unboundsoftware/schemas
6
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases 32 Activity
Files
bd80281ced550143a1f08c28ad0c6bf9aacbdcd1
schemas/middleware/auth.go
T
argoyle 817927cb7d
schemas / check-release (pull_request) Successful in 1m57s
Details
schemas / vulnerabilities (pull_request) Successful in 2m48s
Details
schemas / check (pull_request) Successful in 8m17s
Details
pre-commit / pre-commit (pull_request) Successful in 11m38s
Details
schemas / build (pull_request) Successful in 5m31s
Details
schemas / deploy-prod (pull_request) Has been skipped
Details
fix: migrate to go-jwt-middleware v3 API 
- Use validator and jwks packages for JWT validation
- Replace manual JWKS caching with jwks.NewCachingProvider
- Add CustomClaims struct for https://unbound.se/roles claim
- Rename TokenFromContext to ClaimsFromContext
- Update middleware/auth.go to use new claims structure
- Update tests to use core.SetClaims and validator.ValidatedClaims

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 20:31:45 +01:00

133 lines
3.3 KiB
Go
Raw Blame History

package middleware
import (
"context"
"fmt"
"net/http"
"github.com/99designs/gqlgen/graphql"
"gitea.unbound.se/unboundsoftware/schemas/domain"
)
const (
UserKey = ContextKey("user")
OrganizationKey = ContextKey("organization")
)
type Cache interface {
OrganizationByAPIKey(apiKey string) *domain.Organization
}
func NewAuth(cache Cache) *AuthMiddleware {
return &AuthMiddleware{
cache: cache,
}
}
type AuthMiddleware struct {
cache Cache
}
func (m *AuthMiddleware) Handler(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
claims := ClaimsFromContext(r.Context())
if claims != nil {
ctx = context.WithValue(ctx, UserKey, claims.RegisteredClaims.Subject)
}
apiKey, err := ApiKeyFromContext(r.Context())
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
_, _ = w.Write([]byte("Invalid API Key format"))
return
}
// Cache handles hash comparison internally
organization := m.cache.OrganizationByAPIKey(apiKey)
if organization != nil {
ctx = context.WithValue(ctx, OrganizationKey, *organization)
}
next.ServeHTTP(w, r.WithContext(ctx))
})
}
func UserFromContext(ctx context.Context) string {
if value := ctx.Value(UserKey); value != nil {
if u, ok := value.(string); ok {
return u
}
}
return ""
}
func UserHasRole(ctx context.Context, role string) bool {
claims := ClaimsFromContext(ctx)
if claims == nil {
return false
}
customClaims, ok := claims.CustomClaims.(*CustomClaims)
if !ok || customClaims == nil {
return false
}
for _, r := range customClaims.Roles {
if r == role {
return true
}
}
return false
}
func OrganizationFromContext(ctx context.Context) string {
if value := ctx.Value(OrganizationKey); value != nil {
if u, ok := value.(domain.Organization); ok {
return u.ID.String()
}
}
return ""
}
func (m *AuthMiddleware) Directive(ctx context.Context, _ interface{}, next graphql.Resolver, user *bool, organization *bool) (res interface{}, err error) {
userRequired := user != nil && *user
orgRequired := organization != nil && *organization
u := UserFromContext(ctx)
orgId := OrganizationFromContext(ctx)
fmt.Printf("[Auth Directive] userRequired=%v, orgRequired=%v, hasUser=%v, hasOrg=%v\n",
userRequired, orgRequired, u != "", orgId != "")
// If both are required, it means EITHER is acceptable (OR logic)
if userRequired && orgRequired {
if u == "" && orgId == "" {
fmt.Printf("[Auth Directive] REJECTED: Neither user nor organization available\n")
return nil, fmt.Errorf("authentication required: provide either user token or organization API key")
}
fmt.Printf("[Auth Directive] ACCEPTED: Has user=%v OR organization=%v\n", u != "", orgId != "")
return next(ctx)
}
// Only user required
if userRequired {
if u == "" {
fmt.Printf("[Auth Directive] REJECTED: No user available\n")
return nil, fmt.Errorf("no user available in request")
}
fmt.Printf("[Auth Directive] ACCEPTED: User authenticated\n")
}
// Only organization required
if orgRequired {
if orgId == "" {
fmt.Printf("[Auth Directive] REJECTED: No organization available\n")
return nil, fmt.Errorf("no organization available in request")
}
fmt.Printf("[Auth Directive] ACCEPTED: Organization authenticated\n")
}
return next(ctx)
}
Reference in New Issue View Git Blame Copy Permalink