authmw/enrich_opt.go

package authmw

import (
	"net/http"

	"code.nochebuena.dev/einherjar/contracts/security"
)

// EnrichOpt configures [EnrichmentMiddleware] behaviour.
type EnrichOpt func(*enrichConfig)

// WithTenantHeader reads the TenantID from the named request header and
// applies it to the Identity inside the bag via [security.Identity.WithTenant].
//
// Equivalent to registering a [BagEnricher] that calls
// bag.WithIdentity(bag.Identity().WithTenant(r.Header.Get(header))).
// Use for multi-tenant deployments where the tenant is identified per request.
func WithTenantHeader(header string) EnrichOpt {
	return WithBagEnricher(func(bag security.SecurityBag, r *http.Request) security.SecurityBag {
		if tenantID := r.Header.Get(header); tenantID != "" {
			return bag.WithIdentity(bag.Identity().WithTenant(tenantID))
		}
		return bag
	})
}

// WithBagEnricher appends fn to the enrichment chain.
// Enrichers run in registration order after the base Identity is built.
// Each enricher receives the bag returned by the previous one.
//
// Use this for any enrichment that does not fit [WithTenantHeader]:
// attaching hardware IDs, grant codes, or any attribute that downstream
// permission providers need to read from the bag.
func WithBagEnricher(fn BagEnricher) EnrichOpt {
	return func(c *enrichConfig) {
		c.enrichers = append(c.enrichers, fn)
	}
}
feat(auth): initial implementation — authmw and rbac (v1.0.0) Introduces code.nochebuena.dev/einherjar/auth — the provider-agnostic HTTP authentication and authorization layer of the Einherjar framework. Absorbs two micro-lib packages (httpauth, rbac) as sub-packages, replacing the Identity-only context model with a SecurityBag-native design and adding a composable enrichment chain. authmw: - BagEnricher function type — enriches the request-scoped SecurityBag after the base Identity is built; registered via WithBagEnricher; multiple enrichers run in order, each receiving the bag from the previous - IdentityEnricher interface — application-layer contract for loading user data from uid+claims - EnrichmentMiddleware — builds SecurityBag from uid+claims, runs enricher chain, stores via security.SetBagInContext; 401 on missing uid, 500 on enricher error; routes all errors through httputil.Error - AuthzMiddleware — per-route permission gate; 401 on missing identity, 403 on provider error (fail-closed) or insufficient permissions - EnrichOpt type + WithTenantHeader (reads TenantID from header, implemented as a BagEnricher) + WithBagEnricher (registers custom enrichers for hardware IDs, grant codes, or any bag attribute) - SetTokenData / GetClaims — integration contract for auth-jwt / auth-firebase rbac: - NewClaimsPermissionProvider — reads flat JWT claim bitmasks from context; wildcard "*" fallback; handles int64/float64/json.Number; zero DB calls - NewCachedPermissionProvider — TTL cache wrapping any PermissionProvider; default key "rbac:{uid}:{resource}" or "rbac:{tenantID}:{uid}:{resource}"; TenantID sourced from SecurityBag automatically; accepts ...CachedOpt - CachedOpt type + WithCacheKey — overrides the key function for extra dimensions (hardware IDs, grant codes read from bag attributes) - NewChainPermissionProvider — tries providers in order; first non-zero wins; errors short-circuit; typical pattern: claims → cached DB fallback - Cache interface — pluggable backend satisfied by cache-valkey via duck typing Compliance test (package auth_test) enforces CT-6 (≤1 exported TypeSpec/file), compile-time interface satisfaction, and behavioural coverage across the full middleware and provider surface: enrichment success/failure, tenant header, custom BagEnricher, bag-in-context, authz allowed/denied/error, claims hit/wildcard/missing/float64, cached hit/miss/error/tenant-key/custom-key, chain first-non-zero/fallthrough/error. Depends on contracts v1.0.0, core v1.0.0, web v1.0.0. - identifiable.go: package-level Module variable (observability.Identifiable) for version identification — auth is middleware-only; not registered with the launcher 2026-05-29 16:11:21 +00:00			`package authmw`

			`import (`
			`"net/http"`

			`"code.nochebuena.dev/einherjar/contracts/security"`
			`)`

			`// EnrichOpt configures [EnrichmentMiddleware] behaviour.`
			`type EnrichOpt func(*enrichConfig)`

			`// WithTenantHeader reads the TenantID from the named request header and`
			`// applies it to the Identity inside the bag via [security.Identity.WithTenant].`
			`//`
			`// Equivalent to registering a [BagEnricher] that calls`
			`// bag.WithIdentity(bag.Identity().WithTenant(r.Header.Get(header))).`
			`// Use for multi-tenant deployments where the tenant is identified per request.`
			`func WithTenantHeader(header string) EnrichOpt {`
			`return WithBagEnricher(func(bag security.SecurityBag, r *http.Request) security.SecurityBag {`
			`if tenantID := r.Header.Get(header); tenantID != "" {`
			`return bag.WithIdentity(bag.Identity().WithTenant(tenantID))`
			`}`
			`return bag`
			`})`
			`}`

			`// WithBagEnricher appends fn to the enrichment chain.`
			`// Enrichers run in registration order after the base Identity is built.`
			`// Each enricher receives the bag returned by the previous one.`
			`//`
			`// Use this for any enrichment that does not fit [WithTenantHeader]:`
			`// attaching hardware IDs, grant codes, or any attribute that downstream`
			`// permission providers need to read from the bag.`
			`func WithBagEnricher(fn BagEnricher) EnrichOpt {`
			`return func(c *enrichConfig) {`
			`c.enrichers = append(c.enrichers, fn)`
			`}`
			`}`