Refactor project service architecture and add authorization middleware

Major refactoring to improve code organization and maintainability:

  - Extract project endpoints into dedicated file
  (service_endpoint_project.go)
  - Move NATS infrastructure code into centralized package with
  proper interfaces
  - Add authorization middleware to capture auth headers in request
  context
  - Refactor main.go for better separation of concerns and graceful
  shutdown
  - Fix unsafe type assertions in context value extraction (prevent
  panics)
  - Restore health check endpoints (/livez, /readyz) to ingress route
  - Add comprehensive tests for authorization middleware
  - Update NATS message handling to use builder pattern

Technical improvements:
  - Remove redundant slog.Default() calls after log initialization
  - Fix RequestIDMiddleware test to use correct context constant
  - Consolidate NATS KV store and messaging models
  - Improve error handling in NATS setup

Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Signed-off-by: Andres Tobon <andrest2455@gmail.com>

Author: andrest50

README.md

@@ -1,6 +1,10 @@
 # LFX V2 Project Service
 
-This repository contains the source code the LFX v2 platform project service.
+This repository contains the source code for the LFX v2 platform project service.
+
+## Overview
+
+The LFX v2 Project Service is a RESTful API service that manages projects within the Linux Foundation's LFX platform. It provides endpoints for creating, reading, updating, and deleting projects with built-in authorization and audit capabilities.
 
 ## File Structure
 
@@ -10,13 +14,28 @@ This repository contains the source code the LFX v2 platform project service.
 ├── charts/                         # Helm charts for running the service in kubernetes
 ├── cmd/                            # Services (main packages)
 │   └── project-api/                # Project service code
+│       ├── gen/                    # Generated code from Goa design
+│       └── design/                 # API design specifications
 ├── internal/                       # Internal service packages
 │   ├── domain/                     # Domain logic layer
 │   ├── service/                    # Business logic layer
+│   ├── middleware/                 # HTTP middleware components
 │   └── infrastructure/             # Infrastructure layer
-└── pkg/                            # Shared packages for internal and external services
+│       └── nats/                   # NATS messaging infrastructure
+└── pkg/                            # Shared packages
+    └── constants/                  # Shared constants and configurations
 ```
 
+## Key Features
+
+- **RESTful API**: Full CRUD operations for project management
+- **NATS Integration**: Event-driven architecture using NATS for messaging and key-value storage
+- **Authorization**: JWT-based authentication with Heimdall middleware integration
+- **OpenFGA Support**: Fine-grained authorization control (configurable)
+- **Health Checks**: Built-in `/livez` and `/readyz` endpoints
+- **Request Tracking**: Automatic request ID generation and propagation
+- **Structured Logging**: JSON-formatted logs with contextual information
+
 ## Contributing
 
 To contribute to this repository:

charts/lfx-v2-project-service/templates/ingressroute.yaml

@@ -16,7 +16,7 @@ spec:
     - kind: Rule
       match: >-
         Host(`{{.Values.ingress.hostname}}`) &&
-        (Path(`/projects`) || PathPrefix(`/projects/`))
+        (Path(`/projects`) || PathPrefix(`/projects/`) || Path(`/livez`) || Path(`/readyz`))
       priority: 10
       middlewares:
         {{- if .Values.heimdall.enabled }}

cmd/project-api/README.md

@@ -35,7 +35,8 @@ This service handles the following NATS subjects:
 ├── gen/                            # Goa generated implementation code (not committed)
 ├── main.go                         # Dependency injection and startup
 ├── service.go                      # Base service implementation
-├── service_endpoint.go             # Service implementation of REST API endpoints
+├── service_endpoint.go             # Service implementation of health check endpoints
+├── service_endpoint_project.go     # Service implementation of project REST API endpoints
 ├── service_handler.go              # Service implementation of NATS handlers
 ├── repo.go                         # Interface with data stores
 ├── mock.go                         # Service mocks for tests
@@ -221,9 +222,9 @@ For local development without OpenFGA:
 
 Note: follow the [Development Workflow](#4-development-workflow) section on how to run the service code
 
-1. **Update design files**: Edit project file in `design/` to include specicification of the new endpoint with all of its supported parameters, responses, and errors, etc.
+1. **Update design files**: Edit project file in `design/` to include specification of the new endpoint with all of its supported parameters, responses, and errors, etc.
 2. **Regenerate code**: Run `make apigen` after design changes
-3. **Implement code**: Implement the new endpoint in `service_endpoint.go`. Follow similar standards of the other endpoint methods. Include tests for the new endpoint in `service_endpoint_test.go`.
+3. **Implement code**: Implement the new endpoint in `service_endpoint_project.go` (for project-related endpoints) or create a new `service_endpoint_*.go` file for other resource types. Follow similar standards of the other endpoint methods. Include tests for the new endpoint in the corresponding `*_test.go` file.
 4. **Update heimdall ruleset**: Ensure that `/charts/lfx-v2-project-service/templates/ruleset.yaml` has the route and method for the endpoint set so that authentication is configured when deployed. If the endpoint modifies data (PUT, DELETE, PATCH), consider adding OpenFGA authorization checks in the ruleset for proper access control
 
 ### Add new message handlers

cmd/project-api/jwt.go

@@ -50,22 +50,22 @@ type jwtAuth struct {
 	validator *validator.Validator
 }
 
-func setupJWTAuth(logger *slog.Logger) *jwtAuth {
+func setupJWTAuth() *jwtAuth {
 	// Set up Heimdall JWKS key provider.
 	jwksEnv := os.Getenv("JWKS_URL")
 	if jwksEnv == "" {
 		jwksEnv = "http://heimdall:4457/.well-known/jwks"
 	}
 	jwksURL, err := url.Parse(jwksEnv)
 	if err != nil {
-		logger.With(errKey, err).Error("invalid JWKS_URL")
+		slog.With(errKey, err).Error("invalid JWKS_URL")
 		os.Exit(1)
 	}
 	var issuer *url.URL
 	issuer, err = url.Parse(defaultIssuer)
 	if err != nil {
 		// This shouldn't happen; a bare hostname is a valid URL.
-		logger.Error("unexpected URL parsing of default issuer")
+		slog.Error("unexpected URL parsing of default issuer")
 		os.Exit(1)
 	}
 	provider := jwks.NewCachingProvider(issuer, 5*time.Minute, jwks.WithCustomJWKSURI(jwksURL))
@@ -84,7 +84,7 @@ func setupJWTAuth(logger *slog.Logger) *jwtAuth {
 		validator.WithAllowedClockSkew(5*time.Second),
 	)
 	if err != nil {
-		logger.With(errKey, err).Error("failed to set up the Heimdall JWT validator")
+		slog.With(errKey, err).Error("failed to set up the Heimdall JWT validator")
 		os.Exit(1)
 	}