Ролевая модель и аудит Часть 1.
This commit is contained in:
@@ -95,7 +95,7 @@ update_banned_word(Word, Req) ->
|
||||
auth_admin(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true -> {ok, AdminId, Req1};
|
||||
false -> {error, 403, <<"Admin access required">>, Req1}
|
||||
end;
|
||||
@@ -103,15 +103,6 @@ auth_admin(Req) ->
|
||||
{error, Code, Message, Req1}
|
||||
end.
|
||||
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} ->
|
||||
Role = User#user.role,
|
||||
Role =:= admin orelse Role =:= superadmin orelse
|
||||
Role =:= moderator orelse Role =:= support;
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
banned_word_to_json(BW) ->
|
||||
#{
|
||||
id => BW#banned_word.id,
|
||||
|
||||
@@ -1,15 +1,18 @@
|
||||
-module(admin_handler_health).
|
||||
|
||||
-behaviour(cowboy_handler).
|
||||
-export([init/2]).
|
||||
|
||||
init(Req, _Opts) ->
|
||||
init(Req, State) ->
|
||||
case cowboy_req:method(Req) of
|
||||
<<"GET">> ->
|
||||
Body = jsx:encode(#{status => <<"ok">>}),
|
||||
Req1 = cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, Body, Req),
|
||||
{ok, Req1, []};
|
||||
Req2 = cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, Body, Req),
|
||||
{ok, Req2, State};
|
||||
_ ->
|
||||
Body = jsx:encode(#{error => <<"Method not allowed">>}),
|
||||
Req1 = cowboy_req:reply(405, #{<<"content-type">> => <<"application/json">>}, Body, Req),
|
||||
{ok, Req1, []}
|
||||
end.
|
||||
send_error(Req, 405, <<"Method not allowed">>)
|
||||
end.
|
||||
|
||||
send_error(Req, Status, Message) ->
|
||||
Body = jsx:encode(#{error => Message}),
|
||||
Req2 = cowboy_req:reply(Status, #{<<"content-type">> => <<"application/json">>}, Body, Req),
|
||||
{ok, Req2, []}.
|
||||
@@ -12,13 +12,18 @@ init(Req0, State) ->
|
||||
#{<<"email">> := Email, <<"password">> := Password} ->
|
||||
case eventhub_auth:authenticate_admin_request(Req1, Email, Password) of
|
||||
{ok, Token, User} ->
|
||||
% Генерация refresh-токена для администратора
|
||||
{RefreshToken, _ExpiresAt} = eventhub_auth:generate_refresh_token(maps:get(id, User)),
|
||||
% Сохранение refresh-токена в admin_session
|
||||
core_admin_session:create(maps:get(id, User), RefreshToken),
|
||||
Resp = jsx:encode(#{
|
||||
<<"token">> => Token,
|
||||
<<"user">> => #{
|
||||
<<"id">> => maps:get(id, User),
|
||||
<<"email">> => maps:get(email, User),
|
||||
<<"role">> => maps:get(role, User)
|
||||
}
|
||||
},
|
||||
<<"refresh_token">> => RefreshToken
|
||||
}),
|
||||
Req2 = cowboy_req:reply(200, #{
|
||||
<<"content-type">> => <<"application/json">>,
|
||||
@@ -26,14 +31,16 @@ init(Req0, State) ->
|
||||
}, Resp, Req1),
|
||||
{ok, Req2, State};
|
||||
{error, insufficient_permissions} ->
|
||||
error_response(403, insufficient_permissions, Req1, State);
|
||||
error_response(403, <<"insufficient_permissions">>, Req1, State);
|
||||
{error, Reason} when is_atom(Reason) ->
|
||||
error_response(401, atom_to_binary(Reason, utf8), Req1, State);
|
||||
{error, Reason} ->
|
||||
error_response(401, Reason, Req1, State)
|
||||
end;
|
||||
_ ->
|
||||
error_response(400, <<"invalid_request">>, Req1, State)
|
||||
error_response(400, <<"Missing email or password">>, Req1, State)
|
||||
catch
|
||||
_:_ -> error_response(400, <<"invalid_request">>, Req1, State)
|
||||
_:_ -> error_response(400, <<"Invalid JSON">>, Req1, State)
|
||||
end;
|
||||
false ->
|
||||
error_response(400, <<"Missing request body">>, Req0, State)
|
||||
|
||||
@@ -99,7 +99,7 @@ handle_user(_Id, _Action, Req) ->
|
||||
auth_admin(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true -> {ok, AdminId, Req1};
|
||||
false -> {error, 403, <<"Admin access required">>, Req1}
|
||||
end;
|
||||
@@ -107,15 +107,6 @@ auth_admin(Req) ->
|
||||
{error, Code, Message, Req1}
|
||||
end.
