Conversation
New howto/auth.md covering JWT and API key auth interceptors, claims access, health check bypass, and links to grpc-go/authz and golang-jwt/jwt. Updates production.md, interceptors.md, Index.md, and Playwright tests.
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds a new Authentication how-to (JWT and API-key examples, env-driven interceptors, claims access), updates interceptor/production docs and index table to reference auth examples, extends Swagger how-to with alternative OpenAPI UI mounting, and adds Playwright tests for the new how-to page. Changes
Sequence Diagram(s)sequenceDiagram
participant Client
participant HTTP as "grpc-gateway / HTTP"
participant gRPC as "gRPC Client"
participant Server as "gRPC Server"
participant Auth as "Auth Interceptor\n(env: JWT_SECRET / API_KEYS)"
participant Handler as "Service Handler"
Client->>HTTP: HTTP request (Authorization / x-api-key)
HTTP->>Server: gRPC request (metadata forwarded)
gRPC->>Server: direct gRPC request (metadata)
Server->>Auth: incoming RPC (metadata)
Auth->>Auth: validate JWT or API key using env vars
Auth-->>Server: attach claims to ctx / allow or reject
Server->>Handler: invoke RPC with context
Handler-->>Client: response
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Adds a new Authentication how-to page and wires it into the docs site navigation/feature listing, with Playwright coverage to ensure the page renders and contains expected content.
Changes:
- Added
howto/auth.mddocumenting JWT/API key auth, claims access, health-check bypass viaServiceAuthFuncOverride, and further references. - Updated existing docs to link to the new auth how-to (
Index.md,howto/production.md,howto/interceptors.md). - Extended Playwright tests to include the new auth page in navigation and content checks.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
howto/auth.md |
New authentication how-to page (JWT/API key, claims, health-check bypass, references). |
howto/interceptors.md |
Adds an Authentication section linking to the new how-to. |
howto/production.md |
Updates security/auth guidance to reference the auth examples/how-to. |
Index.md |
Adds “Auth Examples” row linking to the auth how-to. |
tests/navigation.spec.ts |
Ensures /howto/auth/ is included in page-loading coverage. |
tests/content.spec.ts |
Adds a basic render/content assertion for the auth how-to page. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@howto/auth.md`:
- Around line 142-143: Update the link definitions to be consistent and remove
unused ones: change the [ColdBrew cookiecutter] reference target to
/getting-started to match other docs (ensure the label "ColdBrew cookiecutter"
remains) and delete the unused [AddUnaryServerInterceptor] link definition since
it's not referenced in this file; verify no other references in howto/auth.md
rely on that label before removing.
- Around line 62-66: The RSA example link text in howto/auth.md is misleading:
either update the link URL to point to an actual RSA/ECDSA example in the
golang-jwt docs or change the link text to reflect that it points to the HMAC
example; also add a note pointing readers to JWTAuthFunc in service/auth/auth.go
(look for keyFunc and WithValidMethods) for the asymmetric-key changes so they
know where to swap the public key and allowed algorithms.
- Around line 108-121: The example imports the middleware as grpcauth but then
calls auth.JWTAuthFunc, causing a mismatch; update the call in AuthFuncOverride
to use the imported alias (grpcauth.JWTAuthFunc(s.jwtSecret)(ctx)) or change the
import to the local auth package so the symbol auth.JWTAuthFunc is available;
modify the import or the call consistently so AuthFuncOverride resolves the
JWTAuthFunc symbol.
In `@howto/interceptors.md`:
- Around line 264-268: Update the "Authentication" section in
howto/interceptors.md to match howto/auth.md: clarify that the JWT/API-key
interceptors are already wired into the generated project and are enabled via
the relevant environment variable (no code changes to main.go or
config/config.go are required), and if the cookiecutter template includes
commented examples, note that those are only illustrative (not required to
enable auth); reference the "Authentication" heading, main.go, config/config.go,
and the env var behavior so the two pages give consistent guidance.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 77d5fd7b-e4a5-49ac-896d-ec2621478953
📒 Files selected for processing (6)
Index.mdhowto/auth.mdhowto/interceptors.mdhowto/production.mdtests/content.spec.tstests/navigation.spec.ts
- Fix RSA link anchor (was pointing to HMAC example) - Add HMAC vs RSA guidance (when to use each) - Fix ServiceAuthFuncOverride example imports - Fix interceptors.md stale "uncomment" wording → env-var-controlled - Use /getting-started link, remove unused AddUnaryServerInterceptor ref
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…docly) Show how to use SetOpenAPIHandler with alternative UIs. Note that cookiecutter template now uses swaggest/swgui.
