33 lines
910 B
Go
33 lines
910 B
Go
package permission
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
)
|
|
|
|
type actorKey struct{}
|
|
|
|
// Actor identifies the calling tenant member (Bearer JWT or dev headers).
|
|
// Permission logic always needs (tenant_id, uid) so the auth → permission
|
|
// boundary is explicit; pulling from headers is dev-only.
|
|
type Actor struct {
|
|
TenantID string
|
|
UID string
|
|
}
|
|
|
|
// WithActor stores tenant/uid on the context for permission logic
|
|
// handlers.
|
|
func WithActor(ctx context.Context, tenantID, uid string) context.Context {
|
|
return context.WithValue(ctx, actorKey{}, Actor{TenantID: tenantID, UID: uid})
|
|
}
|
|
|
|
// ActorFromContext reads the actor injected by JWT middleware or dev
|
|
// headers.
|
|
func ActorFromContext(ctx context.Context) (Actor, error) {
|
|
v, ok := ctx.Value(actorKey{}).(Actor)
|
|
if !ok || v.TenantID == "" || v.UID == "" {
|
|
return Actor{}, fmt.Errorf("missing bearer token or X-Tenant-ID/X-UID headers")
|
|
}
|
|
return v, nil
|
|
}
|