feat(api): relocate authorizations outside of JWT (#3079)

* feat(api): relocate authorizations outside of JWT * fix(api): update user authorization after enabling the RBAC extension * feat(api): add PortainerEndpointList operation in the default portainer authorizations * feat(auth): retrieve authorization from API instead of JWT * refactor(auth): move permissions retrieval to function * refactor(api): document authorizations methods
2025-07-19 13:29:41 +02:00 · 2019-09-10 10:58:26 +12:00 · 2019-09-10 10:58:26 +12:00 · 7d76bc89e7
commit 7d76bc89e7
parent 7ebb3e62dd
29 changed files with 472 additions and 303 deletions
--- a/api/jwt/jwt.go
+++ b/api/jwt/jwt.go
@ -16,11 +16,9 @@ type Service struct {
 }

 type claims struct {
-	UserID                  int                              `json:"id"`
-	Username                string                           `json:"username"`
-	Role                    int                              `json:"role"`
-	EndpointAuthorizations  portainer.EndpointAuthorizations `json:"endpointAuthorizations"`
-	PortainerAuthorizations portainer.Authorizations         `json:"portainerAuthorizations"`
+	UserID   int    `json:"id"`
+	Username string `json:"username"`
+	Role     int    `json:"role"`
 	jwt.StandardClaims
 }

@ -40,12 +38,10 @@ func NewService() (*Service, error) {
 func (service *Service) GenerateToken(data *portainer.TokenData) (string, error) {
 	expireToken := time.Now().Add(time.Hour * 8).Unix()
 	cl := claims{
-		int(data.ID),
-		data.Username,
-		int(data.Role),
-		data.EndpointAuthorizations,
-		data.PortainerAuthorizations,
-		jwt.StandardClaims{
+		UserID:   int(data.ID),
+		Username: data.Username,
+		Role:     int(data.Role),
+		StandardClaims: jwt.StandardClaims{
 			ExpiresAt: expireToken,
 		},
 	}
@ -71,11 +67,9 @@ func (service *Service) ParseAndVerifyToken(token string) (*portainer.TokenData,
 	if err == nil && parsedToken != nil {
 		if cl, ok := parsedToken.Claims.(*claims); ok && parsedToken.Valid {
 			tokenData := &portainer.TokenData{
-				ID:                      portainer.UserID(cl.UserID),
-				Username:                cl.Username,
-				Role:                    portainer.UserRole(cl.Role),
-				EndpointAuthorizations:  cl.EndpointAuthorizations,
-				PortainerAuthorizations: cl.PortainerAuthorizations,
+				ID:       portainer.UserID(cl.UserID),
+				Username: cl.Username,
+				Role:     portainer.UserRole(cl.Role),
 			}
 			return tokenData, nil
 		}