ADD: added new auth middleware and changed the roles value ind the jwt token to a array

2025-11-23 22:55:04 +01:00
parent 139a99d96e
commit 3a6c3a86e3
9 changed files with 84 additions and 30 deletions
--- a/backend/internal/auth/middleware.go
+++ b/backend/internal/auth/middleware.go
@@ -7,6 +7,15 @@ import (
 	"github.com/gin-gonic/gin"
 )

+func contains(slice []string, item string) bool {
+	for _, s := range slice {
+		if s == item {
+			return true
+		}
+	}
+	return false
+}
+
 func AuthMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		authHeader := c.GetHeader("Authorization")
@@ -28,3 +37,43 @@ func AuthMiddleware() gin.HandlerFunc {
 		c.Next()
 	}
 }
+
+func AuthorizeJWT(requiredRole string) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		//A. Token aus Header holen
+		authHeader := c.GetHeader("Authorization")
+		if authHeader == "" {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Authorization Header fehlt"})
+			return
+		}
+
+		// "Bearer " entfernen
+		tokenString := strings.TrimPrefix(authHeader, "Bearer ")
+		if tokenString == authHeader {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Token Format muss 'Bearer <token>' sein"})
+			return
+		}
+
+		claims, err := ParseJWT(tokenString)
+		if err != nil {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Token ungültig oder abgelaufen"})
+		}
+		// --- NEUE LOGIK ---
+		// Wir prüfen: Hat der User die geforderte Rolle ODER ist er "admin"?
+		// (Angenommen "admin" darf alles. Falls nicht, entferne den "admin"-Check)
+		userHasRequiredRole := contains(claims.Role, requiredRole)
+		userIsAdmin := contains(claims.Role, "admin")
+
+		if !userHasRequiredRole && !userIsAdmin {
+			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "Keine Berechtigung"})
+			return
+		}
+
+		// User und Rollen im Context speichern (als Interface{}, daher später casten)
+		c.Set("userId", claims.UserID)
+		c.Set("email", claims.Email)
+		c.Set("role", claims.Role)
+
+		c.Next()
+	}
+}