interceptor

package v0.3.0

This package is not in the latest version of its module.

Published: May 29, 2026 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

Package interceptor implements the gRPC interceptor chain for the token-engine service. It does not implement the correlation interceptor — that lives in internal/observability. Chain order (maintained in main.go): otelgrpc → correlation → auth → caller auth → idempotency → validation. Primary dependencies: internal/observability for Logger and context key functions, internal/registry for CallerRegistry, internal/store for IdempotencyStore.

Index

Constants

This section is empty.

Variables

var ReservedClaimKeys = map[string]struct{}{
	"sub": {}, "iss": {}, "aud": {}, "exp": {}, "iat": {}, "nbf": {}, "jti": {},
}

ReservedClaimKeys is the set of JWT claim keys the validation interceptor rejects.

Functions

func NewAuthInterceptor

func NewAuthInterceptor(auth Authenticator, logger observability.Logger) grpc.UnaryServerInterceptor

NewAuthInterceptor returns a gRPC unary server interceptor that authenticates requests. On success, the caller identity is bound to the context via WithCallerIdentity. On authentication failure, the error is returned without calling the handler.

func NewCallerAuthorizationInterceptor

func NewCallerAuthorizationInterceptor(reg registry.CallerRegistry, logger observability.Logger) grpc.UnaryServerInterceptor

NewCallerAuthorizationInterceptor returns a gRPC unary server interceptor for caller authorization. v0.1–v0.4: stub — return handler(ctx, req). registry and logger accepted but unused. v0.5: real implementation — registry lookup against caller identity and tenant_id.

func NewIdempotencyInterceptor

func NewIdempotencyInterceptor(st store.IdempotencyStore, logger observability.Logger, metrics observability.Metrics) grpc.UnaryServerInterceptor

NewIdempotencyInterceptor returns a gRPC unary server interceptor for idempotency handling. v0.1–v0.3: stub — return handler(ctx, req). store, logger, metrics accepted but unused. v0.4: real implementation — check store before handler, cache response after.

func NewValidationInterceptor

func NewValidationInterceptor(logger observability.Logger) grpc.UnaryServerInterceptor

NewValidationInterceptor returns a gRPC unary server interceptor for request validation. Enforces non-empty sub on IssueToken and rejects reserved JWT claim keys on IssueToken and RefreshToken. All other methods pass through unchanged.
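The validation rule above (non-empty sub on IssueToken, reserved claim keys rejected on IssueToken and RefreshToken, everything else passed through) as an added, runnable example. This is not the package's code: the gRPC types are replaced by hand-written stand-ins so it runs on the standard library alone, the request structs and the full method names are hypothetical (the real protobuf messages are not on the page), and ErrInvalidArgument stands in for a codes.InvalidArgument status error.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sort"
)

// Stand-ins for grpc.UnaryHandler, grpc.UnaryServerInfo and grpc.UnaryServerInterceptor
// so the example runs on the standard library alone.
type UnaryHandler func(ctx context.Context, req any) (any, error)
type UnaryServerInfo struct{ FullMethod string }
type UnaryServerInterceptor func(ctx context.Context, req any, info *UnaryServerInfo, handler UnaryHandler) (any, error)

// ErrInvalidArgument stands in for a codes.InvalidArgument status error.
var ErrInvalidArgument = errors.New("invalid argument")

// ReservedClaimKeys mirrors the package variable: claims a caller may not supply
// because the token engine sets them itself.
var ReservedClaimKeys = map[string]struct{}{
	"sub": {}, "iss": {}, "aud": {}, "exp": {}, "iat": {}, "nbf": {}, "jti": {},
}

// Hypothetical request shapes and method names (assumed; not taken from the page).
type IssueTokenRequest struct {
	Sub    string
	Claims map[string]string
}
type RefreshTokenRequest struct {
	Claims map[string]string
}

const (
	methodIssueToken   = "/tokenengine.TokenEngine/IssueToken"
	methodRefreshToken = "/tokenengine.TokenEngine/RefreshToken"
)

// reservedIn returns every reserved key present in claims, sorted so the error is deterministic.
func reservedIn(claims map[string]string) []string {
	var hits []string
	for k := range claims {
		if _, reserved := ReservedClaimKeys[k]; reserved {
			hits = append(hits, k)
		}
	}
	sort.Strings(hits)
	return hits
}

// NewValidationInterceptor enforces non-empty sub on IssueToken and rejects reserved
// claim keys on IssueToken and RefreshToken. All other methods pass through unchanged.
func NewValidationInterceptor() UnaryServerInterceptor {
	return func(ctx context.Context, req any, info *UnaryServerInfo, handler UnaryHandler) (any, error) {
		var claims map[string]string
		switch info.FullMethod {
		case methodIssueToken:
			r, ok := req.(*IssueTokenRequest)
			if !ok {
				return nil, fmt.Errorf("%w: unexpected request type %T", ErrInvalidArgument, req)
			}
			if r.Sub == "" {
				return nil, fmt.Errorf("%w: sub must be non-empty", ErrInvalidArgument)
			}
			claims = r.Claims
		case methodRefreshToken:
			r, ok := req.(*RefreshTokenRequest)
			if !ok {
				return nil, fmt.Errorf("%w: unexpected request type %T", ErrInvalidArgument, req)
			}
			claims = r.Claims
		default:
			return handler(ctx, req) // not a token-issuing method: pass through
		}
		if hits := reservedIn(claims); len(hits) > 0 {
			return nil, fmt.Errorf("%w: reserved claim keys %v", ErrInvalidArgument, hits)
		}
		return handler(ctx, req)
	}
}

// Validate runs one request through the interceptor against a handler that only
// records that it was reached, so callers can see whether validation blocked the call.
func Validate(method string, req any) (reachedHandler bool, err error) {
	ic := NewValidationInterceptor()
	_, err = ic(context.Background(), req, &UnaryServerInfo{FullMethod: method},
		func(ctx context.Context, req any) (any, error) {
			reachedHandler = true
			return "ok", nil
		})
	return reachedHandler, err
}

func main() {
	fmt.Println(Validate(methodIssueToken, &IssueTokenRequest{Sub: "alice", Claims: map[string]string{"role": "reader"}}))
	fmt.Println(Validate(methodIssueToken, &IssueTokenRequest{Sub: "alice", Claims: map[string]string{"exp": "0", "aud": "x"}}))
}
```

Two design points worth noting: the reserved-key check runs on the claims map regardless of which token method carried it, so adding a new claim-bearing method only requires a new case; and the type assertion on the request guards against a mismatched method-to-message mapping rather than silently passing through.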

Types

type Authenticator

type Authenticator interface {
	// Authenticate extracts a verified caller identity from the gRPC request context.
	// Returns the caller identity string on success.
	// Returns a gRPC status error directly — callers must not wrap the error.
	Authenticate(ctx context.Context) (callerIdentity string, err error)
}

Authenticator extracts and verifies a caller identity from the gRPC request context.

type StaticKeyAuthenticator

type StaticKeyAuthenticator struct {
	// contains filtered or unexported fields
}

StaticKeyAuthenticator authenticates requests using a static mapping of API keys to caller identities.

func NewStaticKeyAuthenticator

func NewStaticKeyAuthenticator(keys map[string]string) *StaticKeyAuthenticator

NewStaticKeyAuthenticator returns a new StaticKeyAuthenticator with the given key→identity mapping.

func (*StaticKeyAuthenticator) Authenticate

func (a *StaticKeyAuthenticator) Authenticate(ctx context.Context) (string, error)

Authenticate extracts the API key from gRPC metadata and returns the mapped caller identity. If the key is absent or not found in the map, returns codes.Unauthenticated.
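The pieces described under NewAuthInterceptor, Authenticator and StaticKeyAuthenticator, plus the chain composition mentioned in the Overview, as one added, runnable example. It is not the package's code: grpc.UnaryServerInterceptor, metadata.MD and the status codes are replaced by stand-ins so it runs on the standard library alone, the metadata key "x-api-key" is assumed (the real header name is not on the page), and Chain, CallerIdentityFrom and Invoke are helpers written for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"log"
)

// Stand-ins for grpc.UnaryHandler, grpc.UnaryServerInterceptor and metadata.MD.
type UnaryHandler func(ctx context.Context, req any) (any, error)
type UnaryServerInterceptor func(ctx context.Context, req any, handler UnaryHandler) (any, error)
type MD map[string][]string

// ErrUnauthenticated stands in for a codes.Unauthenticated status error.
var ErrUnauthenticated = errors.New("unauthenticated")

// Unexported key types keep the context values private to this package.
type mdKey struct{}
type callerKey struct{}

// WithCallerIdentity binds the verified identity to the context so later interceptors
// and the handler read it back instead of re-parsing metadata.
func WithCallerIdentity(ctx context.Context, id string) context.Context {
	return context.WithValue(ctx, callerKey{}, id)
}

func CallerIdentityFrom(ctx context.Context) (string, bool) {
	id, ok := ctx.Value(callerKey{}).(string)
	return id, ok
}

type Authenticator interface {
	Authenticate(ctx context.Context) (callerIdentity string, err error)
}

// apiKeyHeader is a hypothetical metadata key; the real header name is not on the page.
const apiKeyHeader = "x-api-key"

// StaticKeyAuthenticator maps API keys to caller identities.
type StaticKeyAuthenticator struct{ keys map[string]string }

func NewStaticKeyAuthenticator(keys map[string]string) *StaticKeyAuthenticator {
	return &StaticKeyAuthenticator{keys: keys}
}

// Authenticate returns the identity mapped to the presented key, or ErrUnauthenticated when
// the header is absent, repeated or unknown. The presented key never appears in the error.
func (a *StaticKeyAuthenticator) Authenticate(ctx context.Context) (string, error) {
	md, ok := ctx.Value(mdKey{}).(MD)
	if !ok {
		return "", fmt.Errorf("%w: no metadata", ErrUnauthenticated)
	}
	if vals := md[apiKeyHeader]; len(vals) == 1 {
		if id, found := a.keys[vals[0]]; found {
			return id, nil
		}
	}
	return "", fmt.Errorf("%w: missing or unknown %s", ErrUnauthenticated, apiKeyHeader)
}

// NewAuthInterceptor binds the identity on success; on failure it returns the error
// without calling the handler.
func NewAuthInterceptor(auth Authenticator, logger *log.Logger) UnaryServerInterceptor {
	return func(ctx context.Context, req any, handler UnaryHandler) (any, error) {
		id, err := auth.Authenticate(ctx)
		if err != nil {
			logger.Printf("authentication failed: %v", err)
			return nil, err
		}
		return handler(WithCallerIdentity(ctx, id), req)
	}
}

// Chain runs the first interceptor outermost, the way main.go's
// otelgrpc → correlation → auth → ... order is realised.
func Chain(ics ...UnaryServerInterceptor) UnaryServerInterceptor {
	return func(ctx context.Context, req any, handler UnaryHandler) (any, error) {
		h := handler
		for i := len(ics) - 1; i >= 0; i-- {
			ic, next := ics[i], h
			h = func(ctx context.Context, req any) (any, error) { return ic(ctx, req, next) }
		}
		return h(ctx, req)
	}
}

// Invoke sends one request through the chain with the given incoming metadata and
// reports whether the handler ran and which identity it saw.
func Invoke(auth Authenticator, md MD) (identity string, handlerCalled bool, err error) {
	chain := Chain(NewAuthInterceptor(auth, log.New(io.Discard, "", 0)))
	ctx := context.WithValue(context.Background(), mdKey{}, md)
	_, err = chain(ctx, "request", func(ctx context.Context, _ any) (any, error) {
		handlerCalled = true
		identity, _ = CallerIdentityFrom(ctx)
		return identity, nil
	})
	return identity, handlerCalled, err
}

func main() {
	auth := NewStaticKeyAuthenticator(map[string]string{"constructed-key-1": "svc-billing"}) // constructed sample
	fmt.Println(Invoke(auth, MD{apiKeyHeader: {"constructed-key-1"}}))
	fmt.Println(Invoke(auth, MD{}))
}
```

The interceptor logs only the failure reason, never the presented key, and a repeated header is treated the same as a missing one so an ambiguous request cannot be authenticated by whichever value happens to be read first.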
