refactor(httpauth-firebase)!: delegate enrichment and authz to httpauth v0.1.0

EnrichmentMiddleware, AuthzMiddleware, IdentityEnricher, PermissionProvider, and related types are removed from this module. They now live in code.nochebuena.dev/go/httpauth, the provider-agnostic middleware layer. AuthMiddleware is updated to call httpauth.SetTokenData, fulfilling the integration contract between provider-specific auth and generic middleware. This module now has a single responsibility: Firebase JWT verification. BREAKING CHANGE: IdentityEnricher, PermissionProvider, EnrichmentMiddleware, AuthzMiddleware, and WithTenantHeader are no longer exported from this package. Import code.nochebuena.dev/go/httpauth for those identifiers.
2026-05-07 21:57:01 -06:00
parent d1de096c72
commit 2c90fe22bf
10 changed files with 65 additions and 358 deletions
--- a/httpauth_test.go
+++ b/httpauth_test.go
@@ -8,8 +8,6 @@ import (
 	"testing"

 	"firebase.google.com/go/v4/auth"
-
-	"code.nochebuena.dev/go/rbac"
 )

 // --- mocks ---
@@ -23,46 +21,17 @@ func (m *mockVerifier) VerifyIDTokenAndCheckRevoked(_ context.Context, _ string)
 	return m.token, m.err
 }

-type mockEnricher struct {
-	identity rbac.Identity
-	err      error
-}
-
-func (m *mockEnricher) Enrich(_ context.Context, _ string, _ map[string]any) (rbac.Identity, error) {
-	return m.identity, m.err
-}
-
-type mockProvider struct {
-	mask rbac.PermissionMask
-	err  error
-}
-
-func (m *mockProvider) ResolveMask(_ context.Context, _, _ string) (rbac.PermissionMask, error) {
-	return m.mask, m.err
-}
-
-// testRead is permission bit 0, used in authz tests.
-const testRead rbac.Permission = 0
-
 func chain(mw func(http.Handler) http.Handler, h http.HandlerFunc) http.Handler {
 	return mw(h)
 }

-// injectUID bypasses AuthMiddleware for EnrichmentMiddleware tests.
-func injectUID(uid string, claims map[string]any, next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ctx := setTokenData(r.Context(), uid, claims)
-		next.ServeHTTP(w, r.WithContext(ctx))
-	})
-}
-
 // --- AuthMiddleware ---

 func TestAuthMiddleware_ValidToken(t *testing.T) {
 	mv := &mockVerifier{token: &auth.Token{UID: "uid123", Claims: map[string]any{"name": "Alice"}}}
-	var capturedUID string
+	reached := false
 	h := chain(AuthMiddleware(mv, nil), func(w http.ResponseWriter, r *http.Request) {
-		capturedUID, _ = getUID(r.Context())
+		reached = true
 		w.WriteHeader(http.StatusOK)
 	})
 	req := httptest.NewRequest(http.MethodGet, "/api", nil)
@@ -72,8 +41,8 @@ func TestAuthMiddleware_ValidToken(t *testing.T) {
 	if rec.Code != http.StatusOK {
 		t.Errorf("want 200, got %d", rec.Code)
 	}
-	if capturedUID != "uid123" {
-		t.Errorf("want uid123, got %q", capturedUID)
+	if !reached {
+		t.Error("inner handler was not called")
 	}
 }

