add authorization to gRPC update user API (techschool#60)

Co-authored-by: phamlequang <phamlequang@gmail.com>
hhwangS27 · Sep 14, 2022 · 68ef8aa · 68ef8aa
1 parent c335fd5
commit 68ef8aa
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 1 deletion.
diff --git a/gapi/authorization.go b/gapi/authorization.go
@@ -0,0 +1,46 @@
+package gapi
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/techschool/simplebank/token"
+	"google.golang.org/grpc/metadata"
+)
+
+const (
+	authorizationHeader = "authorization"
+	authorizationBearer = "bearer"
+)
+
+func (server *Server) authorizeUser(ctx context.Context) (*token.Payload, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return nil, fmt.Errorf("missing metadata")
+	}
+
+	values := md.Get(authorizationHeader)
+	if len(values) == 0 {
+		return nil, fmt.Errorf("missing authorization header")
+	}
+
+	authHeader := values[0]
+	fields := strings.Fields(authHeader)
+	if len(fields) < 2 {
+		return nil, fmt.Errorf("invalid authorization header format")
+	}
+
+	authType := strings.ToLower(fields[0])
+	if authType != authorizationBearer {
+		return nil, fmt.Errorf("unsupported authorization type: %s", authType)
+	}
+
+	accessToken := fields[1]
+	payload, err := server.tokenMaker.VerifyToken(accessToken)
+	if err != nil {
+		return nil, fmt.Errorf("invalid access token: %s", err)
+	}
+
+	return payload, nil
+}
diff --git a/gapi/error.go b/gapi/error.go
@@ -24,3 +24,7 @@ func invalidArgumentError(violations []*errdetails.BadRequest_FieldViolation) er
 
 	return statusDetails.Err()
 }
+
+func unauthenticatedError(err error) error {
+	return status.Errorf(codes.Unauthenticated, "unauthorized: %s", err)
+}
diff --git a/gapi/rpc_update_user.go b/gapi/rpc_update_user.go
@@ -15,13 +15,20 @@ import (
 )
 
 func (server *Server) UpdateUser(ctx context.Context, req *pb.UpdateUserRequest) (*pb.UpdateUserResponse, error) {
-	// TODO: add authorization
+	authPayload, err := server.authorizeUser(ctx)
+	if err != nil {
+		return nil, unauthenticatedError(err)
+	}
 
 	violations := validateUpdateUserRequest(req)
 	if violations != nil {
 		return nil, invalidArgumentError(violations)
 	}
 
+	if authPayload.Username != req.GetUsername() {
+		return nil, status.Errorf(codes.PermissionDenied, "cannot update other user's info")
+	}
+
 	arg := db.UpdateUserParams{
 		Username: req.GetUsername(),
 		FullName: sql.NullString{