ADD: added new auth middleware and changed the roles value ind the jwt token to a array

2025-11-23 22:55:04 +01:00
parent 139a99d96e
commit 3a6c3a86e3
9 changed files with 84 additions and 30 deletions
--- a/backend/internal/auth/handler.go
+++ b/backend/internal/auth/handler.go
@@ -35,8 +35,8 @@ func LoginHandler(c *gin.Context, db *sql.DB) {
 	// Systemnutzer
 	var token string
 	var err error
-	if req.Email == "test@localhost.de" {
-		token, err = CreateJWT("system-user-id", req.Email, "admin", 60*time.Minute)
+	if req.Email == "test@localhost.de" { //nolint:goconst
+		token, err = CreateJWT("system-user-id", req.Email, []string{"admin"}, 60*time.Minute)
 	} else {

 		hash, err := common.HashPassword(req.Password)
@@ -55,7 +55,7 @@ func LoginHandler(c *gin.Context, db *sql.DB) {
 			return
 		}
 		// Create JWT token
-		token, err = CreateJWT(loggedInPlayer.UUID, req.Email, "player", 60*time.Minute)
+		token, err = CreateJWT(loggedInPlayer.UUID, req.Email, []string{"player"}, 60*time.Minute)
 		if err != nil {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": "Token creation error"})
 			return
--- a/backend/internal/auth/jwt.go
+++ b/backend/internal/auth/jwt.go
@@ -2,6 +2,7 @@ package auth

 import (
 	"errors"
+	"fmt"
 	"time"

 	"github.com/golang-jwt/jwt/v4"
@@ -10,38 +11,39 @@ import (
 var jwtSecret = []byte("supersecret")

 type Claims struct {
-	UserID string
-	Email  string
-	Role   string
+	UserID string   `json:"userId"`
+	Email  string   `json:"email"`
+	Role   []string `json:"role"`
+	jwt.RegisteredClaims
 }

-func CreateJWT(userID, email, role string, duration time.Duration) (string, error) {
+func CreateJWT(userID string, email string, role []string, duration time.Duration) (string, error) {
 	claims := jwt.MapClaims{
 		"userId": userID,
 		"email":  email,
 		"role":   role,
 		"exp":    time.Now().Add(duration).Unix(),
 	}
-
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	return token.SignedString(jwtSecret)
 }

-func ParseJWT(tokenStr string) (*Claims, error) {
-	token, err := jwt.Parse(tokenStr, func(token *jwt.Token) (interface{}, error) {
+func ParseJWT(tokenString string) (*Claims, error) {
+
+	claims := &Claims{}
+	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
+		// Algorithmus Check (Sicherheit)
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unerwartete Signing-Methode: %v", token.Header["alg"])
+		}
 		return jwtSecret, nil
 	})
+
+	// C. Validierung
 	if err != nil || !token.Valid {
+
 		return nil, errors.New("invalid token")
 	}
-	claims, ok := token.Claims.(jwt.MapClaims)
-	if !ok {
-		return nil, errors.New("invalid claims")
-	}

-	return &Claims{
-		UserID: claims["userId"].(string),
-		Email:  claims["email"].(string),
-		Role:   claims["role"].(string),
-	}, nil
+	return claims, nil
 }
--- a/backend/internal/auth/middleware.go
+++ b/backend/internal/auth/middleware.go
@@ -7,6 +7,15 @@ import (
 	"github.com/gin-gonic/gin"
 )

+func contains(slice []string, item string) bool {
+	for _, s := range slice {
+		if s == item {
+			return true
+		}
+	}
+	return false
+}
+
 func AuthMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		authHeader := c.GetHeader("Authorization")
@@ -28,3 +37,43 @@ func AuthMiddleware() gin.HandlerFunc {
 		c.Next()
 	}
 }
+
+func AuthorizeJWT(requiredRole string) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		//A. Token aus Header holen
+		authHeader := c.GetHeader("Authorization")
+		if authHeader == "" {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Authorization Header fehlt"})
+			return
+		}
+
+		// "Bearer " entfernen
+		tokenString := strings.TrimPrefix(authHeader, "Bearer ")
+		if tokenString == authHeader {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Token Format muss 'Bearer <token>' sein"})
+			return
+		}
+
+		claims, err := ParseJWT(tokenString)
+		if err != nil {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Token ungültig oder abgelaufen"})
+		}
+		// --- NEUE LOGIK ---
+		// Wir prüfen: Hat der User die geforderte Rolle ODER ist er "admin"?
+		// (Angenommen "admin" darf alles. Falls nicht, entferne den "admin"-Check)
+		userHasRequiredRole := contains(claims.Role, requiredRole)
+		userIsAdmin := contains(claims.Role, "admin")
+
+		if !userHasRequiredRole && !userIsAdmin {
+			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "Keine Berechtigung"})
+			return
+		}
+
+		// User und Rollen im Context speichern (als Interface{}, daher später casten)
+		c.Set("userId", claims.UserID)
+		c.Set("email", claims.Email)
+		c.Set("role", claims.Role)
+
+		c.Next()
+	}
+}
--- a/backend/internal/player/handler.go
+++ b/backend/internal/player/handler.go
@@ -11,6 +11,7 @@ import (
 )

 func GetPlayers(c *gin.Context, db *sql.DB) {
+	// log.Println(c.)
 	log.Println(c.GetString("userId"), c.GetString("email"), c.GetString("role"))
 	// Simulate fetching players from a database