-
Release v1.0.2 Stable
released this
2026-05-18 14:16:42 -06:00 | 0 commits to main since this releasev1.0.2
code.nochebuena.dev/go/httpauthOverview
v1.0.2 closes three gaps discovered during integration testing of RBAC-guarded
endpoints: wildcard resource support inClaimsPermissionProvider, exact numeric
precision formath.MaxInt64permission masks, and JSON-formatted error responses
across the fullhttpauth-*middleware stack.No breaking changes. All v1.0.x consumers can upgrade with
go get.What Changed Since v1.0.1
Wildcard resource fallback in ClaimsPermissionProvider
ResolveMasknow checks the requested resource key first, then falls back to"*"if
the resource is absent from the JWT masks claim:// JWT masks claim: {"*": 9223372036854775807} provider := httpauth.NewClaimsPermissionProvider("masks") mask, _ := provider.ResolveMask(ctx, uid, "any_resource") // returns MaxInt64 — wildcard hitThis enables the
ADMINsystem role to carry a single wildcard entry and pass every
endpoint guard without enumerating resources. Per-resource entries take precedence over
"*"when both are present.json.Number precision for high-bit masks
ResolveMasknow handles three numeric types from JWT claims:Type Source math.MaxInt64safe?int64Go construction ✓ float64Standard JWT parsing (no option) ✗ (rounds to 2^63) json.Numberjwt.WithJSONNumber()✓ (decimal string parse) httpauth-jwtv1.0.2 usesjwt.WithJSONNumber()in allVerifyimplementations,
so thejson.Numberpath is now active for all tokens in the standard stack.Unified JSON error bodies —
WriteJSONErrorNew exported function:
func WriteJSONError(w http.ResponseWriter, status int, code, message string)Writes a structured JSON error body matching the
httputil.Errorformat:
Content-Type: application/jsonwith body{"code":"...","message":"..."}.All three auth middlewares in the stack now use this function:
Middleware Condition Status Code httpauth-jwtAuthMiddlewareMissing/invalid/expired token 401 UNAUTHENTICATEDEnrichmentMiddlewareNo uid in context 401 UNAUTHENTICATEDEnrichmentMiddlewareEnricher returns error 500 INTERNALAuthzMiddlewareNo identity in context 401 UNAUTHENTICATEDAuthzMiddlewarePermission denied or provider error 403 PERMISSION_DENIEDPreviously all three used
http.Errorwhich writestext/plain.AuthzMiddleware
also had the wrong code stringUNAUTHORIZEDinstead ofUNAUTHENTICATED.Dependency
Added
code.nochebuena.dev/go/xerrors v1.0.1for the code constants.Migration
No breaking changes.
go get code.nochebuena.dev/go/httpauth@v1.0.2Downloads