Added token validation to authenticated functions

Author: munjoonteo

server/category.go

@@ -8,7 +8,11 @@ import (
 	"go.mongodb.org/mongo-driver/mongo"
 )
 
-func GetCat(collection *mongo.Collection, id int) *Category {
+// GetCat - Retrieve a category from the database
+func GetCat(collection *mongo.Collection, id int, token string) *Category {
+	if !validToken(token) {
+		return nil
+	}
 
 	var result *Category
 	filter := bson.D{{"categoryID", id}}
@@ -22,7 +26,12 @@ func GetCat(collection *mongo.Collection, id int) *Category {
 	return result
 }
 
-func NewCat(collection *mongo.Collection, catID int, index int, name string) {
+// NewCat - Add a new category
+func NewCat(collection *mongo.Collection, catID int, index int, name string, token string) {
+	if !validToken(token) {
+		return
+	}
+
 	category := Category{
 		categoryID:   catID,
 		categoryName: name,
@@ -35,7 +44,12 @@ func NewCat(collection *mongo.Collection, catID int, index int, name string) {
 	}
 }
 
-func PatchCat(collection *mongo.Collection, catID int, name string, index int) {
+// PatchCat - Update a category with new information
+func PatchCat(collection *mongo.Collection, catID int, name string, index int, token string) {
+	if !validToken(token) {
+		return
+	}
+
 	filter := bson.D{{"categoryID", catID}}
 	update := bson.D{
 		{"$set", bson.D{
@@ -51,7 +65,12 @@ func PatchCat(collection *mongo.Collection, catID int, name string, index int) {
 	}
 }
 
-func DeleteCat(collection *mongo.Collection, id int) {
+// DeleteCat - Delete a category from the database
+func DeleteCat(collection *mongo.Collection, id int, token string) {
+	if !validToken(token) {
+		return
+	}
+
 	filter := bson.D{{"categoryID", id}}
 
 	// Find a category by id and delete it

server/login.go

@@ -12,7 +12,10 @@ import (
 	"gopkg.in/ldap.v2"
 )
 
-func auth(collection *mongo.Collection, zid string, password string) string {
+var jwtKey = []byte("secret_text")
+
+// Auth - to login
+func Auth(collection *mongo.Collection, zid string, password string, permissions string) string {
 	// Connect to UNSW LDAP server
 	l, err := ldap.Dial("tcp", "ad.unsw.edu.au")
 	if err != nil {
@@ -47,12 +50,13 @@ func auth(collection *mongo.Collection, zid string, password string) string {
 	}
 
 	// Encode user details into a JWT and turn it into a string
-	jwtKey := []byte("secret_text")
+
 	userFound := searchResult.Entries[0]
 	expirationTime := time.Now().Add(time.Hour * 24)
 	claims := &Claims{
-		hashedZID: hashedZID,
-		firstName: userFound.GetAttributeValue("firstName"),
+		hashedZID:   hashedZID,
+		firstName:   userFound.GetAttributeValue("firstName"),
+		permissions: permissions,
 		StandardClaims: jwt.StandardClaims{
 			ExpiresAt: expirationTime.Unix(),
 		},
@@ -100,3 +104,23 @@ func auth(collection *mongo.Collection, zid string, password string) string {
 
 	return tokenString
 }
+
+// validToken - returns
+func validToken(tokenString string) bool {
+	claims := &Claims{}
+	tkn, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
+		return jwtKey, nil
+	})
+
+	if err != nil {
+		if err == jwt.ErrSignatureInvalid {
+			return false
+		}
+	}
+
+	if !tkn.Valid || claims.permissions != "staff" {
+		return false
+	}
+
+	return true
+}

server/post.go

@@ -10,6 +10,7 @@ import (
 	"go.mongodb.org/mongo-driver/mongo/options"
 )
 
+// GetPost - Retrieve a post from the database
 func GetPost(collection *mongo.Collection, id int, category string) *Post {
 	var result *Post
 
@@ -23,6 +24,7 @@ func GetPost(collection *mongo.Collection, id int, category string) *Post {
 	return result
 }
 
+// GetAllPosts - Retrieve all posts
 func GetAllPosts(collection *mongo.Collection, count int, cat string) []*Post {
 	findOptions := options.Find()
 	if count != 10 {
@@ -60,6 +62,7 @@ func GetAllPosts(collection *mongo.Collection, count int, cat string) []*Post {
 	return posts
 }
 
+// NewPost - Add a new post
 func NewPost(collection *mongo.Collection, id int, category int, showInMenu bool, title string, subtitle string, postType string, content string, github string, fb string) {
 	post := Post{
 		postID:           id,
@@ -81,6 +84,7 @@ func NewPost(collection *mongo.Collection, id int, category int, showInMenu bool
 	}
 }
 
+// UpdatePost - Update a post with new information
 func UpdatePost(collection *mongo.Collection, id int, category int, showInMenu bool, title string, subtitle string, postType string, content string, github string, fb string) {
 	filter := bson.D{{"postID", id}}
 	update := bson.D{
@@ -104,6 +108,7 @@ func UpdatePost(collection *mongo.Collection, id int, category int, showInMenu b
 	}
 }
 
