mikkel/felt
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
felt/internal/server/middleware/auth.go
Mikkel Georgsen dd2f9bbfd9 feat(01-03): implement PIN auth routes, JWT HS256 enforcement, and auth tests 
- Add auth HTTP handlers (login, me, logout) with proper JSON responses
- Enforce HS256 via jwt.WithValidMethods to prevent algorithm confusion attacks
- Add context helpers for extracting operator ID and role from JWT claims
- Add comprehensive auth test suite (11 unit tests + 6 integration tests)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-01 03:59:05 +01:00

110 lines
3.4 KiB
Go
Raw Blame History

// Package middleware provides HTTP middleware for the Felt tournament engine.
package middleware
import (
"context"
"net/http"
"strings"
"github.com/golang-jwt/jwt/v5"
)
// contextKey is a private type for context keys to avoid collisions.
type contextKey string
const (
// OperatorIDKey is the context key for the authenticated operator ID.
OperatorIDKey contextKey = "operator_id"
// OperatorRoleKey is the context key for the authenticated operator role.
OperatorRoleKey contextKey = "operator_role"
)
// JWTAuth returns middleware that validates JWT tokens from the Authorization header.
// Tokens must be in the format: Bearer <token>
// Enforces HS256 via WithValidMethods to prevent algorithm confusion attacks.
func JWTAuth(signingKey []byte) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
authHeader := r.Header.Get("Authorization")
if authHeader == "" {
http.Error(w, `{"error":"missing authorization header"}`, http.StatusUnauthorized)
return
}
parts := strings.SplitN(authHeader, " ", 2)
if len(parts) != 2 || !strings.EqualFold(parts[0], "bearer") {
http.Error(w, `{"error":"invalid authorization format"}`, http.StatusUnauthorized)
return
}
tokenStr := parts[1]
operatorID, role, err := ValidateJWT(tokenStr, signingKey)
if err != nil {
http.Error(w, `{"error":"invalid or expired token"}`, http.StatusUnauthorized)
return
}
// Add operator info to request context
ctx := context.WithValue(r.Context(), OperatorIDKey, operatorID)
ctx = context.WithValue(ctx, OperatorRoleKey, role)
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}
// ValidateJWT parses and validates a JWT token string, returning the
// operator ID and role from claims. Enforces HS256 via WithValidMethods
// to prevent algorithm confusion attacks.
func ValidateJWT(tokenStr string, signingKey []byte) (operatorID string, role string, err error) {
token, err := jwt.Parse(tokenStr, func(token *jwt.Token) (interface{}, error) {
// Verify signing method is HMAC (belt AND suspenders with WithValidMethods)
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, jwt.ErrSignatureInvalid
}
return signingKey, nil
}, jwt.WithValidMethods([]string{"HS256"}))
if err != nil {
return "", "", err
}
claims, ok := token.Claims.(jwt.MapClaims)
if !ok || !token.Valid {
return "", "", jwt.ErrSignatureInvalid
}
operatorID, _ = claims["sub"].(string)
role, _ = claims["role"].(string)
if operatorID == "" {
return "", "", jwt.ErrSignatureInvalid
}
if role == "" {
role = "viewer" // Default role
}
return operatorID, role, nil
}
// OperatorID extracts the operator ID from the request context.
func OperatorID(r *http.Request) string {
id, _ := r.Context().Value(OperatorIDKey).(string)
return id
}
// OperatorRole extracts the operator role from the request context.
func OperatorRole(r *http.Request) string {
role, _ := r.Context().Value(OperatorRoleKey).(string)
return role
}
// OperatorIDFromCtx extracts the operator ID from a context directly.
func OperatorIDFromCtx(ctx context.Context) string {
id, _ := ctx.Value(OperatorIDKey).(string)
return id
}
// OperatorRoleFromCtx extracts the operator role from a context directly.
func OperatorRoleFromCtx(ctx context.Context) string {
role, _ := ctx.Value(OperatorRoleKey).(string)
return role
}
Reference in a new issue View git blame Copy permalink