|
||||
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} ->
|
||||
Role = User#user.role,
|
||||
Role =:= admin orelse Role =:= superadmin orelse
|
||||
Role =:= moderator orelse Role =:= support;
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
calendar_to_json(C) ->
|
||||
#{
|
||||
id => C#calendar.id,
|
||||
|
||||
@@ -14,7 +14,7 @@ init(Req, _Opts) ->
|
||||
get_report(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
ReportId = cowboy_req:binding(id, Req1),
|
||||
case core_report:get_by_id(ReportId) of
|
||||
@@ -33,7 +33,7 @@ get_report(Req) ->
|
||||
update_report(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
ReportId = cowboy_req:binding(id, Req1),
|
||||
{ok, Body, Req2} = cowboy_req:read_body(Req1),
|
||||
@@ -60,15 +60,6 @@ update_report(Req) ->
|
||||
send_error(Req1, Code, Message)
|
||||
end.
|
||||
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} ->
|
||||
Role = User#user.role,
|
||||
Role =:= admin orelse Role =:= superadmin orelse
|
||||
Role =:= moderator orelse Role =:= support;
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
report_to_json(R) ->
|
||||
#{
|
||||
id => R#report.id,
|
||||
|
||||
@@ -8,13 +8,13 @@ init(Req, _Opts) ->
|
||||
case cowboy_req:method(Req) of
|
||||
<<"GET">> -> list_reports(Req);
|
||||
<<"PUT">> -> update_report(Req);
|
||||
_ -> send_error(Req, 405, <<"Method not allowed">>)
|
||||
_ -> send_error(Req, 405, <<"Method not allowed">>)
|
||||
end.
|
||||
|
||||
list_reports(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
{ok, Reports} = core_report:list_all(),
|
||||
send_json(Req1, 200, [report_to_json(R) || R <- Reports]);
|
||||
@@ -28,7 +28,7 @@ list_reports(Req) ->
|
||||
update_report(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
ReportId = cowboy_req:binding(id, Req1),
|
||||
{ok, Body, Req2} = cowboy_req:read_body(Req1),
|
||||
@@ -54,15 +54,6 @@ update_report(Req) ->
|
||||
send_error(Req1, Code, Message)
|
||||
end.
|
||||
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} ->
|
||||
Role = User#user.role,
|
||||
Role =:= admin orelse Role =:= superadmin orelse
|
||||
Role =:= moderator orelse Role =:= support;
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
report_to_json(R) ->
|
||||
#{
|
||||
id => R#report.id,
|
||||
|
||||
@@ -14,7 +14,7 @@ init(Req, _Opts) ->
|
||||
get_review(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
ReviewId = cowboy_req:binding(id, Req1),
|
||||
case core_review:get_by_id(ReviewId) of
|
||||
@@ -33,7 +33,7 @@ get_review(Req) ->
|
||||
update_review(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
ReviewId = cowboy_req:binding(id, Req1),
|
||||
{ok, Body, Req2} = cowboy_req:read_body(Req1),
|
||||
@@ -59,15 +59,6 @@ update_review(Req) ->
|
||||
send_error(Req1, Code, Message)
|
||||
end.
|
||||
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} ->
|
||||
Role = User#user.role,
|
||||
Role =:= admin orelse Role =:= superadmin orelse
|
||||
Role =:= moderator orelse Role =:= support;
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
review_to_json(R) ->
|
||||
#{
|
||||
id => R#review.id,
|
||||
|
||||
@@ -1,14 +1,8 @@
|
||||
-module(admin_handler_stats).
