Ajout d'un filtre de connexion configurable pour l'utilisateur

internal/route/login.go

@@ -1,8 +1,11 @@
 package route
 
 import (
+	"fmt"
 	"net/http"
 
+	"forge.cadoles.com/Cadoles/daddy/internal/auth"
+
 	"forge.cadoles.com/Cadoles/daddy/internal/model"
 	"forge.cadoles.com/Cadoles/daddy/internal/orm"
 
@@ -31,6 +34,7 @@ func handleLoginCallback(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	ctn := container.Must(ctx)
 	conf := config.Must(ctn)
+	auth := auth.Must(ctn)
 
 	idToken, err := oidc.IDToken(w, r)
 	if err != nil {
@@ -65,10 +69,26 @@ func handleLoginCallback(w http.ResponseWriter, r *http.Request) {
 	db := orm.Must(ctn).DB()
 	repo := model.NewUserRepository(db)
 
-	if _, err := repo.CreateOrConnectUser(ctx, claims.Email); err != nil {
+	user, err := repo.CreateOrConnectUser(ctx, claims.Email)
+	if err != nil {
 		panic(errors.Wrap(err, "could not upsert user"))
 	}
 
+	authorized, err := auth.Authorize(user)
+	if err != nil {
+		panic(errors.WithStack(err))
+	}
+
+	if !authorized {
+		message := fmt.Sprintf(
+			"You are not authorized to access this application. Disconnect by navigating to %s.",
+			"http://"+r.Host+"/logout",
+		)
+		http.Error(w, message, http.StatusForbidden)
+
+		return
+	}
+
 	if err := session.SaveUserEmail(w, r, claims.Email); err != nil {
 		panic(errors.WithStack(err))
 	}