feat: V2 microservices stack — backend services, gateway, JWT auth
Add full V2 architecture: identity, content, studio (.NET 10) and file, render, notification, gateway (Go) services with vendored deps, plus DB migrations, event/API contracts, and an init-db script. Wire the Next.js frontend to the gateway: server-side JWT auth routes (login/register/refresh/logout/me), gateway fetch helper, and session/ cookie/jwt helpers under src/lib. Containerize the stack via docker-compose.v2.yml and per-service Dockerfiles. Base images resolve through a Nexus mirror (Docker Hub) and MCR directly; npm/NuGet pull from Nexus groups. Self-host fonts via next/font/local to avoid Google Fonts (geo-blocked). Add CI workflow and ignore .env.v2, *.stackdump, and .NET bin/obj. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
@@ -0,0 +1,136 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
const (
|
||||
HeaderUserID = "X-User-ID"
|
||||
HeaderTenantID = "X-Tenant-ID"
|
||||
HeaderIsAdmin = "X-Is-Admin"
|
||||
HeaderRole = "X-Role"
|
||||
|
||||
CtxUserID = "user_id"
|
||||
CtxTenantID = "tenant_id"
|
||||
CtxIsAdmin = "is_admin"
|
||||
CtxRole = "role"
|
||||
)
|
||||
|
||||
type ErrorResponse struct {
|
||||
Code string `json:"code"`
|
||||
Message string `json:"message"`
|
||||
}
|
||||
|
||||
// JWTAuth validates the bearer token and injects claims into both gin context and upstream request headers.
|
||||
func JWTAuth(secret string) gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
if validateAndInject(c, secret) {
|
||||
c.Next()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// JWTAuthSkip behaves like JWTAuth but skips authentication entirely when skip(c)
|
||||
// returns true. Used for catch-all routes that mix public and protected sub-paths
|
||||
// (e.g. /payments/* where /callback/* and /webhook/* must stay public) — gin forbids
|
||||
// registering a catch-all alongside static child segments, so the branch lives here.
|
||||
func JWTAuthSkip(secret string, skip func(*gin.Context) bool) gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
if skip(c) {
|
||||
c.Next()
|
||||
return
|
||||
}
|
||||
if validateAndInject(c, secret) {
|
||||
c.Next()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// validateAndInject validates the bearer token and injects claims into the gin context
|
||||
// and upstream request headers. On failure it aborts with 401 and returns false.
|
||||
// It does NOT call c.Next() — the caller decides whether to continue the chain.
|
||||
func validateAndInject(c *gin.Context, secret string) bool {
|
||||
hdr := c.GetHeader("Authorization")
|
||||
if !strings.HasPrefix(hdr, "Bearer ") {
|
||||
c.AbortWithStatusJSON(http.StatusUnauthorized, ErrorResponse{Code: "unauthorized", Message: "missing bearer token"})
|
||||
return false
|
||||
}
|
||||
tokenStr := hdr[7:]
|
||||
token, err := jwt.Parse(tokenStr, func(t *jwt.Token) (interface{}, error) {
|
||||
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||
return nil, jwt.ErrSignatureInvalid
|
||||
}
|
||||
return []byte(secret), nil
|
||||
})
|
||||
if err != nil || !token.Valid {
|
||||
c.AbortWithStatusJSON(http.StatusUnauthorized, ErrorResponse{Code: "unauthorized", Message: "invalid or expired token"})
|
||||
return false
|
||||
}
|
||||
claims, _ := token.Claims.(jwt.MapClaims)
|
||||
userID, _ := uuid.Parse(fmt.Sprintf("%v", claims["sub"]))
|
||||
tenantID, _ := uuid.Parse(fmt.Sprintf("%v", claims["tenant_id"]))
|
||||
isAdmin, _ := claims["is_admin"].(bool)
|
||||
role, _ := claims["role"].(string)
|
||||
|
||||
c.Set(CtxUserID, userID)
|
||||
c.Set(CtxTenantID, tenantID)
|
||||
c.Set(CtxIsAdmin, isAdmin)
|
||||
c.Set(CtxRole, role)
|
||||
|
||||
// Inject for upstream services
|
||||
c.Request.Header.Set(HeaderUserID, userID.String())
|
||||
c.Request.Header.Set(HeaderTenantID, tenantID.String())
|
||||
if isAdmin {
|
||||
c.Request.Header.Set(HeaderIsAdmin, "true")
|
||||
}
|
||||
if role != "" {
|
||||
c.Request.Header.Set(HeaderRole, role)
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
// OptionalJWTAuth parses the token if present but does not abort on missing/invalid token.
|
||||
func OptionalJWTAuth(secret string) gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
hdr := c.GetHeader("Authorization")
|
||||
if !strings.HasPrefix(hdr, "Bearer ") {
|
||||
c.Next()
|
||||
return
|
||||
}
|
||||
token, err := jwt.Parse(hdr[7:], func(t *jwt.Token) (interface{}, error) {
|
||||
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||
return nil, jwt.ErrSignatureInvalid
|
||||
}
|
||||
return []byte(secret), nil
|
||||
})
|
||||
if err != nil || !token.Valid {
|
||||
c.Next()
|
||||
return
|
||||
}
|
||||
claims, _ := token.Claims.(jwt.MapClaims)
|
||||
userID, _ := uuid.Parse(fmt.Sprintf("%v", claims["sub"]))
|
||||
tenantID, _ := uuid.Parse(fmt.Sprintf("%v", claims["tenant_id"]))
|
||||
isAdmin, _ := claims["is_admin"].(bool)
|
||||
c.Request.Header.Set(HeaderUserID, userID.String())
|
||||
c.Request.Header.Set(HeaderTenantID, tenantID.String())
|
||||
if isAdmin {
|
||||
c.Request.Header.Set(HeaderIsAdmin, "true")
|
||||
}
|
||||
c.Next()
|
||||
}
|
||||
}
|
||||
|
||||
func GetUserID(c *gin.Context) (uuid.UUID, bool) {
|
||||
v, ok := c.Get(CtxUserID)
|
||||
if !ok {
|
||||
return uuid.Nil, false
|
||||
}
|
||||
id, ok := v.(uuid.UUID)
|
||||
return id, ok && id != uuid.Nil
|
||||
}
|
||||
Reference in New Issue
Block a user