watch-party/backend/internal/http/middleware.go

package httpapi

import (
	"net/http"
	"strings"

	"watch-party-backend/internal/auth"

	"github.com/gin-gonic/gin"
)

// AuthMiddleware validates Bearer tokens with the provided verifier.
func AuthMiddleware(verifier auth.TokenVerifier) gin.HandlerFunc {
	return func(c *gin.Context) {
		header := c.GetHeader("Authorization")
		if header == "" || !strings.HasPrefix(header, "Bearer ") {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing or invalid authorization header"})
			return
		}
		raw := strings.TrimSpace(strings.TrimPrefix(header, "Bearer"))
		if raw == "" {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing token"})
			return
		}
		token, err := verifier.Verify(c.Request.Context(), raw)
		if err != nil {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
			return
		}
		c.Set("firebaseToken", token)
		c.Next()
	}
}