Fixed DatabaseAuthenticator sq select

pkg/funcspec/function_api.go

@@ -58,6 +58,9 @@ func (h *Handler) SqlQueryList(sqlquery string, pNoCount, pBlankparms, pAllowFil
 			}
 		}()
 
+		// Create local copy to avoid modifying the captured parameter across requests
+		sqlquery := sqlquery
+
 		ctx, cancel := context.WithTimeout(r.Context(), 900*time.Second)
 		defer cancel()
 
@@ -393,6 +396,9 @@ func (h *Handler) SqlQuery(sqlquery string, pBlankparms bool) HTTPFuncType {
 			}
 		}()
 
+		// Create local copy to avoid modifying the captured parameter across requests
+		sqlquery := sqlquery
+
 		ctx, cancel := context.WithTimeout(r.Context(), 600*time.Second)
 		defer cancel()
 

pkg/security/examples_funcspec.go

@@ -0,0 +1,160 @@
+package security
+
+// This file contains usage examples for integrating security with funcspec handlers
+// These are example snippets - not executable code
+
+/*
+Example 1: Wrap handlers with authentication (required)
+
+	import (
+		"github.com/bitechdev/ResolveSpec/pkg/funcspec"
+		"github.com/bitechdev/ResolveSpec/pkg/security"
+		"github.com/gorilla/mux"
+	)
+
+	// Setup
+	db := ... // your database connection
+	securityList := ... // your security list
+	handler := funcspec.NewHandler(db)
+	router := mux.NewRouter()
+
+	// Wrap handler with required authentication (returns 401 if not authenticated)
+	ordersHandler := security.WithAuth(
+		handler.SqlQueryList("SELECT * FROM orders WHERE user_id = [rid_user]", false, false, false),
+		securityList,
+	)
+	router.HandleFunc("/api/orders", ordersHandler).Methods("GET")
+
+Example 2: Wrap handlers with optional authentication
+
+	// Wrap handler with optional authentication (falls back to guest if not authenticated)
+	productsHandler := security.WithOptionalAuth(
+		handler.SqlQueryList("SELECT * FROM products WHERE deleted = false", false, false, false),
+		securityList,
+	)
+	router.HandleFunc("/api/products", productsHandler).Methods("GET")
+
+	// The handler will show all products for guests, but could show personalized pricing
+	// or recommendations for authenticated users based on [rid_user]
+
+Example 3: Wrap handlers with both authentication and security context
+
+	// Use the convenience function for both auth and security context
+	usersHandler := security.WithAuthAndSecurity(
+		handler.SqlQueryList("SELECT * FROM users WHERE active = true", false, false, false),
+		securityList,
+	)
+	router.HandleFunc("/api/users", usersHandler).Methods("GET")
+
+	// Or use WithOptionalAuthAndSecurity for optional auth
+	postsHandler := security.WithOptionalAuthAndSecurity(
+		handler.SqlQueryList("SELECT * FROM posts WHERE published = true", false, false, false),
+		securityList,
+	)
+	router.HandleFunc("/api/posts", postsHandler).Methods("GET")
+
+Example 4: Wrap a single funcspec handler with security context only
+
+	import (
+		"github.com/bitechdev/ResolveSpec/pkg/funcspec"
+		"github.com/bitechdev/ResolveSpec/pkg/security"
+		"github.com/gorilla/mux"
+	)
+
+	// Setup
+	db := ... // your database connection
+	securityList := ... // your security list
+	handler := funcspec.NewHandler(db)
+	router := mux.NewRouter()
+
+	// Wrap a specific handler with security context
+	usersHandler := security.WithSecurityContext(
