Merge pull request #45 from titouanfreville/issue-30-secureAPI

Issue 30 secure api
titouanfreville · Mar 27, 2017 · 2613de6 · 2613de6
2 parents 15bc0a4 + 8453cd0
commit 2613de6
Show file tree

Hide file tree

Showing 13 changed files with 294 additions and 366 deletions.
diff --git a/api/api.go b/api/api.go
@@ -262,6 +262,7 @@ func loginMiddleware(w http.ResponseWriter, r *http.Request) {
 	request := r.Body
 	err := chiRender.Bind(request, &data)
 	if err != nil {
+		log.Print("422 Here - loginMiddleware")
 		render.JSON(w, error422.StatusCode, error422)
 		return
 	}
@@ -291,7 +292,7 @@ func initOrganisation(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if jwtErr, ok := ctx.Value(jwtErrorKey).(error); ok {
 		if jwtErr != nil {
-			render.JSON(w, 401, jwtErr)
+			render.JSON(w, 401, "Token not found. You Are not allowed to proceed without token.")
 			return
 		}
 	}
@@ -367,6 +368,7 @@ func newPublicUser(w http.ResponseWriter, r *http.Request) {
 		render.JSON(w, 401, "You can't sign up if organisation is not public or your email domain was unauthorized.")
 	}
 	if err != nil || data.User == nil {
+		log.Print("422 here. New Public User")
 		render.JSON(w, error422.StatusCode, error422)
 	} else {
 		if err := db.DB().Ping(); err == nil {
@@ -406,6 +408,7 @@ func StartAPI(hostname string, port string, DbConnectionInfo *configs.DbConnecti
 	initRoleRoute(router)
 	initUserRoute(router)
 	initDevGetter(router)
+	// initUserParameterRoute(router)
 	// Passing -routes to the program will generate docs for the above
 	// router definition. See the `routes.json` file in this folder for
 	// the output.

diff --git a/api/channel_route.go b/api/channel_route.go
@@ -5,6 +5,8 @@ import (
 	"net/http"
 	"strconv"
 
+	"log"
+
 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/pressly/chi"
 	chiRender "github.com/pressly/chi/render"
@@ -45,29 +47,6 @@ func initChannelRoute(router chi.Router) {
 		// 	  503: databaseError
 		// 	  default: genericError
 		r.Post("/", newChannel)
-		// swagger:route GET /channel/all Channels getAllChannel1
-		//
-		// Get channels
-		//
-		// This will get all the channels available in the organisation.
-		//
-		// 	Responses:
-		//    200: channelArraySuccess
-		// 	  503: databaseError
-		// 	  default: genericError
-		r.Get("/all", getAllChannel)
-		// swagger:route POST /channel/new Channels newChannel1
-		//
-		// New channel
-		//
-		// This will create an channel for organisation channels library.
-		//
-		// 	Responses:
-		//    201: channelObjectSuccess
-		// 	  422: wrongEntity
-		// 	  503: databaseError
-		// 	  default: genericError
-		r.Post("/new", newChannel)
 		// swagger:route GET /channel/public Channels getPublicChannel
 		//
 		// Get public channels
@@ -106,24 +85,19 @@ func initChannelRoute(router chi.Router) {
 				r.Get("/", getChannelFromType)
 			})
 		})
-		r.Route("/name/", func(r chi.Router) {
-			r.Route("/:channelName", func(r chi.Router) {
-				r.Use(channelContext)
-				// swagger:route GET /channel/name/{channelName} Channels getChannelFromName
-				//
-				// Get nammed channel
-				//
-				// This will get the channels having provided name in the organisation.
-				//
-				// 	Responses:
-				//    200: channelObjectSuccess
-				// 	  503: databaseError
-				// 	  default: genericError
-				r.Get("/", getChannelFromName)
-			})
-		})
 		r.Route("/:channelID", func(r chi.Router) {
 			r.Use(channelContext)
+			// swagger:route GET /channel/{channelID} Channels getChannelFromID
+			//
+			// Get nammed channel  - Currently in conflict with channel/{channelID}/member/{}
+			//
+			// This will get the channels having provided name in the organisation.
+			//
+			// 	Responses:
+			//    200: channelObjectSuccess
+			// 	  503: databaseError
+			// 	  default: genericError
+			r.Get("/", getChannelFromID)
 			// swagger:route PUT /channel/{channelID} Channels updateChannel
 			//
 			// Update channel
@@ -135,7 +109,7 @@ func initChannelRoute(router chi.Router) {
 			// 	  422: wrongEntity
 			// 	  503: databaseError
 			// 	  default: genericError
-			r.Put("/update", updateChannel)
+			r.Put("/", updateChannel)
 			// swagger:route DELETE /channel/{channelID} Channels deleteChannel
 			//
 			// Delete channel
@@ -146,7 +120,8 @@ func initChannelRoute(router chi.Router) {
 			//    200: deleteMessage
 			// 	  503: databaseError
 			// 	  default: genericError
-			r.Delete("/delete", deleteChannel)
+			r.Delete("/", deleteChannel)
+			initMemberOverChannel(r)
 		})
 	})
 }
@@ -178,13 +153,15 @@ func canArchive(currentChannelID uint64, token *jwt.Token) bool {
 func channelContext(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		channelID, err := strconv.ParseUint(chi.URLParam(r, "channelID"), 10, 64)
-		name := chi.URLParam(r, "channelName")
+		name := chi.URLParam(r, "channelID")
 		channelType := chi.URLParam(r, "channelType")
 		oldChannel := models.Channel{}
 		ctx := context.WithValue(r.Context(), channelNameKey, name)
 		ctx = context.WithValue(ctx, channelTypeKey, channelType)
 		if err == nil {
 			oldChannel = datastores.Store().Channel().GetByID(channelID, dbStore.db)
+		} else {
+			oldChannel = datastores.Store().Channel().GetByName(name, dbStore.db)
 		}
 		ctx = context.WithValue(ctx, oldChannelKey, oldChannel)
 		next.ServeHTTP(w, r.WithContext(ctx))
@@ -227,15 +204,13 @@ func getPrivateChannel(w http.ResponseWriter, r *http.Request) {
 
