Rename package from httpauth to httpauthfirebase to follow ecosystem convention (repo name = package name, hyphens removed). Bump httpauth dependency from v0.1.0 to v1.0.0 and rbac indirect dependency from v0.9.0 to v1.0.0. BREAKING CHANGE: import path unchanged (code.nochebuena.dev/go/httpauth-firebase) but package identifier changes from httpauth to httpauthfirebase — remove any import alias previously used to disambiguate from code.nochebuena.dev/go/httpauth.
46 lines
4.1 KiB
Markdown
# Changelog

All notable changes to this module will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this module adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [1.0.0] - 2026-05-08

### Changed

- Package renamed from `httpauth` to `httpauthfirebase` — follows ecosystem convention
  (`repo name = package name`, hyphens removed); import path is unchanged
  (`code.nochebuena.dev/go/httpauth-firebase`); remove any alias previously used to
  disambiguate from `code.nochebuena.dev/go/httpauth`
- `EnrichmentMiddleware`, `AuthzMiddleware`, `IdentityEnricher`, `PermissionProvider`,
  `WithTenantHeader`, and `EnrichOpt` removed; they now live in
  `code.nochebuena.dev/go/httpauth` (provider-agnostic middleware layer)
- `AuthMiddleware` updated to call `httpauth.SetTokenData` — fulfills the integration
  contract between provider-specific auth and generic middleware
- Dependency `code.nochebuena.dev/go/httpauth` bumped to v1.0.0
- Dependency `code.nochebuena.dev/go/rbac` bumped to v1.0.0 (indirect)

[1.0.0]: https://code.nochebuena.dev/go/httpauth-firebase/releases/tag/v1.0.0

## [0.9.0] - 2026-03-18

### Added

- `TokenVerifier` interface — abstracts `*auth.Client` for unit-test mockability; `*auth.Client` satisfies it directly in production via its `VerifyIDTokenAndCheckRevoked` method
- `IdentityEnricher` interface — application-implemented; receives `uid string` and `claims map[string]any`, returns `rbac.Identity`; called by `EnrichmentMiddleware` on every request
- `PermissionProvider` interface — application-implemented; receives `uid` and `resource` string, returns `rbac.PermissionMask`; called by `AuthzMiddleware` on every request
- `EnrichOpt` functional option type for configuring `EnrichmentMiddleware`
- `WithTenantHeader(header string) EnrichOpt` — reads a tenant ID from the named request header and attaches it to the identity via `rbac.Identity.WithTenant`; absent header leaves `TenantID` as an empty string with no error
- `AuthMiddleware(verifier TokenVerifier, publicPaths []string) func(http.Handler) http.Handler` — verifies `Authorization: Bearer <token>` via Firebase JWT verification and injects the verified `uid` and raw claims into the request context under unexported typed keys; paths matching any pattern in `publicPaths` bypass token verification (glob patterns via `path.Match`, `*` wildcard supported); returns 401 on missing or invalid tokens
- `EnrichmentMiddleware(enricher IdentityEnricher, opts ...EnrichOpt) func(http.Handler) http.Handler` — reads the uid and claims stored by `AuthMiddleware`, calls `enricher.Enrich`, and stores the resulting `rbac.Identity` in context via `rbac.SetInContext`; returns 401 if `AuthMiddleware` has not run upstream; returns 500 if the enricher fails
- `AuthzMiddleware(provider PermissionProvider, resource string, required rbac.Permission) func(http.Handler) http.Handler` — reads `rbac.Identity` from context via `rbac.FromContext`, resolves the permission mask for the identity's UID on `resource`, and gates the request against the required permission bit; returns 401 if no identity is in context; returns 403 if the permission check fails or the provider returns an error

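Added example (not part of this module's code): a check of which routes a `publicPaths` list would exempt from token verification, assuming each pattern is applied with `path.Match` to the request path as the `AuthMiddleware` entry describes. The function name `publicBypass`, the patterns and the routes are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
)

// Constructed sample input: a publicPaths list and the routes an app serves.
var samplePublicPaths = []string{"/healthz", "/docs/*", "/v1/status*", "/admin/["}
var sampleRoutes = []string{
	"/healthz", "/docs/index.html", "/docs/api/internal.json",
	"/v1/status", "/v1/status-admin", "/v1/users", "/admin/users",
}

// publicBypass returns, for each route that would skip token verification,
// the first pattern that matched it, plus any malformed patterns.
// Assumption: patterns are applied with path.Match to the request path.
func publicBypass(publicPaths, routes []string) (map[string]string, []string) {
	bypass := map[string]string{}
	var bad []string
	for _, pat := range publicPaths {
		for _, route := range routes {
			ok, err := path.Match(pat, route)
			if err != nil { // path.ErrBadPattern: never treat as public
				bad = append(bad, pat)
				break
			}
			if _, seen := bypass[route]; ok && !seen {
				bypass[route] = pat
			}
		}
	}
	return bypass, bad
}

func main() {
	bypass, bad := publicBypass(samplePublicPaths, sampleRoutes)
	for _, route := range sampleRoutes {
		if pat, ok := bypass[route]; ok {
			fmt.Printf("PUBLIC  %-26s via %s\n", route, pat)
		} else {
			fmt.Printf("AUTH    %s\n", route)
		}
	}
	// "*" never crosses "/", so /docs/* leaves /docs/api/internal.json
	// protected, while /v1/status* also exposes /v1/status-admin.
	fmt.Println("malformed patterns:", bad)
}
```
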
### Design Notes

- The three middleware functions are intentionally separate so they can be applied at different scopes: `AuthMiddleware` at the root router, `EnrichmentMiddleware` on authenticated route groups, and `AuthzMiddleware` per-route or per-group with different resource and permission arguments
- The module is named `httpauth-firebase` rather than `httpauth` because it imports the Firebase SDK directly; other providers (`httpauth-auth0`, `httpauth-jwt`, etc.) are separate sibling modules that all converge on the same `rbac.Identity` output contract, which means downstream handlers and business logic never depend on a specific auth provider
- No logger parameter is accepted; errors are returned as plain-text HTTP responses, keeping the dependency surface to `rbac` and `firebase.google.com/go/v4` only

[0.9.0]: https://code.nochebuena.dev/go/httpauth-firebase/releases/tag/v0.9.0