Add 403 error page and Polytech access control.

2026-01-06 18:56:10 +01:00
parent 91f7b6c022
commit e818051621
4 changed files with 46 additions and 8 deletions
@@ -0,0 +1,12 @@
+import { Head } from "$fresh/runtime.ts";
+
+export default function Error403() {
+  return (
+    <>
+      <Head>
+        <title>403 - Forbidden</title>
+      </Head>
+      <p>403</p>
+    </>
+  );
+}
@@ -44,6 +44,7 @@ export function getKey(user: string): string {
 export const handler: MiddlewareHandler<State>[] = [
  /**
   * Check if user is authenticated and add session to context accordingly.
+   * Only authenticated users who are members of Polytech are allowed.
   * @param request The HTTP incomming request.
   * @param context The Fresh context object with custom `State`.
   * @returns The response from the next middleware.
@@ -55,6 +56,7 @@ export const handler: MiddlewareHandler<State>[] = [
    const cookies = getCookies(request.headers);
    if (!cookies["sessionToken"]) {
      context.state.isAuthenticated = false;
+      context.state.isFromPolytech = false;
      return await context.next();
    }

@@ -69,7 +71,16 @@ export const handler: MiddlewareHandler<State>[] = [
    if (context.state.isAuthenticated) {
      const session: CasContent =
        (getJwtPayload(cookies["sessionToken"]) as LoginJWT).user;
-      context.state.session = session;
+      const isFromPolytech = Object.values(session.memberOf).some(
+        (value) =>
+          typeof value === "string" && value.includes("cn=amu:ufr:polytech"),
+      );
+
+      context.state.isFromPolytech = isFromPolytech;
+
+      if (isFromPolytech) {
+        context.state.session = session;
+      }
    }

    return await context.next();
@@ -87,13 +98,24 @@ export const handler: MiddlewareHandler<State>[] = [
  ): Promise<Response> {
    const url = new URL(request.url);

-    if (!isRoutePublic(url.pathname) && !context.state.isAuthenticated) {
-      return new Response(null, {
-        status: 302,
-        headers: {
-          Location: "/login",
-        },
-      });
+    if (!isRoutePublic(url.pathname)) {
+      if (!context.state.isAuthenticated) {
+        return new Response(null, {
+          status: 302,
+          headers: {
+            Location: "/login",
+          },
+        });
+      }
+
+      if (context.state.isAuthenticated && !context.state.isFromPolytech) {
+        return new Response(null, {
+          status: 403,
+          headers: {
+            Location: "/403",
+          },
+        });
+      }
    }

    return await context.next();