go-modules

common-go

Shared platform library for Tupic Go services. Capability-based packages — not a layered application: each package is one platform concern with its contract and implementation together.

config, echo, nats, and sentry wrap a same-named third-party package (labstack echo, nats.go, sentry-go, config loading) that services also import in the same files. Where both appear in one file, alias the upstream import (labecho, natslib); the wrapper keeps the clean name.

Auth architecture

Authentication (authentication) answers who is calling; authorization (authorization) answers may they do this. They meet in authorization.Actor.

HTTP request with "Authorization: Bearer <token>"
    │
    ▼
echo.AuthMiddleware ───────────────── marks admin routes for role hydration,
    │                                 continues anonymously on bad tokens
    ▼
authentication.Authenticator[U].Authenticate    U = the service's user entity
    │
    ├─ iam driver (production):       validate JWT against JWKS (RS256,
    │                                 issuer, expiry; refetch rate-limited)
    │                                   ├─ service-account token → service Actor, no user
    │                                   └─ user token → UserResolver[U] (service-owned
    │                                      find-or-provision) → user Actor + *U
    │
    └─ dummy driver (tests/local):    token is base64 JSON Actor
    │
    ▼
Actor + user stored in request context
    │
    ▼
echo.RequireUser / RequireAdmin / RequireService   (route guards)
    │
    ▼
use case calls authorization.Authorizer.Authorize(actor, permissions...)
                                      (scope + permission policy: exact,
                                       admin-prefixed, or service wildcard)

What a service implements

Only its user resolver — everything else is shared:

// 1. The resolver: validated claims → the service's user entity.
type userResolver struct{ /* repo, clock, ... */ }

func (r *userResolver) Resolve(ctx context.Context, c *iam.Claims) (*myservice.User, error) {
    // find-or-provision; this is where per-service rules live
}

// 2. Wiring: one call.
authn, err := authentication.New(
    authentication.Config{Driver: cfg.Auth.Driver, IAM: iam.Config{
        Issuer: cfg.Auth.Issuer, JwksURL: cfg.Auth.JwksURL, ServiceName: "MyService",
    }},
    newUserResolver(...),
    repo.FindByID, // dummy-driver lookup
)

// 3. HTTP middleware: one struct.
echo.AuthMiddleware(echo.AuthConfig[myservice.User]{
    Authenticate:    authn.Authenticate,
    WithUser:        myservice.ContextWithUser,
    AdminPathPrefix: "/myservice/v1/admin",
})

Extending

• Custom driver (API keys, another IdP): implement the one-method authentication.Authenticator[U] interface — or wrap a closure in authentication.Func[U] — and skip authentication.New. The middleware and guards only see the interface.
• Function-only resolver: iam.UserResolverFunc[U] adapts a closure.
• Test wiring: iam.WithHTTPClient injects an in-process round-tripper; iam.WithJWKSCooldown tunes (or disables) the JWKS refetch rate limit.
• Permissions: fully qualified "<service>:<resource>.<action>" (e.g. "assets:assets.write"). The shared TokenAuthorizer matches the exact form, the admin:-prefixed form, and service wildcards (assets:*, admin:assets:*).

Consumption pattern

Services keep thin facade packages re-exporting shared contracts via type aliases (internal/domain/common, internal/application/port, …) so domain and application code never imports common-go directly, plus one bootstrap/modules.go mapping service config to the narrow shared config types (logger.Config, nats.Config, persistence/config.Config, …).

Until the GitHub repo exists, services use replace github.com/tupicapp/common-go => ../common-go.

License

Released under the MIT License.