veza/veza-backend-api/internal/api/routes_admin_platform.go
senke b0a46040f1
feat(v0.12.6.2): enforce MFA for admin/moderator + align refresh token TTL to 7 days
TASK-SFIX-001: MFA enforcement for privileged roles
- Add RequireMFA() middleware, TwoFactorChecker interface, SetTwoFactorChecker()
- Apply to all 3 admin route groups (platform, moderation, core)
- Returns 403 "mfa_setup_required" if admin/moderator without 2FA
- Regular users bypass the check
- Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 5

TASK-SFIX-002: Refresh token TTL alignment
- jwt_service.go: RefreshTokenTTL 14d→7d, RememberMeRefreshTokenTTL 30d→7d
- handlers/auth.go: Cookie max-age and session expiresIn → 7d across
  Login, LoginWith2FA, Register, Refresh handlers
- middleware/auth.go: Session auto-refresh default 30d→7d
- Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 4

TASK-SFIX-003: 5 unit tests — all PASS
- TestRequireMFA_AdminWithoutMFA, TestRequireMFA_AdminWithMFA
- TestRequireMFA_RegularUserNotAffected
- TestRefreshTokenTTL_Is7Days, TestAccessTokenTTL_Is5Minutes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 06:53:27 +01:00


package api
import (
admincore "veza-backend-api/internal/core/admin"
"veza-backend-api/internal/services"
"github.com/gin-gonic/gin"
)
// setupAdminPlatformRoutes registers the admin platform management routes
// (v0.11.3 F421-F435) under /admin/platform on the given router group.
//
// When r.config.AuthMiddleware is set, the whole group is guarded by
// RequireAuth, RequireAdmin and RequireMFA (SFIX-001: MFA is mandatory for
// admins), applied in that order before any handler runs.
//
// NOTE(review): when r.config.AuthMiddleware is nil the group is registered
// with no authentication, role or MFA check at all (fail-open); a production
// router must therefore always be built with an AuthMiddleware.
func (r *APIRouter) setupAdminPlatformRoutes(router *gin.RouterGroup) {
	platformService := services.NewAdminPlatformService(r.db.GormDB, r.logger)
	platformHandler := admincore.NewPlatformAdminHandler(platformService, r.logger)

	group := router.Group("/admin/platform")

	if mw := r.config.AuthMiddleware; mw != nil {
		// Middleware order is significant: authenticate, then check the
		// admin role, then enforce MFA enrollment (SFIX-001).
		group.Use(mw.RequireAuth(), mw.RequireAdmin(), mw.RequireMFA())
	}

	// Route table, registered in declaration order.
	routes := []struct {
		method  string
		path    string
		handler gin.HandlerFunc
	}{
		// F421: Platform metrics
		{"GET", "/metrics", platformHandler.GetPlatformMetrics},
		// F422: User management
		{"GET", "/users", platformHandler.SearchUsers},
		{"GET", "/users/:userId", platformHandler.GetUserDetail},
		{"PUT", "/users/:userId/role", platformHandler.UpdateUserRole},
		{"POST", "/users/:userId/suspend", platformHandler.SuspendUser},
		{"POST", "/users/:userId/unsuspend", platformHandler.UnsuspendUser},
		// F423: Content management
		{"GET", "/content", platformHandler.SearchContent},
		{"POST", "/content/:id/hide", platformHandler.HideContent},
		{"POST", "/content/:id/restore", platformHandler.RestoreContent},
		// F424: Payment management
		{"GET", "/payments", platformHandler.GetPaymentOverview},
		{"POST", "/orders/:id/refund", platformHandler.RefundOrder},
	}
	for _, rt := range routes {
		group.Handle(rt.method, rt.path, rt.handler)
	}
}