@@ -126,136 +95,3 @@ func TestAuthMiddleware_PublicPathWildcard(t *testing.T) {
 		t.Errorf("want 200, got %d", rec.Code)
 	}
 }
-
-// --- EnrichmentMiddleware ---
-
-func TestEnrichmentMiddleware_Success(t *testing.T) {
-	me := &mockEnricher{identity: rbac.NewIdentity("uid123", "Alice", "alice@example.com")}
-	var capturedIdentity rbac.Identity
-	inner := EnrichmentMiddleware(me)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		capturedIdentity, _ = rbac.FromContext(r.Context())
-		w.WriteHeader(http.StatusOK)
-	}))
-	h := injectUID("uid123", nil, inner)
-	rec := httptest.NewRecorder()
-	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
-	if rec.Code != http.StatusOK {
-		t.Errorf("want 200, got %d", rec.Code)
-	}
-	if capturedIdentity.UID != "uid123" {
-		t.Errorf("want uid123, got %q", capturedIdentity.UID)
-	}
-}
-
-func TestEnrichmentMiddleware_NoUID(t *testing.T) {
-	me := &mockEnricher{}
-	h := chain(EnrichmentMiddleware(me), func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	})
-	rec := httptest.NewRecorder()
-	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
-	if rec.Code != http.StatusUnauthorized {
-		t.Errorf("want 401, got %d", rec.Code)
-	}
-}
-
-func TestEnrichmentMiddleware_EnricherError(t *testing.T) {
-	me := &mockEnricher{err: errors.New("db error")}
-	inner := EnrichmentMiddleware(me)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	}))
-	h := injectUID("uid123", nil, inner)
-	rec := httptest.NewRecorder()
-	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
-	if rec.Code != http.StatusInternalServerError {
-		t.Errorf("want 500, got %d", rec.Code)
-	}
-}
-
-func TestEnrichmentMiddleware_WithTenant(t *testing.T) {
-	me := &mockEnricher{identity: rbac.NewIdentity("uid123", "", "")}
-	var capturedIdentity rbac.Identity
-	inner := EnrichmentMiddleware(me, WithTenantHeader("X-Tenant-ID"))(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		capturedIdentity, _ = rbac.FromContext(r.Context())
-		w.WriteHeader(http.StatusOK)
-	}))
-	h := injectUID("uid123", nil, inner)
-	req := httptest.NewRequest(http.MethodGet, "/", nil)
-	req.Header.Set("X-Tenant-ID", "tenant-abc")
-	rec := httptest.NewRecorder()
-	h.ServeHTTP(rec, req)
-	if capturedIdentity.TenantID != "tenant-abc" {
-		t.Errorf("want tenant-abc, got %q", capturedIdentity.TenantID)
-	}
-}
-
-func TestEnrichmentMiddleware_NoTenantHeader(t *testing.T) {
-	me := &mockEnricher{identity: rbac.NewIdentity("uid123", "", "")}
-	var capturedIdentity rbac.Identity
-	inner := EnrichmentMiddleware(me, WithTenantHeader("X-Tenant-ID"))(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		capturedIdentity, _ = rbac.FromContext(r.Context())
-		w.WriteHeader(http.StatusOK)
-	}))
-	h := injectUID("uid123", nil, inner)
-	rec := httptest.NewRecorder()
-	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
-	if capturedIdentity.TenantID != "" {
-		t.Errorf("want empty TenantID, got %q", capturedIdentity.TenantID)
-	}
-}
-
-// --- AuthzMiddleware ---
-
-func TestAuthzMiddleware_Allowed(t *testing.T) {
-	mp := &mockProvider{mask: rbac.PermissionMask(0).Grant(testRead)}
-	inner := AuthzMiddleware(mp, "orders", testRead)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	}))
-	req := httptest.NewRequest(http.MethodGet, "/", nil)
-	ctx := rbac.SetInContext(req.Context(), rbac.NewIdentity("uid123", "", ""))
-	rec := httptest.NewRecorder()
-	inner.ServeHTTP(rec, req.WithContext(ctx))
-	if rec.Code != http.StatusOK {
-		t.Errorf("want 200, got %d", rec.Code)
-	}
-}
-
-func TestAuthzMiddleware_Denied(t *testing.T) {
-	mp := &mockProvider{mask: rbac.PermissionMask(0)} // no permissions granted
-	inner := AuthzMiddleware(mp, "orders", testRead)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	}))
-	req := httptest.NewRequest(http.MethodGet, "/", nil)
-	ctx := rbac.SetInContext(req.Context(), rbac.NewIdentity("uid123", "", ""))
-	rec := httptest.NewRecorder()
-	inner.ServeHTTP(rec, req.WithContext(ctx))
-	if rec.Code != http.StatusForbidden {
-		t.Errorf("want 403, got %d", rec.Code)
-	}
-}
-
-func TestAuthzMiddleware_NoIdentity(t *testing.T) {
-	mp := &mockProvider{}
-	h := chain(AuthzMiddleware(mp, "orders", testRead), func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	})
-	rec := httptest.NewRecorder()
-	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
-	if rec.Code != http.StatusUnauthorized {
-		t.Errorf("want 401, got %d", rec.Code)
-	}
-}
-
-func TestAuthzMiddleware_ProviderError(t *testing.T) {
-	mp := &mockProvider{err: errors.New("db error")}
-	inner := AuthzMiddleware(mp, "orders", testRead)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	}))
-	req := httptest.NewRequest(http.MethodGet, "/", nil)
-	ctx := rbac.SetInContext(req.Context(), rbac.NewIdentity("uid123", "", ""))
-	rec := httptest.NewRecorder()
-	inner.ServeHTTP(rec, req.WithContext(ctx))
-	if rec.Code != http.StatusForbidden {
-		t.Errorf("want 403, got %d", rec.Code)
-	}
-}