Merge pull request #116 from Gaucho-Racing/bk1031/refactor-auth

Refactor auth service + add SkipAuthCheck for local dev

Author: BK1031

.github/workflows/auth.yml

@@ -0,0 +1,153 @@
+name: auth
+run-name: Triggered by ${{ github.event_name }} to ${{ github.ref }} by @${{ github.actor }}
+
+on:
+  push:
+    branches:
+      - "**"
+    tags:
+      - "**"
+
+jobs:
+  build:
+    runs-on: ${{ matrix.runner }}
+    name: Build ${{ matrix.platform }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-24.04
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate platform pair
+        id: platform
+        run: |
+          platform=${{ matrix.platform }}
+          echo "pair=${platform//\//-}" >> $GITHUB_OUTPUT
+
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v5
+        with:
+          context: auth
+          platforms: ${{ matrix.platform }}
+          outputs: type=image,name=ghcr.io/gaucho-racing/mapache/auth,push-by-digest=true,name-canonical=true,push=true
+          cache-from: type=gha,scope=build-${{ steps.platform.outputs.pair }}
+          cache-to: type=gha,scope=build-${{ steps.platform.outputs.pair }},mode=max
+
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ steps.platform.outputs.pair }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    name: Merge manifests
+    needs: build
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check if this commit has a release tag
+        id: release
+        run: |
+          tag=$(git tag --points-at HEAD | grep '^v' | head -n1)
+          if [ -n "$tag" ]; then
+            echo "Found tag: $tag"
+            if gh release view "$tag" --json tagName > /dev/null 2>&1; then
+              echo "release_tag=$tag" >> $GITHUB_OUTPUT
+              echo "is_release=true" >> $GITHUB_OUTPUT
+              exit 0
+            fi
+          fi
+          echo "is_release=false" >> $GITHUB_OUTPUT
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate tag list
+        id: tags
+        shell: bash
+        run: |
+          TAGS="type=sha"
+
+          if [ "${GITHUB_REF_TYPE}" = "branch" ] && [ "${GITHUB_REF_NAME}" = "main" ]; then
+            TAGS="${TAGS}\ntype=raw,value=latest"
+          fi
+
+          if [ "${{ steps.release.outputs.is_release }}" = "true" ]; then
+            CLEAN_TAG=$(echo "${{ steps.release.outputs.release_tag }}" | sed 's/^v//')
+            TAGS="${TAGS}\ntype=raw,value=${CLEAN_TAG}"
+          fi
+
+          echo -e "tags<<EOF\n$TAGS\nEOF" >> $GITHUB_OUTPUT
+
+      - name: Extract image metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/gaucho-racing/mapache/auth
+          tags: ${{ steps.tags.outputs.tags }}
+
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'ghcr.io/gaucho-racing/mapache/auth@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ghcr.io/gaucho-racing/mapache/auth:${{ steps.meta.outputs.version }}

.github/workflows/build.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.22.0"
+          go-version: "1.26.0"
       - name: Build Auth
         run: |
           cd auth

auth/.air.toml

@@ -0,0 +1,21 @@
+root = "."
+tmp_dir = "tmp"
+
+[build]
+  bin = "./tmp/main"
+  cmd = "go mod tidy && go build -o ./tmp/main ."
+  delay = 1000
+  exclude_dir = ["tmp", "vendor"]
+  exclude_regex = ["_test.go"]
+  include_ext = ["go", "toml"]
+  kill_delay = "0s"
+  send_interrupt = false
+  poll = true
+  poll_interval = 500
+  stop_on_error = true
+
+[log]
+  time = false
+
+[misc]
+  clean_on_exit = true

auth/.gitignore

@@ -1,4 +1,5 @@
 .env
+tmp/
 
 ### VisualStudioCode template
 .vscode/*

auth/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS builder
 
 RUN apk --no-cache add ca-certificates
 RUN apk add --no-cache tzdata
@@ -12,18 +12,18 @@ RUN go mod download
 COPY . ./
 ARG TARGETOS
 ARG TARGETARCH
-RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /auth
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /app
 
 ##
 ## Deploy
 ##
-FROM alpine:3.21
+FROM alpine:3.19
 
 WORKDIR /
 
-COPY --from=builder /auth /auth
+COPY --from=builder /app /app
 
 COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
 ENV TZ=America/Los_Angeles
 
-ENTRYPOINT ["/auth"]
+ENTRYPOINT ["/app"]

auth/Dockerfile.dev

@@ -0,0 +1,7 @@
+FROM golang:1.26-alpine
+
+RUN go install github.com/air-verse/air@latest
+
+WORKDIR /app/auth
+
+CMD ["air", "-c", ".air.toml"]

auth/Makefile

@@ -1,19 +1,29 @@
 package api
 
 import (
-	"auth/config"
-	"auth/service"
-	"auth/utils"
+	"fmt"
 	"net/http"
 	"strings"
 	"time"
 
+	"github.com/gaucho-racing/mapache/auth/config"
+	"github.com/gaucho-racing/mapache/auth/pkg/logger"
+	"github.com/gaucho-racing/mapache/auth/service"
 	"github.com/gin-contrib/cors"
 	"github.com/gin-gonic/gin"
 )
 
