marktvogt.de/backend/internal/middleware/auth.go

package middleware

import (
	"strings"

	"github.com/gin-gonic/gin"

	"marktvogt.de/backend/internal/domain/auth"
	"marktvogt.de/backend/internal/pkg/apierror"
)

func RequireAuth(tokenSvc *auth.TokenService) gin.HandlerFunc {
	return func(c *gin.Context) {
		claims, ok := extractAndValidate(c, tokenSvc)
		if !ok {
			return
		}

		c.Set("user_id", claims.UserID)
		c.Set("user_email", claims.Email)
		c.Set("user_role", claims.Role)
		c.Next()
	}
}

func OptionalAuth(tokenSvc *auth.TokenService) gin.HandlerFunc {
	return func(c *gin.Context) {
		header := c.GetHeader("Authorization")
		if header == "" || !strings.HasPrefix(header, "Bearer ") {
			c.Next()
			return
		}

		claims, _ := extractAndValidate(c, tokenSvc)
		if claims != nil {
			c.Set("user_id", claims.UserID)
			c.Set("user_email", claims.Email)
			c.Set("user_role", claims.Role)
		}
		c.Next()
	}
}

func extractAndValidate(c *gin.Context, tokenSvc *auth.TokenService) (*auth.TokenClaims, bool) {
	header := c.GetHeader("Authorization")
	if header == "" || !strings.HasPrefix(header, "Bearer ") {
		apiErr := apierror.Unauthorized("missing or invalid authorization header")
		c.AbortWithStatusJSON(apiErr.Status, apierror.NewResponse(apiErr))
		return nil, false
	}

	tokenString := strings.TrimPrefix(header, "Bearer ")
	claims, err := tokenSvc.ValidateAccessToken(tokenString)
	if err != nil {
		apiErr := apierror.Unauthorized("invalid or expired token")
		c.AbortWithStatusJSON(apiErr.Status, apierror.NewResponse(apiErr))
		return nil, false
	}

	return claims, true
}