From 4691808fa64d0bd86dd066e3f383f2e867b77a2d Mon Sep 17 00:00:00 2001 From: Oliver Gorwits Date: Mon, 31 Dec 2018 19:30:41 +0000 Subject: [PATCH] add api user role and fix api auth failure response --- lib/App/Netdisco/DB/Result/Virtual/UserRole.pm | 3 +++ lib/App/Netdisco/Web/AuthN.pm | 11 ++++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/lib/App/Netdisco/DB/Result/Virtual/UserRole.pm b/lib/App/Netdisco/DB/Result/Virtual/UserRole.pm index bd24737c..7746112e 100644 --- a/lib/App/Netdisco/DB/Result/Virtual/UserRole.pm +++ b/lib/App/Netdisco/DB/Result/Virtual/UserRole.pm @@ -19,6 +19,9 @@ __PACKAGE__->result_source_instance->view_definition(< sub { }; get qr{^/(?:login(?:/denied)?)?} => sub { - template 'index', { return_url => param('return_url') }; + if (param('return_url') and param('return_url') =~ m{^/api/}) { + status 403; + return to_json { + error => 'not authorized', + return_url => param('return_url'), + }; + } + else { + template 'index', { return_url => param('return_url') }; + } }; # override default login_handler so we can log access in the database
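Review bot: The new 403 branch echoes the request-supplied `return_url` back in the JSON body without setting a content type, so unless one is configured outside this hunk the response is probably served with the framework's default (HTML) type and a browser could interpret markup carried in that parameter. Set the type explicitly with `content_type 'application/json';` just before `return to_json {`, or drop `return_url` from the error body, since an API client already knows which URL it requested. The `m{^/api/}` test only checks the prefix of the parameter, so everything after it is reflected exactly as supplied. A short comment above the `if`, such as `# API clients get a JSON 403 instead of the HTML login page`, would also explain why the branch keys on `return_url`.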