From e5cd2700aa88f32e5455a1d90e0a1cdac76cb57d Mon Sep 17 00:00:00 2001
From: cialloo
Date: Sat, 25 Oct 2025 08:23:36 +0800
Subject: [PATCH] update

---
 app/etc/blog.yaml                          |  5 ++
 app/internal/config/config.go              |  7 +++
 .../middleware/superadminauthmiddleware.go | 57 ++++++++++++++++++-
 3 files changed, 67 insertions(+), 2 deletions(-)

diff --git a/app/etc/blog.yaml b/app/etc/blog.yaml
index 88ff659..847d6f5 100644
--- a/app/etc/blog.yaml
+++ b/app/etc/blog.yaml
@@ -2,6 +2,11 @@ Name: Blog
 Host: 0.0.0.0
 Port: 8888
+JWT:
+  Secret: your-secret-key-change-in-production
+  Issuer: cialloo-authenticator
+  ExpiresIn: 604800 # 7 days in seconds
+
 Database:
   DSN: "${DATABASE_DSN}" # postgres: host=localhost port=5432 user=postgres password=your_password dbname=steam_union sslmode=disable
diff --git a/app/internal/config/config.go b/app/internal/config/config.go
index 1c48122..249e11d 100644
--- a/app/internal/config/config.go
+++ b/app/internal/config/config.go
@@ -6,6 +6,7 @@ type Config struct {
 	rest.RestConf
 	Database DatabaseConfig
 	S3       S3Config
+	JWT      JWTConfig
 }
 
 type DatabaseConfig struct {
@@ -20,3 +21,9 @@ type S3Config struct {
 	Endpoint               string `json:",optional"`     // Optional: for S3-compatible services
 	PresignedURLExpiration int64  `json:",default=3600"` // Default 1 hour
 }
+
+type JWTConfig struct {
+	Secret    string
+	Issuer    string
+	ExpiresIn int64
+}
diff --git a/app/internal/middleware/superadminauthmiddleware.go b/app/internal/middleware/superadminauthmiddleware.go
index e519b1f..f8fe882 100644
--- a/app/internal/middleware/superadminauthmiddleware.go
+++ b/app/internal/middleware/superadminauthmiddleware.go
@@ -2,8 +2,10 @@ package middleware
 
 import (
 	"net/http"
+	"strings"
 
 	"git.cialloo.com/CiallooWeb/Blog/app/internal/config"
+	"github.com/golang-jwt/jwt/v4"
 )
 
 type SuperAdminAuthMiddleware struct {
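Review bot: The new `JWT.Secret` is a literal HMAC key committed to the repository configuration, while `Database.DSN` two lines below already takes its value from the environment via `"${DATABASE_DSN}"`; use the same mechanism, `Secret: "${JWT_SECRET}"`, so the key never lives in version control and the placeholder value cannot be deployed unchanged. `Issuer` is the string the middleware compares against every token's `iss` claim, so a one-line comment such as `# must match the issuer used by the token-issuing service` would make that coupling visible to whoever edits this file.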
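Review bot: `JWTConfig` is the one struct in config.go with no field comments, whereas the adjacent `S3Config` documents each field, and `ExpiresIn` carries no unit in Go even though blog.yaml's comment says seconds; add `// Token lifetime in seconds` on that field (note that the middleware added by this patch does not read it, so it presumably only matters to the token issuer). `Secret` is the HMAC key every accepted token is verified against, so a comment like `// HMAC signing key; load from the environment, never the committed default` documents the loading requirement, and rejecting an empty value at startup is worth considering since a token signed with an empty key would otherwise verify.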
@@ -14,11 +16,62 @@ func NewSuperAdminAuthMiddleware(c config.Config) *SuperAdminAuthMiddleware {
 	return &SuperAdminAuthMiddleware{Config: c}
 }
 
+type Claims struct {
+	SteamID string `json:"steamId"`
+	jwt.RegisteredClaims
+}
+
 func (m *SuperAdminAuthMiddleware) Handle(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// TODO generate middleware implement function, delete after code implementation
+		// Get Authorization header
+		authHeader := r.Header.Get("Authorization")
+		if authHeader == "" {
+			http.Error(w, "Missing authorization header", http.StatusUnauthorized)
+			return
+		}
 
-		// Passthrough to next handler if need
+		// Check Bearer token format
+		parts := strings.SplitN(authHeader, " ", 2)
+		if len(parts) != 2 || parts[0] != "Bearer" {
+			http.Error(w, "Invalid authorization header format", http.StatusUnauthorized)
+			return
+		}
+
+		tokenString := parts[1]
+
+		// Parse and validate JWT token
+		claims := &Claims{}
+		token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
+			// Validate signing method
+			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+				return nil, jwt.ErrSignatureInvalid
+			}
+			return []byte(m.Config.JWT.Secret), nil
+		})
+
+		if err != nil {
+			http.Error(w, "Invalid token: "+err.Error(), http.StatusUnauthorized)
+			return
+		}
+
+		if !token.Valid {
+			http.Error(w, "Invalid token", http.StatusUnauthorized)
+			return
+		}
+
+		// Validate issuer
+		if claims.Issuer != m.Config.JWT.Issuer {
+			http.Error(w, "Invalid token issuer", http.StatusUnauthorized)
+			return
+		}
+
+		// Check if user is super admin (steamId must be "1234567")
+		if claims.SteamID != "1234567" {
+			http.Error(w, "Forbidden: Super admin access required", http.StatusForbidden)
+			return
+		}
+
+		// Passthrough to next handler if authenticated and authorized
 		next(w, r)
 	}
 }
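Review bot: The super-admin check at the end of Handle compares `claims.SteamID` against the literal "1234567", which reads like a placeholder and hard-wires the only authorised identity into the binary; the patch already routes the signing key and issuer through `m.Config.JWT`, so the admin SteamID belongs in configuration too and the comparison should read from there rather than from a string constant. Two smaller issues in the same hunk: `"Invalid token: "+err.Error()` echoes the parser's reason (expired, bad signature, malformed) to the caller, so log it server-side and return a fixed message; and because `jwt.RegisteredClaims` treats a missing `exp` as valid, a token issued without an expiry is accepted indefinitely, so reject when `claims.ExpiresAt == nil` next to the issuer check. The issuer comparison can use the library's `claims.VerifyIssuer(m.Config.JWT.Issuer, true)`, and since ParseWithClaims already returns an error for an invalid token the `!token.Valid` branch is redundant but harmless. NewSuperAdminAuthMiddleware begins before this hunk; nothing visible there rejects an empty `JWT.Secret`, with which any token signed using an empty key would verify.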