feat: validate role for a given token

TODO.md

@@ -13,4 +13,4 @@ For the first version we will only support setting roles master list via env
 - [x] Return roles to user
 - [x] Return roles in users list for super admin
 - [x] Add roles to the JWT token generation
-- [ ] Validate token should also validate the role, if roles to validate again is present in request
+- [x] Validate token should also validate the role, if roles to validate again is present in request

server/graph/schema.resolvers.go

@@ -56,7 +56,7 @@ func (r *queryResolver) Users(ctx context.Context) ([]*model.User, error) {
 }
 
 func (r *queryResolver) Token(ctx context.Context, role *string) (*model.AuthResponse, error) {
-	return resolvers.Token(ctx)
+	return resolvers.Token(ctx, role)
 }
 
 func (r *queryResolver) Profile(ctx context.Context) (*model.User, error) {
@@ -73,5 +73,7 @@ func (r *Resolver) Mutation() generated.MutationResolver { return &mutationResol
 // Query returns generated.QueryResolver implementation.
 func (r *Resolver) Query() generated.QueryResolver { return &queryResolver{r} }
 
-type mutationResolver struct{ *Resolver }
-type queryResolver struct{ *Resolver }
+type (
+	mutationResolver struct{ *Resolver }
+	queryResolver    struct{ *Resolver }
+)

server/handlers/oauthCallback.go

@@ -61,9 +61,7 @@ func processGoogleUserInfo(code string, role string, c *gin.Context) error {
 		}
 		user.SignupMethod = signupMethod
 		user.Password = existingUser.Password
-		log.Println("=> checking roles...", utils.IsValidRole(strings.Split(existingUser.Roles, ","), role))
 		if !utils.IsValidRole(strings.Split(existingUser.Roles, ","), role) {
-			log.Println("=> invalid role from google oauth")
 			return fmt.Errorf("invalid role")
 		}
 

server/resolvers/token.go

@@ -14,7 +14,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/utils"
 )
 
-func Token(ctx context.Context) (*model.AuthResponse, error) {
+func Token(ctx context.Context, role *string) (*model.AuthResponse, error) {
 	var res *model.AuthResponse
 
 	gc, err := utils.GinContextFromContext(ctx)
@@ -29,12 +29,17 @@ func Token(ctx context.Context) (*model.AuthResponse, error) {
 	claim, accessTokenErr := utils.VerifyAuthToken(token)
 	expiresAt := claim["exp"].(int64)
 	email := fmt.Sprintf("%v", claim["email"])
-	role := fmt.Sprintf("%v", claim[constants.JWT_ROLE_CLAIM])
+
+	claimRole := fmt.Sprintf("%v", claim[constants.JWT_ROLE_CLAIM])
 	user, err := db.Mgr.GetUserByEmail(email)
 	if err != nil {
 		return res, err
 	}
 
+	if role != nil && role != &claimRole {
+		return res, fmt.Errorf(`unauthorized. invalid role for a given token`)
+	}
+
 	userIdStr := fmt.Sprintf("%v", user.ID)
 
 	sessionToken := session.GetToken(userIdStr)
@@ -49,7 +54,7 @@ func Token(ctx context.Context) (*model.AuthResponse, error) {
 	if accessTokenErr != nil || expiresTimeObj.Sub(currentTimeObj).Minutes() <= 5 {
 		// if access token has expired and refresh/session token is valid
 		// generate new accessToken
-		token, expiresAt, _ = utils.CreateAuthToken(user, enum.AccessToken, role)
+		token, expiresAt, _ = utils.CreateAuthToken(user, enum.AccessToken, claimRole)
 	}
 	utils.SetCookie(gc, token)
 	res = &model.AuthResponse{