 }
 
-func getChannelFromName(w http.ResponseWriter, r *http.Request) {
-	store := datastores.Store()
+func getChannelFromID(w http.ResponseWriter, r *http.Request) {
 	db := dbStore.db
 	if err := db.DB().Ping(); err != nil {
 		render.JSON(w, error503.StatusCode, error503)
 		return
 	}
-	name := r.Context().Value(channelNameKey).(string)
-	channel := store.Channel().GetByName(name, db)
+	channel := r.Context().Value(oldChannelKey).(models.Channel)
 	render.JSON(w, 200, channel)
 }
 
@@ -252,10 +227,7 @@ func getChannelFromType(w http.ResponseWriter, r *http.Request) {
 }
 
 func newChannel(w http.ResponseWriter, r *http.Request) {
-	var data struct {
-		Channel *models.Channel
-		OmitID  interface{} `json:"id,omitempty"`
-	}
+	var Channel models.Channel
 	token := r.Context().Value(jwtTokenKey).(*jwt.Token)
 	if !canManageUser("global", false, "", token) {
 		res := error401
@@ -266,49 +238,48 @@ func newChannel(w http.ResponseWriter, r *http.Request) {
 	store := datastores.Store()
 	db := dbStore.db
 	request := r.Body
-	err := chiRender.Bind(request, &data)
-	if err != nil || data.Channel == nil {
+	err := chiRender.Bind(request, &Channel)
+	if err != nil || Channel == (models.Channel{}) {
+		log.Print("422 here - new channel")
 		render.JSON(w, error422.StatusCode, error422)
 		return
 	}
 	if err := db.DB().Ping(); err != nil {
 		render.JSON(w, error503.StatusCode, error503)
 		return
 	}
-	rerr := store.Channel().Save(data.Channel, db)
+	rerr := store.Channel().Save(&Channel, db)
 	if err != nil {
 		render.JSON(w, rerr.StatusCode, rerr)
 		return
 	}
-	render.JSON(w, 201, data.Channel)
+	render.JSON(w, 201, Channel)
 }
 
 func updateChannel(w http.ResponseWriter, r *http.Request) {
-	var data struct {
-		Channel *models.Channel
-		OmitID  interface{} `json:"id,omitempty"`
-	}
+	var Channel models.Channel
 	channel := r.Context().Value(oldChannelKey).(models.Channel)
 	token := r.Context().Value(jwtTokenKey).(*jwt.Token)
 	if !canManageUser(channel.ChannelName, false, "", token) {
 		res := error401
-		res.Message = "You don't have the right to manage user."
+		res.Message = "You don't have the right to manage channels."
 		render.JSON(w, error401.StatusCode, error401)
 		return
 	}
 	store := datastores.Store()
 	db := dbStore.db
 	request := r.Body
-	err := chiRender.Bind(request, &data)
-	if err != nil || data.Channel == nil {
+	err := chiRender.Bind(request, &Channel)
+	if err != nil || Channel == (models.Channel{}) {
+		log.Print("422 here - Update channel")
 		render.JSON(w, error422.StatusCode, error422)
 		return
 	}
 	if err := db.DB().Ping(); err != nil {
 		render.JSON(w, error503.StatusCode, error503)
 		return
 	}
-	rerr := store.Channel().Update(&channel, data.Channel, db)
+	rerr := store.Channel().Update(&channel, &Channel, db)
 	if err == nil {
 		render.JSON(w, rerr.StatusCode, rerr)
 		return
@@ -321,7 +292,7 @@ func deleteChannel(w http.ResponseWriter, r *http.Request) {
 	token := r.Context().Value(jwtTokenKey).(*jwt.Token)
 	if !canManageUser(channel.ChannelName, false, "", token) {
 		res := error401
-		res.Message = "You don't have the right to manage user."
+		res.Message = "You don't have the right to manage channels."
 		render.JSON(w, error401.StatusCode, error401)
 		return
 	}

diff --git a/api/jwtauth.go b/api/jwtauth.go
@@ -210,7 +210,7 @@ func Authenticator(next http.Handler) http.Handler {
 
 		if jwtErr, ok := ctx.Value(jwtErrorKey).(error); ok {
 			if jwtErr != nil {
-				render.JSON(w, 401, jwtErr)
+				render.JSON(w, 401, "Token not found. You Are not allowed to proceed without token.")
 				return
 			}
 		}
@@ -245,7 +245,7 @@ func allowUserCreationFromToken(next http.Handler) http.Handler {
 
 		if jwtErr, ok := ctx.Value(jwtErrorKey).(error); ok {
 			if jwtErr != nil {
-				render.JSON(w, 401, jwtErr)
+				render.JSON(w, 401, "Token not found. You Are not allowed to proceed without token.")
 				return
 			}
 		}