docs(httpauth-firebase): fix rbac tier reference from 1 to 0
rbac is a Tier 0 module (no micro-lib dependencies). The dependency line incorrectly cited it as Tier 1. The module's own tier (4) is unchanged — it remains the auth layer above the transport infrastructure.
82
README.md
Normal file
@@ -0,0 +1,82 @@
# httpauth-firebase
Firebase-backed HTTP middleware for authentication, identity enrichment, and RBAC authorization.
## Overview
Three composable `func(http.Handler) http.Handler` middleware functions:
| Middleware | Responsibility |
|---|---|
| `AuthMiddleware` | Verifies Firebase Bearer token; injects uid + claims into context |
| `EnrichmentMiddleware` | Calls app-provided `IdentityEnricher`; stores `rbac.Identity` in context |
| `AuthzMiddleware` | Resolves permission mask; gates request |
All functions accept interfaces — testable without a live Firebase connection.
## Installation
```
require code.nochebuena.dev/go/httpauth-firebase v0.1.0
```
## Usage
```go
r.Use(httpauth.AuthMiddleware(firebaseAuthClient, []string{"/health", "/public/*"}))
r.Use(httpauth.EnrichmentMiddleware(myUserEnricher, httpauth.WithTenantHeader("X-Tenant-ID")))
r.Use(httpauth.AuthzMiddleware(myPermProvider, "orders", rbac.Read))
```
## Interfaces
### TokenVerifier
```go
type TokenVerifier interface {
VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken string) (*auth.Token, error)
}
```
`*firebase/auth.Client` satisfies this directly. Swap in a mock for tests.
### IdentityEnricher
```go
type IdentityEnricher interface {
Enrich(ctx context.Context, uid string, claims map[string]any) (rbac.Identity, error)
}
```
Implement this in your application to load user data from your store and return an `rbac.Identity`.
### PermissionProvider
```go
type PermissionProvider interface {
ResolveMask(ctx context.Context, uid, resource string) (rbac.PermissionMask, error)
}
```
Returns the permission bitmask for the user on a given resource.
## Options
| Option | Description |
|---|---|
| `WithTenantHeader(header)` | Reads `TenantID` from the named request header. If absent, `TenantID` remains `""`. |
## Public paths
`AuthMiddleware` skips token verification for requests matching any pattern in `publicPaths`. Patterns use `path.Match` semantics (e.g. `"/public/*"`).
## HTTP status codes
| Condition | Status |
|---|---|
| Missing or malformed `Authorization` header | 401 |
| Token verification failure | 401 |
| No `rbac.Identity` in context (AuthzMiddleware) | 401 |
| Missing uid in context (EnrichmentMiddleware) | 401 |
| Enricher error | 500 |
| Permission denied or provider error | 403 |
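
Review bot: In the Options table, `WithTenantHeader(header)` takes `TenantID` from a request header, which the client controls, and the README does not say who checks that the authenticated uid actually belongs to that tenant. Suggest stating next to the option that the header value is untrusted input and that the application's `IdentityEnricher` or `PermissionProvider` must verify tenant membership before the value influences authorization. Two smaller documentation gaps: the status table says a missing uid (EnrichmentMiddleware) or a missing `rbac.Identity` (AuthzMiddleware) yields 401, while the Usage snippet applies all three middleware with `r.Use`, so it is unclear whether `/health` and `/public/*` get past the later two; and because `path.Match` never lets `*` match a `/`, `"/public/*"` covers a single path segment only, which is worth spelling out under "Public paths". The status table also maps a provider error to 403 while an enricher error is 500; a sentence on that choice would help operators tell a denial from a backend failure.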