Add full monorepo: virtual-banker, backend, frontend, docs, scripts, deployment

Co-authored-by: Cursor <cursoragent@cursor.com>

backend/api/middleware/auth.go

@@ -0,0 +1,123 @@
+package middleware
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/explorer/backend/auth"
+	"github.com/explorer/backend/featureflags"
+)
+
+// AuthMiddleware handles authentication and authorization
+type AuthMiddleware struct {
+	walletAuth *auth.WalletAuth
+}
+
+// NewAuthMiddleware creates a new auth middleware
+func NewAuthMiddleware(walletAuth *auth.WalletAuth) *AuthMiddleware {
+	return &AuthMiddleware{
+		walletAuth: walletAuth,
+	}
+}
+
+// RequireAuth is middleware that requires authentication
+func (m *AuthMiddleware) RequireAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		address, track, err := m.extractAuth(r)
+		if err != nil {
+			writeUnauthorized(w)
+			return
+		}
+
+		// Add user context
+		ctx := context.WithValue(r.Context(), "user_address", address)
+		ctx = context.WithValue(ctx, "user_track", track)
+		ctx = context.WithValue(ctx, "authenticated", true)
+
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+// RequireTrack is middleware that requires a specific track level
+func (m *AuthMiddleware) RequireTrack(requiredTrack int) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Extract track from context (set by RequireAuth or OptionalAuth)
+			track, ok := r.Context().Value("user_track").(int)
+			if !ok {
+				track = 1 // Default to Track 1 (public)
+			}
+
+			if !featureflags.HasAccess(track, requiredTrack) {
+				writeForbidden(w, requiredTrack)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// OptionalAuth is middleware that optionally authenticates (for Track 1 endpoints)
+func (m *AuthMiddleware) OptionalAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		address, track, err := m.extractAuth(r)
+		if err != nil {
+			// No auth provided, default to Track 1 (public)
+			ctx := context.WithValue(r.Context(), "user_address", "")
+			ctx = context.WithValue(ctx, "user_track", 1)
+			ctx = context.WithValue(ctx, "authenticated", false)
+			next.ServeHTTP(w, r.WithContext(ctx))
+			return
+		}
+
+		// Auth provided, add user context
+		ctx := context.WithValue(r.Context(), "user_address", address)
+		ctx = context.WithValue(ctx, "user_track", track)
+		ctx = context.WithValue(ctx, "authenticated", true)
+
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+// extractAuth extracts authentication information from request
+func (m *AuthMiddleware) extractAuth(r *http.Request) (string, int, error) {
+	// Get Authorization header
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		return "", 0, http.ErrMissingFile
+	}
+
+	// Check for Bearer token
+	parts := strings.Split(authHeader, " ")
+	if len(parts) != 2 || parts[0] != "Bearer" {
+		return "", 0, http.ErrMissingFile
+	}
+
+	token := parts[1]
+
+	// Validate JWT token
+	address, track, err := m.walletAuth.ValidateJWT(token)
+	if err != nil {
+		return "", 0, err
+	}
+
+	return address, track, nil
+}
+
+// writeUnauthorized writes a 401 Unauthorized response
+func writeUnauthorized(w http.ResponseWriter) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusUnauthorized)
+	w.Write([]byte(`{"error":{"code":"unauthorized","message":"Authentication required"}}`))
+}
+
+// writeForbidden writes a 403 Forbidden response
+func writeForbidden(w http.ResponseWriter, requiredTrack int) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusForbidden)
+	w.Write([]byte(`{"error":{"code":"forbidden","message":"Insufficient permissions","required_track":` + fmt.Sprintf("%d", requiredTrack) + `}}`))
+}
+