diff --git a/server/backend/internal/httpapi/middleware.go b/server/backend/internal/httpapi/middleware.go new file mode 100644 index 0000000..081c668 --- /dev/null +++ b/server/backend/internal/httpapi/middleware.go @@ -0,0 +1,102 @@ +package httpapi + +import ( + "context" + "net/http" + "net/url" + + "git.az-it.net/az/morz-infoboard/server/backend/internal/store" +) + +// contextKey is an unexported type for context keys in this package. +// Using a named type prevents collisions with keys from other packages. +type contextKey int + +const ( + contextKeyUser contextKey = iota +) + +// UserFromContext returns the authenticated *store.User stored in ctx, +// or nil if none is present. +func UserFromContext(ctx context.Context) *store.User { + u, _ := ctx.Value(contextKeyUser).(*store.User) + return u +} + +// RequireAuth returns middleware that validates the morz_session cookie. +// On success it stores the *store.User in the request context and calls next. +// On failure it redirects to /login?next=. +func RequireAuth(authStore *store.AuthStore) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + cookie, err := r.Cookie("morz_session") + if err != nil { + redirectToLogin(w, r) + return + } + + user, err := authStore.GetSessionUser(r.Context(), cookie.Value) + if err != nil { + redirectToLogin(w, r) + return + } + + ctx := context.WithValue(r.Context(), contextKeyUser, user) + next.ServeHTTP(w, r.WithContext(ctx)) + }) + } +} + +// RequireAdmin is middleware that allows only users with role "admin". +// It must be chained after RequireAuth (so a user is present in context). +// On failure it responds with 403 Forbidden. +func RequireAdmin(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + user := UserFromContext(r.Context()) + if user == nil || user.Role != "admin" { + http.Error(w, "Forbidden", http.StatusForbidden) + return + } + next.ServeHTTP(w, r) + }) +} + +// RequireTenantAccess is middleware that allows access only when the +// authenticated user belongs to the tenant identified by the {tenantSlug} +// path value, or when the user has role "admin" (admins can access everything). +// It must be chained after RequireAuth. +func RequireTenantAccess(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + user := UserFromContext(r.Context()) + if user == nil { + http.Error(w, "Forbidden", http.StatusForbidden) + return + } + // Admins bypass tenant isolation. + if user.Role == "admin" { + next.ServeHTTP(w, r) + return + } + tenantSlug := r.PathValue("tenantSlug") + if tenantSlug != "" && user.TenantSlug != tenantSlug { + http.Error(w, "Forbidden", http.StatusForbidden) + return + } + next.ServeHTTP(w, r) + }) +} + +// chain applies a list of middleware to a handler, wrapping outermost first. +// chain(m1, m2, m3)(h) == m1(m2(m3(h))) +func chain(h http.Handler, middlewares ...func(http.Handler) http.Handler) http.Handler { + for i := len(middlewares) - 1; i >= 0; i-- { + h = middlewares[i](h) + } + return h +} + +// redirectToLogin issues a 303 redirect to /login with the current path as ?next=. +func redirectToLogin(w http.ResponseWriter, r *http.Request) { + target := "/login?next=" + url.QueryEscape(r.URL.RequestURI()) + http.Redirect(w, r, target, http.StatusSeeOther) +} diff --git a/server/backend/internal/httpapi/router.go b/server/backend/internal/httpapi/router.go index 31097fd..0d74aae 100644 --- a/server/backend/internal/httpapi/router.go +++ b/server/backend/internal/httpapi/router.go @@ -96,58 +96,74 @@ func registerManageRoutes(mux *http.ServeMux, d RouterDeps) { mux.HandleFunc("POST /login", manage.HandleLoginPost(d.AuthStore, d.Config)) mux.HandleFunc("POST /logout", manage.HandleLogoutPost(d.AuthStore)) + // Shorthand middleware combinators for this router. + authOnly := func(h http.Handler) http.Handler { + return chain(h, RequireAuth(d.AuthStore)) + } + authAdmin := func(h http.Handler) http.Handler { + return chain(h, RequireAuth(d.AuthStore), RequireAdmin) + } + authTenant := func(h http.Handler) http.Handler { + return chain(h, RequireAuth(d.AuthStore), RequireTenantAccess) + } + // ── Admin UI ────────────────────────────────────────────────────────── - mux.HandleFunc("GET /admin", manage.HandleAdminUI(d.TenantStore, d.ScreenStore)) - mux.HandleFunc("POST /admin/screens/provision", manage.HandleProvisionUI(d.TenantStore, d.ScreenStore)) - mux.HandleFunc("POST /admin/screens", manage.HandleCreateScreenUI(d.TenantStore, d.ScreenStore)) - mux.HandleFunc("POST /admin/screens/{screenId}/delete", manage.HandleDeleteScreenUI(d.ScreenStore)) + mux.Handle("GET /admin", + authAdmin(http.HandlerFunc(manage.HandleAdminUI(d.TenantStore, d.ScreenStore)))) + mux.Handle("POST /admin/screens/provision", + authAdmin(http.HandlerFunc(manage.HandleProvisionUI(d.TenantStore, d.ScreenStore)))) + mux.Handle("POST /admin/screens", + authAdmin(http.HandlerFunc(manage.HandleCreateScreenUI(d.TenantStore, d.ScreenStore)))) + mux.Handle("POST /admin/screens/{screenId}/delete", + authAdmin(http.HandlerFunc(manage.HandleDeleteScreenUI(d.ScreenStore)))) // ── Playlist management UI ──────────────────────────────────────────── - mux.HandleFunc("GET /manage/{screenSlug}", - manage.HandleManageUI(d.TenantStore, d.ScreenStore, d.MediaStore, d.PlaylistStore)) - mux.HandleFunc("POST /manage/{screenSlug}/upload", - manage.HandleUploadMediaUI(d.MediaStore, d.ScreenStore, uploadDir)) - mux.HandleFunc("POST /manage/{screenSlug}/items", - manage.HandleAddItemUI(d.PlaylistStore, d.MediaStore, d.ScreenStore, notifier)) - mux.HandleFunc("POST /manage/{screenSlug}/items/{itemId}", - manage.HandleUpdateItemUI(d.PlaylistStore, notifier)) - mux.HandleFunc("POST /manage/{screenSlug}/items/{itemId}/delete", - manage.HandleDeleteItemUI(d.PlaylistStore, notifier)) - mux.HandleFunc("POST /manage/{screenSlug}/reorder", - manage.HandleReorderUI(d.PlaylistStore, d.ScreenStore, notifier)) - mux.HandleFunc("POST /manage/{screenSlug}/media/{mediaId}/delete", - manage.HandleDeleteMediaUI(d.MediaStore, d.ScreenStore, uploadDir, notifier)) + mux.Handle("GET /manage/{screenSlug}", + authOnly(http.HandlerFunc(manage.HandleManageUI(d.TenantStore, d.ScreenStore, d.MediaStore, d.PlaylistStore)))) + mux.Handle("POST /manage/{screenSlug}/upload", + authOnly(http.HandlerFunc(manage.HandleUploadMediaUI(d.MediaStore, d.ScreenStore, uploadDir)))) + mux.Handle("POST /manage/{screenSlug}/items", + authOnly(http.HandlerFunc(manage.HandleAddItemUI(d.PlaylistStore, d.MediaStore, d.ScreenStore, notifier)))) + mux.Handle("POST /manage/{screenSlug}/items/{itemId}", + authOnly(http.HandlerFunc(manage.HandleUpdateItemUI(d.PlaylistStore, notifier)))) + mux.Handle("POST /manage/{screenSlug}/items/{itemId}/delete", + authOnly(http.HandlerFunc(manage.HandleDeleteItemUI(d.PlaylistStore, notifier)))) + mux.Handle("POST /manage/{screenSlug}/reorder", + authOnly(http.HandlerFunc(manage.HandleReorderUI(d.PlaylistStore, d.ScreenStore, notifier)))) + mux.Handle("POST /manage/{screenSlug}/media/{mediaId}/delete", + authOnly(http.HandlerFunc(manage.HandleDeleteMediaUI(d.MediaStore, d.ScreenStore, uploadDir, notifier)))) // ── JSON API — screens ──────────────────────────────────────────────── - // Self-registration: called by agent on startup (must be before /{tenantSlug}/ routes) + // Self-registration: no auth (player calls this on startup). mux.HandleFunc("POST /api/v1/screens/register", manage.HandleRegisterScreen(d.TenantStore, d.ScreenStore)) - mux.HandleFunc("GET /api/v1/tenants/{tenantSlug}/screens", - manage.HandleListScreens(d.TenantStore, d.ScreenStore)) - mux.HandleFunc("POST /api/v1/tenants/{tenantSlug}/screens", - manage.HandleCreateScreen(d.TenantStore, d.ScreenStore)) + mux.Handle("GET /api/v1/tenants/{tenantSlug}/screens", + authTenant(http.HandlerFunc(manage.HandleListScreens(d.TenantStore, d.ScreenStore)))) + mux.Handle("POST /api/v1/tenants/{tenantSlug}/screens", + authTenant(http.HandlerFunc(manage.HandleCreateScreen(d.TenantStore, d.ScreenStore)))) // ── JSON API — media ────────────────────────────────────────────────── - mux.HandleFunc("GET /api/v1/tenants/{tenantSlug}/media", - manage.HandleListMedia(d.TenantStore, d.MediaStore)) - mux.HandleFunc("POST /api/v1/tenants/{tenantSlug}/media", - manage.HandleUploadMedia(d.TenantStore, d.MediaStore, uploadDir)) - mux.HandleFunc("DELETE /api/v1/media/{id}", - manage.HandleDeleteMedia(d.MediaStore, uploadDir)) + mux.Handle("GET /api/v1/tenants/{tenantSlug}/media", + authTenant(http.HandlerFunc(manage.HandleListMedia(d.TenantStore, d.MediaStore)))) + mux.Handle("POST /api/v1/tenants/{tenantSlug}/media", + authTenant(http.HandlerFunc(manage.HandleUploadMedia(d.TenantStore, d.MediaStore, uploadDir)))) + mux.Handle("DELETE /api/v1/media/{id}", + authOnly(http.HandlerFunc(manage.HandleDeleteMedia(d.MediaStore, uploadDir)))) // ── JSON API — playlists ────────────────────────────────────────────── + // Player fetches its playlist — no auth required. mux.HandleFunc("GET /api/v1/screens/{screenId}/playlist", manage.HandlePlayerPlaylist(d.ScreenStore, d.PlaylistStore)) - mux.HandleFunc("GET /api/v1/playlists/{screenId}", - manage.HandleGetPlaylist(d.ScreenStore, d.PlaylistStore)) - mux.HandleFunc("POST /api/v1/playlists/{playlistId}/items", - manage.HandleAddItem(d.PlaylistStore, d.MediaStore, notifier)) - mux.HandleFunc("PATCH /api/v1/items/{itemId}", - manage.HandleUpdateItem(d.PlaylistStore, notifier)) - mux.HandleFunc("DELETE /api/v1/items/{itemId}", - manage.HandleDeleteItem(d.PlaylistStore, notifier)) - mux.HandleFunc("PUT /api/v1/playlists/{playlistId}/order", - manage.HandleReorder(d.PlaylistStore, notifier)) - mux.HandleFunc("PATCH /api/v1/playlists/{playlistId}/duration", - manage.HandleUpdatePlaylistDuration(d.PlaylistStore)) + mux.Handle("GET /api/v1/playlists/{screenId}", + authOnly(http.HandlerFunc(manage.HandleGetPlaylist(d.ScreenStore, d.PlaylistStore)))) + mux.Handle("POST /api/v1/playlists/{playlistId}/items", + authOnly(http.HandlerFunc(manage.HandleAddItem(d.PlaylistStore, d.MediaStore, notifier)))) + mux.Handle("PATCH /api/v1/items/{itemId}", + authOnly(http.HandlerFunc(manage.HandleUpdateItem(d.PlaylistStore, notifier)))) + mux.Handle("DELETE /api/v1/items/{itemId}", + authOnly(http.HandlerFunc(manage.HandleDeleteItem(d.PlaylistStore, notifier)))) + mux.Handle("PUT /api/v1/playlists/{playlistId}/order", + authOnly(http.HandlerFunc(manage.HandleReorder(d.PlaylistStore, notifier)))) + mux.Handle("PATCH /api/v1/playlists/{playlistId}/duration", + authOnly(http.HandlerFunc(manage.HandleUpdatePlaylistDuration(d.PlaylistStore)))) } diff --git a/server/backend/internal/store/auth.go b/server/backend/internal/store/auth.go index 82b1ed1..8000542 100644 --- a/server/backend/internal/store/auth.go +++ b/server/backend/internal/store/auth.go @@ -18,6 +18,7 @@ import ( type User struct { ID string `json:"id"` TenantID string `json:"tenant_id"` + TenantSlug string `json:"tenant_slug"` Username string `json:"username"` PasswordHash string `json:"-"` Role string `json:"role"` @@ -64,14 +65,16 @@ func (s *AuthStore) CreateSession(ctx context.Context, userID string, ttl time.D // GetSessionUser returns the user associated with sessionID if the session is still valid. // Returns pgx.ErrNoRows when the session does not exist or has expired. +// TenantSlug is populated via JOIN on tenants. func (s *AuthStore) GetSessionUser(ctx context.Context, sessionID string) (*User, error) { row := s.pool.QueryRow(ctx, - `select u.id, u.tenant_id, u.username, u.password_hash, u.role, u.created_at + `select u.id, u.tenant_id, coalesce(t.slug, ''), u.username, u.password_hash, u.role, u.created_at from sessions se join users u on u.id = se.user_id + left join tenants t on t.id = u.tenant_id where se.id = $1 and se.expires_at > now()`, sessionID) - return scanUser(row) + return scanUserWithSlug(row) } // DeleteSession removes the session with the given ID. @@ -158,6 +161,21 @@ func scanUser(row interface { return &u, nil } +// scanUserWithSlug scans a row that includes tenant_slug as the third column. +func scanUserWithSlug(row interface { + Scan(dest ...any) error +}) (*User, error) { + var u User + err := row.Scan(&u.ID, &u.TenantID, &u.TenantSlug, &u.Username, &u.PasswordHash, &u.Role, &u.CreatedAt) + if err != nil { + if err == pgx.ErrNoRows { + return nil, pgx.ErrNoRows + } + return nil, fmt.Errorf("scan user: %w", err) + } + return &u, nil +} + func scanSession(row interface { Scan(dest ...any) error }) (*Session, error) {