services/file/internal/middleware/auth.go

package middleware

import (
	"net/http"
	"strings"

	"github.com/flatrender/file-svc/internal/models"
	"github.com/gin-gonic/gin"
	"github.com/golang-jwt/jwt/v5"
	"github.com/google/uuid"
)

const (
	KeyUserID   = "user_id"
	KeyTenantID = "tenant_id"
	KeyIsAdmin  = "is_admin"
)

func Auth(jwtSecret string) gin.HandlerFunc {
	return func(c *gin.Context) {
		header := c.GetHeader("Authorization")
		if !strings.HasPrefix(header, "Bearer ") {
			c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
				Error: models.APIError{Code: "unauthorized", Message: "missing bearer token"},
			})
			return
		}

		tokenStr := strings.TrimPrefix(header, "Bearer ")
		token, err := jwt.Parse(tokenStr, func(t *jwt.Token) (any, error) {
			if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
				return nil, jwt.ErrSignatureInvalid
			}
			return []byte(jwtSecret), nil
		})
		if err != nil || !token.Valid {
			c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
				Error: models.APIError{Code: "unauthorized", Message: "invalid token"},
			})
			return
		}

		claims, ok := token.Claims.(jwt.MapClaims)
		if !ok {
			c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
				Error: models.APIError{Code: "unauthorized", Message: "invalid claims"},
			})
			return
		}

		userID, err := uuid.Parse(claims["sub"].(string))
		if err != nil {
			c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
				Error: models.APIError{Code: "unauthorized", Message: "invalid sub claim"},
			})
			return
		}

		tenantID, _ := uuid.Parse(claims["tenant_id"].(string))
		isAdmin, _ := claims["is_admin"].(bool)

		c.Set(KeyUserID, userID)
		c.Set(KeyTenantID, tenantID)
		c.Set(KeyIsAdmin, isAdmin)
		c.Next()
	}
}

func AdminOnly() gin.HandlerFunc {
	return func(c *gin.Context) {
		if isAdmin, _ := c.Get(KeyIsAdmin); isAdmin != true {
			c.AbortWithStatusJSON(http.StatusForbidden, models.ErrorResponse{
				Error: models.APIError{Code: "forbidden", Message: "admin only"},
			})
			return
		}
		c.Next()
	}
}
feat: V2 microservices stack — backend services, gateway, JWT auth 2026-05-29 23:29:31 +03:30			`package middleware`

			`import (`
			`"net/http"`
			`"strings"`

			`"github.com/flatrender/file-svc/internal/models"`
			`"github.com/gin-gonic/gin"`
			`"github.com/golang-jwt/jwt/v5"`
			`"github.com/google/uuid"`
			`)`

			`const (`
			`KeyUserID = "user_id"`
			`KeyTenantID = "tenant_id"`
			`KeyIsAdmin = "is_admin"`
			`)`

			`func Auth(jwtSecret string) gin.HandlerFunc {`
			`return func(c *gin.Context) {`
			`header := c.GetHeader("Authorization")`
			`if !strings.HasPrefix(header, "Bearer ") {`
			`c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{`
			`Error: models.APIError{Code: "unauthorized", Message: "missing bearer token"},`
			`})`
			`return`
			`}`

			`tokenStr := strings.TrimPrefix(header, "Bearer ")`
			`token, err := jwt.Parse(tokenStr, func(t *jwt.Token) (any, error) {`
			`if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {`
			`return nil, jwt.ErrSignatureInvalid`
			`}`
			`return []byte(jwtSecret), nil`
			`})`
			`if err != nil \|\| !token.Valid {`
			`c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{`
			`Error: models.APIError{Code: "unauthorized", Message: "invalid token"},`
			`})`
			`return`
			`}`

			`claims, ok := token.Claims.(jwt.MapClaims)`
			`if !ok {`
			`c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{`
			`Error: models.APIError{Code: "unauthorized", Message: "invalid claims"},`
			`})`
			`return`
			`}`

			`userID, err := uuid.Parse(claims["sub"].(string))`
			`if err != nil {`
			`c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{`
			`Error: models.APIError{Code: "unauthorized", Message: "invalid sub claim"},`
			`})`
			`return`
			`}`

			`tenantID, _ := uuid.Parse(claims["tenant_id"].(string))`
			`isAdmin, _ := claims["is_admin"].(bool)`

			`c.Set(KeyUserID, userID)`
			`c.Set(KeyTenantID, tenantID)`
			`c.Set(KeyIsAdmin, isAdmin)`
			`c.Next()`
			`}`
			`}`

			`func AdminOnly() gin.HandlerFunc {`
			`return func(c *gin.Context) {`
			`if isAdmin, _ := c.Get(KeyIsAdmin); isAdmin != true {`
			`c.AbortWithStatusJSON(http.StatusForbidden, models.ErrorResponse{`
			`Error: models.APIError{Code: "forbidden", Message: "admin only"},`
			`})`
			`return`
			`}`
			`c.Next()`
			`}`
			`}`