lti-api/internal/middleware/permissions.go

package middleware

import (
	"strings"

	"github.com/gofiber/fiber/v2"
)

// RequirePermissions ensures the authenticated user possesses all specified permissions.
func RequirePermissions(perms ...string) fiber.Handler {
	required := canonicalPermissions(perms)
	return func(c *fiber.Ctx) error {
		if len(required) == 0 {
			return c.Next()
		}

		ctx, ok := AuthDetails(c)
		if !ok || ctx == nil {
			return fiber.NewError(fiber.StatusUnauthorized, "Please authenticate")
		}

		userPerms := ctx.permissionSet()
		if len(userPerms) == 0 {
			return fiber.NewError(fiber.StatusForbidden, "Insufficient permission")
		}

		for _, perm := range required {
			if _, has := userPerms[perm]; !has {
				return fiber.NewError(fiber.StatusForbidden, "Insufficient permission")
			}
		}

		return c.Next()
	}
}

// HasPermission reports whether the current request context includes the given permission.
func HasPermission(c *fiber.Ctx, perm string) bool {
	ctx, ok := AuthDetails(c)
	if !ok || ctx == nil {
		return false
	}
	perm = canonicalPermission(perm)
	if perm == "" {
		return false
	}
	_, has := ctx.permissionSet()[perm]
	return has
}

func (a *AuthContext) permissionSet() map[string]struct{} {
	if a == nil || a.Permissions == nil {
		return nil
	}
	return a.Permissions
}

func canonicalPermissions(perms []string) []string {
	out := make([]string, 0, len(perms))
	seen := make(map[string]struct{}, len(perms))
	for _, perm := range perms {
		if canonical := canonicalPermission(perm); canonical != "" {
			if _, ok := seen[canonical]; ok {
				continue
			}
			seen[canonical] = struct{}{}
			out = append(out, canonical)
		}
	}
	return out
}

func canonicalPermission(perm string) string {
	return strings.ToLower(strings.TrimSpace(perm))
}