✨ auth

src/herd_core/route.rs

@@ -16,6 +16,7 @@ use axum_client_ip::ClientIp;
 use axum_extra::TypedHeader;
 use axum_extra::headers::Authorization;
 use axum_extra::headers::authorization::Bearer;
+use based_auth::APIUser;
 use based_auth::Sessions;
 use based_auth::User;
 use owl::get;
@@ -30,12 +31,23 @@ use sheepd::DeviceList;
 use super::mqtt::is_within_80_seconds;
 use super::mqtt::send_msg;
 
+macro_rules! check_admin {
+    ($user:ident) => {
+        if !$user.read().is_admin() {
+            return (
+                StatusCode::UNAUTHORIZED,
+                Json(api::Result::Err("Invalid credentials")),
+            );
+        }
+    };
+}
+
 pub async fn device_shell_cmd(
     Path(device_id): Path<String>,
-    TypedHeader(session): TypedHeader<Authorization<Bearer>>,
+    APIUser(user): APIUser,
     Json(payload): Json<api::ShellParam>,
 ) -> (StatusCode, Json<api::Result<ShellResponse>>) {
-    // TODO : check auth
+    check_admin!(user);
 
     let machine: Option<Model<Machine>> = get!(device_id);
 
@@ -65,9 +77,9 @@ pub async fn device_shell_cmd(
 
 pub async fn device_get_api(
     Path(device_id): Path<String>,
-    session: TypedHeader<Authorization<Bearer>>,
+    APIUser(user): APIUser,
 ) -> (StatusCode, Json<api::Result<DeviceEntry>>) {
-    // TODO : check auth
+    check_admin!(user);
 
     let machine: Option<Model<Machine>> = get!(device_id.clone());
 
@@ -94,10 +106,9 @@ pub fn device_online(id: &String) -> bool {
         .unwrap_or(false)
 }
 
-pub async fn devices_list(
-    session: TypedHeader<Authorization<Bearer>>,
-) -> (StatusCode, Json<api::Result<DeviceList>>) {
-    // TODO : auth?
+pub async fn devices_list(APIUser(user): APIUser) -> (StatusCode, Json<api::Result<DeviceList>>) {
+    check_admin!(user);
+
     let machines: Vec<Model<Machine>> = query!(|_| true);
 
     let mut ret = vec![];