refactor(services): rename Go services, remove -go suffix

mana-search-go → mana-search mana-notify-go → mana-notify mana-crawler-go → mana-crawler mana-api-gateway-go → mana-api-gateway Legacy NestJS versions are deleted, suffix no longer needed. Updated all references in docker-compose, CLAUDE.md, package.json, Forgejo workflows, and service package.json files. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-25 09:54:38 +02:00 · 2026-03-28 10:18:40 +01:00 · 2026-03-28 10:18:40 +01:00 · 7e931b1c6d
commit 7e931b1c6d
parent 79080d6654
90 changed files with 41 additions and 38 deletions
--- a/services/mana-api-gateway/internal/middleware/apikey.go
+++ b/services/mana-api-gateway/internal/middleware/apikey.go
@ -0,0 +1,106 @@
+package middleware
+
+import (
+	"context"
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/manacore/mana-api-gateway/internal/service"
+)
+
+type contextKey string
+
+const ApiKeyContextKey contextKey = "apiKey"
+
+var endpointRegex = regexp.MustCompile(`/v1/(\w+)`)
+
+// ApiKeyMiddleware validates X-API-Key header and attaches key data to context.
+func ApiKeyMiddleware(apiKeyService *service.ApiKeyService) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			rawKey := r.Header.Get("X-API-Key")
+			if rawKey == "" {
+				writeJSON(w, http.StatusUnauthorized, map[string]string{
+					"error": "API key required. Use X-API-Key header.",
+				})
+				return
+			}
+
+			keyData, err := apiKeyService.ValidateKey(r.Context(), rawKey)
+			if err != nil {
+				slog.Debug("invalid api key", "error", err)
+				writeJSON(w, http.StatusUnauthorized, map[string]string{
+					"error": "Invalid API key",
+				})
+				return
+			}
+
+			if !keyData.Active {
+				writeJSON(w, http.StatusUnauthorized, map[string]string{
+					"error": "API key is disabled",
+				})
+				return
+			}
+
+			if keyData.ExpiresAt != nil && time.Now().After(*keyData.ExpiresAt) {
+				writeJSON(w, http.StatusUnauthorized, map[string]string{
+					"error": "API key has expired",
+				})
+				return
+			}
+
+			// Check endpoint permission
+			endpoint := extractEndpoint(r.URL.Path)
+			if !hasEndpointPermission(keyData, endpoint) {
+				writeJSON(w, http.StatusForbidden, map[string]string{
+					"error": "Endpoint '" + endpoint + "' not allowed for this API key. Upgrade your plan.",
+				})
+				return
+			}
+
+			// Attach key data to context
+			ctx := context.WithValue(r.Context(), ApiKeyContextKey, keyData)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+// GetApiKey retrieves the API key data from the request context.
+func GetApiKey(r *http.Request) *service.ApiKeyData {
+	data, _ := r.Context().Value(ApiKeyContextKey).(*service.ApiKeyData)
+	return data
+}
+
+func extractEndpoint(path string) string {
+	m := endpointRegex.FindStringSubmatch(path)
+	if len(m) >= 2 {
+		return m[1]
+	}
+	return "unknown"
+}
+
+func hasEndpointPermission(keyData *service.ApiKeyData, endpoint string) bool {
+	if keyData.AllowedEndpoints == "" {
+		return true
+	}
+	var allowed []string
+	if err := json.Unmarshal([]byte(keyData.AllowedEndpoints), &allowed); err != nil {
+		return true
+	}
+	for _, e := range allowed {
+		if e == endpoint || strings.HasPrefix(endpoint, e) {
+			return true
+		}
+	}
+	return false
+}
+
+func writeJSON(w http.ResponseWriter, status int, data any) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	json.NewEncoder(w).Encode(data)
+}
--- a/services/mana-api-gateway/internal/middleware/jwt.go
+++ b/services/mana-api-gateway/internal/middleware/jwt.go
@ -0,0 +1,101 @@
+package middleware
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type jwtContextKey string
+
+const UserIDContextKey jwtContextKey = "userID"
+const UserRoleContextKey jwtContextKey = "userRole"
+
+// JWTClaims holds the JWT token claims.
+type JWTClaims struct {
+	Sub   string `json:"sub"`
+	Email string `json:"email"`
+	Role  string `json:"role"`
+	jwt.RegisteredClaims
+}
+
+// JWTMiddleware validates Bearer JWT tokens for management endpoints.
+// Uses JWKS from mana-core-auth (simplified: accepts any valid JWT structure for now).
