github.com/companieshouse/insolvency-api@v0.0.0-20231024103413-440c973d9e9b/interceptors/insolvency_permissions_interceptor.go (about)

     1  // Package interceptors contains the interceptor middleware that checks for authorisation.
     2  package interceptors
     3  
     4  import (
     5  	"fmt"
     6  	"net/http"
     7  
     8  	"github.com/companieshouse/chs.go/authentication"
     9  	"github.com/companieshouse/chs.go/log"
    10  )
    11  
// InsolvencyPermissionsIntercept is HTTP middleware that authorises a request
// against the caller's insolvency-cases token permissions before handing it to
// next.
//
// The decision is made per HTTP method:
//
//   - GET requires the read permission on insolvency cases.
//   - POST and DELETE require the update permission on insolvency cases.
//   - Every other method (PUT, PATCH, HEAD, OPTIONS, ...) is rejected.
//
// The two permissions are checked independently: holding update does not
// allow a GET, and holding read does not allow a POST or DELETE.
//
// The middleware fails closed. If the token permissions cannot be decoded it
// responds 500 and never calls next; if the method/permission pair is not
// allowed it responds 401 and never calls next.
//
// NOTE(review): a caller whose permissions decoded successfully but are
// insufficient receives 401 rather than 403 - confirm whether clients depend
// on this before changing it.
// NOTE(review): how DecodeAuthorisedTokenPermissions obtains the permissions
// from the request is not visible here; presumably they are supplied by an
// upstream authentication layer - confirm that client-supplied values cannot
// reach this handler unfiltered.
func InsolvencyPermissionsIntercept(next http.Handler) http.Handler {
	authorise := func(w http.ResponseWriter, r *http.Request) {
		perms := &authentication.TokenPermissions{}
		if err := perms.DecodeAuthorisedTokenPermissions(r); err != nil {
			// The log prefix names a different interceptor than this function;
			// keep that in mind when searching logs for decode failures.
			log.ErrorR(r, fmt.Errorf("TokenPermissionsAuthInterceptor error decoding token permissions: [%v]", err))
			w.WriteHeader(http.StatusInternalServerError)
			return
		}

		canRead := perms.HasPermission(authentication.PermissionKeyInsolvencyCases, authentication.PermissionValueRead)
		canUpdate := perms.HasPermission(authentication.PermissionKeyInsolvencyCases, authentication.PermissionValueUpdate)

		// Deny by default: only the methods listed below can flip this to true,
		// so a method added to the router later is rejected until it is mapped
		// to a permission here.
		allowed := false
		switch r.Method {
		case http.MethodGet:
			allowed = canRead
		case http.MethodPost, http.MethodDelete:
			allowed = canUpdate
		}

		if !allowed {
			log.InfoR(r, "InsolvencyPermissionsIntercept unauthorised")
			w.WriteHeader(http.StatusUnauthorized)
			return
		}

		next.ServeHTTP(w, r)
	}

	return http.HandlerFunc(authorise)
}