feat(todo-api): add full-stack POC demonstrating micro-lib v0.9.0

Runnable REST API exercising every micro-lib tier in a containerless setup: N-layer architecture, SQLite persistence, header-based auth simulating Firebase output, and bit-mask RBAC enforcement. What's included: - cmd/todo-api: minimal main delegating to application.Run - internal/application: full object graph wiring — launcher, sqlite, httpserver, httpmw stack, routes in BeforeStart - internal/domain: User entity, ResourceTodos constant, PermReadTodo/PermWriteTodo bit positions - internal/repository: TodoRepository, UserRepository, DBPermissionProvider (SQLite via modernc) - internal/service: TodoService, UserService with interface-based dependencies - internal/handler: TodoHandler, UserHandler using httputil adapters and valid for input validation - internal/middleware: Auth (X-User-ID → rbac.Identity) and Require (bit-mask permission gate) - logAdapter: bridges logz.Logger.With return type to httpmw.Logger interface - SQLite schema: users, user_role (bitmask), todos; migrations run in BeforeStart - Routes: POST /users (open), GET+POST /todos (RBAC), GET /users (RBAC) Tested-via: todo-api POC integration Reviewed-against: docs/adr/
2026-03-19 13:55:08 +00:00
commit 3fcba82448
23 changed files with 1143 additions and 0 deletions
--- a/internal/middleware/auth.go
+++ b/internal/middleware/auth.go
@@ -0,0 +1,37 @@
+package middleware
+
+import (
+	"net/http"
+
+	"code.nochebuena.dev/go/rbac"
+	"code.nochebuena.dev/go/todo-api/internal/repository"
+)
+
+// Auth reads the X-User-ID request header, looks up the user in the database,
+// and stores an rbac.Identity in the context.
+//
+// Returns 401 if the header is absent or the user ID is not found — the two
+// cases are intentionally indistinguishable to callers.
+func Auth(userRepo repository.UserRepository) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			uid := r.Header.Get("X-User-ID")
+			if uid == "" {
+				http.Error(w, `{"code":"UNAUTHENTICATED","message":"missing X-User-ID header"}`,
+					http.StatusUnauthorized)
+				return
+			}
+
+			user, err := userRepo.FindByID(r.Context(), uid)
+			if err != nil {
+				http.Error(w, `{"code":"UNAUTHENTICATED","message":"user not found"}`,
+					http.StatusUnauthorized)
+				return
+			}
+
+			identity := rbac.NewIdentity(user.ID, user.Name, user.Email)
+			ctx := rbac.SetInContext(r.Context(), identity)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
--- a/internal/middleware/rbac.go
+++ b/internal/middleware/rbac.go
@@ -0,0 +1,42 @@
+package middleware
+
+import (
+	"net/http"
+
+	"code.nochebuena.dev/go/rbac"
+)
+
+// Require guards a handler: it reads the rbac.Identity from context (set by Auth),
+// resolves the permission mask from the provider, and rejects the request with 403
+// if any of the required permission bits are not set.
+//
+// Must be chained after Auth so that an identity is guaranteed in context.
+func Require(provider rbac.PermissionProvider, resource string, perms ...rbac.Permission) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			identity, ok := rbac.FromContext(r.Context())
+			if !ok {
+				http.Error(w, `{"code":"PERMISSION_DENIED","message":"no identity in context"}`,
+					http.StatusForbidden)
+				return
+			}
+
+			mask, err := provider.ResolveMask(r.Context(), identity.UID, resource)
+			if err != nil {
+				http.Error(w, `{"code":"INTERNAL","message":"could not resolve permissions"}`,
+					http.StatusInternalServerError)
+				return
+			}
+
+			for _, p := range perms {
+				if !mask.Has(p) {
+					http.Error(w, `{"code":"PERMISSION_DENIED","message":"insufficient permissions"}`,
+						http.StatusForbidden)
+					return
+				}
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}