Implement JWT authentication and app passkey support

- Add JWT token generation and validation
- Implement bcrypt password hashing
- Create auth service with register/login/refresh/logout
- Add app passkey generation and management
- Implement protected routes and auth middleware
- Add comprehensive tests for new functionality

internal/middleware/auth.go

@@ -0,0 +1,52 @@
+package middleware
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/dhao2001/mygo/internal/api"
+	"github.com/dhao2001/mygo/internal/auth"
+)
+
+const userIDKey = "user_id"
+
+// AuthRequired returns a Gin middleware that validates JWT access tokens.
+// On success, it injects the user ID into the context via c.Get("user_id").
+func AuthRequired(jwtSecret []byte) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		header := c.GetHeader("Authorization")
+		if header == "" {
+			api.Error(c, http.StatusUnauthorized, "missing authorization header")
+			c.Abort()
+			return
+		}
+
+		parts := strings.SplitN(header, " ", 2)
+		if len(parts) != 2 || !strings.EqualFold(parts[0], "bearer") {
+			api.Error(c, http.StatusUnauthorized, "invalid authorization header format")
+			c.Abort()
+			return
+		}
+
+		claims, err := auth.ParseToken(parts[1], jwtSecret)
+		if err != nil {
+			api.Error(c, http.StatusUnauthorized, "invalid or expired token")
+			c.Abort()
+			return
+		}
+
+		c.Set(userIDKey, claims.UserID)
+		c.Next()
+	}
+}
+
+// GetUserID extracts the user ID injected by AuthRequired.
+func GetUserID(c *gin.Context) string {
+	v, _ := c.Get(userIDKey)
+	if v == nil {
+		return ""
+	}
+	return v.(string)
+}

internal/middleware/auth_test.go

@@ -0,0 +1,139 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/dhao2001/mygo/internal/auth"
+)
+
+func setupTestRouter(secret []byte) *gin.Engine {
+	gin.SetMode(gin.TestMode)
+	r := gin.New()
+	r.Use(AuthRequired(secret))
+	r.GET("/protected", func(c *gin.Context) {
+		c.JSON(http.StatusOK, gin.H{"user_id": GetUserID(c)})
+	})
+	return r
+}
+
+func TestAuthRequiredNoHeader(t *testing.T) {
+	r := setupTestRouter([]byte("test-secret"))
+
+	req := httptest.NewRequest(http.MethodGet, "/protected", nil)
+	rec := httptest.NewRecorder()
+	r.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Errorf("status = %d, want %d", rec.Code, http.StatusUnauthorized)
+	}
+}
+
+func TestAuthRequiredInvalidFormat(t *testing.T) {
+	r := setupTestRouter([]byte("test-secret"))
+
+	req := httptest.NewRequest(http.MethodGet, "/protected", nil)
+	req.Header.Set("Authorization", "invalid")
+	rec := httptest.NewRecorder()
+	r.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Errorf("status = %d, want %d", rec.Code, http.StatusUnauthorized)
+	}
+}
+
+func TestAuthRequiredNotBearer(t *testing.T) {
+	r := setupTestRouter([]byte("test-secret"))
+
+	req := httptest.NewRequest(http.MethodGet, "/protected", nil)
+	req.Header.Set("Authorization", "Basic dXNlcjpwYXNz")
+	rec := httptest.NewRecorder()
+	r.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Errorf("status = %d, want %d", rec.Code, http.StatusUnauthorized)
+	}
+}
+
+func TestAuthRequiredExpiredToken(t *testing.T) {
+	secret := []byte("test-secret")
+	token, err := auth.GenerateAccessToken("user-1", secret, -1*time.Minute)
+	if err != nil {
+		t.Fatalf("GenerateAccessToken = %v", err)
+	}
+
+	r := setupTestRouter(secret)
+	req := httptest.NewRequest(http.MethodGet, "/protected", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	rec := httptest.NewRecorder()
+	r.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Errorf("status = %d, want %d", rec.Code, http.StatusUnauthorized)
+	}
+}
+
+func TestAuthRequiredValidToken(t *testing.T) {
+	secret := []byte("test-secret")
+	token, err := auth.GenerateAccessToken("user-1", secret, 15*time.Minute)
+	if err != nil {
+		t.Fatalf("GenerateAccessToken = %v", err)
+	}
+
+	r := setupTestRouter(secret)
+	req := httptest.NewRequest(http.MethodGet, "/protected", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	rec := httptest.NewRecorder()
+	r.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", rec.Code, http.StatusOK)
+	}
+}
+
+func TestGetUserID(t *testing.T) {
+	secret := []byte("test-secret")
+	token, err := auth.GenerateAccessToken("alice-42", secret, 15*time.Minute)
+	if err != nil {
+		t.Fatalf("GenerateAccessToken = %v", err)
+	}
+
+	r := setupTestRouter(secret)
+	req := httptest.NewRequest(http.MethodGet, "/protected", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	rec := httptest.NewRecorder()
+	r.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status = %d", rec.Code)
+	}
+
+	body := rec.Body.String()
+	if !strings.Contains(body, "alice-42") {
+		t.Errorf("response body %q does not contain user id", body)
+	}
+}
+
+func TestAuthRequiredWrongSecret(t *testing.T) {
+	secret := []byte("test-secret")
+	token, err := auth.GenerateAccessToken("user-1", secret, 15*time.Minute)
+	if err != nil {
+		t.Fatalf("GenerateAccessToken = %v", err)
+	}
+
+	// Use a different secret for the middleware
+	r := setupTestRouter([]byte("different-secret"))
+	req := httptest.NewRequest(http.MethodGet, "/protected", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	rec := httptest.NewRecorder()
+	r.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Errorf("status = %d, want %d", rec.Code, http.StatusUnauthorized)
+	}
+}