auth.go

package authjwt

import (
	"encoding/json"
	"net/http"
	"path"
	"strings"

	"github.com/golang-jwt/jwt/v5"

	"code.nochebuena.dev/einherjar/auth/authmw"
	"code.nochebuena.dev/einherjar/contracts/logging"
	"code.nochebuena.dev/einherjar/core/xerrors"
)

// AuthMiddleware verifies the Bearer access token and injects uid + claims into context
// via authmw.SetTokenData. Downstream authmw.EnrichmentMiddleware reads them transparently.
//
// Accepts a Verifier — pass a Signer when the service issues tokens, or a
// NewRSAPublicKeyVerifier/NewECPublicKeyVerifier when it only verifies.
//
// Requests to publicPaths are skipped without verification (path.Match wildcards supported).
// Returns 401 on missing, invalid, or expired tokens.
func AuthMiddleware(logger logging.Logger, verifier Verifier, publicPaths []string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			for _, pattern := range publicPaths {
				if matched, _ := path.Match(pattern, r.URL.Path); matched {
					next.ServeHTTP(w, r)
					return
				}
			}

			authHeader := r.Header.Get("Authorization")
			if !strings.HasPrefix(authHeader, "Bearer ") {
				writeUnauthorized(logger, w, r)
				return
			}
			tokenStr := strings.TrimPrefix(authHeader, "Bearer ")

			token, err := verifier.Verify(tokenStr)
			if err != nil {
				writeUnauthorized(logger, w, r)
				return
			}

			claims, ok := token.Claims.(jwt.MapClaims)
			if !ok {
				writeUnauthorized(logger, w, r)
				return
			}

			uid, _ := claims["sub"].(string)
			if uid == "" {
				writeUnauthorized(logger, w, r)
				return
			}

			ctx := authmw.SetTokenData(r.Context(), uid, map[string]any(claims))
			next.ServeHTTP(w, r.WithContext(ctx))
		})
	}
}

func writeUnauthorized(logger logging.Logger, w http.ResponseWriter, r *http.Request) {
	logger.WithContext(r.Context()).Warn("auth-jwt: unauthorized",
		"error_code", string(xerrors.ErrUnauthorized),
		"status", http.StatusUnauthorized,
	)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusUnauthorized)
	_ = json.NewEncoder(w).Encode(map[string]any{
		"code":    string(xerrors.ErrUnauthorized),
		"message": "unauthorized",
	})
}
feat(auth-jwt): initial implementation — JWT lifecycle and AuthMiddleware (v1.0.0) Introduces code.nochebuena.dev/einherjar/auth-jwt — JWT authentication middleware and token lifecycle management for the Einherjar framework. Absorbs httpauth-jwt from micro-lib with three changes: logger parameter on AuthMiddleware, httputil.Error for consistent 401 responses, and added ECDSA support. Signers and Verifiers (one file per implementation — CT-6 compliant): - Verifier interface — Verify(tokenString string) (*jwt.Token, error) - Signer interface — extends Verifier; adds Sign(claims jwt.Claims) (string, error) - signer_hmac.go — NewHMACSigner(secret) → HS256; jwt.WithJSONNumber() on Verify - signer_rsa.go — NewRSASigner(key) + NewRSASignerFromPEM(pem) → RS256 - verifier_rsa.go — NewRSAPublicKeyVerifier + NewRSAPublicKeyVerifierFromPEM → RS256 verify-only - signer_ec.go — NewECSigner(key) + NewECSignerFromPEM(pem) → ES256/384/512; algorithm auto-detected from key curve (P-256→ES256, P-384→ES384, P-521→ES512) - verifier_ec.go — NewECPublicKeyVerifier + NewECPublicKeyVerifierFromPEM → EC verify-only Token lifecycle: - TokenConfig struct — AccessTTL, RefreshTTL, Issuer - TokenPair struct — AccessToken, RefreshToken, ExpiresIn - IssueTokenPair — access + refresh pair; customClaims merged at top level; refresh carries only sub/iss/iat/exp/jti/fam; jwt.WithJSONNumber() preserves int64 bitmasks - Blacklist interface — IsRevoked + Revoke; satisfied by cache-valkey via duck typing - ErrTokenRevoked — errors.New sentinel; errors.Is pattern for replay-attack detection - RefreshTokenPair — verifies token, checks blacklist, revokes old JTI, issues new pair HTTP middleware: - AuthMiddleware(logger, verifier, publicPaths) — verifies Bearer tokens; calls authmw.SetTokenData on success; 401 routed through httputil.Error (Warn level); publicPaths use path.Match wildcards; accepts Verifier (not Signer) to enforce narrowest-interface principle for verify-only services Compliance test (package authjwt_test) enforces CT-6 (≤1 exported TypeSpec/file), compile-time interface satisfaction, and behavioural coverage: HMAC/RSA/EC sign+verify, algorithm mismatch rejection, IssueTokenPair claims/jti/fam, RefreshTokenPair success/ revoked/blacklist-error/custom-claims, MaxInt64 json.Number precision, AuthMiddleware valid/invalid/expired/missing/public-path/wildcard/JSON-body/RSA-verifier/SetTokenData. Depends on auth v1.0.0, contracts v1.0.0, core v1.0.0, web v1.0.0, jwt/v5 v5.2.1. - identifiable.go: package-level Module variable (observability.Identifiable) for version identification — auth-jwt is a function library; not registered with the launcher 2026-05-29 16:13:01 +00:00			`package authjwt`

