add authorization to gRPC update user API (techschool#60)

Co-authored-by: phamlequang <[email protected]>
Eagalon · Sep 14, 2022 · 68ef8aa · 68ef8aa
1 parent c335fd5
commit 68ef8aa
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 1 deletion.
diff --git a/gapi/authorization.go b/gapi/authorization.go
@@ -0,0 +1,46 @@
+package gapi
+
+import (
+ "context"
+ "fmt"
+ "strings"
+
+ "github.com/techschool/simplebank/token"
+ "google.golang.org/grpc/metadata"
+)
+
+const (
+ authorizationHeader = "authorization"
+ authorizationBearer = "bearer"
+)
+
+func (server *Server) authorizeUser(ctx context.Context) (*token.Payload, error) {
+ md, ok := metadata.FromIncomingContext(ctx)
+ if !ok {
+ return nil, fmt.Errorf("missing metadata")
+ }
+
+ values := md.Get(authorizationHeader)
+ if len(values) == 0 {
+ return nil, fmt.Errorf("missing authorization header")
+ }
+
+ authHeader := values[0]
+ fields := strings.Fields(authHeader)
+ if len(fields) < 2 {
+ return nil, fmt.Errorf("invalid authorization header format")
+ }
+
+ authType := strings.ToLower(fields[0])
+ if authType != authorizationBearer {
+ return nil, fmt.Errorf("unsupported authorization type: %s", authType)
+ }
+
+ accessToken := fields[1]
+ payload, err := server.tokenMaker.VerifyToken(accessToken)
+ if err != nil {
+ return nil, fmt.Errorf("invalid access token: %s", err)
+ }
+
+ return payload, nil
+}
diff --git a/gapi/error.go b/gapi/error.go
@@ -24,3 +24,7 @@ func invalidArgumentError(violations []*errdetails.BadRequest_FieldViolation) er
 
  return statusDetails.Err()
 }
+
+func unauthenticatedError(err error) error {
+ return status.Errorf(codes.Unauthenticated, "unauthorized: %s", err)
+}
diff --git a/gapi/rpc_update_user.go b/gapi/rpc_update_user.go
@@ -15,13 +15,20 @@ import (
 )
 
 func (server *Server) UpdateUser(ctx context.Context, req *pb.UpdateUserRequest) (*pb.UpdateUserResponse, error) {
- // TODO: add authorization
+ authPayload, err := server.authorizeUser(ctx)
+ if err != nil {
+ return nil, unauthenticatedError(err)
+ }
 
  violations := validateUpdateUserRequest(req)
  if violations != nil {
  return nil, invalidArgumentError(violations)
  }
 
+ if authPayload.Username != req.GetUsername() {
+ return nil, status.Errorf(codes.PermissionDenied, "cannot update other user's info")
+ }
+
  arg := db.UpdateUserParams{
  Username: req.GetUsername(),
  FullName: sql.NullString{