feat: add database schema and backend foundation
Part 1 - Database (kanzlai schema in Supabase): - Tenant-scoped tables: tenants, user_tenants, cases, parties, deadlines, appointments, documents, case_events - Global reference tables: proceeding_types, deadline_rules, holidays - RLS policies on all tenant-scoped tables - Seed: UPC proceeding types, 32 deadline rules (INF/CCR/REV/PI/APP), ZPO civil rules (Berufung, Revision, Einspruch), 2026 holidays Part 2 - Backend skeleton: - config: env var loading (DATABASE_URL, SUPABASE_*, ANTHROPIC_API_KEY) - db: sqlx connection pool with kanzlai search_path - auth: JWT verification middleware adapted from youpc.org, context helpers - models: Go structs for all tables with sqlx/json tags - router: route registration with auth middleware, /health + placeholder API routes - Updated main.go to wire everything together
This commit is contained in:
m
89
backend/internal/auth/middleware.go
Normal file
89
backend/internal/auth/middleware.go
Normal file
@@ -0,0 +1,89 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
type Middleware struct {
|
||||
jwtSecret []byte
|
||||
}
|
||||
|
||||
func NewMiddleware(jwtSecret string) *Middleware {
|
||||
return &Middleware{jwtSecret: []byte(jwtSecret)}
|
||||
}
|
||||
|
||||
func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
token := extractBearerToken(r)
|
||||
if token == "" {
|
||||
http.Error(w, "missing authorization token", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
userID, err := m.verifyJWT(token)
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("invalid token: %v", err), http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
ctx := ContextWithUserID(r.Context(), userID)
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
})
|
||||
}
|
||||
|
||||
func (m *Middleware) verifyJWT(tokenStr string) (uuid.UUID, error) {
|
||||
parsedToken, err := jwt.Parse(tokenStr, func(t *jwt.Token) (interface{}, error) {
|
||||
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
|
||||
}
|
||||
return m.jwtSecret, nil
|
||||
})
|
||||
if err != nil {
|
||||
return uuid.Nil, fmt.Errorf("parsing JWT: %w", err)
|
||||
}
|
||||
|
||||
if !parsedToken.Valid {
|
||||
return uuid.Nil, fmt.Errorf("invalid JWT token")
|
||||
}
|
||||
|
||||
claims, ok := parsedToken.Claims.(jwt.MapClaims)
|
||||
if !ok {
|
||||
return uuid.Nil, fmt.Errorf("extracting JWT claims")
|
||||
}
|
||||
|
||||
if exp, ok := claims["exp"].(float64); ok {
|
||||
if time.Now().Unix() > int64(exp) {
|
||||
return uuid.Nil, fmt.Errorf("JWT token has expired")
|
||||
}
|
||||
}
|
||||
|
||||
sub, ok := claims["sub"].(string)
|
||||
if !ok {
|
||||
return uuid.Nil, fmt.Errorf("missing sub claim in JWT")
|
||||
}
|
||||
|
||||
userID, err := uuid.Parse(sub)
|
||||
if err != nil {
|
||||
return uuid.Nil, fmt.Errorf("invalid user ID format: %w", err)
|
||||
}
|
||||
|
||||
return userID, nil
|
||||
}
|
||||
|
||||
func extractBearerToken(r *http.Request) string {
|
||||
auth := r.Header.Get("Authorization")
|
||||
if auth == "" {
|
||||
return ""
|
||||
}
|
||||
parts := strings.SplitN(auth, " ", 2)
|
||||
if len(parts) != 2 || !strings.EqualFold(parts[0], "bearer") {
|
||||
return ""
|
||||
}
|
||||
return parts[1]
|
||||
}
|
||||
Reference in New Issue
Block a user