(ctx context.Context, req *adminv1.IssueUserAuthTokenRequest)
| 254 | } |
| 255 | |
| 256 | func (s *Server) IssueUserAuthToken(ctx context.Context, req *adminv1.IssueUserAuthTokenRequest) (*adminv1.IssueUserAuthTokenResponse, error) { |
| 257 | observability.AddRequestAttributes(ctx, |
| 258 | attribute.String("args.user_id", req.UserId), |
| 259 | attribute.String("args.client_id", req.ClientId), |
| 260 | attribute.String("args.display_name", req.DisplayName), |
| 261 | attribute.Int64("args.ttl_minutes", req.TtlMinutes), |
| 262 | attribute.Bool("args.has_represent_email", req.RepresentEmail != ""), |
| 263 | ) |
| 264 | |
| 265 | claims := auth.GetClaims(ctx) |
| 266 | forceAccess := claims.Superuser(ctx) && req.SuperuserForceAccess |
| 267 | |
| 268 | userID := req.UserId |
| 269 | if userID == "current" { // Special alias for the current user |
| 270 | if claims.OwnerType() != auth.OwnerTypeUser { |
| 271 | return nil, status.Error(codes.Unauthenticated, "not authenticated as a user") |
| 272 | } |
| 273 | userID = claims.OwnerID() |
| 274 | } |
| 275 | if userID != claims.OwnerID() && !forceAccess { |
| 276 | return nil, status.Error(codes.PermissionDenied, "not authorized to issue auth tokens for other users") |
| 277 | } |
| 278 | |
| 279 | var ttl *time.Duration |
| 280 | if req.TtlMinutes > 0 { |
| 281 | ttl = new(time.Duration) |
| 282 | *ttl = time.Duration(req.TtlMinutes) * time.Minute |
| 283 | } |
| 284 | |
| 285 | var representingUserID *string |
| 286 | if req.RepresentEmail != "" { |
| 287 | if !forceAccess { |
| 288 | return nil, status.Error(codes.PermissionDenied, "not authorized to represent other users") |
| 289 | } |
| 290 | u, err := s.admin.DB.FindUserByEmail(ctx, req.RepresentEmail) |
| 291 | if err != nil { |
| 292 | return nil, err |
| 293 | } |
| 294 | if u.ID == userID { |
| 295 | return nil, status.Error(codes.InvalidArgument, "cannot represent yourself") |
| 296 | } |
| 297 | representingUserID = &u.ID |
| 298 | } |
| 299 | |
| 300 | authToken, err := s.admin.IssueUserAuthToken(ctx, userID, req.ClientId, req.DisplayName, representingUserID, ttl, false) |
| 301 | if err != nil { |
| 302 | return nil, err |
| 303 | } |
| 304 | |
| 305 | return &adminv1.IssueUserAuthTokenResponse{ |
| 306 | Token: authToken.Token().String(), |
| 307 | }, nil |
| 308 | } |
| 309 | |
| 310 | func (s *Server) RevokeUserAuthToken(ctx context.Context, req *adminv1.RevokeUserAuthTokenRequest) (*adminv1.RevokeUserAuthTokenResponse, error) { |
| 311 | observability.AddRequestAttributes(ctx, |
nothing calls this directly
no test coverage detected