✨ Check permissions GRPC method
This commit is contained in:
parent
73b57164ab
commit
1e2d5e9f9d
@ -4,12 +4,14 @@
|
|||||||
<option name="autoReloadType" value="ALL" />
|
<option name="autoReloadType" value="ALL" />
|
||||||
</component>
|
</component>
|
||||||
<component name="ChangeListManager">
|
<component name="ChangeListManager">
|
||||||
<list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":zap: In memory auth context cache">
|
<list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":sparkles: Bug fixes of permission check">
|
||||||
<change beforePath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml" afterDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25/storage_v2/_src_/database/hy_passport.gNOKQQ/schema/public.abK9xQ.meta" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25/storage_v2/_src_/database/hy_passport.gNOKQQ/schema/public.abK9xQ.meta" afterDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
|
||||||
|
<change beforePath="$PROJECT_DIR$/pkg/grpc/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/auth.go" afterDir="false" />
|
||||||
|
<change beforePath="$PROJECT_DIR$/pkg/grpc/proto/auth.pb.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/proto/auth.pb.go" afterDir="false" />
|
||||||
|
<change beforePath="$PROJECT_DIR$/pkg/grpc/proto/auth.proto" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/proto/auth.proto" afterDir="false" />
|
||||||
|
<change beforePath="$PROJECT_DIR$/pkg/grpc/proto/auth_grpc.pb.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/proto/auth_grpc.pb.go" afterDir="false" />
|
||||||
|
<change beforePath="$PROJECT_DIR$/pkg/server/auth_middleware.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/server/auth_middleware.go" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/pkg/services/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/services/auth.go" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/pkg/services/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/services/auth.go" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/pkg/services/perms.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/services/perms.go" afterDir="false" />
|
|
||||||
</list>
|
</list>
|
||||||
<option name="SHOW_DIALOG" value="false" />
|
<option name="SHOW_DIALOG" value="false" />
|
||||||
<option name="HIGHLIGHT_CONFLICTS" value="true" />
|
<option name="HIGHLIGHT_CONFLICTS" value="true" />
|
||||||
@ -47,7 +49,7 @@
|
|||||||
<component name="PropertiesComponent"><![CDATA[{
|
<component name="PropertiesComponent"><![CDATA[{
|
||||||
"keyToString": {
|
"keyToString": {
|
||||||
"DefaultGoTemplateProperty": "Go File",
|
"DefaultGoTemplateProperty": "Go File",
|
||||||
"Go 构建.Backend.executor": "Debug",
|
"Go 构建.Backend.executor": "Run",
|
||||||
"RunOnceActivity.ShowReadmeOnStart": "true",
|
"RunOnceActivity.ShowReadmeOnStart": "true",
|
||||||
"RunOnceActivity.go.formatter.settings.were.checked": "true",
|
"RunOnceActivity.go.formatter.settings.were.checked": "true",
|
||||||
"RunOnceActivity.go.migrated.go.modules.settings": "true",
|
"RunOnceActivity.go.migrated.go.modules.settings": "true",
|
||||||
@ -142,7 +144,6 @@
|
|||||||
</option>
|
</option>
|
||||||
</component>
|
</component>
|
||||||
<component name="VcsManagerConfiguration">
|
<component name="VcsManagerConfiguration">
|
||||||
<MESSAGE value=":sparkles: OAuth" />
|
|
||||||
<MESSAGE value=":truck: Update well known" />
|
<MESSAGE value=":truck: Update well known" />
|
||||||
<MESSAGE value=":sparkles: Others userinfo" />
|
<MESSAGE value=":sparkles: Others userinfo" />
|
||||||
<MESSAGE value=":lipstick: Fix ui design" />
|
<MESSAGE value=":lipstick: Fix ui design" />
|
||||||
@ -167,20 +168,10 @@
|
|||||||
<MESSAGE value=":sparkles: Basis perm nodes feature" />
|
<MESSAGE value=":sparkles: Basis perm nodes feature" />
|
||||||
<MESSAGE value=":sparkles: Permission check" />
|
<MESSAGE value=":sparkles: Permission check" />
|
||||||
<MESSAGE value=":zap: In memory auth context cache" />
|
<MESSAGE value=":zap: In memory auth context cache" />
|
||||||
<option name="LAST_COMMIT_MESSAGE" value=":zap: In memory auth context cache" />
|
<MESSAGE value=":sparkles: Bug fixes of permission check" />
|
||||||
|
<option name="LAST_COMMIT_MESSAGE" value=":sparkles: Bug fixes of permission check" />
|
||||||
</component>
|
</component>
|
||||||
<component name="VgoProject">
|
<component name="VgoProject">
|
||||||
<settings-migrated>true</settings-migrated>
|
<settings-migrated>true</settings-migrated>
|
||||||
</component>
|
</component>
|
||||||
<component name="XDebuggerManager">
|
|
||||||
<breakpoint-manager>
|
|
||||||
<breakpoints>
|
|
||||||
<line-breakpoint enabled="true" type="DlvLineBreakpoint">
|
|
||||||
<url>file://$PROJECT_DIR$/pkg/services/perms.go</url>
|
|
||||||
<line>49</line>
|
|
||||||
<option name="timeStamp" value="5" />
|
|
||||||
</line-breakpoint>
|
|
||||||
</breakpoints>
|
|
||||||
</breakpoint-manager>
|
|
||||||
</component>
|
|
||||||
</project>
|
</project>
|
@ -3,26 +3,28 @@ package grpc
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
jsoniter "github.com/json-iterator/go"
|
|
||||||
|
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/grpc/proto"
|
"git.solsynth.dev/hydrogen/passport/pkg/grpc/proto"
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/services"
|
"git.solsynth.dev/hydrogen/passport/pkg/services"
|
||||||
|
jsoniter "github.com/json-iterator/go"
|
||||||
|
"github.com/samber/lo"
|
||||||
"github.com/spf13/viper"
|
"github.com/spf13/viper"
|
||||||
)
|
)
|
||||||
|
|
||||||
func (v *Server) Authenticate(_ context.Context, in *proto.AuthRequest) (*proto.AuthReply, error) {
|
func (v *Server) Authenticate(_ context.Context, in *proto.AuthRequest) (*proto.AuthReply, error) {
|
||||||
user, perms, atk, rtk, err := services.Authenticate(in.GetAccessToken(), in.GetRefreshToken(), 0)
|
ctx, perms, atk, rtk, err := services.Authenticate(in.GetAccessToken(), in.GetRefreshToken(), 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return &proto.AuthReply{
|
return &proto.AuthReply{
|
||||||
IsValid: false,
|
IsValid: false,
|
||||||
}, nil
|
}, nil
|
||||||
} else {
|
} else {
|
||||||
|
user := ctx.Account
|
||||||
rawPerms, _ := jsoniter.Marshal(perms)
|
rawPerms, _ := jsoniter.Marshal(perms)
|
||||||
return &proto.AuthReply{
|
return &proto.AuthReply{
|
||||||
IsValid: true,
|
IsValid: true,
|
||||||
AccessToken: &atk,
|
AccessToken: &atk,
|
||||||
RefreshToken: &rtk,
|
RefreshToken: &rtk,
|
||||||
Permissions: rawPerms,
|
Permissions: rawPerms,
|
||||||
|
TicketId: lo.ToPtr(uint64(ctx.Ticket.ID)),
|
||||||
Userinfo: &proto.Userinfo{
|
Userinfo: &proto.Userinfo{
|
||||||
Id: uint64(user.ID),
|
Id: uint64(user.ID),
|
||||||
Name: user.Name,
|
Name: user.Name,
|
||||||
@ -35,3 +37,23 @@ func (v *Server) Authenticate(_ context.Context, in *proto.AuthRequest) (*proto.
|
|||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (v *Server) CheckPerm(_ context.Context, in *proto.CheckPermRequest) (*proto.CheckPermReply, error) {
|
||||||
|
claims, err := services.DecodeJwt(in.GetToken())
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
ctx, err := services.GetAuthContext(claims.ID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var value any
|
||||||
|
_ = jsoniter.Unmarshal(in.GetValue(), &value)
|
||||||
|
perms := services.FilterPermNodes(ctx.Account.PermNodes, ctx.Ticket.Claims)
|
||||||
|
valid := services.HasPermNode(perms, in.GetKey(), value)
|
||||||
|
|
||||||
|
return &proto.CheckPermReply{
|
||||||
|
IsValid: valid,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
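Review bot: In CheckPerm, a token that fails `services.DecodeJwt` or a ticket that `services.GetAuthContext` cannot resolve is returned as a bare `nil, err`, so the client gets a gRPC Unknown status carrying the internal error text, whereas `Authenticate` in the hunk above answers the same failures with `IsValid: false`. The line `_ = jsoniter.Unmarshal(in.GetValue(), &value)` also discards the parse error, so a malformed `value` is checked as `nil`; what `services.HasPermNode` does with a nil value is not visible here, so the safer shape is to fail closed on a non-empty payload that does not parse. I would answer both failure classes with an invalid reply as below (or, if callers must tell "bad token" from "no permission", with a `codes.Unauthenticated` status), leaving the FilterPermNodes/HasPermNode lines as they are. Separately, a local named `ctx` holding a `models.AuthContext` (here, in `pkg/server/auth_middleware.go`, and as the named result in `pkg/services/auth.go`) reads as a `context.Context`; `auth` or `actx` would be clearer.
```go
func (v *Server) CheckPerm(_ context.Context, in *proto.CheckPermRequest) (*proto.CheckPermReply, error) {
	claims, err := services.DecodeJwt(in.GetToken())
	if err != nil {
		// An unusable token is an authentication failure, not a server error:
		// answer like Authenticate does instead of surfacing the decode error.
		return &proto.CheckPermReply{IsValid: false}, nil
	}
	actx, err := services.GetAuthContext(claims.ID)
	if err != nil {
		return &proto.CheckPermReply{IsValid: false}, nil
	}

	var value any
	if raw := in.GetValue(); len(raw) > 0 {
		if err := jsoniter.Unmarshal(raw, &value); err != nil {
			// Fail closed on a malformed value rather than matching against nil.
			return &proto.CheckPermReply{IsValid: false}, nil
		}
	}
	// … unchanged: FilterPermNodes / HasPermNode / reply (using actx) …
}
```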
@ -180,6 +180,7 @@ type AuthReply struct {
|
|||||||
RefreshToken *string `protobuf:"bytes,3,opt,name=refresh_token,json=refreshToken,proto3,oneof" json:"refresh_token,omitempty"`
|
RefreshToken *string `protobuf:"bytes,3,opt,name=refresh_token,json=refreshToken,proto3,oneof" json:"refresh_token,omitempty"`
|
||||||
Userinfo *Userinfo `protobuf:"bytes,4,opt,name=userinfo,proto3,oneof" json:"userinfo,omitempty"`
|
Userinfo *Userinfo `protobuf:"bytes,4,opt,name=userinfo,proto3,oneof" json:"userinfo,omitempty"`
|
||||||
Permissions []byte `protobuf:"bytes,5,opt,name=permissions,proto3,oneof" json:"permissions,omitempty"`
|
Permissions []byte `protobuf:"bytes,5,opt,name=permissions,proto3,oneof" json:"permissions,omitempty"`
|
||||||
|
TicketId *uint64 `protobuf:"varint,6,opt,name=ticket_id,json=ticketId,proto3,oneof" json:"ticket_id,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (x *AuthReply) Reset() {
|
func (x *AuthReply) Reset() {
|
||||||
@ -249,6 +250,123 @@ func (x *AuthReply) GetPermissions() []byte {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (x *AuthReply) GetTicketId() uint64 {
|
||||||
|
if x != nil && x.TicketId != nil {
|
||||||
|
return *x.TicketId
|
||||||
|
}
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
type CheckPermRequest struct {
|
||||||
|
state protoimpl.MessageState
|
||||||
|
sizeCache protoimpl.SizeCache
|
||||||
|
unknownFields protoimpl.UnknownFields
|
||||||
|
|
||||||
|
Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
|
||||||
|
Key string `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
|
||||||
|
Value []byte `protobuf:"bytes,3,opt,name=value,proto3" json:"value,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *CheckPermRequest) Reset() {
|
||||||
|
*x = CheckPermRequest{}
|
||||||
|
if protoimpl.UnsafeEnabled {
|
||||||
|
mi := &file_auth_proto_msgTypes[3]
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *CheckPermRequest) String() string {
|
||||||
|
return protoimpl.X.MessageStringOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (*CheckPermRequest) ProtoMessage() {}
|
||||||
|
|
||||||
|
func (x *CheckPermRequest) ProtoReflect() protoreflect.Message {
|
||||||
|
mi := &file_auth_proto_msgTypes[3]
|
||||||
|
if protoimpl.UnsafeEnabled && x != nil {
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
if ms.LoadMessageInfo() == nil {
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
return ms
|
||||||
|
}
|
||||||
|
return mi.MessageOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Deprecated: Use CheckPermRequest.ProtoReflect.Descriptor instead.
|
||||||
|
func (*CheckPermRequest) Descriptor() ([]byte, []int) {
|
||||||
|
return file_auth_proto_rawDescGZIP(), []int{3}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *CheckPermRequest) GetToken() string {
|
||||||
|
if x != nil {
|
||||||
|
return x.Token
|
||||||
|
}
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *CheckPermRequest) GetKey() string {
|
||||||
|
if x != nil {
|
||||||
|
return x.Key
|
||||||
|
}
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *CheckPermRequest) GetValue() []byte {
|
||||||
|
if x != nil {
|
||||||
|
return x.Value
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
type CheckPermReply struct {
|
||||||
|
state protoimpl.MessageState
|
||||||
|
sizeCache protoimpl.SizeCache
|
||||||
|
unknownFields protoimpl.UnknownFields
|
||||||
|
|
||||||
|
IsValid bool `protobuf:"varint,1,opt,name=is_valid,json=isValid,proto3" json:"is_valid,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *CheckPermReply) Reset() {
|
||||||
|
*x = CheckPermReply{}
|
||||||
|
if protoimpl.UnsafeEnabled {
|
||||||
|
mi := &file_auth_proto_msgTypes[4]
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *CheckPermReply) String() string {
|
||||||
|
return protoimpl.X.MessageStringOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (*CheckPermReply) ProtoMessage() {}
|
||||||
|
|
||||||
|
func (x *CheckPermReply) ProtoReflect() protoreflect.Message {
|
||||||
|
mi := &file_auth_proto_msgTypes[4]
|
||||||
|
if protoimpl.UnsafeEnabled && x != nil {
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
if ms.LoadMessageInfo() == nil {
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
return ms
|
||||||
|
}
|
||||||
|
return mi.MessageOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Deprecated: Use CheckPermReply.ProtoReflect.Descriptor instead.
|
||||||
|
func (*CheckPermReply) Descriptor() ([]byte, []int) {
|
||||||
|
return file_auth_proto_rawDescGZIP(), []int{4}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *CheckPermReply) GetIsValid() bool {
|
||||||
|
if x != nil {
|
||||||
|
return x.IsValid
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
var File_auth_proto protoreflect.FileDescriptor
|
var File_auth_proto protoreflect.FileDescriptor
|
||||||
|
|
||||||
var file_auth_proto_rawDesc = []byte{
|
var file_auth_proto_rawDesc = []byte{
|
||||||
@ -272,7 +390,7 @@ var file_auth_proto_rawDesc = []byte{
|
|||||||
0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00,
|
0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00,
|
||||||
0x52, 0x0c, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x88, 0x01,
|
0x52, 0x0c, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x88, 0x01,
|
||||||
0x01, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f,
|
0x01, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f,
|
||||||
0x6b, 0x65, 0x6e, 0x22, 0x91, 0x02, 0x0a, 0x09, 0x41, 0x75, 0x74, 0x68, 0x52, 0x65, 0x70, 0x6c,
|
0x6b, 0x65, 0x6e, 0x22, 0xc1, 0x02, 0x0a, 0x09, 0x41, 0x75, 0x74, 0x68, 0x52, 0x65, 0x70, 0x6c,
|
||||||
0x79, 0x12, 0x19, 0x0a, 0x08, 0x69, 0x73, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x18, 0x01, 0x20,
|
0x79, 0x12, 0x19, 0x0a, 0x08, 0x69, 0x73, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x18, 0x01, 0x20,
|
||||||
0x01, 0x28, 0x08, 0x52, 0x07, 0x69, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x12, 0x26, 0x0a, 0x0c,
|
0x01, 0x28, 0x08, 0x52, 0x07, 0x69, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x12, 0x26, 0x0a, 0x0c,
|
||||||
0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01,
|
0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01,
|
||||||
@ -285,16 +403,31 @@ var file_auth_proto_rawDesc = []byte{
|
|||||||
0x6f, 0x48, 0x02, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x69, 0x6e, 0x66, 0x6f, 0x88, 0x01, 0x01,
|
0x6f, 0x48, 0x02, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x69, 0x6e, 0x66, 0x6f, 0x88, 0x01, 0x01,
|
||||||
0x12, 0x25, 0x0a, 0x0b, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18,
|
0x12, 0x25, 0x0a, 0x0b, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18,
|
||||||
0x05, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x03, 0x52, 0x0b, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
|
0x05, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x03, 0x52, 0x0b, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
|
||||||
0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x61, 0x63, 0x63, 0x65,
|
0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x12, 0x20, 0x0a, 0x09, 0x74, 0x69, 0x63, 0x6b, 0x65,
|
||||||
0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x72, 0x65, 0x66,
|
0x74, 0x5f, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x04, 0x48, 0x04, 0x52, 0x08, 0x74, 0x69,
|
||||||
0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x0b, 0x0a, 0x09, 0x5f, 0x75,
|
0x63, 0x6b, 0x65, 0x74, 0x49, 0x64, 0x88, 0x01, 0x01, 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x61, 0x63,
|
||||||
0x73, 0x65, 0x72, 0x69, 0x6e, 0x66, 0x6f, 0x42, 0x0e, 0x0a, 0x0c, 0x5f, 0x70, 0x65, 0x72, 0x6d,
|
0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x72,
|
||||||
0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x3e, 0x0a, 0x04, 0x41, 0x75, 0x74, 0x68, 0x12,
|
0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x0b, 0x0a, 0x09,
|
||||||
0x36, 0x0a, 0x0c, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12,
|
0x5f, 0x75, 0x73, 0x65, 0x72, 0x69, 0x6e, 0x66, 0x6f, 0x42, 0x0e, 0x0a, 0x0c, 0x5f, 0x70, 0x65,
|
||||||
0x12, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x52, 0x65, 0x71, 0x75,
|
0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x0c, 0x0a, 0x0a, 0x5f, 0x74, 0x69,
|
||||||
0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68,
|
0x63, 0x6b, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x22, 0x50, 0x0a, 0x10, 0x43, 0x68, 0x65, 0x63, 0x6b,
|
||||||
0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x09, 0x5a, 0x07, 0x2e, 0x3b, 0x70, 0x72, 0x6f,
|
0x50, 0x65, 0x72, 0x6d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x74,
|
||||||
0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65,
|
||||||
|
0x6e, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
|
||||||
|
0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01,
|
||||||
|
0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2b, 0x0a, 0x0e, 0x43, 0x68, 0x65,
|
||||||
|
0x63, 0x6b, 0x50, 0x65, 0x72, 0x6d, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x19, 0x0a, 0x08, 0x69,
|
||||||
|
0x73, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x69,
|
||||||
|
0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x32, 0x7d, 0x0a, 0x04, 0x41, 0x75, 0x74, 0x68, 0x12, 0x36,
|
||||||
|
0x0a, 0x0c, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x12,
|
||||||
|
0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x52, 0x65, 0x71, 0x75, 0x65,
|
||||||
|
0x73, 0x74, 0x1a, 0x10, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x52,
|
||||||
|
0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x09, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x50,
|
||||||
|
0x65, 0x72, 0x6d, 0x12, 0x17, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x43, 0x68, 0x65, 0x63,
|
||||||
|
0x6b, 0x50, 0x65, 0x72, 0x6d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15, 0x2e, 0x70,
|
||||||
|
0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x50, 0x65, 0x72, 0x6d, 0x52, 0x65,
|
||||||
|
0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x09, 0x5a, 0x07, 0x2e, 0x3b, 0x70, 0x72, 0x6f, 0x74, 0x6f,
|
||||||
|
0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
@ -309,18 +442,22 @@ func file_auth_proto_rawDescGZIP() []byte {
|
|||||||
return file_auth_proto_rawDescData
|
return file_auth_proto_rawDescData
|
||||||
}
|
}
|
||||||
|
|
||||||
var file_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
|
var file_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
|
||||||
var file_auth_proto_goTypes = []interface{}{
|
var file_auth_proto_goTypes = []interface{}{
|
||||||
(*Userinfo)(nil), // 0: proto.Userinfo
|
(*Userinfo)(nil), // 0: proto.Userinfo
|
||||||
(*AuthRequest)(nil), // 1: proto.AuthRequest
|
(*AuthRequest)(nil), // 1: proto.AuthRequest
|
||||||
(*AuthReply)(nil), // 2: proto.AuthReply
|
(*AuthReply)(nil), // 2: proto.AuthReply
|
||||||
|
(*CheckPermRequest)(nil), // 3: proto.CheckPermRequest
|
||||||
|
(*CheckPermReply)(nil), // 4: proto.CheckPermReply
|
||||||
}
|
}
|
||||||
var file_auth_proto_depIdxs = []int32{
|
var file_auth_proto_depIdxs = []int32{
|
||||||
0, // 0: proto.AuthReply.userinfo:type_name -> proto.Userinfo
|
0, // 0: proto.AuthReply.userinfo:type_name -> proto.Userinfo
|
||||||
1, // 1: proto.Auth.Authenticate:input_type -> proto.AuthRequest
|
1, // 1: proto.Auth.Authenticate:input_type -> proto.AuthRequest
|
||||||
2, // 2: proto.Auth.Authenticate:output_type -> proto.AuthReply
|
3, // 2: proto.Auth.CheckPerm:input_type -> proto.CheckPermRequest
|
||||||
2, // [2:3] is the sub-list for method output_type
|
2, // 3: proto.Auth.Authenticate:output_type -> proto.AuthReply
|
||||||
1, // [1:2] is the sub-list for method input_type
|
4, // 4: proto.Auth.CheckPerm:output_type -> proto.CheckPermReply
|
||||||
|
3, // [3:5] is the sub-list for method output_type
|
||||||
|
1, // [1:3] is the sub-list for method input_type
|
||||||
1, // [1:1] is the sub-list for extension type_name
|
1, // [1:1] is the sub-list for extension type_name
|
||||||
1, // [1:1] is the sub-list for extension extendee
|
1, // [1:1] is the sub-list for extension extendee
|
||||||
0, // [0:1] is the sub-list for field type_name
|
0, // [0:1] is the sub-list for field type_name
|
||||||
@ -368,6 +505,30 @@ func file_auth_proto_init() {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
file_auth_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
|
||||||
|
switch v := v.(*CheckPermRequest); i {
|
||||||
|
case 0:
|
||||||
|
return &v.state
|
||||||
|
case 1:
|
||||||
|
return &v.sizeCache
|
||||||
|
case 2:
|
||||||
|
return &v.unknownFields
|
||||||
|
default:
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
file_auth_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
|
||||||
|
switch v := v.(*CheckPermReply); i {
|
||||||
|
case 0:
|
||||||
|
return &v.state
|
||||||
|
case 1:
|
||||||
|
return &v.sizeCache
|
||||||
|
case 2:
|
||||||
|
return &v.unknownFields
|
||||||
|
default:
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
file_auth_proto_msgTypes[0].OneofWrappers = []interface{}{}
|
file_auth_proto_msgTypes[0].OneofWrappers = []interface{}{}
|
||||||
file_auth_proto_msgTypes[1].OneofWrappers = []interface{}{}
|
file_auth_proto_msgTypes[1].OneofWrappers = []interface{}{}
|
||||||
@ -378,7 +539,7 @@ func file_auth_proto_init() {
|
|||||||
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
|
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
|
||||||
RawDescriptor: file_auth_proto_rawDesc,
|
RawDescriptor: file_auth_proto_rawDesc,
|
||||||
NumEnums: 0,
|
NumEnums: 0,
|
||||||
NumMessages: 3,
|
NumMessages: 5,
|
||||||
NumExtensions: 0,
|
NumExtensions: 0,
|
||||||
NumServices: 1,
|
NumServices: 1,
|
||||||
},
|
},
|
||||||
|
@ -6,6 +6,7 @@ package proto;
|
|||||||
|
|
||||||
service Auth {
|
service Auth {
|
||||||
rpc Authenticate(AuthRequest) returns (AuthReply) {}
|
rpc Authenticate(AuthRequest) returns (AuthReply) {}
|
||||||
|
rpc CheckPerm(CheckPermRequest) returns (CheckPermReply) {}
|
||||||
}
|
}
|
||||||
|
|
||||||
message Userinfo {
|
message Userinfo {
|
||||||
@ -29,4 +30,15 @@ message AuthReply {
|
|||||||
optional string refresh_token = 3;
|
optional string refresh_token = 3;
|
||||||
optional Userinfo userinfo = 4;
|
optional Userinfo userinfo = 4;
|
||||||
optional bytes permissions = 5;
|
optional bytes permissions = 5;
|
||||||
|
optional uint64 ticket_id = 6;
|
||||||
|
}
|
||||||
|
|
||||||
|
message CheckPermRequest {
|
||||||
|
string token = 1;
|
||||||
|
string key = 2;
|
||||||
|
bytes value = 3;
|
||||||
|
}
|
||||||
|
|
||||||
|
message CheckPermReply {
|
||||||
|
bool is_valid = 1;
|
||||||
}
|
}
|
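Review bot: The new `CheckPermRequest` does not say what `token` and `value` carry, yet the server decodes `token` as a JWT and JSON-decodes `value` before matching it against the permission node, so a client generated from this file cannot tell that `value` must be JSON. I would document the fields in place: `string token = 1; // access token (JWT) whose ticket is checked`, `string key = 2; // permission node key`, and `bytes value = 3; // JSON-encoded value matched against the node`. A one-line comment on `CheckPermReply.is_valid` noting that it is also false when the token itself is rejected (if that is the intended contract) would save callers from guessing.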
@ -20,6 +20,7 @@ const _ = grpc.SupportPackageIsVersion7
|
|||||||
|
|
||||||
const (
|
const (
|
||||||
Auth_Authenticate_FullMethodName = "/proto.Auth/Authenticate"
|
Auth_Authenticate_FullMethodName = "/proto.Auth/Authenticate"
|
||||||
|
Auth_CheckPerm_FullMethodName = "/proto.Auth/CheckPerm"
|
||||||
)
|
)
|
||||||
|
|
||||||
// AuthClient is the client API for Auth service.
|
// AuthClient is the client API for Auth service.
|
||||||
@ -27,6 +28,7 @@ const (
|
|||||||
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
|
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
|
||||||
type AuthClient interface {
|
type AuthClient interface {
|
||||||
Authenticate(ctx context.Context, in *AuthRequest, opts ...grpc.CallOption) (*AuthReply, error)
|
Authenticate(ctx context.Context, in *AuthRequest, opts ...grpc.CallOption) (*AuthReply, error)
|
||||||
|
CheckPerm(ctx context.Context, in *CheckPermRequest, opts ...grpc.CallOption) (*CheckPermReply, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
type authClient struct {
|
type authClient struct {
|
||||||
@ -46,11 +48,21 @@ func (c *authClient) Authenticate(ctx context.Context, in *AuthRequest, opts ...
|
|||||||
return out, nil
|
return out, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *authClient) CheckPerm(ctx context.Context, in *CheckPermRequest, opts ...grpc.CallOption) (*CheckPermReply, error) {
|
||||||
|
out := new(CheckPermReply)
|
||||||
|
err := c.cc.Invoke(ctx, Auth_CheckPerm_FullMethodName, in, out, opts...)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return out, nil
|
||||||
|
}
|
||||||
|
|
||||||
// AuthServer is the server API for Auth service.
|
// AuthServer is the server API for Auth service.
|
||||||
// All implementations must embed UnimplementedAuthServer
|
// All implementations must embed UnimplementedAuthServer
|
||||||
// for forward compatibility
|
// for forward compatibility
|
||||||
type AuthServer interface {
|
type AuthServer interface {
|
||||||
Authenticate(context.Context, *AuthRequest) (*AuthReply, error)
|
Authenticate(context.Context, *AuthRequest) (*AuthReply, error)
|
||||||
|
CheckPerm(context.Context, *CheckPermRequest) (*CheckPermReply, error)
|
||||||
mustEmbedUnimplementedAuthServer()
|
mustEmbedUnimplementedAuthServer()
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -61,6 +73,9 @@ type UnimplementedAuthServer struct {
|
|||||||
func (UnimplementedAuthServer) Authenticate(context.Context, *AuthRequest) (*AuthReply, error) {
|
func (UnimplementedAuthServer) Authenticate(context.Context, *AuthRequest) (*AuthReply, error) {
|
||||||
return nil, status.Errorf(codes.Unimplemented, "method Authenticate not implemented")
|
return nil, status.Errorf(codes.Unimplemented, "method Authenticate not implemented")
|
||||||
}
|
}
|
||||||
|
func (UnimplementedAuthServer) CheckPerm(context.Context, *CheckPermRequest) (*CheckPermReply, error) {
|
||||||
|
return nil, status.Errorf(codes.Unimplemented, "method CheckPerm not implemented")
|
||||||
|
}
|
||||||
func (UnimplementedAuthServer) mustEmbedUnimplementedAuthServer() {}
|
func (UnimplementedAuthServer) mustEmbedUnimplementedAuthServer() {}
|
||||||
|
|
||||||
// UnsafeAuthServer may be embedded to opt out of forward compatibility for this service.
|
// UnsafeAuthServer may be embedded to opt out of forward compatibility for this service.
|
||||||
@ -92,6 +107,24 @@ func _Auth_Authenticate_Handler(srv interface{}, ctx context.Context, dec func(i
|
|||||||
return interceptor(ctx, in, info, handler)
|
return interceptor(ctx, in, info, handler)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func _Auth_CheckPerm_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
||||||
|
in := new(CheckPermRequest)
|
||||||
|
if err := dec(in); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if interceptor == nil {
|
||||||
|
return srv.(AuthServer).CheckPerm(ctx, in)
|
||||||
|
}
|
||||||
|
info := &grpc.UnaryServerInfo{
|
||||||
|
Server: srv,
|
||||||
|
FullMethod: Auth_CheckPerm_FullMethodName,
|
||||||
|
}
|
||||||
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
||||||
|
return srv.(AuthServer).CheckPerm(ctx, req.(*CheckPermRequest))
|
||||||
|
}
|
||||||
|
return interceptor(ctx, in, info, handler)
|
||||||
|
}
|
||||||
|
|
||||||
// Auth_ServiceDesc is the grpc.ServiceDesc for Auth service.
|
// Auth_ServiceDesc is the grpc.ServiceDesc for Auth service.
|
||||||
// It's only intended for direct use with grpc.RegisterService,
|
// It's only intended for direct use with grpc.RegisterService,
|
||||||
// and not to be introspected or modified (even as a copy)
|
// and not to be introspected or modified (even as a copy)
|
||||||
@ -103,6 +136,10 @@ var Auth_ServiceDesc = grpc.ServiceDesc{
|
|||||||
MethodName: "Authenticate",
|
MethodName: "Authenticate",
|
||||||
Handler: _Auth_Authenticate_Handler,
|
Handler: _Auth_Authenticate_Handler,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
MethodName: "CheckPerm",
|
||||||
|
Handler: _Auth_CheckPerm_Handler,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
Streams: []grpc.StreamDesc{},
|
Streams: []grpc.StreamDesc{},
|
||||||
Metadata: "auth.proto",
|
Metadata: "auth.proto",
|
||||||
|
@ -42,12 +42,12 @@ func authFunc(c *fiber.Ctx, overrides ...string) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
rtk := c.Cookies(services.CookieRefreshKey)
|
rtk := c.Cookies(services.CookieRefreshKey)
|
||||||
if user, perms, atk, rtk, err := services.Authenticate(token, rtk, 0); err == nil {
|
if ctx, perms, atk, rtk, err := services.Authenticate(token, rtk, 0); err == nil {
|
||||||
if atk != token {
|
if atk != token {
|
||||||
services.SetJwtCookieSet(c, atk, rtk)
|
services.SetJwtCookieSet(c, atk, rtk)
|
||||||
}
|
}
|
||||||
c.Locals("permissions", perms)
|
c.Locals("permissions", perms)
|
||||||
c.Locals("principal", user)
|
c.Locals("principal", ctx.Account)
|
||||||
return nil
|
return nil
|
||||||
} else {
|
} else {
|
||||||
return err
|
return err
|
||||||
|
@ -11,7 +11,7 @@ import (
|
|||||||
|
|
||||||
var authContextCache = make(map[string]models.AuthContext)
|
var authContextCache = make(map[string]models.AuthContext)
|
||||||
|
|
||||||
func Authenticate(access, refresh string, depth int) (user models.Account, perms map[string]any, newAccess, newRefresh string, err error) {
|
func Authenticate(access, refresh string, depth int) (ctx models.AuthContext, perms map[string]any, newAccess, newRefresh string, err error) {
|
||||||
var claims PayloadClaims
|
var claims PayloadClaims
|
||||||
claims, err = DecodeJwt(access)
|
claims, err = DecodeJwt(access)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -29,10 +29,8 @@ func Authenticate(access, refresh string, depth int) (user models.Account, perms
|
|||||||
newAccess = access
|
newAccess = access
|
||||||
newRefresh = refresh
|
newRefresh = refresh
|
||||||
|
|
||||||
var ctx models.AuthContext
|
|
||||||
if ctx, err = GetAuthContext(claims.ID); err == nil {
|
if ctx, err = GetAuthContext(claims.ID); err == nil {
|
||||||
perms = FilterPermNodes(ctx.Account.PermNodes, ctx.Ticket.Claims)
|
perms = FilterPermNodes(ctx.Account.PermNodes, ctx.Ticket.Claims)
|
||||||
user = ctx.Account
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
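Review bot: `Authenticate` now returns the whole `models.AuthContext` instead of just the account, but the exported function still has no doc comment, and the five-value result plus the `depth` parameter is hard to read from the signature alone. I would add a comment above the signature along the lines of `// Authenticate decodes the access token, resolves its auth context and returns that context, the filtered permission nodes and the access/refresh pair the caller should hand back to the client.`, with a sentence stating what `depth` bounds — that is not visible in these hunks, so take it from the full body. The function continues outside both hunks; in the second hunk the named result `ctx` is assigned with `=` in the `if` initializer, so no shadowing is introduced there.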