niuniu/ai-customer-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: document authz trust boundary and annotate RequireRoles

Browse Source
This commit is contained in:
Your Name
2026-05-11 12:23:16 +08:00
parent 781deae0b9
commit 000c82747c
2 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
internal/http/middleware/authz.go
View File

@@ -39,6 +39,9 @@ func ActorFromContext(ctx context.Context) (Actor, bool) {
return actor, true
}
// RequireRoles enforces RBAC allow-listing. It does NOT authenticate the actor headers.
// SECURITY: This middleware trusts the upstream gateway to authenticate the actor headers.
// In production, an API Gateway or JWT middleware must run before this layer.
func RequireRoles(next http.Handler, allowedRoles ...string) http.Handler {
allowed := make(map[string]struct{}, len(allowedRoles))
for _, role := range allowedRoles {