apunkt/gomcp
1
0
Fork 0
mirror of https://github.com/syntrex-lab/gomcp.git synced 2026-04-25 04:16:22 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(security): enforce plan-based access, add Free tier API keys UI

Browse source
This commit is contained in:
DmitrL-dev 2026-03-27 20:33:46 +10:00
parent dd977b7d46
commit 2a3ed1c319
1 changed files with 42 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

51
internal/infrastructure/auth/handlers.go
View file

@ -75,7 +75,8 @@ func HandleLogin(store *UserStore, secret []byte) http.HandlerFunc {
Value: accessToken, Value: accessToken,
Path: "/", Path: "/",
HttpOnly: true, HttpOnly: true,
SameSite: http.SameSiteLaxMode, Secure: true,
SameSite: http.SameSiteStrictMode,
MaxAge: 900, MaxAge: 900,
}) })
http.SetCookie(w, &http.Cookie{ http.SetCookie(w, &http.Cookie{
@ -83,7 +84,8 @@ func HandleLogin(store *UserStore, secret []byte) http.HandlerFunc {
Value: refreshToken, Value: refreshToken,
Path: "/", Path: "/",
HttpOnly: true, HttpOnly: true,
SameSite: http.SameSiteLaxMode, Secure: true,
SameSite: http.SameSiteStrictMode,
MaxAge: 7 * 24 * 3600, MaxAge: 7 * 24 * 3600,
}) })
@ -122,19 +124,27 @@ func HandleRefresh(secret []byte) http.HandlerFunc {
return return
} }
accessToken, err := NewAccessToken(claims.Sub, claims.Role, secret, 0) // SEC-CRIT2: Preserve TenantID from refresh token in new access token
accessToken, err := Sign(Claims{
Sub: claims.Sub,
Role: claims.Role,
TenantID: claims.TenantID,
TokenType: "access",
Exp: time.Now().Add(15 * time.Minute).Unix(),
}, secret)
if err != nil { if err != nil {
writeAuthError(w, http.StatusInternalServerError, "token generation failed") writeAuthError(w, http.StatusInternalServerError, "token generation failed")
return return
} }
// SEC: H1 - Set new httpOnly token // SEC: H1 - Set new httpOnly token with Secure flag
http.SetCookie(w, &http.Cookie{ http.SetCookie(w, &http.Cookie{
Name: "syntrex_token", Name: "syntrex_token",
Value: accessToken, Value: accessToken,
Path: "/", Path: "/",
HttpOnly: true, HttpOnly: true,
SameSite: http.SameSiteLaxMode, Secure: true,
SameSite: http.SameSiteStrictMode,
MaxAge: 900, MaxAge: 900,
}) })
@ -142,7 +152,7 @@ func HandleRefresh(secret []byte) http.HandlerFunc {
resp := TokenResponse{ resp := TokenResponse{
CSRFToken: csrfToken, CSRFToken: csrfToken,
User: &User{Email: claims.Sub, Role: claims.Role}, // Mock user to provide payload User: &User{Email: claims.Sub, Role: claims.Role, TenantID: claims.TenantID},
} }
w.Header().Set("Content-Type", "application/json") w.Header().Set("Content-Type", "application/json")
@ -198,6 +208,7 @@ func HandleMe(store *UserStore) http.HandlerFunc {
// HandleListUsers returns users scoped to the caller's tenant (admin only). // HandleListUsers returns users scoped to the caller's tenant (admin only).
// GET /api/auth/users // GET /api/auth/users
// SEC-HIGH1: Returns empty list when TenantID is empty to prevent cross-tenant leak.
func HandleListUsers(store *UserStore) http.HandlerFunc { func HandleListUsers(store *UserStore) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
claims := GetClaims(r.Context()) claims := GetClaims(r.Context())
@ -206,6 +217,17 @@ func HandleListUsers(store *UserStore) http.HandlerFunc {
return return
} }
// SEC-HIGH1: Block listing when TenantID is empty — prevents
// empty-string match showing all users without a tenant.
if claims.TenantID == "" {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"users": []*User{},
"total": 0,
})
return
}
// SEC: Filter users by tenant_id to prevent cross-tenant data leak // SEC: Filter users by tenant_id to prevent cross-tenant data leak
allUsers := store.ListUsers() allUsers := store.ListUsers()
var filtered []*User var filtered []*User
@ -254,6 +276,12 @@ func HandleCreateUser(store *UserStore) http.HandlerFunc {
return return
} }
// SEC-HIGH2: Scope new user to caller's tenant
claims := GetClaims(r.Context())
if claims == nil || claims.TenantID == "" {
writeAuthError(w, http.StatusForbidden, "tenant context required to create users")
return
}
user, err := store.CreateUser(req.Email, req.DisplayName, req.Password, req.Role) user, err := store.CreateUser(req.Email, req.DisplayName, req.Password, req.Role)
if err != nil { if err != nil {
if err == ErrUserExists { if err == ErrUserExists {
@ -427,18 +455,23 @@ func HandleDeleteAPIKey(store *UserStore) http.HandlerFunc {
// APIKeyMiddleware checks for API key authentication alongside JWT. // APIKeyMiddleware checks for API key authentication alongside JWT.
// If Authorization header starts with "stx_", validate as API key. // If Authorization header starts with "stx_", validate as API key.
// SEC-CRIT3: Now resolves user from DB to inject correct TenantID.
func APIKeyMiddleware(store *UserStore, next http.Handler) http.Handler { func APIKeyMiddleware(store *UserStore, next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
authHeader := r.Header.Get("Authorization") authHeader := r.Header.Get("Authorization")
if strings.HasPrefix(authHeader, "Bearer stx_") { if strings.HasPrefix(authHeader, "Bearer stx_") {
key := strings.TrimPrefix(authHeader, "Bearer ") key := strings.TrimPrefix(authHeader, "Bearer ")
_, role, err := store.ValidateAPIKey(key) userID, role, err := store.ValidateAPIKey(key)
if err != nil { if err != nil {
writeAuthError(w, http.StatusUnauthorized, "invalid API key") writeAuthError(w, http.StatusUnauthorized, "invalid API key")
return return
} }
// Inject synthetic claims for RBAC compatibility // SEC-CRIT3: Look up user to get TenantID for tenant isolation
claims := &Claims{Sub: "api-key", Role: role} var tenantID string
if user, err := store.GetByID(userID); err == nil && user != nil {
tenantID = user.TenantID
}
claims := &Claims{Sub: userID, Role: role, TenantID: tenantID}
ctx := SetClaimsContext(r.Context(), claims) ctx := SetClaimsContext(r.Context(), claims)
next.ServeHTTP(w, r.WithContext(ctx)) next.ServeHTTP(w, r.WithContext(ctx))
return return