~sircmpwn/gql.sr.ht

ref: 1fd9e352177eb4f56583e66123eba997931321dc gql.sr.ht/directives.go -rw-r--r-- 1.0 KiB
1fd9e352Drew DeVault s/Scopes/Grants/g a month ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
package gql

import (
	"context"
	"fmt"

	"github.com/99designs/gqlgen/graphql"

	"git.sr.ht/~sircmpwn/gql.sr.ht/auth"
)

func Internal(ctx context.Context, obj interface{},
	next graphql.Resolver) (interface{}, error) {

	if auth.ForContext(ctx).AuthMethod != auth.AUTH_INTERNAL {
		return nil, fmt.Errorf("Access denied")
	}

	return next(ctx)
}

func Access(ctx context.Context, obj interface{}, next graphql.Resolver,
	scope string, kind string) (interface{}, error) {

	authctx := auth.ForContext(ctx)

	switch authctx.AuthMethod {
	case auth.AUTH_INTERNAL:
	case auth.AUTH_COOKIE:
		return next(ctx)
	case auth.AUTH_OAUTH_LEGACY:
		if kind == "RO" {
			// Only legacy tokens with "*" scopes ever get this far
			return next(ctx)
		}
	case auth.AUTH_OAUTH2:
		if authctx.Access == nil {
			return next(ctx)
		}
		if access, ok := authctx.Access[scope]; !ok {
			break
		} else if access == "RO" && kind == "RW" {
			break
		}
		return next(ctx)
	default:
		panic(fmt.Errorf("Unknown auth method for access check"))
	}

	return nil, fmt.Errorf("Access denied")
}