Documentation

Overview
Package middleware contains middleware functions for authentication and authorization.
Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func RequireGoogleServiceAccount

    func RequireGoogleServiceAccount(expectedEmail string, audienceOption AudienceOption) func(http.Handler) http.Handler
RequireGoogleServiceAccount is a middleware that verifies incoming HTTP requests are authenticated by a specific Google Service Account.
It extracts the OIDC token from the "Authorization: Bearer" header and validates it using Google's public certificates. The validation ensures that:

1. The token is properly signed and not expired.
2. The token's audience matches the specified AudienceOption (based on the request URL/host).
3. The token contains a verified email claim.
4. The verified email exactly matches the expectedEmail parameter.
If validation fails at any step, the middleware intercepts the request and returns an HTTP 401 Unauthorized response. Otherwise, it delegates to the next handler in the chain.
For environments where the application sits behind a load balancer or proxy that does not pass through the original host in http.Request.Host, you can override the Host value used for token audience validation by setting the environment variable APPLICATION_HOST.
Types

type AudienceOption

    type AudienceOption int

AudienceOption selects which part of the request URL is compared against the token's audience claim.
    const (
        // AudienceHostOnly will validate only the host name e.g., "example.com"
        AudienceHostOnly AudienceOption = iota
        // AudienceHostURL will validate the host url e.g., "https://example.com"
        AudienceHostURL
        // AudienceFullURL will validate the full url e.g., "https://example.com/path"
        AudienceFullURL
    )
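The following is an added, self-contained illustration of the check sequence and audience derivation described above; it is not the middleware package's own code. The Claims and TokenVerifier types, the RequireServiceAccount and expectedAudience functions, and the statusFor helper are assumptions introduced here so that the certificate-backed verification can be swapped for a constructed stub, and the https scheme is assumed when building the URL forms of the audience. The APPLICATION_HOST override and the three AudienceOption values behave as the page describes.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// AudienceOption and its three values mirror the page's definitions.
type AudienceOption int

const (
	AudienceHostOnly AudienceOption = iota // "example.com"
	AudienceHostURL                        // "https://example.com"
	AudienceFullURL                        // "https://example.com/path"
)

// Claims is a hypothetical, minimal view of a token whose signature and
// expiry have already been checked. It is not the package's type.
type Claims struct {
	Audience      string
	Email         string
	EmailVerified bool
}

// TokenVerifier is a hypothetical hook standing in for validation against
// Google's public certificates; it fails on a bad signature or expired token.
type TokenVerifier func(rawToken string) (Claims, error)

// expectedAudience derives the audience the token must carry from the request
// and the chosen option. APPLICATION_HOST overrides r.Host for deployments
// behind a proxy, as the page describes. The https scheme is assumed here.
func expectedAudience(r *http.Request, opt AudienceOption) string {
	host := r.Host
	if override := os.Getenv("APPLICATION_HOST"); override != "" {
		host = override
	}
	switch opt {
	case AudienceHostOnly:
		return host
	case AudienceHostURL:
		return "https://" + host
	default: // AudienceFullURL: host plus path and query
		return "https://" + host + r.URL.RequestURI()
	}
}

// bearerToken extracts the token from "Authorization: Bearer <token>".
func bearerToken(r *http.Request) (string, bool) {
	const prefix = "bearer "
	h := r.Header.Get("Authorization")
	if len(h) <= len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return "", false
	}
	tok := strings.TrimSpace(h[len(prefix):])
	return tok, tok != ""
}

// RequireServiceAccount applies the four checks in the page's order and
// answers 401 on the first failure; verify is the hypothetical injection point.
func RequireServiceAccount(expectedEmail string, opt AudienceOption, verify TokenVerifier) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			raw, ok := bearerToken(r)
			if !ok {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			claims, err := verify(raw) // 1. signature and expiry
			if err != nil ||
				claims.Audience != expectedAudience(r, opt) || // 2. audience
				!claims.EmailVerified || // 3. verified email claim present
				claims.Email != expectedEmail { // 4. exact email match
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// statusFor sends one constructed request through h and returns the status code.
func statusFor(h http.Handler, target, authz string) int {
	r := httptest.NewRequest(http.MethodGet, target, nil)
	if authz != "" {
		r.Header.Set("Authorization", authz)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	// Constructed stub: only the literal token "good" verifies.
	verify := func(raw string) (Claims, error) {
		if raw != "good" {
			return Claims{}, errors.New("bad signature")
		}
		return Claims{Audience: "https://example.com", Email: "svc@example.iam.gserviceaccount.com", EmailVerified: true}, nil
	}
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := RequireServiceAccount("svc@example.iam.gserviceaccount.com", AudienceHostURL, verify)(ok)
	fmt.Println(statusFor(h, "https://example.com/path", "Bearer good"))   // 200
	fmt.Println(statusFor(h, "https://example.com/path", "Bearer forged")) // 401
}
```

Note that with AudienceFullURL a token minted for "https://example.com" is rejected for a request to "https://example.com/path", which is the behaviour to expect when the audience option and the audience the caller requested from Google disagree; the stub verifier makes that visible without any network access.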