wip(token): verifying user when getting the image

2025-04-11 19:35:49 +01:00
parent 207f263853
commit 5b03d38392
2 changed files with 179 additions and 154 deletions
--- a/backend/main.go
+++ b/backend/main.go
@ -66,18 +66,11 @@ func main() {
 		w.WriteHeader(http.StatusOK)
 	})

+	r.Group(func(r chi.Router) {
+		r.Use(ProtectedRoute)
+
 		r.Get("/image", func(w http.ResponseWriter, r *http.Request) {
-		token := r.Header.Get("Authorization")[7:]
-
-		fmt.Println(token)
-
-		userId, err := GetUserIdFromAccess(token)
-		if err != nil {
-			log.Println(err)
-			w.WriteHeader(http.StatusForbidden)
-			fmt.Fprintf(w, "Get out of here!")
-			return
-		}
+			userId := r.Context().Value(USER_ID).(uuid.UUID)

 			images, err := userModel.ListWithProperties(r.Context(), userId)
 			if err != nil {
@ -132,6 +125,8 @@ func main() {
 		r.Get("/image/{id}", func(w http.ResponseWriter, r *http.Request) {
 			imageId := r.PathValue("id")

+			_ = r.Context().Value(USER_ID).(uuid.UUID)
+
 			// TODO: really need authorization here!
 			image, err := imageModel.Get(r.Context(), uuid.MustParse(imageId))
 			if err != nil {
@ -239,6 +234,8 @@ func main() {
 			w.Header().Add("Content-Type", "application/json")
 		})

+	})
+
 	r.Post("/login", func(w http.ResponseWriter, r *http.Request) {
 		type LoginBody struct {
 			Email string `json:"email"`
--- a/backend/middleware.go
+++ b/backend/middleware.go
@ -1,6 +1,10 @@
 package main

-import "net/http"
+import (
+	"context"
+	"fmt"
+	"net/http"
+)

 func CorsMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -11,3 +15,27 @@ func CorsMiddleware(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+const USER_ID = "UserID"
+
+func ProtectedRoute(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		token := r.Header.Get("Authorization")
+		if len(token) < len("Bearer ") {
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		fmt.Println(token[len("Bearer "):])
+		userId, err := GetUserIdFromAccess(token[len("Bearer "):])
+		if err != nil {
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		contextWithUserId := context.WithValue(r.Context(), USER_ID, userId)
+
+		newR := r.WithContext(contextWithUserId)
+		next.ServeHTTP(w, newR)
+	})
+}