Merge pull request #33 from titouanfreville/issue-30-secureAPI

Issue 30 secure api
titouanfreville · Mar 10, 2017 · 0047b51 · 0047b51
2 parents 22099ab + a389698
commit 0047b51
Show file tree

Hide file tree

Showing 18 changed files with 545 additions and 154 deletions.
diff --git a/api/api.go b/api/api.go
@@ -71,16 +71,9 @@ func initAuth() {
 // createUserToken create JWT auth token for current login user
 func createUserToken(user models.User, role models.Role) (string, error) {
 	claims := jwt.MapClaims{
-		"name":       user.Username,
-		"email":      user.Email,
-		"role":       role.RoleName,
-		"archive":    role.CanArchive,
-		"invite":     role.CanInvite,
-		"manage":     role.CanManage,
-		"manageuser": role.CanManageUser,
-		"moderate":   role.CanModerate,
-		"private":    role.CanUsePrivate,
-		"type":       "userauth",
+		"name":  user.Username,
+		"email": user.Email,
+		"type":  "userauth",
 	}
 	unsignedToken := *jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	tokenString, err := unsignedToken.SignedString(hmacSampleSecret)

diff --git a/api/api_parameters.go b/api/api_parameters.go
@@ -329,3 +329,5 @@ type loginParam struct {
 	// in:body
 	Login loginParameterModel `json:"login"`
 }
+
+// <><><><><> <><><><><> <><><><><> <><><><><> //
diff --git a/api/avatar_route.go b/api/avatar_route.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"strconv"
 
+	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/pressly/chi"
 	chiRender "github.com/pressly/chi/render"
 	"github.com/titouanfreville/popcubeapi/datastores"
@@ -148,113 +149,129 @@ func avatarContext(next http.Handler) http.Handler {
 func getAllAvatar(w http.ResponseWriter, r *http.Request) {
 	store := datastores.Store()
 	db := dbStore.db
-	if err := db.DB().Ping(); err == nil {
-		result := store.Avatar().GetAll(db)
-		render.JSON(w, 200, result)
-	} else {
+	if err := db.DB().Ping(); err != nil {
 		render.JSON(w, error503.StatusCode, error503)
+		return
 	}
+	result := store.Avatar().GetAll(db)
+	render.JSON(w, 200, result)
 }
 
 func getAvatarFromName(w http.ResponseWriter, r *http.Request) {
 	store := datastores.Store()
-
 	db := dbStore.db
-	if err := db.DB().Ping(); err == nil {
-		name := r.Context().Value(avatarNameKey).(string)
-		avatar := store.Avatar().GetByName(name, db)
-		render.JSON(w, 200, avatar)
-	} else {
+	if err := db.DB().Ping(); err != nil {
 		render.JSON(w, error503.StatusCode, error503)
+		return
 	}
+	name := r.Context().Value(avatarNameKey).(string)
+	avatar := store.Avatar().GetByName(name, db)
+	render.JSON(w, 200, avatar)
 }
 
 func getAvatarFromLink(w http.ResponseWriter, r *http.Request) {
 	store := datastores.Store()
-
 	db := dbStore.db
-	if err := db.DB().Ping(); err == nil {
-		link := r.Context().Value(avatarLinkKey).(string)
-		avatar := store.Avatar().GetByLink(link, db)
-		render.JSON(w, 200, avatar)
-	} else {
+	if err := db.DB().Ping(); err != nil {
 		render.JSON(w, error503.StatusCode, error503)
+		return
 	}
+	link := r.Context().Value(avatarLinkKey).(string)
+	avatar := store.Avatar().GetByLink(link, db)
+	render.JSON(w, 200, avatar)
 }
 
