v0.0.1 (#8)

Co-authored-by: Tasnim Kabir Sadik <tksadik92@gmail.com> Reviewed-on: wrenn/sandbox#8
2026-04-09 19:24:49 +00:00
parent 32e5a5a715
commit d3e4812e46
199 changed files with 24552 additions and 2776 deletions
--- a/internal/api/middleware_auth.go
+++ b/internal/api/middleware_auth.go
@ -7,6 +7,7 @@ import (

 	"git.omukk.dev/wrenn/sandbox/internal/auth"
 	"git.omukk.dev/wrenn/sandbox/internal/db"
+	"git.omukk.dev/wrenn/sandbox/internal/id"
 )

 // requireAPIKeyOrJWT accepts either X-API-Key header or Authorization: Bearer JWT.
@ -19,15 +20,20 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 				hash := auth.HashAPIKey(key)
 				row, err := queries.GetAPIKeyByHash(r.Context(), hash)
 				if err != nil {
+					slog.Warn("api key auth failed", "prefix", auth.APIKeyPrefix(key), "ip", r.RemoteAddr)
 					writeError(w, http.StatusUnauthorized, "unauthorized", "invalid API key")
 					return
 				}

 				if err := queries.UpdateAPIKeyLastUsed(r.Context(), row.ID); err != nil {
-					slog.Warn("failed to update api key last_used", "key_id", row.ID, "error", err)
+					slog.Warn("failed to update api key last_used", "key_id", id.FormatAPIKeyID(row.ID), "error", err)
 				}

-				ctx := auth.WithAuthContext(r.Context(), auth.AuthContext{TeamID: row.TeamID})
+				ctx := auth.WithAuthContext(r.Context(), auth.AuthContext{
+					TeamID:     row.TeamID,
+					APIKeyID:   row.ID,
+					APIKeyName: row.Name,
+				})
 				next.ServeHTTP(w, r.WithContext(ctx))
 				return
 			}
@ -37,14 +43,28 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 				tokenStr := strings.TrimPrefix(header, "Bearer ")
 				claims, err := auth.VerifyJWT(jwtSecret, tokenStr)
 				if err != nil {
+					slog.Warn("jwt auth failed", "error", err, "ip", r.RemoteAddr)
 					writeError(w, http.StatusUnauthorized, "unauthorized", "invalid or expired token")
 					return
 				}

+				teamID, err := id.ParseTeamID(claims.TeamID)
+				if err != nil {
+					writeError(w, http.StatusUnauthorized, "unauthorized", "invalid team ID in token")
+					return
+				}
+				userID, err := id.ParseUserID(claims.Subject)
+				if err != nil {
+					writeError(w, http.StatusUnauthorized, "unauthorized", "invalid user ID in token")
+					return
+				}
+
 				ctx := auth.WithAuthContext(r.Context(), auth.AuthContext{
-					TeamID: claims.TeamID,
-					UserID: claims.Subject,
+					TeamID: teamID,
+					UserID: userID,
 					Email:  claims.Email,
+					Name:   claims.Name,
+					Role:   claims.Role,
 				})
 				next.ServeHTTP(w, r.WithContext(ctx))
 				return