Endpoint auth middleware overhaul

config/config.go

@@ -5,7 +5,7 @@ import (
 	"os"
 )
 
-var Version = "3.3.2"
+var Version = "3.4.0"
 var Env = os.Getenv("ENV")
 var Port = os.Getenv("PORT")
 var Prefix = os.Getenv("PREFIX")

controller/auth_controller.go

@@ -15,7 +15,7 @@ func GetJWKS(c *gin.Context) {
 }
 
 func RegisterAccountPassword(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"))
+	Require(c, RequestTokenHasScope(c, "sentinel:all"))
 
 	var input model.UserAuth
 	if err := c.ShouldBindJSON(&input); err != nil {
@@ -27,7 +27,8 @@ func RegisterAccountPassword(c *gin.Context) {
 		c.JSON(http.StatusInternalServerError, gin.H{"message": "No account with this email exists. Make sure to verify your account on the discord server first!"})
 		return
 	}
-	RequireAny(c, RequestUserHasID(c, user.ID), RequestUserHasRole(c, "d_admin"))
+
+	Require(c, Any(RequestUserHasID(c, user.ID), RequestUserHasRole(c, "d_admin")))
 
 	token, err := service.RegisterEmailPassword(input.Email, input.Password)
 	if err != nil {
@@ -55,7 +56,7 @@ func RegisterAccountPassword(c *gin.Context) {
 }
 
 func ResetAccountPassword(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"))
+	Require(c, RequestTokenHasScope(c, "sentinel:all"))
 
 	userID := c.Param("userID")
 	user := service.GetUserByID(userID)
@@ -64,7 +65,7 @@ func ResetAccountPassword(c *gin.Context) {
 		return
 	}
 
-	RequireAny(c, RequestUserHasID(c, user.ID), RequestUserHasRole(c, "d_admin"))
+	Require(c, Any(RequestUserHasID(c, user.ID), RequestUserHasRole(c, "d_admin")))
 
 	auth := service.GetUserAuthByID(userID)
 	if auth.ID == "" {
@@ -154,8 +155,10 @@ func LoginDiscord(c *gin.Context) {
 }
 
 func GetAuthForUser(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"))
-	RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin"))
+	Require(c, All(
+		RequestTokenHasScope(c, "sentinel:all"),
+		Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")),
+	))
 
 	userID := c.Param("userID")
 	user := service.GetUserByID(userID)

controller/drive_controller.go

@@ -10,8 +10,13 @@ import (
 )
 
 func GetDriveStatusForUser(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "drive:read"))
-	RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin"))
+	Require(c, Any(
+		RequestTokenHasScope(c, "sentinel:all"),
+		All(
+			RequestTokenHasScope(c, "drive:read"),
+			Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")),
+		),
+	))
 
 	userID := c.Param("userID")
 	user := service.GetUserByID(userID)
@@ -31,8 +36,13 @@ func GetDriveStatusForUser(c *gin.Context) {
 }
 
 func AddUserToDrive(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "drive:write"))
-	RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin"))
+	Require(c, Any(
+		RequestTokenHasScope(c, "sentinel:all"),
+		All(
+			RequestTokenHasScope(c, "drive:write"),
+			Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")),
+		),
+	))
 
 	userID := c.Param("userID")
 	user := service.GetUserByID(userID)
@@ -53,8 +63,13 @@ func AddUserToDrive(c *gin.Context) {
 }
 
 func RemoveUserFromDrive(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "drive:write"))
-	RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin"))
+	Require(c, Any(
+		RequestTokenHasScope(c, "sentinel:all"),
+		All(
+			RequestTokenHasScope(c, "drive:write"),
+			Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")),
+		),
+	))
 
 	userID := c.Param("userID")
 	user := service.GetUserByID(userID)

controller/github_controller.go

@@ -9,8 +9,13 @@ import (
 )
 
