edited custom admin middleware to only handle admin signed requests

Hubtrick-Git · Hubtrick-Git · commit eeba44c71ed5 · 2026-05-07T16:10:26.000+02:00
diff --git a/middlewares/access_control_middlewares.go b/middlewares/access_control_middlewares.go
@@ -23,20 +23,23 @@ import (
 	"github.com/google/uuid"
 	"github.com/l3montree-dev/devguard/accesscontrol"
 	"github.com/l3montree-dev/devguard/database/models"
+	"github.com/l3montree-dev/devguard/dtos"
 	"github.com/l3montree-dev/devguard/shared"
 	"github.com/l3montree-dev/devguard/utils"
 	"github.com/labstack/echo/v4"
 )
 
-func InstanceAdminMiddleware() echo.MiddlewareFunc {
+func InstanceAdminMiddleware(pat shared.PersonalAccessTokenService) echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(ctx echo.Context) error {
-			session := shared.GetSession(ctx)
-			if !session.IsInstanceAdmin() {
-				slog.Error("access denied in InstanceAdminMiddleware - user is not an instance admin", "user", session.GetUserID())
-				return echo.NewHTTPError(403, "you do not have access to this resource")
+			isAdmin, err := pat.VerifyAdminRequest(ctx.Request())
+			if err == nil {
+				if isAdmin {
+					ctx.Set("session", accesscontrol.NewSession("admin", dtos.AllowedScopes, true))
+					return next(ctx)
+				}
 			}
-			return next(ctx)
+			return fmt.Errorf("could not verify admin request: %v", err)
 		}
 	}
 }
diff --git a/mocks/mock_AdminService.go b/mocks/mock_AdminService.go
diff --git a/mocks/mock_PersonalAccessTokenService.go b/mocks/mock_PersonalAccessTokenService.go
diff --git a/router/admin_router.go b/router/admin_router.go
@@ -16,18 +16,20 @@
 package router
 
 import (
+	"github.com/l3montree-dev/devguard/cmd/devguard/api"
 	"github.com/l3montree-dev/devguard/controllers"
 	"github.com/l3montree-dev/devguard/middlewares"
+	"github.com/l3montree-dev/devguard/shared"
 	"github.com/labstack/echo/v4"
 )
 
 type AdminRouter struct {
 	*echo.Group
 }
 
-func NewAdminRouter(sessionRouter SessionRouter, adminController *controllers.AdminController) AdminRouter {
-	adminRouter := sessionRouter.Group.Group("/admin",
-		middlewares.InstanceAdminMiddleware(),
+func NewAdminRouter(server api.Server, adminController *controllers.AdminController, patService shared.PersonalAccessTokenService) AdminRouter {
+	adminRouter := server.Echo.Group("/admin",
+		middlewares.InstanceAdminMiddleware(patService),
 	)
 
 	adminRouter.GET("/", func(ctx echo.Context) error {
diff --git a/services/pat_service.go b/services/pat_service.go
@@ -232,7 +232,7 @@ func (p *PatService) markAsLastUsedNow(ctx context.Context, fingerprint string)
 	return p.patRepository.MarkAsLastUsedNow(ctx, nil, fingerprint)
 }
 
-func (p *PatService) verifyAdminRequest(req *http.Request) (bool, error) {
+func (p *PatService) VerifyAdminRequest(req *http.Request) (bool, error) {
 	verifier, _ := httpsign.NewP256Verifier(p.adminPubKey, nil,
 		httpsign.Headers("@method", "content-digest"))
 
@@ -262,7 +262,7 @@ func (p *PatService) VerifyRequestSignature(ctx context.Context, req *http.Reque
 	fingerprint := req.Header.Get("X-Fingerprint")
 	if fingerprint == "" {
 		// check if it's an admin request
-		isAdmin, err := p.verifyAdminRequest(req)
+		isAdmin, err := p.VerifyAdminRequest(req)
 		if err != nil {
 			return nil, fmt.Errorf("could not verify admin request: %v", err)
 		}
diff --git a/shared/common_interfaces.go b/shared/common_interfaces.go
@@ -70,6 +70,7 @@ type ReleaseService interface {
 
 type PersonalAccessTokenService interface {
 	VerifyRequestSignature(ctx context.Context, req *http.Request) (AuthSession, error)
+	VerifyAdminRequest(req *http.Request) (bool, error)
 	RevokeByPrivateKey(ctx context.Context, privKey string) error
 	ToModel(ctx context.Context, request dtos.PatCreateRequest, userID string) models.PAT
 }

Original file line number	Diff line number	Diff line change
`@@ -23,20 +23,23 @@ import (`
`23`	`23`	`"github.com/google/uuid"`
`24`	`24`	`"github.com/l3montree-dev/devguard/accesscontrol"`
`25`	`25`	`"github.com/l3montree-dev/devguard/database/models"`
	`26`	`+ "github.com/l3montree-dev/devguard/dtos"`
`26`	`27`	`"github.com/l3montree-dev/devguard/shared"`
`27`	`28`	`"github.com/l3montree-dev/devguard/utils"`
`28`	`29`	`"github.com/labstack/echo/v4"`
`29`	`30`	`)`
`30`	`31`
`31`		`-func InstanceAdminMiddleware() echo.MiddlewareFunc {`
	`32`	`+func InstanceAdminMiddleware(pat shared.PersonalAccessTokenService) echo.MiddlewareFunc {`
`32`	`33`	`return func(next echo.HandlerFunc) echo.HandlerFunc {`
`33`	`34`	`return func(ctx echo.Context) error {`
`34`		`- session := shared.GetSession(ctx)`
`35`		`- if !session.IsInstanceAdmin() {`
`36`		`- slog.Error("access denied in InstanceAdminMiddleware - user is not an instance admin", "user", session.GetUserID())`
`37`		`- return echo.NewHTTPError(403, "you do not have access to this resource")`
	`35`	`+ isAdmin, err := pat.VerifyAdminRequest(ctx.Request())`
	`36`	`+ if err == nil {`
	`37`	`+ if isAdmin {`
	`38`	`+ ctx.Set("session", accesscontrol.NewSession("admin", dtos.AllowedScopes, true))`
	`39`	`+ return next(ctx)`
	`40`	`+ }`
`38`	`41`	`}`
`39`		`- return next(ctx)`
	`42`	`+ return fmt.Errorf("could not verify admin request: %v", err)`
`40`	`43`	`}`
`41`	`44`	`}`
`42`	`45`	`}`
Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,7 @@ type ReleaseService interface {`
`70`	`70`
`71`	`71`	`type PersonalAccessTokenService interface {`
`72`	`72`	`VerifyRequestSignature(ctx context.Context, req *http.Request) (AuthSession, error)`
	`73`	`+ VerifyAdminRequest(req *http.Request) (bool, error)`
`73`	`74`	`RevokeByPrivateKey(ctx context.Context, privKey string) error`
`74`	`75`	`ToModel(ctx context.Context, request dtos.PatCreateRequest, userID string) models.PAT`
`75`	`76`	`}`