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
howto/auth.md (1)
44-56: Add an explicit production-safety note for JWT secret examples.The sample secret strings are fine for local testing, but a short warning would reduce copy/paste risk in production docs usage (Line 49 / Line 55 context).
Proposed note addition
The auth package includes a `GenerateTestToken` helper for local development: +> **Note:** Example secrets below are for local testing only. In production, use a high-entropy secret (at least 32 random bytes) from a secret manager.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@howto/auth.md` around lines 44 - 56, Add an explicit production-safety warning near the JWT secret examples: update the howto/auth.md text around the GenerateTestToken example and the jwt-cli encode example to include a short, prominent note that the example secrets are for local/testing only and must not be used in production, and instruct readers to use a securely generated, high-entropy secret (or a managed secret store/rotation) in production environments; place the note immediately after the GenerateTestToken snippet and the jwt-cli snippet so readers copying those lines see the warning.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@howto/auth.md`:
- Around line 142-160: The docs currently show AuthFuncOverride example that
always falls back to auth.JWTAuthFunc(s.jwtSecret), which is misleading for
non-JWT setups; update the example in the AuthFuncOverride section to either (A)
explicitly state and label the snippet as a "JWT-specific example" and keep the
auth.JWTAuthFunc(s.jwtSecret) fallback, or (B) replace the hardcoded call with a
generic reference to the active auth function (e.g., call the configured global
auth function or a helper like auth.ActiveAuthFunc(ctx)) and mention
ServiceAuthFuncOverride, AuthFuncOverride, fullMethodName and JWTAuthFunc in the
text so readers know how to adapt the override to their own auth mechanism.
---
Nitpick comments:
In `@howto/auth.md`:
- Around line 44-56: Add an explicit production-safety warning near the JWT
secret examples: update the howto/auth.md text around the GenerateTestToken
example and the jwt-cli encode example to include a short, prominent note that
the example secrets are for local/testing only and must not be used in
production, and instruct readers to use a securely generated, high-entropy
secret (or a managed secret store/rotation) in production environments; place
the note immediately after the GenerateTestToken snippet and the jwt-cli snippet
so readers copying those lines see the warning.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: df569c1d-6387-433d-933c-c22ca57902d2
📒 Files selected for processing (3)
howto/auth.mdhowto/interceptors.mdhowto/swagger.md
✅ Files skipped from review due to trivial changes (2)
- howto/interceptors.md
- howto/swagger.md
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Add [ColdBrew cookiecutter] link ref to Index.md - Clarify auth interceptor chain position note - Make ServiceAuthFuncOverride example generic (not JWT-specific) - Capitalize Bearer in grpcurl example - Pin CDN versions for Scalar/RapiDoc/Redocly - Add SpecFS import context to Scalar snippet
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@howto/auth.md`:
- Around line 61-66: Change the gRPC Go metadata example to use the standard
"Bearer" casing: update the string passed to metadata.Pairs in the example where
token is created via auth.GenerateTestToken so it constructs "authorization"
with "Bearer "+token (the lines involving metadata.Pairs and
metadata.NewOutgoingContext around the auth.GenerateTestToken and client.Echo
usage).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 59f6e7d3-173f-4432-b752-5646da3533e6
📒 Files selected for processing (3)
Index.mdhowto/auth.mdhowto/swagger.md
✅ Files skipped from review due to trivial changes (1)
- howto/swagger.md
🚧 Files skipped from review as they are similar to previous changes (1)
- Index.md
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@howto/auth.md`:
- Around line 159-165: The AuthFuncOverride currently always returns an
Unauthenticated error which contradicts the comment instructing to delegate
non-public methods to the global auth function; update AuthFuncOverride to call
the global auth function used by the server (e.g., invoke the same function
returned by auth.JWTAuthFunc(...) or auth.APIKeyAuthFunc(...)) for methods that
are not in the publicly allowed map, instead of unconditionally returning
status.Error(codes.Unauthenticated, ...); locate the AuthFuncOverride
implementation and replace the fallback return with a call to the configured
global auth function so non-public RPCs are authenticated consistently with the
rest of the app.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Summary
howto/auth.mdpage: JWT auth, API key auth, claims access, health check bypass, ServiceAuthFuncOverrideproduction.md: auth gap note now references auth examplesinterceptors.md: auth section with link to auth howtoIndex.md: auth examples in feature tableTest plan
cd docs.coldbrew.cloud && npx playwright test— all tests pass including new auth page tests/howto/auth/with code blocks and correct TOCSummary by CodeRabbit