Phase 0 scaffold: arcadia-cloud Phoenix service
API-only Phoenix 1.8 project for cloud-ops, inventory, billing, and provisioning sagas. Validates arcadia JWTs via shared Guardian secret (verify-only; arcadia-app remains the issuer). Deps beyond default Phoenix: guardian, cors_plug, oban, req. Postgres on local port 5433 per arcadia stack convention. Endpoint runs on :4005. Endpoints: - GET /api/health — public, returns service identifier - GET /api/v1/inventory — auth-gated, returns empty list (phase 0 stub) Oban configured with the queues phase 1+ will need: provisioning / cloud_sync_fast|full|slow / cloud_billing / metering. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
34
lib/arcadia_cloud_web/plugs/require_auth.ex
Normal file
34
lib/arcadia_cloud_web/plugs/require_auth.ex
Normal file
@@ -0,0 +1,34 @@
|
||||
defmodule ArcadiaCloudWeb.Plugs.RequireAuth do
|
||||
@moduledoc """
|
||||
Validates a Bearer JWT issued by arcadia-app and assigns the resulting
|
||||
identity + raw claims onto the conn. Halts with 401 on any failure.
|
||||
|
||||
Downstream controllers read `conn.assigns.current_identity` and, if
|
||||
needed, `conn.assigns.current_claims`.
|
||||
"""
|
||||
|
||||
import Plug.Conn
|
||||
|
||||
alias ArcadiaCloud.Guardian
|
||||
|
||||
def init(opts), do: opts
|
||||
|
||||
def call(conn, _opts) do
|
||||
with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
|
||||
{:ok, claims} <- Guardian.decode_and_verify(token),
|
||||
{:ok, identity} <- Guardian.resource_from_claims(claims) do
|
||||
conn
|
||||
|> assign(:current_identity, identity)
|
||||
|> assign(:current_claims, claims)
|
||||
else
|
||||
_ -> unauthorized(conn)
|
||||
end
|
||||
end
|
||||
|
||||
defp unauthorized(conn) do
|
||||
conn
|
||||
|> put_resp_content_type("application/json")
|
||||
|> send_resp(401, Jason.encode!(%{error: "unauthorized"}))
|
||||
|> halt()
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user