheckPerm(context.Context, *CheckPermRequest) (*CheckPermReply, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method CheckPerm not implemented")
+}
func (UnimplementedAuthServer) mustEmbedUnimplementedAuthServer() {}
// UnsafeAuthServer may be embedded to opt out of forward compatibility for this service.
@@ -92,6 +107,24 @@ func _Auth_Authenticate_Handler(srv interface{}, ctx context.Context, dec func(i
return interceptor(ctx, in, info, handler)
}
+func _Auth_CheckPerm_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(CheckPermRequest)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(AuthServer).CheckPerm(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: Auth_CheckPerm_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(AuthServer).CheckPerm(ctx, req.(*CheckPermRequest))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
// Auth_ServiceDesc is the grpc.ServiceDesc for Auth service.
// It's only intended for direct use with grpc.RegisterService,
// and not to be introspected or modified (even as a copy)
@@ -103,6 +136,10 @@ var Auth_ServiceDesc = grpc.ServiceDesc{
MethodName: "Authenticate",
Handler: _Auth_Authenticate_Handler,
},
+ {
+ MethodName: "CheckPerm",
+ Handler: _Auth_CheckPerm_Handler,
+ },
},
Streams: []grpc.StreamDesc{},
Metadata: "auth.proto",
diff --git a/pkg/server/auth_middleware.go b/pkg/server/auth_middleware.go
index 0576110..05cf3fb 100644
--- a/pkg/server/auth_middleware.go
+++ b/pkg/server/auth_middleware.go
@@ -42,12 +42,12 @@ func authFunc(c *fiber.Ctx, overrides ...string) error {
}
rtk := c.Cookies(services.CookieRefreshKey)
- if user, perms, atk, rtk, err := services.Authenticate(token, rtk, 0); err == nil {
+ if ctx, perms, atk, rtk, err := services.Authenticate(token, rtk, 0); err == nil {
if atk != token {
services.SetJwtCookieSet(c, atk, rtk)
}
c.Locals("permissions", perms)
- c.Locals("principal", user)
+ c.Locals("principal", ctx.Account)
return nil
} else {
return err
diff --git a/pkg/services/auth.go b/pkg/services/auth.go
index f260d09..0e1141b 100644
--- a/pkg/services/auth.go
+++ b/pkg/services/auth.go
@@ -11,7 +11,7 @@ import (
var authContextCache = make(map[string]models.AuthContext)
-func Authenticate(access, refresh string, depth int) (user models.Account, perms map[string]any, newAccess, newRefresh string, err error) {
+func Authenticate(access, refresh string, depth int) (ctx models.AuthContext, perms map[string]any, newAccess, newRefresh string, err error) {
var claims PayloadClaims
claims, err = DecodeJwt(access)
if err != nil {
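Review bot: The exported `Authenticate` still has no doc comment, and its new first result is named `ctx`, which Go reserves by convention for `context.Context`; rename it to `authCtx` in the signature and body, and add a comment such as `// Authenticate decodes the access token and returns the matching AuthContext (account and ticket), the permission nodes filtered by the ticket's claims, and the access/refresh tokens the caller should continue using.` The `depth` parameter looks like a recursion guard but its meaning is not visible here, so document it only after confirming. Separately, `authContextCache` at the top of this hunk is a plain package-level map; if `GetAuthContext` reads or writes it without a lock (not shown), the new `CheckPerm` RPC adds another concurrent accessor and `go test -race` would flag it. The function body continues past the end of the hunk.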
@@ -29,10 +29,8 @@ func Authenticate(access, refresh string, depth int) (user models.Account, perms
newAccess = access
newRefresh = refresh
- var ctx models.AuthContext
if ctx, err = GetAuthContext(claims.ID); err == nil {
perms = FilterPermNodes(ctx.Account.PermNodes, ctx.Ticket.Claims)
- user = ctx.Account
return
}