feat: add internal service-to-service authentication middleware

2026-01-29 22:25:40 +08:00 · 2026-01-29 22:25:40 +08:00 · de5847d1f0
commit de5847d1f0
parent 983c1ef84a
1 changed files with 41 additions and 0 deletions
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"net/http"
+	"os"
 	"strings"

 	"github.com/gin-gonic/gin"
@ -62,6 +63,46 @@ func (s *TokenService) AuthMiddleware() gin.HandlerFunc {
 	}
 }

+// InternalAuthMiddleware validates internal service-to-service authentication
+// using a shared token from the X-Service-Token header
+func InternalAuthMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		serviceToken := c.GetHeader("X-Service-Token")
+		if serviceToken == "" {
+			c.JSON(http.StatusUnauthorized, gin.H{
+				"error": "missing service token",
+			})
+			c.Abort()
+			return
+		}
+
+		expectedToken := os.Getenv("INTERNAL_SERVICE_TOKEN")
+		if expectedToken == "" {
+			c.JSON(http.StatusInternalServerError, gin.H{
+				"error": "internal service token not configured",
+			})
+			c.Abort()
+			return
+		}
+
+		if serviceToken != expectedToken {
+			c.JSON(http.StatusUnauthorized, gin.H{
+				"error": "invalid service token",
+			})
+			c.Abort()
+			return
+		}
+
+		// Set internal service context
+		ctx := context.WithValue(c.Request.Context(), userIDKey, "system")
+		ctx = context.WithValue(ctx, emailKey, "internal@system.service")
+		ctx = context.WithValue(ctx, rolesKey, []string{"internal_service"})
+		c.Request = c.Request.WithContext(ctx)
+
+		c.Next()
+	}
+}
+
 // RequireMFA is a middleware that requires MFA verification
 func RequireMFA() gin.HandlerFunc {
 	return func(c *gin.Context) {