+		handler.SqlQueryList("SELECT * FROM users WHERE active = true", false, false, false),
+		securityList,
+	)
+	router.HandleFunc("/api/users", usersHandler).Methods("GET")
+
+Example 5: Wrap multiple handlers for different paths
+
+	// Products list endpoint
+	productsHandler := security.WithSecurityContext(
+		handler.SqlQueryList("SELECT * FROM products WHERE deleted = false", false, true, true),
+		securityList,
+	)
+	router.HandleFunc("/api/products", productsHandler).Methods("GET")
+
+	// Single product endpoint
+	productHandler := security.WithSecurityContext(
+		handler.SqlQuery("SELECT * FROM products WHERE id = [id]", true),
+		securityList,
+	)
+	router.HandleFunc("/api/products/{id}", productHandler).Methods("GET")
+
+	// Orders endpoint with user filtering
+	ordersHandler := security.WithSecurityContext(
+		handler.SqlQueryList("SELECT * FROM orders WHERE user_id = [rid_user]", false, false, false),
+		securityList,
+	)
+	router.HandleFunc("/api/orders", ordersHandler).Methods("GET")
+
+Example 6: Helper function to wrap multiple handlers
+
+	// Create a helper function for your application
+	func secureHandler(h funcspec.HTTPFuncType, sl *SecurityList) funcspec.HTTPFuncType {
+		return security.WithSecurityContext(h, sl)
+	}
+
+	// Use it to wrap handlers
+	router.HandleFunc("/api/users", secureHandler(
+		handler.SqlQueryList("SELECT * FROM users", false, false, false),
+		securityList,
+	)).Methods("GET")
+
+	router.HandleFunc("/api/roles", secureHandler(
+		handler.SqlQueryList("SELECT * FROM roles", false, false, false),
+		securityList,
+	)).Methods("GET")
+
+Example 7: Access SecurityList and user context in hooks
+
+	// In your funcspec hook, you can now access the SecurityList and user context
+	handler.Hooks().Register(funcspec.BeforeQueryList, func(ctx *funcspec.HookContext) error {
+		// Get SecurityList from context
+		if secList, ok := security.GetSecurityList(ctx.Context); ok {
+			// Use secList to apply security rules
+			// e.g., apply row-level security, column masking, etc.
+			_ = secList
+		}
+
+		// Get user context
+		if userCtx, ok := security.GetUserContext(ctx.Context); ok {
+			// Access user information
+			logger.Info("User %s (ID: %d) accessing resource", userCtx.UserName, userCtx.UserID)
+		}
+
+		return nil
+	})
+
+Example 8: Mixing authentication and security patterns
+
+	// Public endpoint - no auth required, but has security context
+	publicHandler := security.WithSecurityContext(
+		handler.SqlQueryList("SELECT * FROM public_data", false, false, false),
+		securityList,
+	)
+	router.HandleFunc("/api/public", publicHandler).Methods("GET")
+
+	// Optional auth - personalized for logged-in users, works for guests
+	personalizedHandler := security.WithOptionalAuth(
+		handler.SqlQueryList("SELECT * FROM products WHERE category = [category]", false, true, false),
+		securityList,
+	)
+	router.HandleFunc("/api/products/category/{category}", personalizedHandler).Methods("GET")
+
+	// Required auth - must be logged in
+	privateHandler := security.WithAuthAndSecurity(
+		handler.SqlQueryList("SELECT * FROM private_data WHERE user_id = [rid_user]", false, false, false),
+		securityList,
+	)
+	router.HandleFunc("/api/private", privateHandler).Methods("GET")
+*/

