wg-portal/internal/app/auth/oauth_common.go

package auth

import (
	"strings"

	"github.com/h44z/wg-portal/internal"
	"github.com/h44z/wg-portal/internal/config"
	"github.com/h44z/wg-portal/internal/domain"
)

// parseOauthUserInfo parses the raw user info from the oauth provider and maps it to the internal user info struct
func parseOauthUserInfo(
	mapping config.OauthFields,
	adminMapping *config.OauthAdminMapping,
	raw map[string]interface{},
) (*domain.AuthenticatorUserInfo, error) {
	var isAdmin bool

	// first try to match the is_admin field against the given regex
	if mapping.IsAdmin != "" {
		re := adminMapping.GetAdminValueRegex()
		if re.MatchString(strings.TrimSpace(internal.MapDefaultString(raw, mapping.IsAdmin, ""))) {
			isAdmin = true
		}
	}

	// next try to parse the user's groups
	if !isAdmin && mapping.UserGroups != "" && adminMapping.AdminGroupRegex != "" {
		userGroups := internal.MapDefaultStringSlice(raw, mapping.UserGroups, nil)
		re := adminMapping.GetAdminGroupRegex()
		for _, group := range userGroups {
			if re.MatchString(strings.TrimSpace(group)) {
				isAdmin = true
				break
			}
		}
	}

	userInfo := &domain.AuthenticatorUserInfo{
		Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, mapping.UserIdentifier, "")),
		Email:      internal.MapDefaultString(raw, mapping.Email, ""),
		Firstname:  internal.MapDefaultString(raw, mapping.Firstname, ""),
		Lastname:   internal.MapDefaultString(raw, mapping.Lastname, ""),
		Phone:      internal.MapDefaultString(raw, mapping.Phone, ""),
		Department: internal.MapDefaultString(raw, mapping.Department, ""),
		IsAdmin:    isAdmin,
	}

	return userInfo, nil
}

// getOauthFieldMapping returns the default field mapping for the oauth provider
func getOauthFieldMapping(f config.OauthFields) config.OauthFields {
	defaultMap := config.OauthFields{
		BaseFields: config.BaseFields{
			UserIdentifier: "sub",
			Email:          "email",
			Firstname:      "given_name",
			Lastname:       "family_name",
			Phone:          "phone",
			Department:     "department",
		},
		IsAdmin:    "admin_flag",
		UserGroups: "", // by default, do not use user groups
	}
	if f.UserIdentifier != "" {
		defaultMap.UserIdentifier = f.UserIdentifier
	}
	if f.Email != "" {
		defaultMap.Email = f.Email
	}
	if f.Firstname != "" {
		defaultMap.Firstname = f.Firstname
	}
	if f.Lastname != "" {
		defaultMap.Lastname = f.Lastname
	}
	if f.Phone != "" {
		defaultMap.Phone = f.Phone
	}
	if f.Department != "" {
		defaultMap.Department = f.Department
	}
	if f.IsAdmin != "" {
		defaultMap.IsAdmin = f.IsAdmin
	}
	if f.UserGroups != "" {
		defaultMap.UserGroups = f.UserGroups
	}

	return defaultMap
}
Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`package auth`

			`import (`
			`"strings"`

			`"github.com/h44z/wg-portal/internal"`
			`"github.com/h44z/wg-portal/internal/config"`
			`"github.com/h44z/wg-portal/internal/domain"`
			`)`

			`// parseOauthUserInfo parses the raw user info from the oauth provider and maps it to the internal user info struct`
			`func parseOauthUserInfo(`
			`mapping config.OauthFields,`
			`adminMapping *config.OauthAdminMapping,`
			`raw map[string]interface{},`
			`) (*domain.AuthenticatorUserInfo, error) {`
			`var isAdmin bool`

			`// first try to match the is_admin field against the given regex`
			`if mapping.IsAdmin != "" {`
			`re := adminMapping.GetAdminValueRegex()`
			`if re.MatchString(strings.TrimSpace(internal.MapDefaultString(raw, mapping.IsAdmin, ""))) {`
			`isAdmin = true`
			`}`
			`}`

			`// next try to parse the user's groups`
			`if !isAdmin && mapping.UserGroups != "" && adminMapping.AdminGroupRegex != "" {`
			`userGroups := internal.MapDefaultStringSlice(raw, mapping.UserGroups, nil)`
			`re := adminMapping.GetAdminGroupRegex()`
			`for _, group := range userGroups {`
			`if re.MatchString(strings.TrimSpace(group)) {`
			`isAdmin = true`
			`break`
			`}`
			`}`
			`}`

			`userInfo := &domain.AuthenticatorUserInfo{`
			`Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, mapping.UserIdentifier, "")),`
			`Email: internal.MapDefaultString(raw, mapping.Email, ""),`
			`Firstname: internal.MapDefaultString(raw, mapping.Firstname, ""),`
			`Lastname: internal.MapDefaultString(raw, mapping.Lastname, ""),`
			`Phone: internal.MapDefaultString(raw, mapping.Phone, ""),`
			`Department: internal.MapDefaultString(raw, mapping.Department, ""),`
			`IsAdmin: isAdmin,`
			`}`

			`return userInfo, nil`
			`}`

			`// getOauthFieldMapping returns the default field mapping for the oauth provider`
			`func getOauthFieldMapping(f config.OauthFields) config.OauthFields {`
			`defaultMap := config.OauthFields{`
			`BaseFields: config.BaseFields{`
			`UserIdentifier: "sub",`
			`Email: "email",`
			`Firstname: "given_name",`
			`Lastname: "family_name",`
			`Phone: "phone",`
			`Department: "department",`
			`},`
fix user group parsing for OAuth login (#317) 2025-01-21 16:33:01 +00:00			`IsAdmin: "admin_flag",`
			`UserGroups: "", // by default, do not use user groups`
Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`}`
			`if f.UserIdentifier != "" {`
			`defaultMap.UserIdentifier = f.UserIdentifier`
			`}`
			`if f.Email != "" {`
			`defaultMap.Email = f.Email`
			`}`
			`if f.Firstname != "" {`
			`defaultMap.Firstname = f.Firstname`
			`}`
			`if f.Lastname != "" {`
			`defaultMap.Lastname = f.Lastname`
			`}`
			`if f.Phone != "" {`
			`defaultMap.Phone = f.Phone`
			`}`
			`if f.Department != "" {`
			`defaultMap.Department = f.Department`
			`}`
			`if f.IsAdmin != "" {`
			`defaultMap.IsAdmin = f.IsAdmin`
			`}`
fix user group parsing for OAuth login (#317) 2025-01-21 16:33:01 +00:00			`if f.UserGroups != "" {`
			`defaultMap.UserGroups = f.UserGroups`
			`}`
Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00
			`return defaultMap`
			`}`