Updated auth to use generated keys

2024-01-29 21:24:10 -05:00
parent f2acb585c0
commit 4609be84a8
19 changed files with 213 additions and 87 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 .env
 target/
 .idea/
 keys/
 **/Cargo.lock
 .DS_Store
--- a/README.md
+++ b/README.md
@@ -69,3 +69,8 @@ The application can also be tested from within a Docker container:
 docker build -t siren:latest .
 docker run --env-file .env -it --rm --name siren siren:latest
 ```
 ### Authentication
 The Siren service uses a JWT/session based authentication system, in that JWT tokens are issued and used, but a state is also kept server-side. This is to allow for the ability to revoke and expire tokens, as well as to allow for the ability to have multiple tokens per user.
 Public/Private keys can be generated with `make generate`. These keys should be located within a `/keys` directory in the root of the project.
--- a/service/.env.TEMPLATE
+++ b/service/.env.TEMPLATE
@@ -6,12 +6,8 @@ DATABASE_NAME=siren
 DATABASE_HOST=localhost
 DATABASE_PORT=5432
-ACCESS_TOKEN_PRIVATE_KEY=
+KEYS_DIR_PATH=
 ACCESS_TOKEN_PUBLIC_KEY=
 ACCESS_TOKEN_MAXAGE=5
 REFRESH_TOKEN_PRIVATE_KEY=
 REFRESH_TOKEN_PUBLIC_KEY=
 REFRESH_TOKEN_MAXAGE=30
 REDIS_HOST=localhost
--- a/service/Dockerfile
+++ b/service/Dockerfile
@@ -11,6 +11,18 @@ COPY Cargo.toml ./
 RUN apt-get update && apt-get install -y cmake
 RUN cargo build --release
 # ======
 #  Keys
 # ======
 FROM debian:bookworm-slim as keys
 WORKDIR /keys
 RUN apt-get update && apt-get install -y openssl libpq-dev
 RUN openssl genrsa -out access.pem 4096
 RUN openssl rsa -in access.pem -pubout -outform PEM -out access.pem.pub
 RUN openssl genrsa -out refresh.pem 4096
 RUN openssl rsa -in refresh.pem -pubout -outform PEM -out refresh.pem.pub
 # ==========
 #  Packages
 # ==========
@@ -51,6 +63,7 @@ USER root
 COPY --from=builder /builder/target/release/service /usr/local/bin/service
 COPY --from=packages /packages /usr/bin
 COPY --from=keys /keys /keys
 RUN apt-get update && apt-get install -y libc6 libc6-dev libopus-dev libpq5 libpq-dev python3-pip ffmpeg
--- a/service/Makefile
+++ b/service/Makefile
@@ -29,3 +29,10 @@ clean:
 	docker image rm siren-service || \
 	docker network rm siren_frontend || \
 	docker network rm siren-backend
 generate: ## Generate RSA keys
 	mkdir keys
 	openssl genrsa -out keys/access_private_key.pem 4096
 	openssl rsa -in keys/access_private_key.pem -pubout -outform PEM -out keys/access_public_key.pem
 	openssl genrsa -out keys/refresh_private_key.pem 4096
 	openssl rsa -in keys/refresh_private_key.pem -pubout -outform PEM -out keys/refresh_public_key.pem
--- a/service/docker-compose.yml
+++ b/service/docker-compose.yml
@@ -24,6 +24,7 @@ services:
      SERVICE_HOST: service
      SERVICE_PORT: 5000
      DATA_DIR_PATH: /data
      KEYS_DIR_PATH: /keys
    volumes:
      - ${DATA_DIR_PATH}:/data
    ports:
--- a/service/src/auth/mod.rs
+++ b/service/src/auth/mod.rs
@@ -1,7 +1,6 @@
 use std::env;
 use argon2::{password_hash::{rand_core::OsRng, PasswordHasher, PasswordVerifier, SaltString, Error as HashError}, Argon2, PasswordHash};
 use base64::{engine::general_purpose, Engine as _};
 use jsonwebtoken::{DecodingKey, EncodingKey, Header, encode, decode, Validation, Algorithm};
 use serde::{Deserialize, Serialize};
@@ -14,62 +13,113 @@ use siren::ServiceError;
 #[derive(Debug, Serialize, Deserialize)]
 struct TokenClaims {
-    sub: String, // Subject
+    sub: String, // Subject (User)
    token_uuid: String, // Token UUID
-    iss: String, // Issuer
+    iss: String, // Issuer (Service)
    exp: i64, // Expiration time
    iat: i64, // Issued At
    nbf: i64 // Not Before
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub enum TokenType {
  #[serde(rename = "access")]
  Access,
  #[serde(rename = "refresh")]
  Refresh,
  #[serde(rename = "none")]
  None
 }
 impl std::fmt::Display for TokenType {
  fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
    match self {
      TokenType::Access => write!(f, "access"),
      TokenType::Refresh => write!(f, "refresh"),
      TokenType::None => write!(f, "none")
    }
  }
 }
 impl std::str::FromStr for TokenType {
  type Err = ServiceError;
  fn from_str(s: &str) -> Result<Self, Self::Err> {
    match s {
      "access" => Ok(TokenType::Access),
      "refresh" => Ok(TokenType::Refresh),
      "none" => Ok(TokenType::None),
      _ => Err(ServiceError::new(400, "Invalid token type".to_string()))
    }
  }
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub struct TokenDetails {
    pub token: Option<String>,
    pub token_uuid: uuid::Uuid,
    pub email: String,
    pub token_type: TokenType,
    pub expires_in: Option<i64>
 }
-// https://codevoweb.com/rust-actix-web-jwt-access-and-refresh-tokens/
+impl std::fmt::Display for TokenDetails {
-// https://github.com/wpcodevo/rust-jwt-rs256/blob/master/src/main.rs
+  fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
    write!(f, "{}:{}:{}", self.token_type.to_string(), self.email, self.token_uuid.to_string())
  }
 }
 impl std::str::FromStr for TokenDetails {
  type Err = ServiceError;
  fn from_str(s: &str) -> Result<Self, Self::Err> {
    let parts: Vec<&str> = s.split(":").collect();
    if parts.len() != 2 {
      return Err(ServiceError::new(400, "Invalid token".to_string()));
    }
    let token_type = parts[0].parse::<TokenType>()?;
    let email = parts[1].to_string();
    let uuid = uuid::Uuid::parse_str(parts[2])?;
    Ok(TokenDetails { token: None, token_uuid: uuid, email, token_type, expires_in: None })
  }
 }
 pub fn verify_token(token: &str, public_key: &str) -> Result<TokenDetails, ServiceError> {
-  let bytes_public_key = general_purpose::STANDARD.decode(public_key).unwrap();
+  let key = DecodingKey::from_rsa_pem(public_key.as_bytes())?;
  let decoded_public_key = String::from_utf8(bytes_public_key).unwrap();
  let key = DecodingKey::from_rsa_pem(decoded_public_key.as_bytes())?;
  let validation = Validation::new(Algorithm::RS256);
  let decoded = decode::<TokenClaims>(token, &key, &validation)?;
  let email = decoded.claims.sub;
  let token_uuid = uuid::Uuid::parse_str(decoded.claims.token_uuid.as_str()).unwrap();
-  Ok(TokenDetails { token: None, token_uuid, email, expires_in: None })
+  Ok(TokenDetails { token: None, token_uuid, email, token_type: TokenType::None, expires_in: None })
 }
 pub fn generate_access_token(email: &str) -> Result<TokenDetails, ServiceError> {
  let access_token_max_age = env::var("ACCESS_TOKEN_MAXAGE")
-        .expect("ACCESS_TOKEN_MAXAGE must be set")
+    .expect("ACCESS_TOKEN_MAXAGE must be set")
-        .parse::<i64>()
+    .parse::<i64>()
-        .expect("ACCESS_TOKEN_MAXAGE must be an integer");
+    .expect("ACCESS_TOKEN_MAXAGE must be an integer");
-      let access_private_key = env::var("ACCESS_TOKEN_PRIVATE_KEY")
+  let keys_dir = env::var("KEYS_DIR_PATH")?;
-        .expect("ACCESS_TOKEN_PRIVATE_KEY must be set");
+  let access_private_key = std::fs::read_to_string(format!("{}/access_private_key.pem", keys_dir))?;
-  generate_token(&email, access_token_max_age, &access_private_key)
+  generate_token(&email, TokenType::Refresh, access_token_max_age, &access_private_key)
 }
 pub fn generate_refresh_token(email: &str) -> Result<TokenDetails, ServiceError> {
  let refresh_token_max_age = env::var("REFRESH_TOKEN_MAXAGE")
-        .expect("REFRESH_TOKEN_MAXAGE must be set")
+    .expect("REFRESH_TOKEN_MAXAGE must be set")
-        .parse::<i64>()
+    .parse::<i64>()
-        .expect("REFRESH_TOKEN_MAXAGE must be an integer");
+    .expect("REFRESH_TOKEN_MAXAGE must be an integer");
-      let refresh_private_key = env::var("REFRESH_TOKEN_PRIVATE_KEY")
+  let keys_dir = env::var("KEYS_DIR_PATH")?;
-        .expect("REFRESH_TOKEN_PRIVATE_KEY must be set");