pkg/security/middleware.go

@@ -193,6 +193,115 @@ func SetSecurityMiddleware(securityList *SecurityList) func(http.Handler) http.H
 	}
 }
 
+// WithAuth wraps an HTTPFuncType handler with required authentication
+// This function performs authentication and returns 401 if authentication fails
+// Use this for handlers that require authenticated users
+//
+// Usage:
+//
+//	handler := funcspec.NewHandler(db)
+//	wrappedHandler := security.WithAuth(handler.SqlQueryList("SELECT * FROM orders WHERE user_id = [rid_user]", false, false, false), securityList)
+//	router.HandleFunc("/api/orders", wrappedHandler)
+func WithAuth(handler func(http.ResponseWriter, *http.Request), securityList *SecurityList) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Get the security provider
+		provider := securityList.Provider()
+		if provider == nil {
+			http.Error(w, "Security provider not configured", http.StatusInternalServerError)
+			return
+		}
+
+		// Authenticate the request
+		authenticatedReq, ok := authenticateRequest(w, r, provider)
+		if !ok {
+			return // authenticateRequest already wrote the error response
+		}
+
+		// Continue with authenticated context
+		handler(w, authenticatedReq)
+	}
+}
+
+// WithOptionalAuth wraps an HTTPFuncType handler with optional authentication
+// This function tries to authenticate but falls back to guest context if authentication fails
+// Use this for handlers that should show personalized content for authenticated users but still work for guests
+//
+// Usage:
+//
+//	handler := funcspec.NewHandler(db)
+//	wrappedHandler := security.WithOptionalAuth(handler.SqlQueryList("SELECT * FROM products", false, false, false), securityList)
+//	router.HandleFunc("/api/products", wrappedHandler)
+func WithOptionalAuth(handler func(http.ResponseWriter, *http.Request), securityList *SecurityList) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Get the security provider
+		provider := securityList.Provider()
+		if provider == nil {
+			http.Error(w, "Security provider not configured", http.StatusInternalServerError)
+			return
+		}
+
+		// Try to authenticate
+		userCtx, err := provider.Authenticate(r)
+		if err != nil {
+			// Authentication failed - set guest context and continue
+			guestCtx := createGuestContext(r)
+			handler(w, setUserContext(r, guestCtx))
+			return
+		}
+
+		// Authentication succeeded - set user context
+		handler(w, setUserContext(r, userCtx))
+	}
+}
+
+// WithSecurityContext wraps an HTTPFuncType handler with security context
+// This function allows you to add security context to specific handler functions
+// without needing to apply middleware globally
+//
+// Usage:
+//
+//	handler := funcspec.NewHandler(db)
+//	wrappedHandler := security.WithSecurityContext(handler.SqlQueryList("SELECT * FROM users", false, false, false), securityList)
+//	router.HandleFunc("/api/users", wrappedHandler)
+func WithSecurityContext(handler func(http.ResponseWriter, *http.Request), securityList *SecurityList) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		ctx := context.WithValue(r.Context(), SECURITY_CONTEXT_KEY, securityList)
+		handler(w, r.WithContext(ctx))
+	}
+}
+
+// WithAuthAndSecurity wraps an HTTPFuncType handler with both authentication and security context
+// This is a convenience function that combines WithAuth and WithSecurityContext
+// Use this when you need both authentication and security context for a handler
+//
+// Usage:
+//
+//	handler := funcspec.NewHandler(db)
+//	wrappedHandler := security.WithAuthAndSecurity(handler.SqlQueryList("SELECT * FROM users", false, false, false), securityList)
+//	router.HandleFunc("/api/users", wrappedHandler)
+func WithAuthAndSecurity(handler func(http.ResponseWriter, *http.Request), securityList *SecurityList) func(http.ResponseWriter, *http.Request) {
+	return WithAuth(WithSecurityContext(handler, securityList), securityList)
+}
+
+// WithOptionalAuthAndSecurity wraps an HTTPFuncType handler with optional authentication and security context
+// This is a convenience function that combines WithOptionalAuth and WithSecurityContext
+// Use this when you want optional authentication and security context for a handler
+//
+// Usage:
+//
+//	handler := funcspec.NewHandler(db)
+//	wrappedHandler := security.WithOptionalAuthAndSecurity(handler.SqlQueryList("SELECT * FROM products", false, false, false), securityList)
+//	router.HandleFunc("/api/products", wrappedHandler)
+func WithOptionalAuthAndSecurity(handler func(http.ResponseWriter, *http.Request), securityList *SecurityList) func(http.ResponseWriter, *http.Request) {
+	return WithOptionalAuth(WithSecurityContext(handler, securityList), securityList)
+}
+
+// GetSecurityList extracts the SecurityList from request context
+func GetSecurityList(ctx context.Context) (*SecurityList, bool) {
+	securityList, ok := ctx.Value(SECURITY_CONTEXT_KEY).(*SecurityList)
+	return securityList, ok
+}
+
 // GetUserContext extracts the full user context from request context
 func GetUserContext(ctx context.Context) (*UserContext, bool) {
 	userCtx, ok := ctx.Value(UserContextKey).(*UserContext)

pkg/security/providers.go

@@ -75,9 +75,9 @@ func (a *DatabaseAuthenticator) Login(ctx context.Context, req LoginRequest) (*L
 	// Call resolvespec_login stored procedure
 	var success bool
 	var errorMsg sql.NullString
-	var dataJSON []byte
+	var dataJSON sql.NullString
 
-	query := `SELECT p_success, p_error, p_data FROM resolvespec_login($1::jsonb)`
+	query := `SELECT p_success, p_error, p_data::text FROM resolvespec_login($1::jsonb)`
 	err = a.db.QueryRowContext(ctx, query, reqJSON).Scan(&success, &errorMsg, &dataJSON)
 	if err != nil {
 		return nil, fmt.Errorf("login query failed: %w", err)
@@ -92,7 +92,7 @@ func (a *DatabaseAuthenticator) Login(ctx context.Context, req LoginRequest) (*L
 
 	// Parse response
 	var response LoginResponse
-	if err := json.Unmarshal(dataJSON, &response); err != nil {
+	if err := json.Unmarshal([]byte(dataJSON.String), &response); err != nil {
 		return nil, fmt.Errorf("failed to parse login response: %w", err)
 	}
 
