Certificates Renewal + SSE

- Certificate renewal is just a re-request as it's forced already - Rejig the routes for readability - Added Server Side Events so that the UI would invalidate the cache when changes happen on the backend, such as certs being provided or failing - Added a SSE Token, which has the same shelf life as normal token but can't be used interchangeably. The reason for this is, the SSE endpoint needs a token for auth as a Query param, so it would be stored in log files. If someone where to get a hold of that, it's pretty useless as it can't be used to change anything, only to listen for events until it expires - Added test endpoint for SSE testing only availabe in debug mode
2025-06-18 18:16:26 +00:00 · 2023-03-07 16:42:26 +10:00
parent 35550082bf
commit 215083f6cf
29 changed files with 665 additions and 197 deletions
--- a/backend/internal/api/middleware/sse_auth.go
+++ b/backend/internal/api/middleware/sse_auth.go
@ -0,0 +1,34 @@
+package middleware
+
+import (
+	"net/http"
+
+	h "npm/internal/api/http"
+	"npm/internal/entity/user"
+
+	"github.com/go-chi/jwtauth"
+)
+
+// SSEAuth will validate that the jwt token provided to get this far is a SSE token
+// and that the user is enabled
+func SSEAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+
+		token, claims, err := jwtauth.FromContext(ctx)
+		if err != nil {
+			h.ResultErrorJSON(w, r, http.StatusUnauthorized, err.Error(), nil)
+			return
+		}
+
+		userID := int(claims["uid"].(float64))
+		_, enabled := user.IsEnabled(userID)
+		if token == nil || !token.Valid || !enabled || !claims.VerifyIssuer("sse", true) {
+			h.ResultErrorJSON(w, r, http.StatusUnauthorized, "Unauthorised", nil)
+			return
+		}
+
+		// Should be all good now
+		next.ServeHTTP(w, r)
+	})
+}