fix higher role user registration requirements

Author: tollsimy

compose.yml

@@ -1,5 +1,5 @@
 services:
-  opp-backend:
+  opp-auth:
     build:
       context: .
       dockerfile: Containerfile.dev

src/auth/auth.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"OPP/auth/api"
 	opp_jwt "OPP/auth/jwt"
 	"context"
 	"errors"
@@ -14,59 +15,74 @@ import (
 
 var DEBUG_MODE = os.Getenv("DEBUG_MODE")
 
-func AuthenticationFunc(ctx context.Context, input *openapi3filter.AuthenticationInput) error {
+func AuthenticationWrapperFunc(ctx context.Context, input *openapi3filter.AuthenticationInput) error {
 	req := input.RequestValidationInput.Request
 	if req == nil {
 		return errors.New("missing HTTP request in authentication input")
 	}
 
-	authHeader := req.Header.Get("Authorization")
+	username, role, err := AuthenticationFunc(req.Header.Get("Authorization"))
+	if err != nil {
+		return err
+	}
+
+	// Update the request context with the username and role
+	ctx = context.WithValue(ctx, "username", username)
+	ctx = context.WithValue(ctx, "role", role)
+
+	*req = *req.WithContext(ctx)
+
+	return nil
+}
+
+// AuthenticationFunc can be used for endpoints that aren't marked as requiring authentication
+// but still need to check auth tokens when provided.
+// Returns (username, role, error) where error is nil if authentication succeeded
+func AuthenticationFunc(authHeader string) (string, api.UserRequestRole, error) {
+	// Debug mode: override username and role
+	if DEBUG_MODE == "true" {
+		return "admin_debug", api.UserRequestRoleAdmin, nil
+	}
+
 	if authHeader == "" {
-		return errors.New("missing Authorization header")
+		return "", "", errors.New("missing Authorization header")
 	}
 
 	if !strings.HasPrefix(authHeader, "Bearer ") {
-		return errors.New("invalid Authorization header format")
+		return "", "", errors.New("invalid Authorization header format")
 	}
 
-	tokenstr := strings.TrimPrefix(authHeader, "Bearer ")
-	token, err := opp_jwt.ValidateToken(tokenstr)
+	tokenStr := strings.TrimPrefix(authHeader, "Bearer ")
+	token, err := opp_jwt.ValidateToken(tokenStr)
 	if err != nil {
-		return errors.New("failed to parse token")
+		return "", "", errors.New("failed to parse token: " + err.Error())
 	}
+
 	claims, ok := token.Claims.(jwt.MapClaims)
 	if !ok || !token.Valid {
-		return errors.New("invalid token")
+		return "", "", errors.New("invalid token")
 	}
 
+	// Validate expiration time
 	expire, err := claims.GetExpirationTime()
 	if err != nil {
-		return errors.New("failed to get expiration time")
+		return "", "", errors.New("failed to get expiration time")
 	}
 
 	if expire.Before(time.Now()) {
-		return errors.New("token expired")
+		return "", "", errors.New("token expired")
 	}
 
 	username, ok := claims["username"].(string)
 	if !ok {
-		return errors.New("missing username in token claims")
-	}
-	role, ok := claims["role"].(string)
-	if !ok {
-		return errors.New("missing role in token claims")
+		return "", "", errors.New("missing username in token claims")
 	}
 
-	// Update the request context with the username and role
-	ctx = context.WithValue(ctx, "username", username)
-	ctx = context.WithValue(ctx, "role", role)
-
-	// Debug mode: override role with "admin"
-	if DEBUG_MODE == "true" {
-		ctx = context.WithValue(ctx, "role", "admin")
+	roleStr, ok := claims["role"].(string)
+	if !ok {
+		return "", "", errors.New("missing role in token claims")
 	}
 
-	*req = *req.WithContext(ctx)
-
-	return nil
+	role := api.UserRequestRole(roleStr)
+	return username, role, nil
 }

src/handlers/session.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"OPP/auth/api"
+	"OPP/auth/auth"
 	"OPP/auth/dao"
 	"OPP/auth/jwt"
 	"net/http"
@@ -19,6 +20,41 @@ func NewSessionHandler() *SessionHandlers {
 	}
 }
 
+func getLoggedUser(c *gin.Context, userDao dao.UserDao) (*api.UserResponse, api.UserRequestRole, error) {
+	curUsername := c.Request.Context().Value("username")
+	if curUsername == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
+		return nil, "", nil
+	}
+	curUsernameStr, ok := curUsername.(string)
+	if !ok {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get username"})
+		return nil, "", nil
+	}
+	user, err := userDao.GetUser(c.Request.Context(), curUsernameStr)
+	if err != nil {
+		if err == dao.ErrUserNotFound {
+			c.JSON(http.StatusNotFound, gin.H{"error": "User not found"})
+			return nil, "", nil
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get user"})
+		return nil, "", err
+	}
+
+	curRole := c.Request.Context().Value("role")
+	if curRole == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
+		return nil, "", nil
+	}
+	curRoleStr, ok := curRole.(string)
+	if !ok {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get role"})
+		return nil, "", nil
+	}
+	curUserRole := api.UserRequestRole(curRoleStr)
+	return user, curUserRole, nil
+}
+
 func (h *SessionHandlers) GetPubKey(c *gin.Context) {
 	if jwt.PublicKeyBase64 == "" {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Public key not available"})
@@ -28,28 +64,51 @@ func (h *SessionHandlers) GetPubKey(c *gin.Context) {
 }
 
