The Phoenix auth/identity/tenancy backend repo is being renamed arcadia-app → arcadia-core (its primary OTP app is already arcadia_core). Updates prose, doc paths, and git.sky-ai.com repo URLs. Deliberately leaves the Rust crate arcadia-app-client and host arcadia-app.internal (handled separately), and the kept namespace (issuer/release "arcadia"). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
35 lines
960 B
Elixir
defmodule ArcadiaCloudWeb.Plugs.RequireAuth do
  @moduledoc """
  Validates a Bearer JWT issued by arcadia-core and assigns the resulting
  identity + raw claims onto the conn. Halts with 401 on any failure.

  Downstream controllers read `conn.assigns.current_identity` and, if
  needed, `conn.assigns.current_claims`.
  """

  import Plug.Conn

  alias ArcadiaCloud.Guardian

  def init(opts), do: opts

  def call(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, claims} <- Guardian.decode_and_verify(token),
         {:ok, identity} <- Guardian.resource_from_claims(claims) do
      conn
      |> assign(:current_identity, identity)
      |> assign(:current_claims, claims)
    else
      _ -> unauthorized(conn)
    end
  end

  defp unauthorized(conn) do
    conn
    |> put_resp_content_type("application/json")
    |> send_resp(401, Jason.encode!(%{error: "unauthorized"}))
    |> halt()
  end
end
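The first `with` clause only accepts exactly one `authorization` header whose value starts with the case-sensitive prefix `"Bearer "`. The ExUnit module below is an added example, not code from this repository, that pins that fail-closed behaviour for header shapes rejected before Guardian is ever called. The test module name, its file path, and the header values are assumptions constructed for illustration; it is meant to run inside this project's test suite with `mix test`.

```elixir
# Added example, not part of the repository.
# Assumed (hypothetical) location: test/arcadia_cloud_web/plugs/require_auth_test.exs
defmodule ArcadiaCloudWeb.Plugs.RequireAuthTest do
  use ExUnit.Case, async: true

  import Plug.Test, only: [conn: 2]
  import Plug.Conn, only: [get_resp_header: 2]

  alias ArcadiaCloudWeb.Plugs.RequireAuth

  # Constructed header lists. None matches ["Bearer " <> token], so each is
  # rejected by the first `with` clause, before Guardian is called.
  @rejected [
    {"no Authorization header", []},
    {"Basic scheme", [{"authorization", "Basic dXNlcjpwYXNz"}]},
    {"lowercase scheme", [{"authorization", "bearer constructed.token.value"}]},
    {"scheme without token", [{"authorization", "Bearer"}]},
    {"two Authorization headers",
     [
       {"authorization", "Bearer first.token.value"},
       {"authorization", "Bearer second.token.value"}
     ]}
  ]

  for {label, headers} <- @rejected do
    test "401 and halt: #{label}" do
      conn =
        %{conn(:get, "/") | req_headers: unquote(headers)}
        |> RequireAuth.call(RequireAuth.init([]))

      # The pipeline must stop here with the plug's JSON 401 body.
      assert conn.halted
      assert conn.status == 401
      assert Jason.decode!(conn.resp_body) == %{"error" => "unauthorized"}
      assert ["application/json" <> _] = get_resp_header(conn, "content-type")

      # Nothing identity-related may leak onto a rejected conn.
      refute Map.has_key?(conn.assigns, :current_identity)
      refute Map.has_key?(conn.assigns, :current_claims)
    end
  end
end
```

Clients that send `bearer` in lowercase receive 401 from this plug, so the lowercase case doubles as a regression guard if the match is ever loosened.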