blob: 7ecbd7cb695c6b5a1c9ab72cedb95266fd2ab824 [file] [log] [blame] [edit]
package twirp_auth2
import (
"context"
"fmt"
"github.com/twitchtv/twirp"
"go.skia.org/infra/go/alogin"
"go.skia.org/infra/go/roles"
)
/*
Helpers for working with Twirp.
*/
// AuthHelper provides methods for authenticating users.
type AuthHelper struct {
}
// New returns an AuthHelper instance.
func New() *AuthHelper {
return &AuthHelper{}
}
// GetViewer returns the email address of the logged-in user or an error if the
// user is not in the set of allowed viewers. Do not wrap the returned error, as
// it is used by Twirp.
func (h *AuthHelper) GetViewer(ctx context.Context) (string, error) {
status := alogin.GetStatus(ctx)
if (status.Roles.Has(roles.Viewer) || status.Roles.Has(roles.Editor)) && (status.EMail != alogin.NotLoggedIn) {
return status.EMail.String(), nil
}
return "", twirp.NewError(twirp.PermissionDenied, fmt.Sprintf("%q is not an authorized viewer", status.EMail))
}
// GetEditor returns the email address of the logged-in user or an error if the
// user is not in the set of allowed editors. Do not wrap the returned error, as
// it is used by Twirp.
func (h *AuthHelper) GetEditor(ctx context.Context) (string, error) {
status := alogin.GetStatus(ctx)
if status.Roles.Has(roles.Editor) && (status.EMail != alogin.NotLoggedIn) {
return status.EMail.String(), nil
}
return "", twirp.NewError(twirp.PermissionDenied, fmt.Sprintf("%q is not an authorized editor", status.EMail))
}