claims

package
v0.43.0
Published: Apr 19, 2026 License: MIT Imports: 2 Imported by: 0

Documentation

Overview

Package claims provides the canonical 3-header identity contract for every Base-derived service. There is exactly ONE way to read the authenticated caller's identity: FromHeaders.

The Hanzo Gateway validates the IAM JWT upstream and re-emits exactly three headers on the forwarded request. Services MUST NOT read any other variant (no X-Hanzo-*, no X-IAM-*, no singular X-User-Role, no X-Tenant-Id alias):

X-User-Id <- JWT "sub"
X-Org-Id  <- JWT "owner"
X-Roles   <- JWT "roles" (comma-joined if array)

Services MUST call StripIdentityHeaders (or wrap the server with Strip) on every inbound request before the JWT middleware re-injects the trusted values. A client that sets any of these headers directly is rejected at the gateway; services strip again locally, as defence in depth, in case a sidecar or mesh path lets a request reach the service without passing through the gateway.

Constants

const (
	HeaderUserID = "X-User-Id"
	HeaderOrgID  = "X-Org-Id"
	HeaderRoles  = "X-Roles"
)

The canonical 3 identity headers. These are the ONLY headers a handler may read to determine the authenticated principal.

Variables

This section is empty.

Functions

func Strip

func Strip(next http.Handler) http.Handler

Strip is a net/http middleware that calls StripIdentityHeaders on every inbound request before delegating to next. Use it at the outermost layer of a service, before any JWT middleware that populates the canonical 3 headers. Ordering matters: if Strip runs after the JWT middleware, it deletes the trusted values that middleware just injected and every request looks unauthenticated.

func StripIdentityHeaders

func StripIdentityHeaders(h http.Header)

StripIdentityHeaders removes every inbound identity-bearing header from h: the canonical 3 and the legacy variants. Call it before JWT validation re-injects the canonical values. It also unconditionally drops every header whose name starts with "X-Hanzo-" or "X-IAM-" (case-insensitive), closing the "clever new header name" vector in which a client smuggles identity through a variant the explicit list does not name.
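As an added example (not the package's own code), the following self-contained Go program reimplements the documented Strip/StripIdentityHeaders contract and wires it in front of a stand-in JWT layer, to show the trust boundary the overview describes: client-supplied canonical, legacy and X-Hanzo-*/X-IAM-* headers never reach the handler, and only the values injected after the strip survive. The legacy header list (only the two variants the overview names), the "demo-token" JWT stub and the helper names stripIdentityHeaders, strip, fakeJWT and seenIdentity are assumptions for this demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// The canonical 3 identity headers, as documented by the claims package.
const (
	HeaderUserID = "X-User-Id"
	HeaderOrgID  = "X-Org-Id"
	HeaderRoles  = "X-Roles"
)

// Legacy variants named in the package overview. Assumption: the real package
// may strip more; this list is only what the documentation names explicitly.
var legacyIdentityHeaders = []string{"X-User-Role", "X-Tenant-Id"}

// stripIdentityHeaders mirrors the documented contract of StripIdentityHeaders:
// drop the canonical 3, the named legacy variants, and every X-Hanzo-*/X-IAM-*
// header regardless of case (Go canonicalises keys on Set/Add, but a map filled
// by hand may not be, so the prefix check lowercases first).
func stripIdentityHeaders(h http.Header) {
	for _, name := range []string{HeaderUserID, HeaderOrgID, HeaderRoles} {
		h.Del(name)
	}
	for _, name := range legacyIdentityHeaders {
		h.Del(name)
	}
	for name := range h { // deleting while ranging over a map is safe in Go
		lower := strings.ToLower(name)
		if strings.HasPrefix(lower, "x-hanzo-") || strings.HasPrefix(lower, "x-iam-") {
			delete(h, name)
		}
	}
}

// strip is the outermost middleware: scrub before anything trusted is injected.
func strip(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		stripIdentityHeaders(r.Header)
		next.ServeHTTP(w, r)
	})
}

// fakeJWT stands in for the layer that validates the IAM token and re-injects
// the canonical 3. Assumption for the demo: the only valid token is "demo-token".
func fakeJWT(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "Bearer demo-token" {
			r.Header.Set(HeaderUserID, "u_123")
			r.Header.Set(HeaderOrgID, "org_acme")
			r.Header.Set(HeaderRoles, "admin,editor")
		}
		next.ServeHTTP(w, r)
	})
}

// seenIdentity sends a request carrying the given client headers through
// strip -> fakeJWT -> handler and reports what the handler observes: the three
// canonical values and any identity-looking header that survived the strip.
func seenIdentity(client map[string]string) (userID, orgID, roles string, leftovers []string) {
	inner := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		userID, orgID, roles = r.Header.Get(HeaderUserID), r.Header.Get(HeaderOrgID), r.Header.Get(HeaderRoles)
		for name := range r.Header {
			l := strings.ToLower(name)
			if strings.HasPrefix(l, "x-hanzo-") || strings.HasPrefix(l, "x-iam-") || l == "x-user-role" || l == "x-tenant-id" {
				leftovers = append(leftovers, name)
			}
		}
	})
	req := httptest.NewRequest(http.MethodGet, "/whoami", nil)
	for k, v := range client {
		req.Header.Set(k, v)
	}
	strip(fakeJWT(inner)).ServeHTTP(httptest.NewRecorder(), req)
	return userID, orgID, roles, leftovers
}

func main() {
	// Constructed spoofing attempt with no valid token: everything is scrubbed.
	spoof := map[string]string{
		"X-User-Id": "u_attacker", "X-Hanzo-User-Id": "u_attacker",
		"x-iam-roles": "admin", "X-User-Role": "admin", "X-Tenant-Id": "org_victim",
	}
	u, o, r, left := seenIdentity(spoof)
	fmt.Printf("no token:    user=%q org=%q roles=%q leftovers=%v\n", u, o, r, left)

	// Same spoofed headers plus a valid token: only the JWT layer's values remain.
	spoof["Authorization"] = "Bearer demo-token"
	u, o, r, left = seenIdentity(spoof)
	fmt.Printf("valid token: user=%q org=%q roles=%q leftovers=%v\n", u, o, r, left)
}
```

The first request prints empty identity and no leftovers; the second prints user u_123, org org_acme and roles admin,editor, with the client's X-Roles "superuser"-style overrides gone because the strip ran before injection. Swap the order of strip and fakeJWT in seenIdentity and both requests come out empty, which is the ordering failure the Strip documentation warns about.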

Types

type Claims

type Claims struct {
	UserID string
	OrgID  string
	Roles  []string
}

Claims is the verified identity of the current request as asserted by the upstream gateway's JWT validation. When the request is unauthenticated (public endpoints) all three fields are zero-valued: UserID and OrgID are empty strings and Roles is an empty slice. A handler that requires an authenticated caller must therefore check UserID itself rather than assume a subject is present.

func FromHeaders

func FromHeaders(r *http.Request) Claims

FromHeaders returns the canonical Claims for the request. It reads ONLY the three canonical headers; any legacy variant set by a client is ignored by design (and should have been stripped upstream).

Roles are decoded from a comma-separated list; empty entries (for example from a doubled or trailing comma, or an absent header) are dropped, so Roles never contains "".

func (Claims) HasRole

func (c Claims) HasRole(wanted ...string) bool

HasRole reports whether the caller holds any of the requested roles. Role names are matched exactly (case-sensitive, so "Admin" does not match "admin"); calling it with no arguments returns false.
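As an added example (not the package's own code), this self-contained Go program reimplements the documented FromHeaders and HasRole contracts and builds a small authorisation guard on top of them, exercising the edge cases the documentation calls out: doubled and trailing commas in X-Roles, an absent header on a public endpoint, case-sensitive matching, and HasRole with no arguments. The guard requireRole and the helper statusFor are hypothetical and not part of the package; this demo also assumes FromHeaders reads the first X-Roles value (via Header.Get) and trims whitespace around each role, neither of which the documentation states.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// The canonical 3 identity headers, as documented by the claims package.
const (
	HeaderUserID = "X-User-Id"
	HeaderOrgID  = "X-Org-Id"
	HeaderRoles  = "X-Roles"
)

// Claims mirrors the documented struct.
type Claims struct {
	UserID string
	OrgID  string
	Roles  []string
}

// fromHeaders mirrors the documented FromHeaders contract: read only the
// canonical 3, split X-Roles on commas, drop empty entries. Assumption: this
// demo reads the first X-Roles value (Header.Get) and trims whitespace around
// each role; the package documentation does not say whether it does either.
func fromHeaders(r *http.Request) Claims {
	c := Claims{UserID: r.Header.Get(HeaderUserID), OrgID: r.Header.Get(HeaderOrgID)}
	for _, raw := range strings.Split(r.Header.Get(HeaderRoles), ",") {
		if role := strings.TrimSpace(raw); role != "" {
			c.Roles = append(c.Roles, role) // "" or "a,,b," never yields an empty role
		}
	}
	return c
}

// HasRole mirrors the documented method: any-of match, exact and case-sensitive,
// false for no arguments.
func (c Claims) HasRole(wanted ...string) bool {
	for _, w := range wanted {
		for _, have := range c.Roles {
			if have == w {
				return true
			}
		}
	}
	return false
}

// requireRole is a hypothetical guard built on fromHeaders/HasRole: 401 when
// there is no authenticated subject, 403 when the subject lacks every listed
// role. Because HasRole() with no roles is false, requireRole(next) with no
// roles denies everyone: it fails closed instead of silently going public.
func requireRole(next http.Handler, roles ...string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c := fromHeaders(r)
		switch {
		case c.UserID == "":
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
		case !c.HasRole(roles...):
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// statusFor runs a request carrying the given (gateway-injected) headers
// through requireRole and returns the resulting HTTP status.
func statusFor(hdrs map[string]string, required ...string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	for k, v := range hdrs {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	requireRole(ok, required...).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed header set, as the gateway would inject it after JWT validation.
	editor := map[string]string{HeaderUserID: "u_1", HeaderOrgID: "org_1", HeaderRoles: "editor,,viewer, "}
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	for k, v := range editor {
		req.Header.Set(k, v)
	}
	c := fromHeaders(req)
	fmt.Printf("roles=%q HasRole(viewer)=%v HasRole(Editor)=%v HasRole()=%v\n",
		c.Roles, c.HasRole("viewer"), c.HasRole("Editor"), c.HasRole())
	fmt.Println("anonymous -> admin endpoint:", statusFor(nil, "admin"))             // 401
	fmt.Println("editor    -> admin endpoint:", statusFor(editor, "admin"))          // 403
	fmt.Println("editor    -> admin|editor:  ", statusFor(editor, "admin", "editor")) // 200
}
```

The 401/403 split is deliberate: an empty UserID means the gateway injected nothing (unauthenticated), while a present UserID without the role is an authorisation failure. Keeping the two distinct makes gateway misconfiguration (every request arriving anonymous) visible in access logs rather than blending into ordinary permission denials.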
