Block user through HTTP API (#846)

The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2026-04-20 17:26:40 +00:00 · 2023-05-11 18:09:36 +02:00
parent 9f758b2015
commit e3d2b6a408
13 changed files with 505 additions and 155 deletions
--- a/management/server/http/middleware/access_control.go
+++ b/management/server/http/middleware/access_control.go
@@ -6,28 +6,30 @@ import (

 	log "github.com/sirupsen/logrus"

+	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/status"

 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 )

-type IsUserAdminFunc func(claims jwtclaims.AuthorizationClaims) (bool, error)
+// GetUser function defines a function to fetch user from Account by jwtclaims.AuthorizationClaims
+type GetUser func(claims jwtclaims.AuthorizationClaims) (*server.User, error)

 // AccessControl middleware to restrict to make POST/PUT/DELETE requests by admin only
 type AccessControl struct {
-	isUserAdmin   IsUserAdminFunc
 	claimsExtract jwtclaims.ClaimsExtractor
+	getUser       GetUser
 }

 // NewAccessControl instance constructor
-func NewAccessControl(audience, userIDClaim string, isUserAdmin IsUserAdminFunc) *AccessControl {
+func NewAccessControl(audience, userIDClaim string, getUser GetUser) *AccessControl {
 	return &AccessControl{
-		isUserAdmin: isUserAdmin,
 		claimsExtract: *jwtclaims.NewClaimsExtractor(
 			jwtclaims.WithAudience(audience),
 			jwtclaims.WithUserIDClaim(userIDClaim),
 		),
+		getUser: getUser,
 	}
 }

@@ -37,23 +39,29 @@ func (a *AccessControl) Handler(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		claims := a.claimsExtract.FromRequestContext(r)

-		ok, err := a.isUserAdmin(claims)
+		user, err := a.getUser(claims)
 		if err != nil {
 			util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w)
 			return
 		}
-		if !ok {
+
+		if user.IsBlocked() {
+			util.WriteError(status.Errorf(status.PermissionDenied, "the user has no access to the API or is blocked"), w)
+			return
+		}
+
+		if !user.IsAdmin() {
 			switch r.Method {
 			case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:

 				ok, err := regexp.MatchString(`^.*/api/users/.*/tokens.*$`, r.URL.Path)
 				if err != nil {
-					log.Debugf("Regex failed")
+					log.Debugf("regex failed")
 					util.WriteError(status.Errorf(status.Internal, ""), w)
 					return
 				}
 				if ok {
-					log.Debugf("Valid Path")
+					log.Debugf("valid Path")
 					h.ServeHTTP(w, r)
 					return
 				}