Prototype with single host server and no admin panel (#2)

Reviewed-on: wrenn/sandbox#2 Co-authored-by: pptx704 <rafeed@omukk.dev> Co-committed-by: pptx704 <rafeed@omukk.dev>
2026-03-22 21:01:23 +00:00
parent bd78cc068c
commit 32e5a5a715
293 changed files with 46885 additions and 1033 deletions
--- a/internal/api/middleware_jwt.go
+++ b/internal/api/middleware_jwt.go
@ -0,0 +1,36 @@
+package api
+
+import (
+	"net/http"
+	"strings"
+
+	"git.omukk.dev/wrenn/sandbox/internal/auth"
+)
+
+// requireJWT validates the Authorization: Bearer <token> header, verifies the JWT
+// signature and expiry, and stamps UserID + TeamID + Email into the request context.
+func requireJWT(secret []byte) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			header := r.Header.Get("Authorization")
+			if !strings.HasPrefix(header, "Bearer ") {
+				writeError(w, http.StatusUnauthorized, "unauthorized", "Authorization: Bearer <token> required")
+				return
+			}
+
+			tokenStr := strings.TrimPrefix(header, "Bearer ")
+			claims, err := auth.VerifyJWT(secret, tokenStr)
+			if err != nil {
+				writeError(w, http.StatusUnauthorized, "unauthorized", "invalid or expired token")
+				return
+			}
+
+			ctx := auth.WithAuthContext(r.Context(), auth.AuthContext{
+				TeamID: claims.TeamID,
+				UserID: claims.Subject,
+				Email:  claims.Email,
+			})
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}