package middlewares
import (
	"database/sql"
	"log"
	"net/http"
	"path"
	"strings"

	"bssapp-backend/auth"
)
// passwordChangeAllowlist lists the request paths a user may still reach while
// the token they present carries ForcePasswordChange=true; ForcePasswordChangeGuard
// blocks every other path for such a user. Entries are compared against
// r.URL.Path, so keep them exact and leading-slash prefixed.
var passwordChangeAllowlist = []string{
	"/api/password/change",
	"/api/password/reset",
	// Already covered by the "/api/password/reset" entry above; kept so the
	// endpoint is visible here when the list is audited.
	"/api/password/reset/validate",
	"/api/auth/refresh",
}
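// ForcePasswordChangeGuard returns middleware that confines an authenticated
// user whose token carries ForcePasswordChange=true to the endpoints in
// passwordChangeAllowlist. It must run after the middleware that places the
// claims in the request context; when no claims are present it fails closed
// with 401. A confined user requesting any other path receives
// 401 "password change required"; everyone else is passed to next untouched.
//
// NOTE(review): db is accepted but never consulted. The decision trusts the
// ForcePasswordChange claim baked into the token, so it is only as fresh as
// that token: a user flagged after issuance is not confined until the token is
// refreshed, and one who has already changed their password stays confined
// until then. TODO confirm whether a DB re-check was intended here.
func ForcePasswordChangeGuard(db *sql.DB) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			claims, ok := auth.GetClaimsFromContext(r.Context())
			if !ok || claims == nil {
				// No claims means the auth middleware did not run (or rejected
				// the request); fail closed rather than let it through unchecked.
				log.Println("❌ FPC GUARD: claims NOT FOUND")
				http.Error(w, "Unauthorized", http.StatusUnauthorized)
				return
			}

			// %q: r.URL.Path is percent-decoded, so an attacker-supplied %0a
			// would otherwise inject a newline (forged log record) into the log.
			log.Printf(
				"🛡️ FPC GUARD user=%q force=%v path=%q",
				claims.Username,
				claims.ForcePasswordChange,
				r.URL.Path,
			)

			// No pending password change → nothing to enforce.
			if !claims.ForcePasswordChange {
				next.ServeHTTP(w, r)
				return
			}

			// Password change pending → only allowlisted endpoints are reachable.
			if isPasswordChangePath(r.URL.Path) {
				log.Printf(
					"✅ FPC GUARD PASS user=%q path=%q",
					claims.Username,
					r.URL.Path,
				)
				next.ServeHTTP(w, r)
				return
			}

			log.Printf(
				"⛔ FPC GUARD BLOCK user=%q path=%q",
				claims.Username,
				r.URL.Path,
			)
			// 401 is kept for client compatibility. Strictly the caller *is*
			// authenticated, so 403 Forbidden would be the more precise status.
			http.Error(w, "password change required", http.StatusUnauthorized)
		})
	}
}

// isPasswordChangePath reports whether request path p may be reached while a
// password change is pending. The path is cleaned first so that dot segments
// ("/api/password/change/../../admin") cannot ride on an allowlisted entry, and
// an entry matches only itself or a sub-path beneath it: "/api/auth/refresh"
// matches "/api/auth/refresh" and "/api/auth/refresh/", but not
// "/api/auth/refresh-all", which a bare strings.HasPrefix would have let through.
func isPasswordChangePath(p string) bool {
	// Leading "/" guarantees an absolute, rooted result even for an empty or
	// relative p; Clean collapses the doubled slash and resolves "." and "..".
	clean := path.Clean("/" + p)
	for _, allowed := range passwordChangeAllowlist {
		if clean == allowed || strings.HasPrefix(clean, allowed+"/") {
			return true
		}
	}
	return false
}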