Updated auth interface (#1384)

* Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu>
2020-03-23 16:19:30 +00:00
parent 9826ddbd64
commit e0e77f3983
23 changed files with 1842 additions and 649 deletions
--- a/api/server/auth/auth.go
+++ b/api/server/auth/auth.go
@@ -43,44 +43,42 @@ func (h authHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	} else {
 		// Get the token out the cookies if not provided in headers
 		if c, err := req.Cookie("micro-token"); err == nil && c != nil {
-			token = strings.TrimPrefix(c.Value, auth.CookieName+"=")
+			token = strings.TrimPrefix(c.Value, auth.TokenCookieName+"=")
 			req.Header.Set("Authorization", BearerScheme+token)
 		}
 	}

-	// Return if the user disabled auth on this endpoint
-	excludes := h.auth.Options().Exclude
-	excludes = append(excludes, DefaultExcludes...)
-
-	loginURL := h.auth.Options().LoginURL
-	if len(loginURL) > 0 {
-		excludes = append(excludes, loginURL)
+	// Get the account using the token, fallback to a blank account
+	// since some endpoints can be unauthenticated, so the lack of an
+	// account doesn't necesserially mean a forbidden request
+	acc, err := h.auth.Inspect(token)
+	if err != nil {
+		acc = &auth.Account{}
 	}
+	err = h.auth.Verify(acc, &auth.Resource{
+		Type:     "service",
+		Name:     "go.micro.web",
+		Endpoint: req.URL.Path,
+	})

-	for _, e := range excludes {
-		// is a standard exclude, e.g. /rpc
-		if e == req.URL.Path {
-			h.handler.ServeHTTP(w, req)
-			return
-		}
-
-		// is a wildcard exclude, e.g. /services/*
-		wildcard := strings.Replace(e, "*", "", 1)
-		if strings.HasSuffix(e, "*") && strings.HasPrefix(req.URL.Path, wildcard) {
-			h.handler.ServeHTTP(w, req)
-			return
-		}
-	}
-
-	// If the token is valid, allow the request
-	if _, err := h.auth.Verify(token); err == nil {
+	// The account has the necessary permissions to access the
+	// resource
+	if err == nil {
 		h.handler.ServeHTTP(w, req)
 		return
 	}

+	// The account is set, but they don't have enough permissions,
+	// hence we 403.
+	if len(acc.ID) > 0 {
+		w.WriteHeader(http.StatusForbidden)
+		return
+	}
+
 	// If there is no auth login url set, 401
+	loginURL := h.auth.Options().LoginURL
 	if loginURL == "" {
-		w.WriteHeader(401)
+		w.WriteHeader(http.StatusUnauthorized)
 		return
 	}