fixed authorization (now checks the role inside of the project)

middleware/jwt.go

@@ -35,7 +35,7 @@ var (
 	errExpiredToken = "Invalid or expired token" // #nosec G101
 
 	// Redis key prefix for token cache
-	redisTokenPrefix = "jwt:token:"
+	redisTokenPrefix = "jwt:v2:token:"
 )
 
 func getRSAPublicKey() (*rsa.PublicKey, error) {
@@ -257,6 +257,15 @@ func buildContext(parent context.Context, claims *models.Claims) context.Context
 		}
 	}
 
+	for _, project := range claims.Projects {
+		for _, role := range project.RoleID {
+			if _, exists := unique[role]; !exists {
+				unique[role] = struct{}{}
+				roles = append(roles, role)
+			}
+		}
+	}
+
 	ctx = context.WithValue(ctx, roleIDKey, roles)
 	return ctx
 }

middleware/jwt_test.go

@@ -212,6 +212,32 @@ func TestBuildContextIncludesAdditionalRoles(t *testing.T) {
 	}
 }
 
+func TestBuildContextIncludesProjectRoles(t *testing.T) {
+	claims := &models.Claims{
+		UsersID:          "user123",
+		RoleID:           models.RoleIDs{30},
+		AdditionalRoleID: models.RoleIDs{4},
+		Projects: []models.ProjectClaim{
+			{ProjectID: 10, RoleID: models.RoleIDs{44, 52}},
+			{ProjectID: 11, RoleID: models.RoleIDs{30, 52, 61}},
+		},
+	}
+
+	ctx := buildContext(context.Background(), claims)
+	val, ok := ctx.Value(roleIDKey).([]int)
+	if !ok {
+		t.Fatal("Role not properly set in context")
+	}
+
+	if len(val) != 5 {
+		t.Fatalf("expected 5 unique roles, got %d (%v)", len(val), val)
+	}
+
+	if val[0] != 30 || val[1] != 4 || val[2] != 44 || val[3] != 52 || val[4] != 61 {
+		t.Fatalf("unexpected roles in context: %v", val)
+	}
+}
+
 func TestGetClaims(t *testing.T) {
 	claims := &models.Claims{
 		UsersID: "user123",