Files
geo/server/internal/shared/auth/middleware.go
T
root de30497f59 feat: add tenant and user management with migrations, handlers, and tests
- Implemented tenant and user management features including:
  - Tenant creation and management with associated migrations.
  - User creation and management with associated migrations.
  - Tenant membership management with associated migrations.
  - Platform user roles management with associated migrations.
  - Quota management with associated migrations.
  - Article and template management with associated migrations.
- Added HTTP handlers for templates and workspaces.
- Created tests for protected and public routes.
- Introduced a script to check tenant scope in SQL queries.
- Documented task plan for backend completion and frontend foundation.
2026-04-01 00:58:42 +08:00

51 lines
1.3 KiB
Go

package auth
import (
"strings"
"github.com/gin-gonic/gin"
"github.com/geo-platform/tenant-api/internal/shared/response"
)
func Middleware(jwtMgr *Manager, sessions *SessionStore) gin.HandlerFunc {
return func(c *gin.Context) {
raw, err := bearerToken(c.GetHeader("Authorization"))
if err != nil {
response.Error(c, response.ErrUnauthorized(40101, "missing_bearer_token", "Authorization header is required"))
c.Abort()
return
}
claims, err := jwtMgr.Parse(raw)
if err != nil || claims.Subject != "access" {
response.Error(c, response.ErrUnauthorized(40102, "invalid_access_token", "token is invalid or expired"))
c.Abort()
return
}
revoked, _ := sessions.IsBlacklisted(c.Request.Context(), claims.ID)
if revoked {
response.Error(c, response.ErrUnauthorized(40103, "token_revoked", "token has been logged out"))
c.Abort()
return
}
actor := Actor{
UserID: claims.UserID,
TenantID: claims.TenantID,
Role: claims.Role,
}
c.Request = c.Request.WithContext(WithActor(c.Request.Context(), actor))
c.Next()
}
}
func bearerToken(header string) (string, error) {
parts := strings.SplitN(header, " ", 2)
if len(parts) != 2 || !strings.EqualFold(parts[0], "bearer") {
return "", response.ErrUnauthorized(40101, "missing_bearer_token", "Authorization header is required")
}
return parts[1], nil
}