Feature/connectrpc #33
Merged
Add a connectrpc/ module (package connectrpcsec) that adapts the
transport-agnostic security core to the ConnectRPC framework, mirroring
the gRPC adapter.
ConnectRPC has a single connect.Interceptor interface covering unary and
streaming RPCs, so the adapter exposes two interceptors instead of the
four gRPC-style constructors:
- NewAuthenticationInterceptor runs the Engine against the request
headers and enriches the context; client-side calls pass through.
- NewAuthorizationInterceptor enforces an AccessDecisionManager.
It also ships a Carrier over http.Header, an ErrorMapper translating
security sentinels to connect.Code (Unauthenticated / PermissionDenied /
InvalidArgument), and OTel spans connectrpcsec.Authenticate /
connectrpcsec.Authorize.
Module tests pass with -race at 100% coverage; golangci-lint is clean.
Add a runnable ConnectRPC Bearer-token example mirroring grpc-bearer: it serves the gRPC-style health service (connectrpc.com/grpchealth) behind the connectrpcsec authentication and authorization interceptors, and mints a demo JWT at start-up. The end-to-end test serves the handler over httptest and asserts the Connect protocol HTTP status mapping: a valid scoped token yields 200, a missing or garbage token 401, and a token without the scope 403.
Add the connectrpc/ module to the workspace layout tables, the dependency policy, the README module list, the CHANGELOG, and the OTel span catalog (connectrpcsec.Authenticate / connectrpcsec.Authorize). grpc/go.mod picks up the workspace-aligned google.golang.org/protobuf v1.36.11 via go work sync.
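The status mapping that the end-to-end test above asserts (200 / 401 / 403), sketched with only the standard library. This is an added example, not code from the PR. The sentinel names, token table, scope string and `internal` fallback are assumptions, and the real adapter maps to `connect.Code` values rather than strings.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Hypothetical sentinels standing in for the security core's error values.
var ErrUnauthenticated = errors.New("unauthenticated")
var ErrAccessDenied = errors.New("access denied")
// Constructed opaque demo tokens and their granted scope (not real JWTs).
var tokens = map[string]string{"tok-scoped": "health:read", "tok-noscope": ""}

// mapError returns the Connect code name and its unary HTTP status.
func mapError(err error) (string, int) {
	if errors.Is(err, ErrUnauthenticated) {
		return "unauthenticated", http.StatusUnauthorized
	} else if errors.Is(err, ErrAccessDenied) {
		return "permission_denied", http.StatusForbidden
	}
	return "internal", http.StatusInternalServerError // this example's fallback
}

// check authenticates the bearer token, then authorizes the required scope.
func check(h http.Header, scope string) error {
	tok, ok := strings.CutPrefix(h.Get("Authorization"), "Bearer ")
	if granted, known := tokens[tok]; !ok || !known {
		return fmt.Errorf("bearer token: %w", ErrUnauthenticated)
	} else if granted != scope {
		return fmt.Errorf("missing scope %s: %w", scope, ErrAccessDenied)
	}
	return nil
}

// Decide returns the Connect code and HTTP status for one Authorization value.
func Decide(authorization string) (string, int) {
	h := http.Header{}
	h.Set("Authorization", authorization)
	if err := check(h, "health:read"); err != nil {
		return mapError(err)
	}
	return "", http.StatusOK
}

func main() {
	fmt.Println(Decide("Bearer tok-noscope"))
}
```

Because the sentinels are wrapped with `%w`, classification goes through `errors.Is`, so extra context on the error does not change the status a caller sees.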
Coverage Report for CI Build 26231047040
Coverage increased (+0.3%) to 91.69%
Uncovered Changes: No uncovered changes found.
Coverage Regressions: No coverage regressions found.
💛 - Coveralls
Pull request overview
This PR adds a new ConnectRPC transport adapter module (connectrpcsec) to the security toolkit, including interceptors for authentication/authorization, error mapping, and an example service demonstrating JWT + scope enforcement. It also updates repository docs and the Go workspace to include and describe the new module.
Changes:
- Added connectrpc module implementing ConnectRPC interceptors (AuthenticationInterceptor, AuthorizationInterceptor), carrier, and error mapper.
- Added a runnable + tested example (examples/connectrpc-bearer) demonstrating ConnectRPC authn/authz wiring.
- Updated workspace wiring (go.work) and documentation (README, architecture, observability, migration, changelog) to include ConnectRPC support.
Reviewed changes
Copilot reviewed 26 out of 29 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| README.md | Mentions ConnectRPC support and lists the new connectrpc module. |
| MIGRATION.md | Documents the new module and updates the dependency boundary statement to include ConnectRPC. |
| grpc/go.sum | Updates protobuf version checksum (but currently missing the corresponding .../go.mod sum entry). |
| grpc/go.mod | Bumps google.golang.org/protobuf indirect version. |
| go.work.sum | Adds ConnectRPC-related sums and updates workspace dependency sums. |
| go.work | Adds ./connectrpc to the workspace modules. |
| examples/go.sum | Adds ConnectRPC dependencies and updates protobuf sums. |
| examples/go.mod | Adds connectrpc module replace/require and Connect dependencies. |
| examples/doc.go | Lists the new connectrpc-bearer example. |
| examples/connectrpc-bearer/main.go | New runnable ConnectRPC bearer-auth example server. |
| examples/connectrpc-bearer/main_test.go | End-to-end test for the ConnectRPC bearer example over httptest. |
| docs/observability.md | Adds ConnectRPC instrumentation scope and span catalog section. |
| docs/architecture.md | Adds ConnectRPC to module list, dependencies, and transport adapter description. |
| connectrpc/testing_helpers_test.go | Test helpers and fakes for ConnectRPC interceptor tests. |
| connectrpc/options.go | New option/config plumbing shared by ConnectRPC interceptors. |
| connectrpc/interceptor.go | Implements ConnectRPC authentication interceptor + header flushing. |
| connectrpc/interceptor_test.go | Tests for authentication interceptor behavior (unary/streaming, fallback, header flush, mapper). |
| connectrpc/go.sum | New module dependency lockfile for connectrpc. |
| connectrpc/go.mod | New connectrpc module definition and dependencies. |
| connectrpc/example_test.go | Package-level example covering default error mapping behavior. |
| connectrpc/error_mapper.go | Implements default security-error → Connect-code mapping. |
| connectrpc/error_mapper_test.go | Tests default error classification for ConnectRPC error mapping. |
| connectrpc/doc.go | Package docs describing the ConnectRPC adapter and allowed dependencies. |
| connectrpc/carrier.go | Implements security.Carrier over http.Header with staged response headers. |
| connectrpc/carrier_test.go | Tests carrier read/write semantics and nil-header behavior. |
| connectrpc/authorize.go | Implements ConnectRPC authorization interceptor (ADM enforcement). |
| connectrpc/authorize_test.go | Tests authz interceptor behavior and chaining with authn. |
| CLAUDE.md | Updates module list and conventions to include ConnectRPC adapter. |
| CHANGELOG.md | Documents the new ConnectRPC adapter and observability scope update. |