 func GetGithubStatusForUser(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "github:read"))
-	RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin"))
+	Require(c, Any(
+		RequestTokenHasScope(c, "sentinel:all"),
+		All(
+			RequestTokenHasScope(c, "github:read"),
+			Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")),
+		),
+	))
 
 	userID := c.Param("userID")
 	user := service.GetUserByID(userID)
@@ -27,8 +32,13 @@ func GetGithubStatusForUser(c *gin.Context) {
 }
 
 func AddUserToGithub(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "github:write"))
-	RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin"))
+	Require(c, Any(
+		RequestTokenHasScope(c, "sentinel:all"),
+		All(
+			RequestTokenHasScope(c, "github:write"),
+			Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")),
+		),
+	))
 
 	var input model.GithubInvite
 	if err := c.ShouldBindJSON(&input); err != nil {

controller/login_controller.go

@@ -9,15 +9,20 @@ import (
 )
 
 func GetAllLogins(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"))
+	Require(c, RequestTokenHasScope(c, "sentinel:all"))
 
 	logins := service.GetAllLogins()
 	c.JSON(http.StatusOK, logins)
 }
 
 func GetLoginsForUser(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "logins:read"))
-	RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin"))
+	Require(c, Any(
+		RequestTokenHasScope(c, "sentinel:all"),
+		All(
+			RequestTokenHasScope(c, "logins:read"),
+			Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")),
+		),
+	))
 
 	userID := c.Param("userID")
 	if c.Query("count") != "" {
@@ -35,7 +40,7 @@ func GetLoginsForUser(c *gin.Context) {
 }
 
 func GetLoginsForDestination(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"))
+	Require(c, RequestTokenHasScope(c, "sentinel:all"))
 
 	destination := c.Param("appID")
 	if c.Query("count") != "" {
@@ -60,10 +65,13 @@ func GetLoginByID(c *gin.Context) {
 		return
 	}
 
-	if !RequestTokenHasScope(c, "sentinel:all") {
-		RequireAny(c, RequestTokenHasScope(c, "logins:read"))
-		RequireAny(c, RequestUserHasRole(c, "d_admin"), RequestUserHasID(c, login.UserID))
-	}
+	Require(c, Any(
+		RequestTokenHasScope(c, "sentinel:all"),
+		All(
+			RequestTokenHasScope(c, "logins:read"),
+			Any(RequestUserHasID(c, login.UserID), RequestUserHasRole(c, "d_admin")),
+		),
+	))
 
 	c.JSON(http.StatusOK, login)
 }

controller/oauth_controller.go

@@ -16,15 +16,26 @@ func GetValidOauthScopes(c *gin.Context) {
 }
 
 func GetAllClientApplications(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"))
+	Require(c, Any(
+		RequestTokenHasScope(c, "sentinel:all"),
+		All(
+			RequestTokenHasScope(c, "applications:read"),
+			RequestUserHasRole(c, "d_admin"),
+		),
+	))
 
 	apps := service.GetAllClientApplications()
 	c.JSON(http.StatusOK, apps)
 }
 
 func GetClientApplicationsForUser(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "applications:read"))
-	RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin"))
+	Require(c, Any(
+		RequestTokenHasScope(c, "sentinel:all"),
+		All(
+			RequestTokenHasScope(c, "applications:read"),
+			Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")),
+		),
+	))
 
 	userID := c.Param("userID")
 	apps := service.GetClientApplicationsForUser(userID)
@@ -39,29 +50,36 @@ func GetClientApplicationByID(c *gin.Context) {
 		return
 	}
 
