Feature/33 login in api

api/.env

@@ -7,4 +7,4 @@ MYSQL_ROOT_PASSWORD="Root#123"
 MYSQL_HOST="localhost"
 MYSQL_PORT=3306
 
-
+OAUTH_CLIENT=''

api/.env.deployment

@@ -7,3 +7,5 @@ MYSQL_ROOT_PASSWORD="changeme" #TODO change me.
 MYSQL_HOST="mysql"
 MYSQL_PORT="3306"
 
+OAUTH_CLIENT='' #TODO set me
+

api/README.md

@@ -7,14 +7,14 @@ The api will be exposed to port 8080, access it with `localhost:8080`.
 ## Environment variables
 The docker image will use the following environment variables:
 
-| Key                                                | Default Value | Options            |
-|----------------------------------------------------|---------------|--------------------|
-| PORT                                               | "8080"        |            |
-| GIN_MODE                                           | "release"     | "release", "debug" |
-| MYSQL_HOST                                         | "mysql"       |            |
-| MYSQL_PORT                                         | "3306"        |            |
-| MYSQL_DATABASE                                     | "api"         |          |
-| MYSQL_ROOT_USER                                    | "root"        |                    |
-| <span style="color:red">MYSQL_ROOT_PASSWORD</span> | <span style="color:red">"changeme"</span>    |                    |
-
+| Key                                                | Default Value | Options                |
+|----------------------------------------------------|---------------|------------------------|
+| PORT                                               | "8080"        |                        |
+| GIN_MODE                                           | "release"     | "release", "debug"     |
+| MYSQL_HOST                                         | "mysql"       |                        |
+| MYSQL_PORT                                         | "3306"        |                        |
+| MYSQL_DATABASE                                     | "api"         |                        |
+| MYSQL_ROOT_USER                                    | "root"        |                        |
+| <span style="color:red">MYSQL_ROOT_PASSWORD</span> | <span style="color:red">"changeme"</span>    |                        |
+| OAUTH_CLIENT                                    |         | Google OAuth Client ID |
 If you use the docker image directly (without our provided docker-compose), you must specify them.

api/cmd/main.go

@@ -24,19 +24,21 @@ func setupRouter(db *sql.DB) *gin.Engine {
 	gamesService := services.GameService(gamesRepository)
 	gamesController := controllers.GameController(gamesService)
 
+	authService := services.AuthService()
+
 	// Ping test
 	r.GET("/ping", func(c *gin.Context) {
 		c.String(http.StatusOK, "pong")
 	})
 
 	//Upload a game
-	r.POST("/games/", CorsHeader, gamesController.UploadGame)
+	r.POST("/games/", CorsHeader, authService.Authorize, gamesController.UploadGame)
 	//Get all uploaded games
-	r.GET("/games/", CorsHeader, gamesController.GetAllGames)
+	r.GET("/games", CorsHeader, authService.Authorize, gamesController.GetAllGames)
 	//Get a specific game by its id
-	r.GET("/games/:id", CorsHeader, gamesController.GetGameById)
+	r.GET("/games/:id", CorsHeader, authService.Authorize, gamesController.GetGameById)
 	//Delete a specific game, identified by its id
-	r.DELETE("/games/:id", CorsHeader, gamesController.DeleteGameById)
+	r.DELETE("/games/:id", CorsHeader, authService.Authorize, gamesController.DeleteGameById)
 
 	return r
 }

api/controllers/gameController.go

@@ -8,6 +8,7 @@ import (
 	"github.com/dranikpg/dto-mapper"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
+	"log"
 	"net/http"
 )
 
@@ -24,21 +25,22 @@ type gameController struct {
 
 func (g gameController) GetAllGames(c *gin.Context) {
 	//Get Games
-	games, err := g.service.FindAll()
+	games, err := g.service.FindAllByOwner(c.GetString("subject"))
 	if err != nil { //TODO handle different errors
-		c.JSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
+		c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
 		return
 	}
 
 	//Map to dto
 	resultDto := []dtos.GetGameByIdResponseBody{}
 	err = dto.Map(&resultDto, games)
 	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
+		c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
 		return
 	}
 
 	c.IndentedJSON(http.StatusOK, resultDto)
+	return
 }
 
 func (g gameController) GetGameById(c *gin.Context) {
@@ -47,64 +49,96 @@ func (g gameController) GetGameById(c *gin.Context) {
 		//Get game by uuid
 		game, err := g.service.FindByID(_uuid)
 		if err != nil { //TODO handle different errors
-			c.JSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
+			return
+		}
+		if game.Owner != c.GetString("subject") {
+			log.Print(fmt.Printf("%s tried to access an resource of %s", c.GetString("subject"), game.Owner))
+			c.AbortWithStatusJSON(
+				http.StatusForbidden,
+				gin.H{"message": "You don't have permission to access this resource"})
 			return
 		}
 		if game == nil {
-			c.JSON(http.StatusNotFound, gin.H{"message": "Game not found"})
+			c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"message": "Game not found"})
 			return
 		}
 
