Use middleware to check admin status.

2020-06-12 11:29:17 +01:00 · 2020-06-12 11:29:17 +01:00 · d53676a907
commit d53676a907
parent 2f7c46e5f8
3 changed files with 27 additions and 28 deletions
--- a/webapi/admin.go
+++ b/webapi/admin.go
@ -7,39 +7,16 @@ import (
 	"github.com/gorilla/sessions"
 )

-// adminPage is the handler for "GET /admin". The admin template will be
-// rendered if the current session is authenticated as an admin, otherwise the
-// login template will be rendered.
+// adminPage is the handler for "GET /admin".
 func adminPage(c *gin.Context) {
-	session := c.MustGet("session").(*sessions.Session)
-	admin := session.Values["admin"]
-
-	if admin == nil {
-		c.HTML(http.StatusUnauthorized, "login.html", gin.H{
-			"VspStats": stats,
-		})
-		return
-	}
-
 	c.HTML(http.StatusOK, "admin.html", gin.H{
 		"VspStats": stats,
 	})
 }

 // ticketSearch is the handler for "POST /admin/ticket". The "hash" param will
-// be used to retrieve a ticket from the database if the current session is
-// authenticated as an admin, otherwise the login template will be rendered.
+// be used to retrieve a ticket from the database.
 func ticketSearch(c *gin.Context) {
-	session := c.MustGet("session").(*sessions.Session)
-	admin := session.Values["admin"]
-
-	if admin == nil {
-		c.HTML(http.StatusUnauthorized, "login.html", gin.H{
-			"VspStats": stats,
-		})
-		return
-	}
-
 	hash := c.PostForm("hash")

 	ticket, found, err := db.GetTicketByHash(hash)
@ -82,7 +59,8 @@ func adminLogout(c *gin.Context) {
 	setAdminStatus(nil, c)
 }

-// setAdminStatus stores the authentication status of the current session.
+// setAdminStatus stores the authentication status of the current session and
+// redirects the client to GET /admin.
 func setAdminStatus(admin interface{}, c *gin.Context) {
 	session := c.MustGet("session").(*sessions.Session)
 	session.Values["admin"] = admin
--- a/webapi/middleware.go
+++ b/webapi/middleware.go
@ -47,6 +47,23 @@ func withSession(store *sessions.CookieStore) gin.HandlerFunc {
 	}
 }

+// requireAdmin will only allow the request to proceed if the current session is
+// authenticated as an admin, otherwise it will render the login template.
+func requireAdmin() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		session := c.MustGet("session").(*sessions.Session)
+		admin := session.Values["admin"]
+
+		if admin == nil {
+			c.HTML(http.StatusUnauthorized, "login.html", gin.H{
+				"VspStats": stats,
+			})
+			c.Abort()
+			return
+		}
+	}
+}
+
 // withDcrdClient middleware adds a dcrd client to the request
 // context for downstream handlers to make use of.
 func withDcrdClient(dcrd rpc.DcrdConnect) gin.HandlerFunc {
--- a/webapi/webapi.go
+++ b/webapi/webapi.go
@ -197,11 +197,15 @@ func router(debugMode bool, cookieSecret []byte, dcrd rpc.DcrdConnect, wallets r
 	// Create a cookie store for persisting admin session information.
 	cookieStore := sessions.NewCookieStore(cookieSecret)

-	admin := router.Group("/admin").Use(
+	login := router.Group("/admin").Use(
 		withSession(cookieStore),
 	)
+	login.POST("", adminLogin)
+
+	admin := router.Group("/admin").Use(
+		withSession(cookieStore), requireAdmin(),
+	)
 	admin.GET("", adminPage)
-	admin.POST("", adminLogin)
 	admin.POST("/ticket", ticketSearch)
 	admin.POST("/logout", adminLogout)