Put some api calls behind admin access
This commit is contained in:
@@ -93,3 +93,86 @@ pub async fn validate_token(
|
|||||||
request.extensions_mut().insert(filter_user(&user));
|
request.extensions_mut().insert(filter_user(&user));
|
||||||
Ok(next.run(request).await)
|
Ok(next.run(request).await)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub async fn validate_admin(
|
||||||
|
cookies: CookieJar,
|
||||||
|
State(data): State<Arc<AppState>>,
|
||||||
|
mut request: Request<Body>,
|
||||||
|
next: Next,
|
||||||
|
) -> Result<impl IntoResponse, (StatusCode, Json<serde_json::Value>)> {
|
||||||
|
let token = cookies
|
||||||
|
.get("token")
|
||||||
|
.map(|cookie| cookie.value().to_string())
|
||||||
|
.or_else(|| {
|
||||||
|
request
|
||||||
|
.headers()
|
||||||
|
.get(header::AUTHORIZATION)
|
||||||
|
.and_then(|header| header.to_str().ok())
|
||||||
|
.and_then(|value| {
|
||||||
|
if value.starts_with("Bearer ") {
|
||||||
|
Some(value[7..].to_owned())
|
||||||
|
} else {
|
||||||
|
None
|
||||||
|
}
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
|
let token = token.ok_or_else(|| {
|
||||||
|
let error = json!({
|
||||||
|
"status": "error",
|
||||||
|
"message": "Please provide a valid token"
|
||||||
|
});
|
||||||
|
(StatusCode::UNAUTHORIZED, Json(error))
|
||||||
|
})?;
|
||||||
|
|
||||||
|
let claims = decode_token(
|
||||||
|
token,
|
||||||
|
&DecodingKey::from_secret(data.env.token_secret.as_ref()),
|
||||||
|
)
|
||||||
|
.map_err(|(status, json_err)| {
|
||||||
|
let error = json!({
|
||||||
|
"status": json_err.status,
|
||||||
|
"message": json_err.message
|
||||||
|
});
|
||||||
|
(status, Json(error))
|
||||||
|
})?;
|
||||||
|
|
||||||
|
let uuid = (&claims.sub).parse::<i16>().map_err(|_| {
|
||||||
|
let error = json!({
|
||||||
|
"status": "error",
|
||||||
|
"message": "Invalid user id"
|
||||||
|
});
|
||||||
|
(StatusCode::UNAUTHORIZED, Json(error))
|
||||||
|
})?;
|
||||||
|
|
||||||
|
let user = sqlx::query_as::<_, User>(r#"SELECT * FROM users WHERE id = $1"#)
|
||||||
|
.bind(uuid)
|
||||||
|
.fetch_optional(&data.db)
|
||||||
|
.await
|
||||||
|
.map_err(|e| {
|
||||||
|
let error = json!({
|
||||||
|
"status": "error",
|
||||||
|
"message": format!("Database error: {}", e)
|
||||||
|
});
|
||||||
|
(StatusCode::INTERNAL_SERVER_ERROR, Json(error))
|
||||||
|
})?;
|
||||||
|
|
||||||
|
let user = user.ok_or_else(|| {
|
||||||
|
let error = json!({
|
||||||
|
"status": "error",
|
||||||
|
"message": "Invalid user"
|
||||||
|
});
|
||||||
|
(StatusCode::UNAUTHORIZED, Json(error))
|
||||||
|
})?;
|
||||||
|
|
||||||
|
if !user.is_admin {
|
||||||
|
let error = json!({
|
||||||
|
"status": "error",
|
||||||
|
"message": "Admin access required"
|
||||||
|
});
|
||||||
|
return Err((StatusCode::FORBIDDEN, Json(error)));
|
||||||
|
}
|
||||||
|
|
||||||
|
request.extensions_mut().insert(filter_user(&user));
|
||||||
|
Ok(next.run(request).await)
|
||||||
|
}
|
||||||
|
|||||||
@@ -7,7 +7,7 @@ use axum::{
|
|||||||
|
|
||||||
use crate::{
|
use crate::{
|
||||||
AppState,
|
AppState,
|
||||||
cookie::validation::validate_token,
|
cookie::validation::{validate_admin, validate_token},
|
||||||
handlers::{
|
handlers::{
|
||||||
auth::{
|
auth::{
|
||||||
create_user, delete_user, get_current_user, get_user_by_id, get_users, login, logout,
|
create_user, delete_user, get_current_user, get_user_by_id, get_users, login, logout,
|
||||||
@@ -18,9 +18,7 @@ use crate::{
|
|||||||
};
|
};
|
||||||
|
|
||||||
pub fn create_router(state: Arc<AppState>) -> Router {
|
pub fn create_router(state: Arc<AppState>) -> Router {
|
||||||
let protected_routes = Router::new()
|
let admin_routes = Router::new()
|
||||||
.route("/api/tickets", get(get_tickets))
|
|
||||||
.route("/api/tickets/create", post(create_ticket))
|
|
||||||
.route(
|
.route(
|
||||||
"/api/tickets/{id}",
|
"/api/tickets/{id}",
|
||||||
get(get_ticket_by_id)
|
get(get_ticket_by_id)
|
||||||
@@ -28,13 +26,22 @@ pub fn create_router(state: Arc<AppState>) -> Router {
|
|||||||
.patch(edit_ticket),
|
.patch(edit_ticket),
|
||||||
)
|
)
|
||||||
.route("/api/register", post(create_user))
|
.route("/api/register", post(create_user))
|
||||||
.route("/api/logout", get(logout))
|
|
||||||
.route("/api/users", get(get_users))
|
.route("/api/users", get(get_users))
|
||||||
.route("/api/users/current", get(get_current_user))
|
.route("/api/users/current", get(get_current_user))
|
||||||
.route(
|
.route(
|
||||||
"/api/users/{id}",
|
"/api/users/{id}",
|
||||||
get(get_user_by_id).delete(delete_user).patch(update_user),
|
get(get_user_by_id).delete(delete_user).patch(update_user),
|
||||||
)
|
)
|
||||||
|
.layer(middleware::from_fn_with_state(
|
||||||
|
state.clone(),
|
||||||
|
validate_admin,
|
||||||
|
));
|
||||||
|
|
||||||
|
let protected_routes = Router::new()
|
||||||
|
.merge(admin_routes)
|
||||||
|
.route("/api/tickets", get(get_tickets))
|
||||||
|
.route("/api/tickets/create", post(create_ticket))
|
||||||
|
.route("/api/logout", get(logout))
|
||||||
.layer(middleware::from_fn_with_state(
|
.layer(middleware::from_fn_with_state(
|
||||||
state.clone(),
|
state.clone(),
|
||||||
validate_token,
|
validate_token,
|
||||||
|
|||||||
Reference in New Issue
Block a user