Overview
Package iammiddleware provides Gin middleware for validating Hanzo IAM (hanzo.id) JWT tokens. It uses the existing auth.IAMClient for JWKS-based token validation and sets IAM claims in the Gin context for downstream handlers.
Constants
This section is empty.
Variables
This section is empty.
Functions
func Client (added in v1.39.1)
Client returns the initialized IAM client, or nil if IAM is disabled or Init() has not been called. Consumers outside the middleware chain (e.g. SPA handlers with their own auth gate) use this to validate bearer tokens against the same JWKS the /v1 middleware uses. Fail-closed: a nil return means "treat every request as unauthenticated".
func GetIAMClaims
GetIAMClaims returns the IAM claims from context, or nil if not IAM-authenticated.
func GetIAMTier (added in v1.36.4)
GetIAMTier returns the user's billing tier from context. Returns an empty string if the request is not IAM-authenticated or no tier is set.
func IAMTokenRequired
func IAMTokenRequired() gin.HandlerFunc
IAMTokenRequired validates hanzo.id JWT tokens via JWKS. If a valid IAM token is found, it resolves the org from the token's "owner" claim and sets both IAM context keys and the standard "organization" + "permissions" keys that downstream handlers expect.
Auth guard behavior:
- IAM enabled but client initialization failed: 503 Service Unavailable
- Bearer token present but invalid: 401 Unauthorized (no fallthrough)
- No Bearer token present: fall through to legacy org-token auth
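The decision table above, modelled as an added example that is not code from the iammiddleware package or from Hanzo: Guard applies the three documented rules plus the success path, and Middleware maps each outcome onto a response. It is written against net/http rather than Gin so that it runs with the standard library alone; the Claims fields, the TokenValidator interface standing in for auth.IAMClient, the ClaimsFrom accessor and the staticValidator test double are assumptions constructed for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Claims stands in for the IAM claims the real middleware stores in the Gin context
// (constructed for this example; the field names are assumptions).
type Claims struct {
	Subject string
	Owner   string // the token's "owner" claim, from which the org is resolved
}

// TokenValidator models the JWKS-backed check done by auth.IAMClient (hypothetical
// interface; the real client's method signature is not shown on the page).
type TokenValidator interface {
	ValidateToken(ctx context.Context, raw string) (*Claims, error)
}

// Decision is the guard's outcome for one request.
type Decision int

const (
	DecisionServiceUnavailable Decision = iota // IAM enabled, client not initialized: 503
	DecisionUnauthorized                       // Bearer present but invalid: 401, no fallthrough
	DecisionFallthrough                        // no Bearer credential: legacy org-token auth
	DecisionAuthenticated                      // valid IAM token: claims set for handlers
)

// bearerToken extracts the credential from "Authorization: Bearer <token>"; ok is false
// when no Bearer credential is present (header absent, other scheme, or empty token).
func bearerToken(header string) (tok string, ok bool) {
	const prefix = "bearer "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return "", false
	}
	tok = strings.TrimSpace(header[len(prefix):])
	return tok, tok != ""
}

// Guard applies the documented decision table. client is nil when IAM is enabled but
// initialization failed, the same condition under which Client() returns nil.
func Guard(ctx context.Context, client TokenValidator, authHeader string) (Decision, *Claims) {
	if client == nil {
		return DecisionServiceUnavailable, nil // fail closed rather than skip the check
	}
	tok, ok := bearerToken(authHeader)
	if !ok {
		return DecisionFallthrough, nil
	}
	claims, err := client.ValidateToken(ctx, tok)
	if err != nil || claims == nil {
		return DecisionUnauthorized, nil // an invalid token never reaches legacy auth
	}
	return DecisionAuthenticated, claims
}

type ctxKey struct{}
// ClaimsFrom plays the role of GetIAMClaims for net/http handlers.
func ClaimsFrom(ctx context.Context) *Claims {
	c, _ := ctx.Value(ctxKey{}).(*Claims)
	return c
}

// Middleware maps Guard decisions onto responses (net/http instead of Gin so only the standard library is needed).
func Middleware(client TokenValidator, legacy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch d, claims := Guard(r.Context(), client, r.Header.Get("Authorization")); d {
		case DecisionServiceUnavailable:
			http.Error(w, "IAM unavailable", http.StatusServiceUnavailable)
		case DecisionUnauthorized:
			http.Error(w, "invalid token", http.StatusUnauthorized)
		case DecisionFallthrough:
			legacy.ServeHTTP(w, r)
		default:
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, claims)))
		}
	})
}

// staticValidator is a constructed validator accepting exactly one token, in place of real JWKS verification.
type staticValidator struct{ good string }

func (s staticValidator) ValidateToken(_ context.Context, raw string) (*Claims, error) {
	if raw == s.good {
		return &Claims{Subject: "user_123", Owner: "org_abc"}, nil
	}
	return nil, errors.New("signature verification failed")
}

func main() {
	d, c := Guard(context.Background(), staticValidator{good: "valid-token"}, "Bearer valid-token")
	fmt.Println(d, c.Owner) // 3 org_abc
}
```

Two details matter for the fail-closed property. The nil check comes first, before any header parsing, so a request can never be waved through when the client is unusable. And bearerToken treats a non-Bearer scheme or an empty token as "no Bearer credential" rather than as an invalid one, so the 401 path is reserved for tokens that were actually presented and failed validation, while everything else reaches the legacy org-token check exactly as the table says. When passing a client into Guard, use an untyped nil rather than a typed nil pointer, since a typed nil stored in the interface is not equal to nil and would bypass the 503 branch.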
func Init
Init initializes the IAM middleware with the given configuration. Must be called before IAMTokenRequired() middleware is used. Safe to call multiple times; last call wins.
func InitKV (added in v1.36.4)
func InitKV(kv KVCache)
InitKV wires a KV client for caching IAM org lookups. Call from app.Bootstrap() after infra is connected. Passing nil is safe and disables KV caching.
func IsIAMAuthenticated
IsIAMAuthenticated checks whether the current request was authenticated via IAM.
Types
type KVCache (added in v1.36.4)
type KVCache interface {
	Get(ctx context.Context, key string) (string, error)
	Set(ctx context.Context, key string, value string, ttl time.Duration) error
	Delete(ctx context.Context, keys ...string) error
}
KVCache is the minimal interface required for org-lookup caching. *infra.KVClient satisfies this interface.
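An added example, not part of the package or of *infra.KVClient, showing an in-memory KVCache implementation and a cache-aside org lookup built on it. MemCache is the kind of stand-in one would pass to InitKV in tests; the ErrCacheMiss sentinel, the "iam:org:" key prefix, the TTL and the OrgLookup type are assumptions made for this example, since the page does not say how *infra.KVClient reports a missing key or how the middleware keys its org entries.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// KVCache is the interface documented above, reproduced so the file compiles alone.
type KVCache interface {
	Get(ctx context.Context, key string) (string, error)
	Set(ctx context.Context, key string, value string, ttl time.Duration) error
	Delete(ctx context.Context, keys ...string) error
}

// ErrCacheMiss marks a miss here (assumption: the page does not say how *infra.KVClient reports one).
var ErrCacheMiss = errors.New("cache miss")

type entry struct{ value string; expires time.Time } // zero expires means no expiry

// MemCache is an in-memory KVCache with per-key TTL, suitable as a test double.
type MemCache struct {
	mu   sync.Mutex
	data map[string]entry
	now  func() time.Time // injectable clock so expiry can be tested deterministically
}

var _ KVCache = (*MemCache)(nil) // compile-time check that MemCache satisfies KVCache

func NewMemCache() *MemCache { return &MemCache{data: map[string]entry{}, now: time.Now} }

func (m *MemCache) Get(_ context.Context, key string) (string, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	e, ok := m.data[key]
	if !ok {
		return "", ErrCacheMiss
	}
	if !e.expires.IsZero() && !m.now().Before(e.expires) {
		delete(m.data, key) // lazily evict expired entries
		return "", ErrCacheMiss
	}
	return e.value, nil
}

func (m *MemCache) Set(_ context.Context, key, value string, ttl time.Duration) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	var exp time.Time
	if ttl > 0 {
		exp = m.now().Add(ttl)
	}
	m.data[key] = entry{value: value, expires: exp}
	return nil
}

func (m *MemCache) Delete(_ context.Context, keys ...string) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	for _, k := range keys {
		delete(m.data, k)
	}
	return nil
}

// OrgLookup resolves the org record for a token's "owner" claim, cache first.
// The "iam:org:" key prefix and the TTL are choices made for this example.
type OrgLookup struct {
	cache KVCache
	ttl   time.Duration
	fetch func(ctx context.Context, owner string) (string, error) // the backing IAM call
}

func (o *OrgLookup) Resolve(ctx context.Context, owner string) (string, error) {
	key := "iam:org:" + owner
	if o.cache != nil { // nil cache mirrors InitKV(nil): caching disabled
		if v, err := o.cache.Get(ctx, key); err == nil {
			return v, nil
		}
	}
	v, err := o.fetch(ctx, owner)
	if err != nil {
		return "", err // never cache failures, so a transient IAM error cannot stick
	}
	if o.cache != nil {
		_ = o.cache.Set(ctx, key, v, o.ttl) // a cache write failure is not fatal to auth
	}
	return v, nil
}

func main() {
	l := &OrgLookup{cache: NewMemCache(), ttl: 5 * time.Minute,
		fetch: func(_ context.Context, owner string) (string, error) { return "record:" + owner, nil }}
	v, _ := l.Resolve(context.Background(), "org_abc")
	fmt.Println(v) // record:org_abc
}
```

The lookup only caches successful answers, so an outage of the backing IAM call is retried on the next request instead of being pinned for the TTL, and Delete is the hook for explicit invalidation when an org changes. Injecting the clock keeps the TTL behaviour testable without sleeping.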