evaluate role in higher layer

2023-11-06 22:09:29 +01:00
parent ab2d527dbd
commit f6120640d2
5 changed files with 33 additions and 16 deletions
--- a/internal/server.go
+++ b/internal/server.go
@ -178,12 +178,23 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 		}

 		// Get user
-		user, err := p.GetUser(token)
+		user, roles, err := p.GetUser(token)
 		if err != nil {
 			logger.WithField("error", err).Error("Error getting user")
 			http.Error(w, "Service unavailable", 503)
 			return
 		}
+    found := false
+    for _, r := range roles.Roles {
+      if r == "whoami_admin" {
+        found = true
+      }
+    }
+    if ! found {
+      logger.Debug("required role not found, deny access")
+      http.Error(w, "Forbidden", 403)
+      return
+    }

 		// Generate cookie
 		http.SetCookie(w, MakeCookie(r, user.Email))
@ -191,6 +202,7 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 			"provider": providerName,
 			"redirect": redirect,
 			"user":     user.Email,
+      "roles":    roles.Roles,
 		}).Info("Successfully generated auth cookie, redirecting user.")

 		// Redirect