			`import (`
			`"encoding/json"`
			`"net/http"`
			`"path"`
			`"strings"`

			`"github.com/golang-jwt/jwt/v5"`

			`"code.nochebuena.dev/einherjar/auth/authmw"`
			`"code.nochebuena.dev/einherjar/contracts/logging"`
			`"code.nochebuena.dev/einherjar/core/xerrors"`
			`)`

			`// AuthMiddleware verifies the Bearer access token and injects uid + claims into context`
			`// via authmw.SetTokenData. Downstream authmw.EnrichmentMiddleware reads them transparently.`
			`//`
			`// Accepts a Verifier — pass a Signer when the service issues tokens, or a`
			`// NewRSAPublicKeyVerifier/NewECPublicKeyVerifier when it only verifies.`
			`//`
			`// Requests to publicPaths are skipped without verification (path.Match wildcards supported).`
			`// Returns 401 on missing, invalid, or expired tokens.`
			`func AuthMiddleware(logger logging.Logger, verifier Verifier, publicPaths []string) func(http.Handler) http.Handler {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`for _, pattern := range publicPaths {`
			`if matched, _ := path.Match(pattern, r.URL.Path); matched {`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
			`}`

			`authHeader := r.Header.Get("Authorization")`
			`if !strings.HasPrefix(authHeader, "Bearer ") {`
			`writeUnauthorized(logger, w, r)`
			`return`
			`}`
			`tokenStr := strings.TrimPrefix(authHeader, "Bearer ")`

			`token, err := verifier.Verify(tokenStr)`
			`if err != nil {`
			`writeUnauthorized(logger, w, r)`
			`return`
			`}`

			`claims, ok := token.Claims.(jwt.MapClaims)`
			`if !ok {`
			`writeUnauthorized(logger, w, r)`
			`return`
			`}`

			`uid, _ := claims["sub"].(string)`
			`if uid == "" {`
			`writeUnauthorized(logger, w, r)`
			`return`
			`}`

			`ctx := authmw.SetTokenData(r.Context(), uid, map[string]any(claims))`
			`next.ServeHTTP(w, r.WithContext(ctx))`
			`})`
			`}`
			`}`

			`func writeUnauthorized(logger logging.Logger, w http.ResponseWriter, r *http.Request) {`
			`logger.WithContext(r.Context()).Warn("auth-jwt: unauthorized",`
			`"error_code", string(xerrors.ErrUnauthorized),`
			`"status", http.StatusUnauthorized,`
			`)`
			`w.Header().Set("Content-Type", "application/json")`
			`w.WriteHeader(http.StatusUnauthorized)`
			`_ = json.NewEncoder(w).Encode(map[string]any{`
			`"code": string(xerrors.ErrUnauthorized),`
			`"message": "unauthorized",`
			`})`
			`}`