internal/middleware/auth.go

package middleware

import (
	"net/http"

	"code.nochebuena.dev/go/rbac"
	"code.nochebuena.dev/go/todo-api/internal/repository"
)

// Auth reads the X-User-ID request header, looks up the user in the database,
// and stores an rbac.Identity in the context.
//
// Returns 401 if the header is absent or the user ID is not found — the two
// cases are intentionally indistinguishable to callers.
func Auth(userRepo repository.UserRepository) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			uid := r.Header.Get("X-User-ID")
			if uid == "" {
				http.Error(w, `{"code":"UNAUTHENTICATED","message":"missing X-User-ID header"}`,
					http.StatusUnauthorized)
				return
			}

			user, err := userRepo.FindByID(r.Context(), uid)
			if err != nil {
				http.Error(w, `{"code":"UNAUTHENTICATED","message":"user not found"}`,
					http.StatusUnauthorized)
				return
			}

			identity := rbac.NewIdentity(user.ID, user.Name, user.Email)
			ctx := rbac.SetInContext(r.Context(), identity)
			next.ServeHTTP(w, r.WithContext(ctx))
		})
	}
}
feat(todo-api): add full-stack POC demonstrating micro-lib v0.9.0 Runnable REST API exercising every micro-lib tier in a containerless setup: N-layer architecture, SQLite persistence, header-based auth simulating Firebase output, and bit-mask RBAC enforcement. What's included: - cmd/todo-api: minimal main delegating to application.Run - internal/application: full object graph wiring — launcher, sqlite, httpserver, httpmw stack, routes in BeforeStart - internal/domain: User entity, ResourceTodos constant, PermReadTodo/PermWriteTodo bit positions - internal/repository: TodoRepository, UserRepository, DBPermissionProvider (SQLite via modernc) - internal/service: TodoService, UserService with interface-based dependencies - internal/handler: TodoHandler, UserHandler using httputil adapters and valid for input validation - internal/middleware: Auth (X-User-ID → rbac.Identity) and Require (bit-mask permission gate) - logAdapter: bridges logz.Logger.With return type to httpmw.Logger interface - SQLite schema: users, user_role (bitmask), todos; migrations run in BeforeStart - Routes: POST /users (open), GET+POST /todos (RBAC), GET /users (RBAC) Tested-via: todo-api POC integration Reviewed-against: docs/adr/ 2026-03-19 13:55:08 +00:00			`package middleware`

			`import (`
			`"net/http"`

			`"code.nochebuena.dev/go/rbac"`
			`"code.nochebuena.dev/go/todo-api/internal/repository"`
			`)`

			`// Auth reads the X-User-ID request header, looks up the user in the database,`
			`// and stores an rbac.Identity in the context.`
			`//`
			`// Returns 401 if the header is absent or the user ID is not found — the two`
			`// cases are intentionally indistinguishable to callers.`
			`func Auth(userRepo repository.UserRepository) func(http.Handler) http.Handler {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`uid := r.Header.Get("X-User-ID")`
			`if uid == "" {`
			http.Error(w, `{"code":"UNAUTHENTICATED","message":"missing X-User-ID header"}`,
			`http.StatusUnauthorized)`
			`return`
			`}`

			`user, err := userRepo.FindByID(r.Context(), uid)`
			`if err != nil {`
			http.Error(w, `{"code":"UNAUTHENTICATED","message":"user not found"}`,
			`http.StatusUnauthorized)`
			`return`
			`}`

			`identity := rbac.NewIdentity(user.ID, user.Name, user.Email)`
			`ctx := rbac.SetInContext(r.Context(), identity)`
			`next.ServeHTTP(w, r.WithContext(ctx))`
			`})`
			`}`
			`}`