From c6cbcd2e66df03eda61801500c6d8a1aec2db69e Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Sun, 18 Jul 2021 09:37:08 +0530
Subject: [PATCH] Add super admin validation

Resolves #24
---
 server/constants/env.go | 7 ++++++-
 server/resolvers/users.go | 10 ++++++++++
 server/utils/validateSuperAdmin.go | 15 +++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 server/utils/validateSuperAdmin.go

diff --git a/server/constants/env.go b/server/constants/env.go
index e156b19..9b93418 100644
--- a/server/constants/env.go
+++ b/server/constants/env.go
@@ -10,6 +10,7 @@ import (
 )
 
 var (
+	YAUTH_ADMIN_SECRET = ""
 	ENV = ""
 	DB_TYPE = ""
 	DB_URL = ""
@@ -38,7 +39,7 @@ func init() {
 	if err != nil {
 		log.Println("Error loading .env file")
 	}
-
+	YAUTH_ADMIN_SECRET = os.Getenv("YAUTH_ADMIN_SECRET")
 	ENV = os.Getenv("ENV")
 	DB_TYPE = os.Getenv("DB_TYPE")
 	DB_URL = os.Getenv("DB_URL")
@@ -60,6 +61,10 @@ func init() {
 	// FACEBOOK_CLIENT_ID = os.Getenv("FACEBOOK_CLIENT_ID")
 	// FACEBOOK_CLIENT_SECRET = os.Getenv("FACEBOOK_CLIENT_SECRET")
 
+	if YAUTH_ADMIN_SECRET == "" {
+		panic("Yauth admin secret is required")
+	}
+
 	if ENV == "" {
 		ENV = "production"
 	}
diff --git a/server/resolvers/users.go b/server/resolvers/users.go
index 6792c22..06ae7b4 100644
--- a/server/resolvers/users.go
+++ b/server/resolvers/users.go
@@ -6,10 +6,20 @@ import (
 
 	"github.com/yauthdev/yauth/server/db"
 	"github.com/yauthdev/yauth/server/graph/model"
+	"github.com/yauthdev/yauth/server/utils"
 )
 
 func Users(ctx context.Context) ([]*model.User, error) {
+	gc, err := utils.GinContextFromContext(ctx)
 	var res []*model.User
+	if err != nil {
+		return res, err
+	}
+
+	if !utils.IsSuperAdmin(gc) {
+		return res, fmt.Errorf("unauthorized")
+	}
+
 	users, err := db.Mgr.GetUsers()
 	if err != nil {
 		return res, err
diff --git a/server/utils/validateSuperAdmin.go b/server/utils/validateSuperAdmin.go
new file mode 100644
index 0000000..db9a1cb
--- /dev/null
+++ b/server/utils/validateSuperAdmin.go
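Review bot: The panic added under `if YAUTH_ADMIN_SECRET == ""` in init() fires right after a missing `.env` file has only been logged, and its message does not name the variable an operator has to set; `panic("YAUTH_ADMIN_SECRET environment variable is required")` makes the startup failure self-explanatory. Refusing to start without the credential that gates the admin-only resolvers is the right fail-closed choice. Because the check runs in init(), every package that imports constants (tests included) now needs the variable set; a one-line comment above the check stating that would save the next maintainer a surprise. The enclosing init() continues past the end of the hunk.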
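Review bot: `fmt.Errorf("unauthorized")` in Users has no format verbs and produces a fresh, uncomparable error on every call; a package-level sentinel, `var ErrUnauthorized = errors.New("unauthorized")`, returned here instead lets the GraphQL layer and any other resolver that adopts the same admin gate match it with errors.Is. A failed admin-secret check is also worth a log line (without echoing the presented header value) so repeated attempts against the admin endpoint are visible in operations. Moving `var res []*model.User` back above the new `gc, err :=` line keeps the declaration at the top of the function as the original had it. Users continues past the end of the hunk.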
@@ -0,0 +1,15 @@
+package utils
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yauthdev/yauth/server/constants"
+)
+
+func IsSuperAdmin(gc *gin.Context) bool {
+	secret := gc.Request.Header.Get("x-yauth-admin-secret")
+	if secret == "" {
+		return false
+	}
+
+	return secret == constants.YAUTH_ADMIN_SECRET
+}
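Review bot: The final comparison, `secret == constants.YAUTH_ADMIN_SECRET`, is a plain string equality whose running time depends on how many leading bytes match, which is why secret checks conventionally use a constant-time compare; replace it with `return subtle.ConstantTimeCompare([]byte(secret), []byte(constants.YAUTH_ADMIN_SECRET)) == 1` and add `"crypto/subtle"` to the import block. The early return on an empty header can stay, since the constants package's init() already refuses an empty configured secret, so an empty header can never match. The exported function also has no doc comment; `// IsSuperAdmin reports whether the request carries the configured admin secret in the x-yauth-admin-secret header.` would satisfy the convention.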