go/todo-api
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity
Files
3fcba8244889c52eb1dadd8c208125adfb99fc1d
todo-api/internal/middleware/auth.go
Rene Nochebuena 3fcba82448 feat(todo-api): add full-stack POC demonstrating micro-lib v0.9.0 
Runnable REST API exercising every micro-lib tier in a containerless setup: N-layer architecture, SQLite persistence, header-based auth simulating Firebase output, and bit-mask RBAC enforcement.

What's included:
- cmd/todo-api: minimal main delegating to application.Run
- internal/application: full object graph wiring — launcher, sqlite, httpserver, httpmw stack, routes in BeforeStart
- internal/domain: User entity, ResourceTodos constant, PermReadTodo/PermWriteTodo bit positions
- internal/repository: TodoRepository, UserRepository, DBPermissionProvider (SQLite via modernc)
- internal/service: TodoService, UserService with interface-based dependencies
- internal/handler: TodoHandler, UserHandler using httputil adapters and valid for input validation
- internal/middleware: Auth (X-User-ID → rbac.Identity) and Require (bit-mask permission gate)
- logAdapter: bridges logz.Logger.With return type to httpmw.Logger interface
- SQLite schema: users, user_role (bitmask), todos; migrations run in BeforeStart
- Routes: POST /users (open), GET+POST /todos (RBAC), GET /users (RBAC)

Tested-via: todo-api POC integration
Reviewed-against: docs/adr/
2026-03-19 13:55:08 +00:00

38 lines
1.1 KiB
Go
Raw Blame History

package middleware
import (
"net/http"
"code.nochebuena.dev/go/rbac"
"code.nochebuena.dev/go/todo-api/internal/repository"
)
// Auth reads the X-User-ID request header, looks up the user in the database,
// and stores an rbac.Identity in the context.
//
// Returns 401 if the header is absent or the user ID is not found — the two
// cases are intentionally indistinguishable to callers.
func Auth(userRepo repository.UserRepository) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
uid := r.Header.Get("X-User-ID")
if uid == "" {
http.Error(w, `{"code":"UNAUTHENTICATED","message":"missing X-User-ID header"}`,
http.StatusUnauthorized)
return
}
user, err := userRepo.FindByID(r.Context(), uid)
if err != nil {
http.Error(w, `{"code":"UNAUTHENTICATED","message":"user not found"}`,
http.StatusUnauthorized)
return
}
identity := rbac.NewIdentity(user.ID, user.Name, user.Email)
ctx := rbac.SetInContext(r.Context(), identity)
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}
Reference in New Issue View Git Blame Copy Permalink