middleware/auth.go

package middleware

import (
	"context"
	"fmt"
	"net/http"

	"github.com/99designs/gqlgen/graphql"
	"github.com/golang-jwt/jwt/v5"

	"gitlab.com/unboundsoftware/schemas/domain"
)

const (
	UserKey         = ContextKey("user")
	OrganizationKey = ContextKey("organization")
)

type Cache interface {
	OrganizationByAPIKey(apiKey string) *domain.Organization
}

func NewAuth(cache Cache) *AuthMiddleware {
	return &AuthMiddleware{
		cache: cache,
	}
}

type AuthMiddleware struct {
	cache Cache
}

func (m *AuthMiddleware) Handler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := r.Context()
		token, err := TokenFromContext(r.Context())
		if err != nil {
			w.WriteHeader(http.StatusInternalServerError)
			_, _ = w.Write([]byte("Invalid JWT token format"))
			return
		}
		if token != nil {
			ctx = context.WithValue(ctx, UserKey, token.Claims.(jwt.MapClaims)["sub"])
		}
		apiKey, err := ApiKeyFromContext(r.Context())
		if err != nil {
			w.WriteHeader(http.StatusInternalServerError)
			_, _ = w.Write([]byte("Invalid API Key format"))
			return
		}
		// Cache handles hash comparison internally
		organization := m.cache.OrganizationByAPIKey(apiKey)
		if organization != nil {
			ctx = context.WithValue(ctx, OrganizationKey, *organization)
		}

		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

func UserFromContext(ctx context.Context) string {
	if value := ctx.Value(UserKey); value != nil {
		if u, ok := value.(string); ok {
			return u
		}
	}
	return ""
}

func UserHasRole(ctx context.Context, role string) bool {
	token, err := TokenFromContext(ctx)
	if err != nil || token == nil {
		return false
	}

	claims, ok := token.Claims.(jwt.MapClaims)
	if !ok {
		return false
	}

	// Check the custom roles claim
	rolesInterface, ok := claims["https://unbound.se/roles"]
	if !ok {
		return false
	}

	roles, ok := rolesInterface.([]interface{})
	if !ok {
		return false
	}

	for _, r := range roles {
		if roleStr, ok := r.(string); ok && roleStr == role {
			return true
		}
	}

	return false
}

func OrganizationFromContext(ctx context.Context) string {
	if value := ctx.Value(OrganizationKey); value != nil {
		if u, ok := value.(domain.Organization); ok {
			return u.ID.String()
		}
	}
	return ""
}

func (m *AuthMiddleware) Directive(ctx context.Context, _ interface{}, next graphql.Resolver, user *bool, organization *bool) (res interface{}, err error) {
	userRequired := user != nil && *user
	orgRequired := organization != nil && *organization

	u := UserFromContext(ctx)
	orgId := OrganizationFromContext(ctx)

	fmt.Printf("[Auth Directive] userRequired=%v, orgRequired=%v, hasUser=%v, hasOrg=%v\n",
		userRequired, orgRequired, u != "", orgId != "")

	// If both are required, it means EITHER is acceptable (OR logic)
	if userRequired && orgRequired {
		if u == "" && orgId == "" {
			fmt.Printf("[Auth Directive] REJECTED: Neither user nor organization available\n")
			return nil, fmt.Errorf("authentication required: provide either user token or organization API key")
		}
		fmt.Printf("[Auth Directive] ACCEPTED: Has user=%v OR organization=%v\n", u != "", orgId != "")
		return next(ctx)
	}

	// Only user required
	if userRequired {
		if u == "" {
			fmt.Printf("[Auth Directive] REJECTED: No user available\n")
			return nil, fmt.Errorf("no user available in request")
		}
		fmt.Printf("[Auth Directive] ACCEPTED: User authenticated\n")
	}

	// Only organization required
	if orgRequired {
		if orgId == "" {
			fmt.Printf("[Auth Directive] REJECTED: No organization available\n")
			return nil, fmt.Errorf("no organization available in request")
		}
		fmt.Printf("[Auth Directive] ACCEPTED: Organization authenticated\n")
	}

	return next(ctx)
}
feat: organizations and API keys 2023-04-27 07:09:10 +02:00			`package middleware`

