Documentation
Index ¶
- Constants
- func AuthorizeRole(requiredRole entity.WorkspaceRole) gin.HandlerFunc
- func AuthorizeSystemRole(requiredRole entity.SystemRole) gin.HandlerFunc
- func AuthorizeTenantRole(requiredRole entity.TenantRole) gin.HandlerFunc
- func CustomRenderAuth(auth port.RenderAuthenticator) gin.HandlerFunc
- func DummyAuth() gin.HandlerFunc
- func DummyIdentityAndRoles(internalUserID string) gin.HandlerFunc
- func GetInternalUserID(c *gin.Context) (string, bool)
- func GetOIDCProvider(c *gin.Context) (string, bool)
- func GetOperationID(c *gin.Context) string
- func GetRenderAuthExtra(c *gin.Context) map[string]any
- func GetSystemRole(c *gin.Context) (entity.SystemRole, bool)
- func GetTenantID(c *gin.Context) (string, bool)
- func GetTenantIDFromHeader(c *gin.Context) (string, bool)
- func GetTenantRole(c *gin.Context) (entity.TenantRole, bool)
- func GetUserEmail(c *gin.Context) (string, bool)
- func GetUserID(c *gin.Context) (string, bool)
- func GetUserName(c *gin.Context) (string, bool)
- func GetWorkspaceID(c *gin.Context) (string, bool)
- func GetWorkspaceIDFromHeader(c *gin.Context) (string, bool)
- func GetWorkspaceRole(c *gin.Context) (entity.WorkspaceRole, bool)
- func HasSystemRole(c *gin.Context) bool
- func IdentityContext(pool *pgxpool.Pool, bootstrapEnabled bool, userRepo port.UserRepository) gin.HandlerFunc
- func MultiOIDCAuth(providers []config.OIDCProvider) gin.HandlerFunc
- func Operation() gin.HandlerFunc
- func PanelAuth(cfg *config.Config) gin.HandlerFunc
- func RenderAuth(cfg *config.Config) gin.HandlerFunc
- func RenderClaimsContext() gin.HandlerFunc
- func RequireAdmin() gin.HandlerFunc
- func RequireEditor() gin.HandlerFunc
- func RequireOperator() gin.HandlerFunc
- func RequireOwner() gin.HandlerFunc
- func RequirePlatformAdmin() gin.HandlerFunc
- func RequireSuperAdmin() gin.HandlerFunc
- func RequireTenantAccess() gin.HandlerFunc
- func RequireTenantAdmin() gin.HandlerFunc
- func RequireTenantOwner() gin.HandlerFunc
- func RequireViewer() gin.HandlerFunc
- func RequireWorkspaceAccess() gin.HandlerFunc
- func SystemRoleContext(systemRoleRepo port.SystemRoleRepository) gin.HandlerFunc
- func TenantContext(tenantMemberRepo port.TenantMemberRepository) gin.HandlerFunc
- func WorkspaceContext(workspaceRepo port.WorkspaceRepository, ...) gin.HandlerFunc
- type OIDCClaims
- type Provider
Constants ¶
const (
// DummyUserID is the fixed external identity ID for dummy auth mode.
DummyUserID = "00000000-0000-0000-0000-000000000001"
// DummyUserEmail is the fixed email for dummy auth mode.
DummyUserEmail = "admin@pdfforge.local"
// DummyUserName is the fixed name for dummy auth mode.
DummyUserName = "PDF Forge Admin"
)
const (
// OperationIDHeader is the header name for the operation ID.
OperationIDHeader = "X-Operation-ID"
)
const (
// TenantIDHeader is the header name for the tenant ID.
TenantIDHeader = "X-Tenant-ID"
)
const (
// WorkspaceIDHeader is the header name for the workspace ID.
WorkspaceIDHeader = "X-Workspace-ID"
)
Variables ¶
This section is empty.
Functions ¶
func AuthorizeRole ¶
func AuthorizeRole(requiredRole entity.WorkspaceRole) gin.HandlerFunc
AuthorizeRole creates a middleware that checks whether the user has at least the required workspace role. This middleware must be applied after WorkspaceContext.
func AuthorizeSystemRole ¶
func AuthorizeSystemRole(requiredRole entity.SystemRole) gin.HandlerFunc
AuthorizeSystemRole creates a middleware that checks whether the user has at least the required system role. This middleware must be applied after SystemRoleContext.
func AuthorizeTenantRole ¶
func AuthorizeTenantRole(requiredRole entity.TenantRole) gin.HandlerFunc
AuthorizeTenantRole creates a middleware that checks whether the user has at least the required tenant role. This middleware must be applied after TenantContext.
