
e2e 구조변경

This commit is contained in:
Lectom C Han
2026-02-24 15:23:36 +09:00
parent 3fdcaa5832
commit 4ffe5110dd
46 changed files with 2735 additions and 393 deletions


@@ -25,7 +25,7 @@ func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.
return func(c *fiber.Ctx) error {
profile, err := config.AuthHandler.GetEnrichedProfile(c)
if err != nil {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized (trace:rbac_keto)"})
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized (trace:rbac_keto)")
}
// Store profile in locals for further use in handlers
@@ -49,7 +49,7 @@ func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.
if objectID == "" {
slog.Error("RBAC Keto check failed: missing object id", "path", c.Path())
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "missing object id for permission check"})
return errorJSON(c, fiber.StatusBadRequest, "missing object id for permission check")
}
slog.Info("Performing Keto permission check", "userID", profile.ID, "namespace", namespace, "objectID", objectID, "relation", relation)
@@ -63,12 +63,12 @@ func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.
allowed, err := config.KetoService.CheckPermission(c.Context(), profile.ID, namespace, objectID, relation)
if err != nil {
slog.Error("Keto service error", "error", err, "userID", profile.ID, "objectID", objectID)
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "permission check error"})
return errorJSON(c, fiber.StatusInternalServerError, "permission check error")
}
if !allowed {
slog.Warn("Keto permission denied", "userID", profile.ID, "namespace", namespace, "objectID", objectID, "relation", relation)
return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden: keto permission denied for " + namespace + ":" + objectID})
return errorJSON(c, fiber.StatusForbidden, "forbidden: keto permission denied for "+namespace+":"+objectID)
}
return c.Next()
@@ -85,9 +85,7 @@ func RequireRole(config RBACConfig) fiber.Handler {
profile, err := config.AuthHandler.GetEnrichedProfile(c)
if err != nil {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{
"error": "unauthorized (trace:rbac_role): " + err.Error(),
})
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized (trace:rbac_role): "+err.Error())
}
// Store profile in locals for further use in handlers
@@ -114,9 +112,7 @@ func RequireRole(config RBACConfig) fiber.Handler {
"allowedRoles", config.AllowedRoles,
"path", c.Path(),
)
return c.Status(fiber.StatusForbidden).JSON(fiber.Map{
"error": "forbidden: insufficient permissions",
})
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions")
}
// Store profile in locals for further use in handlers
@@ -136,7 +132,7 @@ func RequireTenantMatch(config RBACConfig) fiber.Handler {
profile, err := config.AuthHandler.GetEnrichedProfile(c)
if err != nil {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized (trace:rbac_match)"})
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized (trace:rbac_match)")
}
// Store profile in locals for further use in handlers
@@ -174,13 +170,11 @@ func RequireTenantMatch(config RBACConfig) fiber.Handler {
if !isAllowed {
slog.Warn("Tenant match failed", "userID", profile.ID, "targetTenantID", targetTenantID)
return c.Status(fiber.StatusForbidden).JSON(fiber.Map{
"error": "forbidden: you do not have access to this tenant",
})
return errorJSON(c, fiber.StatusForbidden, "forbidden: you do not have access to this tenant")
}
return c.Next()
}
return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
}
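Review bot: The RequireRole hunk still appends the raw error to the client response, `"unauthorized (trace:rbac_role): "+err.Error()`, so whatever GetEnrichedProfile returns (session-store, token-parsing or upstream details, which are not visible here) is echoed to an unauthenticated caller; the rbac_keto and rbac_match hunks return only the fixed tag, so this one is both the odd one out and an information-disclosure path that the errorJSON refactor carried over. I would log the error server-side and return the same generic body as the siblings: `slog.Warn("RBAC role check: profile lookup failed", "error", err, "path", c.Path())` followed by `return errorJSON(c, fiber.StatusUnauthorized, "unauthorized (trace:rbac_role)")`. A smaller instance of the same pattern is the Keto 403 body, `"forbidden: keto permission denied for "+namespace+":"+objectID`, which reflects the request-supplied object id back to a caller who was just denied on it; a fixed message with the ids kept in the existing slog.Warn would be enough. RequireRole and RequireKetoPermission both start and end outside the hunks shown, so the helper's signature and any surrounding handling are not visible here.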