 func newAvatar(w http.ResponseWriter, r *http.Request) {
 	var data struct {
 		Avatar *models.Avatar
 		OmitID interface{} `json:"id,omitempty"`
 	}
+	token := r.Context().Value(jwtTokenKey).(*jwt.Token)
+	if !canManageOrganisation(token) {
+		res := error401
+		res.Message = "You don't have the right to manage organisation."
+		render.JSON(w, error401.StatusCode, error401)
+		return
+	}
 	store := datastores.Store()
-
 	db := dbStore.db
 	request := r.Body
 	err := chiRender.Bind(request, &data)
 	if err != nil || data.Avatar == nil {
 		render.JSON(w, error422.StatusCode, error422)
-	} else {
-		if err := db.DB().Ping(); err == nil {
-			err := store.Avatar().Save(data.Avatar, db)
-			if err == nil {
-				render.JSON(w, 201, data.Avatar)
-			} else {
-				render.JSON(w, err.StatusCode, err)
-			}
-		} else {
-			render.JSON(w, error503.StatusCode, error503)
-		}
+		return
 	}
+	if err := db.DB().Ping(); err != nil {
+		render.JSON(w, error503.StatusCode, error503)
+		return
+	}
+	rerr := store.Avatar().Save(data.Avatar, db)
+	if rerr != nil {
+		render.JSON(w, rerr.StatusCode, rerr)
+		return
+	}
+	render.JSON(w, 201, data.Avatar)
 }
 
 func updateAvatar(w http.ResponseWriter, r *http.Request) {
 	var data struct {
 		Avatar *models.Avatar
 		OmitID interface{} `json:"id,omitempty"`
 	}
+	token := r.Context().Value(jwtTokenKey).(*jwt.Token)
+	if !canManageOrganisation(token) {
+		res := error401
+		res.Message = "You don't have the right to manage organisation."
+		render.JSON(w, error401.StatusCode, error401)
+		return
+	}
 	store := datastores.Store()
-
 	db := dbStore.db
 	request := r.Body
 	err := chiRender.Bind(request, &data)
 	avatar := r.Context().Value(oldAvatarKey).(models.Avatar)
 	if err != nil || data.Avatar == nil {
 		render.JSON(w, error422.StatusCode, error422)
-	} else {
-		if err := db.DB().Ping(); err == nil {
-			err := store.Avatar().Update(&avatar, data.Avatar, db)
-			if err == nil {
-				render.JSON(w, 200, avatar)
-			} else {
-				render.JSON(w, err.StatusCode, err)
-			}
-		} else {
-			render.JSON(w, error503.StatusCode, error503)
-		}
+		return
+	}
+	if err := db.DB().Ping(); err != nil {
+		render.JSON(w, error503.StatusCode, error503)
+		return
 	}
+	rerr := store.Avatar().Update(&avatar, data.Avatar, db)
+	if err != nil {
+		render.JSON(w, rerr.StatusCode, rerr)
+		return
+	}
+	render.JSON(w, 200, avatar)
 }
 
 func deleteAvatar(w http.ResponseWriter, r *http.Request) {
+	token := r.Context().Value(jwtTokenKey).(*jwt.Token)
+	if !canManageOrganisation(token) {
+		res := error401
+		res.Message = "You don't have the right to manage organisation."
+		render.JSON(w, error401.StatusCode, error401)
+		return
+	}
 	avatar := r.Context().Value(oldAvatarKey).(models.Avatar)
 	store := datastores.Store()
-
 	message := deleteMessageModel{
 		Object: avatar,
 	}
 	db := dbStore.db
-	if err := db.DB().Ping(); err == nil {
-		err := store.Avatar().Delete(&avatar, db)
-		if err == nil {
-			message.Success = true
-			message.Message = "Avatar well removed."
-			render.JSON(w, 200, message)
-		} else {
-			message.Success = false
-			message.Message = err.Message
-			render.JSON(w, err.StatusCode, message.Message)
-		}
-	} else {
-		render.JSON(w, 503, error503)
+	if err := db.DB().Ping(); err != nil {
+		render.JSON(w, error503.StatusCode, error503)
+		return
+	}
+	err := store.Avatar().Delete(&avatar, db)
+	if err != nil {
+		message.Success = false
+		message.Message = err.Message
+		render.JSON(w, err.StatusCode, message.Message)
+		return
 	}
+	message.Success = true
+	message.Message = "Avatar well removed."
+	render.JSON(w, 200, message)
 }