gateway: unify/improve handling of authenticated user

The auth check that returns an Unauthenticated (HTTP 401) error must be
performed by the auth checker. In the action handlers we assume it has already
run; if the authenticated user is nonetheless missing we return a Forbidden
error (HTTP 403).
Simone Gotti 2024-06-17 10:49:08 +02:00
parent ba28b00cf1
commit ef2e41601a
5 changed files with 30 additions and 19 deletions


@ -342,7 +342,7 @@ type OrgInvitationResponse struct {
func (h *ActionHandler) GetOrgInvitations(ctx context.Context, orgRef string, limit int) ([]*cstypes.OrgInvitation, error) {
if !common.IsUserLogged(ctx) {
return nil, errors.Errorf("user not logged in")
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
org, _, err := h.configstoreClient.GetOrg(ctx, orgRef)
@ -373,7 +373,7 @@ type CreateOrgInvitationRequest struct {
func (h *ActionHandler) CreateOrgInvitation(ctx context.Context, req *CreateOrgInvitationRequest) (*OrgInvitationResponse, error) {
if !common.IsUserLogged(ctx) {
return nil, errors.Errorf("user not logged in")
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
if h.organizationMemberAddingMode != OrganizationMemberAddingModeInvitation {
@ -484,9 +484,8 @@ func (h *ActionHandler) OrgInvitationAction(ctx context.Context, req *OrgInvitat
}
func (h *ActionHandler) DeleteOrgInvitation(ctx context.Context, orgRef string, userRef string) error {
userID := common.CurrentUserID(ctx)
if userID == "" {
return errors.Errorf("user not authenticated")
if !common.IsUserLogged(ctx) {
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
orgInvitation, _, err := h.configstoreClient.GetOrgInvitation(ctx, orgRef, userRef)
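Review bot: The guard `if !common.IsUserLogged(ctx) { return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated")) }` is now copy-pasted into three handlers in this file and repeated in the same shape across the other changed files, so the status code and message have to be kept in sync by hand. A small helper keeps that policy in one place and each handler shrinks to `if err := requireLoggedUser(ctx); err != nil { return nil, err }`. In DeleteOrgInvitation the old `userID` local is dropped; if the remainder of that function (outside this hunk) compares the caller against the invitation's user it must read `common.CurrentUserID(ctx)` again, which I cannot confirm from here.
```go
// requireLoggedUser returns a 403 API error when no authenticated user is on
// ctx. The auth checker is expected to have already answered 401 for requests
// without credentials; this is the action-level safety net.
func requireLoggedUser(ctx context.Context) error {
	if !common.IsUserLogged(ctx) {
		return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
	}
	return nil
}
```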


@ -64,6 +64,9 @@ type CreateProjectRequest struct {
}
func (h *ActionHandler) CreateProject(ctx context.Context, req *CreateProjectRequest) (*csapitypes.Project, error) {
if !common.IsUserLogged(ctx) {
return nil, util.NewAPIError(util.ErrBadRequest, util.WithAPIErrorMsg("user not authenticated"))
}
curUserID := common.CurrentUserID(ctx)
user, _, err := h.configstoreClient.GetUser(ctx, curUserID)
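Review bot: CreateProject answers a missing authenticated user with `util.ErrBadRequest`, while every other guard added in this commit (and the 403 policy in the description) uses `util.ErrForbidden`, so this one endpoint would report 400 for the same condition. Change the line to `return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))`. CreateProject's body continues beyond the hunk.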


@ -330,6 +330,11 @@ type RunTaskActionsRequest struct {
}
func (h *ActionHandler) RunTaskAction(ctx context.Context, req *RunTaskActionsRequest) error {
if !common.IsUserLogged(ctx) {
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
curUserID := common.CurrentUserID(ctx)
canDoRunAction, groupID, err := h.CanAuthUserDoRunActions(ctx, req.GroupType, req.Ref, actionTypeTaskAction)
if err != nil {
return errors.Wrapf(err, "failed to determine permissions")
@ -347,11 +352,6 @@ func (h *ActionHandler) RunTaskAction(ctx context.Context, req *RunTaskActionsRe
runID := runResp.Run.ID
curUserID := common.CurrentUserID(ctx)
if curUserID == "" {
return util.NewAPIError(util.ErrBadRequest, util.WithAPIErrorMsg("no logged in user"))
}
switch req.ActionType {
case RunTaskActionTypeApprove:
rt, ok := runResp.Run.Tasks[req.TaskID]
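Review bot: The guard hoisted to the top of RunTaskAction carries no comment explaining why an absent user yields 403 rather than 401, which is the non-obvious decision of this commit and will read as a wrong status to the next maintainer. Suggest adding above the check: `// The auth checker rejects unauthenticated requests with 401 before we get here; a missing user at this point is treated as forbidden and the action is not performed.` Moving the check ahead of CanAuthUserDoRunActions looks like the right order, as that call presumably derives permissions from the user on ctx. RunTaskAction continues outside the hunk.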


@ -59,7 +59,6 @@ func (h *ActionHandler) GetCurrentUser(ctx context.Context) (*PrivateUserRespons
if !common.IsUserLogged(ctx) {
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
userID := common.CurrentUserID(ctx)
user, _, err := h.configstoreClient.GetUser(ctx, userID)
@ -82,7 +81,7 @@ func (h *ActionHandler) GetCurrentUser(ctx context.Context) (*PrivateUserRespons
func (h *ActionHandler) GetUser(ctx context.Context, userRef string) (*cstypes.User, error) {
if !common.IsUserLoggedOrAdmin(ctx) {
return nil, errors.Errorf("user not logged in")
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
user, _, err := h.configstoreClient.GetUser(ctx, userRef)
@ -257,6 +256,10 @@ type CreateUserTokenRequest struct {
}
func (h *ActionHandler) CreateUserToken(ctx context.Context, req *CreateUserTokenRequest) (string, error) {
if !common.IsUserLoggedOrAdmin(ctx) {
return "", util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
isAdmin := common.IsUserAdmin(ctx)
userID := common.CurrentUserID(ctx)
@ -738,10 +741,13 @@ func (h *ActionHandler) HandleRemoteSourceAuth(ctx context.Context, remoteSource
return nil, APIErrorFromRemoteError(err, util.WithAPIErrorMsg("failed to get user %q", req.UserRef))
}
curUserID := common.CurrentUserID(ctx)
// user must be already logged in the create a linked account and can create a
// linked account only on itself.
if !common.IsUserLogged(ctx) {
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
curUserID := common.CurrentUserID(ctx)
if user.ID != curUserID {
return nil, util.NewAPIError(util.ErrBadRequest, util.WithAPIErrorMsg("logged in user cannot create linked account for another user"))
}
@ -1003,7 +1009,7 @@ func (h *ActionHandler) DeleteUser(ctx context.Context, userRef string) error {
func (h *ActionHandler) DeleteUserLA(ctx context.Context, userRef, laID string) error {
if !common.IsUserLoggedOrAdmin(ctx) {
return errors.Errorf("user not logged in")
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
isAdmin := common.IsUserAdmin(ctx)
@ -1027,7 +1033,7 @@ func (h *ActionHandler) DeleteUserLA(ctx context.Context, userRef, laID string)
func (h *ActionHandler) DeleteUserToken(ctx context.Context, userRef, tokenName string) error {
if !common.IsUserLoggedOrAdmin(ctx) {
return errors.Errorf("user not logged in")
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
isAdmin := common.IsUserAdmin(ctx)
@ -1063,6 +1069,11 @@ type UserCreateRunRequest struct {
}
func (h *ActionHandler) UserCreateRun(ctx context.Context, req *UserCreateRunRequest) error {
if !common.IsUserLogged(ctx) {
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
curUserID := common.CurrentUserID(ctx)
prRefRegexes := []*regexp.Regexp{}
for _, res := range req.PullRequestRefRegexes {
re, err := regexp.Compile(res)
@ -1072,8 +1083,6 @@ func (h *ActionHandler) UserCreateRun(ctx context.Context, req *UserCreateRunReq
prRefRegexes = append(prRefRegexes, re)
}
curUserID := common.CurrentUserID(ctx)
user, _, err := h.configstoreClient.GetUser(ctx, curUserID)
if err != nil {
return APIErrorFromRemoteError(err, util.WithAPIErrorMsg("failed to get user %q", curUserID))
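Review bot: In HandleRemoteSourceAuth the new `IsUserLogged` guard sits after the `GetUser(ctx, req.UserRef)` lookup whose error is handled at the top of that hunk, so a request that reaches the action without a user still performs the lookup and receives either "failed to get user" or "user not authenticated", which distinguishes existing from non-existing user refs should the auth checker ever be misconfigured for this route. Move the guard ahead of the GetUser call so the 403 is returned before any lookup. The unchanged `user.ID != curUserID` branch still answers `util.ErrBadRequest`; that is an authorization failure on an authenticated user and fits the 403 policy this commit introduces better as `util.ErrForbidden`. HandleRemoteSourceAuth starts and continues outside this hunk.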


@ -227,7 +227,7 @@ func TestCookieAuth(t *testing.T) {
}, nil)
testutil.NilError(t, err)
// Test auth passing recevied login response cookies
// Test auth passing received login response cookies
authCookieName := common.AuthCookieName(false)
secondaryAuthCookieName := common.SecondaryAuthCookieName()
cookies := resp.Cookies()