fix higher role user registration requirements

tollsimy · tollsimy · commit 36ec90ae12f5 · 2025-06-03T13:07:49.000+02:00
diff --git a/compose.yml b/compose.yml
@@ -1,5 +1,5 @@
 services:
-  opp-backend:
+  opp-auth:
     build:
       context: .
       dockerfile: Containerfile.dev
diff --git a/src/auth/auth.go b/src/auth/auth.go
@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"OPP/auth/api"
 	opp_jwt "OPP/auth/jwt"
 	"context"
 	"errors"
@@ -14,59 +15,74 @@ import (
 
 var DEBUG_MODE = os.Getenv("DEBUG_MODE")
 
-func AuthenticationFunc(ctx context.Context, input *openapi3filter.AuthenticationInput) error {
+func AuthenticationWrapperFunc(ctx context.Context, input *openapi3filter.AuthenticationInput) error {
 	req := input.RequestValidationInput.Request
 	if req == nil {
 		return errors.New("missing HTTP request in authentication input")
 	}
 
-	authHeader := req.Header.Get("Authorization")
+	username, role, err := AuthenticationFunc(req.Header.Get("Authorization"))
+	if err != nil {
+		return err
+	}
+
+	// Update the request context with the username and role
+	ctx = context.WithValue(ctx, "username", username)
+	ctx = context.WithValue(ctx, "role", role)
+
+	*req = *req.WithContext(ctx)
+
+	return nil
+}
+
+// AuthenticationFunc can be used for endpoints that aren't marked as requiring authentication
+// but still need to check auth tokens when provided.
+// Returns (username, role, error) where error is nil if authentication succeeded
+func AuthenticationFunc(authHeader string) (string, api.UserRequestRole, error) {
+	// Debug mode: override username and role
+	if DEBUG_MODE == "true" {
+		return "admin_debug", api.UserRequestRoleAdmin, nil
+	}
+
 	if authHeader == "" {
-		return errors.New("missing Authorization header")
+		return "", "", errors.New("missing Authorization header")
 	}
 
 	if !strings.HasPrefix(authHeader, "Bearer ") {
-		return errors.New("invalid Authorization header format")
+		return "", "", errors.New("invalid Authorization header format")
 	}
 
-	tokenstr := strings.TrimPrefix(authHeader, "Bearer ")
-	token, err := opp_jwt.ValidateToken(tokenstr)
+	tokenStr := strings.TrimPrefix(authHeader, "Bearer ")
+	token, err := opp_jwt.ValidateToken(tokenStr)
 	if err != nil {
-		return errors.New("failed to parse token")
+		return "", "", errors.New("failed to parse token: " + err.Error())
 	}
+
 	claims, ok := token.Claims.(jwt.MapClaims)
 	if !ok || !token.Valid {
-		return errors.New("invalid token")
+		return "", "", errors.New("invalid token")
 	}
 
+	// Validate expiration time
 	expire, err := claims.GetExpirationTime()
 	if err != nil {
-		return errors.New("failed to get expiration time")
+		return "", "", errors.New("failed to get expiration time")
 	}
 
 	if expire.Before(time.Now()) {
-		return errors.New("token expired")
+		return "", "", errors.New("token expired")
 	}
 
 	username, ok := claims["username"].(string)
 	if !ok {
-		return errors.New("missing username in token claims")
-	}
-	role, ok := claims["role"].(string)
-	if !ok {
-		return errors.New("missing role in token claims")
+		return "", "", errors.New("missing username in token claims")
 	}
 
-	// Update the request context with the username and role
-	ctx = context.WithValue(ctx, "username", username)
-	ctx = context.WithValue(ctx, "role", role)
-
-	// Debug mode: override role with "admin"
-	if DEBUG_MODE == "true" {
-		ctx = context.WithValue(ctx, "role", "admin")
+	roleStr, ok := claims["role"].(string)
+	if !ok {
+		return "", "", errors.New("missing role in token claims")
 	}
 
-	*req = *req.WithContext(ctx)
-
-	return nil
+	role := api.UserRequestRole(roleStr)
+	return username, role, nil
 }
diff --git a/src/dao/user.go b/src/dao/user.go
@@ -72,7 +72,7 @@ func (d *UserDao) AddUser(c context.Context, user api.UserRequest) (int64, error
 	return id, nil
 }
 
-func (d *UserDao) GetUser(c context.Context, username string) (*api.UserResponse, error) {
+func (d *UserDao) GetUserByUsername(c context.Context, username string) (*api.UserResponse, error) {
 	query := "SELECT user_id, username, name, surname, email, role FROM users WHERE username = $1"
 	rows, err := d.db.Query(c, query, username)
 	if err != nil {
@@ -92,6 +92,25 @@ func (d *UserDao) GetUser(c context.Context, username string) (*api.UserResponse
 	return nil, ErrUserNotFound
 }
 