+  let refresh_private_key = std::fs::read_to_string(format!("{}/refresh_private_key.pem", keys_dir))?;
-  generate_token(&email, refresh_token_max_age, &refresh_private_key)
+  generate_token(&email, TokenType::Access, refresh_token_max_age, &refresh_private_key)
 }
-pub fn generate_token(email: &str, ttl: i64, private_key: &str) -> Result<TokenDetails, ServiceError> {
+fn generate_token(email: &str, token_type: TokenType, ttl: i64, private_key: &str) -> Result<TokenDetails, ServiceError> {
  let now = chrono::Utc::now();
  let mut token_details = TokenDetails {
    token: None,
    token_uuid: uuid::Uuid::new_v4(),
    email: email.to_string(),
    token_type,
    expires_in: Some((now + chrono::Duration::minutes(ttl)).timestamp())
  };
  let claims = TokenClaims {
@@ -81,9 +131,7 @@ pub fn generate_token(email: &str, ttl: i64, private_key: &str) -> Result<TokenD
    nbf: now.timestamp()
  };
  let header = Header::new(Algorithm::RS256);
-  let bytes_private_key = general_purpose::STANDARD.decode(private_key).unwrap();
+  let key = EncodingKey::from_rsa_pem(private_key.as_bytes())?;
  let decoded_private_key = String::from_utf8(bytes_private_key).unwrap();
  let key = EncodingKey::from_rsa_pem(decoded_private_key.as_bytes())?;
  let token = encode(&header, &claims, &key)?;
  token_details.token = Some(token);
  Ok(token_details)
--- a/service/src/auth/model.rs
+++ b/service/src/auth/model.rs
@@ -145,8 +145,8 @@ impl FromRequest for JwtAuth {
        })))
      };
-    let public_key = env::var("ACCESS_TOKEN_PUBLIC_KEY")
+    let keys_dir = env::var("KEYS_DIR_PATH").expect("KEYS_DIR_PATH must be set");
-      .expect("ACCESS_TOKEN_PUBLIC_KEY must be set");
+    let public_key = std::fs::read_to_string(format!("{}/access_public_key.pem", keys_dir)).expect("Failed to read access public key");
    let access_token_details = match verify_token(&access_token, &public_key) {
      Ok(token_details) => token_details,
--- a/service/src/auth/routes.rs
+++ b/service/src/auth/routes.rs
@@ -76,7 +76,7 @@ async fn login(request: web::Json<LoginRequest>) -> HttpResponse {
        .parse::<i64>()
        .expect("REFRESH_TOKEN_MAXAGE must be an integer");
-      let access_result: redis::RedisResult<()> = conn.set_ex(access_token_details.token_uuid.to_string(), &email, (access_token_max_age * 60) as usize).await;
+      let access_result: redis::RedisResult<()> = conn.set_ex(access_token_details.token_uuid.to_string(), &access_token_details.to_string(), (access_token_max_age * 60) as usize).await;
      if let Err(err) = access_result {
        error!("Failed to set access token in redis: {}", err);
        return ResponseError::error_response(&ServiceError {
@@ -85,7 +85,7 @@ async fn login(request: web::Json<LoginRequest>) -> HttpResponse {
        })
      };
-      let refresh_result: redis::RedisResult<()> = conn.set_ex(refresh_token_details.token_uuid.to_string(), &email, (refresh_token_max_age * 60) as usize).await;
+      let refresh_result: redis::RedisResult<()> = conn.set_ex(refresh_token_details.token_uuid.to_string(), &refresh_token_details.to_string(), (refresh_token_max_age * 60) as usize).await;
      if let Err(err) = refresh_result {
        error!("Failed to set refresh token in redis: {}", err);
        return ResponseError::error_response(&ServiceError {
@@ -150,8 +150,9 @@ async fn refresh(req: HttpRequest) -> HttpResponse {
    })
  };
-  let public_key = env::var("REFRESH_TOKEN_PUBLIC_KEY")
+  let keys_dir = env::var("KEYS_DIR_PATH").expect("KEYS_DIR_PATH must be set");
-    .expect("REFRESH_TOKEN_PUBLIC_KEY must be set");
+  let public_key = std::fs::read_to_string(format!("{}/refresh_public_key.pem", keys_dir))
    .expect("Unable to read refresh public key");
  let refresh_token_details = match verify_token(&refresh_token, &public_key) {
    Ok(token_details) => token_details,
    Err(err) => return ResponseError::error_response(&err)
@@ -177,12 +178,12 @@ async fn refresh(req: HttpRequest) -> HttpResponse {
