Diffstat (limited to '')
| -rw-r--r-- | internal/authz/middleware.go | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/internal/authz/middleware.go b/internal/authz/middleware.go
index a35b6b4..6763323 100644
--- a/internal/authz/middleware.go
+++ b/internal/authz/middleware.go
@@ -1,3 +1,4 @@
+// authentication and authorization module
 package authz
 
 import (
@@ -11,6 +12,13 @@ import (
 "golang.org/x/crypto/bcrypt"
 )
 
+// AuthzContextKey key used to store urn of user in context
+type AuthzContextKey string
+
+var (
+ AuthzUrnKey AuthzContextKey = "goGitAuthzUrn"
+)
+
 func Authentication(authMap TokenMap, next http.Handler) http.Handler {
 return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 u, p, ok := req.BasicAuth()
@@ -34,7 +42,7 @@ func Authentication(authMap TokenMap, next http.Handler) http.Handler {
 http.Error(rw, "Bad Request", http.StatusForbidden)
 return
 }
- ctx := context.WithValue(req.Context(), "urn", urn)
+ ctx := context.WithValue(req.Context(), AuthzUrnKey, urn)
 next.ServeHTTP(rw, req.WithContext(ctx))
 })
 }
@@ -43,7 +51,10 @@ func Authentication(authMap TokenMap, next http.Handler) http.Handler {
 func Authorization(adminSvc *admin.Servicer, next http.Handler) http.Handler {
 return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 ctx := req.Context()
- urn := ctx.Value("urn").(string)
+ urn, ok := ctx.Value(AuthzUrnKey).(string)
+ if !ok || urn == "" {
+ http.Error(rw, "Bad Request", http.StatusBadRequest)
+ }
 repo := req.URL.Path
 action := req.Method
 ok, err := adminSvc.Enforce(urn, repo, action) |
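Review bot: `AuthzContextKey` and `AuthzUrnKey` are both exported and `AuthzUrnKey` is a `var`, so any package in the process can reassign the key or build an equal one with `authz.AuthzContextKey("goGitAuthzUrn")` and store its own urn under it. Authorization later trusts this context value as the caller's identity, so I would keep the key private, e.g. `type ctxKey struct{}`, and expose small helpers such as `WithURN(ctx, urn)` and `URNFromContext(ctx)` instead. If the key has to stay exported, make it a `const` rather than a `var`. The doc comment should start with the identifier in a full sentence, and the name stutters with the package (`authz.AuthzContextKey`).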
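Review bot: The new guard in Authorization writes the 400 response but has no `return`, so a request with a missing or empty urn still falls through to `adminSvc.Enforce(urn, repo, action)` with `urn == ""`. The rest of the handler is outside this hunk, but if it calls `next` when Enforce allows, that would happen after an error response was already written. Add `return` on the line after `http.Error(rw, "Bad Request", http.StatusBadRequest)` so the check fails closed. A missing urn here most likely means Authentication was not in the chain, so 401 or 500 may describe it better than 400, but that is secondary.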