fix(httpauth): wildcard resource fallback, json.Number precision, xerrors JSON error bodies #1
Reference in New Issue
Block a user
Delete Branch "fix/httpauth-v1.0.2"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
ClaimsPermissionProvider.ResolveMask now falls back to the "" resource key when the
exact resource is absent in the JWT masks claim. Specific resource takes precedence;
wildcard is the fallback. Enables ADMIN wildcard masks ({"": MaxInt64}) to pass every
endpoint guard without per-resource entries.
Add json.Number handling alongside existing int64/float64 paths. json.Number is
produced by jwt.WithJSONNumber() (httpauth-jwt) and preserves math.MaxInt64 exactly —
float64 would round to 2^63 and overflow on cast back to int64.
Export WriteJSONError(w, status, code, message) — shared JSON error helper for all
httpauth-* provider packages. Ensures a consistent {"code":"...","message":"..."} body
and Content-Type: application/json across the full middleware stack.
AuthzMiddleware and EnrichmentMiddleware now use WriteJSONError with xerrors code
constants (UNAUTHENTICATED, PERMISSION_DENIED, INTERNAL) instead of http.Error which
writes text/plain. AuthzMiddleware also fixes a wrong code string: UNAUTHORIZED →
UNAUTHENTICATED (stable gRPC-aligned name, matching xerrors.ErrUnauthorized).
Add xerrors v1.0.1 as a direct dependency for the code constants.
ClaimsPermissionProvider.ResolveMask now falls back to the "*" resource key when the exact resource is absent in the JWT masks claim. Specific resource takes precedence; wildcard is the fallback. Enables ADMIN wildcard masks ({"*": MaxInt64}) to pass every endpoint guard without per-resource entries. Add json.Number handling alongside existing int64/float64 paths. json.Number is produced by jwt.WithJSONNumber() (httpauth-jwt) and preserves math.MaxInt64 exactly — float64 would round to 2^63 and overflow on cast back to int64. Export WriteJSONError(w, status, code, message) — shared JSON error helper for all httpauth-* provider packages. Ensures a consistent {"code":"...","message":"..."} body and Content-Type: application/json across the full middleware stack. AuthzMiddleware and EnrichmentMiddleware now use WriteJSONError with xerrors code constants (UNAUTHENTICATED, PERMISSION_DENIED, INTERNAL) instead of http.Error which writes text/plain. AuthzMiddleware also fixes a wrong code string: UNAUTHORIZED → UNAUTHENTICATED (stable gRPC-aligned name, matching xerrors.ErrUnauthorized). Add xerrors v1.0.1 as a direct dependency for the code constants.