|
||||
-include("records.hrl").
|
||||
-export([init/2]).
|
||||
-export([count_users/0, count_calendars/0, count_events/0, count_bookings/0,
|
||||
count_reviews/0, count_reports/0, count_tickets/0, count_subscriptions/0]).
|
||||
-export([is_admin/1]).
|
||||
|
||||
init(Req, Opts) ->
|
||||
handle(Req, Opts).
|
||||
|
||||
handle(Req, _Opts) ->
|
||||
init(Req, _Opts) ->
|
||||
case cowboy_req:method(Req) of
|
||||
<<"GET">> -> get_stats(Req);
|
||||
_ -> send_error(Req, 405, <<"Method not allowed">>)
|
||||
@@ -17,7 +11,7 @@ handle(Req, _Opts) ->
|
||||
get_stats(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
Stats = #{
|
||||
users => count_users(),
|
||||
@@ -37,16 +31,6 @@ get_stats(Req) ->
|
||||
send_error(Req1, Code, Message)
|
||||
end.
|
||||
|
||||
%% Вспомогательные функции
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} ->
|
||||
Role = User#user.role,
|
||||
Role =:= admin orelse Role =:= superadmin orelse
|
||||
Role =:= moderator orelse Role =:= support;
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
count_users() -> length(mnesia:dirty_match_object(#user{_ = '_'})).
|
||||
count_calendars() -> length(mnesia:dirty_match_object(#calendar{_ = '_'})).
|
||||
count_events() -> length(mnesia:dirty_match_object(#event{is_instance = false, _ = '_'})).
|
||||
|
||||
@@ -114,7 +114,7 @@ delete_subscription(SubscriptionId, Req) ->
|
||||
auth_admin(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true -> {ok, AdminId, Req1};
|
||||
false -> {error, 403, <<"Admin access required">>, Req1}
|
||||
end;
|
||||
@@ -122,15 +122,6 @@ auth_admin(Req) ->
|
||||
{error, Code, Message, Req1}
|
||||
end.
|
||||
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} ->
|
||||
Role = User#user.role,
|
||||
Role =:= admin orelse Role =:= superadmin orelse
|
||||
Role =:= moderator orelse Role =:= support;
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
subscription_to_json(S) ->
|
||||
#{
|
||||
id => S#subscription.id,
|
||||
|
||||
@@ -67,7 +67,7 @@ delete_ticket(Req) ->
|
||||
auth_admin(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true -> {ok, AdminId, Req1};
|
||||
false -> {error, 403, <<"Admin access required">>, Req1}
|
||||
end;
|
||||
@@ -75,15 +75,6 @@ auth_admin(Req) ->
|
||||
{error, Code, Message, Req1}
|
||||
end.
|
||||
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} ->
|
||||
Role = User#user.role,
|
||||
Role =:= admin orelse Role =:= superadmin orelse
|
||||
Role =:= moderator orelse Role =:= support;
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
ticket_to_json(T) ->
|
||||
#{
|
||||
id => T#ticket.id,
|
||||
|
||||
@@ -22,7 +22,7 @@ get_stats(Req) ->
|
||||
auth_admin(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true -> {ok, AdminId, Req1};
|
||||
false -> {error, 403, <<"Admin access required">>, Req1}
|
||||
end;
|
||||
@@ -30,15 +30,6 @@ auth_admin(Req) ->
|
||||
{error, Code, Message, Req1}
|
||||
end.
|
||||
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} ->
|
||||
Role = User#user.role,
|
||||
Role =:= admin orelse Role =:= superadmin orelse
|
||||
Role =:= moderator orelse Role =:= support;
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
send_json(Req, Status, Data) ->
|
||||
Body = jsx:encode(Data),
|
||||
cowboy_req:reply(Status, #{<<"content-type">> => <<"application/json">>}, Body, Req),
|
||||
|
||||
@@ -112,7 +112,7 @@ delete_ticket(TicketId, Req) ->
|
||||
auth_admin(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true -> {ok, AdminId, Req1};
|
||||
false -> {error, 403, <<"Admin access required">>, Req1}
|
||||
end;
|
||||
@@ -120,15 +120,6 @@ auth_admin(Req) ->
|
||||
{error, Code, Message, Req1}
|
||||
end.
