auth.go

package httpauthjwt

import (
	"net/http"
	"path"
	"strings"

	"github.com/golang-jwt/jwt/v5"

	httpauthmw "code.nochebuena.dev/go/httpauth"
)

// AuthMiddleware verifies the Bearer access token and injects uid + claims into
// the request context via httpauth.SetTokenData. Downstream middleware
// (EnrichmentMiddleware, AuthzMiddleware, ClaimsPermissionProvider) from
// code.nochebuena.dev/go/httpauth reads them transparently.
//
// Accepts a Verifier — pass a Signer or a NewRSAPublicKeyVerifier depending on
// whether the service issues tokens.
//
// Requests to publicPaths are skipped without token verification (wildcards
// supported via path.Match). Returns 401 on missing, invalid, or expired tokens.
func AuthMiddleware(verifier Verifier, publicPaths []string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			for _, pattern := range publicPaths {
				if matched, _ := path.Match(pattern, r.URL.Path); matched {
					next.ServeHTTP(w, r)
					return
				}
			}

			authHeader := r.Header.Get("Authorization")
			if !strings.HasPrefix(authHeader, "Bearer ") {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			tokenStr := strings.TrimPrefix(authHeader, "Bearer ")

			token, err := verifier.Verify(tokenStr)
			if err != nil {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}

			claims, ok := token.Claims.(jwt.MapClaims)
			if !ok {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}

			uid, _ := claims["sub"].(string)
			if uid == "" {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}

			ctx := httpauthmw.SetTokenData(r.Context(), uid, map[string]any(claims))
			next.ServeHTTP(w, r.WithContext(ctx))
		})
	}
}
fix(httpauth-jwt)!: rename package httpauthjwt, bump httpauth and rbac to v1.0.0 Rename package from jwtauth to httpauthjwt to follow ecosystem convention (repo name = package name, hyphens removed). Bump httpauth dependency from v0.1.0 to v1.0.0 and rbac indirect dependency from v0.9.0 to v1.0.0. BREAKING CHANGE: import path unchanged (code.nochebuena.dev/go/httpauth-jwt) but package identifier changes from jwtauth to httpauthjwt — update all usages accordingly. 2026-05-07 23:51:16 -06:00			`package httpauthjwt`
feat(httpauth-jwt): initial release — self-issued JWT auth middleware v1.0.0 Provides AuthMiddleware (calls httpauth.SetTokenData, accepts Verifier or Signer), IssueTokenPair (access + refresh tokens as jwt.MapClaims, custom claims at top level for ClaimsPermissionProvider compatibility), RefreshTokenPair (blacklist check + rotation + re-issue), and Signer/Verifier implementations for HMAC-SHA256 and RSA-SHA256 including PEM loaders and a public-key-only Verifier for read-only microservices. 2026-05-07 22:18:04 -06:00
			`import (`
			`"net/http"`
			`"path"`
			`"strings"`

			`"github.com/golang-jwt/jwt/v5"`

			`httpauthmw "code.nochebuena.dev/go/httpauth"`
			`)`

			`// AuthMiddleware verifies the Bearer access token and injects uid + claims into`
			`// the request context via httpauth.SetTokenData. Downstream middleware`
			`// (EnrichmentMiddleware, AuthzMiddleware, ClaimsPermissionProvider) from`
			`// code.nochebuena.dev/go/httpauth reads them transparently.`
			`//`
			`// Accepts a Verifier — pass a Signer or a NewRSAPublicKeyVerifier depending on`
			`// whether the service issues tokens.`
			`//`
			`// Requests to publicPaths are skipped without token verification (wildcards`
			`// supported via path.Match). Returns 401 on missing, invalid, or expired tokens.`
			`func AuthMiddleware(verifier Verifier, publicPaths []string) func(http.Handler) http.Handler {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`for _, pattern := range publicPaths {`
			`if matched, _ := path.Match(pattern, r.URL.Path); matched {`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
			`}`

			`authHeader := r.Header.Get("Authorization")`
			`if !strings.HasPrefix(authHeader, "Bearer ") {`
			`http.Error(w, "unauthorized", http.StatusUnauthorized)`
			`return`
			`}`
			`tokenStr := strings.TrimPrefix(authHeader, "Bearer ")`

			`token, err := verifier.Verify(tokenStr)`
			`if err != nil {`
			`http.Error(w, "unauthorized", http.StatusUnauthorized)`
			`return`
			`}`

			`claims, ok := token.Claims.(jwt.MapClaims)`
			`if !ok {`
			`http.Error(w, "unauthorized", http.StatusUnauthorized)`
			`return`
			`}`

			`uid, _ := claims["sub"].(string)`
			`if uid == "" {`
			`http.Error(w, "unauthorized", http.StatusUnauthorized)`
			`return`
			`}`

			`ctx := httpauthmw.SetTokenData(r.Context(), uid, map[string]any(claims))`
			`next.ServeHTTP(w, r.WithContext(ctx))`
			`})`
			`}`
			`}`