arcodange/dance-lessons-coach
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
07f8bd65b7d175f46b30918fe21f58f21bd57eb7
dance-lessons-coach/pkg/user/api/admin_handler.go
Gabriel Radureau 07f8bd65b7
All checks were successful
CI/CD Pipeline / Build Docker Cache (push) Successful in 11s
Details
CI/CD Pipeline / CI Pipeline (push) Successful in 4m32s
Details
🧪 test: implement JWT secret rotation BDD tests 
- Fix admin handler to handle flexible boolean parsing

- Modify GenerateJWT to use latest secret for signing

- Update JWT secret manager for proper expiration handling

- Fix BDD test steps to use actual tokens instead of hardcoded ones

- Add comprehensive debug logging for JWT operations

Resolves JWT secret rotation feature implementation

Generated by Mistral Vibe.

Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
2026-04-09 16:14:31 +02:00

150 lines
4.7 KiB
Go
Raw Blame History

package api
import (
"encoding/json"
"net/http"
"time"
"dance-lessons-coach/pkg/user"
"github.com/go-chi/chi/v5"
)
// AdminHandler handles admin-related HTTP requests
type AdminHandler struct {
authService user.AuthService
}
// NewAdminHandler creates a new admin handler
func NewAdminHandler(authService user.AuthService) *AdminHandler {
return &AdminHandler{
authService: authService,
}
}
// RegisterRoutes registers admin routes
func (h *AdminHandler) RegisterRoutes(router chi.Router) {
router.Route("/jwt", func(r chi.Router) {
r.Post("/secrets", h.handleAddJWTSecret)
r.Post("/secrets/rotate", h.handleRotateJWTSecret)
})
}
// AddJWTSecretRequest represents a request to add a new JWT secret
type AddJWTSecretRequest struct {
Secret string `json:"secret" validate:"required,min=16"`
IsPrimary bool `json:"is_primary"`
ExpiresIn int64 `json:"expires_in"` // Expiration time in hours
}
// handleAddJWTSecret godoc
//
// @Summary Add JWT secret
// @Description Add a new JWT secret for rotation purposes
// @Tags API/v1/Admin
// @Accept json
// @Produce json
// @Param request body AddJWTSecretRequest true "JWT secret details"
// @Success 200 {object} map[string]string "Secret added successfully"
// @Failure 400 {object} map[string]string "Invalid request"
// @Failure 401 {object} map[string]string "Unauthorized"
// @Failure 500 {object} map[string]string "Server error"
// @Router /v1/admin/jwt/secrets [post]
func (h *AdminHandler) handleAddJWTSecret(w http.ResponseWriter, r *http.Request) {
// Decode request body into a map to handle flexible boolean parsing
var body map[string]interface{}
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
http.Error(w, `{"error":"invalid_request","message":"Invalid JSON request body"}`, http.StatusBadRequest)
return
}
// Extract and validate fields
secret, ok := body["secret"].(string)
if !ok || secret == "" {
http.Error(w, `{"error":"invalid_request","message":"secret is required and must be a string"}`, http.StatusBadRequest)
return
}
// Handle is_primary as either bool or string
isPrimary := false // default
if val, exists := body["is_primary"]; exists {
switch v := val.(type) {
case bool:
isPrimary = v
case string:
isPrimary = v == "true"
default:
http.Error(w, `{"error":"invalid_request","message":"is_primary must be a boolean or string"}`, http.StatusBadRequest)
return
}
}
// Handle expires_in as either int64 or float64 (JSON numbers)
expiresInHours := int64(0)
if val, exists := body["expires_in"]; exists {
switch v := val.(type) {
case int64:
expiresInHours = v
case float64:
expiresInHours = int64(v)
default:
http.Error(w, `{"error":"invalid_request","message":"expires_in must be a number"}`, http.StatusBadRequest)
return
}
}
// Convert expires_in from hours to time.Duration
expiresIn := time.Duration(expiresInHours) * time.Hour
if expiresIn <= 0 {
// If expires_in is 0 or not provided, set to no expiration for secondary secrets
// For primary secrets, use a reasonable default
if isPrimary {
expiresIn = 24 * 365 * time.Hour // 1 year for primary secrets
} else {
expiresIn = 0 // No expiration for secondary secrets
}
}
// Add the secret to the manager
h.authService.AddJWTSecret(secret, isPrimary, expiresIn)
// Return success
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(map[string]string{"message": "JWT secret added successfully"})
}
// RotateJWTSecretRequest represents a request to rotate JWT secrets
type RotateJWTSecretRequest struct {
NewSecret string `json:"new_secret" validate:"required,min=16"`
}
// handleRotateJWTSecret godoc
//
// @Summary Rotate JWT secret
// @Description Rotate to a new primary JWT secret
// @Tags API/v1/Admin
// @Accept json
// @Produce json
// @Param request body RotateJWTSecretRequest true "New JWT secret"
// @Success 200 {object} map[string]string "Secret rotated successfully"
// @Failure 400 {object} map[string]string "Invalid request"
// @Failure 401 {object} map[string]string "Unauthorized"
// @Failure 500 {object} map[string]string "Server error"
// @Router /v1/admin/jwt/secrets/rotate [post]
func (h *AdminHandler) handleRotateJWTSecret(w http.ResponseWriter, r *http.Request) {
var req RotateJWTSecretRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
http.Error(w, `{"error":"invalid_request","message":"Invalid JSON request body"}`, http.StatusBadRequest)
return
}
// Rotate to the new secret
h.authService.RotateJWTSecret(req.NewSecret)
// Return success
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(map[string]string{"message": "JWT secret rotated successfully"})
}
Reference in New Issue View Git Blame Copy Permalink