|
||||
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} ->
|
||||
Role = User#user.role,
|
||||
Role =:= admin orelse Role =:= superadmin orelse
|
||||
Role =:= moderator orelse Role =:= support;
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
ticket_to_json(T) ->
|
||||
#{
|
||||
id => T#ticket.id,
|
||||
|
||||
@@ -1,28 +1,22 @@
|
||||
-module(admin_handler_user_by_id).
|
||||
-include("records.hrl").
|
||||
-export([init/2]).
|
||||
-export([user_to_json/1, convert_updates/1]).
|
||||
|
||||
init(Req, Opts) ->
|
||||
handle(Req, Opts).
|
||||
|
||||
handle(Req, _Opts) ->
|
||||
init(Req, _Opts) ->
|
||||
case cowboy_req:method(Req) of
|
||||
<<"GET">> -> get_user(Req);
|
||||
<<"PUT">> -> update_user(Req);
|
||||
<<"GET">> -> get_user(Req);
|
||||
<<"PUT">> -> update_user(Req);
|
||||
<<"DELETE">> -> delete_user(Req);
|
||||
_ -> send_error(Req, 405, <<"Method not allowed">>)
|
||||
_ -> send_error(Req, 405, <<"Method not allowed">>)
|
||||
end.
|
||||
|
||||
get_user(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
UserId = cowboy_req:binding(id, Req1),
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} when User#user.status =:= deleted ->
|
||||
send_error(Req1, 404, <<"User not found">>);
|
||||
{ok, User} ->
|
||||
send_json(Req1, 200, user_to_json(User));
|
||||
{error, not_found} ->
|
||||
@@ -38,7 +32,7 @@ get_user(Req) ->
|
||||
update_user(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
UserId = cowboy_req:binding(id, Req1),
|
||||
{ok, Body, Req2} = cowboy_req:read_body(Req1),
|
||||
@@ -69,7 +63,7 @@ update_user(Req) ->
|
||||
delete_user(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case is_admin(AdminId) of
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
UserId = cowboy_req:binding(id, Req1),
|
||||
case core_user:delete(UserId) of
|
||||
@@ -85,12 +79,6 @@ delete_user(Req) ->
|
||||
send_error(Req1, Code, Message)
|
||||
end.
|
||||
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} -> User#user.role =:= admin;
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
user_to_json(User) ->
|
||||
#{
|
||||
id => User#user.id,
|
||||
|
||||
@@ -1,35 +1,40 @@
|
||||
-module(admin_handler_users).
|
||||
-behaviour(cowboy_handler).
|
||||
-include("records.hrl").
|
||||
-export([init/2]).
|
||||
|
||||
init(Req, _Opts) ->
|
||||
case cowboy_req:method(Req) of
|
||||
<<"GET">> ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, _UserId, Req1} ->
|
||||
{ok, Users} = core_user:list_users(),
|
||||
Response = [user_to_map(U) || U <- Users],
|
||||
send_json(Req1, 200, Response);
|
||||
{error, Code, Message, Req1} ->
|
||||
send_error(Req1, Code, Message)
|
||||
end;
|
||||
_ ->
|
||||
send_error(Req, 405, <<"Method not allowed">>)
|
||||
<<"GET">> -> list_users(Req);
|
||||
_ -> send_error(Req, 405, <<"Method not allowed">>)
|
||||
end.
|
||||
|
||||
user_to_map(User) ->
|
||||
list_users(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
Users = core_user:list_users(),
|
||||
send_json(Req1, 200, [user_to_json(U) || U <- Users]);
|
||||
false ->
|
||||
send_error(Req1, 403, <<"Admin access required">>)
|
||||
end;
|
||||
{error, Code, Message, Req1} ->
|
||||
send_error(Req1, Code, Message)
|
||||
end.
