feat(api): create users with different privileges

2023-06-16 11:28:33 -03:00 · 2023-06-16 11:28:33 -03:00 · 8e57b87378
commit 8e57b87378
parent 57ebbc7c45
2 changed files with 53 additions and 1 deletions
--- a/backend/services/controller/internal/api/api.go
+++ b/backend/services/controller/internal/api/api.go
@ -26,6 +26,11 @@ type Api struct {
 	QMutex   *sync.Mutex
 }

+const (
+	NormalUser = iota
+	AdminUser
+)
+
 func NewApi(port string, db db.Database, b mtp.Broker, msgQueue map[string](chan usp_msg.Msg), m *sync.Mutex) Api {
 	return Api{
 		Port:     port,
@ -40,7 +45,10 @@ func StartApi(a Api) {
 	r := mux.NewRouter()
 	authentication := r.PathPrefix("/api/auth").Subrouter()
 	authentication.HandleFunc("/login", a.generateToken).Methods("PUT")
-	//authentication.HandleFunc("/register", a.registerUser).Methods("POST")
+	authentication.HandleFunc("/register", a.registerUser).Methods("POST")
+	// Keep the line above commented to avoid people get unintended admin privileges.
+	// Uncomment it only once for you to get admin privileges and create new users.
+	// authentication.HandleFunc("/admin/register", a.registerAdminUser).Methods("POST")
 	iot := r.PathPrefix("/api/device").Subrouter()
 	iot.HandleFunc("", a.retrieveDevices).Methods("GET")
 	iot.HandleFunc("/{sn}/get", a.deviceGetMsg).Methods("PUT")
@ -331,6 +339,47 @@ func (a *Api) deviceExists(sn string, w http.ResponseWriter) {
 }

 func (a *Api) registerUser(w http.ResponseWriter, r *http.Request) {
+
+	tokenString := r.Header.Get("Authorization")
+	if tokenString == "" {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+	email, err := auth.ValidateToken(tokenString)
+	if err != nil {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
+	//Check if user which is requesting creation has the necessary privileges
+	rUser, err := a.Db.FindUser(email)
+	if rUser.Level != AdminUser {
+		w.WriteHeader(http.StatusForbidden)
+		return
+	}
+
+	var user db.User
+	err = json.NewDecoder(r.Body).Decode(&user)
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	user.Level = NormalUser
+
+	if err := user.HashPassword(user.Password); err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	if err := a.Db.RegisterUser(user); err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+}
+
+func (a *Api) registerAdminUser(w http.ResponseWriter, r *http.Request) {
+
 	var user db.User
 	err := json.NewDecoder(r.Body).Decode(&user)
 	if err != nil {
@ -338,6 +387,8 @@ func (a *Api) registerUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	user.Level = AdminUser
+
 	if err := user.HashPassword(user.Password); err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		return
--- a/backend/services/controller/internal/db/user.go
+++ b/backend/services/controller/internal/db/user.go
@ -11,6 +11,7 @@ type User struct {
 	Email    string `json:"email"`
 	Name     string `json:"name"`
 	Password string `json:"password"`
+	Level    int    `json:"level"`
 }

 func (d *Database) RegisterUser(user User) error {