        }
      };
-      // Delete old auth token if it exists
+      // Delete old access token if it exists
      match req.cookie("access_token") {
        Some(cookie) => {
          let access_token = cookie.value().to_string();
-          let public_key = env::var("ACCESS_TOKEN_PUBLIC_KEY")
+          let public_key = std::fs::read_to_string(format!("{}/access_public_key.pem", keys_dir))
-            .expect("ACCESS_TOKEN_PUBLIC_KEY must be set");
+            .expect("Unable to read access public key");
          match verify_token(&access_token, &public_key) {
            Ok(token_details) => {
              let _: redis::RedisResult<()> = conn.del(token_details.token_uuid.to_string()).await;  
@@ -199,7 +200,7 @@ async fn refresh(req: HttpRequest) -> HttpResponse {
        .parse::<i64>()
        .expect("ACCESS_TOKEN_MAXAGE must be an integer");
-      let access_result: redis::RedisResult<()> = conn.set_ex(access_token_details.token_uuid.to_string(), &email, (access_token_max_age * 60) as usize).await;
+      let access_result: redis::RedisResult<()> = conn.set_ex(access_token_details.token_uuid.to_string(), &access_token_details.to_string(), (access_token_max_age * 60) as usize).await;
      if let Err(err) = access_result {
        error!("Failed to set access token in redis: {}", err);
        return ResponseError::error_response(&ServiceError {
@@ -244,7 +245,7 @@ async fn refresh(req: HttpRequest) -> HttpResponse {
          .parse::<i64>()
          .expect("REFRESH_TOKEN_MAXAGE must be an integer");
-        let refresh_result: redis::RedisResult<()> = conn.set_ex(refresh_token_details.token_uuid.to_string(), &refresh_token_details.email, (refresh_token_max_age * 60) as usize).await;
+        let refresh_result: redis::RedisResult<()> = conn.set_ex(refresh_token_details.token_uuid.to_string(), &refresh_token_details.to_string(), (refresh_token_max_age * 60) as usize).await;
        if let Err(err) = refresh_result {
          error!("Failed to set refresh token in redis: {}", err);
          return ResponseError::error_response(&ServiceError {
@@ -278,6 +279,7 @@ async fn refresh(req: HttpRequest) -> HttpResponse {
 #[post("/logout")]
 async fn logout(req: HttpRequest, auth: JwtAuth) -> HttpResponse {
  let keys_dir = env::var("KEYS_DIR_PATH").expect("KEYS_DIR_PATH must be set");
  let refresh_token = match req.cookie("refresh_token") {
    Some(cookie) => cookie.value().to_string(),
    None => return ResponseError::error_response(&ServiceError {
@@ -285,8 +287,8 @@ async fn logout(req: HttpRequest, auth: JwtAuth) -> HttpResponse {
      message: "Refresh token not found".to_string()
    })
  };
-  let public_key = env::var("REFRESH_TOKEN_PUBLIC_KEY")
+  let public_key = std::fs::read_to_string(format!("{}/refresh_public_key.pem", keys_dir))
-    .expect("REFRESH_TOKEN_PUBLIC_KEY must be set");
+    .expect("Unable to read refresh public key");
  let refresh_token_details = match verify_token(&refresh_token, &public_key) {
    Ok(token_details) => token_details,
    Err(err) => return ResponseError::error_response(&err)
@@ -342,12 +344,13 @@ async fn me(auth: JwtAuth) -> HttpResponse {
 #[get("/check-session")]
 async fn check_session(req: HttpRequest) -> HttpResponse {
  let keys_dir = env::var("KEYS_DIR_PATH").expect("KEYS_DIR_PATH must be set");
  // If there is a access_token cookie, check if it is valid
  let has_session = match req.cookie("access_token") {
    Some(cookie) => {
      let access_token = cookie.value().to_string();
-      let public_key = env::var("ACCESS_TOKEN_PUBLIC_KEY")
+      let public_key = std::fs::read_to_string(format!("{}/access_public_key.pem", keys_dir))
-        .expect("ACCESS_TOKEN_PUBLIC_KEY must be set");
+        .expect("Unable to read access public key");
      match verify_token(&access_token, &public_key) {
        Ok(_) => true,
        Err(_) => false
