
Commit b3be57c

Merge pull request #2158 from gravitl/GRA-1479-user-updates
add checks to user update processing
2 parents b5e6836 + c2a4cb1 commit b3be57c


2 files changed

+29
-0
lines changed


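--- a/controllers/user.go
+++ b/controllers/user.go
@@ -331,7 +331,18 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Type", "application/json")
 var params = mux.Vars(r)
 // start here
+jwtUser, _, isadmin, err := logic.VerifyJWT(r.Header.Get("Authorization"))
+if err != nil {
+logger.Log(0, "verifyJWT error", err.Error())
+logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+return
+}
 username := params["username"]
+if username != jwtUser && !isadmin {
+logger.Log(0, "non-admin user", jwtUser, "attempted to update user", username)
+logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not authorizied"), "unauthorized"))
+return
+}
 user, err := logic.GetUser(username)
 if err != nil {
 logger.Log(0, username,
@@ -354,6 +365,11 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 return
 }
+if userchange.IsAdmin && !isadmin {
+logger.Log(0, "non-admin user", jwtUser, "attempted get admin privilages")
+logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not authorizied"), "unauthorized"))
+return
+}
 userchange.Networks = nil
 user, err = logic.UpdateUser(&userchange, user)
 if err != nil {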
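Review bot: The VerifyJWT failure at the top of the first hunk is reported with the "internal" error kind, although a missing or malformed Authorization header is a caller problem; if FormatError maps "internal" to a 5xx status, an unauthenticated request gets a server error rather than the 401 the two new checks below produce. Using `logic.ReturnErrorResponse(w, r, logic.FormatError(err, "unauthorized"))` there would make all three rejection paths consistent. Both new rejection messages also misspell the user-visible string `"not authorizied"` (should be `"not authorized"`), and the second hunk's log text `"attempted get admin privilages"` likewise. The `// start here` marker directly above the new block reads as a leftover and could be dropped. updateUser begins and ends outside these hunks.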

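--- a/logic/jwts.go
+++ b/logic/jwts.go
@@ -3,6 +3,7 @@ package logic
 import (
 "errors"
 "fmt"
+"strings"
 "time"
 
 "github.com/golang-jwt/jwt/v4"
@@ -101,6 +102,18 @@ func CreateUserJWT(username string, networks []string, isadmin bool) (response s
 return "", err
 }
 
+// VerifyJWT verifies Auth Header
+func VerifyJWT(bearerToken string) (username string, networks []string, isadmin bool, err error) {
+token := ""
+tokenSplit := strings.Split(bearerToken, " ")
+if len(tokenSplit) > 1 {
+token = tokenSplit[1]
+} else {
+return "", nil, false, errors.New("invalid auth header")
+}
+return VerifyUserToken(token)
+}
+
 // VerifyUserToken func will used to Verify the JWT Token while using APIS
 func VerifyUserToken(tokenString string) (username string, networks []string, isadmin bool, err error) {
 claims := &models.UserClaims{}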
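Review bot: VerifyJWT forwards whatever follows the first space in the header without checking that the scheme is Bearer, so any two-word header value reaches VerifyUserToken, and a value such as `Bearer ` or one with a doubled space yields an empty token that is only rejected later inside VerifyUserToken instead of at the header check. Tightening the condition to `if len(tokenSplit) == 2 && strings.EqualFold(tokenSplit[0], "Bearer") && tokenSplit[1] != "" {` rejects those cases at the boundary with the existing "invalid auth header" error. The doc comment could also state the expected shape: `// VerifyJWT extracts the token from a "Bearer <token>" Authorization header value and validates it with VerifyUserToken.` VerifyUserToken's body continues outside the hunk.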
