api.acmcsuf.com/internal/api/middleware/oauth.go at 91d9391e9cc65d60efd78f9d742337c5e841c357 · acmcsufoss/api.acmcsuf.com · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
package middleware

import (
	"net/http"
	"sync"
	"time"

	"github.com/bwmarrin/discordgo"
	"github.com/gin-gonic/gin"

	"github.com/acmcsufoss/api.acmcsuf.com/internal/api/config"
)

// NOTE: Hardcoded relation of role IDs -> role names. Discord's API works with the IDs, and this
// map lets us use the role names in our code for readability reasons. Maybe this could be made
// more portable in the future for testing reasons.
var RoleMap = map[string]string{
	"1446729257236697168": "Board",
	"1446729292389159063": "President",
}

var roleCache = sync.Map{}

type cacheEntry struct {
	Roles     []string
	UserID    string
	ExpiresAt time.Time
}

func DiscordAuth(bot *discordgo.Session, requiredRole string) gin.HandlerFunc {
	return func(c *gin.Context) {
		// expects the header 'Authorization: Bearer <access_token>'
		authHeader := c.GetHeader("Authorization")

		if authHeader == "" {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
				"error": "Missing Authorization header",
			})
			return
		}

		// dev mode bypass (ENV=development)
		cfg := config.Load()
		if cfg.Env == "development" && authHeader == "Bearer dev-token" {
			c.Set("userID", "dev-user-id")
			c.Next()
			return
		}

		// using a cache is required since discord has pretty strict rate limits on their API
		if value, ok := roleCache.Load(authHeader); ok {
			cached := value.(cacheEntry)
			if time.Now().Before(cached.ExpiresAt) {
				if checkRoles(cached.Roles, requiredRole) {
					c.Set("userID", cached.UserID)
					c.Next()
					return
				} else {
					c.AbortWithStatusJSON(http.StatusForbidden, gin.H{
						"error": "Insufficient permissions (cached)",
					})
					return
				}
			} else {
				roleCache.Delete(authHeader)
			}

		}

		userSession, _ := discordgo.New(authHeader)
		user, err := userSession.User("@me")
		if err != nil {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
				"error": "Invalid or expired Discord token",
			})
			return
		}

		member, err := bot.GuildMember(cfg.GuildID, user.ID)
		if err != nil {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
				"error": "You are not a member of the Discord server",
			})
			return
		}

		roleCache.Store(authHeader, cacheEntry{
			Roles:     member.Roles,
			UserID:    user.ID,
			ExpiresAt: time.Now().Add(time.Minute * 5),
		})

		if checkRoles(member.Roles, requiredRole) {
			c.Set("userID", user.ID)
			c.Next()
		} else {
			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{
				"error": "Insufficient permissions",
			})
		}

	}
}

func checkRoles(userRoleIDs []string, requiredRole string) bool {
	for _, id := range userRoleIDs {
		roleName, exists := RoleMap[id]
		if !exists {
			continue
		}

		if roleName == requiredRole {
			return true
		}
		if roleName == "President" && requiredRole == "Board" {
			return true
		}
	}
	return false
}