-func SetupRouter() *gin.Engine {
-	if config.Env == "PROD" {
+func Run() {
+	api := InitializeRouter()
+	InitializeRoutes(api)
+	err := api.Run(":" + config.Port)
+	if err != nil {
+		logger.SugarLogger.Fatalf("Failed to start server: %v", err)
+	}
+}
+
+func InitializeRouter() *gin.Engine {
+	if config.IsProduction() {
 		gin.SetMode(gin.ReleaseMode)
 	}
 	r := gin.Default()
@@ -30,7 +40,7 @@ func SetupRouter() *gin.Engine {
 }
 
 func InitializeRoutes(router *gin.Engine) {
-	router.GET("/auth/ping", Ping)
+	router.GET(fmt.Sprintf("/%s/ping", config.Service.Name), Ping)
 	router.POST("/auth/login", Login)
 	router.GET("/users", GetAllUsers)
 	router.GET("/users/@me", GetCurrentUser)
@@ -39,19 +49,27 @@ func InitializeRoutes(router *gin.Engine) {
 
 func AuthChecker() gin.HandlerFunc {
 	return func(c *gin.Context) {
+		if config.SkipAuthCheck {
+			c.Set("Auth-Token", "mock-token")
+			c.Set("Auth-UserID", "mock-user")
+			c.Set("Auth-Audience", "mock-audience")
+			c.Set("Auth-Scope", "openid profile email")
+			c.Next()
+			return
+		}
 		if c.GetHeader("Authorization") != "" {
 			authHeader := c.GetHeader("Authorization")
 			if strings.HasPrefix(authHeader, "Bearer ") {
 				claims, err := service.ValidateJWT(strings.Split(c.GetHeader("Authorization"), "Bearer ")[1])
 				if err != nil {
-					utils.SugarLogger.Errorln("Failed to validate token: " + err.Error())
+					logger.SugarLogger.Errorln("Failed to validate token: " + err.Error())
 					c.AbortWithStatusJSON(401, gin.H{"message": err.Error()})
 				} else {
-					utils.SugarLogger.Infof("Decoded token: %s", claims.Subject)
-					utils.SugarLogger.Infof("↳ Client ID: %s", claims.Audience[0])
-					utils.SugarLogger.Infof("↳ Scope: %s", claims.Scope)
-					utils.SugarLogger.Infof("↳ Issued at: %s", claims.IssuedAt.String())
-					utils.SugarLogger.Infof("↳ Expires at: %s", claims.ExpiresAt.String())
+					logger.SugarLogger.Infof("Decoded token: %s", claims.Subject)
+					logger.SugarLogger.Infof("↳ Client ID: %s", claims.Audience[0])
+					logger.SugarLogger.Infof("↳ Scope: %s", claims.Scope)
+					logger.SugarLogger.Infof("↳ Issued at: %s", claims.IssuedAt.String())
+					logger.SugarLogger.Infof("↳ Expires at: %s", claims.ExpiresAt.String())
 					c.Set("Auth-Token", strings.Split(c.GetHeader("Authorization"), "Bearer ")[1])
 					c.Set("Auth-UserID", claims.Subject)
 					c.Set("Auth-Audience", claims.Audience[0])
@@ -70,8 +88,7 @@ func UnauthorizedPanicHandler() gin.HandlerFunc {
 				if err == "Unauthorized" {
 					c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"message": "you are not authorized to access this resource"})
 				} else {
-					// Handle other panics
-					utils.SugarLogger.Errorf("Unexpected panic: %v", err)
+					logger.SugarLogger.Errorf("Unexpected panic: %v", err)
 					c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"message": err.(string)})
 				}
 			}
@@ -80,14 +97,12 @@ func UnauthorizedPanicHandler() gin.HandlerFunc {
 	}
 }
 
-// Require checks if a condition is true, otherwise aborts the request
 func Require(c *gin.Context, condition bool) {
 	if !condition {
 		panic("Unauthorized")
 	}
 }
 
-// Any checks if any condition is true, otherwise returns false
 func Any(conditions ...bool) bool {
 	for _, condition := range conditions {
 		if condition {
@@ -97,7 +112,6 @@ func Any(conditions ...bool) bool {
 	return false
 }
 
-// All checks if all conditions are true, otherwise returns false
 func All(conditions ...bool) bool {
 	for _, condition := range conditions {
 		if !condition {

auth/api/api.go

@@ -1,9 +1,9 @@
 package api
 
 import (
-	"auth/service"
 	"net/http"
 
+	"github.com/gaucho-racing/mapache/auth/service"
 	"github.com/gin-gonic/gin"
 )
 
@@ -19,4 +19,4 @@ func Login(c *gin.Context) {
 		return
 	}
 	c.JSON(http.StatusOK, token)
-}
+}

auth/api/auth.go

@@ -1,9 +1,9 @@
 package api
 
 import (
-	"auth/config"
 	"net/http"
 
+	"github.com/gaucho-racing/mapache/auth/config"
 	"github.com/gin-gonic/gin"
 )