Fix up auth middleware

Author: raymondjacobson

api/auth_middleware.go

@@ -100,37 +100,57 @@ func (app *ApiServer) getAuthedWallet(c *fiber.Ctx) string {
 }
 
 // Middleware to set authedUserId and authedWallet in context
+// Returns a 403 if either
+// - the user is not authorized to act on behalf of "myId"
+// - the user is not authorized to act on behalf of "requestedWallet"
 func (app *ApiServer) authMiddleware(c *fiber.Ctx) error {
 	userId, wallet := app.recoverAuthorityFromSignatureHeaders(c)
 	c.Locals("authedUserId", userId)
 	c.Locals("authedWallet", wallet)
+	fmt.Println("authMiddleware", userId, wallet)
+
+	myId := app.getMyId(c)
+	requestedWallet := c.Params("wallet")
+
+	// Not authorized to act on behalf of myId
+	if myId != 0 {
+		if userId != myId && !app.isAuthorizedRequest(c.Context(), myId, wallet) {
+			return fiber.NewError(
+				fiber.StatusForbidden,
+				fmt.Sprintf(
+					"You are not authorized to make this request authedUserId=%d authedWallet=%s myId=%d",
+					userId,
+					wallet,
+					myId,
+				),
+			)
+		}
+	}
+
+	// Not authorized to act on behalf of requestedWallet
+	if requestedWallet != "" && wallet != "" {
+		if !strings.EqualFold(requestedWallet, wallet) {
+			return fiber.NewError(
+				fiber.StatusForbidden,
+				fmt.Sprintf(
+					"You are not authorized to make this request authedUserId=%d authedWallet=%s requestedWallet=%s",
+					userId,
+					wallet,
+					requestedWallet,
+				),
+			)
+		}
+	}
 
 	return c.Next()
 }
 
-// Middleware that asserts the authedUserId is valid and is the same as the userId in
-// the request path or a managed user of the authedUserId
+// Middleware that asserts that there is an authedUserId
 func (app *ApiServer) requireAuthMiddleware(c *fiber.Ctx) error {
 	authedUserId := app.getAuthedUserId(c)
-	authedWallet := app.getAuthedWallet(c)
-	myId := app.getMyId(c)
-	wallet := c.Params("wallet")
 	if authedUserId == 0 {
 		return fiber.NewError(fiber.StatusUnauthorized, "You must be logged in to make this request")
 	}
 
-	if myId != 0 && myId == authedUserId {
-		return c.Next()
-	}
-
-	if wallet != "" && strings.EqualFold(wallet, authedWallet) {
-		return c.Next()
-	}
-
-	if app.isAuthorizedRequest(c.Context(), myId, authedWallet) {
-		return c.Next()
-	}
-
-	msg := fmt.Sprintf("You are not authorized to make this request authedUserId=%d authedWallet=%s myId=%d wallet=%s", authedUserId, authedWallet, myId, wallet)
-	return fiber.NewError(fiber.StatusForbidden, msg)
+	return c.Next()
 }

api/auth_middleware_test.go

@@ -29,52 +29,81 @@ func TestRecoverAuthorityFromSignatureHeaders(t *testing.T) {
 	assert.Equal(t, "0x7d273271690538cf855e5b3002a0dd8c154bb060", wallet)
 }
 
-func TestRequireAuthMiddleware(t *testing.T) {
-	// Create a dummy endpoint to test the requireAuthMiddleware
+func TestAuthorized(t *testing.T) {
+	// Create a dummy endpoint to test the authMiddleware
 	testApp := fiber.New()
-	testApp.Get("/", app.resolveMyIdMiddleware, app.authMiddleware, app.requireAuthMiddleware, func(c *fiber.Ctx) error {
+	testApp.Get("/", app.resolveMyIdMiddleware, app.authMiddleware, func(c *fiber.Ctx) error {
+		return c.SendStatus(fiber.StatusOK)
+	})
+	testApp.Get("/account/:wallet", app.resolveMyIdMiddleware, app.authMiddleware, func(c *fiber.Ctx) error {
 		return c.SendStatus(fiber.StatusOK)
 	})
-
-	// Unauthorized when no auth headers
-	req1 := httptest.NewRequest("GET", "/", nil)
-	res, err := testApp.Test(req1, -1)
-	assert.NoError(t, err)
-	assert.Equal(t, fiber.StatusUnauthorized, res.StatusCode)
 