func CustomRenderAuth ¶
func CustomRenderAuth(auth port.RenderAuthenticator) gin.HandlerFunc
CustomRenderAuth creates middleware using a custom RenderAuthenticator. Claims are stored in context using the same keys as OIDC for compatibility.
func DummyAuth ¶
func DummyAuth() gin.HandlerFunc
DummyAuth creates a middleware that bypasses JWT validation and injects a fixed superadmin identity. It is used only when no auth config is provided (dev mode); every request is then handled as the fixed superadmin identity without presenting any credential.
func DummyIdentityAndRoles ¶
func DummyIdentityAndRoles(internalUserID string) gin.HandlerFunc
DummyIdentityAndRoles creates a middleware that sets the internal user ID and grants SUPERADMIN system role. Used in dummy auth mode to bypass IdentityContext and SystemRoleContext middlewares.
func GetInternalUserID ¶
GetInternalUserID retrieves the internal user ID from the Gin context.
func GetOIDCProvider ¶
GetOIDCProvider retrieves the matched OIDC provider name from the Gin context.
func GetOperationID ¶
GetOperationID retrieves the operation ID from the Gin context.
func GetRenderAuthExtra ¶
GetRenderAuthExtra retrieves extra claims from custom render auth. Returns nil if not using custom auth or if Extra was not set.
func GetSystemRole ¶
func GetSystemRole(c *gin.Context) (entity.SystemRole, bool)
GetSystemRole retrieves the user's system role from the Gin context.
func GetTenantID ¶
GetTenantID retrieves the current tenant ID from the Gin context.
func GetTenantIDFromHeader ¶
GetTenantIDFromHeader retrieves the tenant ID directly from the X-Tenant-ID header. Use this when you need to read the header without applying the full TenantContext middleware; it does not check tenant membership or role. Returns false if the header is missing or contains an invalid UUID.
func GetTenantRole ¶
func GetTenantRole(c *gin.Context) (entity.TenantRole, bool)
GetTenantRole retrieves the user's role in the current tenant.
func GetUserEmail ¶
GetUserEmail retrieves the authenticated user email from the Gin context.
func GetUserName ¶
GetUserName retrieves the authenticated user name from the Gin context.
func GetWorkspaceID ¶
GetWorkspaceID retrieves the current workspace ID from the Gin context.
func GetWorkspaceIDFromHeader ¶
GetWorkspaceIDFromHeader retrieves the workspace ID directly from the X-Workspace-ID header. Use this when you need to read the header without applying the full WorkspaceContext middleware; it does not check workspace membership or role.
func GetWorkspaceRole ¶
func GetWorkspaceRole(c *gin.Context) (entity.WorkspaceRole, bool)
GetWorkspaceRole retrieves the user's role in the current workspace.
func HasSystemRole ¶
HasSystemRole checks if the user has any system role.
func IdentityContext ¶
func IdentityContext(pool *pgxpool.Pool, bootstrapEnabled bool, userRepo port.UserRepository) gin.HandlerFunc
IdentityContext creates a middleware that syncs the user from the IdP and loads workspace context. It requires the JWTAuth middleware to be applied before it. If bootstrapEnabled is true and no users exist in the database, the first user to log in is automatically created as SUPERADMIN.
func MultiOIDCAuth ¶
func MultiOIDCAuth(providers []config.OIDCProvider) gin.HandlerFunc
MultiOIDCAuth creates middleware supporting multiple OIDC providers. It matches the incoming token's issuer against the configured providers and returns 401 if the issuer is not in the configured list.
func Operation ¶
func Operation() gin.HandlerFunc
Operation creates a middleware that generates a unique operation ID for each request. The operation ID is used for request tracing and logging.
func PanelAuth ¶
func PanelAuth(cfg *config.Config) gin.HandlerFunc
PanelAuth creates middleware for panel (login/UI) authentication. Uses only the panel OIDC provider configured in auth.panel.
func RenderAuth ¶
func RenderAuth(cfg *config.Config) gin.HandlerFunc
RenderAuth creates middleware for render endpoint authentication. Accepts panel provider plus any additional render-only providers.
func RenderClaimsContext ¶
func RenderClaimsContext() gin.HandlerFunc
RenderClaimsContext is a pass-through middleware for render endpoints. Claims are already set by RenderAuth, so this skips the DB identity lookup.
func RequireAdmin ¶
func RequireAdmin() gin.HandlerFunc
RequireAdmin is a convenience middleware that requires at least ADMIN role.
func RequireEditor ¶
func RequireEditor() gin.HandlerFunc
RequireEditor is a convenience middleware that requires at least EDITOR role.
func RequireOperator ¶
func RequireOperator() gin.HandlerFunc
RequireOperator is a convenience middleware that requires at least OPERATOR role.
