feat: gen staff token (#32)

* feat: gen staff token * fix: change gen-staff-token to .sh * feat: add faculty-wide
isd-sgcu · Jan 11, 2024 · ec4199e · ec4199e
1 parent b76befd
commit ec4199e
Show file tree

Hide file tree

Showing 6 changed files with 86 additions and 3 deletions.
diff --git a/.env.example b/.env.example
@@ -14,3 +14,5 @@ OAUTH2_REDIRECT_URL=http://localhost:3000/auth/callback
 OAUTH2_SCOPES=openid,email
 
 CORS_ORIGINS=https://openhouse.chula.ac.th,https://isd-sgcu.in.th,https://openhouse.isd-sgcu.in.th
+
+JWT_SECRET_KEY=secret
diff --git a/cfgldr/cfgldr.go b/cfgldr/cfgldr.go
@@ -9,6 +9,7 @@ type Config struct {
 	AppConfig      AppConfig
 	RedisConfig    RedisConfig
 	OAuth2Config   OAuth2Config
+	JWTConfig      JWTConfig
 	CorsConfig     CorsConfig
 }
 
@@ -34,6 +35,9 @@ type OAuth2Config struct {
 	ClientSecret string   `mapstructure:"CLIENT_SECRET"`
 	Scopes       []string `mapstructure:"SCOPES"`
 }
+type JWTConfig struct {
+	SecretKey string `mapstructure:"SECRET_KEY"`
+}
 
 type CorsConfig struct {
 	AllowOrigins string `mapstructure:"ORIGINS"`
@@ -76,6 +80,15 @@ func LoadConfig() (*Config, error) {
 		return nil, err
 	}
 
+	jwtCfgLdr := viper.New()
+	jwtCfgLdr.SetEnvPrefix("JWT")
+	jwtCfgLdr.AutomaticEnv()
+	jwtCfgLdr.AllowEmptyEnv(false)
+	jwtConfig := JWTConfig{}
+	if err := jwtCfgLdr.Unmarshal(&jwtConfig); err != nil {
+		return nil, err
+	}
+
 	corsConfigLdr := viper.New()
 	corsConfigLdr.SetEnvPrefix("CORS")
 	corsConfigLdr.AutomaticEnv()
@@ -90,6 +103,7 @@ func LoadConfig() (*Config, error) {
 		AppConfig:      appConfig,
 		RedisConfig:    redisConfig,
 		OAuth2Config:   oauth2Config,
+		JWTConfig:      jwtConfig,
 		CorsConfig:     corsConfig,
 	}, nil
 }

diff --git a/go.mod b/go.mod
@@ -31,6 +31,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chenzhuoyu/base64x v0.0.0-20230717121745-296ad89f973d // indirect
 	github.com/chenzhuoyu/iasm v0.9.1 // indirect
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect

diff --git a/go.sum b/go.sum
@@ -30,6 +30,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=

diff --git a/internal/middleware/auth.middleware.go b/internal/middleware/auth.middleware.go
@@ -3,6 +3,7 @@ package middleware
 import (
 	"strings"
 
+	"github.com/dgrijalva/jwt-go"
 	"github.com/gin-gonic/gin"
 	"github.com/isd-sgcu/oph66-backend/apperror"
 	"github.com/isd-sgcu/oph66-backend/cfgldr"
@@ -31,9 +32,26 @@ func NewAuthMiddleware(userRepo auth.Repository, cfg *cfgldr.Config) AuthMiddlew
 		token, err := idtoken.Validate(c, tokenString, cfg.OAuth2Config.ClientId)
 
 		if err != nil {
-			utils.ReturnError(c, apperror.InvalidToken)
-			c.Abort()
-			return
+			SecretKey := cfg.JWTConfig.SecretKey
+			staffToken, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+				return []byte(SecretKey), nil
+			})
+			if err != nil {
+				utils.ReturnError(c, apperror.InvalidToken)
+				c.Abort()
+				return
+			}
+			if staffToken.Valid && staffToken.Claims.(jwt.MapClaims)["role"] == "staff" {
+				c.Set("faculty", staffToken.Claims.(jwt.MapClaims)["faculty"])
+				c.Set("department", staffToken.Claims.(jwt.MapClaims)["department"])
+				c.Set("faculty-wide", staffToken.Claims.(jwt.MapClaims)["faculty-wide"])
+				c.Next()
+				return
+			} else {
+				utils.ReturnError(c, apperror.InvalidToken)
+				c.Abort()
+				return
+			}
 		}
 
 		if email, ok := token.Claims["email"].(string); ok {

diff --git a/tools/gen-staff-token.sh b/tools/gen-staff-token.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+## Usage:
+##   ./tools/gen-staff-token.sh <faculty> <department> <faculty-wide>
+##   ./tools/gen-staff-token.sh 23 0 true
+
+if [ -f .env ]; then
+    source .env
+else
+    echo "Error: .env file not found!"
+    exit 1
+fi
+
+if [ "$#" -ne 3 ]; then
+    echo "Usage: $0 <faculty> <department> <faculty-wide>"
+    exit 1
+fi
+
+faculty=$1
+department=$2
+faculty_wide=$3
+
+if [ -z "$faculty" ] || [ -z "$department" ]; then
+    echo "Invalid input. Faculty and Department cannot be empty."
+    exit 1
+fi
+
+if [ -z "$JWT_SECRET_KEY" ]; then
+    echo "Error: JWT_SECRET_KEY is not set in .env file!"
+    exit 1
+fi
+
+SECRET_KEY="$JWT_SECRET_KEY"
+
+HEADER="{\"alg\":\"HS256\",\"typ\":\"JWT\"}"
+
+PAYLOAD="{\"role\":\"staff\",\"faculty\":$faculty,\"department\":$department,\"faculty-wide\":$faculty_wide}"
+
+HEADER_ENCODED=$(echo -n "$HEADER" | base64 | tr -d '=' | tr '/+' '_-')
+PAYLOAD_ENCODED=$(echo -n "$PAYLOAD" | base64 | tr -d '=' | tr '/+' '_-')
+
+TOKEN="$HEADER_ENCODED.$PAYLOAD_ENCODED"
+
+SIGNATURE=$(echo -n "$TOKEN" | openssl dgst -sha256 -hmac "$SECRET_KEY" -binary | base64 | tr -d '=' | tr '/+' '_-')
+
+echo "Token: $TOKEN.$SIGNATURE"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -14,3 +14,5 @@ OAUTH2_REDIRECT_URL=http://localhost:3000/auth/callback
		OAUTH2_SCOPES=openid,email

		CORS_ORIGINS=https://openhouse.chula.ac.th,https://isd-sgcu.in.th,https://openhouse.isd-sgcu.in.th

		JWT_SECRET_KEY=secret