 	// Forbidden when not authorized
-	req2 := httptest.NewRequest("GET", "/?user_id=1", nil)
+	req := httptest.NewRequest("GET", "/?user_id=7eP5n", nil)
 	// wallet: 0x681c616ae836ceca1effe00bd07f2fdbf9a082bc
-	req2.Header.Set("Encoded-Data-Message", "signature:1745543704165")
-	req2.Header.Set("Encoded-Data-Signature", "0x4af765948dccd72026f1059a59c7a6a1172628255d7d387d1590c0fe43961c5908fc6011443805ca0dbd39156300c04dc21bbfa9adce50acea9ad29a7e2fde2a1b")
-	res, err = testApp.Test(req2, -1)
+	req.Header.Set("Encoded-Data-Message", "signature:1745543704165")
+	req.Header.Set("Encoded-Data-Signature", "0x4af765948dccd72026f1059a59c7a6a1172628255d7d387d1590c0fe43961c5908fc6011443805ca0dbd39156300c04dc21bbfa9adce50acea9ad29a7e2fde2a1b")
+	res, err := testApp.Test(req, -1)
 	assert.NoError(t, err)
 	assert.Equal(t, fiber.StatusForbidden, res.StatusCode)
 
 	// Forbidden when grant is revoked
-	req3 := httptest.NewRequest("GET", "/?user_id=1", nil)
+	req = httptest.NewRequest("GET", "/?user_id=7eP5n", nil)
 	// wallet: 0xc451c1f8943b575158310552b41230c61844a1c1
-	req3.Header.Set("Encoded-Data-Message", "signature:1745542789211")
-	req3.Header.Set("Encoded-Data-Signature", "0xffd5f92c0d253c7222cd407cf3398fac664530ef968bd4435ea698ba1daee1d73353330848b65d212eeeaae9f41e177e49078c4efa1131e5e517090626f6dd961c")
-	res, err = testApp.Test(req3, -1)
+	req.Header.Set("Encoded-Data-Message", "signature:1745542789211")
+	req.Header.Set("Encoded-Data-Signature", "0xffd5f92c0d253c7222cd407cf3398fac664530ef968bd4435ea698ba1daee1d73353330848b65d212eeeaae9f41e177e49078c4efa1131e5e517090626f6dd961c")
+	res, err = testApp.Test(req, -1)
 	assert.NoError(t, err)
 	assert.Equal(t, fiber.StatusForbidden, res.StatusCode)
 
 	// Authorized when grant is approved
-	req4 := httptest.NewRequest("GET", "/?user_id=1", nil)
+	req = httptest.NewRequest("GET", "/?user_id=7eP5n", nil)
 	// wallet: 0x5f1a372b28956c8363f8bc3a231a6e9e1186ead8
-	req4.Header.Set("Encoded-Data-Message", "signature:1745544459796")
-	req4.Header.Set("Encoded-Data-Signature", "0x1c9cb405d8437d28ff5596918551f7a45f981e81618d65ee10892313292a8c7a325af002231d115b28ca2d244b082abe1bde4a7d9610f8140d3738a9be5c4fd91b")
-	res, err = testApp.Test(req4, -1)
+	req.Header.Set("Encoded-Data-Message", "signature:1745544459796")
+	req.Header.Set("Encoded-Data-Signature", "0x1c9cb405d8437d28ff5596918551f7a45f981e81618d65ee10892313292a8c7a325af002231d115b28ca2d244b082abe1bde4a7d9610f8140d3738a9be5c4fd91b")
+	res, err = testApp.Test(req, -1)
 	assert.NoError(t, err)
 	assert.Equal(t, fiber.StatusOK, res.StatusCode)
 
