feat: add auth method claim (amr) to tokens (#1433)

2026-05-18 10:59:53 +00:00 · 2026-04-18 22:31:24 +02:00
parent c5a4ffa523
commit 5c4d7ff877
19 changed files with 355 additions and 91 deletions
--- a/backend/internal/middleware/auth_middleware.go
+++ b/backend/internal/middleware/auth_middleware.go
@@ -74,10 +74,11 @@ func (m *AuthMiddleware) WithApiKeyAuthDisabled() *AuthMiddleware {

 func (m *AuthMiddleware) Add() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		userID, isAdmin, err := m.jwtMiddleware.Verify(c, m.options.AdminRequired)
+		userID, isAdmin, authenticationMethod, err := m.jwtMiddleware.Verify(c, m.options.AdminRequired)
 		if err == nil {
 			c.Set("userID", userID)
 			c.Set("userIsAdmin", isAdmin)
+			c.Set("authenticationMethod", authenticationMethod)
 			if c.IsAborted() {
 				return
 			}
--- a/backend/internal/middleware/auth_middleware_test.go
+++ b/backend/internal/middleware/auth_middleware_test.go
@@ -44,7 +44,7 @@ func TestWithApiKeyAuthDisabled(t *testing.T) {
 	authMiddleware := NewAuthMiddleware(apiKeyService, userService, jwtService)

 	user := createUserForAuthMiddlewareTest(t, db)
-	jwtToken, err := jwtService.GenerateAccessToken(user)
+	jwtToken, err := jwtService.GenerateAccessToken(user, "")
 	require.NoError(t, err)

 	_, apiKeyToken, err := apiKeyService.CreateApiKey(t.Context(), user.ID, dto.ApiKeyCreateDto{
--- a/backend/internal/middleware/jwt_auth.go
+++ b/backend/internal/middleware/jwt_auth.go
@@ -20,7 +20,7 @@ func NewJwtAuthMiddleware(jwtService *service.JwtService, userService *service.U

 func (m *JwtAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
 	return func(c *gin.Context) {
-		userID, isAdmin, err := m.Verify(c, adminRequired)
+		userID, isAdmin, authenticationMethod, err := m.Verify(c, adminRequired)
 		if err != nil {
 			c.Abort()
 			_ = c.Error(err)
@@ -29,11 +29,12 @@ func (m *JwtAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {

 		c.Set("userID", userID)
 		c.Set("userIsAdmin", isAdmin)
+		c.Set("authenticationMethod", authenticationMethod)
 		c.Next()
 	}
 }

-func (m *JwtAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (subject string, isAdmin bool, err error) {
+func (m *JwtAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (subject string, isAdmin bool, authenticationMethod string, err error) {
 	// Extract the token from the cookie
 	accessToken, err := c.Cookie(cookie.AccessTokenCookieName)
 	if err != nil {
@@ -41,33 +42,37 @@ func (m *JwtAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (subject
 		var ok bool
 		_, accessToken, ok = strings.Cut(c.GetHeader("Authorization"), " ")
 		if !ok || accessToken == "" {
-			return "", false, &common.NotSignedInError{}
+			return "", false, "", &common.NotSignedInError{}
 		}
 	}

 	token, err := m.jwtService.VerifyAccessToken(accessToken)
 	if err != nil {
-		return "", false, &common.NotSignedInError{}
+		return "", false, "", &common.NotSignedInError{}
+	}
+	authenticationMethod, err = service.GetAuthenticationMethod(token)
+	if err != nil {
+		return "", false, "", &common.NotSignedInError{}
 	}

 	subject, ok := token.Subject()
 	if !ok {
 		_ = c.Error(&common.TokenInvalidError{})
-		return
+		return "", false, "", &common.TokenInvalidError{}
 	}

 	user, err := m.userService.GetUser(c, subject)
 	if err != nil {
-		return "", false, &common.NotSignedInError{}
+		return "", false, "", &common.NotSignedInError{}
 	}

 	if user.Disabled {
-		return "", false, &common.UserDisabledError{}
+		return "", false, "", &common.UserDisabledError{}
 	}

 	if adminRequired && !user.IsAdmin {
-		return "", false, &common.MissingPermissionError{}
+		return "", false, "", &common.MissingPermissionError{}
 	}

-	return subject, isAdmin, nil
+	return subject, user.IsAdmin, authenticationMethod, nil
 }