mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-21 01:06:42 +02:00
refactor(shared-go): extract shared auth package from 3 Go services
Create packages/shared-go/authutil/ with two JWT validator implementations: - JWKSValidator: EdDSA JWKS validation with key caching (extracted from mana-sync) - RemoteValidator: delegates to mana-core-auth /api/v1/auth/validate (from mana-notify/gateway) Plus shared types (Claims, User), middleware factories (JWTMiddleware, ServiceKeyMiddleware), context helpers (GetUser, GetUserID, GetUserRole), and token extraction. Migrated services: - mana-sync: internal/auth/jwt.go now wraps authutil.JWKSValidator - mana-notify: internal/auth/auth.go now wraps authutil.RemoteValidator + ServiceKeyMiddleware - mana-api-gateway: internal/middleware/jwt.go now wraps authutil.RemoteValidator All 3 services compile and pass tests. Service-level packages re-export types for backward compatibility so no consumer code changes are needed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Till JS
parent
509a541b70
commit
4f70e1ca6c
14 changed files with 466 additions and 385 deletions
111
packages/shared-go/authutil/validator_remote.go
Normal file
111
packages/shared-go/authutil/validator_remote.go
Normal file
|
|
@ -0,0 +1,111 @@
|
|||
package authutil
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
)
|
||||
|
||||
// RemoteValidator validates JWTs by calling mana-core-auth's validation endpoint.
|
||||
// Simpler than JWKS (no key management), but requires the auth service to be available.
|
||||
type RemoteValidator struct {
|
||||
authURL string
|
||||
client *http.Client
|
||||
}
|
||||
|
||||
// NewRemoteValidator creates a validator that delegates to mana-core-auth.
|
||||
// authURL should be the base URL of mana-core-auth (e.g., "http://localhost:3001").
|
||||
func NewRemoteValidator(authURL string) *RemoteValidator {
|
||||
return &RemoteValidator{
|
||||
authURL: authURL,
|
||||
client: &http.Client{Timeout: 5 * time.Second},
|
||||
}
|
||||
}
|
||||
|
||||
// ValidateToken validates a JWT by calling the auth service and returns claims.
|
||||
// Claims are extracted from the token locally (unverified parse), while the auth
|
||||
// service confirms the token's validity.
|
||||
func (v *RemoteValidator) ValidateToken(tokenStr string) (*Claims, error) {
|
||||
return v.ValidateTokenWithContext(context.Background(), tokenStr)
|
||||
}
|
||||
|
||||
// ValidateTokenWithContext validates a JWT with a context for cancellation.
|
||||
func (v *RemoteValidator) ValidateTokenWithContext(ctx context.Context, tokenStr string) (*Claims, error) {
|
||||
// Parse without verification to extract claims
|
||||
parser := jwt.NewParser(jwt.WithoutClaimsValidation())
|
||||
token, _, err := parser.ParseUnverified(tokenStr, jwt.MapClaims{})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("parse token: %w", err)
|
||||
}
|
||||
|
||||
mapClaims, ok := token.Claims.(jwt.MapClaims)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("invalid claims")
|
||||
}
|
||||
|
||||
// Validate via auth service
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodPost,
|
||||
v.authURL+"/api/v1/auth/validate",
|
||||
strings.NewReader(`{"token":"`+tokenStr+`"}`))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("create request: %w", err)
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
|
||||
resp, err := v.client.Do(req)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("auth service unavailable: %w", err)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return nil, fmt.Errorf("token validation failed: %d", resp.StatusCode)
|
||||
}
|
||||
|
||||
var result struct {
|
||||
Valid bool `json:"valid"`
|
||||
}
|
||||
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
|
||||
return nil, fmt.Errorf("decode response: %w", err)
|
||||
}
|
||||
if !result.Valid {
|
||||
return nil, fmt.Errorf("token invalid")
|
||||
}
|
||||
|
||||
// Build claims from the unverified token (auth service confirmed validity)
|
||||
sub, _ := mapClaims["sub"].(string)
|
||||
email, _ := mapClaims["email"].(string)
|
||||
role, _ := mapClaims["role"].(string)
|
||||
sid, _ := mapClaims["sid"].(string)
|
||||
|
||||
return &Claims{
|
||||
RegisteredClaims: jwt.RegisteredClaims{Subject: sub},
|
||||
Email: email,
|
||||
Role: role,
|
||||
SID: sid,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// UserIDFromRequest validates the token from the request and returns the user ID.
|
||||
func (v *RemoteValidator) UserIDFromRequest(r *http.Request) (string, error) {
|
||||
token := ExtractToken(r)
|
||||
if token == "" {
|
||||
return "", fmt.Errorf("no authorization header")
|
||||
}
|
||||
|
||||
claims, err := v.ValidateTokenWithContext(r.Context(), token)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
if claims.Subject == "" {
|
||||
return "", fmt.Errorf("missing sub claim")
|
||||
}
|
||||
|
||||
return claims.Subject, nil
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue