feat: V2 microservices stack — backend services, gateway, JWT auth
Add full V2 architecture: identity, content, studio (.NET 10) and file, render, notification, gateway (Go) services with vendored deps, plus DB migrations, event/API contracts, and an init-db script. Wire the Next.js frontend to the gateway: server-side JWT auth routes (login/register/refresh/logout/me), gateway fetch helper, and session/ cookie/jwt helpers under src/lib. Containerize the stack via docker-compose.v2.yml and per-service Dockerfiles. Base images resolve through a Nexus mirror (Docker Hub) and MCR directly; npm/NuGet pull from Nexus groups. Self-host fonts via next/font/local to avoid Google Fonts (geo-blocked). Add CI workflow and ignore .env.v2, *.stackdump, and .NET bin/obj. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
@@ -0,0 +1,79 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"github.com/flatrender/file-svc/internal/models"
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
const (
|
||||
KeyUserID = "user_id"
|
||||
KeyTenantID = "tenant_id"
|
||||
KeyIsAdmin = "is_admin"
|
||||
)
|
||||
|
||||
func Auth(jwtSecret string) gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
header := c.GetHeader("Authorization")
|
||||
if !strings.HasPrefix(header, "Bearer ") {
|
||||
c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
|
||||
Error: models.APIError{Code: "unauthorized", Message: "missing bearer token"},
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
tokenStr := strings.TrimPrefix(header, "Bearer ")
|
||||
token, err := jwt.Parse(tokenStr, func(t *jwt.Token) (any, error) {
|
||||
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||
return nil, jwt.ErrSignatureInvalid
|
||||
}
|
||||
return []byte(jwtSecret), nil
|
||||
})
|
||||
if err != nil || !token.Valid {
|
||||
c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
|
||||
Error: models.APIError{Code: "unauthorized", Message: "invalid token"},
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
claims, ok := token.Claims.(jwt.MapClaims)
|
||||
if !ok {
|
||||
c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
|
||||
Error: models.APIError{Code: "unauthorized", Message: "invalid claims"},
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
userID, err := uuid.Parse(claims["sub"].(string))
|
||||
if err != nil {
|
||||
c.AbortWithStatusJSON(http.StatusUnauthorized, models.ErrorResponse{
|
||||
Error: models.APIError{Code: "unauthorized", Message: "invalid sub claim"},
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
tenantID, _ := uuid.Parse(claims["tenant_id"].(string))
|
||||
isAdmin, _ := claims["is_admin"].(bool)
|
||||
|
||||
c.Set(KeyUserID, userID)
|
||||
c.Set(KeyTenantID, tenantID)
|
||||
c.Set(KeyIsAdmin, isAdmin)
|
||||
c.Next()
|
||||
}
|
||||
}
|
||||
|
||||
func AdminOnly() gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
if isAdmin, _ := c.Get(KeyIsAdmin); isAdmin != true {
|
||||
c.AbortWithStatusJSON(http.StatusForbidden, models.ErrorResponse{
|
||||
Error: models.APIError{Code: "forbidden", Message: "admin only"},
|
||||
})
|
||||
return
|
||||
}
|
||||
c.Next()
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user