Documentation

Index
- Constants
- func AuthorizeResource(checker *authcasbin.CasbinAuthorizationChecker, ...) echo.MiddlewareFunc
- func BearerOrSession(jwtService authapp.JWTService, sessionAuth func(http.Handler) http.Handler, ...) echo.MiddlewareFunc
- func GetUserRole(ctx context.Context, accountRepo authrepos.AccountRepository) (string, error)
- func Impersonation(store sessions.Store, accountRepo authrepos.AccountRepository, ...) echo.MiddlewareFunc
- func IsAdmin(ctx context.Context, accountRepo authrepos.AccountRepository) (bool, error)
- func Messages() echo.MiddlewareFunc
- func OptionalAuth(sm session.SessionManager, as authapp.AuthenticationService) func(http.Handler) http.Handler
- func SoftAuth(credRepo authrepos.CredentialRepository, agentRepo authrepos.AgentRepository, ...) echo.MiddlewareFunc
- func Static(cfg StaticConfig) echo.MiddlewareFunc
- type StaticConfig
Constants

const (
	ImpersonationSessionName = "weos-impersonation"
	KeyImpersonatedAgentID   = "impersonated_agent_id"
	KeyRealAgentID           = "real_agent_id"
	KeyRealAccountID         = "real_account_id"
)

Variables
This section is empty.
Functions

func AuthorizeResource

func AuthorizeResource(
	checker *authcasbin.CasbinAuthorizationChecker,
	accountRepo authrepos.AccountRepository,
	logger entities.Logger,
) echo.MiddlewareFunc
AuthorizeResource returns Echo middleware that checks Casbin policies for dynamic resource routes (/:typeSlug and /:typeSlug/:id). Requests without a :typeSlug parameter are passed through (they are static routes).
Fail-closed: a nil identity returns 401, a missing role returns 403, and any Casbin error returns 500. The only exception is an unconfigured role (zero policies), which is allowed through with a logged warning.
Middleware order is security-critical: RequireAuth must run first to establish identity, then Impersonation to swap identity if active, then this middleware.
func BearerOrSession

func BearerOrSession(
	jwtService authapp.JWTService,
	sessionAuth func(http.Handler) http.Handler,
	baseURL string,
) echo.MiddlewareFunc
BearerOrSession returns Echo middleware that authenticates requests via either a Bearer JWT token or the existing session cookie flow.
When a Bearer token is present, it is validated using the JWTService and an auth.Identity is injected into context. When no Bearer token is present, the request is passed through the sessionAuth middleware (pericarp RequireAuth).
Unauthenticated requests receive a 401 with WWW-Authenticate header per the MCP Authorization spec, pointing to the Protected Resource Metadata endpoint.
func GetUserRole

func GetUserRole(ctx context.Context, accountRepo authrepos.AccountRepository) (string, error)

GetUserRole returns the authenticated user's role in their active account. If no active account is set (legacy sessions), it falls back to the first account the user belongs to. It returns ("", nil) when no identity is present or the user has no accounts, and a non-nil error only on database/infrastructure failures.
func Impersonation

func Impersonation(store sessions.Store, accountRepo authrepos.AccountRepository, logger entities.Logger) echo.MiddlewareFunc
Impersonation returns Echo middleware that checks for an active impersonation session and, if present, replaces the auth.Identity in the request context with the impersonated user's identity (including their account).
func IsAdmin

func IsAdmin(ctx context.Context, accountRepo authrepos.AccountRepository) (bool, error)

IsAdmin reports whether the authenticated user has an admin or owner role in their active account. It returns (false, error) on infrastructure failures so callers can distinguish "not admin" from "cannot determine".
func Messages

func Messages() echo.MiddlewareFunc
Messages returns middleware that injects a message accumulator into the request context. Services can call entities.AddMessage(ctx, msg) to accumulate messages; handlers extract them with entities.GetMessages(ctx).
func OptionalAuth

func OptionalAuth(
	sm session.SessionManager,
	as authapp.AuthenticationService,
) func(http.Handler) http.Handler
OptionalAuth loads session identity into the request context when a valid session exists, but passes through anonymously when it does not. Use this for endpoints that behave differently for authenticated vs. anonymous callers (e.g., invite acceptance derives email from the session when available).
func SoftAuth

func SoftAuth(
	credRepo authrepos.CredentialRepository,
	agentRepo authrepos.AgentRepository,
	accountRepo authrepos.AccountRepository,
	logger entities.Logger,
) echo.MiddlewareFunc
SoftAuth returns Echo middleware for dev mode (OAuth disabled). If the request carries an X-Dev-Agent header with a seeded user's email, the middleware resolves the user and injects auth.Identity into the context. If the header is absent, the request passes through anonymously.
func Static

func Static(cfg StaticConfig) echo.MiddlewareFunc
Static returns Echo middleware that serves embedded static files with SPA fallback. Requests with the /api prefix are skipped and passed to the next handler. For all other paths, the middleware tries to serve the requested file from the embedded filesystem. If the file is not found, it falls back to index.html for client-side SPA routing.
Types

type StaticConfig
type StaticConfig struct {
// Filesystem is the embedded filesystem containing static assets.
Filesystem fs.FS
// Root is the root directory within the filesystem (e.g., "dist").
Root string
}
StaticConfig holds configuration for the static file middleware.