template-monorepo/internal/middleware/auth_jwt.go

package middleware

import (
	"net/http"
	"strings"

	errs "gateway/internal/library/errors"
	"gateway/internal/library/errors/code"
	logicmember "gateway/internal/logic/member"
	domauth "gateway/internal/model/auth/domain/usecase"
	"gateway/internal/response"

	"github.com/zeromicro/go-zero/rest"
)

// CloudEPJWT parses Bearer access tokens and injects member actor into request context.
// When token is absent or invalid, the request proceeds unchanged (dev headers may still apply on member routes).
func CloudEPJWT(tokens domauth.TokenUseCase) rest.Middleware {
	return func(next http.HandlerFunc) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) {
			ctx := r.Context()
			raw := bearerToken(r.Header.Get("Authorization"))
			if raw != "" && tokens != nil {
				claims, err := tokens.ParseAccessToken(ctx, raw)
				if err == nil {
					ctx = logicmember.WithActor(ctx, claims.TenantID, claims.UID)
					r = r.WithContext(ctx)
					next(w, r)
					return
				}
				if e := errs.FromError(err); e != nil && e.Category() == code.AuthUnauthorized {
					response.Write(r.Context(), w, nil, err)
					return
				}
			}
			next(w, r)
		}
	}
}

func bearerToken(header string) string {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return ""
	}
	return strings.TrimSpace(strings.TrimPrefix(header, prefix))
}
feat(auth): add unified registration/login module with Zitadel + lint cleanup - Introduce auth module: handlers, logic, domain/repository/usecase, JWT middleware, and Zitadel OIDC client (password + authorization code + userinfo + JWKS verification) - Wire member rate-limit, structured errors, and refactored member/ notification usecases (introduce shared errors, drop repo_errors.go) - Bring the codebase to zero golangci-lint issues: * goimports formatting * errcheck on io.ReadAll/Unlock cleanup paths * contextcheck: HandlerContext now takes (ctx, http.Request) gocritic: rename shadowed `max`, use http.NoBody * goconst: extract test fixtures and bsonOpSet * testifylint: switch to assert inside httptest handlers Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-21 06:45:35 +00:00			`package middleware`

			`import (`
			`"net/http"`
			`"strings"`

			`errs "gateway/internal/library/errors"`
			`"gateway/internal/library/errors/code"`
			`logicmember "gateway/internal/logic/member"`
			`domauth "gateway/internal/model/auth/domain/usecase"`
			`"gateway/internal/response"`

			`"github.com/zeromicro/go-zero/rest"`
			`)`

			`// CloudEPJWT parses Bearer access tokens and injects member actor into request context.`
			`// When token is absent or invalid, the request proceeds unchanged (dev headers may still apply on member routes).`
			`func CloudEPJWT(tokens domauth.TokenUseCase) rest.Middleware {`
			`return func(next http.HandlerFunc) http.HandlerFunc {`
			`return func(w http.ResponseWriter, r *http.Request) {`
			`ctx := r.Context()`
			`raw := bearerToken(r.Header.Get("Authorization"))`
			`if raw != "" && tokens != nil {`
			`claims, err := tokens.ParseAccessToken(ctx, raw)`
			`if err == nil {`
			`ctx = logicmember.WithActor(ctx, claims.TenantID, claims.UID)`
			`r = r.WithContext(ctx)`
			`next(w, r)`
			`return`
			`}`
			`if e := errs.FromError(err); e != nil && e.Category() == code.AuthUnauthorized {`
			`response.Write(r.Context(), w, nil, err)`
			`return`
			`}`
			`}`
			`next(w, r)`
			`}`
			`}`
			`}`

			`func bearerToken(header string) string {`
			`const prefix = "Bearer "`
			`if !strings.HasPrefix(header, prefix) {`
			`return ""`
			`}`
			`return strings.TrimSpace(strings.TrimPrefix(header, prefix))`
			`}`