Commit Graph

4 Commits

Author SHA1 Message Date
1faab9a604 fix(httpauth-jwt): WithJSONNumber in Verify, JSON errors in AuthMiddleware, bump httpauth v1.0.2
Pass jwt.WithJSONNumber() to jwt.Parse in hmacSigner.Verify, rsaSigner.Verify, and
rsaPublicVerifier.Verify. JWT numbers (including permission bitmasks) are now decoded
as json.Number instead of float64 — exact parsing for all integers including
math.MaxInt64 (the ADMIN wildcard mask). Float64 would round MaxInt64 to 2^63 and
overflow back to math.MinInt64 on cast to int64.

AuthMiddleware now calls httpauth.WriteJSONError for all 401 responses instead of
http.Error. Standardizes the error format across the full httpauth-* middleware stack:
AuthMiddleware (httpauth-jwt), EnrichmentMiddleware, and AuthzMiddleware (httpauth)
all produce {"code":"UNAUTHENTICATED"|"PERMISSION_DENIED"|"INTERNAL","message":"..."}.

Update two existing tests (TestIssueTokenPair_CustomClaims,
TestRefreshTokenPair_CustomClaimsInNewToken) to assert json.Number instead of float64
— they were correct before WithJSONNumber, now reflect the actual decoded type.

Add TestVerify_JSONNumberPreservesMaxInt64: issues a token with math.MaxInt64 as a
bitmask, verifies it, and asserts the decoded value is exactly math.MaxInt64 via
json.Number.Int64() — proving no float64 round-trip occurs.

Add TestAuthMiddleware_UnauthorizedJSON: asserts the 401 response is
Content-Type: application/json with body {"code":"UNAUTHENTICATED","message":"..."}.

Bump httpauth dependency to v1.0.2.
2026-05-18 14:38:28 -06:00
9e29f60f67 chore: bump go directive from 1.25 to 1.26 2026-05-12 02:06:47 +00:00
b9a5cc2f92 fix(httpauth-jwt)!: rename package httpauthjwt, bump httpauth and rbac to v1.0.0
Rename package from jwtauth to httpauthjwt to follow ecosystem convention
(repo name = package name, hyphens removed). Bump httpauth dependency from
v0.1.0 to v1.0.0 and rbac indirect dependency from v0.9.0 to v1.0.0.

BREAKING CHANGE: import path unchanged (code.nochebuena.dev/go/httpauth-jwt)
but package identifier changes from jwtauth to httpauthjwt — update all usages
accordingly.
2026-05-07 23:51:16 -06:00
d8773b0f9f feat(httpauth-jwt): initial release — self-issued JWT auth middleware v1.0.0
Provides AuthMiddleware (calls httpauth.SetTokenData, accepts Verifier or Signer),
IssueTokenPair (access + refresh tokens as jwt.MapClaims, custom claims at top
level for ClaimsPermissionProvider compatibility), RefreshTokenPair (blacklist
check + rotation + re-issue), and Signer/Verifier implementations for HMAC-SHA256
and RSA-SHA256 including PEM loaders and a public-key-only Verifier for read-only
microservices.
2026-05-07 22:18:04 -06:00