+func (d *UserDao) GetUserByEmail(c context.Context, email string) (*api.UserResponse, error) {
+	query := "SELECT user_id, username, name, surname, email, role FROM users WHERE email = $1"
+	rows, err := d.db.Query(c, query, email)
+	if err != nil {
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+	defer rows.Close()
+	var user api.UserResponse
+	var roleStr string
+	if rows.Next() {
+		if err := rows.Scan(&user.Id, &user.Username, &user.Name, &user.Surname, &user.Email, &roleStr); err != nil {
+			return nil, fmt.Errorf("failed to scan user: %w", err)
+		}
+		user.Role = api.UserResponseRole(roleStr)
+		return &user, nil
+	}
+	return nil, ErrUserNotFound
+}
+
 func (d *UserDao) GetUserRole(c context.Context, username string) (api.UserRequestRole, error) {
 	query := "SELECT role FROM users WHERE username = $1"
 	rows, err := d.db.Query(c, query, username)
diff --git a/src/handlers/session.go b/src/handlers/session.go
@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"OPP/auth/api"
+	"OPP/auth/auth"
 	"OPP/auth/dao"
 	"OPP/auth/jwt"
 	"net/http"
@@ -19,6 +20,41 @@ func NewSessionHandler() *SessionHandlers {
 	}
 }
 
+func getLoggedUser(c *gin.Context, userDao dao.UserDao) (*api.UserResponse, api.UserRequestRole, error) {
+	curUsername := c.Request.Context().Value("username")
+	if curUsername == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
+		return nil, "", nil
+	}
+	curUsernameStr, ok := curUsername.(string)
+	if !ok {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get username"})
+		return nil, "", nil
+	}
+	user, err := userDao.GetUserByUsername(c.Request.Context(), curUsernameStr)
+	if err != nil {
+		if err == dao.ErrUserNotFound {
+			c.JSON(http.StatusNotFound, gin.H{"error": "User not found"})
+			return nil, "", nil
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get user"})
+		return nil, "", err
+	}
+
+	curRole := c.Request.Context().Value("role")
+	if curRole == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
+		return nil, "", nil
+	}
+	curRoleStr, ok := curRole.(string)
+	if !ok {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get role"})
+		return nil, "", nil
+	}
+	curUserRole := api.UserRequestRole(curRoleStr)
+	return user, curUserRole, nil
+}
+
 func (h *SessionHandlers) GetPubKey(c *gin.Context) {
 	if jwt.PublicKeyBase64 == "" {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Public key not available"})
@@ -28,28 +64,57 @@ func (h *SessionHandlers) GetPubKey(c *gin.Context) {
 }
 
 func (h *SessionHandlers) Register(c *gin.Context) {
-	user := api.UserRequest{}
-	if err := c.ShouldBindJSON(&user); err != nil {
+	newUser := api.UserRequest{}
+	if err := c.ShouldBindJSON(&newUser); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
 		return
 	}
-	if *user.Role == api.UserRequestRoleAdmin || *user.Role == api.UserRequestRoleController {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Cannot register as" + *user.Role + ", permission denied"})
+
+	// Default to creating a normal user if role is not specified
+	if newUser.Role == nil {
+		defaultRole := api.UserRequestRoleDriver
+		newUser.Role = &defaultRole
+	}
+
+	// If registering as an admin or controller, verify permissions
+	if *newUser.Role == api.UserRequestRoleAdmin || *newUser.Role == api.UserRequestRoleController {
+		// Check if the current user is authenticated with admin privileges
+		_, role, err := auth.AuthenticationFunc(c.GetHeader("Authorization"))
+		if err != nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication failed: " + err.Error()})
+			return
+		}
+
+		// Check if the user has admin privileges
+		if role != api.UserRequestRoleAdmin {
+			c.JSON(http.StatusForbidden, gin.H{"error": "Admin privileges required to register " + string(*newUser.Role) + " accounts"})
+			return
+		}
 	}
+
+	// For regular users, allow unauthenticated registration
+
 	// Check if the user already exists
-	_, err := h.dao.GetUser(c.Request.Context(), user.Username)
+	_, err := h.dao.GetUserByUsername(c.Request.Context(), newUser.Username)
 	if err != dao.ErrUserNotFound {
 		c.JSON(http.StatusConflict, gin.H{"error": "User already exists"})
 		return
 	}
+	emailstr := string(newUser.Email)
+	_, err = h.dao.GetUserByEmail(c.Request.Context(), emailstr)
+	if err != dao.ErrUserNotFound {
+		c.JSON(http.StatusConflict, gin.H{"error": "Email already in use"})
+		return
+	}
+
 	// Add the user to the database
 	var id int64
-	id, err = h.dao.AddUser(c.Request.Context(), user)
+	id, err = h.dao.AddUser(c.Request.Context(), newUser)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to add user"})
 		return
 	}
-	token, err := jwt.GenerateToken(user.Username, *user.Role)
+	token, err := jwt.GenerateToken(newUser.Username, *newUser.Role)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return
@@ -61,11 +126,11 @@ func (h *SessionHandlers) Register(c *gin.Context) {
 		TokenType:   "Bearer",
 		User: api.UserResponse{
 			Id:       id,
-			Role:     api.UserResponseRole(*user.Role),
-			Username: user.Username,
-			Email:    user.Email,
-			Name:     user.Name,
-			Surname:  user.Surname,
+			Role:     api.UserResponseRole(*newUser.Role),
+			Username: newUser.Username,
+			Email:    newUser.Email,
+			Name:     newUser.Name,
+			Surname:  newUser.Surname,
 		},
 	}
 	c.JSON(http.StatusCreated, response)
@@ -78,7 +143,7 @@ func (h *SessionHandlers) Login(c *gin.Context) {
 		return
 	}
 	// Check if the user exists
-	user, err := h.dao.GetUser(c.Request.Context(), session.Username)
+	user, err := h.dao.GetUserByUsername(c.Request.Context(), session.Username)
 	if err == dao.ErrUserNotFound {
 		c.JSON(http.StatusNotFound, gin.H{"error": "User not found"})
 		return
@@ -123,40 +188,14 @@ func (h *SessionHandlers) Login(c *gin.Context) {
 }
 
