fix(httpauth): wildcard resource fallback, json.Number precision, xerrors JSON error bodies #1

Merged
Rene Nochebuena merged 1 commits from fix/httpauth-v1.0.2 into main 2026-05-18 14:15:12 -06:00

ClaimsPermissionProvider.ResolveMask now falls back to the "" resource key when the
exact resource is absent in the JWT masks claim. Specific resource takes precedence;
wildcard is the fallback. Enables ADMIN wildcard masks ({"
": MaxInt64}) to pass every
endpoint guard without per-resource entries.

Add json.Number handling alongside existing int64/float64 paths. json.Number is
produced by jwt.WithJSONNumber() (httpauth-jwt) and preserves math.MaxInt64 exactly —
float64 would round to 2^63 and overflow on cast back to int64.

Export WriteJSONError(w, status, code, message) — shared JSON error helper for all
httpauth-* provider packages. Ensures a consistent {"code":"...","message":"..."} body
and Content-Type: application/json across the full middleware stack.

AuthzMiddleware and EnrichmentMiddleware now use WriteJSONError with xerrors code
constants (UNAUTHENTICATED, PERMISSION_DENIED, INTERNAL) instead of http.Error which
writes text/plain. AuthzMiddleware also fixes a wrong code string: UNAUTHORIZED →
UNAUTHENTICATED (stable gRPC-aligned name, matching xerrors.ErrUnauthorized).

Add xerrors v1.0.1 as a direct dependency for the code constants.

ClaimsPermissionProvider.ResolveMask now falls back to the "*" resource key when the exact resource is absent in the JWT masks claim. Specific resource takes precedence; wildcard is the fallback. Enables ADMIN wildcard masks ({"*": MaxInt64}) to pass every endpoint guard without per-resource entries. Add json.Number handling alongside existing int64/float64 paths. json.Number is produced by jwt.WithJSONNumber() (httpauth-jwt) and preserves math.MaxInt64 exactly — float64 would round to 2^63 and overflow on cast back to int64. Export WriteJSONError(w, status, code, message) — shared JSON error helper for all httpauth-* provider packages. Ensures a consistent {"code":"...","message":"..."} body and Content-Type: application/json across the full middleware stack. AuthzMiddleware and EnrichmentMiddleware now use WriteJSONError with xerrors code constants (UNAUTHENTICATED, PERMISSION_DENIED, INTERNAL) instead of http.Error which writes text/plain. AuthzMiddleware also fixes a wrong code string: UNAUTHORIZED → UNAUTHENTICATED (stable gRPC-aligned name, matching xerrors.ErrUnauthorized). Add xerrors v1.0.1 as a direct dependency for the code constants.
Rene Nochebuena added 1 commit 2026-05-18 14:14:42 -06:00
ClaimsPermissionProvider.ResolveMask now falls back to the "*" resource key when the
exact resource is absent in the JWT masks claim. Specific resource takes precedence;
wildcard is the fallback. Enables ADMIN wildcard masks ({"*": MaxInt64}) to pass every
endpoint guard without per-resource entries.

Add json.Number handling alongside existing int64/float64 paths. json.Number is
produced by jwt.WithJSONNumber() (httpauth-jwt) and preserves math.MaxInt64 exactly —
float64 would round to 2^63 and overflow on cast back to int64.

Export WriteJSONError(w, status, code, message) — shared JSON error helper for all
httpauth-* provider packages. Ensures a consistent {"code":"...","message":"..."} body
and Content-Type: application/json across the full middleware stack.

AuthzMiddleware and EnrichmentMiddleware now use WriteJSONError with xerrors code
constants (UNAUTHENTICATED, PERMISSION_DENIED, INTERNAL) instead of http.Error which
writes text/plain. AuthzMiddleware also fixes a wrong code string: UNAUTHORIZED →
UNAUTHENTICATED (stable gRPC-aligned name, matching xerrors.ErrUnauthorized).

Add xerrors v1.0.1 as a direct dependency for the code constants.
Rene Nochebuena requested review from CoreDevelopers 2026-05-18 14:14:43 -06:00
Rene Nochebuena requested review from Agents 2026-05-18 14:14:43 -06:00
Rene Nochebuena merged commit 601e6a5144 into main 2026-05-18 14:15:12 -06:00
Rene Nochebuena deleted branch fix/httpauth-v1.0.2 2026-05-18 14:15:13 -06:00
Sign in to join this conversation.
No Reviewers
go/CoreDevelopers
go/Agents
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: go/httpauth#1