Documentation
Overview
Package iammiddleware provides Gin middleware for validating Hanzo IAM (hanzo.id) JWT tokens. It uses the existing auth.IAMClient for JWKS-based token validation and sets IAM claims in the Gin context for downstream handlers.
Constants
This section is empty.
Variables
This section is empty.
Functions
func GetIAMClaims
GetIAMClaims returns the IAM claims from context, or nil if not IAM-authenticated.
func GetIAMTier (added in v1.36.4)
GetIAMTier returns the user's billing tier from context. Returns an empty string if the request is not IAM-authenticated or no tier is set.
func IAMTokenRequired

func IAMTokenRequired() gin.HandlerFunc
IAMTokenRequired validates hanzo.id JWT tokens via JWKS. If a valid IAM token is found, it resolves the org from the token's "owner" claim and sets both the IAM context keys and the standard "organization" + "permissions" keys that downstream handlers expect.
Auth guard behavior:
- IAM enabled but client initialization failed: 503 Service Unavailable
- Bearer token present but invalid: 401 Unauthorized (no fallthrough to legacy auth)
- No Bearer token present: fall through to legacy org-token auth
func Init
Init initializes the IAM middleware with the given configuration. It must be called before the IAMTokenRequired() middleware is used. It is safe to call multiple times; the last call wins.
func InitKV (added in v1.36.4)

func InitKV(kv KVCache)

InitKV wires a KV client for caching IAM org lookups. Call it from app.Bootstrap() after infra is connected. Passing nil is safe and disables KV caching.
func IsIAMAuthenticated
IsIAMAuthenticated checks whether the current request was authenticated via IAM.
Types
type KVCache (added in v1.36.4)

type KVCache interface {
	Get(ctx context.Context, key string) (string, error)
	Set(ctx context.Context, key string, value string, ttl time.Duration) error
	Delete(ctx context.Context, keys ...string) error
}
KVCache is the minimal interface required for org-lookup caching. *infra.KVClient satisfies this interface.
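As an added example (not code from the iammiddleware package or the infra package), here is an in-memory KVCache implementation with per-key TTL that can stand in for *infra.KVClient in tests, together with a cached org lookup of the kind InitKV enables. MemKV, ErrMiss, LookupOrg, the "iam:org:" key prefix and the 5-minute TTL are assumptions; only the KVCache interface itself is taken from the docs.

```go
package main

import (
	"context"
	"errors"
	"sync"
	"time"
)

// KVCache is copied verbatim from the iammiddleware docs.
type KVCache interface {
	Get(ctx context.Context, key string) (string, error)
	Set(ctx context.Context, key string, value string, ttl time.Duration) error
	Delete(ctx context.Context, keys ...string) error
}
var ErrMiss = errors.New("kv: miss") // assumed; the page does not document the miss error
type entry struct{ val string; exp time.Time }
// MemKV is an in-memory stand-in for *infra.KVClient with per-key TTL; the zero value is usable.
type MemKV struct{ m sync.Map } // key -> entry
func (c *MemKV) Get(_ context.Context, key string) (string, error) {
	if v, ok := c.m.Load(key); ok && time.Now().Before(v.(entry).exp) {
		return v.(entry).val, nil
	}
	c.m.Delete(key) // expired entries are evicted lazily
	return "", ErrMiss
}
func (c *MemKV) Set(_ context.Context, key, val string, ttl time.Duration) error {
	c.m.Store(key, entry{val, time.Now().Add(ttl)})
	return nil
}
func (c *MemKV) Delete(_ context.Context, keys ...string) error {
	for _, k := range keys {
		c.m.Delete(k)
	}
	return nil
}

// LookupOrg resolves a token's "owner" claim to an org, trying kv before resolve; the key prefix and TTL are assumptions, and kv == nil disables caching as InitKV(nil) does.
func LookupOrg(ctx context.Context, kv KVCache, owner string, resolve func(string) (string, error)) (string, error) {
	key := "iam:org:" + owner
	if kv != nil {
		if org, err := kv.Get(ctx, key); err == nil {
			return org, nil
		}
	}
	org, err := resolve(owner)
	if err == nil && kv != nil {
		_ = kv.Set(ctx, key, org, 5*time.Minute) // a failed Set only costs cache hits
	}
	return org, err
}
```

Failed resolutions are deliberately not cached, so a transient IdP error cannot pin a wrong or empty org for the TTL.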