Check backend-permissions to access store

2019-07-03 08:50:09 +08:00 · 2019-07-03 08:50:09 +08:00 · 9ca40754ae
parent ec7026385b
commit 9ca40754ae
2 changed files with 47 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 # backend-store

-Single Badger store to serve bite, transcription and any others. Is kinda bite-centric, so required values revolve around a Bite. Receives stores through [NATS](https://nats.io) while data is retrieved via a http api.
+Single Badger store to serve bite, transcription and any others. Is kinda bite-centric, so required values revolve around a Bite. Receives stores through [NATS](https://nats.io) while data is retrieved via a http api. Checks `backend-permissions` for permissions to access the store.

 **Relies on being behind a traefik instance forwarding auth to backend-auth for authentication**

@ -76,6 +76,7 @@ All numbers are Unix epoch timestamps. `starts` goes on for as long as it needs
 | Code | Description |
 | ---- | ----------- |
 | 400 | From/to are not unix epoch/Error marshalling key from params. |
+| 401 | `permissions` denied permission for user to access this store. |
 | 500 | Error scanning badger store. |

 ---
@ -105,4 +106,5 @@ Raw data of the bite.
 | Code | Description |
 | ---- | ----------- |
 | 400 | Error marshalling key from params/`start` was not a valid Epoch timestamp. |
+| 401 | `permissions` denied permission for user to access this store. |
 | 500 | Error retrieving bite from store. |
--- a/main.go
+++ b/main.go
@ -1,6 +1,7 @@
 package main

 import (
+  "context"
  "encoding/json"
  "log"
  "net/http"
@ -19,6 +20,7 @@ import (
 var listen string
 var dbPath string
 var natsHost string
+var permissionsHost string

 var db *badger.DB
 var nc *nats.Conn
@ -32,6 +34,7 @@ func main() {
  dbPath = os.Getenv("DBPATH")
  natsHost = os.Getenv("NATS")
  listen = os.Getenv("LISTEN")
+  permissionsHost = os.Getenv("PERMISSIONS_HOST")

  // Open badger
 	log.Printf("starting badger at %s", dbPath)
@ -54,14 +57,53 @@ func main() {

  // Routes
  router := httprouter.New()
-  router.GET("/:type/:key/scan", ScanStore)
-  router.GET("/:type/:key/start/:start", GetStore)
+  router.GET("/:type/:key/scan", AuthMiddleware(PermissionMiddleware(ScanStore)))
+  router.GET("/:type/:key/start/:start", AuthMiddleware(PermissionMiddleware(GetStore)))

  // Start server
  log.Printf("starting server on %s", listen)
  log.Fatal(http.ListenAndServe(listen, router))
 }

+type RawClient struct {
+  UserId   string `json:"userid"`
+  ClientId string `json:"clientid"`
+}
+func AuthMiddleware(next httprouter.Handle) httprouter.Handle {
+  return func (w http.ResponseWriter, r *http.Request, p httprouter.Params) {
+    ua := r.Header.Get("X-User-Claim")
+    if ua == "" {
+      http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+      return
+    }
+
+    var client RawClient
+    err := json.Unmarshal([]byte(ua), &client)
+    if err != nil {
+      http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+      return
+    }
+
+    context := context.WithValue(r.Context(), "user", client.UserId)
+    next(w, r.WithContext(context), p)
+  }
+}
+
+func PermissionMiddleware(next httprouter.Handle) httprouter.Handle {
+  return func (w http.ResponseWriter, r *http.Request, p httprouter.Params) {
+    userID := r.Context().Value("user").(string)
+    conversationID := p.ByName("key")
+
+    response, err := http.Get(permissionsHost + "/user/" + userID + "/conversation/" + conversationID)
+    if err != nil {
+      http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+      return
+    }
+    response.Body.Close()
+    next(w, r, p)
+  }
+}
+
 func NewStore(m *nats.Msg) {
  storeRequest := Store{}
  if err := proto.Unmarshal(m.Data, &storeRequest); err != nil {