fix: hotfix for invalid api base url prefix (#203)

2023-08-10 21:12:56 +03:00 · 2021-05-19 10:18:18 +02:00
parent 712949afc7
commit ee31212cdd
12 changed files with 486 additions and 435 deletions
--- a/routes/utils/user_utils.go
+++ b/routes/utils/user_utils.go
@@ -0,0 +1,46 @@
+package utils
+
+import (
+	"errors"
+	"github.com/gorilla/mux"
+	conf "github.com/muety/wakapi/config"
+	"github.com/muety/wakapi/middlewares"
+	"github.com/muety/wakapi/models"
+	"github.com/muety/wakapi/services"
+	"net/http"
+)
+
+// CheckEffectiveUser extracts the requested user from a URL (like '/users/{user}'), compares it with the currently authorized user and writes an HTTP error if they differ.
+// Fallback can be used to manually set a value for '{user}' if none is present.
+func CheckEffectiveUser(w http.ResponseWriter, r *http.Request, userService services.IUserService, fallback string) (*models.User, error) {
+	var vars = mux.Vars(r)
+	var authorizedUser, requestedUser *models.User
+
+	if vars["user"] == "" {
+		vars["user"] = fallback
+	}
+
+	authorizedUser = middlewares.GetPrincipal(r)
+	if authorizedUser != nil {
+		if vars["user"] == "current" {
+			vars["user"] = authorizedUser.ID
+		}
+	}
+
+	requestedUser, err := userService.GetUserById(vars["user"])
+	if err != nil {
+		err := errors.New("user not found")
+		w.WriteHeader(http.StatusNotFound)
+		w.Write([]byte(err.Error()))
+		return nil, err
+	}
+
+	if authorizedUser == nil || authorizedUser.ID != requestedUser.ID {
+		err := errors.New(conf.ErrUnauthorized)
+		w.WriteHeader(http.StatusUnauthorized)
+		w.Write([]byte(err.Error()))
+		return nil, err
+	}
+
+	return authorizedUser, nil
+}