feat: use multi roles login (#60)

* feat: use multi roles login

- add support for protected roles
- refactor oauth code

* fix: adminUpdate role validation

* fix: update app

server/resolvers/adminUpdateUser.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/enum"
 	"github.com/authorizerdev/authorizer/server/graph/model"
@@ -91,7 +92,7 @@ func AdminUpdateUser(ctx context.Context, params model.AdminUpdateUserInput) (*m
 			inputRoles = append(inputRoles, *item)
 		}
 
-		if !utils.IsValidRolesArray(inputRoles) {
+		if !utils.IsValidRoles(append([]string{}, append(constants.ROLES, constants.PROTECTED_ROLES...)...), inputRoles) {
 			return res, fmt.Errorf("invalid list of roles")
 		}
 

server/resolvers/login.go

@@ -46,19 +46,19 @@ func Login(ctx context.Context, params model.LoginInput) (*model.AuthResponse, e
 		log.Println("Compare password error:", err)
 		return res, fmt.Errorf(`invalid password`)
 	}
-	role := constants.DEFAULT_ROLE
-	if params.Role != nil {
-		// validate role
-		if !utils.IsValidRole(strings.Split(user.Roles, ","), *params.Role) {
-			return res, fmt.Errorf(`invalid role`)
+	roles := constants.DEFAULT_ROLES
+	currentRoles := strings.Split(user.Roles, ",")
+	if len(params.Roles) > 0 {
+		if !utils.IsValidRoles(currentRoles, params.Roles) {
+			return res, fmt.Errorf(`invalid roles`)
 		}
 
-		role = *params.Role
+		roles = params.Roles
 	}
 	userIdStr := fmt.Sprintf("%v", user.ID)
-	refreshToken, _, _ := utils.CreateAuthToken(user, enum.RefreshToken, role)
+	refreshToken, _, _ := utils.CreateAuthToken(user, enum.RefreshToken, roles)
 
-	accessToken, expiresAt, _ := utils.CreateAuthToken(user, enum.AccessToken, role)
+	accessToken, expiresAt, _ := utils.CreateAuthToken(user, enum.AccessToken, roles)
 
 	session.SetToken(userIdStr, refreshToken)
 

server/resolvers/signup.go

@@ -37,16 +37,15 @@ func Signup(ctx context.Context, params model.SignUpInput) (*model.AuthResponse,
 
 	inputRoles := []string{}
 
-	if params.Roles != nil && len(params.Roles) > 0 {
+	if len(params.Roles) > 0 {
 		// check if roles exists
-		for _, item := range params.Roles {
-			inputRoles = append(inputRoles, *item)
-		}
-		if !utils.IsValidRolesArray(inputRoles) {
+		if !utils.IsValidRoles(constants.ROLES, params.Roles) {
 			return res, fmt.Errorf(`invalid roles`)
+		} else {
+			inputRoles = params.Roles
 		}
 	} else {
-		inputRoles = []string{constants.DEFAULT_ROLE}
+		inputRoles = constants.DEFAULT_ROLES
 	}
 
 	// find user with email
@@ -85,6 +84,7 @@ func Signup(ctx context.Context, params model.SignUpInput) (*model.AuthResponse,
 		return res, err
 	}
 	userIdStr := fmt.Sprintf("%v", user.ID)
+	roles := strings.Split(user.Roles, ",")
 	userToReturn := &model.User{
 		ID:              userIdStr,
 		Email:           user.Email,
@@ -123,9 +123,9 @@ func Signup(ctx context.Context, params model.SignUpInput) (*model.AuthResponse,
 		}
 	} else {
 
-		refreshToken, _, _ := utils.CreateAuthToken(user, enum.RefreshToken, constants.DEFAULT_ROLE)
+		refreshToken, _, _ := utils.CreateAuthToken(user, enum.RefreshToken, roles)
 
-		accessToken, expiresAt, _ := utils.CreateAuthToken(user, enum.AccessToken, constants.DEFAULT_ROLE)
+		accessToken, expiresAt, _ := utils.CreateAuthToken(user, enum.AccessToken, roles)
 
 		session.SetToken(userIdStr, refreshToken)
 		res = &model.AuthResponse{

server/resolvers/token.go

@@ -14,7 +14,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
-func Token(ctx context.Context, role *string) (*model.AuthResponse, error) {
+func Token(ctx context.Context, roles []string) (*model.AuthResponse, error) {
 	var res *model.AuthResponse
 
 	gc, err := utils.GinContextFromContext(ctx)
@@ -30,16 +30,11 @@ func Token(ctx context.Context, role *string) (*model.AuthResponse, error) {
 	expiresAt := claim["exp"].(int64)
 	email := fmt.Sprintf("%v", claim["email"])
 
