gohorsejobs/backend/internal/middleware
Tiago Yamamoto 6fbd1f5ffc feat: implement full auth system with HTTPOnly cookies + JWT, fix migrations to UUID v7, remove mock data from frontend
Backend:
- Fix migrations 037-041 to use UUID v7 (uuid_generate_v7)
- Fix CORS defaults to include localhost:8963
- Fix FRONTEND_URL default to localhost:8963
- Update superadmin password hash with pepper
- Add PASSWORD_PEPPER environment variable

Frontend:
- Replace mockJobs with real API calls in home page
- Replace mockNotifications with notificationsApi in context
- Replace mockApplications with applicationsApi in dashboard
- Fix register/user page to call real registerCandidate API
- Fix hardcoded values in backoffice and messages pages

Auth:
- Support both HTTPOnly cookie and Bearer token authentication
- Login returns token + sets HTTPOnly cookie
- Logout clears HTTPOnly cookie
- Token valid for 24h
2026-02-16 05:20:46 -06:00
auth.go
cors.go feat: implement full auth system with HTTPOnly cookies + JWT, fix migrations to UUID v7, remove mock data from frontend 2026-02-16 05:20:46 -06:00
logging.go
middleware_test.go fix(backend): fix AdminService tests and expand CoreHandlers coverage 2025-12-28 02:32:57 -03:00
rate_limit.go
README.md refactor(roles): rename companyAdmin->admin and jobSeeker->candidate 2025-12-24 13:30:50 -03:00
sanitizer.go feat: security refactor, server-side pagination, and docs update 2025-12-23 00:50:51 -03:00
security_headers.go

Middleware - Security Layer

Security middlewares applied to every HTTP request.


📦 Available Middlewares

auth.go - JWT Authentication

Validates JWT tokens and extracts the user's claims.

// Use on protected routes
mux.Handle("/protected", AuthMiddleware(handler))

// With a role check
mux.Handle("/admin", AuthMiddleware(RequireRole("superadmin")(handler)))

Extracted claims:

  • UserID - user ID
  • Role - role (superadmin, admin, recruiter, candidate)
  • CompanyID - company ID (when applicable)
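The following is an added example, not the project's auth.go: a self-contained HS256 JWT verifier and the two wrappers the snippet above uses, accepting the token either from the HTTPOnly cookie or from an Authorization: Bearer header (both are supported according to the commit message). The cookie name auth_token, the JSON claim names (sub, role, company_id, exp) and the secret are assumptions; the project's real names may differ.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Claims carried by the token. JSON field names are assumptions, not the project's.
type Claims struct {
	UserID    string `json:"sub"`
	Role      string `json:"role"`
	CompanyID string `json:"company_id,omitempty"`
	Exp       int64  `json:"exp"`
}

type ctxKey struct{}
const cookieName = "auth_token" // assumed name of the HTTPOnly cookie
var b64 = base64.RawURLEncoding

// SignToken builds a compact HS256 JWT: base64url(header).base64url(payload).base64url(hmac).
func SignToken(secret []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyToken checks the MAC in constant time before trusting the payload and rejects
// tokens without, or past, their exp claim.
func VerifyToken(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// The header's alg field is deliberately ignored: the MAC is always recomputed as
	// HS256 with our own secret, so tokens claiming alg=none or RS256 simply fail here.
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// tokenFromRequest prefers the HTTPOnly cookie and falls back to "Authorization: Bearer".
func tokenFromRequest(r *http.Request) string {
	if ck, err := r.Cookie(cookieName); err == nil && ck.Value != "" {
		return ck.Value
	}
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer ")
	}
	return ""
}

// AuthMiddleware rejects requests without a valid token and stores the claims in the context.
func AuthMiddleware(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := VerifyToken(secret, tokenFromRequest(r), time.Now())
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, c)))
	})
}

// ClaimsFrom returns the claims stored by AuthMiddleware.
func ClaimsFrom(r *http.Request) (*Claims, bool) {
	c, ok := r.Context().Value(ctxKey{}).(*Claims)
	return c, ok
}

// RequireRole lets the request through only when the role claim is one of roles.
func RequireRole(roles ...string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			c, ok := ClaimsFrom(r)
			if !ok {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			for _, role := range roles {
				if c.Role == role {
					next.ServeHTTP(w, r)
					return
				}
			}
			http.Error(w, "forbidden", http.StatusForbidden)
		})
	}
}
```

Two points worth noticing: the verifier never reads the alg header, which closes the classic alg=none confusion without extra parsing, and RequireRole must always sit inside AuthMiddleware (as in the snippet above) because it relies on the claims the outer wrapper placed in the context.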

cors.go - Cross-Origin Resource Sharing

Configures the allowed origins via an environment variable.

CORS_ORIGINS=http://localhost:3000,https://gohorsejobs.com

Configured headers:

  • Access-Control-Allow-Origin (whitelist)
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers
  • Access-Control-Allow-Credentials
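An added example of the allowlist behaviour described above, written for this page and not taken from the project's cors.go. It parses CORS_ORIGINS exactly as the line above shows (comma-separated), answers preflights itself, and echoes the matching origin back rather than "*", which browsers reject when Access-Control-Allow-Credentials is true. The default fallback http://localhost:8963 comes from the commit message; the method and header lists are assumptions.

```go
package main

import (
	"net/http"
	"os"
	"strings"
)

// allowedOrigins turns the comma-separated CORS_ORIGINS value into an exact-match set.
// Origins are compared byte for byte: no prefix or wildcard matching.
func allowedOrigins(env string) map[string]bool {
	set := map[string]bool{}
	for _, o := range strings.Split(env, ",") {
		if o = strings.TrimSpace(o); o != "" {
			set[o] = true
		}
	}
	return set
}

// CORSMiddleware adds CORS headers only for allowlisted origins and short-circuits preflights.
func CORSMiddleware(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		// Responses differ per origin, so shared caches must key on it.
		h.Add("Vary", "Origin")
		origin := r.Header.Get("Origin")
		if origin != "" && allowed[origin] {
			// Echo the exact origin: "*" is not permitted together with credentials.
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Access-Control-Allow-Credentials", "true")
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		}
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			// Preflight: reply here; the real handler must not run for it.
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewCORSFromEnv builds the middleware from CORS_ORIGINS, defaulting to the dev frontend origin.
func NewCORSFromEnv(next http.Handler) http.Handler {
	env := os.Getenv("CORS_ORIGINS")
	if env == "" {
		env = "http://localhost:8963" // default named in the commit message
	}
	return CORSMiddleware(allowedOrigins(env), next)
}
```

A request from an origin that is not in the list is still served, just without any Access-Control-* headers; the browser then refuses to expose the response to the page, which is the intended behaviour of the allowlist.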

rate_limit.go - Rate Limiting

Limits requests per IP to prevent abuse.

Default configuration:

  • 100 requests per minute per IP
  • Returns 429 Too Many Requests when exceeded

Response headers:

  • Retry-After: 60 (when limited)
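An added example (not the project's rate_limit.go) of the behaviour listed above: a per-IP fixed-window counter that answers 429 with Retry-After set to the window length in seconds, so the defaults above produce Retry-After: 60. The clock is injectable so the reset can be tested without waiting a minute; the constructor signature RateLimitMiddleware(limit, period) mirrors the call in the router.go snippet further down but is an assumption about the real code.

```go
package main

import (
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

type window struct {
	start time.Time
	count int
}

// RateLimiter counts requests per key in fixed windows of length period.
type RateLimiter struct {
	mu     sync.Mutex
	limit  int
	period time.Duration
	now    func() time.Time // injectable clock for deterministic tests
	seen   map[string]*window
}

func NewRateLimiter(limit int, period time.Duration) *RateLimiter {
	return &RateLimiter{limit: limit, period: period, now: time.Now, seen: map[string]*window{}}
}

// Allow reports whether key still has budget in the current window. When it does not,
// the second value is the Retry-After to send, in whole seconds (the full period).
func (rl *RateLimiter) Allow(key string) (bool, int) {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	now := rl.now()
	w, ok := rl.seen[key]
	if !ok || now.Sub(w.start) >= rl.period {
		// First request from this key, or the previous window has elapsed: start a new one.
		w = &window{start: now}
		rl.seen[key] = w
	}
	if w.count >= rl.limit {
		return false, int(rl.period / time.Second)
	}
	w.count++
	return true, 0
}

// clientIP keys on the TCP peer address. X-Forwarded-For is deliberately not consulted:
// only honour it behind a proxy you control, otherwise the client chooses its own bucket.
func clientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// Middleware returns the HTTP wrapper: 429 plus Retry-After once the per-IP limit is reached.
func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, retry := rl.Allow(clientIP(r))
		if !ok {
			w.Header().Set("Retry-After", strconv.Itoa(retry))
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// RateLimitMiddleware matches the call shape used in the router.go snippet on this page.
func RateLimitMiddleware(limit int, period time.Duration) func(http.Handler) http.Handler {
	return NewRateLimiter(limit, period).Middleware
}
```

The map of windows is never pruned here, so a production limiter needs an eviction pass (or a bounded store) to keep memory proportional to active clients rather than to every IP ever seen.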

security_headers.go - Security Headers (OWASP)

Adds the security headers recommended by OWASP.

Header                   Value                            Protects against
X-Frame-Options          DENY                             clickjacking
X-Content-Type-Options   nosniff                          MIME sniffing
X-XSS-Protection         1; mode=block                    XSS
Referrer-Policy          strict-origin-when-cross-origin  referrer leakage
Content-Security-Policy  (configured)                     content injection
Permissions-Policy       (configured)                     dangerous browser APIs

logging.go - Request Logging

Logs every request with its method, path and duration.


🔗 Order of Application

The middlewares are applied in the following order (from outermost to innermost):

  1. Security Headers - security headers
  2. Rate Limiting - rate limiting
  3. CORS - cross-origin
  4. Logging - request logging
  5. Auth - authentication (where applicable)

// In router.go
// Wrapping is inside-out: the last wrapper applied becomes the outermost one,
// so SecurityHeaders runs first on every request, then RateLimit, then CORS.
handler = CORSMiddleware(handler)
handler = RateLimitMiddleware(100, time.Minute)(handler)
handler = SecurityHeadersMiddleware(handler)
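The wrapping order above trips people up, so here is an added example (not the project's router.go or security_headers.go) that makes it observable. Chain takes the middlewares in the same outer-to-inner order as the numbered list and wraps them backwards, exactly as the router.go lines do by hand; SecurityHeadersMiddleware is the real header-setting stage from the table above, and Trace and Reject are test-only stand-ins for the other stages. The CSP and Permissions-Policy values are assumptions, since the page only says they are "(configured)".

```go
package main

import "net/http"

// Middleware is the shape shared by every wrapper in this package.
type Middleware func(http.Handler) http.Handler

// Chain applies mws so that mws[0] ends up outermost: it wraps from the last entry
// backwards, which is what the router.go snippet does line by line.
func Chain(h http.Handler, mws ...Middleware) http.Handler {
	for i := len(mws) - 1; i >= 0; i-- {
		h = mws[i](h)
	}
	return h
}

// SecurityHeadersMiddleware sets the headers before calling next, so they are present on
// every response, including ones an inner stage writes when it stops the chain early.
func SecurityHeadersMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-XSS-Protection", "1; mode=block")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		h.Set("Content-Security-Policy", "default-src 'self'")                   // assumed policy
		h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()") // assumed policy
		next.ServeHTTP(w, r)
	})
}

// Trace appends name to *order as the request passes through, making the nesting visible.
func Trace(name string, order *[]string) Middleware {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			*order = append(*order, name)
			next.ServeHTTP(w, r)
		})
	}
}

// Reject stands in for a stage that ends the request itself, like a rate limiter answering 429.
func Reject(code int) Middleware {
	return func(http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			http.Error(w, http.StatusText(code), code)
		})
	}
}
```

Because headers must be set before the status line is written, a header-adding stage only works reliably when it is outside every stage that might write a response on its own; putting Security Headers first in the list is what guarantees a rate-limited 429 still carries X-Frame-Options and friends.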