feat: add ADMIN_USER_ROLE for user access admin panel (#363)

2026-05-11 09:59:46 +08:00 · 2024-07-27 22:04:18 +08:00
parent a0805bc0ce
commit 5faae8796d
21 changed files with 81 additions and 56 deletions
--- a/worker/src/constants.ts
+++ b/worker/src/constants.ts
@@ -1,5 +1,5 @@
 export const CONSTANTS = {
-    VERSION: 'v0.6.1',
+    VERSION: 'v0.7.0',

    // DB settings
    ADDRESS_BLOCK_LIST_KEY: 'address_block_list',
--- a/worker/src/types.d.ts
+++ b/worker/src/types.d.ts
@@ -19,6 +19,7 @@ export type Bindings = {
    MAX_ADDRESS_LEN: string | number | undefined
    DEFAULT_DOMAINS: string | string[] | undefined
    DOMAINS: string | string[] | undefined
+    ADMIN_USER_ROLE: string | undefined
    USER_DEFAULT_ROLE: string | UserRole | undefined
    USER_ROLES: string | UserRole[] | undefined
    DOMAIN_LABELS: string | string[] | undefined
--- a/worker/src/user_api/settings.ts
+++ b/worker/src/user_api/settings.ts
@@ -5,6 +5,7 @@ import { UserSettings } from "../models";
 import { getJsonSetting, getUserRoles } from "../utils"
 import { CONSTANTS } from "../constants";
 import { commonGetUserRole } from "../common";
+import { Jwt } from "hono/utils/jwt";

 export default {
    openSettings: async (c: Context<HonoCustomType>) => {
@@ -25,8 +26,23 @@ export default {
            return c.text("User not found", 400);
        }
        const user_role = await commonGetUserRole(c, db_user_id);
+        const is_admin = (
+            c.env.ADMIN_USER_ROLE
+            &&
+            c.env.ADMIN_USER_ROLE === user_role?.role
+        );
+        const access_token = is_admin ? await Jwt.sign({
+            user_email: user.user_email,
+            user_id: user.user_id,
+            user_role: user_role?.role,
+            iat: Math.floor(Date.now() / 1000),
+            // 1 hour
+            exp: Math.floor(Date.now() / 1000) + 3600,
+        }, c.env.JWT_SECRET, "HS256") : null;
        return c.json({
            ...user,
+            is_admin: is_admin,
+            access_token: access_token,
            user_role: user_role
        });
    },
--- a/worker/src/worker.ts
+++ b/worker/src/worker.ts
@@ -136,6 +136,26 @@ app.use('/admin/*', async (c, next) => {
 			return;
 		}
 	}
+	// check if user is admin
+	const access_token = c.req.raw.headers.get("x-user-access-token");
+	if (c.env.ADMIN_USER_ROLE && access_token) {
+		try {
+			const payload = await Jwt.verify(access_token, c.env.JWT_SECRET, "HS256");
+			// check expired
+			if (!payload.exp) return c.text("Invalid Token", 401);
+			// exp is in seconds
+			if (payload.exp < Math.floor(Date.now() / 1000)) {
+				return c.text("Token Expired", 401)
+			}
+			if (payload.user_role !== c.env.ADMIN_USER_ROLE) {
+				return c.text("Need Admin Role", 401)
+			}
+			await next();
+			return;
+		} catch (e) {
+			console.error(e);
+		}
+	}
 	return c.text("Need Admin Password", 401)
 });

--- a/worker/wrangler.toml.template
+++ b/worker/wrangler.toml.template
@@ -33,6 +33,7 @@ DOMAINS = ["xxx.xxx1" , "xxx.xxx2"] # all domain names
 # For chinese domain name, you can use DOMAIN_LABELS to show chinese domain name
 # DOMAIN_LABELS = ["中文.xxx", "xxx.xxx2"]
 # USER_DEFAULT_ROLE = "vip" # default role for new users(only when enable mail verification)
+# ADMIN_USER_ROLE = "admin" # the role which can access admin panel
 # User roles configuration, if domains is empty will use default_domains, if prefix is null will use default prefix, if prefix is empty string will not use prefix
 # USER_ROLES = [
 #    { domains = ["xxx.xxx1" , "xxx.xxx2"], role = "vip", prefix = "vip" },