 func (h *SessionHandlers) GetSession(c *gin.Context) {
-	username := c.Request.Context().Value("username")
-	if username == nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
-		return
-	}
-	usernameStr, ok := username.(string)
-	if !ok {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get username"})
-		return
-	}
-	user, err := h.dao.GetUser(c.Request.Context(), usernameStr)
-	if err != nil {
-		if err == dao.ErrUserNotFound {
-			c.JSON(http.StatusNotFound, gin.H{"error": "User not found"})
-			return
-		}
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get user"})
-		return
-	}
-
-	role := c.Request.Context().Value("role")
-	if role == nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
-		return
-	}
-	roleStr, ok := role.(string)
-	if !ok {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get role"})
+	user, userRole, err := getLoggedUser(c, h.dao)
+	if err != nil || user == nil {
 		return
 	}
-	userRole := api.UserRequestRole(roleStr)
 
+	// No need to fetch the user again since we already have it
 	// return a new token for the authenticated user
-	token, err := jwt.GenerateToken(usernameStr, userRole)
+	token, err := jwt.GenerateToken(user.Username, userRole)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate token"})
 		return
@@ -171,7 +210,7 @@ func (h *SessionHandlers) GetSession(c *gin.Context) {
 			Email:    user.Email,
 			Name:     user.Name,
 			Surname:  user.Surname,
-			Role:     api.UserResponseRole(roleStr),
+			Role:     api.UserResponseRole(string(userRole)),
 		},
 	}
 	c.JSON(http.StatusOK, sessionResponse)
diff --git a/src/handlers/user.go b/src/handlers/user.go
@@ -63,7 +63,7 @@ func (uh *UserHandlers) GetUser(c *gin.Context) {
 		return
 	}
 
-	user, err := uh.dao.GetUser(c.Request.Context(), usernameStr)
+	user, err := uh.dao.GetUserByUsername(c.Request.Context(), usernameStr)
 	if err != nil {
 		if errors.Is(err, dao.ErrUserNotFound) {
 			c.JSON(http.StatusNotFound, gin.H{"error": "user not found"})
diff --git a/src/main.go b/src/main.go
@@ -71,7 +71,7 @@ func main() {
 	validatorOptions := &ginmiddleware.Options{
 		Options: openapi3filter.Options{
 			AuthenticationFunc: func(ctx context.Context, input *openapi3filter.AuthenticationInput) error {
-				return auth.AuthenticationFunc(ctx, input)
+				return auth.AuthenticationWrapperFunc(ctx, input)
 			},
 		},
 		SilenceServersWarning: silenceServersWarning,

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func (uh UserHandlers) GetUser(c gin.Context) {`
`63`	`63`	`return`
`64`	`64`	`}`
`65`	`65`
`66`		`- user, err := uh.dao.GetUser(c.Request.Context(), usernameStr)`
	`66`	`+ user, err := uh.dao.GetUserByUsername(c.Request.Context(), usernameStr)`
`67`	`67`	`if err != nil {`
`68`	`68`	`if errors.Is(err, dao.ErrUserNotFound) {`
`69`	`69`	`c.JSON(http.StatusNotFound, gin.H{"error": "user not found"})`