fix(httpauth): wildcard resource fallback, json.Number precision, xerrors JSON error bodies (#1)
ClaimsPermissionProvider.ResolveMask now falls back to the "*" resource key when the
exact resource is absent in the JWT masks claim. Specific resource takes precedence;
wildcard is the fallback. Enables ADMIN wildcard masks ({"*": MaxInt64}) to pass every
endpoint guard without per-resource entries.
Add json.Number handling alongside existing int64/float64 paths. json.Number is
produced by jwt.WithJSONNumber() (httpauth-jwt) and preserves math.MaxInt64 exactly —
float64 would round to 2^63 and overflow on cast back to int64.
Export WriteJSONError(w, status, code, message) — shared JSON error helper for all
httpauth-* provider packages. Ensures a consistent {"code":"...","message":"..."} body
and Content-Type: application/json across the full middleware stack.
AuthzMiddleware and EnrichmentMiddleware now use WriteJSONError with xerrors code
constants (UNAUTHENTICATED, PERMISSION_DENIED, INTERNAL) instead of http.Error which
writes text/plain. AuthzMiddleware also fixes a wrong code string: UNAUTHORIZED →
UNAUTHENTICATED (stable gRPC-aligned name, matching xerrors.ErrUnauthorized).
Add xerrors v1.0.1 as a direct dependency for the code constants.
Reviewed-on: #1
Co-authored-by: Rene Nochebuena Guerrero <rene@nochebuena.dev>
Co-committed-by: Rene Nochebuena Guerrero <rene@nochebuena.dev>
This commit was merged in pull request #1.
This commit is contained in:
32
CHANGELOG.md
32
CHANGELOG.md
@@ -5,6 +5,38 @@ All notable changes to this module will be documented in this file.
|
||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||
and this module adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [1.0.2] — 2026-05-18
|
||||
|
||||
### Added
|
||||
|
||||
- `ClaimsPermissionProvider.ResolveMask` now supports a wildcard resource key `"*"` as
|
||||
a fallback when the requested resource is not present in the JWT masks claim. Specific
|
||||
resource key takes precedence; wildcard is consulted only when the exact key is absent.
|
||||
Primary use case: `ADMIN` role carries `{"*": MaxInt64}` — one JWT entry grants access
|
||||
to every resource without per-resource enumeration.
|
||||
- `ClaimsPermissionProvider.ResolveMask` now handles `json.Number` mask values in
|
||||
addition to the existing `int64` and `float64` paths. `json.Number` is produced by
|
||||
`jwt.WithJSONNumber()` (used in `httpauth-jwt`); it preserves `math.MaxInt64` exactly
|
||||
where float64 would overflow.
|
||||
- `WriteJSONError(w http.ResponseWriter, status int, code, message string)` — exported
|
||||
helper that writes a structured JSON error body (`Content-Type: application/json`,
|
||||
`{"code":"...","message":"..."}`). Intended for use by all `httpauth-*` provider
|
||||
packages so the error format is enforced in one place.
|
||||
|
||||
### Fixed
|
||||
|
||||
- `AuthzMiddleware` and `EnrichmentMiddleware` now return JSON error bodies instead of
|
||||
plain-text `http.Error` responses. Error codes are stable gRPC-aligned names from
|
||||
`xerrors`: `UNAUTHENTICATED` (401), `PERMISSION_DENIED` (403), `INTERNAL` (500).
|
||||
Previously `AuthzMiddleware` also used the wrong code `UNAUTHORIZED` for 401 responses
|
||||
(correct value is `UNAUTHENTICATED`).
|
||||
|
||||
### Dependencies
|
||||
|
||||
- Added `code.nochebuena.dev/go/xerrors v1.0.1` (for code constants in error responses).
|
||||
|
||||
[1.0.2]: https://code.nochebuena.dev/go/httpauth/releases/tag/v1.0.2
|
||||
|
||||
## [1.0.0] — 2026-05-08
|
||||
|
||||
### Added
|
||||
|
||||
Reference in New Issue
Block a user