Merge remote-tracking branch 'origin/master'
This commit is contained in:
@@ -10,29 +10,49 @@ import (
|
||||
|
||||
func AuthMiddleware(db *sql.DB, next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
authHeader := r.Header.Get("Authorization")
|
||||
if authHeader == "" {
|
||||
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
||||
log.Printf(
|
||||
"AUTH_MIDDLEWARE 401 reason=missing_authorization_header method=%s path=%s",
|
||||
r.Method,
|
||||
r.URL.Path,
|
||||
)
|
||||
http.Error(w, "unauthorized: authorization header missing", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
parts := strings.SplitN(authHeader, " ", 2)
|
||||
if len(parts) != 2 || parts[0] != "Bearer" {
|
||||
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
||||
log.Printf(
|
||||
"AUTH_MIDDLEWARE 401 reason=invalid_authorization_format method=%s path=%s raw=%q",
|
||||
r.Method,
|
||||
r.URL.Path,
|
||||
authHeader,
|
||||
)
|
||||
http.Error(w, "unauthorized: invalid authorization format", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
claims, err := auth.ValidateToken(parts[1])
|
||||
if err != nil {
|
||||
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
||||
log.Printf(
|
||||
"AUTH_MIDDLEWARE 401 reason=token_validation_failed method=%s path=%s err=%v",
|
||||
r.Method,
|
||||
r.URL.Path,
|
||||
err,
|
||||
)
|
||||
http.Error(w, "unauthorized: token validation failed", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
// 🔥 BU SATIR ŞART
|
||||
ctx := auth.WithClaims(r.Context(), claims)
|
||||
|
||||
log.Printf("🔐 AUTH CTX SET user=%d role=%s", claims.ID, claims.RoleCode)
|
||||
log.Printf(
|
||||
"AUTH_MIDDLEWARE PASS user=%d role=%s method=%s path=%s",
|
||||
claims.ID,
|
||||
claims.RoleCode,
|
||||
r.Method,
|
||||
r.URL.Path,
|
||||
)
|
||||
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
})
|
||||
|
||||
@@ -859,7 +859,12 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
|
||||
// =====================================================
|
||||
claims, ok := auth.GetClaimsFromContext(r.Context())
|
||||
if !ok || claims == nil {
|
||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||
log.Printf(
|
||||
"AUTHZ_BY_ROUTE 401 reason=claims_missing method=%s path=%s",
|
||||
r.Method,
|
||||
r.URL.Path,
|
||||
)
|
||||
http.Error(w, "unauthorized: token missing or invalid", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -873,7 +878,7 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
|
||||
r.Method, r.URL.Path,
|
||||
)
|
||||
|
||||
http.Error(w, "route not resolved", 403)
|
||||
http.Error(w, "route not resolved", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -881,7 +886,14 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
|
||||
if err != nil {
|
||||
log.Printf("❌ AUTHZ: path template error: %v", err)
|
||||
|
||||
http.Error(w, "route template error", 403)
|
||||
http.Error(w, "route template error", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
// Password change must be reachable for every authenticated user.
|
||||
// This avoids permission deadlocks during forced first-password flow.
|
||||
if pathTemplate == "/api/password/change" {
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -908,7 +920,12 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
|
||||
pathTemplate,
|
||||
)
|
||||
|
||||
http.Error(w, "route permission not found", 403)
|
||||
if pathTemplate == "/api/password/change" {
|
||||
http.Error(w, "password change route permission not found", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
http.Error(w, "route permission not found", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -935,7 +952,12 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
|
||||
err,
|
||||
)
|
||||
|
||||
http.Error(w, "forbidden", 403)
|
||||
if pathTemplate == "/api/password/change" {
|
||||
http.Error(w, "password change permission check failed", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
http.Error(w, "forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -948,7 +970,12 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
|
||||
action,
|
||||
)
|
||||
|
||||
http.Error(w, "forbidden", 403)
|
||||
if pathTemplate == "/api/password/change" {
|
||||
http.Error(w, "password change forbidden: permission denied", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
http.Error(w, "forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user