Conversation
## [2.8.0-beta.5](v2.8.0-beta.4...v2.8.0-beta.5) (2026-05-18)
Backmerge of post-hotfix Narvi changes from main into develop. CHANGELOG.md conflict resolved by keeping both main releases and develop beta entries. Requested-by: @qnen
chore: backmerge main → develop
## [2.8.2-beta.1](v2.8.1...v2.8.2-beta.1) (2026-06-17)
checkAuthorization now takes the product owning the route and derives the subject internally: M2M tokens map to the product's editor role, while normal users are identified by their JWT (owner/userId). The product is forwarded as "product" for normal-user tokens only, so the auth service can isolate permissions by product. Empty product preserves the previous behavior, enabling incremental adoption. X-Lerian-Ref: 0x1
feat(middleware): forward product on user-flow authorization
## [2.9.0-beta.1](v2.8.2-beta.1...v2.9.0-beta.1) (2026-06-23)
### Features
* **middleware:** forward product on user-flow authorization ([e597ae2](e597ae2))
No actionable comments were generated in the recent review. 🎉
📝 Walkthrough
The middleware authorization path now accepts a product.
Changes: Authorization product forwarding
Sequence Diagram
```mermaid
sequenceDiagram
    participant AuthClient.Authorize
    participant checkAuthorization
    participant auth service
    AuthClient.Authorize->>checkAuthorization: product, resource, action
    checkAuthorization->>auth service: subject and optional product
    auth service-->>checkAuthorization: authorization result
    checkAuthorization-->>AuthClient.Authorize: handler outcome
```
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@auth/middleware/middleware_test.go`:
- Around line 104-116: Add regression coverage in
auth/middleware/middleware_test.go for the edge cases around checkAuthorization:
extend the existing test setup around auth.checkAuthorization to assert that an
empty product preserves the prior request behavior, and add a normal-user token
case that verifies tokens missing the JWT sub are rejected. Use the existing
checkAuthorization test helpers and capturedBody assertions so the new cases are
pinned to the auth contract without relying on line numbers.
In `@auth/middleware/middleware.go`:
- Around line 264-267: The new product parameter in
AuthClient.checkAuthorization must not be fed by the old sub resolver on the
gRPC path without updating middlewareGRPC.go. Update middlewareGRPC.go so the
second argument passed into checkAuthorization is an actual product identifier
(or empty when intended), and keep cfg.SubResolver only for subject derivation
where needed. Ensure the gRPC call sites around AuthClient.checkAuthorization
and the M2M role-building logic still preserve the empty-product fallback
instead of producing admin/-editor-role.
- Around line 319-320: The normal-user JWT handling in the middleware is
currently accepting a missing or non-string `sub` claim and still building a
shared principal with an empty user segment. Update the logic around the
`claims["sub"]` parsing in the middleware path that sets `sub` so it validates
the claim is present and a string, and reject the request if it is not. Ensure
the existing owner-based subject construction only happens after a valid `sub`
has been confirmed, so malformed tokens fail closed instead of being forwarded.
In `@CHANGELOG.md`:
- Around line 1-6: Mark the AuthClient.Authorize signature change as breaking in
the changelog entry: update the release notes around the middleware feature so
it is categorized as a breaking change, and mention that product now replaces
sub in the Authorize API. Use the Authorize and AuthClient symbols to locate the
affected release note and ensure downstream Fiber integrations are warned about
the source-level update.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 6cb355d5-4b19-4bd5-83ed-2bf791ef3a1b
📒 Files selected for processing (3)
- CHANGELOG.md
- auth/middleware/middleware.go
- auth/middleware/middleware_test.go
The shared checkAuthorization parameter was renamed sub->product in the user-flow product-isolation work, but the gRPC unary/stream interceptors still named their local "sub" while passing it into the product slot. Rename the local to product and clarify PolicyConfig/SubResolver docs so the resolved value's role is explicit: it is the product identifier (e.g. "midaz") that becomes the M2M subject "admin/<product>-editor-role" and the normal-user isolation key. No behavior change — the same value is forwarded; verified against a real M2M call (admin/<product>-editor-role emitted identically to v2.8.0). X-Lerian-Ref: 0x1
A normal-user token missing the "sub" claim previously produced the subject "<owner>/" and was sent to the auth service as a degenerate, identity-less principal. Reject it with 401 (mirroring the existing missing-owner guard) so malformed tokens fail closed. Also pin two auth-contract edges flagged in review: - normal-user without "sub" is rejected; - an empty product preserves prior behavior (subject unchanged, no product forwarded) — the gate-by-presence contract. X-Lerian-Ref: 0x1
refactor(grpc): name product arg consistently in policy interceptors
## [2.9.0-beta.2](v2.9.0-beta.1...v2.9.0-beta.2) (2026-06-25)
### Bug Fixes
* **middleware:** fail closed when normal-user JWT has no sub claim ([bce4655](bce4655))
🎉 This PR is included in version 2.9.0-beta.2 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
auth/middleware/middlewareGRPC.go (1)
29-39: 🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift
Expose a ProductResolver instead of reinterpreting SubResolver.
The field name still advertises subject resolution while the contract now requires a product identifier. Existing callers can keep compiling while returning legacy subject values, silently defeating product isolation; consider adding ProductResolver and keeping SubResolver only as a deprecated fallback.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@auth/middleware/middlewareGRPC.go` around lines 29 - 39, rename the gRPC policy hook in PolicyConfig to make the contract explicit: add a ProductResolver field that returns the product identifier used by checkAuthorization, and keep SubResolver only as a deprecated fallback for existing callers. Update the middleware logic in middlewareGRPC.go to prefer ProductResolver when resolving the product argument, and only use SubResolver when ProductResolver is unset so legacy code still compiles without silently bypassing product isolation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@auth/middleware/middleware_test.go`:
- Around line 201-224: The check in AuthClient.checkAuthorization is only
asserting the 401 response, but not that missing-sub normal-user tokens are
never forwarded to the auth backend. Update the test around checkAuthorization
to also verify mockAuthServer is not called for this case (for example by using
the mock’s request count or a request assertion), so the fail-closed behavior is
pinned along with the Unauthorized result.
---
Outside diff comments:
In `@auth/middleware/middlewareGRPC.go`:
- Around line 29-39: Rename the gRPC policy hook in PolicyConfig to make the
contract explicit: add a ProductResolver field that returns the product
identifier used by checkAuthorization, and keep SubResolver only as a deprecated
fallback for existing callers. Update the middleware logic in middlewareGRPC.go
to prefer ProductResolver when resolving the product argument, and only use
SubResolver when ProductResolver is unset so legacy code still compiles without
silently bypassing product isolation.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 2d28cf78-3200-4f09-bea8-307f3c528dc9
📒 Files selected for processing (4)
- CHANGELOG.md
- auth/middleware/middleware.go
- auth/middleware/middlewareGRPC.go
- auth/middleware/middleware_test.go
… complexity The fail-closed sub guard pushed checkAuthorization to gocyclo 17 (> 16). Extract the subject-derivation branch (M2M role vs normal-user identity, with the owner/sub guards) into deriveSubject, bringing checkAuthorization back to 15. No behavior change. X-Lerian-Ref: 0x1
…ckend TestCheckAuthorization_MissingSubClaim asserted the 401 result but not the fail-closed guarantee. Replace the permissive mock with a handler that fails the test if hit, proving a missing-sub normal-user token is rejected before any request to the auth service. X-Lerian-Ref: 0x1
refactor(middleware): cut checkAuthorization cyclomatic complexity
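The commit messages above describe the subject-derivation contract in three pieces: the route's product drives M2M tokens to an editor role and is forwarded for normal users only (feat commit), a normal-user token without a `sub` claim is rejected before anything reaches the auth service (fail-closed fix), and the regression test must prove the backend is never hit. The following is an added example written for this thread, not lib-auth's own code: the function names (`DeriveSubject`, `AuthorizeBody`, `CheckAuthorization`), the claim keys `owner`/`sub`, the JSON field names and the sample claims are all assumptions. The page does not show what the library's legacy fallback for an M2M token with an empty product is, so this example fails closed there instead of guessing.

```go
// Added example (not lib-auth code). Names, claim keys and sample values are
// assumptions chosen for illustration.
package main

import (
	"errors"
	"fmt"
)

// Principal is what the middleware hands to the auth service.
type Principal struct {
	Subject string
	Product string // non-empty only for normal-user tokens on a product route
}

var (
	ErrMissingOwner   = errors.New("normal-user token: missing owner claim")
	ErrMissingSub     = errors.New("normal-user token: missing or non-string sub claim")
	ErrMissingProduct = errors.New("m2m token: product is required (this example's policy)")
)

// DeriveSubject derives the principal from the route's product and the token.
func DeriveSubject(product string, isM2M bool, claims map[string]any) (Principal, error) {
	if isM2M {
		// M2M tokens map to the product's editor role. An empty product must
		// never yield "admin/-editor-role"; the library's legacy fallback is not
		// on the page, so this example rejects instead (assumption).
		if product == "" {
			return Principal{}, ErrMissingProduct
		}
		return Principal{Subject: "admin/" + product + "-editor-role"}, nil
	}
	owner, ok := claims["owner"].(string)
	if !ok || owner == "" {
		return Principal{}, ErrMissingOwner
	}
	sub, ok := claims["sub"].(string)
	if !ok || sub == "" {
		// Fail closed: never build the degenerate "<owner>/" principal.
		return Principal{}, ErrMissingSub
	}
	// Gate-by-presence: an empty product leaves the old request shape intact.
	return Principal{Subject: owner + "/" + sub, Product: product}, nil
}

// AuthorizeBody builds the request body; "product" is present only when set.
func AuthorizeBody(p Principal, resource, action string) map[string]string {
	body := map[string]string{"subject": p.Subject, "resource": resource, "action": action}
	if p.Product != "" {
		body["product"] = p.Product
	}
	return body
}

// AuthService stands in for the HTTP call to the auth service.
type AuthService func(body map[string]string) (bool, error)

// CheckAuthorization derives the subject first and calls the service only on
// success, so a malformed token never produces an outbound request.
func CheckAuthorization(product string, isM2M bool, claims map[string]any,
	resource, action string, svc AuthService) (bool, error) {
	p, err := DeriveSubject(product, isM2M, claims)
	if err != nil {
		return false, err
	}
	return svc(AuthorizeBody(p, resource, action))
}

func main() {
	// Constructed sample claims.
	good := map[string]any{"owner": "acme", "sub": "u-42"}
	allow := func(body map[string]string) (bool, error) {
		fmt.Println("auth service called with", body)
		return true, nil
	}
	ok, err := CheckAuthorization("midaz", false, good, "ledger", "read", allow)
	fmt.Println("normal user:", ok, err)

	// Missing sub: the service handler must not run at all.
	neverHit := func(map[string]string) (bool, error) {
		panic("auth service must not be reached for a malformed token")
	}
	_, err = CheckAuthorization("midaz", false, map[string]any{"owner": "acme"}, "ledger", "read", neverHit)
	fmt.Println("missing sub:", err)
}
```

The `neverHit` handler is the same idea as the review's request for the test: instead of a permissive mock that merely records a 401, the mock fails the run if it is reached, which pins "rejected before any request" rather than only "rejected".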
## [2.9.0-beta.3](v2.9.0-beta.2...v2.9.0-beta.3) (2026-06-25)
🎉 This PR is included in version 2.9.0-beta.3 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
🎉 This PR is included in version 2.9.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Pull Request Type
Summary
Promotes develop → main to cut the stable v2.9.0 release.

The substantive change is the user-flow product-isolation fix (already validated as v2.9.0-beta.1): the authorization middleware now forwards the product to plugin-access-manager on user-flow requests, instead of discarding it. This lets the access manager isolate permissions by product and close the cross-product authorization gap (e.g. a pix permission authorizing midaz routes via resource-name collision).

What's included (main..develop)
- feat(middleware): forward product on user-flow authorization (#114) — the only functional change
- Release and backmerge commits (2.9.0-beta.1, 2.8.2-beta.1, 2.8.0-beta.5, main → develop backmerge) — no behavior change

On merge, semantic-release analyzes the feat: commit → minor bump → v2.9.0 stable (no BREAKING CHANGE, so it stays minor), generates the changelog/GitHub release, and backmerges main → develop.

Compatibility
Backward compatible in both deploy orderings:
- The product field is decoded via Fiber's BodyParser (no DisallowUnknownFields, no strict validator on /v1/authorize), so an access manager without the isolation fix silently ignores it → legacy behavior, no breakage.
- No product sent → access manager falls back to the legacy path.
Isolation only takes effect once both lib-auth ≥ v2.9.0 and the access manager (with the isolation fix) are deployed.
Checklist
Notes
Release promotion PR — intentionally targets main (not develop).
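The compatibility argument in the summary rests on one decoding property: a lenient JSON decoder ignores an unknown `product` field, and a new decoder reading an old body sees an empty product. The block below is an added example for this thread, not plugin-access-manager or lib-auth code; the request struct names and the sample bodies are constructed assumptions. It checks both deploy orderings with encoding/json, and also shows what a `DisallowUnknownFields` decoder would do, which is the failure the summary says cannot happen on /v1/authorize.

```go
// Added example (not project code). Struct names and sample bodies are
// constructed for illustration.
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// LegacyAuthorizeRequest models an access manager without the isolation fix.
type LegacyAuthorizeRequest struct {
	Subject  string `json:"subject"`
	Resource string `json:"resource"`
	Action   string `json:"action"`
}

// AuthorizeRequest models an access manager with the isolation fix.
type AuthorizeRequest struct {
	LegacyAuthorizeRequest
	Product string `json:"product,omitempty"`
}

// Constructed sample bodies: one from lib-auth >= v2.9.0, one from before.
var (
	NewBody = []byte(`{"subject":"acme/u-42","resource":"ledger","action":"read","product":"midaz"}`)
	OldBody = []byte(`{"subject":"acme/u-42","resource":"ledger","action":"read"}`)
)

// DecodeLegacy is the lenient decode an unfixed access manager performs:
// the unknown "product" field is dropped, nothing fails.
func DecodeLegacy(body []byte) (LegacyAuthorizeRequest, error) {
	var r LegacyAuthorizeRequest
	err := json.Unmarshal(body, &r)
	return r, err
}

// DecodeNew decodes with the fixed struct; an old body leaves Product empty,
// which is the signal for the legacy (non-isolated) path.
func DecodeNew(body []byte) (AuthorizeRequest, error) {
	var r AuthorizeRequest
	err := json.Unmarshal(body, &r)
	return r, err
}

// DecodeLegacyStrict is the decoder that WOULD break the rollout: with
// DisallowUnknownFields the new field is an error rather than noise.
func DecodeLegacyStrict(body []byte) (LegacyAuthorizeRequest, error) {
	var r LegacyAuthorizeRequest
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	err := dec.Decode(&r)
	return r, err
}

// Isolated reports whether the fixed access manager would apply per-product
// isolation for this request (only when a product was actually sent).
func Isolated(r AuthorizeRequest) bool { return r.Product != "" }

func main() {
	l, err := DecodeLegacy(NewBody)
	fmt.Println("old manager, new body:", l, err)
	n, err := DecodeNew(OldBody)
	fmt.Println("new manager, old body: isolated =", Isolated(n), err)
	n, err = DecodeNew(NewBody)
	fmt.Println("new manager, new body: isolated =", Isolated(n), err)
	_, err = DecodeLegacyStrict(NewBody)
	fmt.Println("strict decoder would have failed with:", err)
}
```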