-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathmain.go
More file actions
118 lines (98 loc) · 3.15 KB
/
Copy pathmain.go
File metadata and controls
118 lines (98 loc) · 3.15 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
package main
import (
"context"
"fmt"
"log/slog"
"net/http"
"os"
"time"
"github.com/caarlos0/env/v11"
"github.com/gin-gonic/gin"
"github.com/nats-io/nkeys"
"github.com/hmchangw/chat/pkg/ginutil"
pkgoidc "github.com/hmchangw/chat/pkg/oidc"
"github.com/hmchangw/chat/pkg/shutdown"
)
type config struct {
Port string `env:"PORT" envDefault:"8080"`
DevMode bool `env:"DEV_MODE" envDefault:"false"`
AuthScopedSigningKey string `env:"AUTH_SCOPED_SIGNING_KEY,required"`
NATSJWTExpiry time.Duration `env:"NATS_JWT_EXPIRY" envDefault:"2h"`
NATSJWTExpiryJitter float64 `env:"NATS_JWT_EXPIRY_JITTER" envDefault:"0.1"`
// OIDC settings — required when DEV_MODE is false.
OIDCIssuerURL string `env:"OIDC_ISSUER_URL"`
OIDCAudiences []string `env:"OIDC_AUDIENCES" envSeparator:","`
TLSSkipVerify bool `env:"TLS_SKIP_VERIFY" envDefault:"false"`
}
func main() {
slog.SetDefault(slog.New(slog.NewJSONHandler(os.Stdout, nil)))
if err := run(); err != nil {
slog.Error("fatal error", "error", err)
os.Exit(1)
}
}
func run() error {
cfg, err := env.ParseAs[config]()
if err != nil {
return fmt.Errorf("parse config: %w", err)
}
signingKP, err := nkeys.FromSeed([]byte(cfg.AuthScopedSigningKey))
if err != nil {
return fmt.Errorf("parse signing key: %w", err)
}
ctx := context.Background()
opts := []Option{WithJitter(cfg.NATSJWTExpiryJitter)}
var handler *AuthHandler
if cfg.DevMode {
slog.Warn("dev mode enabled — OIDC validation disabled")
handler = NewAuthHandler(nil, signingKP, cfg.NATSJWTExpiry, true, opts...)
} else {
if cfg.OIDCIssuerURL == "" || len(cfg.OIDCAudiences) == 0 {
return fmt.Errorf("OIDC_ISSUER_URL and OIDC_AUDIENCES are required when DEV_MODE is false")
}
// Initialize OIDC validator — connects to issuer and fetches JWKS keys.
oidcValidator, err := pkgoidc.NewValidator(ctx, pkgoidc.Config{
IssuerURL: cfg.OIDCIssuerURL,
Audiences: cfg.OIDCAudiences,
TLSSkipVerify: cfg.TLSSkipVerify,
})
if err != nil {
return fmt.Errorf("create oidc validator: %w", err)
}
slog.Info("oidc validator initialized", "issuer", cfg.OIDCIssuerURL)
handler = NewAuthHandler(oidcValidator, signingKP, cfg.NATSJWTExpiry, false, opts...)
}
gin.SetMode(gin.ReleaseMode)
r := gin.New()
r.Use(gin.Recovery())
r.Use(ginutil.RequestID())
r.Use(ginutil.AccessLog())
r.Use(ginutil.CORS())
registerRoutes(r, handler)
addr := fmt.Sprintf(":%s", cfg.Port)
srv := &http.Server{
Addr: addr,
Handler: r,
ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second,
}
srvErr := make(chan error, 1)
go func() {
slog.Info("auth service starting", "addr", addr)
srvErr <- srv.ListenAndServe()
}()
shutdownDone := make(chan struct{})
go func() {
defer close(shutdownDone)
shutdown.Wait(ctx, 25*time.Second, func(ctx context.Context) error {
slog.Info("shutting down auth service")
return srv.Shutdown(ctx)
})
}()
err = <-srvErr
if err != nil && err != http.ErrServerClosed {
return fmt.Errorf("listen auth server: %w", err)
}
<-shutdownDone
return nil
}