This changes the JWT creation/validation to use a server-wide secret
token instead of the user's private key. This allows the server to
validate a request as being on behalf of a user without needing a
database call.
It also adds three middleware functions:
ExtractUsername: Checks for an auth header and, if one is present,
decodes the username. It doesn't error if one doesn't exist. This allows
downstream handlers to see if a request is on behalf of an authenticated
user or not.
Authenticated: This checks for the username populated in
ExtractUsername and returns a 401 if it's not present. Use this to
require authentication on a handler.
WithUserModel: This will use the username populated in ExtractUsername
and, if present, populate the context with the model.User object. If one
is not present it does not throw an error, as inbox/outbox handlers do
their own auth checking.
Closes #1. Contains the backend portion of #34.
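What the described switch to a server-wide secret looks like in Go, as an added example; this is not the project's code. It assumes HS256 (HMAC-SHA256) JWTs with a "sub" claim carrying the username and an "exp" claim, and the secret, token names and the helper names (CreateToken, ValidateToken, Tamper) are constructed for the example. The point it adds beyond the description: validation needs nothing but the secret, so the "alg" header must be pinned rather than trusted, the signature must be checked before the payload is parsed, and the tag must be compared in constant time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Hypothetical server-wide HMAC secret, constructed for this example. A real
// server loads it from configuration at startup and never keeps it in source.
var serverSecret = []byte("constructed-example-secret-do-not-reuse")

var b64 = base64.RawURLEncoding

// The server mints exactly one header, so validation can pin it byte-for-byte
// instead of trusting whatever "alg" the presented token claims.
var jwtHeader = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))

type claims struct {
	Sub string `json:"sub"` // username
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

// hs256 is the HMAC-SHA256 tag over the signing input "header.payload".
func hs256(signingInput string) []byte {
	mac := hmac.New(sha256.New, serverSecret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// CreateToken mints a token for username that expires ttl after now.
func CreateToken(username string, ttl time.Duration, now time.Time) string {
	payload, _ := json.Marshal(claims{Sub: username, Exp: now.Add(ttl).Unix()})
	signingInput := jwtHeader + "." + b64.EncodeToString(payload)
	return signingInput + "." + b64.EncodeToString(hs256(signingInput))
}

// ValidateToken returns the username carried by tok if the header is the
// pinned one, the signature verifies under serverSecret and exp is still in
// the future. The signature is checked before the payload is parsed, and
// nothing here touches a database: the secret alone vouches for the user.
func ValidateToken(tok string, now time.Time) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || parts[0] != jwtHeader { // also rejects alg=none, RS256, ...
		return "", errors.New("malformed token or unsupported alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1])) {
		return "", errors.New("bad signature")
	}
	var c claims
	body, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil || c.Sub == "" {
		return "", errors.New("bad claims")
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	return c.Sub, nil
}

// Tamper swaps the claimed username inside tok without re-signing, which is
// what a client holding its own valid token would try in order to act as
// another user; the HMAC check must reject it.
func Tamper(tok, newUser string, exp int64) string {
	parts := strings.Split(tok, ".")
	payload, _ := json.Marshal(claims{Sub: newUser, Exp: exp})
	parts[1] = b64.EncodeToString(payload)
	return strings.Join(parts, ".")
}

func main() {
	now := time.Now()
	tok := CreateToken("alice", time.Hour, now)
	fmt.Println(ValidateToken(tok, now))                                           // alice <nil>
	fmt.Println(ValidateToken(Tamper(tok, "admin", now.Add(time.Hour).Unix()), now)) // "" bad signature
	fmt.Println(ValidateToken(tok, now.Add(2*time.Hour)))                          // "" token expired
}
```

Two caveats that come with the design the description adopts: a single server-wide secret means anyone who obtains it can mint a token for any user, so it deserves the same handling as a signing key, and because validation no longer consults the database there is no per-user revocation until the token expires, which argues for a short ttl.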
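The three middleware functions and the order they are meant to be chained in, as an added example in Go using net/http; this is not the project's code. Token validation and the database lookup are replaced by constructed in-memory maps, the User type stands in for model.User, and the context keys and the Serve helper are this example's own. It goes one step beyond the description by also covering the request whose token is valid but whose user row no longer exists, which is exactly the case WithUserModel is described as not erroring on.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// User stands in for the project's model.User (hypothetical shape).
type User struct{ Name, DisplayName string }

// Constructed stand-ins: tokens plays the role of JWT validation (token -> username),
// users the role of the database. "ghost" has a valid token but no user row.
var (
	tokens = map[string]string{"tok-alice": "alice", "tok-ghost": "ghost"}
	users  = map[string]*User{"alice": {Name: "alice", DisplayName: "Alice"}}
)

type ctxKey string

const usernameKey, userKey ctxKey = "username", "user"

// UsernameFrom returns what ExtractUsername stored, or "" for anonymous requests.
func UsernameFrom(ctx context.Context) string {
	name, _ := ctx.Value(usernameKey).(string)
	return name
}

// UserFrom returns what WithUserModel stored, or nil.
func UserFrom(ctx context.Context) *User {
	u, _ := ctx.Value(userKey).(*User)
	return u
}

// ExtractUsername lets requests with no Authorization header through as anonymous.
// A header that is present but invalid gets a 401 here rather than being
// silently downgraded to anonymous (this example's choice, not stated in the PR).
func ExtractUsername(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if auth := r.Header.Get("Authorization"); auth != "" {
			name, ok := tokens[strings.TrimPrefix(auth, "Bearer ")] // real server: validate the JWT here
			if !ok {
				http.Error(w, "invalid token", http.StatusUnauthorized)
				return
			}
			r = r.WithContext(context.WithValue(r.Context(), usernameKey, name))
		}
		next.ServeHTTP(w, r)
	})
}

// Authenticated returns 401 unless ExtractUsername stored a username.
func Authenticated(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if UsernameFrom(r.Context()) == "" {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// WithUserModel stores the User when the lookup succeeds and otherwise passes the
// request through unchanged, so handlers doing their own checks (inbox/outbox) still run.
func WithUserModel(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, ok := users[UsernameFrom(r.Context())]; ok {
			r = r.WithContext(context.WithValue(r.Context(), userKey, u))
		}
		next.ServeHTTP(w, r)
	})
}

// Serve runs one GET through ExtractUsername -> Authenticated -> WithUserModel and a
// handler that needs a loaded User; it returns the status code and trimmed body.
func Serve(authorization string) (int, string) {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u := UserFrom(r.Context())
		if u == nil { // valid token, but the account no longer exists
			http.Error(w, "no such user", http.StatusNotFound)
			return
		}
		fmt.Fprint(w, u.DisplayName)
	})
	req := httptest.NewRequest(http.MethodGet, "/me", nil)
	req.Header.Set("Authorization", authorization) // "" behaves like no header
	rec := httptest.NewRecorder()
	ExtractUsername(Authenticated(WithUserModel(handler))).ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	fmt.Println(Serve("Bearer tok-alice")) // 200 Alice
	fmt.Println(Serve(""))                 // 401 authentication required
	fmt.Println(Serve("Bearer forged"))    // 401 invalid token
	fmt.Println(Serve("Bearer tok-ghost")) // 404 no such user
}
```

Order matters: ExtractUsername must run first so that Authenticated and WithUserModel have a username to read, and a handler that relies on WithUserModel still has to check for a nil User, since a token can outlive the account it was issued to.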