|
||||
|
||||
user_to_json(U) ->
|
||||
#{
|
||||
id => maps:get(id, User),
|
||||
email => maps:get(email, User),
|
||||
role => maps:get(role, User),
|
||||
status => maps:get(status, User),
|
||||
created_at => datetime_to_iso8601(maps:get(created_at, User)),
|
||||
updated_at => datetime_to_iso8601(maps:get(updated_at, User))
|
||||
id => U#user.id,
|
||||
email => U#user.email,
|
||||
role => U#user.role,
|
||||
status => U#user.status,
|
||||
created_at => datetime_to_iso8601(U#user.created_at),
|
||||
updated_at => datetime_to_iso8601(U#user.updated_at)
|
||||
}.
|
||||
|
||||
datetime_to_iso8601({{Year, Month, Day}, {Hour, Minute, Second}}) ->
|
||||
iolist_to_binary(io_lib:format("~4..0B-~2..0B-~2..0BT~2..0B:~2..0B:~2..0BZ",
|
||||
[Year, Month, Day, Hour, Minute, Second])).
|
||||
datetime_to_iso8601({{Y,M,D},{H,Min,S}}) ->
|
||||
iolist_to_binary(io_lib:format("~4..0B-~2..0B-~2..0BT~2..0B:~2..0B:~2..0BZ", [Y,M,D,H,Min,S]));
|
||||
datetime_to_iso8601(_) -> null.
|
||||
|
||||
send_json(Req, Status, Data) ->
|
||||
Body = jsx:encode(Data),
|
||||
|
||||
@@ -22,7 +22,7 @@ init(Req, _Opts) ->
|
||||
case logic_auth:verify_jwt(Token) of
|
||||
{ok, UserId, Role} ->
|
||||
io:format("[ADMIN_WS] UserId: ~s, Role: ~s~n", [UserId, Role]),
|
||||
case is_admin_role(Role) of
|
||||
case admin_utils:is_admin(Role) of
|
||||
true ->
|
||||
io:format("[ADMIN_WS] Admin access granted~n"),
|
||||
{cowboy_websocket, Req, #state{admin_id = UserId}};
|
||||
@@ -81,7 +81,4 @@ websocket_info(_Info, State) ->
|
||||
|
||||
terminate(_Reason, _Req, _State) ->
|
||||
pg:leave(eventhub_admin_ws, self()),
|
||||
ok.
|
||||
|
||||
is_admin_role(Role) ->
|
||||
lists:member(Role, [<<"admin">>, <<"superadmin">>, <<"moderator">>, <<"support">>]).
|
||||
ok.
|
||||
@@ -2,7 +2,7 @@
|
||||
-behaviour(cowboy_handler).
|
||||
-export([init/2]).
|
||||
|
||||
-include("records.hrl"). %% ← необходим для #session{}
|
||||
-include("records.hrl").
|
||||
|
||||
init(Req0, State) ->
|
||||
handle(Req0, State).
|
||||
@@ -21,8 +21,8 @@ handle(Req, _Opts) ->
|
||||
#{<<"email">> := Email, <<"password">> := Password} ->
|
||||
case eventhub_auth:authenticate_user_request(Req1, Email, Password) of
|
||||
{ok, Token, User} ->
|
||||
{RefreshToken, ExpiresAt} = eventhub_auth:generate_refresh_token(maps:get(id, User)),
|
||||
save_refresh_token(maps:get(id, User), RefreshToken, ExpiresAt),
|
||||
{RefreshToken, _ExpiresAt} = eventhub_auth:generate_refresh_token(maps:get(id, User)),
|
||||
core_session:create(maps:get(id, User), RefreshToken),
|
||||
Response = #{
|
||||
user => #{
|
||||
id => maps:get(id, User),
|
||||
@@ -53,15 +53,6 @@ handle(Req, _Opts) ->
|
||||
send_error(Req, 405, <<"Method not allowed">>)
|
||||
end.
|
||||
|
||||
save_refresh_token(UserId, Token, ExpiresAt) ->
|
||||
Session = #session{ %% record определён в records.hrl
|
||||
token = Token,
|
||||
user_id = UserId,
|
||||
expires_at = ExpiresAt,
|
||||
type = refresh
|
||||
},
|
||||
mnesia:dirty_write(Session).
