Merge pull request #20 from Leagueify/19-update-league-creation-to-us…

…e-adminrequired 19 update league creation to use adminrequired
Leagueify · Aug 25, 2024 · 2cdc642 · 2cdc642
2 parents e388ae8 + 461664c
commit 2cdc642
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -23,11 +23,14 @@ After starting Leagueify with `make start-dev` you should see the Leagueify bann
 Upon saving changes, [air][air-github] will automatically reload the system, Leagueify will be ready once the banner is again shown.
 
 ```
-'||'      '||''''|      |      ..|'''.|  '||'  '|' '||''''|  '||' '||''''| '||' '|'
- ||        ||  .       |||    .|'     '   ||    |   ||  .     ||   ||  .     || |
- ||        ||''|      |  ||   ||    ....  ||    |   ||''|     ||   ||''|      ||
- ||        ||        .''''|.  '|.    ||   ||    |   ||        ||   ||         ||
-.||.....| .||.....| .|.  .||.  ''|...'|    '|..'   .||.....| .||. .||.       .||.
+leagueify-dev-1  | running...
+leagueify-dev-1  |
+leagueify-dev-1  | '||'      '||''''|      |      ..|'''.|  '||'  '|' '||''''|  '||' '||''''| '||' '|'
+leagueify-dev-1  |  ||        ||  .       |||    .|'     '   ||    |   ||  .     ||   ||  .     || |
+leagueify-dev-1  |  ||        ||''|      |  ||   ||    ....  ||    |   ||''|     ||   ||''|      ||
+leagueify-dev-1  |  ||        ||        .''''|.  '|.    ||   ||    |   ||        ||   ||         ||
+leagueify-dev-1  | .||.....| .||.....| .|.  .||.  ''|...'|    '|..'   .||.....| .||. .||.       .||.
+leagueify-dev-1  | ⇨ http server started on [::]:8888
 ```
 The Leagueify banner was generated using [PatorJK][banner-website].
 

diff --git a/internal/route/api/api_league.go b/internal/route/api/api_league.go
@@ -12,7 +12,7 @@ import (
 )
 
 func leagueEndpoints(e *echo.Group) {
-	e.POST("/leagues", route.AuthRequired(createLeague, "api"))
+	e.POST("/leagues", route.AdminRequired(createLeague, "api"))
 }
 
 func createLeague(ctx echo.Context) error {

diff --git a/internal/route/route.go b/internal/route/route.go
@@ -11,6 +11,46 @@ import (
 	"github.com/labstack/echo/v4"
 )
 
+func AdminRequired(f func(echo.Context) error, aud string) echo.HandlerFunc {
+	return func(c echo.Context) error {
+		var authToken string
+
+		if err := getAuthToken(c, &authToken); err != nil {
+			return response.JSON(c, http.StatusUnauthorized, nil)
+		}
+
+		claims, err := auth.VerifyJWT(authToken)
+		if err != nil {
+			return response.JSON(c, http.StatusUnauthorized, nil)
+		}
+
+		audience, err := claims.GetAudience()
+		if err != nil {
+			return response.JSON(c, http.StatusUnauthorized, nil)
+		}
+
+		result := false
+		for _, a := range audience {
+			if a == aud {
+				result = true
+				break
+			}
+		}
+
+		if !result {
+			return response.JSON(c, http.StatusUnauthorized, nil)
+		}
+
+		if !claims.IsAdmin {
+			return response.JSON(c, http.StatusForbidden, nil)
+		}
+
+		c.Set("user", claims.Subject)
+
+		return f(c)
+	}
+}
+
 func AuthRequired(f func(echo.Context) error, aud string) echo.HandlerFunc {
 	return func(c echo.Context) error {
 		var authToken string