From 8e57b8737844c45a8a69b36ecb85d6386c929cc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leandro=20Ant=C3=B4nio=20Farias=20Machado?=
Date: Fri, 16 Jun 2023 11:28:33 -0300
Subject: [PATCH] feat(api): create users with different privileges
---
 .../services/controller/internal/api/api.go | 53 ++++++++++++++++++-
 .../services/controller/internal/db/user.go | 1 +
 2 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/backend/services/controller/internal/api/api.go b/backend/services/controller/internal/api/api.go
index 5a1df4b..7c30a14 100644
--- a/backend/services/controller/internal/api/api.go
+++ b/backend/services/controller/internal/api/api.go
@@ -26,6 +26,11 @@ type Api struct {
 QMutex *sync.Mutex
 }
 
+const (
+ NormalUser = iota
+ AdminUser
+)
+
 func NewApi(port string, db db.Database, b mtp.Broker, msgQueue map[string](chan usp_msg.Msg), m *sync.Mutex) Api {
 return Api{
 Port: port,
@@ -40,7 +45,10 @@ func StartApi(a Api) {
 r := mux.NewRouter()
 authentication := r.PathPrefix("/api/auth").Subrouter()
 authentication.HandleFunc("/login", a.generateToken).Methods("PUT")
- //authentication.HandleFunc("/register", a.registerUser).Methods("POST")
+ authentication.HandleFunc("/register", a.registerUser).Methods("POST")
+ // Keep the line above commented to avoid people get unintended admin privileges.
+ // Uncomment it only once for you to get admin privileges and create new users.
+ // authentication.HandleFunc("/admin/register", a.registerAdminUser).Methods("POST")
 iot := r.PathPrefix("/api/device").Subrouter()
 iot.HandleFunc("", a.retrieveDevices).Methods("GET")
 iot.HandleFunc("/{sn}/get", a.deviceGetMsg).Methods("PUT")
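Review bot: NormalUser and AdminUser are exported constants with no doc comment, and nothing records that NormalUser is the zero value of the new db.User.Level field — the property that makes a user whose level was never set fail the `rUser.Level != AdminUser` check later in this patch. I would put above the const block: `// Privilege levels stored in db.User.Level. NormalUser is the zero value, so a user whose level was never set is a normal user.` Because the constants live in package api while the field is a plain int in package db, the db layer cannot validate the value it stores; a named level type defined in db would let both packages share one definition, though that is beyond this commit.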
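Review bot: The comment `// Keep the line above commented` points at the wrong line: the line above it is the now-live `/register` route, while the route it means, `/admin/register`, is the commented-out line below it, so a reader following the instruction would disable normal registration and might enable admin registration by mistake. Move the explanation below the commented route, or reword it to name the route: `// /admin/register stays unrouted: registerAdminUser does no authentication (see its body below), so anyone who can reach the API could create an admin while it is enabled. Enable it only for a one-time bootstrap and disable it again.` The uncomment-and-redeploy bootstrap also means the unauthenticated route is live for as long as that build runs; a guard inside registerAdminUser itself (a bootstrap secret, or refusing once an admin exists) would make the route safe to leave registered.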
@@ -331,6 +339,47 @@ func (a *Api) deviceExists(sn string, w http.ResponseWriter) {
 }
 func (a *Api) registerUser(w http.ResponseWriter, r *http.Request) {
+
+ tokenString := r.Header.Get("Authorization")
+ if tokenString == "" {
+ w.WriteHeader(http.StatusUnauthorized)
+ return
+ }
+ email, err := auth.ValidateToken(tokenString)
+ if err != nil {
+ w.WriteHeader(http.StatusUnauthorized)
+ return
+ }
+
+ //Check if user which is requesting creation has the necessary privileges
+ rUser, err := a.Db.FindUser(email)
+ if rUser.Level != AdminUser {
+ w.WriteHeader(http.StatusForbidden)
+ return
+ }
+
+ var user db.User
+ err = json.NewDecoder(r.Body).Decode(&user)
+ if err != nil {
+ w.WriteHeader(http.StatusBadRequest)
+ return
+ }
+
+ user.Level = NormalUser
+
+ if err := user.HashPassword(user.Password); err != nil {
+ w.WriteHeader(http.StatusInternalServerError)
+ return
+ }
+
+ if err := a.Db.RegisterUser(user); err != nil {
+ w.WriteHeader(http.StatusInternalServerError)
+ return
+ }
+}
+
+func (a *Api) registerAdminUser(w http.ResponseWriter, r *http.Request) {
+ + var user db.User
 err := json.NewDecoder(r.Body).Decode(&user)
 if err != nil {
@@ -338,6 +387,8 @@ func (a *Api) registerUser(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ user.Level = AdminUser
+
 if err := user.HashPassword(user.Password); err != nil {
 w.WriteHeader(http.StatusInternalServerError)
 return
diff --git a/backend/services/controller/internal/db/user.go b/backend/services/controller/internal/db/user.go
index 1552f0d..6cfc563 100644
--- a/backend/services/controller/internal/db/user.go
+++ b/backend/services/controller/internal/db/user.go
@@ -11,6 +11,7 @@ type User struct {
 Email string `json:"email"`
 Name string `json:"name"`
 Password string `json:"password"`
+ Level int `json:"level"`
 }
 
 func (d *Database) RegisterUser(user User) error {
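Review bot: `rUser, err := a.Db.FindUser(email)` discards err and goes straight to `rUser.Level`, so a lookup failure (database error, or a valid token whose user has since been deleted) is either silently mapped to 403 through the zero Level or, if FindUser returns a pointer, a nil dereference — its signature is not visible in this patch. Fold the error into the privilege check so any failure to establish the caller as an admin is refused explicitly: `if err != nil || rUser.Level != AdminUser {`. The handler also ends with an implicit 200 and empty body on success; `w.WriteHeader(http.StatusCreated)` after RegisterUser would make the outcome explicit to clients. registerAdminUser begins at the end of this hunk and continues past it.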
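Review bot: `user.Level = AdminUser` is assigned with no check of who is calling: the visible body of registerAdminUser (which starts in the previous hunk and ends past this one) goes from decoding the request body to hashing and storing an admin, so anyone who can reach `/admin/register` while it is routed obtains an admin account. Rather than relying on the route staying commented out, gate the handler itself so it is safe to leave registered: refuse unless a deploy-time bootstrap secret matches, compared in constant time, with "not configured" meaning "always refuse" (this needs `crypto/subtle` and `os` in the import block). If the db layer can report whether an admin already exists, refusing once the first admin has been created is an equally good guard.
```go
func (a *Api) registerAdminUser(w http.ResponseWriter, r *http.Request) {
	// Bootstrap only: this route is unauthenticated, so require a deploy-time
	// secret and refuse outright when none is configured.
	secret := os.Getenv("ADMIN_BOOTSTRAP_SECRET")
	if secret == "" || subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Bootstrap-Secret")), []byte(secret)) != 1 {
		w.WriteHeader(http.StatusForbidden)
		return
	}
	// … unchanged: decode body, user.Level = AdminUser, hash password, RegisterUser …
```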
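Review bot: The new `Level int` field carries a `json:"level"` tag, which makes the privilege level decodable from any client body unmarshalled into db.User; both handlers in this patch overwrite it afterwards, but the struct is also the storage model (Password already decodes the same way), so a future handler that decodes a User and stores it without the override would let the client choose its own level. If the level is not meant to be client-settable, tag it `json:"-"`, or decode requests into a dedicated request struct and copy fields over; if it must appear in responses, keep the tag but still decode requests into a separate struct. A field comment is missing either way, e.g. `// Privilege level; set by the API layer from its level constants (0 = normal user), never taken from client input.`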