 	// Authorized when own user
-	req5 := httptest.NewRequest("GET", "/?user_id=1", nil)
+	req = httptest.NewRequest("GET", "/?user_id=7eP5n", nil)
 	// wallet: 0x7d273271690538cf855e5b3002a0dd8c154bb060
-	req5.Header.Set("Encoded-Data-Message", "signature:1744763856446")
-	req5.Header.Set("Encoded-Data-Signature", "0xbb202be3a7f3a0aa22c1458ef6a3f2f8360fb86791c7b137e8562df0707825c11fa1db01096efd2abc5e6613c4d1e8d4ae1e2b993abdd555fe270c1b17bff0d21c")
-	res, err = testApp.Test(req5, -1)
+	req.Header.Set("Encoded-Data-Message", "signature:1744763856446")
+	req.Header.Set("Encoded-Data-Signature", "0xbb202be3a7f3a0aa22c1458ef6a3f2f8360fb86791c7b137e8562df0707825c11fa1db01096efd2abc5e6613c4d1e8d4ae1e2b993abdd555fe270c1b17bff0d21c")
+	res, err = testApp.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, fiber.StatusOK, res.StatusCode)
+
+	// Forbidden when not authorized to act on behalf of requested wallet
+	req = httptest.NewRequest("GET", "/account/0x111c616ae836ceca1effe00bd07f2fdbf9a082bc", nil)
+	// wallet: 0x681c616ae836ceca1effe00bd07f2fdbf9a082bc
+	req.Header.Set("Encoded-Data-Message", "signature:1745543704165")
+	req.Header.Set("Encoded-Data-Signature", "0x4af765948dccd72026f1059a59c7a6a1172628255d7d387d1590c0fe43961c5908fc6011443805ca0dbd39156300c04dc21bbfa9adce50acea9ad29a7e2fde2a1b")
+	res, err = testApp.Test(req, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, fiber.StatusForbidden, res.StatusCode)
+
+	// Authorized when requesting wallet matches authed wallet
+	req = httptest.NewRequest("GET", "/account/0x681c616ae836ceca1effe00bd07f2fdbf9a082bc", nil)
+	// wallet: 0x681c616ae836ceca1effe00bd07f2fdbf9a082bc
+	req.Header.Set("Encoded-Data-Message", "signature:1745543704165")
+	req.Header.Set("Encoded-Data-Signature", "0x4af765948dccd72026f1059a59c7a6a1172628255d7d387d1590c0fe43961c5908fc6011443805ca0dbd39156300c04dc21bbfa9adce50acea9ad29a7e2fde2a1b")
+	res, err = testApp.Test(req, -1)
 	assert.NoError(t, err)
 	assert.Equal(t, fiber.StatusOK, res.StatusCode)
 }
+
+func TestRequireAuthMiddleware(t *testing.T) {
+	// Create a dummy endpoint to test the requireAuthMiddleware
+	testApp := fiber.New()
+	testApp.Get("/", app.resolveMyIdMiddleware, app.authMiddleware, app.requireAuthMiddleware, func(c *fiber.Ctx) error {
+		return c.SendStatus(fiber.StatusOK)
+	})
+
+	// Unauthorized when no auth headers
+	req1 := httptest.NewRequest("GET", "/", nil)
+	res, err := testApp.Test(req1, -1)
+	assert.NoError(t, err)
+	assert.Equal(t, fiber.StatusUnauthorized, res.StatusCode)
+}

api/dbv1/access.go

@@ -2,6 +2,7 @@ package dbv1
 
 import (
 	"context"
+	"fmt"
 )
 
 type Access struct {
@@ -12,31 +13,28 @@ type Access struct {
 func (q *Queries) GetTrackAccess(
 	ctx context.Context,
 	myId int32,
-	authedUserId int32,
-	authedWallet string,
-	isAuthorizedRequest func(ctx context.Context, userId int32, authedWallet string) bool,
 	conditions *AccessGate,
 	track *GetTracksRow,
 	user *FullUser,
 ) bool {
-	// No track? no access.
+	fmt.Println("GetTrackAccess", myId, user.UserID)
+	// No track? no access
 	if track == nil || user == nil {
 		return false
 	}
 
-	// no conditions means open access
+	// No conditions means open access
 	if conditions == nil {
 		return true
 	}
 
-	// I always have access to my own content
-	if authedUserId != 0 && authedUserId == myId {
-		return true
+	// No myId? no access. we need to know who you are if there are conditions.
+	if myId == 0 {
+		return false
 	}
 
