[bugfix/backend] use roles in middleware

2025-02-21 05:58:42 +08:00 · 2025-02-21 05:58:42 +08:00 · 287895347b
commit 287895347b
parent e5fc8691bf
2 changed files with 61 additions and 42 deletions
--- a/backend/internal/middleware/auth.go
+++ b/backend/internal/middleware/auth.go
@ -100,20 +100,30 @@ func AuthMiddleware(jwtSecret string, tokenBlacklist *service.TokenBlacklist) gi
                return
            }
-            // 设置用户 ID
+            // 获取用户角色
-            c.Set("user_id", userIDStr)
+            roles, exists := claims["roles"]
-
+            if !exists {
-            // 设置用户角色
+                log.Error().Msg("Token does not contain roles claim")
-            if role, ok := claims["role"].(string); ok {
+                c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid token format: missing roles"})
                log.Debug().Str("role", role).Msg("Found user role")
                c.Set("user_role", role)
            } else {
                log.Error().Interface("role", claims["role"]).Msg("Invalid or missing role claim")
                c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid role format"})
                c.Abort()
                return
            }
            // 将角色转换为字符串数组
            var roleNames []string
            if rolesArray, ok := roles.([]interface{}); ok {
                for _, r := range rolesArray {
                    if roleStr, ok := r.(string); ok {
                        roleNames = append(roleNames, roleStr)
                    }
                }
            }
            // 设置上下文
            c.Set("user_id", userIDStr)
            c.Set("user_roles", roleNames)  // 存储角色数组
            c.Next()
            return
        } else {
            c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid token"})
            c.Abort()
@ -125,26 +135,36 @@ func AuthMiddleware(jwtSecret string, tokenBlacklist *service.TokenBlacklist) gi
 // RoleMiddleware creates a middleware for role-based authorization
 func RoleMiddleware(roles ...string) gin.HandlerFunc {
    return func(c *gin.Context) {
-        userRole, exists := c.Get("user_role")
+        userRoles, exists := c.Get("user_roles")
        if !exists {
-            c.JSON(http.StatusUnauthorized, gin.H{"error": "User role not found"})
+            log.Error().Msg("User roles not found in context")
            c.JSON(http.StatusUnauthorized, gin.H{"error": "User roles not found"})
            c.Abort()
            return
        }
-        roleStr, ok := userRole.(string)
+        roleNames, ok := userRoles.([]string)
        if !ok {
-            c.JSON(http.StatusInternalServerError, gin.H{"error": "Invalid user role type"})
+            log.Error().Msg("Invalid user roles type")
            c.JSON(http.StatusInternalServerError, gin.H{"error": "Invalid user roles type"})
            c.Abort()
            return
        }
-        for _, role := range roles {
+        // 检查用户是否拥有任一所需角色
-            if role == roleStr {
+        for _, requiredRole := range roles {
            for _, userRole := range roleNames {
                if requiredRole == userRole {
                    c.Next()
                    return
                }
            }
        }
        log.Warn().
            Strs("required_roles", roles).
            Strs("user_roles", roleNames).
