| package auth |
|
|
| import ( |
| "encoding/json" |
| "net/http" |
| "os" |
| "strings" |
| "time" |
|
|
| authn "ds2api/internal/auth" |
| ) |
|
|
| func (h *Handler) requireAdmin(next http.Handler) http.Handler { |
| return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| if err := authn.VerifyAdminRequestWithStore(r, h.Store); err != nil { |
| writeJSON(w, http.StatusUnauthorized, map[string]any{"detail": err.Error()}) |
| return |
| } |
| next.ServeHTTP(w, r) |
| }) |
| } |
|
|
| func (h *Handler) login(w http.ResponseWriter, r *http.Request) { |
| var req map[string]any |
| _ = json.NewDecoder(r.Body).Decode(&req) |
| adminKey, _ := req["admin_key"].(string) |
| expireHours := intFrom(req["expire_hours"]) |
| if !authn.VerifyAdminCredential(adminKey, h.Store) { |
| writeJSON(w, http.StatusUnauthorized, map[string]any{"detail": "Invalid admin key"}) |
| return |
| } |
| token, err := authn.CreateJWTWithStore(expireHours, h.Store) |
| if err != nil { |
| writeJSON(w, http.StatusInternalServerError, map[string]any{"detail": err.Error()}) |
| return |
| } |
| if expireHours <= 0 { |
| expireHours = h.Store.AdminJWTExpireHours() |
| } |
| writeJSON(w, http.StatusOK, map[string]any{"success": true, "token": token, "expires_in": expireHours * 3600}) |
| } |
|
|
| func (h *Handler) verify(w http.ResponseWriter, r *http.Request) { |
| header := strings.TrimSpace(r.Header.Get("Authorization")) |
| if !strings.HasPrefix(strings.ToLower(header), "bearer ") { |
| writeJSON(w, http.StatusUnauthorized, map[string]any{"detail": "No credentials provided"}) |
| return |
| } |
| token := strings.TrimSpace(header[7:]) |
| payload, err := authn.VerifyJWTWithStore(token, h.Store) |
| if err != nil { |
| writeJSON(w, http.StatusUnauthorized, map[string]any{"detail": err.Error()}) |
| return |
| } |
| exp, _ := payload["exp"].(float64) |
| remaining := int64(exp) - time.Now().Unix() |
| if remaining < 0 { |
| remaining = 0 |
| } |
| writeJSON(w, http.StatusOK, map[string]any{"valid": true, "expires_at": int64(exp), "remaining_seconds": remaining}) |
| } |
|
|
| func (h *Handler) getVercelConfig(w http.ResponseWriter, _ *http.Request) { |
| saved := h.Store.Snapshot().Vercel |
| token, tokenSource := firstConfiguredValue( |
| [2]string{"env", os.Getenv("VERCEL_TOKEN")}, |
| [2]string{"config", saved.Token}, |
| ) |
| projectID, _ := firstConfiguredValue( |
| [2]string{"env", os.Getenv("VERCEL_PROJECT_ID")}, |
| [2]string{"config", saved.ProjectID}, |
| ) |
| teamID, _ := firstConfiguredValue( |
| [2]string{"env", os.Getenv("VERCEL_TEAM_ID")}, |
| [2]string{"config", saved.TeamID}, |
| ) |
| writeJSON(w, http.StatusOK, map[string]any{ |
| "has_token": token != "", |
| "token_preview": maskSecretPreview(token), |
| "token_source": nilIfEmpty(tokenSource), |
| "project_id": projectID, |
| "team_id": nilIfEmpty(teamID), |
| }) |
| } |
|
|
| func firstConfiguredValue(values ...[2]string) (string, string) { |
| for _, pair := range values { |
| value := strings.TrimSpace(pair[1]) |
| if value != "" { |
| return value, strings.TrimSpace(pair[0]) |
| } |
| } |
| return "", "" |
| } |
|
|
