e0a88b7
e0a88b76fefbfb11dcc8b6a5f297b4b6485db45d4c2a504
75e7fe0| Status | File | + | - |
|---|---|---|---|
| A |
internal/web/middleware/policy.go
|
26 | 0 |
| M |
internal/web/server.go
|
1 | 0 |
internal/web/middleware/policy.goadded@@ -0,0 +1,26 @@ | ||
| 1 | +// SPDX-License-Identifier: AGPL-3.0-or-later | |
| 2 | + | |
| 3 | +package middleware | |
| 4 | + | |
| 5 | +import ( | |
| 6 | + "net/http" | |
| 7 | + | |
| 8 | + "github.com/tenseleyFlow/shithub/internal/auth/policy" | |
| 9 | +) | |
| 10 | + | |
| 11 | +// PolicyCache attaches a per-request memo to ctx so the policy package | |
| 12 | +// can de-duplicate (actor, repo) → role lookups across the handler | |
| 13 | +// chain. Wire this once near the top of the chain, after the request | |
| 14 | +// has been bound to a session. | |
| 15 | +// | |
| 16 | +// Mutations that change collaborator state mid-request must call | |
| 17 | +// policy.InvalidateRepo(ctx, repoID) before re-checking, or the cache | |
| 18 | +// will return a stale role. | |
| 19 | +func PolicyCache() func(http.Handler) http.Handler { | |
| 20 | + return func(next http.Handler) http.Handler { | |
| 21 | + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | |
| 22 | + ctx := policy.WithCache(r.Context()) | |
| 23 | + next.ServeHTTP(w, r.WithContext(ctx)) | |
| 24 | + }) | |
| 25 | + } | |
| 26 | +} | |
internal/web/server.gomodified@@ -133,6 +133,7 @@ func Run(ctx context.Context, opts Options) error { | ||
| 133 | 133 | if pool != nil { |
| 134 | 134 | r.Use(middleware.OptionalUser(usernameLookup(pool))) |
| 135 | 135 | } |
| 136 | + r.Use(middleware.PolicyCache()) | |
| 136 | 137 | |
| 137 | 138 | deps := handlers.Deps{ |
| 138 | 139 | Logger: logger, |