 		//Map to dto
 		resultDto := dtos.GetGameByIdResponseBody{}
 		err = dto.Map(&resultDto, game)
 		if err != nil {
-			c.JSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
 			return
 		}
 
 		c.IndentedJSON(http.StatusOK, resultDto)
+		return
 	}
 }
 
 func (g gameController) UploadGame(c *gin.Context) {
 
 	title := c.Query("title")
 	if len(title) == 0 {
-		c.JSON(http.StatusBadRequest, gin.H{"message": "Title is required"})
+		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"message": "Title is required"})
+		return
 	}
 
 	file, err := c.FormFile("file")
 	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"message": err.Error()})
+		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"message": err.Error()})
+		return
+	}
+
+	sub := c.GetString("subject")
+	if len(sub) == 0 {
+		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "IdToken is invalid, sub is missing"})
+		return
 	}
 
-	_, err = g.service.Save(file, title)
+	_, err = g.service.Save(file, title, sub)
 
 	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
+		c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
+		return
 	}
 
 	c.Header("content-location", fmt.Sprintf("%s/games/%s", c.Request.Host, file.Filename))
-	c.String(http.StatusCreated, "")
+	c.AbortWithStatus(http.StatusCreated)
+	return
 }
 
 func (g gameController) DeleteGameById(c *gin.Context) {
 	_uuid := getUUIDFromRequest(c)
 	if _uuid != uuid.Nil {
-		err := g.service.Delete(_uuid)
-		if err != nil { //TODO handle different errors
+
+		//Check if the user has access to the game
+		authorized, err := g.hasAccessToGame(c)
+
+		if err != nil {
 			if err == sql.ErrNoRows {
-				c.JSON(http.StatusNotFound, gin.H{"message": "Game not found"})
+				c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"message": "Game not found"})
+				return
 			}
-			c.JSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
+			return
+		}
+
+		if !authorized {
+			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"message": "You don't have permission to access this resource"})
+			return
+		}
+
+		err = g.service.Delete(_uuid)
+		if err != nil { //TODO handle different errors
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": err.Error()})
+			return
 		} else {
-			c.Status(http.StatusNoContent)
+			c.AbortWithStatus(http.StatusNoContent)
+			return
 		}
 	}
-
-	//TODO Implement delete game
-	c.String(http.StatusNoContent, "")
 }
 
 func GameController(service services.IGameService) IGameController {
@@ -118,11 +152,22 @@ func GameController(service services.IGameService) IGameController {
 func getUUIDFromRequest(c *gin.Context) uuid.UUID {
 	_uuid, err := uuid.Parse(c.Param("id"))
 	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"message": "Invalid game ID"})
+		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"message": "Invalid game ID"})
 		return uuid.Nil
 	} else if _uuid == uuid.Nil {
-		c.JSON(http.StatusBadRequest, gin.H{"message": "Invalid game ID"})
+		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"message": "Invalid game ID"})
 		return uuid.Nil
 	}
 	return _uuid
 }
+
+// Returns true if the owner the user who is logged-in has the same subject-id as the game owner.
+// Returns false and error if any other error occurred.
+func (g gameController) hasAccessToGame(c *gin.Context) (bool, error) {
+	owner, err := g.service.ReadOwner(getUUIDFromRequest(c))
+	if err != nil {
+		return false, err
+	}
+
+	return owner == c.GetString("subject"), nil
+}

api/go.mod

@@ -7,21 +7,32 @@ require (
 	github.com/dranikpg/dto-mapper v0.2.1
 	github.com/gin-gonic/gin v1.9.1
 	github.com/go-sql-driver/mysql v1.8.1
-	github.com/google/uuid v1.4.0
+	github.com/google/uuid v1.6.0
+	google.golang.org/api v0.182.0
 )
 
 require (
+	cloud.google.com/go/auth v0.4.2 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/bytedance/sonic v1.11.4 // indirect
 	github.com/cloudwego/base64x v0.1.1 // indirect
 	github.com/cloudwego/iasm v0.1.1 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.19.0 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/joho/godotenv v1.5.1 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -42,15 +53,23 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/arch v0.7.0 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/crypto v0.23.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
-	golang.org/x/net v0.24.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/oauth2 v0.20.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e // indirect
+	google.golang.org/grpc v1.64.0 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect