gateway: unify/improve handling of authenticated user
The auth check that returns an Unauthenticated (http 401) error must be performed by the auth checker. In the actions we assume it has already been done, and in case of a missing authenticated user we return a Forbidden error (http 403).
This commit is contained in:
parent
ba28b00cf1
commit
ef2e41601a
|
@ -342,7 +342,7 @@ type OrgInvitationResponse struct {
|
|||
|
||||
func (h *ActionHandler) GetOrgInvitations(ctx context.Context, orgRef string, limit int) ([]*cstypes.OrgInvitation, error) {
|
||||
if !common.IsUserLogged(ctx) {
|
||||
return nil, errors.Errorf("user not logged in")
|
||||
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
|
||||
}
|
||||
|
||||
org, _, err := h.configstoreClient.GetOrg(ctx, orgRef)
|
||||
|
@ -373,7 +373,7 @@ type CreateOrgInvitationRequest struct {
|
|||
|
||||
func (h *ActionHandler) CreateOrgInvitation(ctx context.Context, req *CreateOrgInvitationRequest) (*OrgInvitationResponse, error) {
|
||||
if !common.IsUserLogged(ctx) {
|
||||
return nil, errors.Errorf("user not logged in")
|
||||
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
|
||||
}
|
||||
|
||||
if h.organizationMemberAddingMode != OrganizationMemberAddingModeInvitation {
|
||||
|
@ -484,9 +484,8 @@ func (h *ActionHandler) OrgInvitationAction(ctx context.Context, req *OrgInvitat
|
|||
}
|
||||
|
||||
func (h *ActionHandler) DeleteOrgInvitation(ctx context.Context, orgRef string, userRef string) error {
|
||||
userID := common.CurrentUserID(ctx)
|
||||
if userID == "" {
|
||||
return errors.Errorf("user not authenticated")
|
||||
if !common.IsUserLogged(ctx) {
|
||||
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
|
||||
}
|
||||
|
||||
orgInvitation, _, err := h.configstoreClient.GetOrgInvitation(ctx, orgRef, userRef)
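Review bot: The rewritten guard in GetOrgInvitations, and the identical guards in CreateOrgInvitation and DeleteOrgInvitation below, give no hint why an unauthenticated caller is answered with Forbidden rather than Unauthenticated; the rationale lives only in the commit description. A one-line comment above each `if !common.IsUserLogged(ctx) {` would keep that contract visible to the next reader, e.g. `// The auth checker is responsible for the Unauthenticated (401) response; an action reached without a logged user answers Forbidden (403).` Each of the three function bodies continues outside its hunk.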
|
||||
|
|
|
@ -64,6 +64,9 @@ type CreateProjectRequest struct {
|
|||
}
|
||||
|
||||
func (h *ActionHandler) CreateProject(ctx context.Context, req *CreateProjectRequest) (*csapitypes.Project, error) {
|
||||
if !common.IsUserLogged(ctx) {
|
||||
return nil, util.NewAPIError(util.ErrBadRequest, util.WithAPIErrorMsg("user not authenticated"))
|
||||
}
|
||||
curUserID := common.CurrentUserID(ctx)
|
||||
|
||||
user, _, err := h.configstoreClient.GetUser(ctx, curUserID)
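Review bot: The guard at the top of CreateProject maps a missing authenticated user to `util.ErrBadRequest`, while every other guard this commit adds or rewrites (and the commit description) uses `util.ErrForbidden`; if this line is on the new side, as the +3 count of the hunk suggests, it should read `return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))`. Answering 400 to an unauthenticated caller also hides the event from any client or monitoring that keys on 401/403 to recognise auth failures. CreateProject's body continues outside the hunk.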
|
||||
|
|
|
@ -330,6 +330,11 @@ type RunTaskActionsRequest struct {
|
|||
}
|
||||
|
||||
func (h *ActionHandler) RunTaskAction(ctx context.Context, req *RunTaskActionsRequest) error {
|
||||
if !common.IsUserLogged(ctx) {
|
||||
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
|
||||
}
|
||||
curUserID := common.CurrentUserID(ctx)
|
||||
|
||||
canDoRunAction, groupID, err := h.CanAuthUserDoRunActions(ctx, req.GroupType, req.Ref, actionTypeTaskAction)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "failed to determine permissions")
|
||||
|
@ -347,11 +352,6 @@ func (h *ActionHandler) RunTaskAction(ctx context.Context, req *RunTaskActionsRe
|
|||
|
||||
runID := runResp.Run.ID
|
||||
|
||||
curUserID := common.CurrentUserID(ctx)
|
||||
if curUserID == "" {
|
||||
return util.NewAPIError(util.ErrBadRequest, util.WithAPIErrorMsg("no logged in user"))
|
||||
}
|
||||
|
||||
switch req.ActionType {
|
||||
case RunTaskActionTypeApprove:
|
||||
rt, ok := runResp.Run.Tasks[req.TaskID]
|
||||
|
|
|
@ -59,7 +59,6 @@ func (h *ActionHandler) GetCurrentUser(ctx context.Context) (*PrivateUserRespons
|
|||
if !common.IsUserLogged(ctx) {
|
||||
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
|
||||
}
|
||||
|
||||
userID := common.CurrentUserID(ctx)
|
||||
|
||||
user, _, err := h.configstoreClient.GetUser(ctx, userID)
|
||||
|
@ -82,7 +81,7 @@ func (h *ActionHandler) GetCurrentUser(ctx context.Context) (*PrivateUserRespons
|
|||
|
||||
func (h *ActionHandler) GetUser(ctx context.Context, userRef string) (*cstypes.User, error) {
|
||||
if !common.IsUserLoggedOrAdmin(ctx) {
|
||||
return nil, errors.Errorf("user not logged in")
|
||||
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
|
||||
}
|
||||
|
||||
user, _, err := h.configstoreClient.GetUser(ctx, userRef)
|
||||
|
@ -257,6 +256,10 @@ type CreateUserTokenRequest struct {
|
|||
}
|
||||
|
||||
func (h *ActionHandler) CreateUserToken(ctx context.Context, req *CreateUserTokenRequest) (string, error) {
|
||||
if !common.IsUserLoggedOrAdmin(ctx) {
|
||||
return "", util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
|
||||
}
|
||||
|
||||
isAdmin := common.IsUserAdmin(ctx)
|
||||
userID := common.CurrentUserID(ctx)
|
||||
|
||||
|
@ -738,10 +741,13 @@ func (h *ActionHandler) HandleRemoteSourceAuth(ctx context.Context, remoteSource
|
|||
return nil, APIErrorFromRemoteError(err, util.WithAPIErrorMsg("failed to get user %q", req.UserRef))
|
||||
}
|
||||
|
||||
curUserID := common.CurrentUserID(ctx)
|
||||
|
||||
// user must be already logged in the create a linked account and can create a
|
||||
// linked account only on itself.
|
||||
if !common.IsUserLogged(ctx) {
|
||||
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
|
||||
}
|
||||
curUserID := common.CurrentUserID(ctx)
|
||||
|
||||
if user.ID != curUserID {
|
||||
return nil, util.NewAPIError(util.ErrBadRequest, util.WithAPIErrorMsg("logged in user cannot create linked account for another user"))
|
||||
}
|
||||
|
@ -1003,7 +1009,7 @@ func (h *ActionHandler) DeleteUser(ctx context.Context, userRef string) error {
|
|||
|
||||
func (h *ActionHandler) DeleteUserLA(ctx context.Context, userRef, laID string) error {
|
||||
if !common.IsUserLoggedOrAdmin(ctx) {
|
||||
return errors.Errorf("user not logged in")
|
||||
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
|
||||
}
|
||||
|
||||
isAdmin := common.IsUserAdmin(ctx)
|
||||
|
@ -1027,7 +1033,7 @@ func (h *ActionHandler) DeleteUserLA(ctx context.Context, userRef, laID string)
|
|||
|
||||
func (h *ActionHandler) DeleteUserToken(ctx context.Context, userRef, tokenName string) error {
|
||||
if !common.IsUserLoggedOrAdmin(ctx) {
|
||||
return errors.Errorf("user not logged in")
|
||||
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
|
||||
}
|
||||
|
||||
isAdmin := common.IsUserAdmin(ctx)
|
||||
|
@ -1063,6 +1069,11 @@ type UserCreateRunRequest struct {
|
|||
}
|
||||
|
||||
func (h *ActionHandler) UserCreateRun(ctx context.Context, req *UserCreateRunRequest) error {
|
||||
if !common.IsUserLogged(ctx) {
|
||||
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
|
||||
}
|
||||
curUserID := common.CurrentUserID(ctx)
|
||||
|
||||
prRefRegexes := []*regexp.Regexp{}
|
||||
for _, res := range req.PullRequestRefRegexes {
|
||||
re, err := regexp.Compile(res)
|
||||
|
@ -1072,8 +1083,6 @@ func (h *ActionHandler) UserCreateRun(ctx context.Context, req *UserCreateRunReq
|
|||
prRefRegexes = append(prRefRegexes, re)
|
||||
}
|
||||
|
||||
curUserID := common.CurrentUserID(ctx)
|
||||
|
||||
user, _, err := h.configstoreClient.GetUser(ctx, curUserID)
|
||||
if err != nil {
|
||||
return APIErrorFromRemoteError(err, util.WithAPIErrorMsg("failed to get user %q", curUserID))
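Review bot: In HandleRemoteSourceAuth the new `IsUserLogged` guard returns Forbidden, but the ownership check just below it (`if user.ID != curUserID`) still answers `util.ErrBadRequest` when a logged-in user tries to create a linked account for another user, which is an authorization failure rather than a malformed request; for consistency with the rest of this commit it would be `return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("logged in user cannot create linked account for another user"))`. That line appears to be unchanged context here, so leaving it may be deliberate, but a 400 makes the cross-user attempt indistinguishable from a client mistake in logs. The comment above the guard also reads "logged in the create a linked account", presumably meant as "logged in to create a linked account". HandleRemoteSourceAuth starts and ends outside the hunk.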
|
||||
|
|
|
@ -227,7 +227,7 @@ func TestCookieAuth(t *testing.T) {
|
|||
}, nil)
|
||||
testutil.NilError(t, err)
|
||||
|
||||
// Test auth passing recevied login response cookies
|
||||
// Test auth passing received login response cookies
|
||||
authCookieName := common.AuthCookieName(false)
|
||||
secondaryAuthCookieName := common.SecondaryAuthCookieName()
|
||||
cookies := resp.Cookies()
|
||||
|
|