@@ -360,8 +363,8 @@ async fn check_session(req: HttpRequest) -> HttpResponse {
    match req.cookie("refresh_token") {
      Some(cookie) => {
        let refresh_token = cookie.value().to_string();
-        let public_key = env::var("REFRESH_TOKEN_PUBLIC_KEY")
+        let public_key = std::fs::read_to_string(format!("{}/refresh_public_key.pem", keys_dir))
-          .expect("REFRESH_TOKEN_PUBLIC_KEY must be set");
+          .expect("Unable to read refresh public key");
        match verify_token(&refresh_token, &public_key) {
          Ok(_) => return HttpResponse::Ok().json(true),
          Err(_) => return HttpResponse::Ok().json(false)
@@ -380,6 +383,7 @@ async fn roles() -> HttpResponse {
 }
 pub fn init_routes(config: &mut web::ServiceConfig) {
  // TODO: Remove this when deploying
  let r = RegisterUser {
    email: "admin".to_string(),
    password: "admin".to_string(),
--- a/service/src/lib.rs
+++ b/service/src/lib.rs
@@ -141,6 +141,18 @@ impl From<s3::creds::error::CredentialsError> for ServiceError {
  }
 }
 impl From<uuid::Error> for ServiceError {
  fn from(error: uuid::Error) -> ServiceError {
    ServiceError::new(500, format!("Unknown uuid error: {}", error))
  }
 }
 impl From<std::env::VarError> for ServiceError {
  fn from(error: std::env::VarError) -> ServiceError {
    ServiceError::new(500, format!("Unknown env error: {}", error))
  }
 }
 impl ResponseError for ServiceError {
  fn error_response(&self) -> HttpResponse {
      let status_code = match StatusCode::from_u16(self.status) {
--- a/ui/next.config.js
+++ b/ui/next.config.js
@@ -5,13 +5,6 @@ const nextConfig = {
  eslint: {
    ignoreDuringBuilds: true
  },
  webpackDevMiddleware: (config) => {
    config.watchOptions = {
      poll: 1000,
      aggregateTimeout: 300
    };
    return config;
  },
  publicRuntimeConfig: {
    // remove private variables from processEnv
    processEnv: Object.fromEntries(Object.entries(process.env).filter(([key]) => key.includes('NEXT_PUBLIC_')))
--- a/ui/src/app/admin/page.tsx
+++ b/ui/src/app/admin/page.tsx
@@ -14,6 +14,7 @@ import {
  stopTrack
 } from '@/api/guilds';
 import { GuildChannel, GuildInfo } from '@/api/guilds.types';
 import Auth from '@/components/Auth';
 import { userState } from '@/state/auth';
 import { Button, Card, Grid, Select, Slider, Tabs, TextInput, Textarea } from '@mantine/core';
 import { useForm } from '@mantine/form';
@@ -21,7 +22,7 @@ import { useRouter } from 'next/navigation';
 import React, { useEffect, useState } from 'react';
 import { useRecoilValue } from 'recoil';
-export default function Page() {
+function Page() {
  const user = useRecoilValue(userState);
  const [guilds, setGuilds] = useState<GuildInfo[]>([]);
  const [activeGuild, setActiveGuild] = useState<GuildInfo | null>(null);
@@ -68,6 +69,8 @@ export default function Page() {
  );
 }
 export default Auth(Page);
 function TextChannelCard({ guild }: { guild: GuildInfo | null }) {
  const [textChannels, setTextChannels] = useState<GuildChannel[]>([]);
  const [activeChannel, setActiveChannel] = useState<GuildChannel | null>(null);
--- a/ui/src/app/campaigns/page.tsx
+++ b/ui/src/app/campaigns/page.tsx
@@ -3,15 +3,8 @@
 import { ActionIcon, Tooltip } from '@mantine/core';
 import { FaPlus } from "react-icons/fa";
 import React, { useEffect } from 'react';
 import { getCampigns } from '@/api/campaigns';
 import { Campaign } from '@/api/campaigns.types';
 export default function Page() {
  const [campaigns, setCampaigns] = React.useState<Campaign[]>([]);
  useEffect(() => {
    getCampigns().then((data) => setCampaigns(data));
  }, []);
  return (
    <div>
@@ -21,9 +14,6 @@ export default function Page() {
          <FaPlus />
        </ActionIcon>
      </Tooltip>
        {campaigns && campaigns.map((campaign) => (
          <div key={campaign.id}>{campaign.name}</div>
        ))}
    </div>
  );
 }
--- a/ui/src/app/layout.tsx