|
||||
|
||||
send_json(Req, Status, Data) ->
|
||||
Body = jsx:encode(Data),
|
||||
cowboy_req:reply(Status, #{
|
||||
|
||||
@@ -8,41 +8,12 @@ init(Req0, _Opts) ->
|
||||
{ok, Body, Req1} = cowboy_req:read_body(Req0),
|
||||
try jsx:decode(Body, [return_maps]) of
|
||||
#{<<"refresh_token">> := RefreshToken} ->
|
||||
case get_session(RefreshToken) of
|
||||
{ok, Session} ->
|
||||
% Проверяем, не истекла ли сессия
|
||||
case Session#session.expires_at > calendar:universal_time() of
|
||||
true ->
|
||||
% Генерируем новый access-токен и refresh-токен
|
||||
User = get_user(Session#session.user_id),
|
||||
NewToken = eventhub_auth:generate_user_token(
|
||||
User#user.id,
|
||||
atom_to_binary(User#user.role, utf8)
|
||||
),
|
||||
{NewRefreshToken, ExpiresAt} =
|
||||
eventhub_auth:generate_refresh_token(User#user.id),
|
||||
% Удаляем старую сессию и сохраняем новую
|
||||
mnesia:dirty_delete_object(Session),
|
||||
NewSession = #session{
|
||||
token = NewRefreshToken,
|
||||
user_id = User#user.id,
|
||||
expires_at = ExpiresAt,
|
||||
type = refresh
|
||||
},
|
||||
mnesia:dirty_write(NewSession),
|
||||
Resp = jsx:encode(#{
|
||||
token => NewToken,
|
||||
refresh_token => NewRefreshToken
|
||||
}),
|
||||
cowboy_req:reply(200, #{
|
||||
<<"content-type">> => <<"application/json">>
|
||||
}, Resp, Req1);
|
||||
false ->
|
||||
mnesia:dirty_delete_object(Session),
|
||||
send_error(Req1, 401, <<"Refresh token expired">>)
|
||||
end;
|
||||
{error, not_found} ->
|
||||
send_error(Req1, 401, <<"Refresh token not found">>)
|
||||
case find_and_refresh(RefreshToken) of
|
||||
{ok, NewTokenPair} ->
|
||||
Resp = jsx:encode(NewTokenPair),
|
||||
cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, Resp, Req1);
|
||||
{error, Reason} ->
|
||||
send_error(Req1, 401, Reason)
|
||||
end;
|
||||
_ ->
|
||||
send_error(Req1, 400, <<"Missing refresh_token field">>)
|
||||
@@ -53,15 +24,50 @@ init(Req0, _Opts) ->
|
||||
send_error(Req0, 405, <<"Method not allowed">>)
|
||||
end.
|
||||
|
||||
get_session(Token) ->
|
||||
case mnesia:dirty_read({session, Token}) of
|
||||
[Session] -> {ok, Session};
|
||||
[] -> {error, not_found}
|
||||
%% --------------------------------------------------------
|
||||
%% Общая логика: проверяет обе таблицы сессий
|
||||
%% --------------------------------------------------------
|
||||
|
||||
find_and_refresh(RefreshToken) ->
|
||||
case core_session:validate(RefreshToken) of
|
||||
{ok, UserId, User} ->
|
||||
user_refresh(UserId, User, RefreshToken);
|
||||
{error, not_found} ->
|
||||
case core_admin_session:validate(RefreshToken) of
|
||||
{ok, AdminId} ->
|
||||
admin_refresh(AdminId, RefreshToken);
|
||||
{error, not_found} ->
|
||||
{error, <<"Refresh token not found">>};
|
||||
{error, expired} ->
|
||||
{error, <<"Refresh token expired">>}
|
||||
end;
|
||||
{error, expired} ->
|
||||
{error, <<"Refresh token expired">>}
|
||||
end.
|
||||
|
||||
get_user(UserId) ->
|
||||
[User] = mnesia:dirty_read({user, UserId}),
|
||||
User.
