einherjar/auth
2
0
Fork 0
Code Issues Pull Requests Packages Releases 1 Activity
Files
8a306abed034fba3031e39147ae451ef4090a2bf
auth/authmw/enrichment.go

57 lines
1.7 KiB
Go
Raw Normal View History

feat(auth): initial implementation — authmw and rbac (v1.0.0) Introduces code.nochebuena.dev/einherjar/auth — the provider-agnostic HTTP authentication and authorization layer of the Einherjar framework. Absorbs two micro-lib packages (httpauth, rbac) as sub-packages, replacing the Identity-only context model with a SecurityBag-native design and adding a composable enrichment chain. authmw: - BagEnricher function type — enriches the request-scoped SecurityBag after the base Identity is built; registered via WithBagEnricher; multiple enrichers run in order, each receiving the bag from the previous - IdentityEnricher interface — application-layer contract for loading user data from uid+claims - EnrichmentMiddleware — builds SecurityBag from uid+claims, runs enricher chain, stores via security.SetBagInContext; 401 on missing uid, 500 on enricher error; routes all errors through httputil.Error - AuthzMiddleware — per-route permission gate; 401 on missing identity, 403 on provider error (fail-closed) or insufficient permissions - EnrichOpt type + WithTenantHeader (reads TenantID from header, implemented as a BagEnricher) + WithBagEnricher (registers custom enrichers for hardware IDs, grant codes, or any bag attribute) - SetTokenData / GetClaims — integration contract for auth-jwt / auth-firebase rbac: - NewClaimsPermissionProvider — reads flat JWT claim bitmasks from context; wildcard "*" fallback; handles int64/float64/json.Number; zero DB calls - NewCachedPermissionProvider — TTL cache wrapping any PermissionProvider; default key "rbac:{uid}:{resource}" or "rbac:{tenantID}:{uid}:{resource}"; TenantID sourced from SecurityBag automatically; accepts ...CachedOpt - CachedOpt type + WithCacheKey — overrides the key function for extra dimensions (hardware IDs, grant codes read from bag attributes) - NewChainPermissionProvider — tries providers in order; first non-zero wins; errors short-circuit; typical pattern: claims → cached DB fallback - Cache interface — pluggable backend satisfied by cache-valkey via duck typing Compliance test (package auth_test) enforces CT-6 (≤1 exported TypeSpec/file), compile-time interface satisfaction, and behavioural coverage across the full middleware and provider surface: enrichment success/failure, tenant header, custom BagEnricher, bag-in-context, authz allowed/denied/error, claims hit/wildcard/missing/float64, cached hit/miss/error/tenant-key/custom-key, chain first-non-zero/fallthrough/error. Depends on contracts v1.0.0, core v1.0.0, web v1.0.0. - identifiable.go: package-level Module variable (observability.Identifiable) for version identification — auth is middleware-only; not registered with the launcher
2026-05-29 16:11:21 +00:00
package authmw
import (
"net/http"
"code.nochebuena.dev/einherjar/contracts/logging"
"code.nochebuena.dev/einherjar/contracts/security"
"code.nochebuena.dev/einherjar/core/xerrors"
"code.nochebuena.dev/einherjar/web/httputil"
)
type enrichConfig struct {
enrichers []BagEnricher
}
// EnrichmentMiddleware builds a [security.SecurityBag] from the uid and claims
// injected by an upstream provider AuthMiddleware via [SetTokenData], then runs
// all registered [BagEnricher] functions in order.
//
// Returns 401 if no uid is present in context; 500 if the application
// [IdentityEnricher] returns an error.
//
// The resulting bag is stored via [security.SetBagInContext]. Downstream
// handlers can retrieve it with [security.BagFromContext] (full bag) or
// [security.FromContext] (Identity only).
func EnrichmentMiddleware(logger logging.Logger, enricher IdentityEnricher, opts ...EnrichOpt) func(http.Handler) http.Handler {
cfg := &enrichConfig{}
for _, o := range opts {
o(cfg)
}
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
uid, ok := getUID(r.Context())
if !ok {
httputil.Error(logger, w, r, xerrors.Unauthorized("missing token"))
return
}
claims := getClaims(r.Context())
identity, err := enricher.Enrich(r.Context(), uid, claims)
if err != nil {
httputil.Error(logger, w, r, xerrors.Internal("enrichment failed").WithError(err))
return
}
bag := security.NewSecurityBag(identity)
for _, fn := range cfg.enrichers {
bag = fn(bag, r)
}
ctx := security.SetBagInContext(r.Context(), bag)
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}
Reference in New Issue Copy Permalink