-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathpatinterceptor.go
More file actions
55 lines (49 loc) · 2.04 KB
/
patinterceptor.go
File metadata and controls
55 lines (49 loc) · 2.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
package cidaasinterceptor
import (
"log"
"strings"
"github.com/gofiber/fiber/v2"
)
// PatInterceptor to secure APIs based on OAuth 2.0 with PAT (Personal Access Token) support
// PAT tokens can only be validated via introspection API
type PatInterceptor struct {
Options Options
endpoints cidaasEndpoints
}
// NewPatInterceptor returns a newly constructed PAT interceptor instance with the provided options
func NewPatInterceptor(opts Options) (*PatInterceptor, error) {
cidaasEndpoints, _, err := newInterceptor(opts)
if err != nil {
return nil, err
}
return &PatInterceptor{
Options: opts,
endpoints: cidaasEndpoints,
}, nil
}
// VerifyTokenByIntrospect (check for exp time, issuer and scopes, roles and groups)
// using the accesspass-srv/passes/pat/introspect endpoint
func (m *PatInterceptor) VerifyTokenByIntrospect(apiOptions SecurityOptions) fiber.Handler {
return func(ctx *fiber.Ctx) error {
// get token from auth header
tokenString := getToken(ctx.Request())
if tokenString == "" { // error getting Token from auth header
log.Printf("Error getting token from Header")
return ctx.Status(fiber.StatusUnauthorized).SendString("Unauthorized")
}
tokenData := m.introspectToken(tokenString, apiOptions)
if tokenData == nil {
return ctx.Status(fiber.StatusUnauthorized).SendString("Unauthorized")
}
ctx.Locals(FiberTokenDataKey, *tokenData)
return ctx.Next()
}
}
// introspectToken validates the token using introspection via accesspass-srv/passes/pat/introspect endpoint
// Uses common introspectTokenWithEndpoint function from introspect.go
func (m *PatInterceptor) introspectToken(tokenString string, apiOptions SecurityOptions) *TokenData {
// Construct the accesspass-srv/passes/pat/introspect endpoint (PAT-specific endpoint)
introspectEndpoint := strings.TrimSuffix(m.Options.BaseURI, "/") + "/accesspass-srv/passes/pat/introspect"
// Use common introspectTokenWithEndpoint with PAT-specific endpoint and token type hint
return introspectTokenWithEndpoint(m.Options, introspectEndpoint, tokenString, apiOptions, "pat")
}