Token authorization is ready for MVP

Reviewed-on: #8
2026-05-15 12:53:58 +00:00
parent 35c6689a2c
commit cfa666e0a2
18 changed files with 917 additions and 61 deletions
--- a/internal/controllers/authorization.go
+++ b/internal/controllers/authorization.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"slices"
 	"strings"
 	"time"

@@ -22,6 +23,8 @@ type TokenType string
 const (
 	TokenTypeAccess  TokenType = "access"
 	TokenTypeRefresh TokenType = "refresh"
+	TokenAudToken    string    = "token"
+	TokenAudWeb      string    = "web"
 )

 var (
@@ -33,6 +36,7 @@ type Claims struct {
 	UserID    string    `json:"user_id"`
 	TokenID   string    `json:"token_id"`
 	TokenType TokenType `json:"token_type"`
+	Scope     string    `json:"scope,omitempty"`
 	jwt.RegisteredClaims
 }

@@ -56,6 +60,13 @@ func NewAuthController(jwtSecret []byte, accessTTL, refreshTTL time.Duration, re
 	}
 }

+type JWTData struct {
+	UserID    string
+	TokenType TokenType
+	TokenAud  string
+	Scope     string
+}
+
 // Write claims into context
 func (a *AuthController) WithClaims(ctx context.Context, claims *Claims) context.Context {
 	return context.WithValue(ctx, claimsContextKey, claims)
@@ -87,15 +98,43 @@ func (a *AuthController) AuthInterceptorFN(ctx context.Context) (context.Context
 		}
 	}

+	// If it's a cli token, we need to check the scope
+	if slices.Contains(claims.Audience, TokenAudToken) {
+		currentMethod, ok := grpc.Method(ctx)
+		if !ok {
+			return nil, errors.New("unknown method")
+		}
+
+		scopeMap := map[string][]string{}
+		if err := json.Unmarshal([]byte(claims.Scope), &scopeMap); err != nil {
+			return nil, ErrServerError
+		}
+		allowed := isAllowed(scopeMap, currentMethod)
+		if !allowed {
+			return nil, errors.New("not authorized")
+		}
+	}
+
 	ctx = a.WithClaims(ctx, claims)
 	return ctx, nil
 }

+func isAllowed(scope map[string][]string, currentMethod string) bool {
+	for service, methods := range scope {
+		for _, method := range methods {
+			if fmt.Sprintf("/%s/%s", service, method) == currentMethod {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // Generate JWT token
-func (a *AuthController) GenerateToken(userID string, tokenType TokenType) (token, tokenID string, err error) {
+func (a *AuthController) GenerateToken(data *JWTData) (token, tokenID string, err error) {
 	var expiresAt time.Time
 	notBefore := time.Now()
-	switch tokenType {
+	switch data.TokenType {
 	case TokenTypeAccess:
 		expiresAt = time.Now().Add(a.accessTTL)
 	case TokenTypeRefresh:
@@ -103,25 +142,25 @@ func (a *AuthController) GenerateToken(userID string, tokenType TokenType) (toke
 	default:
 		return "", "", ErrUnknownTokenType
 	}
-	if tokenType != TokenTypeAccess && tokenType != TokenTypeRefresh {
-		return "", "", ErrUnknownTokenType
-	}

 	tokenID = uuid.New().String()
+
 	claims := Claims{
-		UserID:    userID,
+		UserID:    data.UserID,
 		TokenID:   tokenID,
-		TokenType: tokenType,
+		TokenType: data.TokenType,
+		Scope:     data.Scope,
 		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:    "",
-			Subject:   "",
-			Audience:  jwt.ClaimStrings{},
+			Subject:   data.UserID,
+			Audience:  jwt.ClaimStrings{data.TokenAud},
 			ExpiresAt: jwt.NewNumericDate(expiresAt),
 			NotBefore: jwt.NewNumericDate(notBefore),
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
-			ID:        userID,
+			ID:        tokenID,
 		},
 	}
+
 	tokenJwt := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	token, err = tokenJwt.SignedString(a.jwtSecret)
 	if err != nil {