			`import (`
			`"context"`
			`"fmt"`
			`"net/http"`

			`"github.com/99designs/gqlgen/graphql"`
fix(deps): update module github.com/golang-jwt/jwt/v4 to v5 2024-03-01 19:53:09 +00:00			`"github.com/golang-jwt/jwt/v5"`
feat: organizations and API keys 2023-04-27 07:09:10 +02:00
			`"gitlab.com/unboundsoftware/schemas/domain"`
			`)`

			`const (`
			`UserKey = ContextKey("user")`
			`OrganizationKey = ContextKey("organization")`
			`)`

			`type Cache interface {`
			`OrganizationByAPIKey(apiKey string) *domain.Organization`
			`}`

			`func NewAuth(cache Cache) *AuthMiddleware {`
			`return &AuthMiddleware{`
			`cache: cache,`
			`}`
			`}`

			`type AuthMiddleware struct {`
			`cache Cache`
			`}`

			`func (m *AuthMiddleware) Handler(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`ctx := r.Context()`
			`token, err := TokenFromContext(r.Context())`
			`if err != nil {`
			`w.WriteHeader(http.StatusInternalServerError)`
			`_, _ = w.Write([]byte("Invalid JWT token format"))`
			`return`
			`}`
			`if token != nil {`
			`ctx = context.WithValue(ctx, UserKey, token.Claims.(jwt.MapClaims)["sub"])`
			`}`
			`apiKey, err := ApiKeyFromContext(r.Context())`
			`if err != nil {`
			`w.WriteHeader(http.StatusInternalServerError)`
			`_, _ = w.Write([]byte("Invalid API Key format"))`
			`return`
			`}`
feat(cache): implement hashed API key storage and retrieval Adds a new hashed key storage mechanism for API keys in the cache. Replaces direct mapping to API keys with composite keys based on organizationId and name. Implements searching of API keys using hash comparisons for improved security. Updates related tests to ensure correct functionality and validate the hashing. Also, adds support for a new dependency `golang.org/x/crypto`. 2025-11-20 22:11:17 +01:00			`// Cache handles hash comparison internally`
			`organization := m.cache.OrganizationByAPIKey(apiKey)`
fix: enhance API key handling and logging in middleware Refactor API key processing to improve clarity and reduce code duplication. Introduce detailed logging for schema updates and initializations, capturing relevant context information. Use background context for async operations to avoid blocking. Implement organization lookup logic in the WebSocket init function for consistent API key handling across connections. 2025-11-20 08:09:00 +01:00			`if organization != nil {`
feat: organizations and API keys 2023-04-27 07:09:10 +02:00			`ctx = context.WithValue(ctx, OrganizationKey, *organization)`
			`}`

			`next.ServeHTTP(w, r.WithContext(ctx))`
			`})`
			`}`

			`func UserFromContext(ctx context.Context) string {`
			`if value := ctx.Value(UserKey); value != nil {`
			`if u, ok := value.(string); ok {`
			`return u`
			`}`
			`}`
			`return ""`
			`}`

feat: add commands for managing organizations and users Introduce `AddUserToOrganization`, `RemoveAPIKey`, and `RemoveOrganization` commands to enhance organization management. Implement validation for user addition and API key removal. Update GraphQL schema to support new mutations and add caching for the new events, ensuring that organizations and their relationships are accurately represented in the cache. 2025-11-22 18:37:07 +01:00			`func UserHasRole(ctx context.Context, role string) bool {`
			`token, err := TokenFromContext(ctx)`
			`if err != nil \|\| token == nil {`
			`return false`
			`}`

			`claims, ok := token.Claims.(jwt.MapClaims)`
			`if !ok {`
			`return false`
			`}`

			`// Check the custom roles claim`
			`rolesInterface, ok := claims["https://unbound.se/roles"]`
			`if !ok {`
			`return false`
			`}`

			`roles, ok := rolesInterface.([]interface{})`
			`if !ok {`
			`return false`
			`}`

			`for _, r := range roles {`
			`if roleStr, ok := r.(string); ok && roleStr == role {`
			`return true`
			`}`
			`}`

