diff --git a/internal/auth/jwtCookieSession.go b/internal/auth/jwtCookieSession.go index bff08f2..8c05408 100644 --- a/internal/auth/jwtCookieSession.go +++ b/internal/auth/jwtCookieSession.go @@ -6,6 +6,7 @@ package auth import ( "crypto/ed25519" + "database/sql" "encoding/base64" "errors" "fmt" @@ -166,16 +167,20 @@ func (ja *JWTCookieSessionAuthenticator) Login( } var roles []string + projects := make([]string, 0) if jc.ValidateUser { + var err error + user, err = repository.GetUserRepository().GetUser(sub) + if err != nil && err != sql.ErrNoRows { + log.Errorf("Error while loading user '%v'", sub) + } + // Deny any logins for unknown usernames if user == nil { log.Warn("Could not find user from JWT in internal database.") return nil, errors.New("unknown user") } - - // Take user roles from database instead of trusting the JWT - roles = user.Roles } else { // Extract roles from JWT (if present) if rawroles, ok := claims["roles"].([]interface{}); ok { @@ -185,20 +190,6 @@ func (ja *JWTCookieSessionAuthenticator) Login( } } } - } - - // (Ask browser to) Delete JWT cookie - deletedCookie := &http.Cookie{ - Name: jc.CookieName, - Value: "", - Path: "/", - MaxAge: -1, - HttpOnly: true, - } - http.SetCookie(rw, deletedCookie) - - if user == nil { - projects := make([]string, 0) user = &schema.User{ Username: sub, Name: name, @@ -215,5 +206,15 @@ func (ja *JWTCookieSessionAuthenticator) Login( } } + // (Ask browser to) Delete JWT cookie + deletedCookie := &http.Cookie{ + Name: jc.CookieName, + Value: "", + Path: "/", + MaxAge: -1, + HttpOnly: true, + } + http.SetCookie(rw, deletedCookie) + return user, nil } diff --git a/internal/auth/jwtSession.go b/internal/auth/jwtSession.go index 91c2050..e5a30d4 100644 --- a/internal/auth/jwtSession.go +++ b/internal/auth/jwtSession.go @@ -5,6 +5,7 @@ package auth import ( + "database/sql" "encoding/base64" "errors" "fmt" @@ -92,16 +93,20 @@ func (ja *JWTSessionAuthenticator) Login( } var roles []string + projects := make([]string, 0) if config.Keys.JwtConfig.ValidateUser { + var err error + user, err = repository.GetUserRepository().GetUser(sub) + if err != nil && err != sql.ErrNoRows { + log.Errorf("Error while loading user '%v'", sub) + } + // Deny any logins for unknown usernames if user == nil { log.Warn("Could not find user from JWT in internal database.") return nil, errors.New("unknown user") } - - // Take user roles from database instead of trusting the JWT - roles = user.Roles } else { // Extract roles from JWT (if present) if rawroles, ok := claims["roles"].([]interface{}); ok { @@ -113,23 +118,17 @@ func (ja *JWTSessionAuthenticator) Login( } } } - } - projects := make([]string, 0) - // Java/Grails Issued Token - // if rawprojs, ok := claims["projects"].([]interface{}); ok { - // for _, pp := range rawprojs { - // if p, ok := pp.(string); ok { - // projects = append(projects, p) - // } - // } - // } else if rawprojs, ok := claims["projects"]; ok { - // for _, p := range rawprojs.([]string) { - // projects = append(projects, p) - // } - // } + if rawprojs, ok := claims["projects"].([]interface{}); ok { + for _, pp := range rawprojs { + if p, ok := pp.(string); ok { + projects = append(projects, p) + } + } + } else if rawprojs, ok := claims["projects"]; ok { + projects = append(projects, rawprojs.([]string)...) + } - if user == nil { user = &schema.User{ Username: sub, Name: name,