refactor(httpauth-firebase)!: delegate enrichment and authz to httpauth v0.1.0
EnrichmentMiddleware, AuthzMiddleware, IdentityEnricher, PermissionProvider, and related types are removed from this module. They now live in code.nochebuena.dev/go/httpauth, the provider-agnostic middleware layer. AuthMiddleware is updated to call httpauth.SetTokenData, fulfilling the integration contract between provider-specific auth and generic middleware. This module now has a single responsibility: Firebase JWT verification. BREAKING CHANGE: IdentityEnricher, PermissionProvider, EnrichmentMiddleware, AuthzMiddleware, and WithTenantHeader are no longer exported from this package. Import code.nochebuena.dev/go/httpauth for those identifiers.
This commit is contained in:
30
auth.go
30
auth.go
@@ -7,6 +7,8 @@ import (
|
||||
"strings"
|
||||
|
||||
"firebase.google.com/go/v4/auth"
|
||||
|
||||
httpauthmw "code.nochebuena.dev/go/httpauth"
|
||||
)
|
||||
|
||||
// TokenVerifier abstracts Firebase JWT verification.
|
||||
@@ -16,30 +18,10 @@ type TokenVerifier interface {
|
||||
VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken string) (*auth.Token, error)
|
||||
}
|
||||
|
||||
// ctxUIDKey and ctxClaimsKey are unexported typed context keys.
|
||||
// Using distinct types prevents collisions with keys from other packages.
|
||||
type ctxUIDKey struct{}
|
||||
type ctxClaimsKey struct{}
|
||||
|
||||
func setTokenData(ctx context.Context, uid string, claims map[string]any) context.Context {
|
||||
ctx = context.WithValue(ctx, ctxUIDKey{}, uid)
|
||||
ctx = context.WithValue(ctx, ctxClaimsKey{}, claims)
|
||||
return ctx
|
||||
}
|
||||
|
||||
func getUID(ctx context.Context) (string, bool) {
|
||||
uid, ok := ctx.Value(ctxUIDKey{}).(string)
|
||||
return uid, ok && uid != ""
|
||||
}
|
||||
|
||||
func getClaims(ctx context.Context) (map[string]any, bool) {
|
||||
claims, ok := ctx.Value(ctxClaimsKey{}).(map[string]any)
|
||||
return claims, ok
|
||||
}
|
||||
|
||||
// AuthMiddleware verifies the Bearer token and injects uid + claims into the
|
||||
// request context. Requests to publicPaths are skipped without token verification
|
||||
// (wildcards supported via path.Match). Returns 401 on missing or invalid tokens.
|
||||
// request context via httpauth.SetTokenData. Requests to publicPaths are skipped
|
||||
// without token verification (wildcards supported via path.Match).
|
||||
// Returns 401 on missing or invalid tokens.
|
||||
func AuthMiddleware(verifier TokenVerifier, publicPaths []string) func(http.Handler) http.Handler {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
@@ -63,7 +45,7 @@ func AuthMiddleware(verifier TokenVerifier, publicPaths []string) func(http.Hand
|
||||
return
|
||||
}
|
||||
|
||||
ctx := setTokenData(r.Context(), decoded.UID, decoded.Claims)
|
||||
ctx := httpauthmw.SetTokenData(r.Context(), decoded.UID, decoded.Claims)
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
})
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user