			`return false`
			`}`

feat: organizations and API keys 2023-04-27 07:09:10 +02:00			`func OrganizationFromContext(ctx context.Context) string {`
			`if value := ctx.Value(OrganizationKey); value != nil {`
			`if u, ok := value.(domain.Organization); ok {`
			`return u.ID.String()`
			`}`
			`}`
			`return ""`
			`}`

			`func (m AuthMiddleware) Directive(ctx context.Context, _ interface{}, next graphql.Resolver, user bool, organization *bool) (res interface{}, err error) {`
feat: add commands for managing organizations and users Introduce `AddUserToOrganization`, `RemoveAPIKey`, and `RemoveOrganization` commands to enhance organization management. Implement validation for user addition and API key removal. Update GraphQL schema to support new mutations and add caching for the new events, ensuring that organizations and their relationships are accurately represented in the cache. 2025-11-22 18:37:07 +01:00			`userRequired := user != nil && *user`
			`orgRequired := organization != nil && *organization`

			`u := UserFromContext(ctx)`
			`orgId := OrganizationFromContext(ctx)`

			`fmt.Printf("[Auth Directive] userRequired=%v, orgRequired=%v, hasUser=%v, hasOrg=%v\n",`
			`userRequired, orgRequired, u != "", orgId != "")`

			`// If both are required, it means EITHER is acceptable (OR logic)`
			`if userRequired && orgRequired {`
			`if u == "" && orgId == "" {`
			`fmt.Printf("[Auth Directive] REJECTED: Neither user nor organization available\n")`
			`return nil, fmt.Errorf("authentication required: provide either user token or organization API key")`
			`}`
			`fmt.Printf("[Auth Directive] ACCEPTED: Has user=%v OR organization=%v\n", u != "", orgId != "")`
			`return next(ctx)`
			`}`

			`// Only user required`
			`if userRequired {`
			`if u == "" {`
			`fmt.Printf("[Auth Directive] REJECTED: No user available\n")`
feat: organizations and API keys 2023-04-27 07:09:10 +02:00			`return nil, fmt.Errorf("no user available in request")`
			`}`
feat: add commands for managing organizations and users Introduce `AddUserToOrganization`, `RemoveAPIKey`, and `RemoveOrganization` commands to enhance organization management. Implement validation for user addition and API key removal. Update GraphQL schema to support new mutations and add caching for the new events, ensuring that organizations and their relationships are accurately represented in the cache. 2025-11-22 18:37:07 +01:00			`fmt.Printf("[Auth Directive] ACCEPTED: User authenticated\n")`
feat: organizations and API keys 2023-04-27 07:09:10 +02:00			`}`
feat: add commands for managing organizations and users Introduce `AddUserToOrganization`, `RemoveAPIKey`, and `RemoveOrganization` commands to enhance organization management. Implement validation for user addition and API key removal. Update GraphQL schema to support new mutations and add caching for the new events, ensuring that organizations and their relationships are accurately represented in the cache. 2025-11-22 18:37:07 +01:00
			`// Only organization required`
			`if orgRequired {`
			`if orgId == "" {`
			`fmt.Printf("[Auth Directive] REJECTED: No organization available\n")`
feat: organizations and API keys 2023-04-27 07:09:10 +02:00			`return nil, fmt.Errorf("no organization available in request")`
			`}`
feat: add commands for managing organizations and users Introduce `AddUserToOrganization`, `RemoveAPIKey`, and `RemoveOrganization` commands to enhance organization management. Implement validation for user addition and API key removal. Update GraphQL schema to support new mutations and add caching for the new events, ensuring that organizations and their relationships are accurately represented in the cache. 2025-11-22 18:37:07 +01:00			`fmt.Printf("[Auth Directive] ACCEPTED: Organization authenticated\n")`
feat: organizations and API keys 2023-04-27 07:09:10 +02:00			`}`
feat: add commands for managing organizations and users Introduce `AddUserToOrganization`, `RemoveAPIKey`, and `RemoveOrganization` commands to enhance organization management. Implement validation for user addition and API key removal. Update GraphQL schema to support new mutations and add caching for the new events, ensuring that organizations and their relationships are accurately represented in the cache. 2025-11-22 18:37:07 +01:00
feat: organizations and API keys 2023-04-27 07:09:10 +02:00			`return next(ctx)`
			`}`