-	if !RequestTokenHasScope(c, "sentinel:all") {
-		RequireAny(c, RequestTokenHasScope(c, "applications:read"))
-		RequireAny(c, RequestUserHasRole(c, "d_admin"), RequestUserHasID(c, app.UserID))
-	}
+	Require(c, Any(
+		RequestTokenHasScope(c, "sentinel:all"),
+		All(
+			RequestTokenHasScope(c, "applications:read"),
+			Any(RequestUserHasID(c, app.UserID), RequestUserHasRole(c, "d_admin")),
+		),
+	))
 
 	c.JSON(http.StatusOK, app)
 }
 
 func CreateClientApplication(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"))
+	Require(c, RequestTokenHasScope(c, "sentinel:all"))
 
 	var app model.ClientApplication
 	if err := c.ShouldBindJSON(&app); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"message": err.Error()})
 		return
 	}
+
 	if app.ID != "" {
 		existing := service.GetClientApplicationByID(app.ID)
-		RequireAny(c, RequestUserHasID(c, existing.UserID), RequestUserHasRole(c, "d_admin"))
+		Require(c, Any(
+			RequestUserHasID(c, existing.UserID),
+			RequestUserHasRole(c, "d_admin"),
+		))
+	} else {
+		app.UserID = GetRequestUserID(c)
 	}
 
-	app.UserID = GetRequestUserID(c)
-
 	created, err := service.CreateClientApplication(app)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
@@ -78,8 +96,10 @@ func DeleteClientApplication(c *gin.Context) {
 		return
 	}
 
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"))
-	RequireAny(c, RequestUserHasRole(c, "d_admin"), RequestUserHasID(c, app.UserID))
+	Require(c, All(
+		RequestTokenHasScope(c, "sentinel:all"),
+		Any(RequestUserHasID(c, app.UserID), RequestUserHasRole(c, "d_admin")),
+	))
 
 	err := service.DeleteClientApplication(appID)
 	if err != nil {
@@ -90,7 +110,7 @@ func DeleteClientApplication(c *gin.Context) {
 }
 
 func OauthAuthorize(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"))
+	Require(c, RequestTokenHasScope(c, "sentinel:all"))
 
 	clientID := c.Query("client_id")
 	if clientID == "" {

controller/role_controller.go

@@ -7,16 +7,23 @@ import (
 )
 
 func GetAllRolesForUser(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "user:read"))
-	RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin"))
+	Require(c, Any(
+		RequestTokenHasScope(c, "sentinel:all"),
+		All(
+			RequestTokenHasScope(c, "user:read"),
+			Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")),
+		),
+	))
 
 	roles := service.GetRolesForUser(c.Param("userID"))
 	c.JSON(200, roles)
 }
 
 func SetRolesForUser(c *gin.Context) {
-	RequireAny(c, RequestTokenHasScope(c, "sentinel:all"))
-	RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin"))
+	Require(c, All(
+		RequestTokenHasScope(c, "sentinel:all"),
+		RequestUserHasRole(c, "d_admin"),
+	))
 
 	var roles []string
 	if err := c.ShouldBindJSON(&roles); err != nil {

controller/route_controller.go

@@ -106,23 +106,31 @@ func UnauthorizedPanicHandler() gin.HandlerFunc {
 	}
 }
 
-// RequireAll checks if all conditions are true, otherwise aborts the request
-func RequireAll(c *gin.Context, conditions ...bool) {
+// Require checks if a condition is true, otherwise aborts the request
+func Require(c *gin.Context, condition bool) {
+	if !condition {
+		panic("Unauthorized")
+	}
+}
+
+// Any checks if any condition is true, otherwise returns false
+func Any(conditions ...bool) bool {
 	for _, condition := range conditions {
-		if !condition {
-			panic("Unauthorized")
+		if condition {
+			return true
 		}
 	}
+	return false
 }
 
-// RequireAny checks if any condition is true, otherwise aborts the request
-func RequireAny(c *gin.Context, conditions ...bool) {
+// All checks if all conditions are true, otherwise returns false
+func All(conditions ...bool) bool {
 	for _, condition := range conditions {
-		if condition {
-			return
+		if !condition {
+			return false
 		}
 	}
-	panic("Unauthorized")
+	return true
 }
 
 func RequestUserHasID(c *gin.Context, id string) bool {