go/httpauth-firebase
2
0
Fork 0
Code Issues Pull Requests Packages Releases 2 Activity
Files
2c90fe22bf877bbdbdec7a25fe2615164e5f9886
httpauth-firebase/auth.go
Rene Nochebuena 2c90fe22bf refactor(httpauth-firebase)!: delegate enrichment and authz to httpauth v0.1.0 
EnrichmentMiddleware, AuthzMiddleware, IdentityEnricher, PermissionProvider,
and related types are removed from this module. They now live in
code.nochebuena.dev/go/httpauth, the provider-agnostic middleware layer.

AuthMiddleware is updated to call httpauth.SetTokenData, fulfilling the
integration contract between provider-specific auth and generic middleware.
This module now has a single responsibility: Firebase JWT verification.

BREAKING CHANGE: IdentityEnricher, PermissionProvider, EnrichmentMiddleware,
AuthzMiddleware, and WithTenantHeader are no longer exported from this package.
Import code.nochebuena.dev/go/httpauth for those identifiers.
2026-05-07 21:57:01 -06:00

53 lines
1.6 KiB
Go
Raw Blame History

package httpauth
import (
"context"
"net/http"
"path"
"strings"
"firebase.google.com/go/v4/auth"
httpauthmw "code.nochebuena.dev/go/httpauth"
)
// TokenVerifier abstracts Firebase JWT verification.
// *auth.Client satisfies this interface directly — no adapter needed in production.
// Retained solely for unit-test mockability.
type TokenVerifier interface {
VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken string) (*auth.Token, error)
}
// AuthMiddleware verifies the Bearer token and injects uid + claims into the
// request context via httpauth.SetTokenData. Requests to publicPaths are skipped
// without token verification (wildcards supported via path.Match).
// Returns 401 on missing or invalid tokens.
func AuthMiddleware(verifier TokenVerifier, publicPaths []string) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
for _, pattern := range publicPaths {
if matched, _ := path.Match(pattern, r.URL.Path); matched {
next.ServeHTTP(w, r)
return
}
}
authHeader := r.Header.Get("Authorization")
if !strings.HasPrefix(authHeader, "Bearer ") {
http.Error(w, "unauthorized", http.StatusUnauthorized)
return
}
token := strings.TrimPrefix(authHeader, "Bearer ")
decoded, err := verifier.VerifyIDTokenAndCheckRevoked(r.Context(), token)
if err != nil {
http.Error(w, "unauthorized", http.StatusUnauthorized)
return
}
ctx := httpauthmw.SetTokenData(r.Context(), decoded.UID, decoded.Claims)
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}
Reference in New Issue View Git Blame Copy Permalink