add error message for unauthorized users

mantil-io · Feb 28, 2022 · eccced0 · eccced0
1 parent 6025601
commit eccced0
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 17 deletions.
diff --git a/go.mod b/go.mod
@@ -32,7 +32,7 @@ require (
 	github.com/json-iterator/go v1.1.12
 	github.com/kataras/jwt v0.1.2
 	github.com/manifoldco/promptui v0.8.0
-	github.com/mantil-io/mantil.go v0.1.11
+	github.com/mantil-io/mantil.go v0.1.12-0.20220228164738-fbb93fb06a5e
 	github.com/mattn/go-colorable v0.1.11
 	github.com/mitchellh/mapstructure v1.4.3 // indirect
 	github.com/nats-io/jsm.go v0.0.27

diff --git a/go.sum b/go.sum
@@ -354,6 +354,8 @@ github.com/manifoldco/promptui v0.8.0 h1:R95mMF+McvXZQ7j1g8ucVZE1gLP3Sv6j9vlF9ky
 github.com/manifoldco/promptui v0.8.0/go.mod h1:n4zTdgP0vr0S3w7/O/g98U+e0gwLScEXGwov2nIKuGQ=
 github.com/mantil-io/mantil.go v0.1.11 h1:d+1ator/hzGEIsWfRWPn+l6gNAPhbbkt1jxj8Iuaz+k=
 github.com/mantil-io/mantil.go v0.1.11/go.mod h1:Lg6ycpc9d/27j0UctFZXLAA7kP+rEEmRkBly4KM73MI=
+github.com/mantil-io/mantil.go v0.1.12-0.20220228164738-fbb93fb06a5e h1:4SKeWgpytL9HbISfn1afgs2FaYgJRdyYmlLC3qtWFHU=
+github.com/mantil-io/mantil.go v0.1.12-0.20220228164738-fbb93fb06a5e/go.mod h1:Lg6ycpc9d/27j0UctFZXLAA7kP+rEEmRkBly4KM73MI=
 github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=

diff --git a/node/api/node/auth.go b/node/api/node/auth.go
@@ -3,11 +3,13 @@ package node
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log"
 	"time"
 
 	"github.com/google/go-github/v42/github"
+	"github.com/mantil-io/mantil.go"
 	"github.com/mantil-io/mantil.go/logs"
 	"github.com/mantil-io/mantil/cli/secret"
 	"github.com/mantil-io/mantil/domain"
@@ -110,20 +112,7 @@ func (a *Auth) generateJWT() (string, error) {
 	case domain.Owner:
 		return a.ownerToken(*ghUser.Login)
 	case domain.Member:
-		// check if user is allowed to access the node
-		user, err := a.store.FindUser(*ghUser.Login)
-		if err != nil {
-			return "", err
-		}
-		projects, err := a.store.FindProjects()
-		if err != nil {
-			return "", err
-		}
-		var repos []string
-		for _, p := range projects {
-			repos = append(repos, p.Repo)
-		}
-		return a.memberToken(user.Name, repos)
+		return a.memberToken(*ghUser.Login)
 	default:
 		return "", fmt.Errorf("unsupported role")
 	}
@@ -154,10 +143,28 @@ func (a *Auth) ownerToken(username string) (string, error) {
 	}, 7*24*time.Hour)
 }
 
-func (a *Auth) memberToken(username string, projects []string) (string, error) {
+func (a *Auth) memberToken(username string) (string, error) {
+	// check if user is allowed to access the node
+	user, err := a.store.FindUser(username)
+	var nerr *mantil.ErrItemNotFound
+	if errors.As(err, &nerr) {
+		return "", fmt.Errorf("user %s is not authorized to perform this action", username)
+	}
+	if err != nil {
+		return "", err
+	}
+	projects, err := a.store.FindProjects()
+	if err != nil {
+		return "", err
+	}
+	var repos []string
+	for _, p := range projects {
+		repos = append(repos, p.Repo)
+	}
 	return token.JWT(a.privateKey, &domain.AccessTokenClaims{
-		Username: username,
+		Username: user.Name,
 		Role:     domain.Member,
+		Projects: repos,
 	}, 1*time.Hour)
 }