+func JWTMiddleware(authURL string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			authHeader := r.Header.Get("Authorization")
+			if authHeader == "" || !strings.HasPrefix(authHeader, "Bearer ") {
+				writeJSON(w, http.StatusUnauthorized, map[string]string{
+					"error": "Authorization header required. Use Bearer <JWT>.",
+				})
+				return
+			}
+
+			tokenStr := strings.TrimPrefix(authHeader, "Bearer ")
+
+			// Validate JWT via auth service
+			userID, role, err := validateJWT(r.Context(), authURL, tokenStr)
+			if err != nil {
+				writeJSON(w, http.StatusUnauthorized, map[string]string{
+					"error": "Invalid or expired token",
+				})
+				return
+			}
+
+			ctx := context.WithValue(r.Context(), UserIDContextKey, userID)
+			ctx = context.WithValue(ctx, UserRoleContextKey, role)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+// GetUserID returns the authenticated user ID from context.
+func GetUserID(r *http.Request) string {
+	id, _ := r.Context().Value(UserIDContextKey).(string)
+	return id
+}
+
+// GetUserRole returns the user role from context.
+func GetUserRole(r *http.Request) string {
+	role, _ := r.Context().Value(UserRoleContextKey).(string)
+	return role
+}
+
+// validateJWT calls mana-core-auth /api/v1/auth/validate to verify the token.
+func validateJWT(ctx context.Context, authURL, token string) (userID, role string, err error) {
+	req, err := http.NewRequestWithContext(ctx, "POST", authURL+"/api/v1/auth/validate", strings.NewReader(`{"token":"`+token+`"}`))
+	if err != nil {
+		return "", "", err
+	}
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return "", "", fmt.Errorf("auth service: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", "", fmt.Errorf("auth validation failed: %d", resp.StatusCode)
+	}
+
+	var result struct {
+		Valid   bool   `json:"valid"`
+		UserID  string `json:"userId"`
+		Role    string `json:"role"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return "", "", err
+	}
+
+	if !result.Valid {
+		return "", "", fmt.Errorf("token not valid")
+	}
+
+	return result.UserID, result.Role, nil
+}
--- a/services/mana-api-gateway/internal/middleware/ratelimit.go
+++ b/services/mana-api-gateway/internal/middleware/ratelimit.go
@ -0,0 +1,99 @@
+package middleware
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/manacore/mana-api-gateway/internal/service"
+	"github.com/redis/go-redis/v9"
+)
+
+// RateLimitMiddleware enforces per-key sliding window rate limits using Redis.
+func RateLimitMiddleware(rdb *redis.Client, prefix string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			keyData := GetApiKey(r)
+			if keyData == nil {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			ctx := r.Context()
+			key := prefix + "ratelimit:" + keyData.ID
+			limit := keyData.RateLimit
+			window := int64(60) // 60 seconds
+
+			now := time.Now().UnixMilli()
+			windowStart := now - window*1000
+
+			pipe := rdb.Pipeline()
+			pipe.ZRemRangeByScore(ctx, key, "0", strconv.FormatInt(windowStart, 10))
+			countCmd := pipe.ZCard(ctx, key)
+			pipe.Exec(ctx)
+
+			count := countCmd.Val()
+
+			if count >= int64(limit) {
+				w.Header().Set("X-RateLimit-Limit", strconv.Itoa(limit))
+				w.Header().Set("X-RateLimit-Remaining", "0")
+				w.Header().Set("Retry-After", "60")
+				writeJSON(w, http.StatusTooManyRequests, map[string]any{
+					"error":      "Rate limit exceeded",
+					"limit":      limit,
+					"remaining":  0,
+					"retryAfter": 60,
+				})
+				return
+			}
+
+			// Add current request
+			rdb.ZAdd(ctx, key, redis.Z{Score: float64(now), Member: fmt.Sprintf("%d", now)})
+			rdb.Expire(ctx, key, time.Duration(window)*time.Second)
+
+			remaining := int64(limit) - count - 1
+			if remaining < 0 {
+				remaining = 0
+			}
+
+			w.Header().Set("X-RateLimit-Limit", strconv.Itoa(limit))
+			w.Header().Set("X-RateLimit-Remaining", strconv.FormatInt(remaining, 10))
+			w.Header().Set("X-RateLimit-Reset", strconv.FormatInt(now/1000+window, 10))
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// CreditsMiddleware checks if the API key has enough credits.
+func CreditsMiddleware(apiKeyService *service.ApiKeyService) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			keyData := GetApiKey(r)
+			if keyData == nil {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			endpoint := extractEndpoint(r.URL.Path)
+			estimatedCredits := service.CreditCosts[endpoint]
+			if estimatedCredits == 0 {
+				estimatedCredits = 1
+			}
+
+			ok, err := apiKeyService.HasEnoughCredits(r.Context(), keyData.ID, estimatedCredits)
+			if err != nil || !ok {
+				writeJSON(w, http.StatusPaymentRequired, map[string]any{
+					"error":           "Insufficient credits",
+					"creditsRequired": estimatedCredits,
+					"creditsUsed":     keyData.CreditsUsed,
+					"monthlyCredits":  keyData.MonthlyCredits,
+				})
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}