 func (h *SessionHandlers) Register(c *gin.Context) {
-	user := api.UserRequest{}
-	if err := c.ShouldBindJSON(&user); err != nil {
+	newUser := api.UserRequest{}
+	if err := c.ShouldBindJSON(&newUser); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
 		return
 	}
-	if *user.Role == api.UserRequestRoleAdmin || *user.Role == api.UserRequestRoleController {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Cannot register as" + *user.Role + ", permission denied"})
+
+	// Default to creating a normal user if role is not specified
+	if newUser.Role == nil {
+		defaultRole := api.UserRequestRoleDriver
+		newUser.Role = &defaultRole
+	}
+
+	// If registering as an admin or controller, verify permissions
+	if *newUser.Role == api.UserRequestRoleAdmin || *newUser.Role == api.UserRequestRoleController {
+		// Check if the current user is authenticated with admin privileges
+		_, role, err := auth.AuthenticationFunc(c.GetHeader("Authorization"))
+		if err != nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication failed: " + err.Error()})
+			return
+		}
+
+		// Check if the user has admin privileges
+		if role != api.UserRequestRoleAdmin {
+			c.JSON(http.StatusForbidden, gin.H{"error": "Admin privileges required to register " + string(*newUser.Role) + " accounts"})
+			return
+		}
 	}
+
+	// For regular users, allow unauthenticated registration
+
 	// Check if the user already exists
-	_, err := h.dao.GetUser(c.Request.Context(), user.Username)
+	_, err := h.dao.GetUser(c.Request.Context(), newUser.Username)
 	if err != dao.ErrUserNotFound {
 		c.JSON(http.StatusConflict, gin.H{"error": "User already exists"})
 		return
 	}
+
 	// Add the user to the database
 	var id int64
-	id, err = h.dao.AddUser(c.Request.Context(), user)
+	id, err = h.dao.AddUser(c.Request.Context(), newUser)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to add user"})
 		return
 	}
-	token, err := jwt.GenerateToken(user.Username, *user.Role)
+	token, err := jwt.GenerateToken(newUser.Username, *newUser.Role)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return
@@ -61,11 +120,11 @@ func (h *SessionHandlers) Register(c *gin.Context) {
 		TokenType:   "Bearer",
 		User: api.UserResponse{
 			Id:       id,
-			Role:     api.UserResponseRole(*user.Role),
-			Username: user.Username,
-			Email:    user.Email,
-			Name:     user.Name,
-			Surname:  user.Surname,
+			Role:     api.UserResponseRole(*newUser.Role),
+			Username: newUser.Username,
+			Email:    newUser.Email,
+			Name:     newUser.Name,
+			Surname:  newUser.Surname,
 		},
 	}
 	c.JSON(http.StatusCreated, response)
@@ -123,40 +182,14 @@ func (h *SessionHandlers) Login(c *gin.Context) {
 }
 
 func (h *SessionHandlers) GetSession(c *gin.Context) {
-	username := c.Request.Context().Value("username")
-	if username == nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
-		return
-	}
-	usernameStr, ok := username.(string)
-	if !ok {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get username"})
-		return
-	}
-	user, err := h.dao.GetUser(c.Request.Context(), usernameStr)
-	if err != nil {
-		if err == dao.ErrUserNotFound {
-			c.JSON(http.StatusNotFound, gin.H{"error": "User not found"})
-			return
-		}
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get user"})
-		return
-	}
-
-	role := c.Request.Context().Value("role")
-	if role == nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
-		return
-	}
-	roleStr, ok := role.(string)
-	if !ok {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get role"})
+	user, userRole, err := getLoggedUser(c, h.dao)
+	if err != nil || user == nil {
 		return
 	}
-	userRole := api.UserRequestRole(roleStr)
 
+	// No need to fetch the user again since we already have it
 	// return a new token for the authenticated user
-	token, err := jwt.GenerateToken(usernameStr, userRole)
+	token, err := jwt.GenerateToken(user.Username, userRole)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate token"})
 		return
@@ -171,7 +204,7 @@ func (h *SessionHandlers) GetSession(c *gin.Context) {
 			Email:    user.Email,
 			Name:     user.Name,
 			Surname:  user.Surname,
-			Role:     api.UserResponseRole(roleStr),
+			Role:     api.UserResponseRole(string(userRole)),
 		},
 	}
 	c.JSON(http.StatusOK, sessionResponse)

src/main.go

@@ -71,7 +71,7 @@ func main() {
 	validatorOptions := &ginmiddleware.Options{
 		Options: openapi3filter.Options{
 			AuthenticationFunc: func(ctx context.Context, input *openapi3filter.AuthenticationInput) error {
-				return auth.AuthenticationFunc(ctx, input)
+				return auth.AuthenticationWrapperFunc(ctx, input)
 			},
 		},
 		SilenceServersWarning: silenceServersWarning,