Introduces code.nochebuena.dev/einherjar/auth — the provider-agnostic HTTP
authentication and authorization layer of the Einherjar framework. Absorbs
two micro-lib packages (httpauth, rbac) as sub-packages, replacing the
Identity-only context model with a SecurityBag-native design and adding a
composable enrichment chain.
authmw:
- BagEnricher function type — enriches the request-scoped SecurityBag after
the base Identity is built; registered via WithBagEnricher; multiple
enrichers run in order, each receiving the bag from the previous
- IdentityEnricher interface — application-layer contract for loading user
data from uid+claims
- EnrichmentMiddleware — builds SecurityBag from uid+claims, runs enricher
chain, stores via security.SetBagInContext; 401 on missing uid, 500 on
enricher error; routes all errors through httputil.Error
- AuthzMiddleware — per-route permission gate; 401 on missing identity,
403 on provider error (fail-closed) or insufficient permissions
- EnrichOpt type + WithTenantHeader (reads TenantID from header, implemented
as a BagEnricher) + WithBagEnricher (registers custom enrichers for
hardware IDs, grant codes, or any bag attribute)
- SetTokenData / GetClaims — integration contract for auth-jwt / auth-firebase
rbac:
- NewClaimsPermissionProvider — reads flat JWT claim bitmasks from context;
wildcard "*" fallback; handles int64/float64/json.Number; zero DB calls
- NewCachedPermissionProvider — TTL cache wrapping any PermissionProvider;
default key "rbac:{uid}:{resource}" or "rbac:{tenantID}:{uid}:{resource}";
TenantID sourced from SecurityBag automatically; accepts ...CachedOpt
- CachedOpt type + WithCacheKey — overrides the key function for extra
dimensions (hardware IDs, grant codes read from bag attributes)
- NewChainPermissionProvider — tries providers in order; first non-zero wins;
errors short-circuit; typical pattern: claims → cached DB fallback
- Cache interface — pluggable backend satisfied by cache-valkey via duck typing
Compliance test (package auth_test) enforces CT-6 (≤1 exported TypeSpec/file),
compile-time interface satisfaction, and behavioural coverage across the full
middleware and provider surface: enrichment success/failure, tenant header,
custom BagEnricher, bag-in-context, authz allowed/denied/error, claims
hit/wildcard/missing/float64, cached hit/miss/error/tenant-key/custom-key,
chain first-non-zero/fallthrough/error.
Depends on contracts v1.0.0, core v1.0.0, web v1.0.0.
- identifiable.go: package-level Module variable (observability.Identifiable) for version
identification — auth is middleware-only; not registered with the launcher
Contributor License Agreement
By contributing to any Einherjar repository, you agree to the terms of this Contributor License Agreement ("Agreement"). Please read it carefully before submitting your first Pull Request.
1. Definitions
| Term | Meaning |
|---|---|
| You | The individual or legal entity submitting a Contribution |
| Contribution | Any original work — source code, documentation, tests, configuration — submitted to an Einherjar repository |
| Project | The Einherjar framework and all repositories under code.nochebuena.dev/einherjar/ |
| Maintainers | The individuals responsible for maintaining the Project |
2. You Retain Ownership
This Agreement does not transfer your copyright to the Maintainers. You remain the legal owner of your Contribution. What you grant here is a broad license to use it — not ownership of it.
3. Copyright License Grant
You grant the Maintainers and all recipients of the Project a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license to:
- Reproduce, modify, and create derivative works of your Contribution
- Publicly display and perform your Contribution
- Distribute your Contribution and derivative works, in source or compiled form, under any terms
- Sublicense the above rights to third parties
- Relicense your Contribution under a different open-source or commercial license at the Maintainers' sole discretion
The Maintainers commit to keeping the Project available under at least one OSI-approved open-source license at all times.
4. Patent License Grant
You grant the Maintainers and all recipients of the Project a perpetual, worldwide, non-exclusive, royalty-free, irrevocable patent license to make, use, sell, offer for sale, import, and distribute your Contribution — limited to patent claims you own or control that are necessarily infringed by your Contribution alone, or in combination with the Project to which you submitted it.
5. Your Representations
By submitting a Contribution, you confirm that:
- Original work. The Contribution is your original work, or you have the legal right to submit it under these terms.
- No infringement. To your knowledge, the Contribution does not infringe any third-party intellectual property rights, including patents, copyrights, and trade secrets.
- Employer rights. If your employer holds rights over intellectual property you create, you have obtained written permission to submit the Contribution on behalf of that employer, or your employer has explicitly waived such rights for contributions to open-source projects.
- No warranty implied. You understand that your Contribution may or may not be included in the Project, and the Maintainers are under no obligation to use it.
6. No Support Obligation
You are not required to provide maintenance, support, or updates for your Contributions. They are accepted "as-is", without any warranty of fitness for a particular purpose or correctness.
7. How to Sign
Consent is given by posting a comment on your Pull Request with the following exact text:
I have read the Einherjar Contributor License Agreement (CLA.md) and I agree to all its terms.
I confirm this Contribution is my original work. I grant the Maintainers the rights described
therein, including the right to relicense, and I retain ownership of my copyright.
This agreement covers all future Contributions I submit to any Einherjar repository under
this account.
Why a comment and not a checkbox? PR description checkboxes can be silently toggled on and off by anyone with write access to the branch at any time. A comment creates a timestamped, author-attributed record in the PR activity log — it cannot be quietly retracted. If a comment is deleted, the deletion itself is visible in the activity log.
No handwritten or electronic signature is required beyond the comment above. A Maintainer will verify the comment before merging. PRs without the comment will not be merged.
If you are contributing on behalf of a company or organization, ensure that an authorized representative of that entity has reviewed and accepted these terms before submitting. The comment must be posted by the account that owns the Contribution.
8. Governing Terms
This Agreement is intended to be simple and broadly fair. It follows the model established by widely adopted CLAs from the Apache Software Foundation, Google, and MongoDB — granting the Project the flexibility to evolve while fully preserving your ownership of what you wrote.
If any provision of this Agreement is found unenforceable, the remaining provisions continue in full effect.
For those who come after. — The Einherjar Maintainers