From aacbb4da1fad7a001b2c222c4675d2efb2ab61b5 Mon Sep 17 00:00:00 2001
From: divyam234
Date: Fri, 8 Sep 2023 20:21:54 +0530
Subject: [PATCH] added acl

---
 README.md | 2 +-
 services/auth.service.go | 41 +++++++++++++++++++++++++++++++++++++---
 utils/config.go | 35 +++++++++++++++++-----------------
 3 files changed, 57 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
index 4c8c4ae..eb5547c 100644
--- a/README.md
+++ b/README.md
@@ -118,7 +118,7 @@ Before running the bot, you will need to set up the following mandatory variable
 ### Optional Vars
 In addition to the mandatory variables, you can also set the following optional variables:
 - `HTTPS` : Only needed when frontend is deployed on vercel.
-
+- `ALLOWED_USERS` : Allow certian telgram usernames including yours to access app.Enter comma seperated telegram usernames here.Needed when your instance is on public cloud and you want to restrict other people to login.
 - `COOKIE_SAME_SITE` : Only needed when frontend is deployed on vercel.
 - `MULTI_CLIENT` : Enable or Disable Multi Token mode. If true you have pass atleast one Multi Token
 - `MULTI_TOKEN[1....]` : Recommended to add atleast 10-12 tokens
diff --git a/services/auth.service.go b/services/auth.service.go
index 6578c4e..c6d3eab 100644
--- a/services/auth.service.go
+++ b/services/auth.service.go
@@ -102,12 +102,32 @@ func setCookie(c *gin.Context, key string, value string, age int) { } +func checkUserIsAllowed(userName string) bool { + config := utils.GetConfig() + found := false + if len(config.AllowedUsers) > 0 { + for _, user := range config.AllowedUsers { + if user == userName { + found = true + break + } + } + } else { + found = true + } + return found +} + func (as *AuthService) LogIn(c *gin.Context) (*schemas.Message, *types.AppError) { var session types.TgSession if err := c.ShouldBindJSON(&session); err != nil { return nil, &types.AppError{Error: errors.New("invalid request payload"), Code: http.StatusBadRequest} } + if !checkUserIsAllowed(session.UserName) { + return nil, &types.AppError{Error: errors.New("user not allowed"), Code: http.StatusUnauthorized} + } + now := time.Now().UTC() jwtClaims := &types.JWTClaims{Claims: jwt.Claims{ @@ -276,7 +296,12 @@ func (as *AuthService) HandleMultipleLogin(c *gin.Context) { } user, ok := authorization.User.AsNotEmpty() if !ok { - conn.WriteJSON(map[string]interface{}{"type": "error", "message": errors.New("auth failed")}) + conn.WriteJSON(map[string]interface{}{"type": "error", "message": "auth failed"}) + return + } + if !checkUserIsAllowed(user.Username) { + conn.WriteJSON(map[string]interface{}{"type": "error", "message": "user not allowed"}) + tgClient.API().AuthLogOut(c) return } res, _ := sessionStorage.LoadSession(c) @@ -312,7 +337,12 @@ func (as *AuthService) HandleMultipleLogin(c *gin.Context) { } user, ok := auth.User.AsNotEmpty() if !ok { - conn.WriteJSON(map[string]interface{}{"type": "error", "message": errors.New("auth failed")}) + conn.WriteJSON(map[string]interface{}{"type": "error", "message": "auth failed"}) + return + } + if !checkUserIsAllowed(user.Username) { + conn.WriteJSON(map[string]interface{}{"type": "error", "message": "user not allowed"}) + tgClient.API().AuthLogOut(c) return } res, _ := sessionStorage.LoadSession(c) 
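Review bot: The allowlist check added to LogIn keys on `session.UserName`, a field the client just supplied in the JSON body via `c.ShouldBindJSON(&session)`, so unless the rest of LogIn (which continues past this hunk) verifies that the Telegram session really belongs to that user, the check only filters honest clients; compare against the identity obtained from the verified session instead, as the HandleMultipleLogin hunks already do with `user.Username`. checkUserIsAllowed also compares entries byte-for-byte, so with a parser that splits on bare commas `ALLOWED_USERS=Alice, bob` never matches `alice` or `bob`, and a trailing comma yields an empty entry that matches an account with no username; Telegram usernames are case-insensitive, so the rewrite below trims entries, skips empty ones and uses `strings.EqualFold` (requires `strings` in the import block if it is not already there). A user who is identified but not on the list is better reported as `http.StatusForbidden` than `http.StatusUnauthorized`. A doc comment such as `// checkUserIsAllowed reports whether userName is on the ALLOWED_USERS list; an empty list allows everyone.` would make the fail-open default explicit.
```go
func checkUserIsAllowed(userName string) bool {
	config := utils.GetConfig()
	if len(config.AllowedUsers) == 0 {
		return true // no allowlist configured: every authenticated user may log in
	}
	for _, allowed := range config.AllowedUsers {
		allowed = strings.TrimSpace(allowed)
		if allowed != "" && strings.EqualFold(allowed, userName) {
			return true
		}
	}
	return false
}
```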
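Review bot: In the new `!checkUserIsAllowed(user.Username)` branch the results of `conn.WriteJSON` and `tgClient.API().AuthLogOut(c)` are discarded, so a log-out that fails leaves the rejected account's Telegram authorization alive on the bot side and nothing records it; the identical block is repeated verbatim in the `@@ -312` and `@@ -332` hunks. Check the error AuthLogOut returns and at least log it with the username before returning, and since the same three lines now appear three times, a small helper such as `rejectNotAllowed(conn, tgClient, c)` would keep the three paths from drifting apart. HandleMultipleLogin's body starts and ends outside these hunks.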
@@ -332,7 +362,12 @@ func (as *AuthService) HandleMultipleLogin(c *gin.Context) {
 	}
 	user, ok := auth.User.AsNotEmpty()
 	if !ok {
-		conn.WriteJSON(map[string]interface{}{"type": "error", "message": errors.New("auth failed")})
+		conn.WriteJSON(map[string]interface{}{"type": "error", "message": "auth failed"})
+		return
+	}
+	if !checkUserIsAllowed(user.Username) {
+		conn.WriteJSON(map[string]interface{}{"type": "error", "message": "user not allowed"})
+		tgClient.API().AuthLogOut(c)
 		return
 	}
 	res, _ := sessionStorage.LoadSession(c)
diff --git a/utils/config.go b/utils/config.go
index b093e95..65ac989 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -10,23 +10,24 @@ import ( type MultiToken string type Config struct { - AppId int `envconfig:"APP_ID" required:"true"` - AppHash string `envconfig:"APP_HASH" required:"true"` - ChannelID int64 `envconfig:"CHANNEL_ID" required:"true"` - JwtSecret string `envconfig:"JWT_SECRET" required:"true"` - MultiClient bool `envconfig:"MULTI_CLIENT" default:"false"` - Https bool `envconfig:"HTTPS" default:"false"` - CookieSameSite bool `envconfig:"COOKIE_SAME_SITE" default:"true"` - DatabaseUrl string `envconfig:"DATABASE_URL" required:"true"` - RateLimit bool `envconfig:"RATE_LIMIT" default:"true"` - TgClientDeviceModel string `envconfig:"TG_CLIENT_DEVICE_MODEL" required:"true"` - TgClientSystemVersion string `envconfig:"TG_CLIENT_SYSTEM_VERSION" default:"Win32"` - TgClientAppVersion string `envconfig:"TG_CLIENT_APP_VERSION" default:"2.1.9 K"` - TgClientLangCode string `envconfig:"TG_CLIENT_LANG_CODE" default:"en"` - TgClientSystemLangCode string `envconfig:"TG_CLIENT_SYSTEM_LANG_CODE" default:"en"` - TgClientLangPack string `envconfig:"TG_CLIENT_LANG_PACK" default:"webk"` - RunMigrations bool `envconfig:"RUN_MIGRATIONS" default:"true"` - Port int `envconfig:"PORT" default:"8080"` + AppId int `envconfig:"APP_ID" required:"true"` + AppHash string `envconfig:"APP_HASH" required:"true"` + ChannelID int64 `envconfig:"CHANNEL_ID" required:"true"` + JwtSecret string `envconfig:"JWT_SECRET" required:"true"` + MultiClient bool `envconfig:"MULTI_CLIENT" default:"false"` + Https bool `envconfig:"HTTPS" default:"false"` + CookieSameSite bool `envconfig:"COOKIE_SAME_SITE" default:"true"` + AllowedUsers []string `envconfig:"ALLOWED_USERS"` + DatabaseUrl string `envconfig:"DATABASE_URL" required:"true"` + RateLimit bool `envconfig:"RATE_LIMIT" default:"true"` + TgClientDeviceModel string `envconfig:"TG_CLIENT_DEVICE_MODEL" required:"true"` + TgClientSystemVersion string `envconfig:"TG_CLIENT_SYSTEM_VERSION" default:"Win32"` + TgClientAppVersion string `envconfig:"TG_CLIENT_APP_VERSION" 
default:"2.1.9 K"` + TgClientLangCode string `envconfig:"TG_CLIENT_LANG_CODE" default:"en"` + TgClientSystemLangCode string `envconfig:"TG_CLIENT_SYSTEM_LANG_CODE" default:"en"` + TgClientLangPack string `envconfig:"TG_CLIENT_LANG_PACK" default:"webk"` + RunMigrations bool `envconfig:"RUN_MIGRATIONS" default:"true"` + Port int `envconfig:"PORT" default:"8080"` ExecDir string }
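Review bot: The new `AllowedUsers []string `envconfig:"ALLOWED_USERS"`` field carries no comment and no `default`, so a reader of Config cannot tell that leaving `ALLOWED_USERS` unset disables the login restriction entirely; add `// AllowedUsers lists the Telegram usernames permitted to log in (ALLOWED_USERS, comma-separated); empty means no restriction.` above it. The hunk also realigns every other field of the struct, which buries the one substantive line in the diff; gofmt-driven realignment is easier to review as its own commit.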