From 8fbfc0c8a015daaf053142a21906315246c7c4fd Mon Sep 17 00:00:00 2001
From: Taras Madan
Date: Thu, 10 Oct 2024 10:23:40 +0200
Subject: dashboard/app: authenticate by the gcloud generated token
Closes #5377
---
dashboard/app/access.go | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
(limited to 'dashboard/app')
diff --git a/dashboard/app/access.go b/dashboard/app/access.go
index 0e746aa20..79165bb16 100644
--- a/dashboard/app/access.go
+++ b/dashboard/app/access.go
@@ -59,6 +59,24 @@ func emailInAuthDomains(email string, authDomains []string) bool {
return false
}
+func currentUser(c context.Context, r *http.Request) *user.User {
+ u := user.Current(c)
+ if u != nil {
+ return u
+ }
+ // Let's ignore err here. In case of the wrong token we'll return nil here (it means AccessPublic).
+ // Bad or expired tokens will also enable throttling and make the authorization problem visible.
+ u, _ = user.CurrentOAuth(c, "https://www.googleapis.com/auth/userinfo.email")
+ return u
+}
+
+// accessLevel supports 2 authorization mechanisms.
+// They're checked in the following order:
+// 1. AppEngine authorization. To authenticate yourself, click "Sign-in" on the dashboard page.
+// 2. OAuth2 bearer token generated by "gcloud auth print-access-token" call.
+//
+// OAuth2 token is expected to be present in "Authorization" header.
+// Example: "Authorization: Bearer $(gcloud auth print-access-token)".
func accessLevel(c context.Context, r *http.Request) AccessLevel {
if user.IsAdmin(c) {
switch r.FormValue("access") {
@@ -69,7 +87,7 @@ func accessLevel(c context.Context, r *http.Request) AccessLevel {
}
return AccessAdmin
}
- u := user.Current(c)
+ u := currentUser(c, r)
if u == nil ||
// Devappserver does not pass AuthDomain.
u.AuthDomain != "gmail.com" && !isBrokenAuthDomainInTest ||
--
cgit mrf-deployment
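Review bot: The fallback in currentUser treats any Google OAuth2 access token carrying the userinfo.email scope as a login, and that token is not bound to this dashboard: a token minted by `gcloud auth print-access-token` for unrelated GCP work, or one handed to some other API and leaked there, authenticates here just as well, since user.CurrentOAuth appears to check scope rather than audience. The new accessLevel doc comment should state this so operators treat the token accordingly, e.g. `// NOTE: the bearer token is a plain Google access token, not an audience-bound ID token; any token with the userinfo.email scope is accepted, so treat it like a password and do not reuse it across services.` Longer term an ID token (`gcloud auth print-identity-token`) verified against this app's audience would close that gap, but that is a larger change than this hunk. Two smaller points: the `r *http.Request` parameter of currentUser is never used (the token is read via `c`), and discarding the CurrentOAuth error means a malformed or expired header silently degrades to AccessPublic — a debug-level log of that error would make the failure diagnosable without relying on throttling to surface it. accessLevel begins in this hunk and its body continues outside it.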
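Review bot: With `u := currentUser(c, r)` the conditions that follow — `u.AuthDomain != "gmail.com" && !isBrokenAuthDomainInTest` and whatever comes after the trailing `||` — now also evaluate a User produced by user.CurrentOAuth, and it is not evident from the hunk that CurrentOAuth populates AuthDomain the way user.Current does; if it leaves the field empty every bearer-token login is rejected here, and if it carries a hosted domain the gmail.com check rejects Workspace accounts before any later auth-domain logic sees them. Worth a test that drives the OAuth path end to end through accessLevel, or, once confirmed, a comment such as `// currentUser may return an OAuth-derived user; CurrentOAuth sets AuthDomain like Current does.` above the check. The condition continues past the end of the hunk and accessLevel's start is in the previous hunk.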