1.0 KiB · text 5af55d9
defmodule GitGudWeb.Plugs.RunnerJwtAuth do
@moduledoc """
Verifies a `RunnerJwt` from the `Authorization: Bearer <token>`
header. On success, assigns:
* `:runner_jwt_claims` — the decoded claims map
* `:runner_job_id` — the job the token is scoped to
On failure, halts with 401 + a Twirp-style error body.
"""
@behaviour Plug
import Plug.Conn
alias GitGud.Workflows.RunnerJwt
@impl true
def init(opts), do: opts
@impl true
def call(conn, _opts) do
with [bearer | _] <- get_req_header(conn, "authorization"),
"Bearer " <> token <- bearer,
{:ok, claims} <- RunnerJwt.verify(token) do
conn
|> assign(:runner_jwt_claims, claims)
|> assign(:runner_job_id, claims["tid"])
|> assign(:runner_run_id, claims["rid"])
else
_ ->
body = Jason.encode!(%{"code" => "unauthenticated", "msg" => "missing or invalid token"})
conn
|> put_resp_content_type("application/json", nil)
|> send_resp(401, body)
|> halt()
end
end
end