api/middleware.go

@@ -16,7 +16,6 @@ type authCtxKey int
 const (
 	authCtxUsername authCtxKey = iota
 	authCtxAuthLevel
-	authCtxClaims
 )
 
 func (s *HTTPServer) MiddlewareAccessLogger(next http.Handler) http.Handler {
@@ -67,8 +66,7 @@ func (s *HTTPServer) MiddlewareAuthentication(next http.Handler) http.Handler {
 		}
 
 		ctx := context.WithValue(r.Context(), authCtxUsername, claims.Subject)
-		ctx = context.WithValue(ctx, authCtxAuthLevel, claims.Role)
+		ctx = context.WithValue(ctx, authCtxAuthLevel, gpaste.AuthLevelUser)
-		ctx = context.WithValue(ctx, authCtxClaims, claims)
 		withCtx := r.WithContext(ctx)
 		s.Logger.Debugw("Request is authenticated.", "req_id", reqID, "username", claims.Subject)
 
@@ -81,6 +79,7 @@ func (s *HTTPServer) MiddlewareAuthentication(next http.Handler) http.Handler {
 func UsernameFromRequest(r *http.Request) (string, error) {
 	rawUsername := r.Context().Value(authCtxUsername)
 	if rawUsername == nil {
+
 		return "", fmt.Errorf("no username")
 	}
 	username, ok := rawUsername.(string)
@@ -101,15 +100,3 @@ func AuthLevelFromRequest(r *http.Request) (gpaste.AuthLevel, error) {
 	}
 	return level, nil
 }
-
-func ClaimsFromRequest(r *http.Request) *gpaste.Claims {
-	rawClaims := r.Context().Value(authCtxAuthLevel)
-	if rawClaims == nil {
-		return nil
-	}
-	claims, ok := rawClaims.(*gpaste.Claims)
-	if !ok {
-		return nil
-	}
-	return claims
-}

auth.go

@@ -22,12 +22,6 @@ type AuthService struct {
 	hmacSecret []byte
 }
 
-type Claims struct {
-	Role users.Role `json:"role,omitempty"`
-
-	jwt.StandardClaims
-}
-
 func NewAuthService(store users.UserStore, signingSecret []byte) *AuthService {
 	return &AuthService{users: store, hmacSecret: signingSecret}
 }
@@ -43,13 +37,13 @@ func (as *AuthService) Login(username, password string) (string, error) {
 	}
 
 	// TODO: Set iss and aud
-	claims := new(Claims)
+	claims := jwt.StandardClaims{
-	claims.Subject = user.Username
+		Subject:   user.Username,
-	claims.ExpiresAt = time.Now().Add(7 * 24 * time.Hour).Unix()
+		ExpiresAt: time.Now().Add(7 * 24 * time.Hour).Unix(),
-	claims.NotBefore = time.Now().Unix()
+		NotBefore: time.Now().Unix(),
-	claims.IssuedAt = time.Now().Unix()
+		IssuedAt:  time.Now().Unix(),
-	claims.Id = uuid.NewString()
+		Id:        uuid.NewString(),
-	claims.Role = user.Role
+	}
 
 	token := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), claims)
 	signed, err := token.SignedString(as.hmacSecret)
@@ -60,8 +54,8 @@ func (as *AuthService) Login(username, password string) (string, error) {
 	return signed, nil
 }
 
-func (as *AuthService) ValidateToken(rawToken string) (*Claims, error) {
+func (as *AuthService) ValidateToken(rawToken string) (*jwt.StandardClaims, error) {
-	claims := &Claims{}
+	claims := &jwt.StandardClaims{}
 	token, err := jwt.ParseWithClaims(rawToken, claims, func(t *jwt.Token) (interface{}, error) {
 		return as.hmacSecret, nil
 	})

auth_test.go

@@ -6,7 +6,6 @@ import (
 
 	"git.t-juice.club/torjus/gpaste"
 	"git.t-juice.club/torjus/gpaste/users"
-	"github.com/google/go-cmp/cmp"
 )
 
 func TestAuth(t *testing.T) {
@@ -18,7 +17,7 @@ func TestAuth(t *testing.T) {
 		username := randomString(8)
 		password := randomString(16)
 
-		user := &users.User{Username: username, Role: users.RoleAdmin}
+		user := &users.User{Username: username}
 		if err := user.SetPassword(password); err != nil {
 			t.Fatalf("error setting user password: %s", err)
 		}
@@ -31,13 +30,9 @@ func TestAuth(t *testing.T) {
 			t.Fatalf("Error creating token: %s", err)
 		}
 
-		claims, err := as.ValidateToken(token)
+		if _, err := as.ValidateToken(token); err != nil {
-		if err != nil {
 			t.Fatalf("Error validating token: %s", err)
 		}
-		if claims.Role != user.Role {
-			t.Fatalf("Token role is not correct: %s", cmp.Diff(claims.Role, user.Role))
-		}
 		invalidToken := `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDMyMjk3NjMsImp0aSI6ImUzNDk5NWI1LThiZmMtNDQyNy1iZDgxLWFmNmQ3OTRiYzM0YiIsImlhdCI6MTY0MjYyNDk2MywibmJmIjoxNjQyNjI0OTYzLCJzdWIiOiJYdE5Hemt5ZSJ9.VM6dkwSLaBv8cStkWRVVv9ADjdUrHGHrlB7GB7Ly7n8`
 		if _, err := as.ValidateToken(invalidToken); err == nil {
 			t.Fatalf("Invalid token passed validation")

users/user.go

@@ -13,7 +13,7 @@ const (
 type User struct {
 	Username       string `json:"username"`
 	HashedPassword []byte `json:"hashed_password"`
-	Role           Role   `json:"role"`
+	Roles          []Role `json:"roles"`
 }
 
 type UserStore interface {

users/userstore_test.go

@@ -20,7 +20,7 @@ func RunUserStoreTest(newFunc func() (func(), users.UserStore), t *testing.T) {
 			passwordMap[username] = password
 			user := &users.User{
 				Username: username,
-				Role:     users.RoleAdmin,
+				Roles:    []users.Role{users.RoleAdmin},
 			}
 			if err := user.SetPassword(password); err != nil {
 				t.Fatalf("Error setting password: %s", err)