refactor(auth): split IAM module and add access/refresh session flow

2026-03-01 21:26:37 +08:00
parent 6a2d2c9724
commit 57c27e9102
13 changed files with 1377 additions and 345 deletions
--- a/internal/iam/middleware.go
+++ b/internal/iam/middleware.go
@@ -0,0 +1,40 @@
+package iam
+
+import (
+	"errors"
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+func (s *Service) RequireAccess() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		token := extractBearerToken(c.GetHeader("Authorization"))
+		if token == "" {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing authorization"})
+			return
+		}
+		claims, err := s.ValidateAccessToken(c.Request.Context(), token)
+		if err != nil {
+			status := http.StatusUnauthorized
+			if errors.Is(err, errSessionRevoked) {
+				status = http.StatusUnauthorized
+			}
+			c.AbortWithStatusJSON(status, gin.H{"error": "invalid token"})
+			return
+		}
+		c.Set(ContextUserIDKey, claims.UserID)
+		c.Set(ContextSessionIDKey, claims.SessionID)
+		c.Set(ContextJTIKey, claims.JTI)
+		c.Next()
+	}
+}
+
+func extractBearerToken(header string) string {
+	authHeader := strings.TrimSpace(header)
+	if strings.HasPrefix(authHeader, "Bearer ") {
+		return strings.TrimSpace(authHeader[7:])
+	}
+	return authHeader
+}