-	claimRole := fmt.Sprintf("%v", claim[constants.JWT_ROLE_CLAIM])
 	user, err := db.Mgr.GetUserByEmail(email)
 	if err != nil {
 		return res, err
 	}
 
-	if role != nil && *role != claimRole {
-		return res, fmt.Errorf(`unauthorized`)
-	}
-
 	userIdStr := fmt.Sprintf("%v", user.ID)
 
 	sessionToken := session.GetToken(userIdStr)
@@ -47,15 +42,30 @@ func Token(ctx context.Context, role *string) (*model.AuthResponse, error) {
 	if sessionToken == "" {
 		return res, fmt.Errorf(`unauthorized`)
 	}
-	// TODO check if refresh/session token has expired
 
 	expiresTimeObj := time.Unix(expiresAt, 0)
 	currentTimeObj := time.Now()
+
+	claimRoleInterface := claim[constants.JWT_ROLE_CLAIM].([]interface{})
+	claimRoles := make([]string, len(claimRoleInterface))
+	for i, v := range claimRoleInterface {
+		claimRoles[i] = v.(string)
+	}
+
+	if len(roles) > 0 {
+		for _, v := range roles {
+			if !utils.StringContains(claimRoles, v) {
+				return res, fmt.Errorf(`unauthorized`)
+			}
+		}
+	}
+
 	if accessTokenErr != nil || expiresTimeObj.Sub(currentTimeObj).Minutes() <= 5 {
 		// if access token has expired and refresh/session token is valid
 		// generate new accessToken
-		token, expiresAt, _ = utils.CreateAuthToken(user, enum.AccessToken, claimRole)
+		token, expiresAt, _ = utils.CreateAuthToken(user, enum.AccessToken, claimRoles)
 	}
+
 	utils.SetCookie(gc, token)
 	res = &model.AuthResponse{
 		Message:              `Token verified`,

server/resolvers/updateProfile.go

@@ -124,31 +124,6 @@ func UpdateProfile(ctx context.Context, params model.UpdateProfileInput) (*model
 		}()
 	}
 
-	// TODO this idea needs to be verified otherwise every user can make themselves super admin
-	// rolesToSave := ""
-	// if params.Roles != nil && len(params.Roles) > 0 {
-	// 	currentRoles := strings.Split(user.Roles, ",")
-	// 	inputRoles := []string{}
-	// 	for _, item := range params.Roles {
-	// 		inputRoles = append(inputRoles, *item)
-	// 	}
-
-	// 	if !utils.IsValidRolesArray(inputRoles) {
-	// 		return res, fmt.Errorf("invalid list of roles")
-	// 	}
-
-	// 	if !utils.IsStringArrayEqual(inputRoles, currentRoles) {
-	// 		rolesToSave = strings.Join(inputRoles, ",")
-	// 	}
-
-	// 	session.DeleteToken(fmt.Sprintf("%v", user.ID))
-	// 	utils.DeleteCookie(gc)
-	// }
-
-	// if rolesToSave != "" {
-	// 	user.Roles = rolesToSave
-	// }
-
 	_, err = db.Mgr.UpdateUser(user)
 	if err != nil {
 		log.Println("Error updating user:", err)

server/resolvers/verifyEmail.go

@@ -6,7 +6,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/enum"
 	"github.com/authorizerdev/authorizer/server/graph/model"
@@ -43,9 +42,10 @@ func VerifyEmail(ctx context.Context, params model.VerifyEmailInput) (*model.Aut
 	db.Mgr.DeleteToken(claim.Email)
 
 	userIdStr := fmt.Sprintf("%v", user.ID)
-	refreshToken, _, _ := utils.CreateAuthToken(user, enum.RefreshToken, constants.DEFAULT_ROLE)
+	roles := strings.Split(user.Roles, ",")
+	refreshToken, _, _ := utils.CreateAuthToken(user, enum.RefreshToken, roles)
 
-	accessToken, expiresAt, _ := utils.CreateAuthToken(user, enum.AccessToken, constants.DEFAULT_ROLE)
+	accessToken, expiresAt, _ := utils.CreateAuthToken(user, enum.AccessToken, roles)
 
 	session.SetToken(userIdStr, refreshToken)