|
||||
user_refresh(UserId, User, OldToken) ->
|
||||
% Удаляем старый refresh-токен
|
||||
core_session:delete(OldToken),
|
||||
% Генерируем новый access-токен и refresh-токен
|
||||
Role = atom_to_binary(User#user.role, utf8),
|
||||
NewToken = eventhub_auth:generate_user_token(UserId, Role),
|
||||
{NewRefreshToken, _ExpiresAt} = eventhub_auth:generate_refresh_token(UserId),
|
||||
% Сохраняем новый refresh-токен в таблице session
|
||||
core_session:create(UserId, NewRefreshToken),
|
||||
{ok, #{token => NewToken, refresh_token => NewRefreshToken}}.
|
||||
|
||||
admin_refresh(AdminId, OldToken) ->
|
||||
% Удаляем старый refresh-токен
|
||||
core_admin_session:delete(OldToken),
|
||||
% Получаем роль админа
|
||||
{ok, Admin} = core_admin:get_by_id(AdminId),
|
||||
Role = atom_to_binary(Admin#admin.role, utf8),
|
||||
% Генерируем новый access-токен и refresh-токен
|
||||
NewToken = eventhub_auth:generate_admin_token(AdminId, Role),
|
||||
{NewRefreshToken, _ExpiresAt} = eventhub_auth:generate_refresh_token(AdminId),
|
||||
% Сохраняем новый refresh-токен в таблице admin_session
|
||||
core_admin_session:create(AdminId, NewRefreshToken),
|
||||
{ok, #{token => NewToken, refresh_token => NewRefreshToken}}.
|
||||
|
||||
send_error(Req, Status, Message) ->
|
||||
Body = jsx:encode(#{error => Message}),
|
||||
|
||||
@@ -19,7 +19,7 @@ get_ticket(Req) ->
|
||||
case core_ticket:get_by_id(TicketId) of
|
||||
{ok, Ticket} ->
|
||||
io:format("[TICKET_BY_ID] Found ticket, reporter_id: ~s~n", [Ticket#ticket.reporter_id]),
|
||||
case is_admin(UserId) orelse Ticket#ticket.reporter_id =:= UserId of
|
||||
case Ticket#ticket.reporter_id =:= UserId of
|
||||
true ->
|
||||
io:format("[TICKET_BY_ID] Access granted~n"),
|
||||
send_json(Req1, 200, ticket_to_json(Ticket));
|
||||
@@ -45,7 +45,7 @@ update_ticket(Req) ->
|
||||
Updates when is_map(Updates) ->
|
||||
case core_ticket:get_by_id(TicketId) of
|
||||
{ok, Ticket} ->
|
||||
case is_admin(UserId) orelse Ticket#ticket.reporter_id =:= UserId of
|
||||
case Ticket#ticket.reporter_id =:= UserId of
|
||||
true ->
|
||||
case core_ticket:update_ticket(TicketId, Updates) of
|
||||
{ok, Updated} -> send_json(Req2, 200, ticket_to_json(Updated));
|
||||
@@ -63,12 +63,6 @@ update_ticket(Req) ->
|
||||
send_error(Req1, Code, Message)
|
||||
end.
|
||||
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, U} -> lists:member(U#user.role, [admin, superadmin, moderator, support]);
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
ticket_to_json(T) ->
|
||||
#{
|
||||
id => T#ticket.id,
|
||||
|
||||
@@ -17,7 +17,7 @@ handle(Req, _Opts) ->
|
||||
list_tickets(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, UserId, Req1} ->
|
||||
case is_admin(UserId) of
|
||||
case admin_utils:is_admin(UserId) of
|
||||
true ->
|
||||
Tickets = core_ticket:list_all(),
|
||||
send_json(Req1, 200, [ticket_to_json(T) || T <- Tickets]);
|
||||
@@ -51,13 +51,6 @@ create_ticket(Req) ->
|
||||
send_error(Req1, Code, Message)
|
||||
end.
|
||||
|
||||
is_admin(UserId) ->
|
||||
case core_user:get_by_id(UserId) of
|
||||
{ok, User} ->
|
||||
lists:member(User#user.role, [admin, superadmin, moderator, support]);
|
||||
_ -> false
|
||||
end.
|
||||
|
||||
ticket_to_json(T) ->
|
||||
#{
|
||||
id => T#ticket.id,
|
||||
|
||||
Reference in New Issue
Block a user