Skip to content

refactor(middleware): cut checkAuthorization cyclomatic complexity#117

Merged
rodrigodh merged 2 commits into
developfrom
fix/checkauth-cyclomatic
Jun 25, 2026
Merged

refactor(middleware): cut checkAuthorization cyclomatic complexity#117
rodrigodh merged 2 commits into
developfrom
fix/checkauth-cyclomatic

Conversation

@rodrigodh

Copy link
Copy Markdown
Contributor

Pull Request Type

  • Refactor

Summary

CI lint (gocyclo via reviewdog) flagged (*AuthClient).checkAuthorization at cyclomatic complexity 17 (> 16) after the fail-closed sub guard landed in #116.

This extracts the subject-derivation branch (M2M editor-role vs normal-user identity, including the owner/sub fail-closed guards) into a new helper deriveSubject, bringing checkAuthorization back to 15.

Why a separate PR

#116 was already merged into develop (and v2.9.0-beta.2 was cut) before the lint fix was ready, so it lands as a small follow-up.

Guarantees

  • No behavior change — pure extraction; same branches, same 401 fail-closed semantics.
  • gocyclo -over 16 → clean.
  • Build + full middleware test suite green (the existing MissingSubClaim / MissingOwnerClaim / empty-product tests still pass against the extracted helper).

Notes

Should land in develop before promoting v2.9.0 to stable (PR #115), so the release line is lint-clean.

… complexity

The fail-closed sub guard pushed checkAuthorization to gocyclo 17 (> 16).
Extract the subject-derivation branch (M2M role vs normal-user identity,
with the owner/sub guards) into deriveSubject, bringing checkAuthorization
back to 15. No behavior change.

X-Lerian-Ref: 0x1
@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d4cf3f8a-89ad-4b5c-91f7-9147d92b0e0a

📥 Commits

Reviewing files that changed from the base of the PR and between e680c42 and 72eb677.

📒 Files selected for processing (1)
  • auth/middleware/middleware_test.go

📝 Walkthrough

Walkthrough

The middleware now derives authorization subjects from JWT claims in a helper and uses that helper during authorization checks. The missing-sub test now asserts the auth backend is not contacted.

Changes

Authorization subject derivation

Layer / File(s) Summary
Subject helper and checkAuthorization update
auth/middleware/middleware.go
Adds deriveSubject for JWT claim-based subject construction, imports OpenTelemetry trace support, and updates checkAuthorization to use the helper and return its status on failure.
Missing-sub test coverage
auth/middleware/middleware_test.go
Updates the missing-sub test to fail if the auth backend is called and to assert rejection happens before any backend request.

Possibly related PRs

  • LerianStudio/lib-auth#116: Also changes auth/middleware/middleware.go subject derivation and missing-claim handling in checkAuthorization.
✨ Finishing Touches
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch fix/checkauth-cyclomatic

Comment @coderabbitai help to get the list of available commands.

…ckend

TestCheckAuthorization_MissingSubClaim asserted the 401 result but not the
fail-closed guarantee. Replace the permissive mock with a handler that fails
the test if hit, proving a missing-sub normal-user token is rejected before
any request to the auth service.

X-Lerian-Ref: 0x1
@rodrigodh rodrigodh merged commit c88df4e into develop Jun 25, 2026
3 checks passed
@rodrigodh rodrigodh deleted the fix/checkauth-cyclomatic branch June 25, 2026 17:34
@lerian-studio-midaz-push-bot

Copy link
Copy Markdown

🎉 This PR is included in version 2.9.0-beta.3 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@lerian-studio-midaz-push-bot

Copy link
Copy Markdown

🎉 This PR is included in version 2.9.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant