schn33fuchs/ticketsystem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Put some api calls behind admin access

Browse Source
This commit is contained in:
Silas
2026-05-02 19:15:40 +02:00
parent 931bd27c65
commit 654b55a2a4
2 changed files with 95 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
backend/src/cookie/validation.rs
View File

@@ -93,3 +93,86 @@ pub async fn validate_token(
request.extensions_mut().insert(filter_user(&user));
Ok(next.run(request).await)
}
pub async fn validate_admin(
cookies: CookieJar,
State(data): State<Arc<AppState>>,
mut request: Request<Body>,
next: Next,
) -> Result<impl IntoResponse, (StatusCode, Json<serde_json::Value>)> {
let token = cookies
.get("token")
.map(|cookie| cookie.value().to_string())
.or_else(|| {
request
.headers()
.get(header::AUTHORIZATION)
.and_then(|header| header.to_str().ok())
.and_then(|value| {
if value.starts_with("Bearer ") {
Some(value[7..].to_owned())
} else {
None
}
})
});
let token = token.ok_or_else(|| {
let error = json!({
"status": "error",
"message": "Please provide a valid token"
});
(StatusCode::UNAUTHORIZED, Json(error))
})?;
let claims = decode_token(
token,
&DecodingKey::from_secret(data.env.token_secret.as_ref()),
)
.map_err(|(status, json_err)| {
let error = json!({
"status": json_err.status,
"message": json_err.message
});
(status, Json(error))
})?;
let uuid = (&claims.sub).parse::<i16>().map_err(|_| {
let error = json!({
"status": "error",
"message": "Invalid user id"
});
(StatusCode::UNAUTHORIZED, Json(error))
})?;
let user = sqlx::query_as::<_, User>(r#"SELECT * FROM users WHERE id = $1"#)
.bind(uuid)
.fetch_optional(&data.db)
.await
.map_err(|e| {
let error = json!({
"status": "error",
"message": format!("Database error: {}", e)
});
(StatusCode::INTERNAL_SERVER_ERROR, Json(error))
})?;
let user = user.ok_or_else(|| {
let error = json!({
"status": "error",
"message": "Invalid user"
});
(StatusCode::UNAUTHORIZED, Json(error))
})?;
if !user.is_admin {
let error = json!({
"status": "error",
"message": "Admin access required"
});
return Err((StatusCode::FORBIDDEN, Json(error)));
}
request.extensions_mut().insert(filter_user(&user));
Ok(next.run(request).await)
}

17
backend/src/router.rs
View File

@@ -7,7 +7,7 @@ use axum::{
use crate::{
AppState,
cookie::validation::validate_token,
cookie::validation::{validate_admin, validate_token},
handlers::{
auth::{
create_user, delete_user, get_current_user, get_user_by_id, get_users, login, logout,
@@ -18,9 +18,7 @@ use crate::{
};
pub fn create_router(state: Arc<AppState>) -> Router {
let protected_routes = Router::new()
.route("/api/tickets", get(get_tickets))
.route("/api/tickets/create", post(create_ticket))
let admin_routes = Router::new()
.route(
"/api/tickets/{id}",
get(get_ticket_by_id)
@@ -28,13 +26,22 @@ pub fn create_router(state: Arc<AppState>) -> Router {
.patch(edit_ticket),
)
.route("/api/register", post(create_user))
.route("/api/logout", get(logout))
.route("/api/users", get(get_users))
.route("/api/users/current", get(get_current_user))
.route(
"/api/users/{id}",
get(get_user_by_id).delete(delete_user).patch(update_user),
)
.layer(middleware::from_fn_with_state(
state.clone(),
validate_admin,
));
let protected_routes = Router::new()
.merge(admin_routes)
.route("/api/tickets", get(get_tickets))
.route("/api/tickets/create", post(create_ticket))
.route("/api/logout", get(logout))
.layer(middleware::from_fn_with_state(
state.clone(),
validate_token,