-	// If I was granted access to this track (manager, approved app, etc)
-	// I should have access to it.
-	if authedWallet != "" && isAuthorizedRequest(ctx, myId, authedWallet) {
+	// You always have access to your own content
+	if myId == user.UserID {
 		return true
 	}
 
@@ -138,9 +136,6 @@ func (q *Queries) GetTrackAccess(
 func (q *Queries) GetPlaylistAccess(
 	ctx context.Context,
 	myId int32,
-	authedUserId int32,
-	authedWallet string,
-	isAuthorizedRequest func(ctx context.Context, userId int32, authedWallet string) bool,
 	conditions *AccessGate,
 	playlist *GetPlaylistsRow,
 	user *FullUser,
@@ -156,13 +151,7 @@ func (q *Queries) GetPlaylistAccess(
 	}
 
 	// I always have access to my own content
-	if authedUserId != 0 && authedUserId == myId {
-		return true
-	}
-
-	// If I was granted access to this playlist (manager, approved app, etc)
-	// I should have access to it.
-	if authedWallet != "" && isAuthorizedRequest(ctx, myId, authedWallet) {
+	if myId != 0 && myId == user.UserID {
 		return true
 	}
 

api/dbv1/full_playlists.go

@@ -10,9 +10,6 @@ import (
 
 type FullPlaylistsParams struct {
 	GetPlaylistsParams
-	AuthedUserId        int32
-	AuthedWallet        string
-	IsAuthorizedRequest func(ctx context.Context, userId int32, authedWallet string) bool
 }
 
 type FullPlaylist struct {
@@ -98,9 +95,6 @@ func (q *Queries) FullPlaylistsKeyed(ctx context.Context, arg FullPlaylistsParam
 		streamAccess := q.GetPlaylistAccess(
 			ctx,
 			arg.MyID.(int32),
-			arg.AuthedUserId,
-			arg.AuthedWallet,
-			arg.IsAuthorizedRequest,
 			playlist.StreamConditions,
 			&playlist,
 			&user)

api/dbv1/full_tracks.go

@@ -12,9 +12,6 @@ import (
 
 type FullTracksParams struct {
 	GetTracksParams
-	AuthedUserId        int32
-	AuthedWallet        string
-	IsAuthorizedRequest func(ctx context.Context, userId int32, authedWallet string) bool
 }
 
 type FullTrack struct {
@@ -120,9 +117,6 @@ func (q *Queries) FullTracksKeyed(ctx context.Context, arg FullTracksParams) (ma
 		downloadAccess := q.GetTrackAccess(
 			ctx,
 			arg.MyID.(int32),
-			arg.AuthedUserId,
-			arg.AuthedWallet,
-			arg.IsAuthorizedRequest,
 			downloadConditions,
 			&track,
 			&user,
@@ -132,9 +126,6 @@ func (q *Queries) FullTracksKeyed(ctx context.Context, arg FullTracksParams) (ma
 		streamAccess := downloadAccess || q.GetTrackAccess(
 			ctx,
 			arg.MyID.(int32),
-			arg.AuthedUserId,
-			arg.AuthedWallet,
-			arg.IsAuthorizedRequest,
 			track.StreamConditions,
 			&track,
 			&user,

api/dbv1/parallel.go

@@ -7,13 +7,10 @@ import (
 )
 
 type ParallelParams struct {
-	UserIds             []int32
-	TrackIds            []int32
-	PlaylistIds         []int32
-	MyID                int32
-	AuthedUserId        int32
-	AuthedWallet        string
-	IsAuthorizedRequest func(ctx context.Context, userId int32, authedWallet string) bool
+	UserIds     []int32
+	TrackIds    []int32
+	PlaylistIds []int32
+	MyID        int32
 }
 
 type ParallelResult struct {
@@ -48,9 +45,6 @@ func (q *Queries) Parallel(ctx context.Context, arg ParallelParams) (*ParallelRe
 					Ids:  arg.TrackIds,
 					MyID: arg.MyID,
 				},
-				AuthedUserId:        arg.AuthedUserId,
-				AuthedWallet:        arg.AuthedWallet,
-				IsAuthorizedRequest: arg.IsAuthorizedRequest,
 			})
 			return err
 		})
@@ -64,9 +58,6 @@ func (q *Queries) Parallel(ctx context.Context, arg ParallelParams) (*ParallelRe
 					Ids:  arg.PlaylistIds,
 					MyID: arg.MyID,
 				},
-				AuthedUserId:        arg.AuthedUserId,
-				AuthedWallet:        arg.AuthedWallet,
-				IsAuthorizedRequest: arg.IsAuthorizedRequest,
 			})
 			return err
 		})

api/server_test.go

@@ -160,7 +160,7 @@ func Test200UnAuthed(t *testing.T) {
 			u += "?user_id=7eP5n"
 		}
 
-		status, _ = testGet(t, u)
+		status, _ = testGetWithWallet(t, u, "0x7d273271690538cf855e5b3002a0dd8c154bb060")
 		require.Equal(t, 200, status, u+" "+string(body))
 	}
 }

api/testdata/signatures.go

@@ -12,6 +12,18 @@ var TestSignatures = map[string]SignatureData{
 		Message:   "signature:1744763856446",
 		Signature: "0xbb202be3a7f3a0aa22c1458ef6a3f2f8360fb86791c7b137e8562df0707825c11fa1db01096efd2abc5e6613c4d1e8d4ae1e2b993abdd555fe270c1b17bff0d21c",
 	},
+	"0xc3d1d41e6872ffbd15c473d14fc3a9250be5b5e0": {
+		Message:   "signature:1746224298871",
+		Signature: "0x00cc53200e1ee98248cd5556293e4a7ec70bfcde2a1e8e7aedbff471ac0ca8a0354d50e9bc62fbe32ad1d48dfe414ea99711030e88ba788e5bc607fef6c295311b",
+	},
+	"0x4954d18926ba0ed9378938444731be4e622537b2": {
+		Message:   "signature:1746226663660",
+		Signature: "0x8035c0154bc68de4c0e57bfe8b2adc880f04c0754c32677f895f63a15d2b5cb5720f89b5cc9acf079e3058485b10d50ae83a6b2f19080aeafb46890b43e297c51c",
+	},
+	"0x855d28d495ec1b06364bb7a521212753e2190b95": {
+		Message:   "signature:1746226936204",
+		Signature: "0xc2f6fd9c5837b481ac1ee3339a8a83267b36af5a53262d78b759fc810fa814ed0dee8e62a9b911e32b4586ca38f890f31fe83be24fe44f32c9b07d13d1906b2f1b",
+	},
 }
 
 // GetSignatureData returns the message and signature for a given test wallet address

api/testdata/user_fixtures.csv

@@ -1,12 +1,13 @@
 user_id,handle,handle_lc,is_deactivated,wallet,playlist_library
 1,rayjacobson,rayjacobson,f,0x7d273271690538cf855e5b3002a0dd8c154bb060,"{""contents"":[{""type"":""playlist"",""playlist_id"":""123""},{""type"":""explore_playlist"",""playlist_id"":""Audio NFTs""},{""type"":""folder"",""id"":""bbcae31a-7cd2-4a1a-8b54-fdc979a34435"",""name"":""My Nested Playlists"",""contents"":[{""type"":""playlist"",""playlist_id"":""345""}]}]}"
 2,stereosteve,stereosteve,f,0x1234567890abcdef,
-3,someseller,someseller,f,0x234567890abcdef1,
-4,accesstester,accesstester,f,0x34567890abcdef12,
+3,someseller,someseller,f,0xc3d1d41e6872ffbd15c473d14fc3a9250be5b5e0,
+4,accesstester,accesstester,f,0x4954d18926ba0ed9378938444731be4e622537b2,
 5,guyintrending,guyintrending,f,0x34567890abcdef13,
 6,TracksByPermalink,tracksbypermalink,f,0xffffffffff,
 7,PlaylistsByPermalink,playlistsbypermalink,f,0xffffffffff,
 8,AlbumsByPermalink,albumsbypermalink,f,0xffffffffff,
+11,somebuyer,somebuyer,f,0x855d28d495ec1b06364bb7a521212753e2190b95,
 91,badguy,badguy,t,0x4567890abcdef123,
 100,authtest1,authtest1,f,0x681c616ae836ceca1effe00bd07f2fdbf9a082bc,
 101,authtest2,authtest2,f,0xc451c1f8943b575158310552b41230c61844a1c1,