func RequireOwner ¶
func RequireOwner() gin.HandlerFunc
RequireOwner is a convenience middleware that requires OWNER role.
func RequirePlatformAdmin ¶
func RequirePlatformAdmin() gin.HandlerFunc
RequirePlatformAdmin is a convenience middleware that requires at least PLATFORM_ADMIN role.
func RequireSuperAdmin ¶
func RequireSuperAdmin() gin.HandlerFunc
RequireSuperAdmin is a convenience middleware that requires SUPERADMIN role.
func RequireTenantAccess ¶
func RequireTenantAccess() gin.HandlerFunc
RequireTenantAccess creates a middleware that ensures the user has access to the tenant. This is a simpler check than AuthorizeTenantRole - it only verifies that the user is a member.
func RequireTenantAdmin ¶
func RequireTenantAdmin() gin.HandlerFunc
RequireTenantAdmin is a convenience middleware that requires at least TENANT_ADMIN role.
func RequireTenantOwner ¶
func RequireTenantOwner() gin.HandlerFunc
RequireTenantOwner is a convenience middleware that requires TENANT_OWNER role.
func RequireViewer ¶
func RequireViewer() gin.HandlerFunc
RequireViewer is a convenience middleware that requires at least VIEWER role.
func RequireWorkspaceAccess ¶
func RequireWorkspaceAccess() gin.HandlerFunc
RequireWorkspaceAccess creates a middleware that ensures the user has access to the workspace. This is a simpler check than AuthorizeRole - it only verifies that the user is a member.
func SystemRoleContext ¶
func SystemRoleContext(systemRoleRepo port.SystemRoleRepository) gin.HandlerFunc
SystemRoleContext creates a middleware that loads the user's system role if they have one. This middleware is optional - it does not fail if the user has no system role. It should be applied after IdentityContext.
func TenantContext ¶
func TenantContext(tenantMemberRepo port.TenantMemberRepository) gin.HandlerFunc
TenantContext creates a middleware that requires and loads the user's role for a specific tenant. The tenant ID must come from the X-Tenant-ID header. This middleware should only be applied to routes that require tenant context. Users with system roles (SUPERADMIN) get automatic access as TENANT_OWNER.
func WorkspaceContext ¶
func WorkspaceContext(
	workspaceRepo port.WorkspaceRepository,
	workspaceMemberRepo port.WorkspaceMemberRepository,
	tenantMemberRepo port.TenantMemberRepository,
) gin.HandlerFunc
WorkspaceContext creates a middleware that requires and loads the user's role for a specific workspace. The workspace ID must come from the X-Workspace-ID header. This middleware should only be applied to routes that require workspace context. Users with system roles (SUPERADMIN) get automatic access as OWNER. Users with tenant roles (TENANT_OWNER) get automatic access as ADMIN for workspaces in their tenant.
Types ¶
type OIDCClaims ¶
type OIDCClaims struct {
jwt.RegisteredClaims
Email string `json:"email,omitempty"`
EmailVerified bool `json:"email_verified,omitempty"`
Name string `json:"name,omitempty"`
PreferredUser string `json:"preferred_username,omitempty"`
}
OIDCClaims represents standard OIDC JWT claims.
type Provider ¶
type Provider struct {
// contains filtered or unexported fields
}
Provider centralizes middleware construction with their required dependencies. This avoids passing repositories through multiple layers just to initialize middlewares.
func NewProvider ¶
func NewProvider(
	pool *pgxpool.Pool,
	bootstrapEnabled bool,
	userRepo port.UserRepository,
	systemRoleRepo port.SystemRoleRepository,
	workspaceRepo port.WorkspaceRepository,
	workspaceMemberRepo port.WorkspaceMemberRepository,
	tenantMemberRepo port.TenantMemberRepository,
) *Provider
NewProvider creates a new middleware provider with all required repositories.
func (*Provider) IdentityContext ¶
func (p *Provider) IdentityContext() gin.HandlerFunc
IdentityContext returns a middleware that loads user identity from the database. If bootstrap is enabled and no users exist, creates the first user as SUPERADMIN.
func (*Provider) SystemRoleContext ¶
func (p *Provider) SystemRoleContext() gin.HandlerFunc
SystemRoleContext returns a middleware that loads the user's system role if they have one.
func (*Provider) TenantContext ¶
func (p *Provider) TenantContext() gin.HandlerFunc
TenantContext returns a middleware that loads tenant context and user's role.
func (*Provider) WorkspaceContext ¶
func (p *Provider) WorkspaceContext() gin.HandlerFunc
WorkspaceContext returns a middleware that loads workspace context and user's role.