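defmodule ArcadiaCloudWeb.Plugs.RequireAuth do
  @moduledoc """
  Validates a Bearer JWT issued by arcadia-app and assigns the resulting
  identity + raw claims onto the conn. Halts with 401 on any failure.

  Downstream controllers read `conn.assigns.current_identity` and, if needed,
  `conn.assigns.current_claims`.

  ## Failure behaviour

  The plug fails closed: a missing header, a malformed header, a token that
  does not verify, or claims that do not resolve to an identity all produce
  the same `401` JSON body (`{"error":"unauthorized"}`), so the response does
  not reveal which step rejected the request. The response carries a
  `WWW-Authenticate: Bearer` challenge.
  """

  @behaviour Plug

  import Plug.Conn

  alias ArcadiaCloud.Guardian

  @doc """
  Returns the options unchanged; this plug takes no configuration.
  """
  @impl true
  @spec init(Plug.opts()) :: Plug.opts()
  def init(opts), do: opts

  @doc """
  Authenticates the request from its `Authorization` header.

  On success returns the conn with `:current_identity` and `:current_claims`
  assigned. On any failure returns a halted conn with a 401 response already
  sent.
  """
  @impl true
  @spec call(Plug.Conn.t(), Plug.opts()) :: Plug.Conn.t()
  def call(conn, _opts) do
    # The single-element list pattern accepts exactly one Authorization header
    # value; zero or several values fall through to the 401 branch. The scheme
    # match is literal, so only the exact prefix "Bearer " is accepted.
    #
    # NOTE(review): decode_and_verify/1 is called without claims_to_check, so
    # nothing here pins the token type (for example %{"typ" => "access"}) or the
    # expected issuer/audience. Confirm those are enforced in
    # ArcadiaCloud.Guardian or its configuration; otherwise any token that
    # verifies under the same key would be accepted by this plug.
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, claims} <- Guardian.decode_and_verify(token),
         {:ok, identity} <- Guardian.resource_from_claims(claims) do
      conn
      |> assign(:current_identity, identity)
      |> assign(:current_claims, claims)
    else
      # Every non-matching result is collapsed into one generic 401 so the
      # caller learns nothing about why verification failed.
      _ -> unauthorized(conn)
    end
  end

  # Sends the generic 401 JSON response and halts the pipeline so that no
  # downstream plug or controller runs for an unauthenticated request.
  defp unauthorized(conn) do
    conn
    # A 401 is expected to carry a challenge naming the accepted scheme
    # (RFC 7235 section 3.1); no error detail is attached to it.
    |> put_resp_header("www-authenticate", "Bearer")
    |> put_resp_content_type("application/json")
    |> send_resp(401, Jason.encode!(%{error: "unauthorized"}))
    |> halt()
  end
end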