+++ b/ui/src/app/layout.tsx
@@ -8,7 +8,6 @@ import { Notifications } from '@mantine/notifications';
 import 'styles/globals.css';
 import '@mantine/core/styles.css';
 import '@mantine/notifications/styles.css';
 import Loading from '@/components/Loading';
 export const metadata = {
  title: 'Siren',
@@ -28,10 +27,8 @@ export default function RootLayout({ children }: { children: React.ReactNode })
          <MantineProvider>
            <Notifications />
            <ModalsProvider>
-              <Loading>
+              <Header />
-                <Header />
+              <Box>{children}</Box>
                <Box>{children}</Box>
              </Loading>
            </ModalsProvider>
          </MantineProvider>
        </RecoilRootWrapper>
--- a/ui/src/app/page.tsx
+++ b/ui/src/app/page.tsx
@@ -4,18 +4,18 @@ import React from 'react';
 // Home page for siren
 export default function Page() {
  return (
-    // <div>
+    <div>
-    //   <p>Siren is a Dungeon Master's best friend.</p>
+      <p>Siren is a Dungeon Master's best friend.</p>
-    //   <h2>Features:</h2>
+      <h2>Features:</h2>
-    //   <ul>
+      <ul>
-    //     <li>Manage your campaign and players</li>
+        <li>Manage your campaign and players</li>
-    //     <li>Create battlemaps on the fly and track initiative</li>
+        <li>Create battlemaps on the fly and track initiative</li>
-    //     <li>Connect the Discord Bot to play online with friends</li>
+        <li>Connect the Discord Bot to play online with friends</li>
-    //     <li>Reference Races, Classes, Items, Spells, and more</li>
+        <li>Reference Races, Classes, Items, Spells, and more</li>
-    //   </ul>
+      </ul>
    // </div>
    <div style={{ overflow: 'hidden' }}>
      <TileGrid />
    </div>
    // <div style={{ overflow: 'hidden' }}>
    //   <TileGrid />
    // </div>
  );
 }
--- a/ui/src/components/Auth.tsx
+++ b/ui/src/components/Auth.tsx
@@ -0,0 +1,32 @@
 'use client';
 import { hasUserState, isAdminState } from "@/state/auth";
 import { useRouter } from "next/navigation";
 import { useEffect } from "react";
 import { useRecoilValue } from "recoil";
 export default function Auth(Component: any, adminOnly = false) {
  return function AuthWrapper(props: any) {
    const router = useRouter();
    const hasUser = useRecoilValue(hasUserState);
    const isAdmin = useRecoilValue(isAdminState);
    function isAuthenticated() {
      console.log('hasUser', hasUser, 'adminOnly', adminOnly, 'isAdmin', isAdmin)
      return hasUser && (adminOnly ? isAdmin : true);
    }
    useEffect(() => {
      console.log('isAuthenticated', isAuthenticated());
      if (!isAuthenticated) {
        router.push('/');
      }
    }, []);
    if (!isAuthenticated) {
      return null;
    }
    return <Component {...props} />;
  }
 }
--- a/ui/src/components/Header/index.tsx
+++ b/ui/src/components/Header/index.tsx
@@ -199,6 +199,7 @@ export default function Header() {
        type={modalType}
        toggle={toggle}
        setUser={(u) => {
          console.log(u);
          setUser(u);          
          updateUser(u);
        }}
--- a/ui/src/middleware.ts
+++ b/ui/src/middleware.ts
@@ -0,0 +1,6 @@
 'use client';
 import { NextRequest } from "next/server";
 export default function middleware(request: NextRequest) {
 }
--- a/ui/src/state/auth.ts
+++ b/ui/src/state/auth.ts
@@ -1,7 +1,24 @@
 import { User } from '@/api/auth.types';
-import { atom } from 'recoil';
+import { atom, selector } from 'recoil';
 export const userState = atom({
  key: 'userState',
  default: undefined as User | undefined
 });
 export const hasUserState = selector({
  key: 'hasUserState',
  get: ({ get }) => {
    const user = get(userState);
    return user !== undefined;
  }
 });
 export const isAdminState = selector({
  key: 'isAdminState',
  get: ({ get }) => {
    const user = get(userState);
    return user?.role === 'admin';
  }
 });