andras/reconcile
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Add vault-level access control

Browse source
This commit is contained in:
Andras Schmelczer 2025-03-29 12:25:15 +00:00
parent a8c813b9a7
commit b3e98d32b6
No known key found for this signature in database
GPG key ID: FC8F2C3D3D1A718C
17 changed files with 86 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

23
backend/sync_server/src/server/auth.rs
View file

@ -1,15 +1,26 @@
use crate::{
app_state::AppState,
config::user_config::User,
errors::{SyncServerError, unauthorized_error},
app_state::{AppState, database::models::VaultId},
config::user_config::{AllowListedVaults, User, VaultAccess},
errors::{SyncServerError, permission_denied_error, unauthenticated_error},
};
// TODO: turn this into a middleware
pub fn auth(app_state: &AppState, token: &str) -> Result<User, SyncServerError> {
app_state
pub fn auth(app_state: &AppState, token: &str, vault: &VaultId) -> Result<User, SyncServerError> {
let user = app_state
.config
.users
.get_user(token)
.cloned()
.ok_or_else(|| unauthorized_error(anyhow::anyhow!("Invalid token")))
.ok_or_else(|| unauthenticated_error(anyhow::anyhow!("Invalid token")))?;
if match user.vault_access {
VaultAccess::AllowAccessToAll => true,
VaultAccess::AllowList(AllowListedVaults { ref allowed }) => allowed.contains(vault),
} {
Ok(user)
} else {
Err(permission_denied_error(anyhow::anyhow!(
"Permission denied for vault `{vault}`"
)))
}
}