fix: Admin users could not access orders

gustaavik · gustaavik · commit f797e2828b68 · 2025-06-25T13:30:11.000+02:00
diff --git a/internal/interfaces/api/handler/order_handler.go b/internal/interfaces/api/handler/order_handler.go
@@ -10,6 +10,7 @@ import (
 	"github.com/zenfulcode/commercify/internal/domain/entity"
 	"github.com/zenfulcode/commercify/internal/dto"
 	"github.com/zenfulcode/commercify/internal/infrastructure/logger"
+	"github.com/zenfulcode/commercify/internal/interfaces/api/middleware"
 )
 
 // OrderHandler handles order-related HTTP requests
@@ -29,7 +30,10 @@ func NewOrderHandler(orderUseCase *usecase.OrderUseCase, logger logger.Logger) *
 // GetOrder handles getting an order by ID
 func (h *OrderHandler) GetOrder(w http.ResponseWriter, r *http.Request) {
 	// Get user ID from context
-	userID, ok := r.Context().Value("user_id").(uint)
+	userID, ok := r.Context().Value(middleware.UserIDKey).(uint)
+
+	h.logger.Debug("User ID from context: %d", userID)
+
 	if !ok {
 		h.logger.Error("Unauthorized access attempt")
 		http.Error(w, "Unauthorized", http.StatusUnauthorized)
@@ -58,8 +62,8 @@ func (h *OrderHandler) GetOrder(w http.ResponseWriter, r *http.Request) {
 
 	// Check if the user is authorized to view this order
 	if order.UserID != userID {
-		role, ok := r.Context().Value("role").(string)
-		if !ok || role != "admin" {
+		role, ok := r.Context().Value(middleware.RoleKey).(string)
+		if !ok || role != string(entity.RoleAdmin) {
 			h.logger.Error("Unauthorized access to order %d by user %d", order.ID, userID)
 			response := dto.ErrorResponse("You are not authorized to view this order")
 			w.Header().Set("Content-Type", "application/json")
diff --git a/internal/interfaces/api/middleware/auth_middleware.go b/internal/interfaces/api/middleware/auth_middleware.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/zenfulcode/commercify/internal/domain/entity"
 	"github.com/zenfulcode/commercify/internal/infrastructure/auth"
 	"github.com/zenfulcode/commercify/internal/infrastructure/logger"
 )
@@ -20,7 +21,7 @@ type contextKey string
 const (
 	UserIDKey contextKey = "user_id"
 	emailKey  contextKey = "email"
-	roleKey   contextKey = "role"
+	RoleKey   contextKey = "role"
 )
 
 // NewAuthMiddleware creates a new AuthMiddleware
@@ -61,7 +62,10 @@ func (m *AuthMiddleware) Authenticate(next http.Handler) http.Handler {
 		// Add user info to request context
 		ctx := context.WithValue(r.Context(), UserIDKey, claims.UserID)
 		ctx = context.WithValue(ctx, emailKey, claims.Email)
-		ctx = context.WithValue(ctx, roleKey, claims.Role)
+		ctx = context.WithValue(ctx, RoleKey, claims.Role)
+
+		// print user ID and role for debugging
+		m.logger.Debug("Authenticated user ID: %d, Role: %s", claims.UserID, claims.Role)
 
 		// Call the next handler with the updated context
 		next.ServeHTTP(w, r.WithContext(ctx))
@@ -72,8 +76,8 @@ func (m *AuthMiddleware) Authenticate(next http.Handler) http.Handler {
 func AdminOnly(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Get role from context
-		role, ok := r.Context().Value(roleKey).(string)
-		if !ok || role != "admin" {
+		role, ok := r.Context().Value(RoleKey).(string)
+		if !ok || role != string(entity.RoleAdmin) {
 			http.Error(w, "Admin access required", http.StatusForbidden)
 			return
 		}
