mirror of
https://github.com/GlueOps/autoglue.git
synced 2026-02-13 04:40:05 +01:00
package httpmiddleware
import (
"net/http"
"github.com/glueops/autoglue/internal/utils"
)
// RequireAuthenticatedUser returns middleware that only lets a request through
// when its context carries a non-nil user principal (i.e. not an org/machine
// key). Any other request is answered with 401 "unauthorized" and the wrapped
// handler is never invoked.
//
// The check reads the principal solely through UserFrom(r.Context()).
// NOTE(review): this presumably relies on an earlier authentication middleware
// having stored the user in the request context; confirm that it is always
// registered ahead of this one. If it is not, every request is denied.
func RequireAuthenticatedUser() func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		guard := func(w http.ResponseWriter, r *http.Request) {
			principal, found := UserFrom(r.Context())
			if found && principal != nil {
				next.ServeHTTP(w, r)
				return
			}
			// Fail closed: no user in context means the caller is probably an
			// org/machine principal, or is not authenticated at all.
			utils.WriteError(w, http.StatusUnauthorized, "unauthorized", "user principal required")
		}
		return http.HandlerFunc(guard)
	}
}
// RequirePlatformAdmin returns middleware that requires a user principal with
// IsAdmin=true. This is platform-wide (non-org) admin and does NOT depend on
// org roles.
//
// Outcomes:
//   - no user principal in the request context: 401 "unauthorized"
//   - user present but IsAdmin is false: 403 "forbidden"
//   - user present and IsAdmin is true: the wrapped handler runs
//
// NOTE(review): IsAdmin is read from whatever user value UserFrom returns for
// this request. Whether that reflects the current stored admin flag or a value
// cached at login depends on how the upstream authentication middleware loads
// the user; confirm that a revoked admin loses access promptly.
func RequirePlatformAdmin() func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		gate := func(w http.ResponseWriter, r *http.Request) {
			principal, found := UserFrom(r.Context())
			switch {
			case !found || principal == nil:
				// Authentication is checked before authorization so that a
				// missing user never reaches the IsAdmin dereference.
				utils.WriteError(w, http.StatusUnauthorized, "unauthorized", "user principal required")
			case !principal.IsAdmin:
				utils.WriteError(w, http.StatusForbidden, "forbidden", "platform admin required")
			default:
				next.ServeHTTP(w, r)
			}
		}
		return http.HandlerFunc(gate)
	}
}
// RequireUserAdmin is an alias for RequirePlatformAdmin, kept for readability
// at call sites. It enforces exactly the same checks: a user principal must be
// present (401 otherwise) and must have IsAdmin=true (403 otherwise). It does
// not consult org roles.
func RequireUserAdmin() func(http.Handler) http.Handler {
	adminOnly := RequirePlatformAdmin()
	return adminOnly
}