From 97020c65c5a94ae21398e87445415778edfb35bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Pailharey?= <rpailharey@grandlyon.com>
Date: Thu, 28 Oct 2021 15:46:45 +0200
Subject: [PATCH] feat(oauth2): check if the connected user has the correct
 role

---
 internal/auth/oauth2.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/internal/auth/oauth2.go b/internal/auth/oauth2.go
index 870b2de..e66f365 100644
--- a/internal/auth/oauth2.go
+++ b/internal/auth/oauth2.go
@@ -121,10 +121,22 @@ func (m Manager) HandleOAuth2Callback() http.Handler {
 			http.Error(w, err.Error(), http.StatusBadRequest)
 			return
 		}
+
 		// Trim the user roles in case they come from LDAP
 		for key, role := range user.Roles {
 			user.Roles[key] = strings.TrimPrefix(strings.Split(role, ",")[0], "CN=")
 		}
+
+		// Check if user has the correct role
+		err = checkUserHasRole(TokenData{User: user}, []string{AdminRole})
+
+		if err != nil {
+			// Log the connexion attempt
+			log.Printf("| %v (%v %v) | Login failed (Unauthorized user) | %v", user.Login, user.Name, user.Surname, req.RemoteAddr)
+			http.Redirect(w, r, "/", http.StatusFound)
+			return
+		}
+
 		// Store the user in cookie
 		// Generate
 		xsrfToken, err := common.GenerateRandomString(16)
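Review bot: The new redirect line passes `r` while the new log line reads `req.RemoteAddr`; unless the handler closure (its signature is above the hunk) binds both names, one of them is undefined and the file will not compile — use the closure's actual request parameter in both places. The values interpolated into that log line (`user.Login`, `user.Name`, `user.Surname`) are supplied by the OAuth2 provider and are formatted with `%v`, so a name containing a newline or `|` can forge extra log records; quoting them, `log.Printf("| %q (%q %q) | Login failed (Unauthorized user) | %v", user.Login, user.Name, user.Surname, req.RemoteAddr)`, keeps each attempt on one line and makes empty fields visible. As a point of style, the assignment and the check can be scoped together as `if err := checkUserHasRole(TokenData{User: user}, []string{AdminRole}); err != nil {`, which also avoids reusing the outer `err` that the next line rebinds. HandleOAuth2Callback starts and ends outside the hunk.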
-- 
GitLab