            Msg("Insufficient permissions")
        c.JSON(http.StatusForbidden, gin.H{"error": "Insufficient permissions"})
        c.Abort()
--- a/backend/internal/middleware/auth_test.go
+++ b/backend/internal/middleware/auth_test.go
@ -34,7 +34,7 @@ func TestAuthMiddleware(t *testing.T) {
 		expectedBody   map[string]string
 		checkUserData  bool
 		expectedUserID string
-		expectedRole   string
+		expectedRoles  []string
 	}{
 		{
 			name:           "No Authorization header",
@ -63,7 +63,7 @@ func TestAuthMiddleware(t *testing.T) {
 			setupAuth: func(req *http.Request) {
 				claims := jwt.MapClaims{
 					"sub":   "123",
-					"role": "user",
+					"roles": []string{"admin", "editor"},
 					"exp":   time.Now().Add(time.Hour).Unix(),
 				}
 				token := createTestToken(jwtSecret, claims)
@ -72,14 +72,14 @@ func TestAuthMiddleware(t *testing.T) {
 			expectedStatus: http.StatusOK,
 			checkUserData:  true,
 			expectedUserID: "123",
-			expectedRole:   "user",
+			expectedRoles:  []string{"admin", "editor"},
 		},
 		{
 			name: "Expired token",
 			setupAuth: func(req *http.Request) {
 				claims := jwt.MapClaims{
 					"sub":   "123",
-					"role": "user",
+					"roles": []string{"user"},
 					"exp":   time.Now().Add(-time.Hour).Unix(),
 				}
 				token := createTestToken(jwtSecret, claims)
@ -109,9 +109,9 @@ func TestAuthMiddleware(t *testing.T) {
 					assert.True(t, exists, "user_id should exist in context")
 					assert.Equal(t, tc.expectedUserID, userID, "user_id should match")
-					role, exists := c.Get("user_role")
+					roles, exists := c.Get("user_roles")
-					assert.True(t, exists, "user_role should exist in context")
+					assert.True(t, exists, "user_roles should exist in context")
-					assert.Equal(t, tc.expectedRole, role, "user_role should match")
+					assert.Equal(t, tc.expectedRoles, roles, "user_roles should match")
 				}
 				c.Status(http.StatusOK)
 			})
@ -146,27 +146,27 @@ func TestRoleMiddleware(t *testing.T) {
 		expectedBody   map[string]string
 	}{
 		{
-			name: "No user role",
+			name: "No user roles",
 			setupContext: func(c *gin.Context) {
 				// 不设置用户角色
 			},
 			allowedRoles:   []string{"admin"},
 			expectedStatus: http.StatusUnauthorized,
-			expectedBody:   map[string]string{"error": "User role not found"},
+			expectedBody:   map[string]string{"error": "User roles not found"},
 		},
 		{
-			name: "Invalid role type",
+			name: "Invalid roles type",
 			setupContext: func(c *gin.Context) {
-				c.Set("user_role", 123) // 设置错误类型的角色
+				c.Set("user_roles", 123) // 设置错误类型的角色
 			},
 			allowedRoles:   []string{"admin"},
 			expectedStatus: http.StatusInternalServerError,
-			expectedBody:   map[string]string{"error": "Invalid user role type"},
+			expectedBody:   map[string]string{"error": "Invalid user roles type"},
 		},
 		{
 			name: "Insufficient permissions",
 			setupContext: func(c *gin.Context) {
-				c.Set("user_role", "user")
+				c.Set("user_roles", []string{"user"})
 			},
 			allowedRoles:   []string{"admin"},
 			expectedStatus: http.StatusForbidden,
@ -175,7 +175,7 @@ func TestRoleMiddleware(t *testing.T) {
 		{
 			name: "Allowed role",
 			setupContext: func(c *gin.Context) {
-				c.Set("user_role", "admin")
+				c.Set("user_roles", []string{"admin"})
 			},
 			allowedRoles:   []string{"admin"},
 			expectedStatus: http.StatusOK,
@ -183,7 +183,7 @@ func TestRoleMiddleware(t *testing.T) {
 		{
 			name: "One of multiple allowed roles",
 			setupContext: func(c *gin.Context) {
-				c.Set("user_role", "editor")
+				c.Set("user_roles", []string{"user", "editor"})
 			},
 			allowedRoles:   []string{"admin", "editor", "moderator"},
 			expectedStatus: http.StatusOK,
@ -199,8 +199,7 @@ func TestRoleMiddleware(t *testing.T) {
 			router.Use(func(c *gin.Context) {
 				tc.setupContext(c)
 				c.Next()
-			})
+			}, RoleMiddleware(tc.allowedRoles...))
 			router.Use(RoleMiddleware(tc.allowedRoles...))
 			// 测试路由
 			router.GET("/test", func(c *gin.Context) {
@ -215,13 +214,13 @@ func TestRoleMiddleware(t *testing.T) {
 			router.ServeHTTP(rec, req)
 			// 验证响应
-			assert.Equal(t, tc.expectedStatus, rec.Code)
+			assert.Equal(t, tc.expectedStatus, rec.Code, "HTTP status code should match")
 			if tc.expectedBody != nil {
 				var response map[string]string
 				err := json.NewDecoder(rec.Body).Decode(&response)
-				assert.NoError(t, err)
+				assert.NoError(t, err, "Response body should be valid JSON")
-				assert.Equal(t, tc.expectedBody, response)
+				assert.Equal(t, tc.expectedBody, response, "Response body should match")
 			}
 		})
 	}