feat/role based access (#50)

* feat: add roles based access

* feat: update roles env + todo

* feat: add roles to update profile

* feat: add role based oauth

* feat: validate role for a given token

Author: lakhansamani

.env.sample

@@ -4,4 +4,7 @@ DATABASE_TYPE=sqlite
 ADMIN_SECRET=admin
 DISABLE_EMAIL_VERIFICATION=true
 JWT_SECRET=random_string
-JWT_TYPE=HS256
+JWT_TYPE=HS256
+ROLES=user,admin
+DEFAULT_ROLE=user
+JWT_ROLE_CLAIM=role

TODO.md

@@ -0,0 +1,16 @@
+# Task List
+
+# Feature roles
+
+For the first version we will only support setting roles master list via env
+
+- [x] Support following ENV
+  - [x] `ROLES` -> comma separated list of role names
+  - [x] `DEFAULT_ROLE` -> default role to assign to users
+- [x] Add roles input for signup
+- [x] Add roles to update profile mutation
+- [x] Add roles input for login
+- [x] Return roles to user
+- [x] Return roles in users list for super admin
+- [x] Add roles to the JWT token generation
+- [x] Validate token should also validate the role, if roles to validate again is present in request

server/constants/constants.go

@@ -23,6 +23,11 @@ var (
 	DISABLE_EMAIL_VERIFICATION   = "false"
 	DISABLE_BASIC_AUTHENTICATION = "false"
 
+	// ROLES
+	ROLES          = []string{}
+	DEFAULT_ROLE   = ""
+	JWT_ROLE_CLAIM = "role"
+
 	// OAuth login
 	GOOGLE_CLIENT_ID       = ""
 	GOOGLE_CLIENT_SECRET   = ""

server/db/db.go

@@ -24,6 +24,7 @@ type Manager interface {
 	GetVerificationRequests() ([]VerificationRequest, error)
 	GetVerificationByEmail(email string) (VerificationRequest, error)
 	DeleteUser(email string) error
+	SaveRoles(roles []Role) error
 }
 
 type manager struct {
@@ -53,7 +54,7 @@ func InitDB() {
 	if err != nil {
 		log.Fatal("Failed to init db:", err)
 	} else {
-		db.AutoMigrate(&User{}, &VerificationRequest{})
+		db.AutoMigrate(&User{}, &VerificationRequest{}, &Role{})
 	}
 
 	Mgr = &manager{db: db}

server/db/roles.go

@@ -0,0 +1,19 @@
+package db
+
+import "log"
+
+type Role struct {
+	ID   uint `gorm:"primaryKey"`
+	Role string
+}
+
+// SaveRoles function to save roles
+func (mgr *manager) SaveRoles(roles []Role) error {
+	res := mgr.db.Create(&roles)
+	if res.Error != nil {
+		log.Println(`Error saving roles`)
+		return res.Error
+	}
+
+	return nil
+}

server/db/user.go

@@ -17,6 +17,7 @@ type User struct {
 	CreatedAt       int64 `gorm:"autoCreateTime"`
 	UpdatedAt       int64 `gorm:"autoUpdateTime"`
 	Image           string
+	Roles           string
 }
 
 // SaveUser function to add user even with email conflict

server/env.go

@@ -73,6 +73,8 @@ func InitEnv() {
 	constants.RESET_PASSWORD_URL = strings.TrimPrefix(os.Getenv("RESET_PASSWORD_URL"), "/")
 	constants.DISABLE_BASIC_AUTHENTICATION = os.Getenv("DISABLE_BASIC_AUTHENTICATION")
 	constants.DISABLE_EMAIL_VERIFICATION = os.Getenv("DISABLE_EMAIL_VERIFICATION")
+	constants.DEFAULT_ROLE = os.Getenv("DEFAULT_ROLE")
+	constants.JWT_ROLE_CLAIM = os.Getenv("JWT_ROLE_CLAIM")
 
 	if constants.ADMIN_SECRET == "" {
 		panic("root admin secret is required")
@@ -143,4 +145,33 @@ func InitEnv() {
 			constants.DISABLE_EMAIL_VERIFICATION = "false"
 		}
 	}
+
+	rolesSplit := strings.Split(os.Getenv("ROLES"), ",")
+	roles := []string{}
+	defaultRole := ""
+
+	for _, val := range rolesSplit {
+		trimVal := strings.TrimSpace(val)
+		if trimVal != "" {
+			roles = append(roles, trimVal)
+		}
+
+		if trimVal == constants.DEFAULT_ROLE {
+			defaultRole = trimVal
+		}
+	}
+	if len(roles) > 0 && defaultRole == "" {
+		panic(`Invalid DEFAULT_ROLE environment variable. It can be one from give ROLES environment variable value`)
+	}
+
+	if len(roles) == 0 {
+		roles = []string{"user", "admin"}
+		constants.DEFAULT_ROLE = "user"
+	}
+
+	constants.ROLES = roles
+
+	if constants.JWT_ROLE_CLAIM == "" {
+		constants.JWT_ROLE_CLAIM = "role"
+	}
 }