+// DeletePost - Delete a post from the database
 func DeletePost(collection *mongo.Collection, id int) {
 	filter := bson.D{{"postID", id}}
 

server/server.go

@@ -58,8 +58,9 @@ type Sponsor struct {
 
 // Claims - struct to store jwt data
 type Claims struct {
-	hashedZID [32]byte
-	firstName string
+	hashedZID   [32]byte
+	firstName   string
+	permissions string
 	jwt.StandardClaims
 }
 
@@ -140,7 +141,8 @@ func login(collection *mongo.Collection) echo.HandlerFunc {
 	return func(c echo.Context) error {
 		zid := c.FormValue("zid")
 		password := c.FormValue("password")
-		tokenString := auth(collection, zid, password)
+		permissions := c.FormValue("permissions")
+		tokenString := Auth(collection, zid, password, permissions)
 		return c.JSON(http.StatusOK, H{
 			"token": tokenString,
 		})
@@ -211,8 +213,9 @@ func deletePost(collection *mongo.Collection) echo.HandlerFunc {
 
 func getCat(collection *mongo.Collection) echo.HandlerFunc {
 	return func(c echo.Context) error {
+		token := c.FormValue("token")
 		id, _ := strconv.Atoi(c.QueryParam("id"))
-		result := GetCat(collection, id)
+		result := GetCat(collection, id, token)
 		return c.JSON(http.StatusOK, H{
 			"category": result,
 		})
@@ -221,47 +224,52 @@ func getCat(collection *mongo.Collection) echo.HandlerFunc {
 
 func newCat(collection *mongo.Collection) echo.HandlerFunc {
 	return func(c echo.Context) error {
+		token := c.FormValue("token")
 		catID, _ := strconv.Atoi(c.FormValue("id"))
 		index, _ := strconv.Atoi(c.FormValue("index"))
 		name := c.FormValue("name")
-		NewCat(collection, catID, index, name)
+		NewCat(collection, catID, index, name, token)
 		return c.JSON(http.StatusOK, H{})
 	}
 }
 
 func patchCat(collection *mongo.Collection) echo.HandlerFunc {
 	return func(c echo.Context) error {
+		token := c.FormValue("token")
 		catID, _ := strconv.Atoi(c.FormValue("id"))
 		name := c.FormValue("name")
 		index, _ := strconv.Atoi(c.FormValue("index"))
-		PatchCat(collection, catID, name, index)
+		PatchCat(collection, catID, name, index, token)
 		return c.JSON(http.StatusOK, H{})
 	}
 }
 
 func deleteCat(collection *mongo.Collection) echo.HandlerFunc {
 	return func(c echo.Context) error {
+		token := c.FormValue("token")
 		id, _ := strconv.Atoi(c.FormValue("id"))
-		DeleteCat(collection, id)
+		DeleteCat(collection, id, token)
 		return c.JSON(http.StatusOK, H{})
 	}
 }
 
 func newSponsor(collection *mongo.Collection) echo.HandlerFunc {
 	return func(c echo.Context) error {
+		token := c.FormValue("token")
 		expiryStr := c.FormValue("expiry")
 		name := c.FormValue("name")
 		logo := c.FormValue("logo")
 		tier := c.FormValue("tier")
-		NewSponsor(collection, expiryStr, name, logo, tier)
+		NewSponsor(collection, expiryStr, name, logo, tier, token)
 		return c.JSON(http.StatusOK, H{})
 	}
 }
 
 func deleteSponsor(collection *mongo.Collection) echo.HandlerFunc {
 	return func(c echo.Context) error {
+		token := c.FormValue("token")
 		id := c.FormValue("id")
-		DeleteSponsor(collection, id)
+		DeleteSponsor(collection, id, token)
 		return c.JSON(http.StatusOK, H{})
 	}
 }

server/sponsor.go

@@ -10,7 +10,12 @@ import (
 	"go.mongodb.org/mongo-driver/mongo"
 )
 
-func NewSponsor(collection *mongo.Collection, expiryStr string, name string, logo string, tier string) {
+// NewSponsor - Add a new sponsor
+func NewSponsor(collection *mongo.Collection, expiryStr string, name string, logo string, tier string, token string) {
+	if !validToken(token) {
+		return
+	}
+
 	expiryTime, _ := time.Parse(time.RFC3339, expiryStr)
 	id := uuid.New()
 
@@ -28,7 +33,12 @@ func NewSponsor(collection *mongo.Collection, expiryStr string, name string, log
 	}
 }
 
-func DeleteSponsor(collection *mongo.Collection, id string) {
+// DeleteSponsor - Delete a sponsor from the database
+func DeleteSponsor(collection *mongo.Collection, id string, token string) {
+	if !validToken(token) {
+		return
+	}
+
 	parsedID := uuid.Must(uuid.Parse(id))
 
 	// Find a sponsor by ID and delete it