@@ -109,9 +109,9 @@ func (a *DatabaseAuthenticator) Logout(ctx context.Context, req LogoutRequest) e
 	// Call resolvespec_logout stored procedure
 	var success bool
 	var errorMsg sql.NullString
-	var dataJSON []byte
+	var dataJSON sql.NullString
 
-	query := `SELECT p_success, p_error, p_data FROM resolvespec_logout($1::jsonb)`
+	query := `SELECT p_success, p_error, p_data::text FROM resolvespec_logout($1::jsonb)`
 	err = a.db.QueryRowContext(ctx, query, reqJSON).Scan(&success, &errorMsg, &dataJSON)
 	if err != nil {
 		return fmt.Errorf("logout query failed: %w", err)
@@ -151,9 +151,9 @@ func (a *DatabaseAuthenticator) Authenticate(r *http.Request) (*UserContext, err
 
 	var success bool
 	var errorMsg sql.NullString
-	var userJSON []byte
+	var userJSON sql.NullString
 
-	query := `SELECT p_success, p_error, p_user FROM resolvespec_session($1, $2)`
+	query := `SELECT p_success, p_error, p_user::text FROM resolvespec_session($1, $2)`
 	err := a.db.QueryRowContext(r.Context(), query, sessionToken, reference).Scan(&success, &errorMsg, &userJSON)
 	if err != nil {
 		return nil, fmt.Errorf("session query failed: %w", err)
@@ -168,7 +168,7 @@ func (a *DatabaseAuthenticator) Authenticate(r *http.Request) (*UserContext, err
 
 	// Parse UserContext
 	var userCtx UserContext
-	if err := json.Unmarshal(userJSON, &userCtx); err != nil {
+	if err := json.Unmarshal([]byte(userJSON.String), &userCtx); err != nil {
 		return nil, fmt.Errorf("failed to parse user context: %w", err)
 	}
 
@@ -189,9 +189,9 @@ func (a *DatabaseAuthenticator) updateSessionActivity(ctx context.Context, sessi
 	// Call resolvespec_session_update stored procedure
 	var success bool
 	var errorMsg sql.NullString
-	var updatedUserJSON []byte
+	var updatedUserJSON sql.NullString
 
-	query := `SELECT p_success, p_error, p_user FROM resolvespec_session_update($1, $2::jsonb)`
+	query := `SELECT p_success, p_error, p_user::text FROM resolvespec_session_update($1, $2::jsonb)`
 	_ = a.db.QueryRowContext(ctx, query, sessionToken, userJSON).Scan(&success, &errorMsg, &updatedUserJSON)
 }
 
@@ -201,10 +201,9 @@ func (a *DatabaseAuthenticator) RefreshToken(ctx context.Context, refreshToken s
 	// First, we need to get the current user context for the refresh token
 	var success bool
 	var errorMsg sql.NullString
-	var userJSON []byte
-
+	var userJSON sql.NullString
 	// Get current session to pass to refresh
-	query := `SELECT p_success, p_error, p_user FROM resolvespec_session($1, $2)`
+	query := `SELECT p_success, p_error, p_user::text FROM resolvespec_session($1, $2)`
 	err := a.db.QueryRowContext(ctx, query, refreshToken, "refresh").Scan(&success, &errorMsg, &userJSON)
 	if err != nil {
 		return nil, fmt.Errorf("refresh token query failed: %w", err)
@@ -220,9 +219,9 @@ func (a *DatabaseAuthenticator) RefreshToken(ctx context.Context, refreshToken s
 	// Call resolvespec_refresh_token to generate new token
 	var newSuccess bool
 	var newErrorMsg sql.NullString
-	var newUserJSON []byte
+	var newUserJSON sql.NullString
 
-	refreshQuery := `SELECT p_success, p_error, p_user FROM resolvespec_refresh_token($1, $2::jsonb)`
+	refreshQuery := `SELECT p_success, p_error, p_user::text FROM resolvespec_refresh_token($1, $2::jsonb)`
 	err = a.db.QueryRowContext(ctx, refreshQuery, refreshToken, userJSON).Scan(&newSuccess, &newErrorMsg, &newUserJSON)
 	if err != nil {
 		return nil, fmt.Errorf("refresh token generation failed: %w", err)
@@ -237,7 +236,7 @@ func (a *DatabaseAuthenticator) RefreshToken(ctx context.Context, refreshToken s
 
 	// Parse refreshed user context
 	var userCtx UserContext
-	if err := json.Unmarshal(newUserJSON, &userCtx); err != nil {
+	if err := json.Unmarshal([]byte(newUserJSON.String), &userCtx); err != nil {
 		return nil, fmt.Errorf("failed to parse user context: %w", err)
 	}