Gate searxng, notes, and hasura behind admin auth via nginx auth_request
Add ValidateAdmin endpoint that checks JWT admin claim for use as an nginx auth_request subrequest. Widen cookie path from backend endpoint to "/" so the access_token is sent on all paths. Extend access token lifetime from 24h to 7 days. Disable hasura service by default via Docker profile. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -44,7 +44,7 @@ func (r *mutationResolver) Login(ctx context.Context, input model.LoginInput) (*
|
||||
"access_token",
|
||||
tokens.AccessToken,
|
||||
int(r.Store.Auth.Config.AccessTokenLifetime.Seconds()),
|
||||
r.Store.Auth.Config.Endpoint,
|
||||
"/",
|
||||
r.Store.Auth.Config.Domain,
|
||||
true, true,
|
||||
)
|
||||
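Review bot: Widening the cookie path to `"/"` makes the browser attach the access_token to every request on the domain, which the auth_request gating described in the commit needs, but it also means the token now reaches whatever nginx proxies under that domain (searxng, notes, hasura) unless those locations drop it. Since auth_request already decides access, the proxied locations can clear the header with `proxy_set_header Cookie "";` so the JWT never leaves the auth boundary; whether the nginx config already does this is not visible here. The same widening is made in the refresh_token hunk and the two RefreshToken hunks below, and again in the store's Login/RefreshToken hunks in the next file. Login's body starts and ends outside this hunk.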
@@ -52,7 +52,7 @@ func (r *mutationResolver) Login(ctx context.Context, input model.LoginInput) (*
|
||||
"refresh_token",
|
||||
tokens.RefreshToken,
|
||||
int(r.Store.Auth.Config.RefreshTokenLifetime.Seconds()),
|
||||
r.Store.Auth.Config.Endpoint,
|
||||
"/",
|
||||
r.Store.Auth.Config.Domain,
|
||||
true, true,
|
||||
)
|
||||
@@ -112,7 +112,7 @@ func (r *mutationResolver) RefreshToken(ctx context.Context) (*model.AuthPayload
|
||||
"access_token",
|
||||
tokens.AccessToken,
|
||||
int(r.Store.Auth.Config.AccessTokenLifetime.Seconds()),
|
||||
r.Store.Auth.Config.Endpoint,
|
||||
"/",
|
||||
r.Store.Auth.Config.Domain,
|
||||
true, true,
|
||||
)
|
||||
@@ -120,7 +120,7 @@ func (r *mutationResolver) RefreshToken(ctx context.Context) (*model.AuthPayload
|
||||
"refresh_token",
|
||||
tokens.RefreshToken,
|
||||
int(r.Store.Auth.Config.RefreshTokenLifetime.Seconds()),
|
||||
r.Store.Auth.Config.Endpoint,
|
||||
"/",
|
||||
r.Store.Auth.Config.Domain,
|
||||
true, true,
|
||||
)
|
||||
|
||||
@@ -50,6 +50,28 @@ func (store *Store) AdminMiddleware(ctx *gin.Context) {
|
||||
ctx.Next()
|
||||
}
|
||||
|
||||
func (store *Store) ValidateAdmin(ctx *gin.Context) {
|
||||
accessToken, err := ctx.Cookie("access_token")
|
||||
if err != nil {
|
||||
ctx.Status(http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
claims, err := store.Auth.VerifyJWT(accessToken)
|
||||
if err != nil {
|
||||
ctx.Status(http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
admin, ok := (*claims)["admin"].(bool)
|
||||
if !ok || !admin {
|
||||
ctx.Status(http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
ctx.Status(http.StatusOK)
|
||||
}
|
||||
|
||||
func (store *Store) CheckToken(ctx *gin.Context) {
|
||||
access_token, err := ctx.Cookie("access_token")
|
||||
if err != nil {
|
||||
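Review bot: ValidateAdmin is exported without a doc comment and repeats the admin-claim check that AdminMiddleware (named in the hunk header) already performs; reading the claim through one shared helper would keep the claim name and type in a single place if either changes. A doc comment of the form `// ValidateAdmin answers an nginx auth_request subrequest: 200 when the access_token cookie holds a verified JWT with admin=true, 401 when the cookie is missing or fails verification, 403 otherwise.` would state the contract the proxy depends on. Whether `store.Auth.VerifyJWT` enforces the token's expiry is not visible in this hunk and is worth confirming, since this endpoint is now the only check in front of services that have none of their own. CheckToken's body continues past the hunk.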
@@ -123,7 +145,7 @@ func (store *Store) RefreshToken(ctx *gin.Context) {
|
||||
"access_token",
|
||||
tokens.AccessToken,
|
||||
int(store.Auth.Config.AccessTokenLifetime.Seconds()),
|
||||
store.Auth.Config.Endpoint,
|
||||
"/",
|
||||
store.Auth.Config.Domain,
|
||||
true, true,
|
||||
)
|
||||
@@ -131,7 +153,7 @@ func (store *Store) RefreshToken(ctx *gin.Context) {
|
||||
"refresh_token",
|
||||
tokens.RefreshToken,
|
||||
int(store.Auth.Config.RefreshTokenLifetime.Seconds()),
|
||||
store.Auth.Config.Endpoint,
|
||||
"/",
|
||||
store.Auth.Config.Domain,
|
||||
true, true,
|
||||
)
|
||||
@@ -169,7 +191,7 @@ func (store *Store) Login(ctx *gin.Context) {
|
||||
"access_token",
|
||||
tokens.AccessToken,
|
||||
int(store.Auth.Config.AccessTokenLifetime.Seconds()),
|
||||
store.Auth.Config.Endpoint,
|
||||
"/",
|
||||
store.Auth.Config.Domain,
|
||||
true, true,
|
||||
)
|
||||
@@ -177,7 +199,7 @@ func (store *Store) Login(ctx *gin.Context) {
|
||||
"refresh_token",
|
||||
tokens.RefreshToken,
|
||||
int(store.Auth.Config.RefreshTokenLifetime.Seconds()),
|
||||
store.Auth.Config.Endpoint,
|
||||
"/",
|
||||
store.Auth.Config.Domain,
|
||||
true, true,
|
||||
)
|
||||
@@ -197,7 +219,7 @@ func (store *Store) removeCookies(ctx *gin.Context) {
|
||||
"access_token",
|
||||
"",
|
||||
-1,
|
||||
store.Auth.Config.Endpoint,
|
||||
"/",
|
||||
store.Auth.Config.Domain,
|
||||
true, true,
|
||||
)
|
||||
@@ -205,7 +227,7 @@ func (store *Store) removeCookies(ctx *gin.Context) {
|
||||
"refresh_token",
|
||||
"",
|
||||
-1,
|
||||
store.Auth.Config.Endpoint,
|
||||
"/",
|
||||
store.Auth.Config.Domain,
|
||||
true, true,
|
||||
)
|
||||
|
||||
@@ -173,7 +173,7 @@ func (store *Store) DeleteUser(ctx *gin.Context) {
|
||||
"access_token",
|
||||
"",
|
||||
-1,
|
||||
store.Auth.Config.Endpoint,
|
||||
"/",
|
||||
store.Auth.Config.Domain,
|
||||
true, true,
|
||||
)
|
||||
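Review bot: The cleared cookie here is scoped to `"/"`, but browsers key cookies by name, domain and path, so an access_token issued before this change under the old `store.Auth.Config.Endpoint` path is not touched by this Set-Cookie and stays in the browser, still being sent on requests to that path, until it expires. Issuing the same deletion a second time with `store.Auth.Config.Endpoint` as the path argument, for at least one release after deploy, closes that window. The same applies to the refresh_token hunk below and to the two removeCookies hunks in the previous file. DeleteUser's body starts and ends outside this hunk.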
@@ -181,7 +181,7 @@ func (store *Store) DeleteUser(ctx *gin.Context) {
|
||||
"refresh_token",
|
||||
"",
|
||||
-1,
|
||||
store.Auth.Config.Endpoint,
|
||||
"/",
|
||||
store.Auth.Config.Domain,
|
||||
true, true,
|
||||
)
|
||||
|
||||
@@ -70,7 +70,7 @@ func main() {
|
||||
|
||||
authSecret := os.Getenv("BACKEND_SECRET")
|
||||
backendEndpoint := os.Getenv("BACKEND_ENDPOINT")
|
||||
accessTokenLifetime := 24 * time.Hour
|
||||
accessTokenLifetime := 7 * 24 * time.Hour
|
||||
refreshTokenLifetime := 365 * 24 * time.Hour
|
||||
authConfig := services.AuthConfig{Secret: []byte(authSecret), Domain: domainName, RefreshTokenLifetime: refreshTokenLifetime, AccessTokenLifetime: accessTokenLifetime, Endpoint: backendEndpoint}
|
||||
auth := services.InitAuth(&authConfig)
|
||||
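Review bot: `accessTokenLifetime := 7 * 24 * time.Hour` is a bare constant with no note on why the lifetime grew from 24h, and together with the new ValidateAdmin route registered in the next hunk it means an admin claim is honored for a full week with no server-side check beyond JWT verification, as far as this diff shows. A short comment such as `// 7 days: the access_token is also the admin gate for proxied services via auth_request, so this bounds how long a revoked admin keeps access` would record the tradeoff for the next reader. Whether the refresh flow or VerifyJWT consults any revocation state is not visible here. main's body starts and ends outside this hunk.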
@@ -122,6 +122,7 @@ func main() {
|
||||
r.POST("/auth/refresh", store.RefreshToken)
|
||||
r.GET("/auth/check", store.CheckToken)
|
||||
r.POST("/auth/logout", store.Logout)
|
||||
r.GET("/auth/validate-admin", store.ValidateAdmin)
|
||||
|
||||
// SPOTIFY
|
||||
r.GET("/spotify/callback", store.CompleteSpotifyAuth)
|
||||
|
||||