feat(httpauth): initial release — provider-agnostic HTTP auth middleware

Provides SetTokenData for upstream AuthMiddleware implementations, EnrichmentMiddleware and AuthzMiddleware compatible with any provider that calls SetTokenData, ClaimsPermissionProvider for JWT-embedded permissions, and CachedPermissionProvider for TTL-backed runtime resolution via any Cache implementation.
2026-05-07 21:37:25 -06:00
commit 18e5a16f7e
16 changed files with 879 additions and 0 deletions
--- a/authz.go
+++ b/authz.go
@@ -0,0 +1,32 @@
+package httpauth
+
+import (
+	"net/http"
+
+	"code.nochebuena.dev/go/rbac"
+)
+
+// AuthzMiddleware reads the rbac.Identity from context (set by EnrichmentMiddleware)
+// and gates the request against the required permission on resource.
+// Uses rbac.PermissionProvider directly — no local redefinition of the interface.
+// Returns 401 if no identity is in context.
+// Returns 403 if the identity lacks the required permission or if the provider errors.
+func AuthzMiddleware(provider rbac.PermissionProvider, resource string, required rbac.Permission) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			identity, ok := rbac.FromContext(r.Context())
+			if !ok {
+				http.Error(w, "unauthorized", http.StatusUnauthorized)
+				return
+			}
+
+			mask, err := provider.ResolveMask(r.Context(), identity.UID, resource)
+			if err != nil || !mask.Has(required) {
+				http.Error(w, "forbidden", http.StatusForbidden)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}